Keeping up with all the hotfixes and bulletins that are available can be challenging. Here’s a list of email lists and Web sites that can keep you up-to-date.

Microsoft Product Security Notification
Subscribe to the Microsoft Product Security Notification email list by sending an email message to microsoft_security-subscribe-request@announce.microsoft.com. (The content of the message is ignored.) This list is Microsoft’s primary way of getting security information to the masses.

IIS Hotfix List
You can find a list of all IIS hotfixes at

  • IIS 5.0—http://www.microsoft.com/technet/security/current.asp?productid=15
  • IIS 4.0—http://www.microsoft.com/technet/security/current.asp?productid=14

Win2K Security List
You can find the Win2K Security List (win2ksecadvice@listserv.ntsecurity.net) and Web pages at http://www.windowsitsecurity.com. This mailing list has regular announcements from several security experts. Often, the announcements include details that are missing from Microsoft’s announcements. For example, where Microsoft refers to "a specially malformed header," the Win2K Security List provides details about exactly what that means. Although this list has Win2K in the title, it often covers IIS 4.0 topics.

IIS 5.0 Hotfix Checking Tool
The IIS 5.0 hotfix tool checks your IIS 5.0 server and tells you which hotfixes you haven’t applied. You can download the IIS 5.0 hotfix tool from http://www.microsoft.com/downloads/release.asp?releaseid=24168.

IIS Security Checklists
Be sure to read and apply the IIS security checklists that Microsoft provides. Checklists are available for IIS 5.0 and IIS 4.0

  • IIS 5.0—http://www.microsoft.com/technet/security/iis5chk.asp
  • IIS 4.0—http://www.microsoft.com/technet/security/iischk.asp

SecurityFocus.com
Visit http://www.securityfocus.com, and read the IIS section.