Looking to repair the real and public-relations damage done by Code Red worms during the last few weeks, Microsoft Corp. last week released a security tool designed to lock down Internet Information Services servers and prevent further large-scale attacks on the machines.
However, the tool is receiving less-than-enthusiastic reviews in the security community.
Known as IIS Lockdown Tool, the utility is meant to help administrators configure IIS machines more securely. Also, Microsoft officials said the tool will protect IIS servers against virtually all known vulnerabilities, even without the relevant patches installed.
The tool, which is available for download from Microsofts TechNet site, runs in two modes: Express and Advanced. Express mode enables administrators to configure servers using a default setting, and the Advanced mode lets administrators see all a servers settings and choose the ones to disable.
The tool is meant mainly for small-business and home IIS users but can be used by anyone running IIS.
“The idea is that servers should be configured to run the services that the administrator wants running and no others,” said Scott Culp, manager of the security response center at Microsoft, in Redmond, Wash.
However, some critics said that while the tool is a good start, it doesnt go far enough. “In general, Im disappointed at Microsoft Security for labeling the tool as an IIS lockdown tool. It isnt; its a Web services lockdown tool,” Russ Cooper, surgeon general of TruSecure Corp. and moderator of the NTBugtraq mailing list wrote in a critique of the tool that was posted to the list. “It does nothing about the default installations of FTP and SMTP servers out there. Most people who are likely to run the tool probably arent aware they have FTP and SMTP enabled in addition to Web services. Theyre likely going to get a false sense of security out of running an IIS lockdown tool when it doesnt touch these other services.”
The tool is essentially a software version of a security checklist that Microsoft has made available to users of the IIS server for more than two years, Culp said. Among other functions, the utility denies anonymous users access to all system utilities and checks for sample files on production Web servers.
