Dave is right, which is why IISLock comes with URLScan and "removes" some of the more vulnerable extensions in addition to using URLScan to filter requests. But I also think it's a good idea, if you're going to administer a server, to try it a few times by hand and always verify that IISLock did its thing (removing permissions, script dir(s), extensions, etc.), because in the past I have run IISLock and then checked and it DID NOT always update what it says it did. But regardless, it's worth doing it by hand and gaining a bit more understanding of where the vulnerabilities are...
Brook

At 12:25 PM 2/12/2003 -0500, you wrote:
> > If you lock down your box but leave IIS openly listening
> > for HTTP requests without filtering potentially risky
> > requests, you are leaving yourself open to future attack
> > as new weaknesses are discovered (you cannot possibly
> > patch your server quickly enough to guarantee you are
> > safe from attack).
> >
> > Any application that accepts input should really have
> > strict validation rules to ensure that only valid input
> > is received (whether it's a web server, a desktop
> > application or whatever). URLScan allows you to simply
> > and cheaply ensure IIS has strict input validation rules
> > that will protect you from most attacks that make use of
> > HTTP requests.
>
> While I agree that URLScan or other input filters are valuable tools, and
> should be used if possible, it's not completely true that you're leaving
> yourself open to future vulnerabilities. Historically, most serious IIS
> vulnerabilities don't have anything to do with the core of IIS itself, but
> rather with its extensions. Most of these extensions aren't used, and should
> therefore be disabled and/or removed. Using an input filter is not a
> substitute for proper server configuration.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444

To unsubscribe, send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body or visit the list page at www.houseoffusion.com
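One way to do the by-hand verification Brook recommends, and to see where Dave's point (unmapped extensions) and the URLScan point (filtered requests) overlap: dump the metabase script mappings, read URLScan.ini, and list every handler that IIS will still execute and URLScan will still pass. This is an added example written for this page, not code from the original thread, from IIS Lockdown or from URLScan. The two inputs are constructed samples in the formats those tools use (`adsutil.vbs GET W3SVC/ScriptMaps` output and a URLScan.ini fragment); the list of extensions IIS Lockdown offers to unmap is an assumption taken from the tool's script-mapping options, and the function names are mine.

```python
"""Cross-check what IIS will execute against what URLScan will filter.

Added example, not the original post's or IIS Lockdown's code.  Inputs
are constructed: an adsutil.vbs ScriptMaps dump (".ext,handler,flags[,verbs]"
per entry) and a URLScan.ini fragment.
"""
import re

# Extensions whose handler mappings IIS Lockdown offers to remove
# (assumed from the tool's "disable script mappings" options).
LOCKDOWN_UNMAPPED = {".htr", ".idc", ".stm", ".shtm", ".shtml",
                     ".printer", ".htw", ".ida", ".idq"}

# Constructed sample of `cscript adsutil.vbs GET W3SVC/ScriptMaps`
# output for a box where .htr was left mapped after lockdown.
SAMPLE_SCRIPTMAPS = r'''
ScriptMaps                      : (LIST) (5 Items)
  ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
  ".cfm,C:\CFusionMX\runtime\lib\wsconfig\1\jrun_iis6.dll,1"
  ".htr,C:\WINNT\System32\inetsrv\ism.dll,5,GET,POST"
  ".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST"
  ".idq,C:\WINNT\System32\idq.dll,1,GET,POST"
'''

# Constructed URLScan.ini fragment: deny-list mode with a few extensions denied.
SAMPLE_URLSCAN_INI = '''
[Options]
UseAllowExtensions=0   ; 0 = use [DenyExtensions], 1 = use [AllowExtensions]

[DenyExtensions]
.exe
.bat
.printer
.ida
.idq
'''

_MAP_ENTRY = re.compile(r'"(\.[^,"]+),([^,"]*),(\d+)(?:,([^"]*))?"')


def parse_scriptmaps(text):
    """Return {ext: {handler, flags, verbs}} from an adsutil ScriptMaps dump."""
    maps = {}
    for ext, handler, flags, verbs in _MAP_ENTRY.findall(text):
        maps[ext.lower()] = {
            "handler": handler,
            "flags": int(flags),
            # An empty verb list in the metabase means every verb is accepted.
            "verbs": verbs.split(",") if verbs else ["*"],
        }
    return maps


def parse_urlscan(text):
    """Return the extension-filtering settings from a URLScan.ini."""
    cfg = {"use_allow": False, "allow": set(), "deny": set()}
    section = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "options" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.lower() == "useallowextensions":
                cfg["use_allow"] = val == "1"
        elif section == "allowextensions":
            cfg["allow"].add(line.lower())
        elif section == "denyextensions":
            cfg["deny"].add(line.lower())
    return cfg


def urlscan_blocks(cfg, ext):
    """True if URLScan would reject a request whose URL ends in ext."""
    ext = ext.lower()
    if cfg["use_allow"]:
        return ext not in cfg["allow"]     # allow-list mode: unlisted is denied
    return ext in cfg["deny"]              # deny-list mode: listed is denied


def audit(scriptmaps_text, urlscan_text):
    """One finding per mapped extension: is it a lockdown target, does URLScan filter it."""
    maps = parse_scriptmaps(scriptmaps_text)
    cfg = parse_urlscan(urlscan_text)
    return [{"ext": ext, "handler": maps[ext]["handler"],
             "lockdown_target": ext in LOCKDOWN_UNMAPPED,
             "urlscan_filters": urlscan_blocks(cfg, ext)}
            for ext in sorted(maps)]


def exposed_extensions(scriptmaps_text, urlscan_text):
    """Extensions lockdown should have unmapped that URLScan also lets through."""
    return [f["ext"] for f in audit(scriptmaps_text, urlscan_text)
            if f["lockdown_target"] and not f["urlscan_filters"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_SCRIPTMAPS, SAMPLE_URLSCAN_INI):
        state = "EXPOSED" if f["lockdown_target"] and not f["urlscan_filters"] else "ok"
        print(f'{f["ext"]:9} {f["handler"]:48} {state}')
```

On a real server you would replace the two constructed strings with the output of `cscript adsutil.vbs GET W3SVC/ScriptMaps` (and of the per-site `W3SVC/<n>/Root` nodes, since a site can carry its own mappings) and the contents of the URLScan.ini in use. The thing to look at in the report is the "EXPOSED" rows: an extension that lockdown was supposed to unmap, is still mapped, and is not denied by URLScan, which is exactly the case where neither tool helps you when the next handler bug appears.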
