Muhahaaha...

Warren Togami warren at togami.com
Sat Jan 26 00:22:18 PST 2002


http://groups.google.com/groups?selm=3c3c9b9d.518663173%40news

I followed this guide and managed to install IIS 5.0 from my Windows
2000 Advanced Server CD onto Windows XP Home.  At first it had some
permission problems due to missing system accounts in the Home version that
are present in Windows 2000, but that was easily fixable.

Applying the updates was a bit more complicated.  The hotfixes refused
to run because they detected the wrong build of Windows, major version,
minor version and service pack. Fortunately the raw files within the
hotfix had a plain text file to edit these values, and it easily
installed the hotfixes.

This was the first time I took a serious look at securing and
configuring IIS.  There are a few good things about its configuration
interface that Apache could learn some lessons from, but I'm appalled by
this thing Windows calls a "security model".

The most absurd part is the URLscan filter that the IIS Lockdown tool
installs.  At first I thought it would be some kind of complicated
security tool, but it appears to just intercept URLs by name that were
default ASP and executables in default IIS configurations and other
stuff that could possibly be exploitable by Code Red or Nimda, and
display an error 500 message without any error message in the event
logs.  It took me an hour of testing to figure out it was a NORMAL error
message and my IIS configuration was actually correct.

Ewww... default.htm and default.asp...

On the bright side, I avoided paying Microsoft $300 for Windows XP Pro. 
I think I'll donate that to Mandrake, Red Hat, Transgaming and
CodeWeavers instead.

Warren Togami
warren at togami.com
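Added example, not part of the post above: a small Python emulation of the kind of name-based deny filter the post describes, with one deliberate difference, every rejection is logged together with the rule that fired, which is the visibility the author found missing. The deny lists and sample requests are constructed for illustration and are not the contents of any real urlscan.ini.

```python
import logging
import posixpath
from urllib.parse import unquote

# Constructed deny rules in the spirit of a name-based URL filter; illustrative
# only, not copied from a real urlscan.ini.
DENY_EXTENSIONS = {".ida", ".idq", ".printer", ".htr", ".exe", ".dll", ".bat"}
DENY_PREFIXES = ("/scripts/", "/_vti_bin/", "/msadc/", "/iisadmpwd/")
DENY_SEQUENCES = ("..", "\\", ":", "%")

log = logging.getLogger("urlfilter")


def normalize(raw_path: str) -> str:
    """Strip the query string and percent-decode repeatedly until the path is
    stable, so an over-encoded '%252e%252e' is judged as '..' rather than
    passed through undecoded. A '%' that survives three rounds is itself
    treated as a suspicious sequence by the caller."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def check_request(raw_path: str) -> tuple[int, str]:
    """Return (status, rule). 200 means the request passes; 500 mirrors the
    bare error the post describes, but here the rejection names its rule and
    is written to the log so an operator can tell a block from a real fault."""
    path = normalize(raw_path)
    rule = ""
    if any(seq in path for seq in DENY_SEQUENCES):
        rule = "denied url sequence"
    elif path.startswith(DENY_PREFIXES):
        rule = "denied path prefix"
    else:
        ext = posixpath.splitext(path)[1]
        if ext in DENY_EXTENSIONS:
            rule = f"denied extension {ext}"
    if rule:
        log.warning("blocked %r -> %s", raw_path, rule)
        return 500, rule
    return 200, "allowed"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample requests: two ordinary pages and two probe-style paths.
    for sample in ("/default.htm", "/default.asp", "/default.ida?NNNN",
                   "/scripts/..%255c../winnt/system32/cmd.exe"):
        print(sample, check_request(sample))
```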