Securing IIS

Our production Internet Information Server failed to boot after we installed the MS04-011 patch, so we restored the system to its previous state and it runs again. But now we're worried about the latest IIS exploits. Are there workarounds we can use to secure the system while we further test the patch installation on our development server?

Go to the Microsoft TechNet Web site. Currently the most widely known exploit attacks the Private Communication Transport protocol developed by Microsoft and Visa, and since replaced by Secure Sockets Layer Version 3. You can protect your server from the IIS PCT exploit by disabling PCT in the registry (described in Microsoft Knowledge Base Article 187498). Ten of the other 13 problems the MS04-011 patch tries to fix have workarounds listed, ranging from using a firewall to block selected ports, to un-registering the HCP protocol by deleting the HCP key from the registry. Remaining issues (holes in the ASN.1 library, the local descriptor table and a buffer overrun in winlogon) lack workarounds and leave systems exposed to compromise, so working out the installation details and getting that patch installed is still critical.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Our production Internet Information Server failed to boot after we installed the MS04-011 patch, so we restored the system to its previous state and it runs again. But now we're worried about the latest IIS exploits. Are there workarounds we can use to secure the system while we further test the patch installation on our development server?

Go to the Microsoft TechNet Web site. Currently the most widely known exploit attacks the Private Communication Transport protocol developed by Microsoft and Visa, and since replaced by Secure Sockets Layer Version 3. You can protect your server from the IIS PCT exploit by disabling PCT in the registry (described in Microsoft Knowledge Base Article 187498). Ten of the other 13 problems the MS04-011 patch tries to fix have workarounds listed, ranging from using a firewall to block selected ports, to un-registering the HCP protocol by deleting the HCP key from the registry. Remaining issues (holes in the ASN.1 library, the local descriptor table and a buffer overrun in winlogon) lack workarounds and leave systems exposed to compromise, so working out the installation details and getting that patch installed is still critical.

Read more about security in Network World's Security section.