Ever since the Gartner Report stated that anyone using IIS as a production web server should immediately migrate to Apache, the popular Unix web server, Microsoft’s web platform has gotten quite a bad rap. And a lot of it was deserved: buffer overflows, what seems like 10 security bulletins each week, worms that take over computers faster than they can be secured while on the network, and so on. Part of the problem was that the version of IIS included with Windows NT and Windows 2000, versions 4 and 5, respectively, were lax in their default permissions: everyone could do everything at any given time. Even the fact that IIS was installed by default during a Windows installation was a bad move: it didn’t matter if you didn’t want a web server because you got one anyway.
Those who prey on insecure web servers rely on users who are lax, lazy, or unknowledgeable about keeping their servers hardened and updated. Essentially, the climate of the Internet has degenerated into a situation in which even innocent users that get penetrated are used as attack vectors against other innocent but open servers. The responsibility lies not just with the attackers who promulgate these worms, but also with the administrators who allow their machines to be used like toys.
In this section, I’ll look at nine simple steps you can take to make sure you’re not a victim, and that you’re not an accessory to the hackers.
Although it’s probably the simplest suggestion ...