I use up-to-date patches and hotfixes and have Norton antivirus software on all my IIS servers. Even with these precautions, security holes constantly pop up. The patches and hotfixes only work sometimes. There has to be a trade-off between the risk of not being up to date versus the possibility that the server may be fried after installing the latest patch/hotfix? This question posed on 19 June 2002
There are those who believe Internet Information Server security cannot be managed effectively, and there's little doubt that the task is daunting to even seasoned administrators. Using the IIS Lockdown Tool will help put your servers in a more secure configuration, but some of the steps the tool recommends can't always be implemented in real world network environments. I tell people to have test servers ready all the time to check out patches and see if they break any functionality. Having these up and running can really help with response time.
Another step to consider is diversifying the server environment. It's often difficult to implement, but the advantages are striking. Nimda took out many companies' entire Web presence, often including intranets. If some systems were running on another platform, they would have survived almost unaffected.
Editor's Note: For more useful information, check out these technical tips:
*Sign up to have Windows security administration tips deliverd to your inbox every Tuesday morning.