> Saying this, we have a client who used to use IIS - they 
> thought they had all of the back-doors bolted... Then one 
> of the Code Red variants came along and strolled straight 
> through - they now use WSP

Well, I'm glad they're not using IIS then. However, this is an illustration
of their inability to configure a server correctly, rather than an
illustration of some special problem with IIS. I mean, this stuff is just
not that hard. We're talking about ten minutes of initial configuration, or
one minute if you've written a script to automate the process.

The problem with IIS is similar to the problem with Windows - neither is
designed to serve well as a public Internet server with their default
configurations. If you're going to use Windows for public Internet servers,
then you have to know how to configure them appropriately. The same is true
for IIS.

To some extent, of course, this is true for anything that you're going to
put on an untrusted network - you have to know how to configure it
appropriately.

> > Here are some things that IIS allows you to do:
> >
> > - handle server-side includes (I use CFINCLUDE for that, 
> > and don't deal with static HTML.)
> 
> WSP does this also, with HTML-SSI files
> 
> > - allow NT users to change their NT passwords
> 
> Ours is a pure web server... We don't have NT users on the 
> machine, so this isn't important to us
> 
> > - allow IIS to handle local print jobs received through a web
> > browser (IIS 5 only)
> 
> Again, it's a pure web server, so no printer
> 
> > - allow direct interaction with databases through MSADC
> 
> How does CF interact with this?
> 
> > - provide a direct interface to MS Index Server
> 
> Since we don't use MS Index Server, this doesn't affect us...
> 
> > - manage IIS itself through a browser
> 
> Remote Admin - been in WSP for ages - not browser based, but 
> it's still remote

Yes, I'm aware of the WebSite feature set. However, I think you're missing
my point. Those are all things that should be TURNED OFF on a production web
server - or any internet-facing web server - that isn't specifically using
those features. If you turn them off, you don't have any problems. If you do
need to use those features, then you have to go through some hoops to ensure
that they're set up securely.

As for the MSADC thing, CF doesn't interact with it - and I turn it off.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444