Microsoft Security Tool Defends IIS | eWeek

Microsoft Security Tool Defends IIS

Écrit par
Dennis Fisher
Dennis Fisher
Sep 3, 2001
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Looking to repair the real and public-relations damage done by Code Red worms during the last few weeks, Microsoft Corp. last week released a security tool designed to lock down Internet Information Services servers and prevent further large-scale attacks on the machines.

However, the tool is receiving less-than-enthusiastic reviews in the security community.

Known as IIS Lockdown Tool, the utility is meant to help administrators configure IIS machines more securely. Also, Microsoft officials said the tool will protect IIS servers against virtually all known vulnerabilities, even without the relevant patches installed.

The tool, which is available for download from Microsofts TechNet site, runs in two modes: Express and Advanced. Express mode enables administrators to configure servers using a default setting, and the Advanced mode lets administrators see all a servers settings and choose the ones to disable.

The tool is meant mainly for small-business and home IIS users but can be used by anyone running IIS.

“The idea is that servers should be configured to run the services that the administrator wants running and no others,” said Scott Culp, manager of the security response center at Microsoft, in Redmond, Wash.

However, some critics said that while the tool is a good start, it doesnt go far enough. “In general, Im disappointed at Microsoft Security for labeling the tool as an IIS lockdown tool. It isnt; its a Web services lockdown tool,” Russ Cooper, surgeon general of TruSecure Corp. and moderator of the NTBugtraq mailing list wrote in a critique of the tool that was posted to the list. “It does nothing about the default installations of FTP and SMTP servers out there. Most people who are likely to run the tool probably arent aware they have FTP and SMTP enabled in addition to Web services. Theyre likely going to get a false sense of security out of running an IIS lockdown tool when it doesnt touch these other services.”

The tool is essentially a software version of a security checklist that Microsoft has made available to users of the IIS server for more than two years, Culp said. Among other functions, the utility denies anonymous users access to all system utilities and checks for sample files on production Web servers.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.