Detecting and enforcing secure IIS configurations

(imported topic written by BenKus)

Some of our customers use BES to detect and enforce secure IIS configurations by creating Fixlets or properties that enforce their IIS policies. The nice benefit of this is that BES can routinely and cheaply check the IIS configurations and you will know within a few minutes of any insecure configuration (or you can have a policy action to auto-enforce the policy).

Here are some example checks that use the metabase inspectors (False=compliant, True=non-compliant):

WWWRoot folder can’t be on “C:”:

exists it whose (name of drive of it as lowercase = “c:”) of folder (values whose (identifier of it as integer = 3001) of keys “Root” of keys of key “LM\w3svc” of metabase as string)

Logging must be enabled in “Extended Logging Format”:

exists value whose (identifier of it as integer = 4000 AND it as integer != 1) of (key “LM\w3svc” of it;keys of key “LM\w3svc” of it) of metabase OR exists value whose (identifier of it as integer = 4011 AND it as string != “{FF160663-DE82-11CF-BC0A-00AA006111E0}”) of (key “LM\w3svc” of it;keys of key “LM\w3svc” of it) of metabase

Need help with some other checks? Just ask.

Ben

(imported comment written by iblinder91)

Ben,

Do you know if we can get the status of Web Service Extensions? I want to know for instance if Active Server Pages - Allowed or Prohibited. I looked into metabase and WMI and can’t find the status there…

Thanks, Ilia

(imported comment written by BenKus)

Hi Ilia,

I took a quick look around but couldn’t obviously spot it in the metabase either… I am guessing it is there somewhere, but we just need to find it…

Ben