Penetration Testing mailing list archives
Re: [PEN-TEST] [pen-test] IIS4/5
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Thu, 21 Dec 2000 10:32:41 -0800
On Thu, 21 Dec 2000, Mattias Tiasen wrote:
> Hi, I was wondering if one could consider an IIS5 httpd with all patches to be trusted? And also if one could consider nt4/iis4/sp6 running ftpd is secure with full patching?
Depends totally on your definition of "trusted" I suppose, but the short answer is...well, maybe. (BTW, applying patches is not enough. There are a number of known issues that MS doesn't release patches for; rather, they leave the fix up to configuration.)

Assuming you've got your patches and permissions/configurations in place, you're relatively safe until the next public hole is announced. That means you'll have to keep an eye on new holes being announced. You'll never be able to put it in place and walk away confident that it will be safe forever. You can't do that with any system.

So, when I'm tasked with admining an IIS box, I patch it up according to the current state of the art, then I fix it again every time a new hole is announced. There's always a chance that you'll be the first one to be the victim of a new private exploit, but that's the price of being on the Internet. At that point your recovery plans kick in.

I could get into which sets of software I'd prefer to try and minimize the number of holes that crop up in the future, and minimize the number of times I have to apply a patch in the middle of the night with no advance warning, but that's really a different question.

Ryan
Current thread:
- [PEN-TEST] [pen-test] IIS4/5 Mattias Tiasen (Dec 21)
- Re: [PEN-TEST] [pen-test] IIS4/5 Ryan Russell (Dec 21)
- [PEN-TEST] Design and maintenance of secure systems (was Re: IIS4/5) Bennett Todd (Dec 22)
- Re: [PEN-TEST] [pen-test] IIS4/5 Ryan Russell (Dec 21)