Regarding the responsibility of IIS web admins... sure, common sense should tell them to delete unused script mappings. But even for the clueless ones, MS has formally recommended this on Technet. See "Secure Internet Information Services 5 Checklist" (note the date: June 2000, and there also was a version for IIS4 a few years ago). It's near the bottom, but it's there.
If your admin simply installs a default W2K, that's pretty weak... if he/she doesn't visit Technet (at least occasionally), then he/she's not really any more qualified than the landscaper.
This is a serious issue, but there's really no excuse for any company to be running a server that's vulnerable. For anyone with brains, this is a non-issue.
Slashdot Mirror
Regarding the responsibility of IIS web admins... sure, common sense should tell them to delete unused script mappings. But even for the clueless ones, MS has formally recommended this on Technet. See "Secure Internet Information Services 5 Checklist" (note the date: June 2000, and there also was a version for IIS4 a few years ago). It's near the bottom, but it's there.
If your admin simply installs a default W2K, that's pretty weak... if he/she doesn't visit Technet (at least occasionally), then he/she's not really any more qualified than the landscaper.
This is a serious issue, but there's really no excuse for any company to be running a server that's vulnerable. For anyone with brains, this is a non-issue.
-Andy