RE: Seeking IIS v6 checklist and clarification on authentication

[Johnny Cho <popeye92 () yahoo com>]

> > I need a checklist for hardening IIS that is internet Information Services
> > v6. I have found several guides on IIS v5 but very little on v6. This brings
> > me to my next point. I have found an article or 2 that explains the
> > differences between iis V5 and v6. One key difference was regarding
> > authentication. The IIS v5 checklist suggests that basic and direct
> > authentication should be disabled in IIS v5 since reversible encryption is
> > used especially in direct authentication. Is this true? I believe this has
> > changed in IIS v6 but what is the change?

> These two Microsoft resources should help you:
>  
> http://www.microsoft.com/windowsserver2003/iis/techinfo/default.mspx
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/848968f3-baa0-46f9-b1e6-ef81dd09b015.mspx?mfr=true
>  
> Specifically the Deployment and Operations guides listed in the second link.

Another article from infocus in securityfocus 

http://www.securityfocus.com/infocus/1765

Thanks,
Johnny, CISSP/CISA


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com