|
Home > Archive > IIS Server Security > July 2005 > IIS Lockdown Tool
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
|
|
| redrobit 2005-07-07, 5:54 pm |
| I recently upgraded a 200 server to 2003, thus upgrading IIS to version 6. I
am running OWA using a re-direct to HTTPS, and want to know if I should be
using the IIS Lockdown tool. I think I read an article that it should be
used in IIS is an upgrade, and not a clean install of server 2003. Any
advice?
| |
| Leon Mayne [MVP] 2005-07-08, 7:48 am |
| redrobit wrote:
> I recently upgraded a 200 server to 2003, thus upgrading IIS to
> version 6. I am running OWA using a re-direct to HTTPS, and want to
> know if I should be using the IIS Lockdown tool. I think I read an
> article that it should be used in IIS is an upgrade, and not a clean
> install of server 2003. Any advice?
You shouldn't need IIS Lockdown in IIS6 at all, as it has all of the
security features built in.
You need to install it BEFORE you upgrade to iis6. From the IIS Lockdown
download page:
"All of the default security-related configuration settings in IIS 6.0 meet
or exceed the security configuration settings made by the IIS Lockdown tool.
Therefore, you do not need to run this tool on Web servers running IIS 6.0.
However, if you are upgrading from a previous version of IIS, you should run
the IIS Lockdown Tool before the upgrade to enhance the security of your Web
server."
http://www.microsoft.com/technet/se...s/locktool.mspx
| |
| redrobit 2005-07-08, 7:48 am |
| Great!! Thansk for the clarification!!!
"Leon Mayne [MVP]" wrote:
> redrobit wrote:
>
> You shouldn't need IIS Lockdown in IIS6 at all, as it has all of the
> security features built in.
>
> You need to install it BEFORE you upgrade to iis6. From the IIS Lockdown
> download page:
>
> "All of the default security-related configuration settings in IIS 6.0 meet
> or exceed the security configuration settings made by the IIS Lockdown tool.
> Therefore, you do not need to run this tool on Web servers running IIS 6.0.
> However, if you are upgrading from a previous version of IIS, you should run
> the IIS Lockdown Tool before the upgrade to enhance the security of your Web
> server."
>
> http://www.microsoft.com/technet/se...s/locktool.mspx
>
>
>
| |
| Jeff Cochran 2005-07-09, 5:49 pm |
| On Thu, 7 Jul 2005 06:27:02 -0700, "redrobit"
<redrobit@discussions.microsoft.com> wrote:
>I recently upgraded a 200 server to 2003, thus upgrading IIS to version 6. I
>am running OWA using a re-direct to HTTPS, and want to know if I should be
>using the IIS Lockdown tool. I think I read an article that it should be
>used in IIS is an upgrade, and not a clean install of server 2003. Any
>advice?
I wouldn't use the Lockdown Tool as such, but URLScan still has some
value. Check:
http://www.microsoft.com/technet/se...ls/urlscan.mspx
Especially the section:
"Determining Whether to Use UrlScan 2.5 with IIS 6.0"
Naturally, the Resource Kit is your other security friend. And see:
http://www.microsoft.com/technet/se...odtech/IIs.mspx
Jeff
|
|
|
|
|