Patching IIS (was - RE: ASP security in HTML pages)

["Wolf, Yonah" <Yonah.Wolf () ujc org>]

All,

 I seems that a lot of these responses are pointing out age-old flaws in ASP - stuff that was around 3-4 years ago. If 
someone were to properly configure and/or patch their server (say, by running the IIS lockdown tool) they would not be 
exposed to these vulnerabilities. In light of that I just wanted to point out several things:

        - It's not the holes you close, but the ones you need to keep open that you need to worry about (hence the need 
for web app security)

        - I understand if someone gets taken by a new flaw when it first comes out, but it is a sorry state of affairs 
when ASP flaws from 3 years ago are still being exploited - I just can't understand why well-known security patches 
aren't being applied!?!?

        - Steps to protect your source code, especially if that code is contained in scripts, is like the false 
security of a life preserver in shark-infested waters - it will help you, but to a point.


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------