Microsoft seems to release hotfixes and security bulletins weekly. How can I keep up with what I need to apply to my servers? Does anyone post all the hotfixes and bulletins in a one location or provide a notification service?
This problem is of growing concern to those of us who maintain IIS servers. Indeed, Microsoft releases hotfixes for IIS and related technologies regularly. Some of the problems fixed are more serious than others, but all are cause for concern.
As if the multiple hotfixes weren't problem enough, some administrators have reported problems with their servers after applying a hotfix. For example, concerns about hotfixes garnered attention recently when Microsoft released a hotfix (http://www.microsoft.com/technet/security/bulletin/ms00-086.asp) for a problem another hotfix had introduced.
The point here is that hotfixes aren't risk free. When a security problem is discovered, Microsoft is under pressure to release a hotfix quickly. As a result, hotfixes don't undergo the same level of testing as service packs; Microsoft releases the fixes without the benefit of those extensive tests and, sometimes, more quickly than is best.
Ideally, a product shouldn't need patches. However, I don't believe that IIS is less secure than any other Web server. Many people worldwide pound on products by Microsoft and other companies solely for the purpose of announcing to the world that they've found a security hole in a major product. Such products are more complex, in much greater use, and have more money flowing through them (e-commerce) than anyone ever imagined would be the case. Consequently, more problems are found, and any problem creates a greater risk. I don't believe that software is less secure than before, just that the software is under greater scrutiny.
I recommend that you don't automatically apply a hotfix to your servers the moment Microsoft releases that hotfix. You must weigh the seriousness of the security risk with the possibility that the hotfix might disable your server or expose another risk. I also strongly recommend that you make a complete backup of your server before you apply a hotfix. In addition, you should perform a test installation (if possible) on a nonproduction server. Ideally, you might wait awhile to see whether other administrators encounter problems with the hotfix.
So, how do you keep up with releases and current vulnerabilities? I use a combination of email lists and specific Web sites. See the Web-exclusive sidebar "Security Resources" for a list of these sites.
I handle a Web server that provides mission-critical service. Recently, my Web sites began taking turns stopping. IIS is still running, but when I use Internet Service Manager (ISM) to look at the sites, the sites appear stopped. No log entries or events are recorded. Does a tool exist that can help troubleshoot and restart the Web sites without constant human monitoring and intervention?
This experience is, unfortunately, all too common and one of the most complex problems to diagnose effectively. I can say that this problem isn't as prevalent in IIS 5.0 as it is in IIS 4.0, but that's of little help to IIS 4.0 Web administrators. Usually, you can trace the problem to the improper use of Active Server Pages (ASP) files; using an earlier version of Microsoft Data Access Components (MDAC), which includes ActiveX Data Objects (ADO); an outdated scripting engine (e.g., VBScript, JScript); or insufficient memory to serve the load.
By far, the most common cause of a Web site stopping unexpectedly is the incorrect or sloppy use of ASP. Many administrators have reported that by releasing every called object at the end of each page and closing all connections the moment they can be closed, they solve the "stopping without warning" problem.
In addition, this problem can arise when you don't update IIS components. Microsoft releases updates to important IIS components by means other than service packs. For example, ADO is part of the MDAC package. You can download more recent versions of the MDAC package than those Microsoft supplies with the installation disks and service packs. You can even find service packs specifically for MDAC. The MDAC components have been known to cause sudden, "unexplained" stops in Web servers that you can fix by upgrading.
Determining the MDAC version you should be running is challenging. Five versions exist, and which one you've installed on your system is important. For example, MDAC 2.6, which comes with Microsoft SQL Server 2000, doesn't support clustering for SQL Server 7.0. For information about updates to IIS, see the Web-exclusive sidebar "Important Updates for IIS."
Everyone wishes that IIS would provide information about the site that stopped and why, but it doesn't, as you note. You can, however, implement monitoring for your sites that can restart a Web site when it's stopped. One popular tool is ipMonitor from MediaHouse (http://www.mediahouse.com). You can set up ipMonitor to check whether a Web site is delivering pages. If it isn't, ipMonitor can take several actions, including writing an event to the event log, paging an administrator, or executing a script. With scripting, you can easily stop and start a Web site. Sample scripts install with IIS that illustrate how you can script such actions. You can find the startweb.vbs sample script at \winnt\system32\inetsrv\adminsamples in IIS 4.0 and at \inetpub\adminscripts in IIS 5.0.
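The check-then-restart loop described above, written out as an added PowerShell example (this is not code from the column, from ipMonitor, or from the IIS sample scripts). It assumes the IIS metabase ADSI provider (`IIS://localhost/W3SVC/<id>`) is available, which is the case on IIS 4.0 through 6.0 and on later versions with the IIS 6 metabase compatibility feature installed; the URL, the site id `1`, and the event source name `SiteWatch` are placeholders you would replace. Because the column notes that IIS records nothing when a site stops, the script writes its own event log entry each time it has to intervene, so the silent stops at least leave an audit trail.

```powershell
# Added example: poll a site and restart it through the IIS metabase ADSI provider
# when it stops delivering pages. Assumes an event source was registered once with:
#   New-EventLog -LogName Application -Source SiteWatch
param(
    [string]$Url        = "http://localhost/",   # page the site must deliver (assumed)
    [int]   $SiteId     = 1,                     # metabase id of the site (assumed: default site)
    [int]   $TimeoutSec = 15,
    [string]$Source     = "SiteWatch"            # hypothetical event source name
)

# Metabase ServerState values: 2 = MD_SERVER_STATE_STARTED, 4 = MD_SERVER_STATE_STOPPED
$STARTED = 2
$STOPPED = 4

function Test-SitePage {
    param([string]$Url, [int]$TimeoutSec)
    # True only when the server answers HTTP 200 inside the timeout; a hung site that
    # never answers is treated the same as one that is stopped.
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method  = "GET"
        $req.Timeout = $TimeoutSec * 1000
        $resp = $req.GetResponse()
        $ok = ([int]$resp.StatusCode -eq 200)
        $resp.Close()
        return $ok
    } catch {
        return $false
    }
}

function Restart-MetabaseSite {
    param([int]$SiteId)
    # The same Stop/Start calls the IIS stopweb.vbs/startweb.vbs samples make, via ADSI.
    $site = [ADSI]"IIS://localhost/W3SVC/$SiteId"
    if ($site.ServerState -ne $STOPPED) { $site.Stop() }
    Start-Sleep -Seconds 2
    $site.Start()
    # Re-bind so we read the live state rather than the cached property value.
    $site = [ADSI]"IIS://localhost/W3SVC/$SiteId"
    return ($site.ServerState -eq $STARTED)
}

if (Test-SitePage -Url $Url -TimeoutSec $TimeoutSec) {
    exit 0      # site is healthy; nothing to record
}

$restarted = Restart-MetabaseSite -SiteId $SiteId
$outcome = if ($restarted) { "restart succeeded" } else { "restart FAILED" }
$msg = "Site W3SVC/$SiteId did not deliver $Url within $TimeoutSec s; $outcome."
# Record the intervention ourselves, since IIS logs nothing when a site stops.
Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 1001 -Message $msg

if (-not $restarted) { exit 1 }
```

Run it from Task Scheduler every few minutes under an account that can administer IIS. The exit code lets the scheduler or a monitor such as ipMonitor or Servers Alive escalate when a restart fails, and the event log entries show how often a site is being restarted, which is the first clue when the real cause is a leaked ASP object or an outdated MDAC rather than a one-off glitch.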
To get you started, you can obtain a good yet inexpensive monitor called Servers Alive at http://www.woodstone.nu. This tool can perform much of the same monitoring as a more expensive monitor, but it lacks some reporting and logging features. Nevertheless, Servers Alive is a bargain and works well.
Perl Junkie December 09, 2003