Outlook Web Access security


Outlook Web Access security dylan
12/28/2004 7:49:33 AM
iis security:
I have a Windows 2000 server with Exchange 2000 and IIS 5 running on
it. I have OWA set up on this server for out of office users as well.
I am trying to secure this system, so I ran the IIS Lockdown tool on it
and it did its thing without a hitch. Then when I run the Microsoft
Baseline Security Analyzer on the machine, it says that I should
disable Parent Paths. When I do this OWA stops working. If I re-run
the Microsoft Baseline Security Analyzer it resets everything to how it
was originally and I'm back at square one. Has anyone done this and
can give me some advice?
Thanks.
RE: Outlook Web Access security brett hill, IIS MVP iistraining.com
12/28/2004 9:51:03 AM
The baseline analyzer makes the suggestion you disable parent paths, but like
most security configurations, it is a suggestion, not a directive. OWA may
require parent paths and it sounds like it does. The lockdown tool is not
involved in this so there is no need to undo what it has done. Simply do what
you can that the baseline analyzer suggests, but do not disable parent paths
if it is required by your application. Many, many applications use parent
paths so it is commonly left enabled, but would be best if it was disabled
for security reasons.


Re: Outlook Web Access security dylan
12/28/2004 10:07:40 AM
That's kind of what I figured. However, the documentation from
Microsoft says:

If done incorrectly, Exchange (specifically Outlook Web Access) will no
longer function. If this occurs, run the IIS Lockdown tool again and
after verifying the three child nodes in the previous steps appear in
the Inheritance Overrides dialog box, click OK to accept these
settings.

The problem with that is that it's just a checkbox, so I don't really
see how it could be done "incorrectly". This statement from them makes
me think that it can be done, I just can't figure out how. Also, I
have no idea what they're talking about in that statement about
verifying three child nodes in the previous steps. What previous steps
are they referring to?
Re: Outlook Web Access security dylan
12/29/2004 8:57:01 AM
I found the steps they were talking about. It still doesn't work right,
though; now I get a directory listing of the Exchange virtual directory
when I log into OWA.