[Dshield] Off topic: IIS lockdown tool "did not disable extensions" incident

dsb@rlxtechnologies.com dsb at rlxtechnologies.com
Tue Oct 16 22:34:11 GMT 2001

I have replicated these issues.  I have two stock Dell 2500s with Windows 2K
SP2.  I ran the lockdown tool, with the same results (or lack thereof.)  I'd
say that it's definitely reproducible.

I also share in your dismay regarding MS's response.  However, I'm not


Dave Brookshire
Information Technology
RLX Technologies, Inc.
email dsb at rlxtechnologies.com
voice +1 (281) 863 2115

-----Original Message-----
From: Jonathan G. Lampe [mailto:jonathan at stdnet.com]
Sent: Tuesday, October 16, 2001 12:56 PM
To: dshield at dshield.org
Cc: seangra at yahoo.com
Subject: Re: [Dshield] Off topic: IIS lockdown tool "did not disable
extensions" incident

>You emailed the wrong people, they told you where to go.  They are not 
>allowed/able to give technical support for products, even if those 
>products are security products.

I thought since Microsoft markets their "lockdown toolkit" as a "security" 
product in response to the many holes which have appeared in IIS, their 
"security" people might be interested in finding out why their "security" 
product didn't work.

>Email PSS, and see what they say.  Would you expect to be able to go to 
>some companies IS tech support department and ask for product support on a 
>product that your company makes?

If you've ever dealt with Microsoft you know that "emailing PSS" isn't that 
easy.  You have to lay out some MORE cash before you can ask a 
question.  All I had was a simple question about a simple little "security" 
program which doesn't appear to do its job.  My immediate solution was to 
perform the actions the tools ought to have performed by hand.  I'm not 
willing to cough up a couple hundred bucks to help Microsoft do some 
debugging, but I was willing to donate a little of my valuable time to help 
them locate the problem.

Because many unsophisticated users out there are using Microsoft's lockdown 
toolkit as a major part of their "security" efforts, I would think 
Microsoft would be interested to hear that their product no longer works on 
a VERY common stock Dell platform.

>If you are the tech support, if someone came to you, would you (be able 
>to) help them, or would you refer them to your tech support department?

If I knew that person had a problem I would get as much information as I 
could from them (which Microsoft did not), personally contact a member from 
the appropriate department (which Microsoft did not) and have them contact 
the person who contacted me (which Microsoft did not).

Given Microsoft's precarious position in the enterprise web server market, 
"try this department instead" is a poor response to a security 
concern.  And I won't excuse Microsoft for being poor respondents just 
because they are a large company.  (Wasn't "Exchange" supposed to fix 
communication problems?  ;)

>And BTW, when I ran the tool it worked fine, do you have any other 
>machines that you can try the tool on?

Quite a few.  Just thought it might be interesting to get to the bottom of 
the problem with this tool on this platform - it's quite reproducible on 
Dell 2500 rackmounts with Windows 2000 sp 2 preinstalled, and I'm sure 
other people will run into the problem too.

>  What other software was installed on the machines prior to running the

Nothing.  Brand new machines: stock Windows 2000s, default IIS.

I think it's best to finish this discussion offline.  (Or if you're at SANS 
this week, I'll be leading a BOF on Thursday at 8:00 on Content Protection 
- look me up there.)

- Jonathan Lampe, GCIA - Standard Networks - jonathan at stdnet.com - 
608.227.6100 - 

Dshield mailing list
Dshield at dshield.org