Microsoft KB Archive/832852

= MBSA detects the IIS Lockdown Tool after you use the IIS Lockdown Tool Undo feature =

Article ID: 832852

Article Last Modified on 3/1/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.1
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Server 4.0

-



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx





Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
After you use the Undo feature of the IIS Lockdown Tool, the Microsoft Baseline Security Analyzer (MBSA) reports the following when you run the MBSA:

The IIS Lockdown Tool has been run on the machine.



CAUSE
When you install the IIS Lockdown Tool, the following registry entry is created:

However, when you rerun the Lockdown Tool to undo previous changes, this registry entry is not deleted. The MBSA checks for this registry entry as part of its scan for IIS vulnerabilities, and the MBSA bases its scan results on whether this key is present or is absent.



WORKAROUND
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To work around this problem, after you use the undo feature of the IIS Lockdown Tool wizard, manually delete the following registry key if it exists:

When you delete this registry key, the MBSA recognizes that the IIS Lockdown Tool settings are no longer in effect and makes a recommendation that the IIS Lockdown Tool should be run.

Note Microsoft strongly recommends that you install the IIS Lockdown Tool and URLScan on servers that are running Microsoft Internet Information Services (IIS).



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

