If you're looking for IIS security, then you should check out eServer Secure (www.turilllion.com). It's an application firewall that will protect your IIS servers without having to constantly apply Microsoft patches. I use it and it works great.
----- Original Message -----
From: "Dave Watts" <[EMAIL PROTECTED]>
To: "CF-Server" <[EMAIL PROTECTED]>
Sent: Monday, February 25, 2002 4:50 PM
Subject: RE: PC Server Stability

> > so what exactly is Qchain... go here to download it :)
> > http://www.webattack.com/get/qchain.shtml
>
> I'd recommend getting it from Microsoft's site directly, I think, but it's
> the same thing.
>
> > Thanks for the find.. does it work under NT though as
> > well :)
>
> Yes, it does. Simply run all your patches from the command line with "-r -m"
> (I think), then run qchain when you're done. The entire process will require
> one reboot.
>
> > Outside of that, keeping the boxes current and healthy does
> > require patching and reboots... hardening a box can hardly
> > be true wherein such is littered with buffer overflows and
> > other things that are the basis of service provision...
>
> I can't think of one recent patch that would affect the typical CF/Windows
> application server, assuming the box was correctly set up in the first
> place. All those buffer overflows you're referencing, they typically attack
> ISAPI extensions. Are you using the IIS interface to Index Server? How about
> the IIS NT password changer? No, of course not - very few people use these
> things (and arguably, shouldn't use them on outward-facing production web
> servers). So, if you simply remove/disable/turn off these things, you don't
> have to patch them. It's as simple as that.
>
> > Needless to say, there is some better planning that
> > everyone might take and apply to minimize risk... However,
> > in the real world and in a diversified environment, like
> > well, service provision to third parties, turning everything
> > off isn't a solution.
>
> Out of curiosity, have any of your customers/clients/whatever required any
> of the ISAPI extensions other than those for CF, ASP, and SHTML?
>
> > Windows does a good job, but certainly could perform better
> > and more securely by applying some common sense things like
> > you recommend Dave. Ideally, that should be the way/job of
> > the software creator, not the implementer/buyer...
>
> It's worth noting that, for any piece of software, there are going to be
> tradeoffs between security and convenience. Windows and its products
> typically favor convenience heavily. That's why they're easier to set up
> (note that I didn't say set up "well" or "correctly") but harder to secure.
> If you compare that with, say, OpenBSD ("Four years without a remote hole in
> the default install!"), well, OBSD favors security much more than
> convenience - there aren't any remote holes in the default install because
> there aren't any listening services in the default install!
>
> However, neither Windows nor OpenBSD is that difficult to secure, and that
> was originally my primary point. You simply don't have to constantly patch
> Windows servers to keep them secure, as long as you did the work up front.
> And, we're not talking about that much work - you simply have to know what
> you're doing (which is just the same as with Unix).
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
> ______________________________________________________________________

This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
------------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body or visit the list page at www.houseoffusion.com
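Dave's point above about removing the ISAPI mappings a CF/ASP/SHTML box does not need, as an added example that is not from the thread or from any of the products it mentions: a Python audit over IIS 4/5 metabase ScriptMaps entries that lists which mappings can go and which ISAPI DLLs are left with no mapping at all (and so no longer need an emergency patch on that box). The entry format ".ext,dll path,flags[,VERB,...]" is assumed from the IIS metabase, and the sample entries are constructed, modelled on IIS 5 defaults plus one ColdFusion mapping.

```python
"""Audit IIS 4/5 metabase ScriptMaps entries (constructed sample, not a live read).

Entry format assumed: ".ext,<ISAPI dll path>,<flags>[,VERB,...]".
"""
from typing import Dict, List, NamedTuple, Set, Tuple


class ScriptMap(NamedTuple):
    ext: str
    dll: str
    flags: int
    verbs: Tuple[str, ...]


def parse_script_map(entry: str) -> ScriptMap:
    """Split one ScriptMaps string into its fields; reject malformed entries."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0].startswith("."):
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    verbs = tuple(v.upper() for v in parts[3:] if v)
    return ScriptMap(parts[0].lower(), parts[1].lower(), int(parts[2]), verbs)


# Extensions a typical CF/ASP/SHTML box needs (the thread's "CF, ASP, and SHTML").
NEEDED: Set[str] = {".cfm", ".cfml", ".dbm", ".asp", ".asa", ".shtml", ".shtm", ".stm"}


def audit_script_maps(entries: List[str], needed: Set[str] = NEEDED) -> Dict[str, object]:
    """Return mappings to keep, mappings to remove, and DLLs left with no mapping."""
    maps = [parse_script_map(e) for e in entries]
    keep = [m for m in maps if m.ext in needed]
    remove = [m for m in maps if m.ext not in needed]
    still_mapped = {m.dll for m in keep}
    # An ISAPI DLL with no remaining mapping is unreachable through IIS, so a
    # bug in it no longer forces a patch-and-reboot cycle on this box.
    unreachable = sorted({m.dll for m in remove} - still_mapped)
    return {"keep": keep, "remove": remove, "unreachable_dlls": unreachable}


# Constructed sample modelled on IIS 5 defaults plus a ColdFusion mapping.
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".asa,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".cer,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST",
    r".ida,C:\WINNT\System32\idq.dll,1,GET,HEAD",
    r".idq,C:\WINNT\System32\idq.dll,1,GET,HEAD",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
    r".cfm,C:\CFUSION\BIN\ISCF.DLL,1",
]

if __name__ == "__main__":
    report = audit_script_maps(SAMPLE_SCRIPTMAPS)
    for m in report["remove"]:
        print(f"remove {m.ext:9} -> {m.dll}")
    print("DLLs no longer reachable:", *report["unreachable_dlls"], sep="\n  ")
```

Note that .cer is reported as removable but asp.dll stays reachable through .asp, which is exactly the distinction the audit is meant to surface.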
