> You are all talking about past stuff - which has already
> been documented as being insecure and as a result is the
> first thing you fix on a new machine.

So, I take it that you've completed your audit of the Windows and IIS source code, and you've found no other vulnerabilities. That's good to know! Seriously, there are new issues found on a regular basis - there are plenty of smart people banging on Windows and IIS to see what falls out. Configuring a server for security isn't just a matter of making sure all the patches are installed - you have to configure the server defensively, so that when some new vulnerability comes up, you're less likely to be vulnerable since you've disabled that functionality, or applied more restrictive ACLs, or whatever.

> I doubt any URL data will be able to fire off an SP, unless
> it knew the name, username and password of the SP etc.....

Well, if you're running SQL Server, you probably have all of the built-in SQL Server stored procedures. My favorite is xp_cmdshell, which lets your SQL statement open a command processor on your database server - handy for FTPing whatever files you want to install onto your database server, among other things.

> I heed your warnings, but I can safely say that my machine
> is at present 100% secure.

So, you've unplugged it and turned it off. Yes, now it's secure, in that case. If not, you can't safely say anything of the sort - that would be either ignorant or hubristic. No server is 100% secure - most of us would happily settle for adequate security, or some level of due diligence.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496 fax: (202) 797-5444

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
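The point of the reply above is that a URL parameter pasted into a query string does not need to know any procedure name, username or password: the attacker supplies the `EXEC` text and it runs under whatever login the application already uses. The following is an added example, not code from the list post or from Fig Leaf Software. It assumes a page that looks up an article by an `id` URL parameter and a table called `articles`; both are constructed for illustration. SQLite is used only so the example runs offline; the injected `xp_cmdshell` call is SQL Server-specific and here is simply treated as data, which is exactly what the parameterized form guarantees.

```python
import sqlite3

# Constructed sample input: a value an attacker could place in a URL
# parameter such as ?id=... . The EXEC targets SQL Server's built-in
# xp_cmdshell; the trailing -- comments out whatever SQL followed the id.
PAYLOAD = "1; EXEC master..xp_cmdshell 'ftp -s:c:\\get.txt'--"

# Constructed table contents standing in for the application's data.
SAMPLE_ROWS = [(1, "Hello"), (2, "World")]


def _connect() -> sqlite3.Connection:
    """Build the constructed in-memory 'articles' table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_query_unsafe(article_id: str) -> str:
    """The vulnerable pattern: the URL value is concatenated into the SQL.

    Sent to SQL Server as one batch, the injected EXEC would run with the
    application login's rights. Returned here as text so it can be inspected
    without executing it.
    """
    return f"SELECT title FROM articles WHERE id = {article_id}"


def contains_extra_statement(sql: str) -> bool:
    """Crude detector for a single-statement query that grew a second
    statement or a comment marker; useful when reviewing built-up SQL."""
    return ";" in sql or "--" in sql


def is_valid_id(article_id: str) -> bool:
    """Input check: an article id must be a plain non-negative integer.
    Anything carrying separators, comments or keywords is rejected."""
    return article_id.isdigit()


def lookup_title(article_id: str) -> list:
    """Hardened lookup: validate first, then bind the value as a parameter
    so the driver never parses it as SQL text."""
    if not is_valid_id(article_id):
        return []
    conn = _connect()
    try:
        return conn.execute(
            "SELECT title FROM articles WHERE id = ?", (int(article_id),)
        ).fetchall()
    finally:
        conn.close()


def lookup_title_param_only(article_id: str) -> list:
    """Parameter binding without validation, shown to separate the two
    defences. The payload is compared as a value against id and matches
    no row; it is never executed. Keep the validation as well."""
    conn = _connect()
    try:
        return conn.execute(
            "SELECT title FROM articles WHERE id = ?", (article_id,)
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print("unsafe query text:", build_query_unsafe(PAYLOAD))
    print("injected statement present:", contains_extra_statement(build_query_unsafe(PAYLOAD)))
    print("param-only lookup with payload:", lookup_title_param_only(PAYLOAD))
    print("validated lookup with payload:", lookup_title(PAYLOAD))
    print("validated lookup with '1':", lookup_title("1"))
```

Fixing the query is the application-side half. The defensive-configuration half the reply argues for is, on the database side, making sure the login the web application connects with cannot execute xp_cmdshell at all (revoke its execute permission or remove the procedure, depending on your SQL Server version); that is a general hardening practice stated here as the editor's recommendation, not something the post spells out.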

