Pau Lo

MS security updates on web servers.

We have been looking at some get-hotfix reports to determine the last MS security updates applied to a multitude of servers serving different purposes. In some cases the process seems to be working and critical updates are applied in a timely manner, but we found a few exceptions. For my own knowledge/benefit - if a server was acting as a web server and only had standard web ports open, could any of the vulnerabilities that the MS updates 'address' still be exploitable from the outside through those ports? I'm not entirely sure what range of products/services the updates cover in their 'monthly roll ups', so I would be interested to learn a little more.
ASKER CERTIFIED SOLUTION
Paul MacDonald
This solution is only available to members.
If you want a plain yes/no answer, then yes.

Long version is that it depends on the vulnerability and the configuration of the server. Having ports open is one thing; how you use them is another (hence my configuration comment). Also, if you have a WAF in place, that is going to protect you from a number of exploits, but that doesn't change the fact you should patch. A CDN will also give some level of protection from some exploits, but patching is still very necessary.
There can be patches for IIS, as well as .NET Framework that would be accessible from the Internet, so yes, they need to be patched. Your first priority should be in patching every system that is exposed to the Internet. The threat from the Internet to unpatched systems is much greater than the threat to unpatched systems that are only available internally.
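
An added example, not part of the original posts: one way to turn the get-hotfix reports from the question into a list that puts Internet-exposed servers first, as the answer above recommends. The server names, the `InternetFacing` flag, the 35-day threshold and the helper name `Get-PatchAge` are assumptions made for illustration.

```powershell
# Constructed inventory: replace with your own server list and exposure flag.
$MaxAgeDays = 35
$Inventory = @(
    [pscustomobject]@{ Name = 'WEB01';  InternetFacing = $true  }
    [pscustomobject]@{ Name = 'WEB02';  InternetFacing = $true  }
    [pscustomobject]@{ Name = 'FILE01'; InternetFacing = $false }
)

# Hypothetical helper: returns the newest dated hotfix entry for one server and its age.
function Get-PatchAge {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [bool] $InternetFacing,
        [int]  $MaxAgeDays
    )
    $queryError = $null
    $latest = $null
    try {
        # InstalledOn is empty on some entries, so drop those before sorting.
        $latest = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
    } catch {
        # An unreachable server is reported, not silently treated as patched.
        $queryError = $_.Exception.Message
    }
    $age = if ($latest) { [int][math]::Floor(((Get-Date) - $latest.InstalledOn).TotalDays) } else { $null }
    $status = if ($queryError) { 'QueryFailed' }
              elseif (-not $latest) { 'NoInstallDate' }
              elseif ($age -gt $MaxAgeDays) { 'Overdue' }
              else { 'Current' }
    [pscustomobject]@{
        Server         = $ComputerName
        InternetFacing = $InternetFacing
        LastHotFix     = $latest.HotFixID
        Description    = $latest.Description
        InstalledOn    = $latest.InstalledOn
        AgeDays        = $age
        Status         = $status
    }
}

# Internet-facing servers first; within each group, unknown or oldest patch state on top.
$Inventory |
    ForEach-Object { Get-PatchAge -ComputerName $_.Name -InternetFacing $_.InternetFacing -MaxAgeDays $MaxAgeDays } |
    Sort-Object @{ Expression = 'InternetFacing'; Descending = $true },
                @{ Expression = { if ($null -eq $_.AgeDays) { [int]::MaxValue } else { $_.AgeDays } }; Descending = $true } |
    Format-Table -AutoSize
```

Get-HotFix reads the Win32_QuickFixEngineering WMI class, which does not return updates delivered as Windows Installer (MSI) packages, so a "Current" status here does not by itself confirm that every product on the server is patched.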