IIS 6.0 Resource Kit

We just had our annual security audit. We were advised that we should not have IIS 6.0 tools installed on a web server connected to the internet. I cannot find any information that states this. Does anyone know Microsoft's policy on resource kit installations? I don't see a risk of having the reskit in the box.

Of course, if you don't need it, don't install.

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/

"Phillip LeMaster" <PhillipLeMas***@discussions.microsoft.com> wrote in message news:8BD7C351-37C1-4504-A409-82A90A839154@microsoft.com...
> We just had our annual security audit. We were advised that we should not
> have IIS 6.0 tools installed on a web server connected to the internet. I
> cannot find any information that states this. Does anyone know Microsoft's
> policy on resource kit installations?

To agree with Bernard, I don't see any specific threat posed by the RK tools, however it's usually a good policy to keep production servers in as clean a state as possible, and only install the tools if you have a specific need. This goes for pretty much any tools not directly related to the day-to-day running of a production box.

Most, if not all of the tools in the kit can be used from a connected workstation, so there isn't necessarily a need for them to be there anyway, but at the end of the day the choice is yours. As far as I'm aware, Microsoft provides no specific guidance on the IIS 6.0 resource kit in this direction, though I'll be happy to check this out further if you like.

--
Jason Brown
Microsoft GTSC, IIS

This posting is provided "AS IS" with no warranties, and confers no rights.

"Phillip LeMaster" <PhillipLeMas***@discussions.microsoft.com> wrote in message news:8BD7C351-37C1-4504-A409-82A90A839154@microsoft.com...
> We just had our annual security audit. We were advised that we should not
> have IIS 6.0 tools installed on a web server connected to the internet. I
> cannot find any information that states this. Does anyone know Microsoft's
> policy on resource kit installations?

Thank you Jason. I agree to some extent. Our servers are in a remote location and when working with Microsoft support in the past they have asked that the resource kit be installed for them to troubleshoot. I also agree partially that tools should not be installed unless used. Our tools are used at least every month, but to take the time to install and uninstall is too cumbersome. And my last point. If a security professional writes up something then they should be able to relate that issue to a known bug or case where this is an issue and not just their personal preferences. So for the sake of being professional we need to know what Microsoft's view is if possible. I thought most tools and especially the system32 directories are locked down pretty much. If someone has already gotten to your system32 directory then those tools are not going to prevent them from doing irreparable damage.

"Jason Brown [MSFT]" wrote:
> To agree with Bernard, I don't see any specific threat posed by the RK
> tools, however it's usually a good policy to keep production servers in as
> clean a state as possible, and only install the tools if you have a specific
> need. This goes for pretty much any tools not directly related to the day-to-day
> running of a production box.
>
> Most, if not all of the tools in the kit can be used from a connected
> workstation, so there isn't necessarily a need for them to be there anyway,
> but at the end of the day the choice is yours. As far as I'm aware,
> Microsoft provides no specific guidance on the IIS 6.0 resource kit in this
> direction, though I'll be happy to check this out further if you like.
>
> --
> Jason Brown
> Microsoft GTSC, IIS
>
> This posting is provided "AS IS" with no warranties, and confers no rights.

On Thu, 17 Mar 2005 06:15:02 -0800, "Phillip LeMaster" <PhillipLeMas***@discussions.microsoft.com> wrote:
> Thank you Jason. I agree to some extent. Our servers are in a remote
> location and when working with Microsoft support in the past they have asked
> that the resource kit be installed for them to troubleshoot. I also agree
> partially that tools should not be installed unless used. Our tools are used
> at least every month, but to take the time to install and uninstall is too
> cumbersome. And my last point. If a security professional writes up
> something then they should be able to relate that issue to a known bug or
> case where this is an issue and not just their personal preferences. So for
> the sake of being professional we need to know what Microsoft's view is if
> possible. I thought most tools and especially the system32 directories are
> locked down pretty much. If someone has already gotten to your system32
> directory then those tools are not going to prevent them from doing
> irreparable damage.

First, you didn't ask Microsoft to review your security, why do you need them to provide a view on what fits your needs in your environment?

But the real reason a security audit will list those is that if you don't use them, you should remove them. Every audit has recommendations, some of which you follow and others you justify not following. An audit may recommend removing the FTP service to provide more security on the box. Removing it *does* increase security. But if you use it, it's not an option to remove it.

Justify that you use the tools, and make whatever changes make sense in your organization.

Jeff

On Wed, 16 Mar 2005 13:15:05 -0800, "Phillip LeMaster" <PhillipLeMas***@discussions.microsoft.com> wrote:
> We just had our annual security audit. We were advised that we should not
> have IIS 6.0 tools installed on a web server connected to the internet. I
> cannot find any information that states this. Does anyone know Microsoft's
> policy on resource kit installations?

If you use the tools, they have to be on the server. Any you don't use you should remove, just as you'd remove services you don't use when hardening a box.

Jeff