Thanks Russ.  

If you're gonna cut and paste a quote from someone, you should give 'em
some sort of credit...

> I have not had the chance to try it but here goes nothing ....
> 
> http://www.microsoft.com/technet/itsolutions/security/tools/locktool.asp
> 
> What it does;
> 
> 1. Creates two new groups, Web Anonymous Users and Web Applications,
> puts the IUSR and IWAM accounts in them respectively, then sets an
> ACE on more than enough executables to specifically deny any access to
> those files. Good job.
> 
> 2. Disables WebDAV. Good job.
> 
> 3. Provides a new .dll, called 404.dll, that is implemented with all
> (or some) ISAPI filter script mappings. This provides a 404 response
> to any request for such a file. Probably the best we could expect
> since it's impossible to tell IIS to not allow the re-implementation
> of a given script type (i.e. you can't prevent it from
> re-implementing .ida, but if it's already mapped to a .dll you're not
> likely to overwrite the existing mapping). So-so job. I haven't
> checked yet whether 404.dll is added to the WFC dllcache, I sure hope
> so.
> 
> 4. Removes sample files. About time.
> 
> 5. Removes the \scripts and \msadc *virtual* directories (the actual
> directories themselves, and their contents, are left intact). The
> directories should have been removed as well.
> 
> 6. Explicitly denies the IUSR account write access to the contents of
> the INETPUB directory. Unfortunately it does this using a DACE, which
> NT 4.0 cannot handle, so on NT 4.0 systems you won't be able to view
> any security information about these modified files after the tool is
> run. W2K systems don't have this problem. Guess this is just another
> example of how MS seems to have forgotten how many NT 4.0 systems are
> out there, or figure that no Novices run NT 4.0?
