How to verify the IIS Lockdown Tools has been running
Q: How should I verify the IIS LockDown tool on Windows 2000 Server?
A: Reporting this tool has been running a thing, and reporting it is still playing again and another thing. In other words, when you run the LockDown tool for the first time, some specific files and settings are created, you can determine the LockDown tool on the server. However, you can easily run this tool, or you can easily revoke it. Therefore, if you want to determine that this tool is still playing, it is not enough to verify that this tool has been running on the server.
If any of the following conditions is true, the LockDown tool has been running:
• There is a local group Web Anonymous Users and Web Applications. If this tool is run, these groups will be created, but these groups do not delete if they run this tool again to cancel the lock. • <% Root Catalog%> / System32 / InetSRV folder has log file oblt-log.log and oblt-rep.log. In order to test whether it is still in a locked state, you can check if there is an oblt-undo.log and oblt-undone.log file. If these files do not exist, or they exist, and the date and time are still in the locked state. • There is a registry key HKLM / Software / Microsoft / Iis Lockdown Wizard.
In addition, Microsoft Baseline Security Analyzer can also report to whether to run the LockDown tool on the local or remote IIS server, but it cannot report whether this tool has been revoked.
