There is a useful tool, HFCINST.exe, for auditing web servers. The HFCheck tool allows IIS 5.0 administrators to ensure that their servers are up to date on all security patches. The tool can be run continuously or periodically, on a local machine or a remote one, using either a database on the Microsoft Web site or a locally-hosted copy. When the tool finds a patch missing, it can display a dialogue box or write a warning to the event log. Administrators can run this tool to validate that all of the pertinent hot fixes were applied. The Windows 2000 IIS 5.0 Hotfix Checking Tool can be downloaded from http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168. From the documentation file:
HFCHECK.WSF consults an XML file list – either hosted on the Microsoft site or downloaded to the local machine – for the list of hotfixes available for IIS, then compares this list to the hotfixes installed on the local system. If a hotfix is missing, the tool calls the Notify function in NOTIFY.JS. The current implementation of Notify reports an error on the command-line and writes a warning message to the Application Eventlog, but it is possible to customize it to perform other actions such as stopping the server or sending an e-mail to the administrator. The Notify function is in a separate file (NOTIFY.JS), so that you can easily rewrite the Notify function for your own needs.
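As an added illustration of the flow the documentation describes (read the XML hotfix list, compare it with what is installed, call Notify once per gap), here is a small Node.js script. It is not HFCheck's own code: the XML layout, attribute names, hotfix ids and bulletin names are constructed placeholders, and the "installed" list is a fixed array standing in for whatever the real tool reads from the local system. The point it shows is the seam where an administrator swaps the default notifier for e-mail or a service stop without touching the comparison logic.

```javascript
// Added example, not HFCheck's own code: mirror the HFCHECK.WSF flow of
// "read hotfix list (XML) -> compare with installed hotfixes -> call Notify".
// The XML layout, attribute names, hotfix ids and bulletin names below are
// constructed placeholders for this example, not Microsoft's real schema.

const HOTFIX_LIST_XML = `
<hotfixes product="IIS 5.0">
  <hotfix id="Q000001" bulletin="MS00-PLACEHOLDER-1" severity="critical"/>
  <hotfix id="Q000002" bulletin="MS00-PLACEHOLDER-2" severity="important"/>
  <hotfix id="Q000003" bulletin="MS00-PLACEHOLDER-3" severity="moderate"/>
</hotfixes>`;

// Constructed stand-in for the hotfixes recorded as installed on the host
// (HFCheck reads these from the local system; here they are a fixed list).
const INSTALLED_HOTFIXES = ["q000001", "Q000003"];

// Minimal parser for the constructed <hotfix .../> elements above.
// Returns [{id, bulletin, severity}, ...]. Not a general XML parser.
function parseHotfixList(xml) {
  const entries = [];
  const elementRe = /<hotfix\b([^>]*)\/>/g;
  const attrRe = /(\w+)="([^"]*)"/g;
  let el;
  while ((el = elementRe.exec(xml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(el[1])) !== null) {
      attrs[a[1]] = a[2];
    }
    if (attrs.id) entries.push(attrs);
  }
  return entries;
}

// Set difference: required hotfixes whose id is not in the installed list.
// Ids are compared case-insensitively so "q000001" matches "Q000001".
function findMissingHotfixes(required, installed) {
  const have = new Set(installed.map((id) => id.toUpperCase()));
  return required.filter((hf) => !have.has(hf.id.toUpperCase()));
}

// Equivalent of the WSF driver: parse, compare, and call notify(hotfix)
// once per missing hotfix. Returns the missing entries so callers can
// also act on the result (exit code, report, etc.).
function checkHotfixes(xml, installed, notify) {
  const missing = findMissingHotfixes(parseHotfixList(xml), installed);
  for (const hf of missing) notify(hf);
  return missing;
}

// Default notifier in the spirit of NOTIFY.JS: report on the console.
// (The real tool also writes a warning to the Application event log.)
function consoleNotify(hf) {
  console.error(
    `WARNING: hotfix ${hf.id} (${hf.bulletin}, ${hf.severity}) is not installed`
  );
}

// Alternative notifier: accumulate findings into a sink, e.g. to build one
// e-mail body or a single summary event instead of one message per hotfix.
function makeCollectingNotify(sink) {
  return (hf) => {
    sink.push(`${hf.id} [${hf.severity}] ${hf.bulletin}`);
  };
}

// Stand-alone run: non-zero exit code when anything is missing, so the
// script can be scheduled and its result picked up by a monitoring job.
if (typeof require !== "undefined" && require.main === module) {
  const missing = checkHotfixes(HOTFIX_LIST_XML, INSTALLED_HOTFIXES, consoleNotify);
  process.exitCode = missing.length === 0 ? 0 : 1;
}
```

Running it as written reports Q000002 as missing and exits with code 1; replacing `consoleNotify` with the function returned by `makeCollectingNotify` is the hook where a site-specific action (mail, event log, service stop) would go.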
Microsoft is clearly beginning to respond to the continuing exploits of IIS. They have now released an IIS Lockdown tool that lets you configure an IIS 4.0 or 5.0 web server for secure operation. It provides two modes:
- an express mode that is appropriate for most basic web servers
- an advanced mode that allows the administrator to pick and choose the technologies the server will support