PRO+ Premium Content/Information Security magazine

February 2002

IIS server patching best practices

QUESTION: I keep getting conflicting advice about patching my IIS servers. Some people recommend patching live systems for serious vulnerabilities as soon as I can. Others say you must test the patch before putting the server back into production. What should I do?

ANSWER: The best way to address this common problem is to set yourself up so you don't have to address it at all. If the configuration of your system is already resistant to an attack, you don't have to worry about applying new patches. For example, Code Red attacked a vulnerability in IDQ.DLL, a component used to provide access to Index Server via IIS. Most people don't use Index Server in their Web sites, but IIS enables this functionality by default. Ergo, most IIS servers were vulnerable to Code Red. This isn't an isolated example, however. In fact, the majority of attacks against IIS servers leverage some component that most businesses don't use (or need). Heck, with a slightly modified installation, an IIS server would be secure against most of the attacks ...

Columns in this issue

  • Security startups: Recipe for success

    by Robert Logan

    Stir one part technologist with one part experienced CEO and some VC money and you have the recipe for successful security startups.

  • Secure reads: The CISSP Prep Guide, CISSP Exam Cram

    by SearchSecurity staff

    Although efficient study guides for cramming before the CISSP test, The CISSP Prep Guide and the CISSP Exam Cram won't advance the infosec profession and are likely plagiarized.