(imported topic written by BenKus)
Some of our customers use BES to detect and enforce secure IIS configurations by creating Fixlets or properties that enforce their IIS policies. The nice benefit of this is that BES can routinely and cheaply check the IIS configurations and you will know within a few minutes of any insecure configuration (or you can have a policy action to auto-enforce the policy).
Here are some example checks that use the metabase inspectors (False=compliant, True=non-compliant):
WWWRoot folder can’t be on “C:”:
exists it whose (name of drive of it as lowercase = "c:") of folder (values whose (identifier of it as integer = 3001) of keys "Root" of keys of key "LM\w3svc" of metabase as string)
Logging must be enabled in “Extended Logging Format”:
exists value whose (identifier of it as integer = 4000 AND it as integer != 1) of (key "LM\w3svc" of it;keys of key "LM\w3svc" of it) of metabase OR exists value whose (identifier of it as integer = 4011 AND it as string != "{FF160663-DE82-11CF-BC0A-00AA006111E0}") of (key "LM\w3svc" of it;keys of key "LM\w3svc" of it) of metabase
Need help with some other checks? Just ask.
Ben
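The logic of the two checks above, as an added Python example that is not part of the original post and is not BES code. It assumes a simplified, constructed metabase model (a dict of key path to {identifier: value}) and hypothetical function names; it also shows that a key where the property is not set at all does not trip either check.

```python
# Added illustration: a constructed, simplified metabase model
# {key path: {property identifier: value}}; not real inspector output.
from ntpath import splitdrive

EXTENDED_LOG_CLSID = "{FF160663-DE82-11CF-BC0A-00AA006111E0}"  # value from the post
W3SVC = r"LM\w3svc"

def children(metabase, parent):
    """Immediate child keys of `parent` (the 'keys of key' step)."""
    prefix = parent.lower() + "\\"
    return [k for k in metabase
            if k.lower().startswith(prefix) and "\\" not in k[len(prefix):]]

def wwwroot_on_c(metabase):
    """Check 1: True (non-compliant) if any site's Root path (id 3001) is on C:."""
    for site in children(metabase, W3SVC):
        for key in children(metabase, site):
            if key.lower().endswith("\\root"):
                path = metabase[key].get(3001)
                if path is not None and splitdrive(str(path))[0].lower() == "c:":
                    return True
    return False

def logging_noncompliant(metabase):
    """Check 2: True if id 4000 is set and != 1, or id 4011 is set and != the CLSID."""
    scope = [k for k in metabase if k.lower() == W3SVC.lower()] + children(metabase, W3SVC)
    for key in scope:
        props = metabase[key]
        if 4000 in props and int(props[4000]) != 1:
            return True
        if 4011 in props and str(props[4011]) != EXTENDED_LOG_CLSID:
            return True
    return False

# Constructed sample data.
SAMPLE = {
    r"LM\w3svc": {4000: 1, 4011: EXTENDED_LOG_CLSID},
    r"LM\w3svc\1": {4000: 0},                      # logging turned off on site 1
    r"LM\w3svc\1\Root": {3001: r"C:\Inetpub\wwwroot"},
    r"LM\w3svc\2": {},                              # nothing set at site level
    r"LM\w3svc\2\Root": {3001: r"D:\Sites\intranet"},
}

if __name__ == "__main__":
    print("WWWRoot on C: ->", wwwroot_on_c(SAMPLE))
    print("Logging non-compliant ->", logging_noncompliant(SAMPLE))
```

Because both checks are written as "exists value whose ...", a site with neither 4000 nor 4011 set returns False (compliant) here, so a separate existence check is needed if the policy requires the setting to be present.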