Chris,

There are plenty of known vulnerabilities that Microsoft admits there are no fixes for. The one used in this attack was unknown to MS PSS and is still under study 2 months after the fact. A lot of people would have ignored the attack because the Root Kit was almost perfect. I think we can all agree everything has its problems and in the wrong or untrained hands things can be much worse.

I do appreciate your ideas on IIS. We've implemented them previously and it didn't slow the attacker down.

> > I'd like to improve the security of the system by locking out all but
> > authorized users (it isn't a public website). Using IIS' internal
> > authentication doesn't prevent many of the known attacks so my thought
> > was to authenticate at the firewall.
>
> That'd be a support nightmare, and I don't know if it would even be possible.

Why do you feel authentication at the firewall would be a support nightmare? That's the kind of information I'm looking for. If I'm not going to be able to support this configuration I'd like to know before I commit to it.

Thanks,
Mike