http://microsoft.com/technet/security/tools/locktool.asp
What's new in version 2.1 of the IIS Lockdown Wizard:
a. Server Roles: Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products, including Microsoft
Exchange 5.5 and 2000, Commerce Server, BizTalk, Small Business Server 4.5 and 2000, SharePoint Portal Server, FrontPage Server
Extensions and SharePoint Team Server.
b. URLscan integration, with customized templates for each supported server role. This integration allows the Lockdown Wizard to
provide additional security enforced by URLscan without requiring the administrator to design a custom URLscan filter for the
particular server configuration and application.
c. Ability to remove or disable IIS services such as HTTP, FTP, SMTP and NNTP
d. The updated wizard is able to read from an answer file, giving support for scripted or unattended installation
e. Re-designed UI and bug fixes based on user feedback
To provide feedback on this tool:
http://microsoft.com/technet/security/Default.asp
Or, post in this newsgroup.
Thanks!
--
For up to date IIS information:
http://support.microsoft.com/directory/content.asp?ID=FH;EN-US;iis50
Get Secure!
http://www.microsoft.com/security
Regards,
Jerry Bryant
Microsoft IT Communities
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights reserved.
The new download file is not currently available
Details from the release page
a. For More Information -
http://www.microsoft.com/technet/security/tools/locktool.asp
b. Version - 1.0
c. Release Date - 23 Aug 2001
d. Estimated Download Size/Time @28.8 - 50 kb / 1min
Old link to the file!
http://download.microsoft.com/download/iis50/Utility/1.0/NT45/EN-US/IISLockD.exe
--
Chris Crowe [Microsoft IIS MVP]
Please visit the unofficial IIS Web Site at www.iisfaq.com
"Jerry Bryant [MS]" <jbryan...@microsoft.com> wrote in message
news:evKXVvhbBHA.2036@tkmsftngp02...
1. In the initial release of Urlscan, there was a bug in AllowDotInPath=0 where it would reject requests in the form of
"/abc.dll/foo.bar.htm". Earlier urlscan did all of the parsing to find the last recognizable extension. Now in addition urlscan will
look for the first recognizable extension in the string. If that extension is ".dll", ".com" or ".exe", then it will store that
instead, and pass the AllowDotInPath test.
Here's the difference in the behavior:
a. In the earlier version, "/_vti_bin/shtml.dll/foo.bar.htm" would result in an extension of ".htm" and urlscan would fail the
AllowDotInPath test.
b. In the new version, "/_vti_bin/shtml.dll/foo.bar.htm" would result in an extension of ".dll" and urlscan would pass the
AllowDotInPath test.
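As an added illustration (not UrlScan's own code, which is not public), the following Python models the two extension-selection rules described above: the earlier "last recognizable extension" rule and the 2.0 rule that keeps the first extension when it is .dll, .com or .exe. The AllowDotInPath=0 test itself is modelled as "no '.' may appear in the path before the chosen extension"; that is an assumption about how the check works, since the post only gives the outcomes. The "." returned for an extension-less path is the same value item 3 below lets an administrator list in [AllowExtensions] or [DenyExtensions].

```python
import re

# Added example (not UrlScan code): models the extension-selection rule the
# post describes for the AllowDotInPath=0 check, in its earlier and 2.0 forms.

EXT_RE = re.compile(r"\.[A-Za-z0-9]+")   # a dot followed by an extension-like run
MAPPED_EXTS = {".dll", ".com", ".exe"}   # extensions 2.0 stops at when seen first


def _path(url):
    """Strip the query string; only the path part is scanned for extensions."""
    return url.split("?", 1)[0]


def extension_v1(url):
    """Earlier UrlScan: the last recognizable extension in the path wins.

    Returns (extension, offset of its leading dot). A path with no extension
    yields ".", the value that can now be listed in [AllowExtensions] or
    [DenyExtensions] to cover extension-less URLs.
    """
    path = _path(url)
    matches = list(EXT_RE.finditer(path))
    if not matches:
        return ".", len(path)
    last = matches[-1]
    return last.group().lower(), last.start()


def extension_v2(url):
    """UrlScan 2.0: if the first recognizable extension is .dll/.com/.exe,
    keep it; otherwise fall back to the earlier last-extension rule."""
    path = _path(url)
    matches = list(EXT_RE.finditer(path))
    if not matches:
        return ".", len(path)
    first = matches[0]
    if first.group().lower() in MAPPED_EXTS:
        return first.group().lower(), first.start()
    last = matches[-1]
    return last.group().lower(), last.start()


def passes_allow_dot_in_path(url, version=2):
    """Model of the AllowDotInPath=0 test (assumption: the path before the
    chosen extension may not contain a '.')."""
    chooser = extension_v2 if version == 2 else extension_v1
    _, start = chooser(url)
    return "." not in _path(url)[:start]


if __name__ == "__main__":
    sample = "/_vti_bin/shtml.dll/foo.bar.htm"   # the URL from the post
    for version in (1, 2):
        chooser = extension_v2 if version == 2 else extension_v1
        print(version, chooser(sample)[0], passes_allow_dot_in_path(sample, version))
```

Run stand-alone it prints the extension each version picks for the post's sample URL and whether the modelled AllowDotInPath test passes; a path such as "/dir.v2/page.htm" still fails under both rules because the dot sits before the chosen extension.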
2. The log output for URLs has been changed so that they are prepended with the instance ID of the site for the request (i.e.
"1:/foo.htr", instead of "/foo.htr").
3. The [AllowExtensions] and [DenyExtensions] now support the administrator entering "." as an extension to give them a way to
include extension-less URLs in either of those sections. E.g. http://server.com/
4. A new option "RejectResponseUrl" has been added, which the administrator can use to specify a URL to return to the client in the
case of a rejected request. This will not only allow the admin to select what the client sees, it will default to "/~notfound",
which will result in a complete custom error 404 in the default case.
Details: Allowed value is a string. The default is /<Rejected-By-UrlScan>. This string is a URL in the form "/path/file_name.ext".
In the event UrlScan rejects a request, it will run the specified URL, which needs to be local to the Web site for the request being
analyzed by UrlScan. The specified URL can have the same extension (for example, .asp) as the rejected URL.
UrlScan creates the following server variables that can be used by the specified URL in determining the nature of the rejected
request and to allow flexibility in returning the actual response to the client:
HTTP_URLSCAN_STATUS_HEADER Contains the reason the request is being rejected.
HTTP_URLSCAN_ORIGINAL_VERB Contains the original verb from the request that is being rejected.
HTTP_URLSCAN_ORIGINAL_URL Contains the original URL from the request that is being rejected.
UrlScan appends the URL of the request that is being rejected as a query string to the location specified by RejectResponseUrl. If
IIS is configured to log request query strings, the URL of the rejected request can be found in the IIS log in addition to the
UrlScan log.
There is a special value for RejectResponseUrl that can be used to put UrlScan into "Logging Only Mode." If you set the value of
RejectResponseUrl to /~*, UrlScan performs all of the configured scanning and logs the results, however, it will allow IIS to serve
the page even if it would normally be rejected. This mode is useful if you would like to test UrlScan.ini settings without actually
rejecting any requests. Note that the log entries in the UrlScan log file will be clear that requests are not being rejected.
5. A new option "RejectFastPath" has been added. The allowed values are 0 or 1. The default is 0. If set to 1, UrlScan ignores the
RejectResponseUrl and returns a short 404 response to the client in cases where it rejects a request. This is faster than allowing
the full processing of the RejectResponseUrl, but if this option is used, IIS cannot return a custom 404 response or log many parts
of the request into the IIS log (the UrlScan log file will still contain complete information about rejected requests).
6. The date format in the UrlScan.log has been changed from the form [Fri, Sept 28 2001 - 01:01:01] to [09-28-2001 - 01:01:01] to
make it easier to parse programmatically.
7. Administrators can create a new log file each day, where the filename is in the form of "UrlScan.092801.log" using PerDayLogging.
The allowed values are 0 or 1. Default is 1. If set to 1, UrlScan creates a new log file each day and appends a date to the log file
name (for example, UrlScan.101501.log). If both PerDayLogging=1 and PerProcessLogging=1 are set, the log file name contains the date
and a process ID in the name (for example, UrlScan.101501.123.log). Note that with PerDayLogging, a log is created for the
current day (and the log for the previous day is closed) when the first log entry is written for that day. If a day passes with no
UrlScan activity, no log is created for that day. If this value is set to 0, then UrlScan opens a single file called UrlScan.log (or
UrlScan.xxx.log, where xxx is the process ID, in the case of PerProcessLogging=1).
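To make items 4 through 7 concrete, here is an added Python model (not UrlScan's code) of the rejection handling and the log naming rules as the post describes them. The option names are the ones from the post; the field names, the dictionary shape, the query-string encoding and the precedence between RejectFastPath=1 and the /~* logging-only value are this example's own assumptions. It also parses the new "[09-28-2001 - 01:01:01]" timestamp and the "1:/foo.htr" instance-prefixed URL form, which is what a log-collection script would need to update after moving to 2.0.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import quote

# Added example (not UrlScan code): models the rejection handling and log
# naming rules described in items 4-7. The .ini option names come from the
# post; field names and precedence decisions are this example's assumptions.


@dataclass
class UrlScanConfig:
    reject_response_url: str = "/<Rejected-By-UrlScan>"  # default from the Details paragraph
    reject_fast_path: int = 0
    per_day_logging: int = 1
    per_process_logging: int = 0


def handle_rejection(cfg, original_url, original_verb, reason):
    """Decide what happens once a request has been rejected.

    Assumed precedence: RejectFastPath=1 is checked first, because the post
    says it makes UrlScan ignore RejectResponseUrl entirely; the logging-only
    value /~* is then honoured before the normal custom-URL path.
    """
    if cfg.reject_fast_path == 1:
        return {"action": "short-404"}
    if cfg.reject_response_url == "/~*":
        return {"action": "serve", "note": "request logged but not rejected"}
    return {
        "action": "run-url",
        # the rejected URL is appended as the query string (encoding assumed)
        "url": cfg.reject_response_url + "?" + quote(original_url),
        "server_variables": {
            "HTTP_URLSCAN_STATUS_HEADER": reason,
            "HTTP_URLSCAN_ORIGINAL_VERB": original_verb,
            "HTTP_URLSCAN_ORIGINAL_URL": original_url,
        },
    }


def log_file_name(cfg, when, pid=None):
    """File name UrlScan opens for an entry written at `when`, per item 7."""
    if cfg.per_day_logging == 1:
        stamp = when.strftime("%m%d%y")          # e.g. 101501 for 15 Oct 2001
        if cfg.per_process_logging == 1:
            return f"UrlScan.{stamp}.{pid}.log"
        return f"UrlScan.{stamp}.log"
    if cfg.per_process_logging == 1:
        return f"UrlScan.{pid}.log"
    return "UrlScan.log"


LOG_TS_RE = re.compile(r"^\[(\d{2}-\d{2}-\d{4}) - (\d{2}:\d{2}:\d{2})\]")


def parse_log_timestamp(entry):
    """Parse the 2.0 timestamp form '[09-28-2001 - 01:01:01]' (item 6)."""
    m = LOG_TS_RE.match(entry)
    if m is None:
        raise ValueError("entry does not start with a 2.0-format timestamp")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m-%d-%Y %H:%M:%S")


def split_logged_url(field):
    """Split the 2.0 '1:/foo.htr' logged form into (site instance id, URL)."""
    instance, _, url = field.partition(":")
    return int(instance), url


if __name__ == "__main__":
    cfg = UrlScanConfig(reject_response_url="/rejected.asp")
    print(handle_rejection(cfg, "/foo.htr", "GET", "URL contains extension '.htr'"))
    print(log_file_name(cfg, datetime(2001, 10, 15)))
    # constructed sample entry in the new timestamp format
    print(parse_log_timestamp("[09-28-2001 - 01:01:01] constructed sample entry"))
    print(split_logged_url("1:/foo.htr"))
```

When testing new UrlScan.ini settings, set reject_response_url to "/~*" in this model (RejectResponseUrl=/~* in the real file) and confirm the action comes back as "serve"; that is the logging-only behaviour the post describes, and the log file is still named by the PerDayLogging rule.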
--
Regards,
Jerry Bryant
Microsoft IT Communities
"Jerry Bryant [MS]" <jbryan...@microsoft.com> wrote in message news:evKXVvhbBHA.2036@tkmsftngp02...
TIA. Regards, Martin
"Jerry Bryant [MS]" <jbryan...@microsoft.com> wrote in message
news:eew#oNibBHA.1448@tkmsftngp02...
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33961
--
Regards,
Jerry Bryant
Microsoft IT Communities
"Chris Crowe [Microsoft IIS MVP]" <ch...@iisfaq.com> wrote in message news:eV4Jd9hbBHA.2020@tkmsftngp02...
The group that developed IIS Lockdown and URLScan worked closely with other teams to try and make sure that it worked well with
other products. The tool is template based or you can define your own settings via the wizard. However, if you have this issue
again, below are steps that have been known to resolve it:
RESOLUTION
===================
1) Run the iislockd.exe again and undo the changes
2) Run iislockd.exe again and select advanced mode
3) Allow ASP and DO NOT remove the Scripts virtual directory
--
Regards,
Jerry Bryant
Microsoft IT Communities
"Martin O. Hedinger" <m.hed...@mytextart.ch> wrote in message news:uTsf#2ibBHA.1004@tkmsftngp02...
I have IISLockDown and URLScan already installed. Do I need to uninstall
them before I install the new version? Or does it install over the top?
Thanks,
Ray
"Jerry Bryant [MS]" <jbryan...@microsoft.com> wrote in message
news:evKXVvhbBHA.2036@tkmsftngp02...
Just freed up a server, so I answered my own question. I had URLScan set for
OWA 5.5. When I ran the new version it told me I had to remove the old
settings. So far so good. However, when it was undoing the previous stuff it
stopped the web server for several minutes. So best make this a late night
change. : )
The detail on the screens is very good and URLScan still works OK. However,
I do have one question left: Did it read my settings from the old URLScan
.ini file or did it write a new one based on the template I chose? Kind of
hard to tell.
Thanks for such a wonderful set of tools and especially for your
participation!
Ray
"Ray" <repl...@newsgroup.only> wrote in message
news:enoYYDsbBHA.568@tkmsftngp02...
The new URLScan version will create a new ini file based on the template options you choose in the wizard.
Glad that it is working well for you and appreciate the positive feedback!
--
Regards,
Jerry Bryant
Microsoft IT Communities
"Ray" <repl...@newsgroup.only> wrote in message news:uDU8$csbBHA.2020@tkmsftngp02...
Ray
"Jerry Bryant [MS]" <jbryan...@microsoft.com> wrote in message
news:uAthNwsbBHA.2036@tkmsftngp07...
I'd like to refer to a recent thread on the iissecurity newsgroup on IIS
beating Apache in a secure server poll. One comment by Keith McCammon struck
a chord with me and perhaps this is the best thread to post about..
Keith wrote "No different. Does it need to be given some attention by MS?
Yes. Does it need to be given some attention by those running the systems.
Hell yes. Would I rather run Apache? Yes, but mainly because it is easier
to use, duplicate, restore, etc. "
Part of maintaining a secure server is disaster recovery. I work for a
hosting company and do my best to ensure that if there are any problems with
servers for whatever reason, I can quickly roll in another server.
With Apache this is very easy because I can rsync data between a primary and
secondary server securely and the web server configurations are text files
and therefore easy to replicate and manipulate. IIS unfortunately is not
like this.
I'm not talking about clustering or NLB - many customers won't wear the
added cost for doing this. I'm talking about having a second server that
gets replicated say, hourly. Replicating the data is not such a big deal,
but the Metabase is.
There needs to be a tool developed (or Metaedit enhanced) to further improve
the ability of administrators to quickly replicate the metabase
configuration of one IIS box to another. All currently supported backup
methods are not transferable to another machine. How about making this
process a little more generic and scriptable so it can be run via task
manager?
This would complete the picture..
Paul
"Jerry Bryant [MS]" <jbryan...@microsoft.com> wrote in message
news:evKXVvhbBHA.2036@tkmsftngp02...
Rumor has it that IIS6 has an XML-based Metabase which would appear to
make this a no-brainer. Though replication is not an issue high on my
wish-list due to my configurations, the ability to quickly restore to
a new server with relatively current data is. Since my metabase
doesn't change all that frequently, we've been imaging out the IIS
system(s) after changes, they can thus be restored to virtually any
system with a few tweaks in less than an hour. But this is a bit much
at times. I'm hesitant to rely solely on tape backups, which is where
our data files would be restored from.
Jeff
This is true. In IIS 6.0, the metabase is XML. The backup APIs, command line support, and UI have all been modified to allow for
backup with password, which can then be used to restore onto a different machine.
IIS 6.0 also exposes a configuration import/export API, command line support and UI which allows you to move configuration for
site(s), app(s), vdir(s), etc.
As far as new or modified tools for IIS 5.0, I cannot comment on that as I do not know. I do know that a lot of folks have requested
this ability and this feedback has been delivered.
Thanks!
--
Regards,
Jerry Bryant
Microsoft IT Communities
<Jeff Cochran> wrote in message news:3bfcfbe0...@news.supernews.com...
Sounds like what you are wanting.
Problems:
It can not be scripted (well maybe sendkeys)
The export stops the web site during the export
To get the IIS metabase editor go to www.iisfaq.com/metabase for the URL.
And yes IIS 6 will be a lot easier to work with in this situation.
--
Chris Crowe [Microsoft IIS MVP]
<Jeff Cochran> wrote in message news:3bfcfbe0...@news.supernews.com...
I use the editor for this, but our Metabase/IIS settings are rather
simple and even if I lost them and had to recreate it's not hard. In
our case, the folder structures and permissions are more of an issue.
>Problems:
>
>It can not be scripted (well maybe sendkeys)
>The export stops the web site during the export
I think this is what stops the original poster, Apache's files can
easily be scripted for copying.
Jeff
Rod
"Jerry Bryant [MS]" <jbryan...@microsoft.com> wrote in message
news:eew#oNibBHA.1448@tkmsftngp02...
Sorry for the confusion. The version of the Lockdown tool is 2.1 and URLScan is 2.0.
--
Regards,
Jerry Bryant
Microsoft IT Communities
"ROD SNYDER" <rod_s...@yahoo.com> wrote in message news:#U0QdVgcBHA.1928@tkmsftngp03...