Weird - that site, www.turillion.com, is using ColdFusion but they changed
their extension to ".htm"

Fancy that - I thought all MS-centric shops ran ASP.

Howie

----- Original Message -----
From: "Kevin Davis" <[EMAIL PROTECTED]>
To: "CF-Server" <[EMAIL PROTECTED]>
Sent: Monday, February 25, 2002 5:51 PM
Subject: Re: PC Server Stability

> If you're looking for IIS security, then you should check out eServer
> Secure. (www.turilllion.com) It's an application firewall that will protect
> your IIS servers without having to constantly apply Microsoft patches. I
> use it and it works great.
>
> ----- Original Message -----
> From: "Dave Watts" <[EMAIL PROTECTED]>
> To: "CF-Server" <[EMAIL PROTECTED]>
> Sent: Monday, February 25, 2002 4:50 PM
> Subject: RE: PC Server Stability
>
> > > so what exactly is Qchain... go here to download it :)
> > > http://www.webattack.com/get/qchain.shtml
> >
> > I'd recommend getting it from Microsoft's site directly, I think, but it's
> > the same thing.
> >
> > > Thanks for the find.. does it work under NT though as
> > > well :)
> >
> > Yes, it does. Simply run all your patches from the command line with "-r -m"
> > (I think), then run qchain when you're done. The entire process will require
> > one reboot.
> >
> > > Outside of that, keeping the boxes current and healthy does
> > > require patching and reboots... hardening a box can hardly
> > > be true wherein such is littered with buffer overflows and
> > > other things that are the basis of service provision...
> >
> > I can't think of one recent patch that would affect the typical CF/Windows
> > application server, assuming the box was correctly set up in the first
> > place. All those buffer overflows you're referencing, they typically attack
> > ISAPI extensions. Are you using the IIS interface to Index Server? How about
> > the IIS NT password changer? No, of course not - very few people use these
> > things (and arguably, shouldn't use them on outward-facing production web
> > servers). So, if you simply remove/disable/turn off these things, you don't
> > have to patch them. It's as simple as that.
> >
> > > Needless to say, there is some better planning that
> > > everyone might take and apply to minimize risk... However,
> > > in the real world and in a diversified environment, like
> > > well, service provision to third parties, turning everything
> > > off isn't a solution.
> >
> > Out of curiosity, have any of your customers/clients/whatever required any
> > of the ISAPI extensions other than those for CF, ASP, and SHTML?
> >
> > > Windows does a good job, but certainly could perform better
> > > and more securely by applying some common sense things like
> > > you recommend Dave. Ideally, that should be the way/job of
> > > the software creator, not the implementer/buyer...
> >
> > It's worth noting that, for any piece of software, there are going to be
> > tradeoffs between security and convenience. Windows and its products
> > typically favor convenience heavily. That's why they're easier to set up
> > (note that I didn't say set up "well" or "correctly") but harder to secure.
> > If you compare that with, say OpenBSD ("Four years without a remote hole in
> > the default install!"), well, OBSD favors security much more than
> > convenience - there aren't any remote holes in the default install because
> > there aren't any listening services in the default install!
> >
> > However, neither Windows nor OpenBSD is that difficult to secure, and that
> > was originally my primary point. You simply don't have to constantly patch
> > Windows servers to keep them secure, as long as you did the work up front.
> > And, we're not talking about that much work - you simply have to know what
> > you're doing (which is just the same as with Unix).
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> >

______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
------------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body or visit the list page at www.houseoffusion.com
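An added example, not from the thread and not code from Fig Leaf, Macromedia or Microsoft: Dave's hardening point is that a CF/ASP/SHTML host can simply drop the ISAPI script mappings it does not use, so the check a defender wants is an audit of the configured mappings against an allowlist. The script below parses a ScriptMaps dump in the IIS 5 metabase's "extension,handler path,flags[,verbs...]" form and reports every mapping outside that allowlist. The sample dump, the DLL paths, the `#` comment convention and the allowlist itself are constructed assumptions; the component names attached to the extra extensions (Index Server, the .htr password-change interface, Internet Printing) are well-known IIS components, not findings from the thread.

```python
"""Audit IIS script mappings against an allowlist of extensions the host needs.

Added example, not from the mailing-list thread. Input format follows the
IIS 5 metabase ScriptMaps property: one entry per line,
"ext,handler path,flags[,verbs...]". Everything below is constructed sample
data; the "#" comment lines are a convention of this script, not of IIS.
"""
from dataclasses import dataclass

# Extensions the thread says a typical CF/ASP/SHTML server actually needs
# (assumption: adjust to what your own sites serve).
ALLOWED_EXTENSIONS = {".cfm", ".cfml", ".cfc", ".asp", ".shtml", ".shtm", ".stm"}

# Well-known IIS components behind mappings that a plain CF/ASP app server
# usually has no reason to expose; whether to keep any of them is the
# administrator's call, the script only reports them.
KNOWN_COMPONENTS = {
    ".ida": "Index Server (idq.dll)",
    ".idq": "Index Server (idq.dll)",
    ".htw": "Index Server (webhits.dll)",
    ".htr": "ISAPI password-change interface (ism.dll)",
    ".printer": "Internet Printing (msw3prt.dll)",
}


@dataclass(frozen=True)
class ScriptMap:
    extension: str
    handler: str
    flags: int
    verbs: tuple


def parse_script_maps(dump: str) -> list:
    """Parse a ScriptMaps dump; raises ValueError on a malformed entry."""
    maps = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) < 3:
            raise ValueError(f"malformed ScriptMaps entry: {line!r}")
        ext, handler, flags = parts[0].lower(), parts[1], int(parts[2])
        verbs = tuple(v.strip().upper() for v in parts[3:] if v.strip())
        maps.append(ScriptMap(ext, handler, flags, verbs))
    return maps


def unnecessary_mappings(maps, allowed=ALLOWED_EXTENSIONS):
    """Return (extension, handler, reason) for every mapping off the allowlist."""
    findings = []
    for m in maps:
        if m.extension in allowed:
            continue
        reason = KNOWN_COMPONENTS.get(m.extension, "not on allowlist")
        findings.append((m.extension, m.handler, reason))
    return findings


def report(dump: str) -> str:
    """Human-readable summary of mappings that could be removed."""
    findings = unnecessary_mappings(parse_script_maps(dump))
    if not findings:
        return "all script mappings are on the allowlist"
    lines = [f"{len(findings)} script mapping(s) outside the allowlist:"]
    for ext, handler, reason in findings:
        lines.append(f"  {ext:<9} -> {handler}  [{reason}]")
    return "\n".join(lines)


# Constructed sample, roughly what an IIS 5 default site plus ColdFusion
# carries; paths and DLL names are assumptions for illustration.
SAMPLE_DUMP = """\
# constructed sample ScriptMaps dump
.asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE
.cfm,C:\\CFUSION\\bin\\iscf.dll,1,GET,POST
.shtml,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,1,GET,POST
.ida,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD
.idq,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD
.htw,C:\\WINNT\\System32\\webhits.dll,1,GET,HEAD
.htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1,GET,POST
.printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST
"""

if __name__ == "__main__":
    print(report(SAMPLE_DUMP))
```

On a real host the dump would come from the metabase (for example the ScriptMaps property read with adsutil.vbs on IIS 5) rather than from the embedded sample; the audit logic is the same, and removing each reported mapping is what turns "patch it" into "no longer exposed".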
