cfhelp wrote:
> http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp
>
> Any reason I wouldn't want to use this?

"this" is actually 2 products, LockDown and URLScan. Although they are bundled in one package, they are really 2 entirely different things. LockDown is a tool to configure your IIS install. URLScan runs as an ISAPI filter and will intercept requests at runtime.

For LockDown, you wouldn't want to use it because:
1. It doesn't add any security to a system that is already configured correctly.
2. It breaks CF if you run it after installing CF.
3. It might break various other things such as compression of script files.

URLScan on the other hand adds some extra features, such as the ability to filter requests based on the verb. I'm unsure how useful this really is. I am aware of some Cross Site Scripting exploits in Internet Explorer that could be filtered out this way. But depending on the server to solve a client side vulnerability is wrong for so many reasons that I don't use it (I install it but configure it to let everything pass, and only when there is a reason to filter I will start filtering).

Jochem
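
As an added example, not part of the original post and not a configuration its author published: a urlscan.ini sketch of the two verb-filtering modes the reply describes, installed without filtering any verb versus a verb allow-list. The option and section names are URLScan's own; the verb list in variant B is an assumed one for a site that serves only GET, HEAD and POST, and the other filter sections (extensions, headers, URL sequences) are left out.

```ini
; Constructed example, not from the original post.
; Variant A and variant B are two separate urlscan.ini files; use one.

; --- Variant A: filter installed, but no verb is filtered ---
[options]
UseAllowVerbs=0      ; 0 = consult [DenyVerbs] instead of [AllowVerbs]

[DenyVerbs]
; left empty, so no request is rejected because of its verb

; --- Variant B: verb allow-list ---
[options]
UseAllowVerbs=1      ; 1 = reject any verb not listed in [AllowVerbs]

[AllowVerbs]
; assumed verb set for a site that serves only pages and form posts
; entries in this section are matched case-sensitively
GET
HEAD
POST
```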
