New IIS tool keeps servers secure

The business of securing corporate networks is a game of defense for IT managers, especially those running Microsoft Corp. server software that is a favorite target for hackers.

So last week, Microsoft released a tool that will help IT managers play better defense as they secure their Internet Information Server 5.0 installations.

The free tool, called Hotfix Check, helps IT managers ensure that their IIS servers have all the current security patches in place. The tool works by comparing the patches installed on an IIS server against a database of available patches on the Microsoft security Web site.

When Hotfix Check finds a patch that is missing from a server, it writes the data into an event log. Users can customize the notification process to include sending e-mail to an administrator or shutting down IIS until the patch is installed.

Hotfix Check will not automatically download patches; that must be done manually by an administrator.

However, the tool can be activated automatically from the Windows Task Scheduler on a daily, weekly or monthly basis. Hotfix Check can monitor one IIS server or check the patch status on multiple servers.

“Servers that have not had appropriate patches applied are amongst the most commonly vulnerable systems,” says Russ Cooper, a noted Windows security expert and editor of the NTBugTraq Web site. “This tool, according to its stated purpose and method of operation, should help minimize these [vulnerabilities].”

Cooper says the tool appears to be an excellent starting point. But users will have to evaluate the security of the product, including guarantees that the tool is securely connecting to the Microsoft Web site, he says.

IT managers can keep a local database of patches instead of checking the Microsoft site, but must be sure that they keep the local database updated.

“The goal here was to improve the lives of Web server administrators,” says Scott Culp, security program manager at the Microsoft Security Response Center. “Maintenance is a big part of security, and this tool is a good way to be up to date on patches and ensure consistency across servers.”

The tool is part of a series of free offerings from Microsoft that include tools that walk users through the secure setup of servers and domain controllers.

While Hotfix Check only works with IIS 5.0, Culp says versions are in the works for other versions of the server and for Windows 2000.

“This is a 1.0 version, so we want to get as much feedback as possible,” says Culp.

One known issue is that Hotfix Check can report misleading results if IIS has to be reinstalled. Microsoft says that reinstalling IIS overwrites files installed with a hotfix, but does not delete the hotfix entries in the registry. Hotfix Check uses those registry entries to detect missing patches, so after a reinstallation the registry would still show a hotfix as installed even though its files are no longer present.

Microsoft says users must delete the hotfix entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix after reinstalling IIS to avoid the problem.
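The failure mode above, modelled as an added example (this is not Hotfix Check's own code): a patch audit that trusts only the registry misses a hotfix whose files were rolled back by an IIS reinstall, so the check below also compares the file versions on disk against what each hotfix shipped. The hotfix ids, file names and versions are constructed placeholders, not real Microsoft identifiers.

```python
"""Model of a hotfix-compliance audit and the stale-registry failure mode.

Constructed data: the Q-numbers, file names and versions below are
placeholders, not real Microsoft hotfix identifiers.
"""

# Catalogue of available hotfixes: id -> {file name: version the hotfix shipped}
CATALOG = {
    "Q000001": {"asp.dll": (5, 0, 0, 200)},
    "Q000002": {"w3svc.dll": (5, 0, 0, 310), "asp.dll": (5, 0, 0, 250)},
}


def parse_version(text):
    """Turn a dotted file version such as '5.0.0.200' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def audit(registry_hotfixes, disk_versions, catalog=CATALOG):
    """Compare registry hotfix entries and on-disk file versions with the catalogue.

    registry_hotfixes: set of hotfix ids recorded under the HotFix registry key.
    disk_versions: mapping of file name -> version string actually on disk.
    Returns (missing, stale): hotfixes with no registry entry, and registry
    entries whose files are older than the hotfix shipped, which is what an
    IIS reinstall leaves behind.
    """
    missing = sorted(set(catalog) - registry_hotfixes)
    stale = []
    for hotfix in sorted(registry_hotfixes & set(catalog)):
        for name, required in catalog[hotfix].items():
            present = parse_version(disk_versions.get(name, "0.0.0.0"))
            if present < required:
                stale.append(hotfix)  # registry says installed, files disagree
                break
    return missing, stale


# Constructed scenario: Q000001 was applied, then IIS was reinstalled, which
# rolled asp.dll back to its original version but left the registry entry.
REGISTRY_AFTER_REINSTALL = {"Q000001"}
DISK_AFTER_REINSTALL = {"asp.dll": "5.0.0.100", "w3svc.dll": "5.0.0.100"}

if __name__ == "__main__":
    missing, stale = audit(REGISTRY_AFTER_REINSTALL, DISK_AFTER_REINSTALL)
    print("missing from registry:", missing)  # ['Q000002']
    print("registry says installed, files say otherwise:", stale)  # ['Q000001']
```

A registry-only check would report just Q000002 here; the file-version cross-check is what surfaces Q000001 as needing reapplication.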

Hotfix Check consists of two pieces: HFCheck.WSF, which is the actual tool, and Notify.JS, which is used to build in customizations. The free tool is available at security/tools.asp under the Security Tools heading.