|
Home > Archive > IIS Server Security > December 2004 > IIS lockdown - odd log entrys
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
IIS lockdown - odd log entrys
|
|
|
| hi all,
Just installed IIS on my XP pro box and decided to run the IIS
lockdown tool, all seemed to go fine but I got the following in the
report at the end:
..
..
..
Warning: Unable to secure content
(C:\WINDOWS\$NtUninstallKB828741$\comrep
l.exe): Access is denied.
Warning: Unable to secure content
(C:\WINDOWS\$NtUninstallKB828741$\migreg
db.exe): Access is denied.
Warning: Unable to secure content
(C:\WINDOWS\$NtUninstallKB835732$\helpct
r.exe): Access is denied.
..
..
..
why was it even trying to access these files!?
Also, I ran windows update after installing IIS and it found no
updates! I found that odd - I do have service pack 2 however, could
that be why I needed no updates for IIS (even tho I did not have it
installed when I installed SP2!)? IISlockdown reports I am all
uptodate with patches for IIS - should I trust it?
cheers guys!
Gav
| |
| Bernard 2004-12-06, 2:46 am |
| Not sure why you get access is denied, but I believe iislockdown is trying
to configure the ntfs permission so that anonymous access do not have write
access to those paths.
iislockdown do not tell you what patch is missing, you can do this via
windows update or get MBSA from microsoft.com
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Gav" <gavin@my-deja.com> wrote in message
news:7da6364d.0412040936.6a8ae5e2@posting.google.com...
> hi all,
>
> Just installed IIS on my XP pro box and decided to run the IIS
> lockdown tool, all seemed to go fine but I got the following in the
> report at the end:
> .
> .
> .
> Warning: Unable to secure content
> (C:\WINDOWS\$NtUninstallKB828741$\comrep
l.exe): Access is denied.
> Warning: Unable to secure content
> (C:\WINDOWS\$NtUninstallKB828741$\migreg
db.exe): Access is denied.
> Warning: Unable to secure content
> (C:\WINDOWS\$NtUninstallKB835732$\helpct
r.exe): Access is denied.
> .
> .
> .
>
> why was it even trying to access these files!?
>
> Also, I ran windows update after installing IIS and it found no
> updates! I found that odd - I do have service pack 2 however, could
> that be why I needed no updates for IIS (even tho I did not have it
> installed when I installed SP2!)? IISlockdown reports I am all
> uptodate with patches for IIS - should I trust it?
>
> cheers guys!
>
> Gav
| |
| Ken Schaefer 2004-12-06, 8:47 pm |
| Hi,
IISLockdown is probably trying to secure NTFS permissions for those file to
prevent an anonymous user from executing them. However, those files are
already located in protected directories.
There are no post-SP2 patches for IIS on Windows XP. When you installed IIS,
even if you had already installed SP2, it should request SP2 binaries if
required.
To verify, you can use Microsoft Baseline Security Analyser:
www.microsoft.com/technet/security/tools/mbsahome.mspx
Cheers
Ken
"Gav" <gavin@my-deja.com> wrote in message
news:7da6364d.0412040936.6a8ae5e2@posting.google.com...
> hi all,
>
> Just installed IIS on my XP pro box and decided to run the IIS
> lockdown tool, all seemed to go fine but I got the following in the
> report at the end:
> .
> .
> .
> Warning: Unable to secure content
> (C:\WINDOWS\$NtUninstallKB828741$\comrep
l.exe): Access is denied.
> Warning: Unable to secure content
> (C:\WINDOWS\$NtUninstallKB828741$\migreg
db.exe): Access is denied.
> Warning: Unable to secure content
> (C:\WINDOWS\$NtUninstallKB835732$\helpct
r.exe): Access is denied.
> .
> .
> .
>
> why was it even trying to access these files!?
>
> Also, I ran windows update after installing IIS and it found no
> updates! I found that odd - I do have service pack 2 however, could
> that be why I needed no updates for IIS (even tho I did not have it
> installed when I installed SP2!)? IISlockdown reports I am all
> uptodate with patches for IIS - should I trust it?
>
> cheers guys!
>
> Gav
| |
| gavin@my-deja.com 2004-12-07, 7:47 am |
| cheers for the info - sounds like its not too big a deal - any opinions
as to whether I should worry?
I checked the directory security and there is no anonymous access but
when I try to check the actual files mentioned I dont get the security
tab - just lots of options for how it should be run in DOS mode! Other
files in the directories do show the security tab... why would this be?
I have indeed run MBSA and it seems to say all is well in terms of
patches.
gav
Ken Schaefer wrote:
> Hi,
>
> IISLockdown is probably trying to secure NTFS permissions for those
file to
> prevent an anonymous user from executing them. However, those files
are
> already located in protected directories.
>
> There are no post-SP2 patches for IIS on Windows XP. When you
installed IIS,
> even if you had already installed SP2, it should request SP2 binaries
if[vbcol=seagreen]
> required.
>
> To verify, you can use Microsoft Baseline Security Analyser:
> www.microsoft.com/technet/security/tools/mbsahome.mspx
>
> Cheers
> Ken
>
>
> "Gav" <gavin@my-deja.com> wrote in message
> news:7da6364d.0412040936.6a8ae5e2@posting.google.com...
| |
| Bernard 2004-12-08, 2:47 am |
| huh ? it should have a 'security' tab.
anyway, I think you can safely ignore the errors.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
<gavin@my-deja.com> wrote in message
news:1102420144.524674.252750@f14g2000cwb.googlegroups.com...
> cheers for the info - sounds like its not too big a deal - any opinions
> as to whether I should worry?
> I checked the directory security and there is no anonymous access but
> when I try to check the actual files mentioned I dont get the security
> tab - just lots of options for how it should be run in DOS mode! Other
> files in the directories do show the security tab... why would this be?
>
>
> I have indeed run MBSA and it seems to say all is well in terms of
> patches.
>
> gav
>
>
> Ken Schaefer wrote:
> file to
> are
> installed IIS,
> if
>
| |
| Ken Schaefer 2004-12-08, 2:47 am |
| Did you turn off "Use Simple File Sharing"?
(In Explorer -> Tools -> Folder Options -> View -> uncheck "use Simple File
Sharing (Recommended)") and then you should see a security tab.
Cheers
Ken
<gavin@my-deja.com> wrote in message
news:1102420144.524674.252750@f14g2000cwb.googlegroups.com...
> cheers for the info - sounds like its not too big a deal - any opinions
> as to whether I should worry?
> I checked the directory security and there is no anonymous access but
> when I try to check the actual files mentioned I dont get the security
> tab - just lots of options for how it should be run in DOS mode! Other
> files in the directories do show the security tab... why would this be?
>
>
> I have indeed run MBSA and it seems to say all is well in terms of
> patches.
>
> gav
>
>
> Ken Schaefer wrote:
> file to
> are
> installed IIS,
> if
>
| |
| gavin@my-deja.com 2004-12-08, 7:50 am |
| hi again,
Ok yep sorry the tab is there (Doh!) I just did not see it because
there was a whole host of other tabs there too which I dont normally
see. sorry!
Ken Schaefer wrote:
> Did you turn off "Use Simple File Sharing"?
>
> (In Explorer -> Tools -> Folder Options -> View -> uncheck "use
Simple File[vbcol=seagreen]
> Sharing (Recommended)") and then you should see a security tab.
>
> Cheers
> Ken
>
> <gavin@my-deja.com> wrote in message
> news:1102420144.524674.252750@f14g2000cwb.googlegroups.com...
opinions[vbcol=seagreen]
but[vbcol=seagreen]
security[vbcol=seagreen]
Other[vbcol=seagreen]
be?[vbcol=seagreen]
those[vbcol=seagreen]
files[vbcol=seagreen]
binaries[vbcol=seagreen]
the[vbcol=seagreen]
denied.[vbcol=seagreen]
denied.[vbcol=seagreen]
denied.[vbcol=seagreen]
could[vbcol=seagreen]
it[vbcol=seagreen]
|
|
|
|
|