> so what exactly is Qchain... go here to download it :)
> http://www.webattack.com/get/qchain.shtml
I'd recommend getting it from Microsoft's site directly, I think, but it's
the same thing.
> Thanks for the find.. does it work under NT though as
> well :)
Yes, it does. Simply run all your patches from the command line with "-r -m"
(I think), then run qchain when you're done. The entire process will require
one reboot.
> Outside of that, keeping the boxes current and healthy does
> require patching and reboots... hardening a box can hardly
> be true wherein such is littered with buffer overflows and
> other things that are the basis of service provision...
I can't think of one recent patch that would affect the typical CF/Windows
application server, assuming the box was correctly set up in the first
place. All those buffer overflows you're referencing, they typically attack
ISAPI extensions. Are you using the IIS interface to Index Server? How about
the IIS NT password changer? No, of course not - very few people use these
things (and arguably, shouldn't use them on outward-facing production web
servers). So, if you simply remove/disable/turn off these things, you don't
have to patch them. It's as simple as that.
> Needless to say, there are some better planning that
> everyone might take and apply to minimize risk... However,
> in the real world and in a diversified environment, like
> well, service provision to third parties, turning everything
> off isn't a solution.
Out of curiosity, have any of your customers/clients/whatever required any
of the ISAPI extensions other than those for CF, ASP, and SHTML?
> Windows does a good job, but certainly could perform better
> and more securely by applying some common sense things like
> you recommend Dave. Ideally, that should be the way/job of
> the software creator, not the implementer/buyer...
It's worth noting that, for any piece of software, there are going to be
tradeoffs between security and convenience. Windows and its products
typically favor convenience heavily. That's why they're easier to set up
(note that I didn't say set up "well" or "correctly") but harder to secure.
If you compare that with, say, OpenBSD ("Four years without a remote hole in
the default install!"), well, OBSD favors security much more than
convenience - there aren't any remote holes in the default install because
there aren't any listening services in the default install!
However, neither Windows nor OpenBSD is that difficult to secure, and that
was originally my primary point. You simply don't have to constantly patch
Windows servers to keep them secure, as long as you did the work up front.
And, we're not talking about that much work - you simply have to know what
you're doing (which is just the same as with Unix).
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
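The chained-install procedure described above, written out as a batch script. This is an added example, not something posted in the thread: the E:\hotfix path and the Qnnnnnn hotfix file names are placeholders, and the -z (do not reboot) and -m (unattended) switches are assumed from the options the Windows 2000 hotfix installers accepted, so check them against the switches your hotfixes actually document.

```batch
@echo off
setlocal
rem Added example: install several hotfixes in sequence, then run qchain.exe
rem so that the whole batch needs only one reboot.
rem E:\hotfix and the Q111111/Q222222/Q333333 file names are placeholders.
set PATHTOFIXES=E:\hotfix

rem -z: do not reboot after this hotfix; -m: unattended, no prompts.
rem Both switches are assumed from the hotfix installer's documented options.
for %%F in (Q111111_W2K_SP2_x86.exe Q222222_W2K_SP2_x86.exe Q333333_W2K_SP2_x86.exe) do (
    if exist "%PATHTOFIXES%\%%F" (
        echo Installing %%F
        "%PATHTOFIXES%\%%F" -z -m
    ) else (
        rem Stop before queuing a partial set of file replacements.
        echo Missing %PATHTOFIXES%\%%F, aborting before any reboot
        goto :eof
    )
)

rem qchain.exe reads the pending file-replacement list each hotfix left behind
rem and keeps only the newest version of any file more than one hotfix touched,
rem so an older hotfix run later cannot overwrite a newer file at reboot.
"%PATHTOFIXES%\qchain.exe"

rem A single reboot now completes every queued file replacement.
echo Reboot required to finish installing the chained hotfixes.
endlocal
```

Run this from a local console on the server and reboot once when it finishes; if any hotfix is missing the script stops before qchain.exe runs, so nothing is left half-queued.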
______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
------------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED] with
'unsubscribe' in the body or visit the list page at www.houseoffusion.com