There are plenty of known vulnerabilities that Microsoft admits there
are no fixes for. The one used in this attack was unknown to MS PSS
and is still under study 2 months after the fact. A lot of people
would have ignored the attack because the Root Kit was almost perfect.
I think we can all agree everything has its problems and in the
wrong or untrained hands things can be much worse. I do appreciate
your ideas on IIS. We've implemented them previously and it didn't
slow the attacker down.
> > I'd like to improve the security of the system by locking out all but
> > authorized users (it isn't a public website). Using IIS' internal
> > authentication doesn't prevent many of the known attacks so my thought
> > was to authenticate at the firewall.
> That'd be a support nightmare, and I don't know if it would even be possible.
Why do you feel authentication at the firewall would be a support
nightmare? That's the kind of information I'm looking for. If I'm
not going to be able to support this configuration I'd like to know
before I commit to it.