> I am not an Apache committer, and I would not be qualified to 
> be one.  I do know that there are thousands of eyes looking 
> at the Apache source and finding bugs and vulnerabilities.  I 
> do upgrade my Apache versions from time to time, and I do it 
> more often if a serious vulnerability is found.  Unlike 
> Windows, however, this is not very often.

Actually, IIS patches have been few and far between lately, and I'm sure
plenty of people are still looking for IIS vulnerabilities. But, I do agree
that in general the open source world has been much better about responding
to known security vulnerabilities. However, your point was that you could
fix the source yourself. My response to that was that most people cannot or
will not do that anyway, and even if you do, that may introduce additional
problems when you need to upgrade.

> Vast majority is not all.  I have my servers set to auto 
> reboot when windows patches come out, and they have been 
> rebooting on a monthly basis.  The last time they rebooted 
> was 12/17.  If your servers have a higher uptime than 91 
> days, you must not be doing your job of patching server 
> very well.  

If my job was to blindly apply every patch, without testing or even
determining whether it's appropriate, then I wouldn't be doing my job very
well. Don't you test patches before deploying to production? Do you just
install every patch, even if you don't need it?

For example, this month there've been three critical patches and one
important patch released by Microsoft. All of them have to do with Microsoft
Office. I don't have Microsoft Office installed on my servers, and I don't
want to edit spreadsheets from my server console anyway.

Last month, there were three critical patches and four important patches.
The critical patches applied to Internet Explorer, Visual Studio 2005, and
Windows Media Player. I don't allow browsing from the server - egress
filtering is an important part of DMZ security - and I don't write .NET code
or listen to MP3s from the server console, either. Out of the four important
patches, one applies to SNMP - I'm not using that. Another is a generic
privilege elevation vulnerability that requires a local login - I did apply
that, it didn't require a restart. The third and fourth apply to Outlook
Express and Remote Installation Services, neither of which is used in my
server environment.

And, just a heads-up, again, most patches no longer need a reboot, and you
can even script the install in most cases to not prompt for a reboot if the
patch doesn't require it.

> Not to mention that running rewriting through CF is a lot 
> slower than using Apache or even ISAPI Rewrite.  

Really? Any statistics to back that up? I'd assume that using CF to rewrite
URLs for static content would be slower than using the web server, but I
doubt it makes any significant difference if you're using dynamic content.

> From what I remember from ISAPI rewrite, it was pretty limited, 
> but I guess you're stuck with it if you're going to use IIS. 

Well, no, you're not stuck with it. There are other, similar tools, some of
which are free and open source. I've heard of this one, for example:
http://cheeso.members.winisp.net/IIRF.aspx
 
And, I haven't run into any limitations with ISAPI Rewrite, myself, so I can
think of worse things to be stuck with.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
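The reply above mentions scripting a patch install so it installs silently and does not prompt for a reboot unless the patch actually needs one. The script below is an added example written for this page; it is not code from the message, from Dave Watts, or from Fig Leaf Software. The package paths in `$Patches` are hypothetical placeholders. Classic Update.exe-based hotfix installers (KBnnnnnn.exe) and wusa.exe (.msu packages) both accept `/quiet /norestart`; exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) is how the installer reports that a restart is still owed, and the registry checks at the end are the standard places Windows records a pending restart.

```powershell
# Added example, not code from the original message or from Fig Leaf Software.
# Installs a list of Microsoft update packages silently with no reboot prompt,
# classifies each installer's exit code, and checks whether a reboot is
# actually pending afterwards. The package paths in $Patches are hypothetical.
#
# Classic Update.exe-based hotfix installers (KBnnnnnn.exe) and wusa.exe
# (.msu packages) both accept /quiet /norestart.

param(
    [string[]]$Patches = @(
        'C:\Patches\hotfix-example-1.exe',   # hypothetical path
        'C:\Patches\hotfix-example-2.msu'    # hypothetical path
    )
)

function Install-PatchQuiet {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; ExitCode = $null; Result = 'Package not found' }
    }

    # .msu packages must go through wusa.exe; self-extracting KB installers run directly.
    if ([IO.Path]::GetExtension($Path) -ieq '.msu') {
        $exe     = Join-Path $env:SystemRoot 'System32\wusa.exe'
        $argList = @("`"$Path`"", '/quiet', '/norestart')
    } else {
        $exe     = $Path
        $argList = @('/quiet', '/norestart')
    }

    $proc = Start-Process -FilePath $exe -ArgumentList $argList -Wait -PassThru

    $result = switch ($proc.ExitCode) {
        0       { 'Installed, no restart needed' }
        3010    { 'Installed, restart required (deferred by /norestart)' }  # ERROR_SUCCESS_REBOOT_REQUIRED
        2359302 { 'Already installed' }                                     # WU_S_ALREADY_INSTALLED (0x240006), wusa.exe only
        default { "Failed, exit code $($proc.ExitCode)" }
    }

    [pscustomobject]@{ Path = $Path; ExitCode = $proc.ExitCode; Result = $result }
}

function Test-PendingReboot {
    # Windows Update sets this key when an installed update still needs a restart.
    $wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path -LiteralPath $wuKey) { return $true }

    # Files queued for replacement at next boot (in-use binaries replaced by a patch).
    $sm = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { return $true }

    return $false
}

$results = foreach ($p in $Patches) { Install-PatchQuiet -Path $p }
$results | Format-Table -AutoSize

if (Test-PendingReboot) {
    Write-Warning 'At least one update needs a restart; schedule it for the maintenance window instead of rebooting now.'
} else {
    Write-Host 'No restart pending.'
}
```

Run it from an elevated PowerShell prompt on the server with the real package paths; the table shows per-package results, and the final check tells you whether a restart has to be scheduled at all, which is the distinction the reply draws between blindly rebooting on a monthly cycle and restarting only when a patch requires it.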



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:267104