| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | Re: How hard to learn Win 2003 Server? |
From: "Rich Gauszka"

you can also start with
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

MBSA is an easy-to-use tool designed for the IT professional that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.

and for help the various Microsoft security newsgroups
http://www.microsoft.com/technet/community/newsgroups/security/default.mspx

"Randall Parker" wrote in message news:437fafd5{at}w3.nls.net...
> Geo,
>
> All thoroughly scary.
>
> In order to get a Win2k box up to date on all the security patches can one
> just surf to windowsupdate.microsoft.com and install what they tell you?
> Or do you have to go other places to install patches for ASPX and IIS?
>
> Geo wrote:
>> "Randall Parker" wrote in message news:4377dd07$1{at}w3.nls.net...
>>
>>> I'm using ADO.Net, ASP.Net and IIS. I'm not using any other MS thingies.
>>
>> I don't think the choices get that modular, like it's either the .net
>> extensions or nothing, but I may be wrong.
>>
>>> Have there been any major exploits for aspx pages?
>>
>> Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability
>> 2005-11-11
>> http://www.securityfocus.com/bid/14594
>>
>> Microsoft Windows MSRPC Eventlog Information Disclosure Vulnerability
>> 2005-07-07
>> http://www.securityfocus.com/bid/14178
>>
>> Microsoft ASP.NET URI Canonicalization Unauthorized Web Access Vulnerability
>> 2005-06-14
>> http://www.securityfocus.com/bid/11342
>>
>> Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability
>> 2005-01-18
>> http://www.securityfocus.com/bid/11173
>>
>> Multiple Vendor XML DTD Parameter Entity SOAP Server Denial Of Service Vulnerability
>> 2003-12-11
>> http://www.securityfocus.com/bid/9204
>>
>> Multiple Vendor XML Parser SOAP Server Denial Of Service Vulnerability
>> 2003-12-09
>> http://www.securityfocus.com/bid/9185
>>
>> Microsoft ASP.NET StateServer Cookie Handling Buffer Overflow Vulnerability
>> 2002-06-08
>> http://www.securityfocus.com/bid/4958
>>
>>> My app is not used by the general public. Everyone will have to log on in
>>> order to view other pages.
>>
>> Is the server available to the public? In other words are any of the pages
>> available if I were to view the machine without logging in?
>>
>>> I haven't written the security part of my app yet. I'm wondering if I have
>>> to write security code into every aspx page to check for an existing
>>> validated session or if there's some way before each page runs to check
>>> the cookie stuff before letting the page code execute at all. Any idea?
>>
>> How would you code in something to protect you from
>>
>> http://www.example.com/secureDirectory%5Csomefile.aspx
>>
>> type of exploiting, that was the URI exploit listed above, doing that
>> allowed you to view stuff in a secure directory on the target server.
>>
>> Geo.

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267
| SOURCE: echomail via fidonet.ozzmosis.com | |
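An added example, not part of the thread: one way to handle both points raised in the quoted exchange (a login check that runs before any page code, and rejecting the `secureDirectory%5Csomefile.aspx` style of path) in a single `Global.asax.cs`. It assumes an ASP.NET 2.0 or later application with forms authentication configured in `web.config`; the class name and the choice to answer with a 404 are decisions made for this illustration.

```csharp
// Global.asax.cs: added illustration, not code from the thread.
using System;
using System.IO;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs first, before authentication and before any page code.
    // Requests whose path is not in canonical form are refused, so a path
    // such as "secureDirectory%5Csomefile.aspx" (backslash instead of a
    // forward slash) never reaches the authorization rules or the page.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string path = Request.Path;              // virtual path as ASP.NET sees it
        string physical = Request.PhysicalPath;  // file the request maps to

        bool hasBackslash = path.IndexOf('\\') >= 0;
        // Conservative choice for this example: a '%' still present in the
        // path suggests double encoding, so it is refused as well.
        bool stillEncoded = path.IndexOf('%') >= 0;
        // GetFullPath resolves "..", mixed separators and similar tricks;
        // if the result differs, the request path was not canonical.
        bool notCanonical = !string.Equals(
            Path.GetFullPath(physical), physical,
            StringComparison.OrdinalIgnoreCase);

        if (hasBackslash || stillEncoded || notCanonical)
        {
            throw new HttpException(404, "Not found");
        }
    }

    // Runs after the forms-authentication module has validated the cookie
    // and still before the page handler: one central login check instead
    // of repeating it in every .aspx page.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        bool isLoginPage = string.Equals(
            Request.Path, FormsAuthentication.LoginUrl,
            StringComparison.OrdinalIgnoreCase);

        if (!Request.IsAuthenticated && !isLoginPage)
        {
            FormsAuthentication.RedirectToLoginPage();
            // RedirectToLoginPage does not end the request by itself;
            // skip the rest of the pipeline so the page never executes.
            CompleteRequest();
        }
    }
}
```

The login check covers only requests that ASP.NET itself handles; file types served directly by IIS need their own access control.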