------------------------------------------------------------
| Windows 2000 Internet Server Security Configuration Tool |
| Version 1.00.0020 (Mar 30th 2000)                        |
------------------------------------------------------------

*************************************************************************************
* IMPORTANT NOTE                                                                    *
*                                                                                   *
* In the interests of security, this tool configures a Web server very securely.    *
* It is IMPERATIVE that you review any possible settings before you use this tool.  *
* Failure to do so may make your computer inaccessible to anything but Web services.*
*                                                                                   *
* The general philosophy of this tool is to lock down everything except that which  *
* is required by the Internet Server!                                               *
*                                                                                   *
* Also note, at this moment the tool is designed to configure a Web server and some *
* other common services, it does not configure:                                     *
*   - SQL Server                                                                    *
*   - Commerce Server                                                               *
*   - COM+                                                                          *
*   - Dual-network card computers                                                   *
*   - A computer running Active Directory                                           *
*                                                                                   *
* PLEASE REVIEW THE LEGAL NOTICE AT THE BOTTOM OF THIS FILE                         *
*************************************************************************************

INTRODUCTION
------------

This tool allows you to set security policy to lock down a Windows 2000 Server
running Internet Information Server 5 on the Web.

The tool poses a set of questions that you answer. The answers are then used to
configure the Web server. There are two phases: the questions phase and the
deployment phase. Once you have defined your security policy by answering the
questions, you can deploy the policy to multiple Web server machines using the
deployment phase.

INSTALLATION
------------

Copy the files to a directory of your choice and type

    regsvr32 iissecuritywiz.dll

at the command line. This registers a COM+ component that performs
administrative checks and service manipulation.

GETTING STARTED
---------------

You can start entering policy by running default.htm or opening this file in
Internet Explorer 5.
Please read through the documentation in the tool before you make any system
changes with it.

Once you have created your policy in the data entry tool, a file is produced
(default name IISTemplate.txt) describing your policy. This is fed into a
deployment tool called IISConfig.cmd, which calls a series of script files to
set the policy.

The policy is set at various levels:

  - Service settings
  - IPSec settings
  - SCE settings
  - IIS settings

IMPORTANT

Make sure you review and update the hisecweb.inf file to reflect any
differences in your corporate environment before you continue. You can do this
in the Security Templates MMC snap-in.

COMMAND-LINE OPTIONS
--------------------

Usage: IISConfig [-s server] [-f configfile] [-n] [-d] [-? | -h]

Where:

  [-s server]      is the server name (DNS or NetBIOS; an IP address is not
                   supported).
  [-f configfile]  is the configuration file name.
  [-n]             configures port lockdown, services and IIS script maps only.
                   Does not use the SCE template hisecweb.inf.
  [-d]             displays debug output as the tool executes.
  [-?]             displays this help.

WHAT'S ON THE DISC
------------------

There are two subdirectories, DataEntry and Engine. The former is where you
enter your security policy; the latter is where the script files used to
deploy the policy are stored.

KNOWN ISSUES
------------

At present this tool does not configure all common applications nor all
common Web scenarios. We are investigating which to support and will include
these scenarios in the future.

SCE policy cannot be deployed on a remote computer, only on the local
computer. You may still use the tool, but you will be warned that the SCE
policy should (will) be deployed on the local computer.

If you choose to lock down a remote server tightly, the resulting event log
entry describing the settings you made may not be written to the remote
computer. Instead, the log entry will be written to the local computer's event
log. This is by design.
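The command-line options and known issues above describe constraints that IISConfig only reports at run time (an IP address is not accepted for -s, and SCE settings from hisecweb.inf only ever apply to the local computer). The following PowerShell wrapper is an added example, not part of the Microsoft tool or this disc: it checks those constraints and shows the exact IISConfig command line before anything is changed. It assumes a modern PowerShell host, that IISConfig.cmd and hisecweb.inf live in the Engine subdirectory next to the script, and that the policy file came from the data entry tool; the parameter names are the example's own.

```powershell
# Added example (not part of the Microsoft tool): pre-flight checks for an IISConfig
# run, enforcing the constraints the README states before any setting is changed.
# Assumptions: IISConfig.cmd and hisecweb.inf are in .\Engine relative to this script,
# and the policy file was produced by the data entry tool (default IISTemplate.txt).
param(
    [string]$Server = $env:COMPUTERNAME,           # assumed default: the local computer
    [string]$ConfigFile = "IISTemplate.txt",
    [switch]$PortServicesAndScriptMapsOnly,        # maps to IISConfig -n
    [switch]$DebugOutput                           # maps to IISConfig -d
)

$ErrorActionPreference = 'Stop'

# 1. -s takes a DNS or NetBIOS name; the README says an IP address is not supported.
$parsedAddress = $null
if ([System.Net.IPAddress]::TryParse($Server, [ref]$parsedAddress)) {
    throw "IISConfig does not accept an IP address for -s; use the DNS or NetBIOS name instead of '$Server'."
}

# 2. The policy file must exist (and should have been reviewed) before deployment.
if (-not (Test-Path -LiteralPath $ConfigFile)) {
    throw "Policy file '$ConfigFile' not found. Create it with the data entry tool (DataEntry\default.htm) first."
}

# 3. SCE policy (hisecweb.inf) can only be applied on the local computer. If a remote
#    server is named and -n was not requested, say so now rather than mid-deployment.
$isLocal = ($Server -ieq $env:COMPUTERNAME) -or ($Server -ieq 'localhost')
if (-not $isLocal -and -not $PortServicesAndScriptMapsOnly) {
    Write-Warning ("SCE settings from hisecweb.inf cannot be deployed to remote computer '$Server'; " +
                   "they would apply to this local computer instead. Run the tool on '$Server' itself " +
                   "or pass -PortServicesAndScriptMapsOnly (IISConfig -n).")
}

# 4. Point the operator at the template the README says to review, then show the
#    exact command line so the deployment can be audited before it runs.
$engine   = Join-Path $PSScriptRoot 'Engine'            # assumed location of the scripts
$template = Join-Path $engine 'hisecweb.inf'
if (Test-Path -LiteralPath $template) {
    Write-Host "Review $template in the Security Templates MMC snap-in before continuing."
}

$cmdArgs = @('-s', $Server, '-f', (Resolve-Path -LiteralPath $ConfigFile).Path)
if ($PortServicesAndScriptMapsOnly) { $cmdArgs += '-n' }
if ($DebugOutput)                   { $cmdArgs += '-d' }

Write-Host "About to run: IISConfig $($cmdArgs -join ' ')"
$answer = Read-Host "Deploy this policy to '$Server'? (y/N)"
if ($answer -ine 'y') {
    Write-Host 'Aborted; nothing was changed.'
    return
}

& (Join-Path $engine 'IISConfig.cmd') @cmdArgs
```

Run it from the directory that holds the Engine subdirectory, for example `.\Deploy-IisPolicy.ps1 -Server webserver01 -ConfigFile .\IISTemplate.txt -PortServicesAndScriptMapsOnly`. The wrapper never edits hisecweb.inf or the policy file itself; it only refuses the inputs the README says IISConfig cannot handle and makes the remote-SCE limitation visible before the scripts start changing services and IPSec settings.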
LEGAL NOTICE
------------

THE INFORMATION PROVIDED IN THIS TOOL IS PROVIDED "AS IS" WITHOUT WARRANTY OF
ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES
DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

FEEDBACK
--------

Please feel free to email Michael Howard (mikehow@microsoft.com) if you have
any comments/feedback.

Thanks!