quote:all database access should be done with command objects and stored procedures, and not dynamic SQL
quote:If you're talking about ASP ISP, one really huge security hole is the provider himself and his knowledge about the Windows OS he is using. I have a script utilizing the FileScriptingObject that I used to test my provider, and he fails the test.
quote:Another indeed. Any well-known web server is vulnerable straight out of the box. The IIS Lockdown Tool is a start. It is not the cure-all. However, if sysadmins run it, it'll eliminate most all of the vulnerabilities script kiddies are going to target with their pre-built and downloaded programs.
quote:With an out-of-the-box Windows 2000 installation there are no specific user permissions installed; that means the users can do everything unless they are denied this privilege.
quote:One last statement perhaps: I've never seen a *NIX system crash so hard that root had no choice but to reinstall, but I have seen this happen to Windows systems.