Patches and Service Packs

IIS 4.0 Patches


IIS is one of the biggest threats to Windows NT, 2000 and XP security!

You must know how to protect your computer from IIS-related attacks, and remember that even if you're using Windows 2000 Professional, you're still vulnerable to those attacks (IIS is installed by default on all W2K platforms, but not on XP and Windows Server 2003).

Note: Since IIS is such a potential threat to your system, and since my site is usually NOT security oriented, I cannot guarantee your computer's safety even if you do follow my recommendations. I cannot be held responsible for anything that might happen to you, your computer, or the information stored on it. I might compile a list of IIS security issues later this month, but till then you can read the TechNet Security Webpage and search for the IIS-related issues, and also the Microsoft Security page.

IIS 4.0 Required Patches

IIS 4.0 is an optional upgrade to Windows NT 4.0, and can be installed on the machine by installing the Windows NT 4.0 Option Pack.

Internet Information Server (IIS) 4.0 installed on a Windows NT 4.0 SP6a Server box requires the following security-related patches:

July 2004

MS04-021 : Security Update for IIS 4.0 (841373)

May 2003

MS03-018 : Cumulative Patch for Internet Information Service (811114)

This patch is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a:

  • 327696 MS02-062: October 2002 Cumulative Patch for Internet Information Services

  • 321599 MS02-028: Heap Overrun in HTR Chunked Encoding Might Enable Web Server Compromise

  • 319733 MS02-018: April 2002 Cumulative Patch for Internet Information Services

April 2000

MS00-028 : Server-Side Image Map Components Vulnerability

MS00-025 : Link View Server-Side Component Vulnerability

March 2000

MS00-019 : Virtualized UNC Share Vulnerability

July 1999

MS99-025 : Unauthorized Access to IIS Servers through ODBC Data Access with RDS

Other IIS Patching Tools

You should also look at the IIS Lockdown Tool and URLScan, which are valuable tools for protecting against "anti-IIS" activity:

  • URLScan Security Tool (v2.5): URLScan is a powerful security tool that works in conjunction with the IIS Lockdown Tool to give IIS Web site administrators the ability to turn off unneeded features and restrict the kind of HTTP requests that the server will process. By blocking specific HTTP requests, the URLScan security tool prevents potentially harmful requests from reaching the server and causing damage.

  • IIS Lockdown Tool (v2.1): The IIS Lockdown Wizard works by turning off unnecessary features, thereby reducing the attack surface available to attackers. To provide defense in depth, or multiple layers of protection against attackers, URLScan, with customized templates for each supported server role, has been integrated into the IIS Lockdown Wizard.
