> If you lock down your box but leave IIS openly listening
> for HTTP requests without filtering potentially risky
> requests, you are leaving yourself open to future attack
> as new weaknesses are discovered (you cannot possibly
> patch your server quickly enough to guarantee you are
> safe from attack).
>
> Any application that accepts input should really have
> strict validation rules to ensure that only valid input
> is received (whether it's a web server, a desktop
> application or whatever). URLScan allows you to simply
> and cheaply ensure IIS has strict input validation rules
> that will protect you from most attacks that make use of
> HTTP requests.
While I agree that URLScan or other input filters are valuable tools, and should be used if possible, it's not completely true that you're leaving yourself open to future vulnerabilities. Historically, most serious IIS vulnerabilities don't have anything to do with the core of IIS itself, but rather with its extensions. Most of these extensions aren't used, and should therefore be disabled and/or removed. Using an input filter is not a substitute for proper server configuration.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
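As an added illustration (not part of Dave's message or the original thread), here is a UrlScan.ini fragment in the UrlScan 2.5 layout showing the kind of strict rules the quoted post has in mind. The specific verb, extension and sequence lists are assumptions chosen for a ColdFusion host (.cfm must stay allowed), and they complement rather than replace removing the unused ISAPI mappings from IIS itself.

```ini
; Assumed UrlScan.ini fragment (illustrative, not a shipped default).
; Each rule narrows what IIS will even see; the script mappings for
; unused extensions (.ida, .idq, .htr, .printer ...) should still be
; removed from IIS, since the filter is a second layer, not the first.

[Options]
UseAllowVerbs=1             ; only verbs listed under [AllowVerbs] pass
UseAllowExtensions=0        ; 0 = use the [DenyExtensions] block list
NormalizeUrlBeforeScan=1    ; decode/canonicalize before the rules run
VerifyNormalization=1       ; reject URLs that change on a second decode
AllowHighBitCharacters=0    ; reject non-ASCII bytes in the URL
AllowDotInPath=0            ; reject dots in the path (blocks traversal tricks)
RemoveServerHeader=1        ; do not advertise the IIS version
EnableLogging=1             ; keep a record of every rejected request

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
; extensions this ColdFusion site never serves
.ida
.idq
.htr
.htw
.idc
.printer
.exe
.bat
.cmd
.com
.ini
.log

[DenyUrlSequences]
..      ; directory traversal
./      ; trailing-dot and path tricks
\       ; backslash variants of the same
:       ; alternate data streams
%       ; anything still percent-encoded after normalization

[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048
```

Rejected requests are written to the UrlScan log, which is worth feeding into monitoring: a burst of denied .ida or traversal requests is an early signal that someone is probing the host.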
