http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspxAbout weeks ago, from a private security mailing list I get to know that recent findings on IIS 6 vulnerabilities count is 60! If you were on NTBugTraq mailing list, you might have read that as well. This actually came from Russ Copper's AUSCert presentationenCommunityServer 2008.5 SP2 (Build: 40407.4157)http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx#16099Tue, 19 Oct 2004 06:47:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:16099TrackBack<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=16099" width="1" height="1">http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx#8613Mon, 21 Jun 2004 15:47:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:8613bernardHi Ray, <br>Just set it to false, and set AspScriptErrorMessage for the error msgs. <br><div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=8613" width="1" height="1">http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx#8455Sat, 19 Jun 2004 05:58:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:8455bernardGrat article with lots of good info. I would like to script (adsutil.vbs) the change so IIS won't &quot;Send detailed ASP error messages to client&quot; (Default Web Site|Home Directory|Configuration|Debugging Tab). What value do I set in the metabase (AspScriptErrorSentToBrowser)? <br>Thanks,<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=8455" width="1" height="1">http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx#8043Sun, 13 Jun 2004 00:53:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:8043bernardCool. I didn't know that. Thanks Alun.<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=8043" width="1" height="1">http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx#7994Sat, 12 Jun 2004 04:24:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:7994bernardJust a quick note in passing on the item &quot;PCT Vulnerability - CAN-2003-0719&quot; - PCT is not enabled by default on Windows Server 2003, and it's difficult to imagine too many situations where an admin would enable it. For the vulnerability to work, PCT would have to be enabled - enabling SSL is not enough.<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=7994" width="1" height="1">http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx#7926Fri, 11 Jun 2004 02:26:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:7926bernardKudos on a well written post :) <br> <br>Security is the sum of all the parts and it's only as strong as it's weakest link. <br> <br>IIS 6.0 (which is yet to have it's first security release) is [b]VERY SECURE[/b]. It represents the fruitition of MS's efforts in strengthening it's security products. <br> <br>Russ is somewhat correct, in that to build a secure MS Internet or Intranet server, you need to consider all the parts (Windows, IE, etc), and thus you can arrive at dozens of required patches. Still, IIS is just a part and saying that [b]it[/b] has the number of vulnerabilities Russ identified is misleading. <br> <br>Respectfully, Harry <div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=7926" width="1" height="1">http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx#7910Thu, 10 Jun 2004 18:01:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:7910TrackBack<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=7910" width="1" height="1">http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx#7907Thu, 10 Jun 2004 17:02:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:7907bernardAnd then there is the obvious component that the number of vulnerabilities can be further reduced by the fact that some of the 21 W2K3 vulnerabilities just do not apply to an IIS 6.0 Server maintained by anyone with sound mind and judgement. <br> <br>As far as the 22 IE vulnerabilities, how long has it been SOP not to perform casual web browsing from a production server?<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=7907" width="1" height="1">