Microsoft releases IIS locking tool

Microsoft has released a new security tool, the second in as many weeks. The company's Web server and security products have recently been dogged by a series of high-profile flaws.

The new tool, called IIS Lockdown, is targeted at home and small business users and is intended for use with the company's Internet Information Server (IIS) software, the Web server software which the Code Red worm successfully attacked last month.

Code Red used a month-old vulnerability in IIS to infect servers and spread itself across the world. Microsoft said that Code Red could never have happened with IIS Lockdown, because the security hole - even if unpatched - would not have been vulnerable.

IIS Lockdown aims to lock down the IIS configuration on a system, making it unchangeable and inaccessible. The software offers two configuration options, Express Lockdown and Advanced Lockdown. Express Lockdown is a one-click, general security setting. Advanced Lockdown gives administrators the option to pick and choose the services that will be enabled on the system.

The software checks a server's configuration against a checklist of security practices provided by Microsoft to create secure systems, said Scott Culp, the security programme manager at the Microsoft security response centre. The checklist, which is also available on Microsoft Web sites as a standalone document, is included in the IIS Lockdown tool.

After consulting the checklist, IIS Lockdown turns off all unnecessary or potentially hazardous services, leaving just core IIS functions, Culp said. The software also includes an extensive help system which gives detailed information about what each component does and in which situations it would be used.

IIS Lockdown provides a sneak preview of the installation process for the forthcoming IIS 6.0, Culp said. IIS 6.0 will include an "interview" process by which the server will be configured with only the necessary services and functions, turning all others off.

But despite Microsoft's promise, the company still advises administrators to stay up to date on patching their systems.

Last week, Microsoft released two security vulnerability assessment tools: HFNetChk and Microsoft Personal Security Advisor. Culp said that IIS Lockdown would not be the last tool in this line and that at least one more would be released in the near future.
