IIS 6: The Complete Reference
|
|
You can secure your system using several methods. No matter which method you choose to protect your system from attack, information is key. If you aren't aware of issues, it's more difficult to resolve them.
The Secure Windows Initiative
In response to attacks becoming increasingly commonplace, Microsoft launched the Secure Windows Initiative (SWI). SWI is an internal Microsoft effort that makes its products more secure from malicious attacks. The SWI team provides consulting services for developers to help them write more secure code-since most developers are not security experts and lack the training required to write secure code. In addition to identifying what code enables buffer overflows, the SWI team is well versed in other security technologies, such as encryption. Although C provides the framework for buffer overflows to happen, the security problems with it are well defined, so it's easier to write good code to prevent security vulnerabilities.
Note | Windows is written in C++. |
This focus on security was part of the process for coding Windows Server 2003 (WS03), and it's one of the reasons IIS version 6 is much more secure than previous versions.
Although you should take seriously any security vulnerability patches that are released, you don't have to apply every patch that comes along just because it's out there. Before you decide whether or not to apply a patch, you need to consider a few factors. As you consider installing a patch, make sure that the risk of not applying the patch is greater than the risk of applying the patch. Evaluate the effectiveness and the benefit of applying the patch and the cost of not applying the patch.
Consider the urgency of applying a patch. For example, a security patch that specifically targets a bug that creates a vulnerability in your system is an urgent matter and should be considered more seriously than a feature patch that gives you added functionality.
Patching Your System
Unfortunately, no code that's millions of lines long is perfect, and security holes will always exist. One of the best ways to protect yourself is to make sure your system has the most recent patch levels installed. Rarely does a virus or worm attack a brand new vulnerability; rather, they attack known vulnerabilities for which patches exist. Typically, people who discover vulnerabilities will report them to Microsoft, and a patch is created and released along with the announcement of the vulnerability.
Note | All operating systems have vulnerabilities of one kind or another, and buffer overflows aren't indigenous only to Microsoft products. But since this book is about IIS and WS03, we are covering security only with Microsoft products. |
Administering the Patching Process
When you are administering a production environment with business-critical functions, it's extremely important that you use a controlled process to manage your patching. Here are some ideas to get you started on a patching procedure.
Implement Change Control First and foremost, you should implement a change control process for your system. A change control process has
-
Defined owners for the system, patch, and any applications
-
Communication to all parties involved in the patch
-
A waiting period, so that the interested and affected parties can raise objections or questions; it's often a good idea to get approval from each of the owners before applying a patch
-
An audit trail and back-out plan
-
A scheduled time for installation and a defined outage window
Be Consistent When applying patches, make sure the same patch level is applied to each server-unless you have a good reason not to do this. Consistent installation is especially true for domain controllers, since out-of-sync patches could mess with replication or authentication between DCs.
Read the Documentation Always completely read the documentation for a patch before you install it, so you can understand thoroughly what's involved. That way, you can determine whether applying the patch is going to disable some needed functionality or cause issues with a certain piece of hardware or software on your system. Reading the documentation will also educate you on which patches are necessary and which ones are not critical.
Test It Out It is a good idea to have a test lab in your organization that tests any new patches before they're installed systemwide. When you are completely satisfied that the patch performs appropriately and have appropriate sign-off from everyone involved, target noncritical systems first for patching. If you are not comfortable patching, don't do it, especially if the patch is a feature enhancement rather than a security patch.
Be Able to Uninstall the Patch If you can, install patches so that you can uninstall them if you need to later on. That way, you can back out of a patch if it causes problems on your system. You can usually find switches that allow for this. Also, keep a backup of the system state data on hand, plus a full backup of the system, just in case.
Make Sure the Patch Is Relevant Always make sure that you can or should apply a patch to a system. Applying a WS03 Post SP1 patch before applying SP1 probably isn't a great idea. Also, keep in mind that you may not need to apply client patches, such as Internet Explorer patches, to a server, since Internet Explorer won't be used on the server. In addition, applying a whole service pack is usually better than applying lots of individual patches within the service pack.
Using Windows Updating
You can keep on top of the patches released in two ways:
-
By visiting the Microsoft Windows Update web page (at http://windowsupdate.microsoft.com) every day to see if new updates are available, and by reading through everything available to see what's relevant to your system.
-
By using Windows Automatic Updating, which will install updates for you.
Since most system administrators have way too much work to do, the second option is quite helpful. Windows Automatic Updating is a standard feature in WS03, and it checks the Windows Update site periodically to see whether any updates are relevant to your system.
Setting Up Automatic Updates
You can configure Windows to run Automatic Updates on your system by setting up this utility. Here's how:
-
Choose Start | Control Panel, and click the System icon.
-
In the System Properties window, click the Automatic Updates tab. Automatic Updating is enabled by default, so make sure the box next to Keep My Computer Up To Date is checked (see Figure 6-1).
Figure 6-1: Configuring Automatic Updates in the System Properties window -
Choose particular settings (as listed in the following sections) that indicate how and when you get your updates.
-
Click OK after you've made your selections.
Note Automatic Updates are enabled by default. You can disable Automatic Updates if you are using another package or you prefer to do your updates manually. Just click the checkbox to remove the check mark.
Notify Me Before Downloading Choosing this option will notify you of any potential updates; then, if you choose to download them, it will prompt you again when they are ready to install. It will also prompt you if a reboot is necessary to complete the installation.
Download the Updates Automatically Choosing this option will download the updates automatically but will prompt you for any updates to be installed. It will also prompt you if a reboot is necessary to complete the installation.
Automatically Download and Install Choosing this option will download the updates and install them automatically at the time you specify. If a reboot is necessary, the system will reboot, regardless of what is happening on the system at that time. If you are logged in to the system with administrator rights at the time, you will be given an opportunity to cancel the reboot; otherwise, your system will send out a notice to all connected users and then reboot itself.
Using the Windows Update Web Site
If you prefer, you can find out what patches are available by visiting the Windows Update site at http://windowsupdate.microsoft.com. The Windows Update site will install an ActiveX control that can scan your system to find out what patches are available for your configuration. You can also install product enhancements at this site.
Tip | Even if you have a service that automatically updates your servers, it's a good idea to stay on top of security issues out there in cyberspace. One great way is to check out the CERT web site at http://www.cert.org. The CERT Coordination Center (CERT/CC) is a center of Internet security expertise located at Carnegie Mellon University. |
|
|