Re: Does merely having the IIS software on a server increase risk?

From: x y (levinson_k@excite.com)
Date: 01/28/03


From: "x y" <levinson_k@excite.com>
Date: Tue, 28 Jan 2003 10:45:11 -0500

As far as I know, there are some SMTP vulnerabilities, so you would want to
be sure you are running the latest patches... and also uninstall any unused
components of IIS. The WWW and FTP components of IIS are very, very
vulnerable to hacking if not secured properly. Things you should consider
doing generally to secure Windows and IIS [but not specifically addressing
the SMTP service] are here:

http://securityadmin.info/faq.htm#harden

"Thomas Dulaney" <spamfilter2003@yahoo.com> wrote in message
news:002201c2c635$835d95b0$d7f82ecf@TK2MSFTNGXA14...
> Hello,
>
> I need to have SMTP services on an application server. I
> don't need or want a web server on this machine, but I
> have to have IIS installed to get the SMTP service as I
> understand it. I have stopped the default web sites that
> are created by the install. Is there a hackable entry to
> the server that I need to worry about even if the web
> services (and everything else except SMTP) are turned off?
>
> Is there significant danger of being hacked through the
> SMTP port? This server houses a mission critical database
> so we want the server as crash free (and hence hack free)
> as is reasonable.
>
> Any and all advice is appreciated!!
>
> --Tom
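
An added example, not part of the original thread: one way to confirm that only the SMTP component of IIS is still reachable is to audit the TCP listeners reported by `netstat -an` on the server. The port table holds the usual default ports of the IIS services (an assumption; non-default bindings are not matched), and the netstat output below is constructed sample input.

```python
import re

# Default TCP ports of the IIS component services (assumed defaults; a site
# or service bound to a non-default port is not matched by this table).
IIS_DEFAULT_PORTS = {
    21: "MSFTPSVC (FTP)",
    25: "SMTPSVC (SMTP)",
    80: "W3SVC (WWW)",
    119: "NNTPSVC (NNTP)",
    443: "W3SVC (WWW over SSL)",
}

# Matches Windows "netstat -an" rows for TCP sockets in LISTENING state.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b", re.I)

def listening_ports(netstat_text):
    """Return {port: set of local addresses} for listening TCP sockets."""
    ports = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.setdefault(int(m.group(2)), set()).add(m.group(1))
    return ports

def audit(netstat_text, wanted=(25,)):
    """Return (unexpected IIS listeners, wanted ports that are not listening)."""
    found = listening_ports(netstat_text)
    unexpected = {p: IIS_DEFAULT_PORTS[p] for p in sorted(found)
                  if p in IIS_DEFAULT_PORTS and p not in wanted}
    missing = [p for p in wanted if p not in found]
    return unexpected, missing

# Constructed sample output, not captured from a real server.
SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1433          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:25            10.0.0.9:1045          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE)
    for port, service in unexpected.items():
        print(f"unexpected IIS listener on TCP {port}: {service}")
    for port in missing:
        print(f"wanted service is not listening on TCP {port}")
```

Ports outside the table, such as 135 and 1433 in the sample, are ignored here and need their own review.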