> Actually, IIS patches have been few and far between lately, and I'm sure
> plenty of people are still looking for IIS vulnerabilities. But, I do agree
> that in general the open source world has been much better about responding
> to known security vulnerabilities. However, your point was that you could
> fix the source yourself. My response to that was that most people cannot or
> will not do that anyway, and even if you do, that may introduce additional
> problems when you need to upgrade.

I agree that MS has been cleaning up their act lately with the patches. In the past, however, they have let major flaws stay unpatched for months. Anyone remember Code Red? I can't seem to find the original e-mail, but I don't remember saying that I can fix the source myself. Although it is an option, my original point was that there are more eyes looking at and scrutinizing the code, so that vulnerabilities are found and fixed quicker.

> If my job was to blindly apply every patch, without testing or even
> determining whether it's appropriate, then I wouldn't be doing my job very
> well. Don't you test patches before deploying to production? Do you just
> install every patch, even if you don't need it?
>
> For example, this month there've been three critical patches and one
> important patch released by Microsoft. All of them have to do with Microsoft
> Office. I don't have Microsoft Office installed on my servers, and I don't
> want to edit spreadsheets from my server console anyway.
>
> Last month, there were three critical patches and four important patches.
> The critical patches applied to Internet Explorer, Visual Studio 2005, and
> Windows Media Player. I don't allow browsing from the server - egress
> filtering is an important part of DMZ security - and I don't write .NET code
> or listen to MP3s from the server console, either. Out of the four important
> patches, one applies to SNMP - I'm not using that. Another is a generic
> privilege elevation vulnerability that requires a local login - I did apply
> that, it didn't require a restart. The third and fourth apply to Outlook
> Express and Remote Installation Services, neither of which is used in my
> server environment.
>
> And, just a heads-up, again, most patches no longer need a reboot, and you
> can even script the install in most cases to not prompt for a reboot if the
> patch doesn't require it.

You're probably right, and I should be more proactive in only applying patches that apply to my configuration. I should also probably be testing the patches on a development server first. However, I would rather spend the time doing real work than worrying about patches. Why can't Windows patches be more pain free like Linux patches? In my experience, they are, but I believe many of you have been burned by bad MS patches in the past, which is why you feel the need to test the patch before applying it. Testing the patches should be MS's job, not ours.

> > Not to mention that running rewriting through CF is a lot
> > slower than using Apache or even ISAPI Rewrite.
>
> Really? Any statistics to back that up? I'd assume that using CF to rewrite
> URLs for static content would be slower than using the web server, but I
> doubt it makes any significant difference if you're using dynamic content.

You're right and rewriting using CF for dynamic content probably doesn't make much of a difference, although you should agree that it is slower, even by a few milliseconds. My point was about static content. Let's say you want to set up a sort of proxy server where http://www.example.com actually pulls content from http://www2.example.com. In Apache, you would just put in something like:

    RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
    RewriteRule ^(.*)$ http://www2.example.com/$1 [P]

This will proxy all the requests through www2, while the URL in the browser will appear as www. It will proxy images, as well as any pages. I doubt you can do this with ISAPI rewrite, and with CF it would be pretty difficult to do as well (if not impossible). Apache handles this type of stuff out of the box.

> > From what I remember from ISAPI rewrite, it was pretty limited,
> > but I guess you're stuck with it if you're going to use IIS.
>
> Well, no, you're not stuck with it. There are other, similar tools, some of
> which are free and open source.
> I've heard of this one, for example:
> http://cheeso.members.winisp.net/IIRF.aspx
>
> And, I haven't run into any limitations with ISAPI Rewrite, myself, so I can
> think of worse things to be stuck with.

See my previous example.

Russ

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:267131
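
The proxy rewrite described in the message above, placed in a complete virtual host, as an added example that is not part of the original post. The module paths, the port and the virtual-host layout are assumptions; the two host names are the ones used in the message.

```apache
# Added example (not from the original post). Assumed: stock module paths,
# a plain HTTP listener on port 80, and a backend reachable as www2.example.com.

# The [P] flag hands the request to mod_proxy, so these modules must be loaded.
LoadModule rewrite_module    modules/mod_rewrite.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy only: do not serve as a forward proxy for arbitrary URLs.
    ProxyRequests Off

    RewriteEngine On

    # Anchor the match and escape the dots so only this host name qualifies.
    RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]

    # Scheme and host of the target are fixed in the rule; the client supplies
    # only the path. In virtual-host context the matched path begins with "/",
    # so it is stripped in the pattern and re-added in the substitution.
    RewriteRule ^/(.*)$ http://www2.example.com/$1 [P]

    # Rewrite Location headers in backend redirects so the browser stays on
    # www.example.com instead of being sent to www2 directly.
    ProxyPassReverse / http://www2.example.com/
</VirtualHost>
```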

