Find, Fix Vulnerabilities
Get out the treasure map. bring along a stethoscope. hunting down IIS systems, especially inadvertently installed rogues, will take a methodical, plodding approach.Get out the treasure map. bring along a stethoscope. hunting down IIS systems, especially inadvertently installed rogues, will take a methodical, plodding approach. However, an accurate network diagram and diagnostic tools can take some of the pain out of plugging IIS security holes. Draw a map of the organizations network that shows where IIS systems are installed. HFNetChk, from Microsoft, can scan local or remote machines and indicate which patches have and have not been applied. This tool is hard to automate, and the output is difficult to use. Inventory management tools from Tally Systems Corp. and others can make this task a lot easier and less prone to error, by automatically surveying systems for a software "fingerprint." Although they require that an agent be installed on the target system, this is a small price to pay to keep tabs on critical systems. BindView Corp. makes a variety of bv-Control tools for Windows 2000. BindView products monitor server configurations specifically for changes to security settings. IT managers can then set configuration requirements and receive reports and alerts when systems are out of compliance.
Locate Windows 2000 servers that were automatically installed with IIS enabled but were not authorized by central IT. This will be a lot trickier. IT managers who suspect renegade systems are inside the firewall should start with the simple questions: Was a disk imaging system used to create production servers? If so, did the disk image include IIS, which is part of the default installation?