Date: Tue Aug 28 2001 - 15:23:44 CDT
> Amen to your wish-list on the MS Lockdown tool. It seems to me that MS is
> really out of touch with realities as far as their user-base and
> expectations are concerned. I think they only did this tool to satisfy
> their marketroids and image makers. It got them a lot of ink and media,
> it does not even begin to meet the expectations of any systems admin I
> have spoken to so far.
I think this is a little over the top. The tool was most certainly not
written "only to satisfy their marketroids..." Contrary to popular belief,
the security team at MS really does care about the security of their
products and the people that use them. I know some of the guys personally,
and they are hard working, dedicated professionals.
I also think saying that it does "not even begin to meet the
expectations..." is a bit naive. There are vast amounts of people out there
deploying web sites that have no concept of security. This tool is a great
first step for them. While there are certainly issues with the tool, I know
that they are being addressed. For instance- some people have problems with
the tool because they already deleted idq.dll; this will be fixed, but I
would submit that if people already knew what idq.dll was, and knew to
delete it in the first place, then they are not the intended users of the
tool in the first place.
What would really be helpful is for people to submit these issues to MS
rather than just letting them die in a public forum. That way, options could
be written into the tool and other people who are not as smart as you can
benefit from your knowledge. That's what the forum is all about.
Personally, I would like to see the tool built into the default setup of
IIS- that way you could lock it down from the get go. Well, I guess it
would be even better to have the reverse true- everything is off by default
and you turn on what you want (IIS 6?). Until then, I think it would be
good to get the IISLockdown tool developed out to meet everyone's needs.