
9.4 Patching

The best use of the preceding techniques will not protect your application if you miss the important practice of patching. Patching is the practice of applying vendor-provided fixes to the software you use to run your web application. Whether it's your web server, your database software, your operating system, or any other software used in your application, running without security patches installed is an invitation to hackers everywhere.

Fortunately, Microsoft is working to make the patching process easier, with tools such as Windows Update, and a relatively new tool, the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.1, available at http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp, provides both GUI and command-line interfaces for scanning local and remote machines for patch status and common misconfigurations of the following products:

  • Windows NT 4.0

  • Windows 2000

  • Windows XP

  • IIS 4.0 and 5.0

  • SQL Server 7.0 and 2000

  • Internet Explorer 5.01 and later

  • Office 2000 and 2002

  • Exchange 5.5 and 2000 (patch scanning only)

  • Windows Media Player 6.4 and later (patch scanning only)

In addition to tools like Windows Update and MBSA, you can also sign up for notifications of security bulletins at http://www.microsoft.com/technet/security/bulletin/notify.asp.
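As an added example (not from the book and not MBSA itself), the script below performs the simplest form of the patch-status check MBSA automates: it inventories the updates installed on a list of local and remote machines and flags any host missing a required set. It assumes Windows PowerShell 5.1 with remote WMI access to each host; the host names and KB identifiers are constructed placeholders to replace with your own.

```powershell
# Added example, not the book's or MBSA's code: compare installed updates on
# several hosts against a required baseline and report the gaps.
# Assumes Windows PowerShell 5.1 (Get-HotFix -ComputerName) and WMI access.

$RequiredKBs = @('KB0000001', 'KB0000002')      # placeholders, not real bulletins
$Computers   = @('localhost', 'WEB01', 'SQL01')  # constructed sample host names

function Get-PatchGap {
    param(
        [string[]]$ComputerName,
        [string[]]$Required
    )
    foreach ($c in $ComputerName) {
        try {
            $installed = Get-HotFix -ComputerName $c -ErrorAction Stop |
                         Select-Object -ExpandProperty HotFixID
        } catch {
            # An unreachable host is reported, not skipped: a server you
            # could not scan is not a server you know to be patched.
            [pscustomobject]@{
                Computer = $c
                Status   = 'UNREACHABLE'
                Missing  = $_.Exception.Message
            }
            continue
        }
        $missing = $Required | Where-Object { $installed -notcontains $_ }
        $status  = if ($missing) { 'MISSING' } else { 'OK' }
        [pscustomobject]@{
            Computer = $c
            Status   = $status
            Missing  = ($missing -join ', ')
        }
    }
}

# Run the check and print one row per host.
Get-PatchGap -ComputerName $Computers -Required $RequiredKBs |
    Format-Table -AutoSize
```

A host reported as MISSING or UNREACHABLE is the one to follow up on before the next security bulletin arrives.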

Regardless of how you find out about patches, it is imperative that you keep all software associated with your web application patched and up-to-date.
