Re: [PEN-TEST] [pen-test] IIS4/5

[Ryan Russell <ryan () SECURITYFOCUS COM>]

On Thu, 21 Dec 2000, Mattias Tiasen wrote:

> Hi, I was wondering if one could consider an IIS5 httpd with all patches to
> be trusted? And also if one could consider nt4/iis4/sp6 running ftpd is
> secure with full patching?

Depends totally on your definition of "trusted" I suppose, but the short
answer is...well, maybe.  (BTW, applying patches is not enough.  There are
a number of known issues that MS doesn't release patches for, rather they
leave the fix up to configuration.)  Assuming you've got your patches and
permissions/configurations in place, you're relatively safe until the next
public hole is announced.  That means you'll have to keep an eye on new
holes being announced.  You'll never be able to put it in place, and walk
away confident that it will be safe forever.  You can't do that with any
system.

So, when I'm tasked with admining an IIS box, I patch it up according to
the current state of the art, then I fix it again every time a new hole is
announced.  There's always a chance that you'll be the first one to be the
victim of a new private exploit, but that's the price of being on the
Internet.  At that point your recovery plans kick in.

I could get into which sets of software I'd prefer to try and minimize the
number of holes that crop up in the future, and minimize the number of
times I have to apply a patch in the middle of the night with no advanced
warning, but that's really a different question.

                                        Ryan