Windows 2000 IIS Lockdown Information
Due to the recent IIS viruses and attacks, an increasing number of Journyx customers have asked about running Microsoft's IIS Lockdown Tool. As of this writing the Windows 2003 Lockdown Tool appears to be unavailable from Microsoft's site. This document refers to the Windows 2000 & NT 4.0 version of the Lockdown Tool, which is called "iislockd.exe". Journyx cannot provide a link to this tool on Microsoft's site. If you do not already have a copy of the tool then you should search Microsoft's support site for IIS Lockdown Tool.
Who These Instructions Are For
This document applies only to Timesheet 5.5 and later, including 5.5.2m1 and 5.6. This document explicitly does not apply if you are running a version of Timesheet prior to 5.5. If you are running an older version of Timesheet and you have a current maintenance contract then you will need to contact Journyx support for assistance.
Journyx has produced this document because the IIS Lockdown Tool has a large number of configuration options that may disable Timesheet if misconfigured. This document should not be taken as advice from Journyx that any customer install or not install any security patch. This document is merely an acknowledgement that many Journyx customers have had difficulties installing the IIS Lockdown Tool in a manner that did not disable their Timesheet installation.
If your Windows server is hosting any web pages or applications other than Timesheet then you may need to make additional configuration allowances for those sites or applications. The IIS Lockdown Tool disables all IIS services and functions when run with no configuration changes. Configuring the IIS Lockdown Tool is simply a matter of telling the tool which services and functions not to disable. If you need to deviate from the configuration outlined below, for the purpose of allowing other sites or applications to work, then you need to allow more IIS processes and functions. Do not disallow any of the processes and functions that are documented below as allowed.
Journyx And Other Vendors' Patches
Journyx recommends that all customers remain informed of security bulletins from other software manufacturers, and take reasonable security precautions as they deem necessary. Journyx should not be your source of security information. Journyx updates all of our internal test and development servers regularly, and thus tests security patches relatively soon after they are released. To date no security patch or tool has proven to be incompatible with Timesheet.
Safety First! Backing Up Your Timesheet Data
As with any Timesheet server changes, you should always run a Timesheet backup of your Timesheet database. Please use the Timesheet backupdb utility to perform this backup. On your Timesheet server, in the Start menu, under Programs and then Journyx Timesheet, select the Timesheet Command Line Prompt. If you simply type backupdb with no parameters then you will see the full usage instructions for the backupdb command. Normally you will type something like backupdb -v iislockdown to create a backup file called iislockdown.jx. On most servers the backupdb command should complete in a matter of minutes. For further information on Timesheet's backupdb command, please see the Journyx KnowledgeBase.
Stopping The Journyx Timesheet Service
Before you run the IIS Lockdown Tool you must stop the Journyx Timesheet service. This can be accomplished by going to the Services control panel, selecting the 'Journyx Timesheet' service, and hitting the Stop button. You can find the Services control panel either by right-clicking on 'My Computer' and choosing 'Manage', or by going to your Control Panel, and then Administrative Tools, and then selecting Services.

Running The IIS Lockdown Tool
On the first page of the IIS Lockdown Tool wizard there are templates for various types of servers. These templates simply pre-select the major configuration options for you. The template that most closely matches the configuration you need for Timesheet is "Dynamic Web Server (ASP enabled)", towards the bottom of the list. You will need to select the checkbox for "View Template Settings" at the bottom of the page.

The second page of the wizard is a list of the major functions that will be enabled after the lockdown. If you chose "Dynamic Web Server (ASP enabled)" then only the "Web Service (HTTP)" should be selected. No other service needs to be enabled for Timesheet.

The third page of the wizard is a list of the types of HTML script maps to be disabled. If you chose "Dynamic Web Server (ASP enabled)" then only the "Active Server Pages (.asp)" should be enabled. No other types of script maps need to be enabled for Timesheet.

The fourth page of the wizard is a list of specific IIS functions to be disabled. If you chose "Dynamic Web Server (ASP enabled)" then everything on this page will come up as being disabled. You must uncheck "Writing to Content Directories" in the middle of the page. No other function needs to be enabled for Timesheet.

After the wizard completes you will need to restart the Journyx Timesheet service. There is no need to reboot the server. The IIS Lockdown is complete and Timesheet should be running normally.
Additional Questions & Getting Help
If you have any further questions or problems with the IIS Lockdown Tool then you should contact Microsoft support. If you have further questions about Timesheet then please contact Journyx support.


