In-Reply-To: <[EMAIL PROTECTED]>


> Also, you can run apache instead of IIS as an added measure
> of security as IIS has proven to be a bit of an injection vector for all
> manner of sicknesses...

I'm not about to dictate to anyone what web server
they should run, but if they've already invested
in IIS, the above statement is somewhat short-sighted.

Most of the 'sicknesses' we've seen of late have
been due to programming errors in the product, but
to be completely correct, the reason the various
malware had the effect they did was due to
misconfiguration errors.

If IIS admins had disabled ida/idq script mappings
when they installed the server, they would NOT
have fallen victim to Code Red.  

The directory traversal patch was released in Nov '00,
yet sadmind/IIS (aka, 'poisonbox') ran rampant in
April '01.

I've done incident response on IIS web servers and
when I've asked some admins for the web server
logs, I've received a zipped archive containing
three .evt files.  

So perhaps it's not so much the product as it is
those responsible for managing it.  After all, if
someone misuses a gun and shoots himself in the
foot, is the gun manufacturer then responsible?
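The two misconfigurations this reply points at, ida/idq script mappings left enabled and an unpatched directory traversal, both leave traces in the IIS W3C web logs rather than in .evt files. As an added example that is not part of this thread, the Python below parses a few constructed IIS 5-style log lines and flags requests to .ida/.idq handlers or with an encoded ".." path segment; the field names, sample IPs and paths are assumptions.

```python
from urllib.parse import unquote

# Constructed sample W3C extended log lines (IIS 5 style); not taken from any real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:15:01 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX 200
2001-07-19 10:15:05 192.0.2.11 GET /scripts/..%2f..%2fwinnt/win.ini - 200
2001-07-19 10:16:00 192.0.2.12 GET /index.htm - 200
2001-07-19 10:16:30 192.0.2.13 GET /search.idq CiRestriction=test 404
"""

# Extensions served by the Index Server ISAPI mapping the poster says should be disabled.
SCRIPT_MAP_EXTS = (".ida", ".idq")

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))

def is_traversal(uri_stem):
    """True if any path segment is '..' after decoding (twice, to catch double-encoding)."""
    decoded = unquote(unquote(uri_stem))
    return ".." in decoded.replace("\\", "/").split("/")

def flag_requests(text):
    """Return (reason, client-ip, uri-stem) tuples for requests worth an admin's attention."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        if stem.lower().endswith(SCRIPT_MAP_EXTS):
            hits.append(("ida/idq script mapping", rec["c-ip"], stem))
        elif is_traversal(stem):
            hits.append(("directory traversal", rec["c-ip"], stem))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged line (rather than a 404 from a disabled mapping) is the case that should trigger a closer look at the host.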
