Whilst this has been changed to a 'secure by default' posture for IIS 6.0, it is crucial that administrators take the time to fully understand their web server and adjust the configuration to allow only those features and services required.
In addition, "Securing Apache: Step-by-Step" by Artur Maj is a very helpful paper found in the SANS Reading Room that covers in detail the tasks of securing an Apache server.
While having current service packs and security hotfixes addresses many software design-related problems (such as buffer overflows, code design errors, etc.), there are a number of dangerous features in the Windows OS that have legitimate and documented functionality but can, in many cases, be safely disabled or secured in order to harden system security.
The latest version of IE is 6, and it has certainly accumulated an impressive record of holes: 153 since 18 April 2001, according to the SecurityFocus Vulnerabilities Archive.
Security issues are not common, but when they are found, they are openly discussed and fixed quickly.
Both are good ideas; in particular, the latter should be enabled by security pros on the machines they oversee, as it will greatly reduce the likelihood of miscreant installs (the link above implies Firefox is not implementing the XPI whitelist; Mozilla bug 240552 contradicts this).