Since May, Microsoft has released two cumulative hotfixes for IIS. These cumulative hotfixes are similar to service packs in that they include all previous security hotfixes. I recommend that you apply all cumulative fixes as Microsoft releases them as a fail-safe measure. If the cumulative hotfix doesn't include new hotfixes important to your server, consider waiting a week to determine whether the cumulative hotfix introduces any new bugs. (See Brett Hill, "IIS Informant," page 4, for information about cumulative IIS hotfixes.)
If you're in doubt as to which hotfixes have been loaded on your servers, check out the Microsoft Network Security Hotfix Checker (hfnetchk.exe) tool, which you can download from http://support.microsoft.com/support/kb/articles/q303/2/15.asp. Using this tool, you can scan your servers for applied hotfixes. The tool then generates a report of missing hotfixes. Also at that URL, you can find a utility called qchain.exe, which lets you install multiple hotfixes with one reboot, a handy utility if you find that you have a lot of hotfixes to catch up on.
Harden Your Web Servers
Keeping systems up-to-date is important because many exploits are problems in Microsoft code that only Microsoft can fix. But how can you increase your immunity to attacks in the first place and reduce the urgency of loading updates from Microsoft? The answer is to harden your Web server.
You can configure your Web servers in many imaginative ways to repulse attacks, but you'll get the most mileage by starting with the basics from the Secure Internet Information Services 5 Checklist and Microsoft Internet Information Server 4.0 Security Checklist (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/tools.asp). These checklists cover many areas of OS and IIS security, but I want to draw your attention to an extremely important section of these documents: removing unneeded script mappings. This recommendation is one of the most important rules to follow in computer security: If you don't need it, turn it off.
On the same Web site as the checklists, you can also find the IIS Lockdown Tool and the Windows 2000 Internet Server Security Tool (IISLock), which automate many of the steps in the respective checklists. I recommend that you peruse the appropriate checklist, determine which recommendations are appropriate to your server, then perform the step manually to retain control over what's happening to your server. However, if you have many servers to harden or time constraints, you might decide to use the hardening utility. If you do, make sure that you understand what the tool does before you use it. Also be aware that IISLock doesn't make every change in the checklist and can break a server if you don't know what you're doing.
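If you decide to work through the script-mappings step by hand rather than with IISLock, it helps to first audit what is mapped against what your site actually needs. The following is an added example, not code from the article or from Microsoft's checklists: it parses IIS 4/5 ScriptMaps metabase entries (format ".ext,handler-path,flags,verb,verb,...") and reports which mappings fall outside an allowlist. The sample entries and the allowlist of needed extensions are constructed for illustration.

```python
# Added example (not from the article): audit an IIS 4/5 ScriptMaps list
# against an allowlist of extensions the site needs, in the spirit of the
# checklist's "remove unneeded script mappings" step.
# Each ScriptMaps entry has the form ".ext,handler-path,flags,verb,verb,...";
# the entries below are constructed samples, not captured from a real server.

SAMPLE_SCRIPTMAPS = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".asa,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1,GET,POST",
    ".idc,C:\\WINNT\\System32\\inetsrv\\httpodbc.dll,1,GET,POST",
    ".shtml,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,1,GET,POST",
    ".printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST",
    ".ida,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD,POST",
]

# Extensions this hypothetical site actually serves; everything else is flagged.
NEEDED_EXTENSIONS = {".asp", ".asa"}


def parse_scriptmap(entry):
    """Split one ScriptMaps string into (extension, handler_path, flags, verbs)."""
    parts = entry.split(",")
    if len(parts) < 3:
        raise ValueError("malformed ScriptMaps entry: %r" % entry)
    ext, path, flags = parts[0].lower(), parts[1], int(parts[2])
    verbs = [v.upper() for v in parts[3:] if v]
    return ext, path, flags, verbs


def audit_scriptmaps(entries, needed):
    """Return (keep, remove): mappings to retain and mappings outside the allowlist."""
    needed = {e.lower() for e in needed}
    keep, remove = [], []
    for entry in entries:
        ext, _path, _flags, _verbs = parse_scriptmap(entry)
        (keep if ext in needed else remove).append(entry)
    return keep, remove


if __name__ == "__main__":
    kept, dropped = audit_scriptmaps(SAMPLE_SCRIPTMAPS, NEEDED_EXTENSIONS)
    print("keep:")
    for e in kept:
        print("  ", e)
    print("remove (unneeded mappings, with the handler DLL they load):")
    for e in dropped:
        ext, path, _flags, verbs = parse_scriptmap(e)
        print("  ", ext, "->", path, " verbs:", ",".join(verbs))
```

Review the "remove" list against your own applications before deleting anything from the metabase; the allowlist, not the script, decides what is needed.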
Ongoing Security
If you do nothing else for your Web site's security, I urge you at least to perform an initial hardening of your server and implement an ongoing process to load relevant security hotfixes. When you receive a security bulletin from Microsoft, determine whether it applies to any of the products or services on your server. Then, keep your server baselined by installing any new service packs for Win2K, security rollups for NT (Microsoft has announced no further service packs for NT, but it does periodically release security rollups), and cumulative hotfixes for IIS. You'll not only protect your sites but also prevent your computer from being used to attack other servers on the Web.