FRAMINGHAM (04/06/2000) - Microsoft Corp. has released a free utility designed to help network professionals automatically and optimally configure the recently released Internet Information Server (IIS) 5.0 package.
Internet Server Security Configuration Tool (ISSCT) walks users through the process of setting up the IIS 5.0 Web server - which is built into Windows 2000 - with a series of checkboxes for services such as FTP or Network News Transfer Protocol. The utility also asks if the Web server will handle static or dynamic content and whether connections are needed for other back-end systems such as databases.
The utility is intended to provide a hard-line evaluation of what services are activated on IIS and is designed to error on the side of caution so users don't leave security gaps in their base configurations. Services left open on a Web server potentially could become playgrounds for hackers.
The configuration checklist is similar to the one Microsoft produced for IIS 4.0, except the ISSCT tool is online and automated. IIS 4.0 provided a paper cheat sheet server administrators had to carry around during installations.
ISSCT not only guides users through the configuration, but also saves the configuration file so it can be reused on other machines.
Microsoft is positioning the utility as the first step in setting up secure Web servers, arguing that services not in use should be locked down.
"It sounds more like a management tool with the benefit coming for people who have to deploy multiple servers," says Jim Hurley, an analyst with Aberdeen Group. "If you're talking about a tool that does such things as set policies on the firewall and test them before distributing those policies to servers, that's security."
Microsoft officials acknowledge that the first version of the tool is mostly for configuration but claim configuration is a foundation for good security.
"We know that the vast majority of security break-ins happen because of misconfigurations," says Scott Culp, a security product manager for Microsoft.
"What we are trying to do with this tool is close some of those problems off."
Culp says future enhancements will include mechanisms for staying up-to-date on patches and security maintenance, and support for servers with multiple network interface cards.
Users should take caution when using ISSCT. It can make servers inaccessible to anything but Web services, because it can cripple any service not required by IIS.
Microsoft: www.microsoft.com/technet/security/tools.asp