Security Basics mailing list archives

RE: Seeking IIS v6 checklist and clarification on authentication


From: "Carl Davis" <cdavis () rvasi com>
Date: Sun, 7 May 2006 01:21:57 -0500

Here are some links to resources.  Hope these help.

Windows 2003/IIS 6.0 DMZ Hardening Guidelines
http://www.shebeen.com/win2003/

Securing Internet Information Services 6.0
http://www.microsoft.com/smallbusiness/support/articles/sec_iis_6_0.mspx 

IIS 6.0 Security Best Practices
http://technet2.microsoft.com/WindowsServer/en/Library/ace052a0-a713-423e-8e8c-4bf198f597b81033.mspx

Security in IIS 6.0 (links to resources)
http://technet2.microsoft.com/WindowsServer/en/Library/354f4539-982a-418c-bfe7-4d5155b83f4a1033.mspx

Checklist: ASP Security (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d2e896b5-97af-4b74-89be-55a30e1030e2.mspx?mfr=true

Microsoft IIS Hardening Checklist
www.uchsc.edu/is/security/IISHardeningChecklist.pdf

Cheers, 

Carl Davis,C|EH,CISSP,MCSE,CCSA
Site: http://www.rvasi.com 
Forum: http://www.rvasi.com/forum 


-----Original Message-----
From: Pranav Lal [mailto:pranav.lal () gmail com] 
Sent: Tuesday, May 02, 2006 11:32 AM
To: security-basics () securityfocus com
Subject: Seeking IIS v6 checklist and clarification on authentication

Hi all,

I need a checklist for hardening IIS, that is, Internet Information Services
v6. I have found several guides on IIS v5 but very little on v6. This brings
me to my next point. I have found an article or 2 that explain the
differences between IIS v5 and v6. One key difference was regarding
authentication. The IIS v5 checklist suggests that basic and direct
authentication should be disabled in IIS v5 since reversible encryption is
used, especially in direct authentication. Is this true? I believe this has
changed in IIS v6, but what is the change?

Pranav


