IIS Lockdown Tool

I recently upgraded a 200 server to 2003, thus upgrading IIS to version 6. I am running OWA using a re-direct to HTTPS, and want to know if I should be using the IIS Lockdown tool. I think I read an article that it should be used if IIS is an upgrade, and not a clean install of server 2003. Any advice?

redrobit wrote:
> I recently upgraded a 200 server to 2003, thus upgrading IIS to
> version 6. I am running OWA using a re-direct to HTTPS, and want to
> know if I should be using the IIS Lockdown tool. I think I read an
> article that it should be used if IIS is an upgrade, and not a clean
> install of server 2003. Any advice?

You shouldn't need IIS Lockdown in IIS6 at all, as it has all of the security features built in.

You need to install it BEFORE you upgrade to iis6. From the IIS Lockdown download page:

"All of the default security-related configuration settings in IIS 6.0 meet or exceed the security configuration settings made by the IIS Lockdown tool. Therefore, you do not need to run this tool on Web servers running IIS 6.0. However, if you are upgrading from a previous version of IIS, you should run the IIS Lockdown Tool before the upgrade to enhance the security of your Web server."

http://www.microsoft.com/technet/security/tools/locktool.mspx

Great!! Thanks for the clarification!!!

"Leon Mayne [MVP]" wrote:
> redrobit wrote:
> > I recently upgraded a 200 server to 2003, thus upgrading IIS to
> > version 6. I am running OWA using a re-direct to HTTPS, and want to
> > know if I should be using the IIS Lockdown tool. I think I read an
> > article that it should be used if IIS is an upgrade, and not a clean
> > install of server 2003. Any advice?
>
> You shouldn't need IIS Lockdown in IIS6 at all, as it has all of the
> security features built in.
>
> You need to install it BEFORE you upgrade to iis6. From the IIS Lockdown
> download page:
>
> "All of the default security-related configuration settings in IIS 6.0 meet
> or exceed the security configuration settings made by the IIS Lockdown tool.
> Therefore, you do not need to run this tool on Web servers running IIS 6.0.
> However, if you are upgrading from a previous version of IIS, you should run
> the IIS Lockdown Tool before the upgrade to enhance the security of your Web
> server."
>
> http://www.microsoft.com/technet/security/tools/locktool.mspx

On Thu, 7 Jul 2005 06:27:02 -0700, "redrobit" <redro***@discussions.microsoft.com> wrote:
>I recently upgraded a 200 server to 2003, thus upgrading IIS to version 6. I
>am running OWA using a re-direct to HTTPS, and want to know if I should be
>using the IIS Lockdown tool. I think I read an article that it should be
>used if IIS is an upgrade, and not a clean install of server 2003. Any
>advice?

I wouldn't use the Lockdown Tool as such, but URLScan still has some value. Check:

http://www.microsoft.com/technet/security/tools/urlscan.mspx

Especially the section: "Determining Whether to Use UrlScan 2.5 with IIS 6.0"

Naturally, the Resource Kit is your other security friend. And see:

http://www.microsoft.com/technet/security/prodtech/IIs.mspx

Jeff