If you don't know any other way to harden IIS than patching it, you
seriously need to take a look at some good resources.  If you're running
any IIS boxes, ask for help; you might need it.

Take a look at:
http://www.microsoft.com/technet/security/tools/tools.asp?frame=true

For IIS 5

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5cl.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5chk.asp

There is also great material available from the NSA and SANS.

Above all follow one of the most basic rules in security.  If you are
not using it remove it.  That goes for files, extension mappings,
programs, everything.  You can always add to a system if you need it in
the future.  I have secured hundreds of IIS boxes with great success;
most of the worms did not affect me due to good administration
practices.

You are right that there are about twice the amount of Apache servers
out there (http://serverwatch.internet.com/securityspace/200008ss.html)
but that makes no difference.  I use both of them, they are both good.
It all depends on what I need done and what the client wants.  

Saying that there is no way of securing an IIS box except to use obscure
patches is like saying there is no way to stop a car except to run it
into a tree.  It is just plain wrong!


Patrick S. Harper | MCSE ISS
mailto:[EMAIL PROTECTED] 
http://www.internetsecurityguru.com

How do I set a laser printer to stun?

-----Original Message-----
From: irado furioso com tudo [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 08, 2002 3:36 AM
To: Hornat, Charles
Cc: 'Baba Bogdan'; [EMAIL PROTECTED]
Subject: Re: IIS


just my opinion:

a) there are lots more apaches than IIS
b) statistics is the art to lie.. (forgot the author)
c) it is easier to harden an open system than a proprietary one.
c-1)  And I do not know any other way to harden an IIS than obscure 
patches.. which close a lot of holes just opening new ones.

Hornat, Charles wrote:

> I recently read a statistic that said Apache is hacked more than IIS
> web servers, and I have also seen statistics go the other way.  I did
> a quick search in Google to try and see if I could find a solid
> believable statistic, and was unsuccessful.  I found many individuals
> stating facts without citing their references.
>
> Besides this, does it really matter what web server you choose?  I
> have worked with many and would answer this with: the system is as
> secure as the administrator of that system is knowledgeable.  I know
> administrators who can secure an IIS server and others who can secure
> Apache.  It's like asking which OS is the most secure.  There isn't
> really an answer.
>
> I am doing a study right now on OSes, and which are the most secure
> out of the box and out of the box with the latest security patches
> applied.  The study consists of operating systems like Solaris 6 and 8,
> Red Hat, Windows and so on.  We are using the latest nessus and nmap to
> scan the boxes and will be writing our findings up on each OS.
>
> Let's face it, Apache isn't more secure than IIS.  They are both
> vulnerable unless hardened and protected.
> 
> Charles
> 



-- 

greetings,

irado furioso com tudo.
Linux User (SuSE) 179.402
explaining Father Marcelo ('the pest', the pope's boy, the pope's star): 
old sh$&^ in new clothes.
