MS server security patches: It's a trade-off

After the rampage of Code Red, which specifically exploited Microsoft IIS servers, the Redmond-based company has released several security patches that address the vulnerabilities, but at a price.
Written by Mark Street, Contributor
Following fierce criticism of the security of its products, Microsoft has launched a brace of new, downloadable tools designed to reduce IIS vulnerabilities, while helping administrators to keep on top of essential security fixes.

But analysts warn the server security tool may compromise functionality in the name of security. The IIS Lockdown tool is designed to address vulnerabilities associated with printing and scripting features in IIS Web Server 4.0 and 5.0, by automatically configuring Web servers to provide only the services that administrators require. This reduces the ability of viruses and worms to infect machines through features that are installed but not actually needed.

The tool offers two operating modes. The default is Express Lockdown, which configures the server in a secure way appropriate for basic Web servers, but for those who want to pick and choose the technologies to be enabled, the tool offers an Advanced Lockdown mode. Microsoft underlined that the service should be used in conjunction with other security services, such as antivirus software or firewall protection.
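The deny-by-default configuration described above (an Express mode that keeps only what a basic web server needs, and an Advanced mode in which the administrator names the features to keep), as an added Python example that is not Microsoft's tool or code: the feature names, the express allowlist and the report structure are constructed for illustration and do not correspond to IIS's real configuration keys.

```python
"""
Deny-by-default feature lockdown: anything enabled on the server that is not
on an explicit allowlist is disabled. Added example; the feature inventory and
the policies are constructed and are not IIS Lockdown's actual behaviour.
"""
from dataclasses import dataclass

# Constructed inventory of optional web-server features and what each exposes.
SERVER_FEATURES = {
    "static_html": "default file handler",
    "asp_scripting": "server-side script mapping",
    "internet_printing": "Internet printing ISAPI extension",
    "index_server": "Index Server ISAPI extension",
    "server_side_includes": "server-side include mapping",
    "webdav": "WebDAV publishing",
    "ftp": "FTP service",
}
KNOWN = frozenset(SERVER_FEATURES)

# Constructed Express policy: a basic web server serves static files and nothing else.
EXPRESS_ALLOWLIST = frozenset({"static_html"})


@dataclass
class LockdownReport:
    mode: str
    kept: frozenset
    disabled: frozenset
    rejected: frozenset = frozenset()  # allowlist entries that name no known feature

    def remaining_handlers(self):
        """What is still reachable after lockdown, for the post-change review."""
        return sorted(SERVER_FEATURES[f] for f in self.kept)


def lockdown(enabled, mode="express", allow=None):
    """Compute which enabled features survive the chosen lockdown mode."""
    enabled = frozenset(enabled)
    unknown = enabled - KNOWN
    if unknown:
        raise ValueError(f"unknown enabled features: {sorted(unknown)}")

    if mode == "express":
        allowlist = EXPRESS_ALLOWLIST
        rejected = frozenset()
    elif mode == "advanced":
        if allow is None:
            raise ValueError("advanced mode requires an explicit allowlist")
        allow = frozenset(allow)
        # A mistyped allowlist entry is reported, never silently treated as a keep.
        rejected = allow - KNOWN
        allowlist = allow - rejected
    else:
        raise ValueError(f"unsupported mode: {mode!r}")

    # Deny by default: enabled but not explicitly allowed means disabled.
    kept = enabled & allowlist
    disabled = enabled - allowlist
    return LockdownReport(mode, kept, disabled, rejected)


if __name__ == "__main__":
    current = set(SERVER_FEATURES)  # constructed: server shipped with everything on
    reports = [
        lockdown(current),
        lockdown(current, "advanced", {"static_html", "asp_scripting", "webdav"}),
    ]
    for rep in reports:
        print(f"[{rep.mode}] kept={sorted(rep.kept)} disabled={sorted(rep.disabled)}")
        if rep.rejected:
            print("  rejected allowlist entries:", sorted(rep.rejected))
        print("  reachable handlers:", rep.remaining_handlers())
```

The trade-off the analysts describe is visible in `remaining_handlers()`: the Express report leaves only the static file handler reachable, so any application that relied on scripting, printing or publishing features stops working until an administrator re-enables those specific features in Advanced mode.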

Other tools include HFNetChk, which runs a network report allowing administrators to ensure they are running appropriate patches, while the Microsoft Personal Security Advisor secures NT 4 and Windows 2000 for small businesses or home users. All can be downloaded free from the Internet.

Graham Titterington of analyst firm Ovum welcomed the initiative, but warned that changing the default configuration may lead to a loss of functionality. "I would be surprised if there was not some kind of trade-off, because by adopting a safer and more limited set of functions you reduce the risk of holes in the software," he said.

Mark Tennant, Windows 2000 server product manager, said IIS Lockdown was part of a broader strategy to improve security. "With IIS we developed features that were meant for ease of use, but a criticism was that it made systems vulnerable to security attacks," he said. "The IIS Lockdown tool literally locks down these features and would have made systems impervious to the Code Red virus."

Tennant added that Microsoft had specifically targeted home users and small businesses because their machines were more likely to be unpatched and spread infection.
