Luis opened this issue on Jul 20, 2001 · 36 posts
soulhuntre posted Sun, 22 July 2001 at 11:40 AM
Since accuracy is important in these matters...

"In addition to IIS 4.0 and 5.0, I was just shown a news report that the "Red Alert" worm also infects PCs with Windows NT4.0 and Windows 2000. Those on DSL or cable modems will be especially vulnerable."

This worm ONLY affects machines running unpatched IIS services.

"Considering Microsoft's weaknesses, it is truly amazing that people would willingly give their personal data to a Passport or Microsoft's .net or XP setup. Yikes! What do they think we are? Stupid?!? Yes."

Actually, IIS/Windows servers, when maintained correctly, are much easier to keep secure than their Linux counterparts. The number of IIS exploits available is small compared to the piles and piles of vulnerabilities on the average Linux server (sendmail, bind anyone?). Both systems CAN be secured, but in Windows I have exactly one vendor to track, a vendor who does a very good job in getting me timely patches... in Linux I have multiple projects/authors to try and track and all the interdependency issues to deal with. 99.9999999% of the time I can just hit "Windows Update", say yes and I am all set - it can be part of my daily maintenance (and is).

"Companies must be accountable when security patches are available and, for one reason or the other, they fail to install them in a timely manner."

I agree. ALL software has bugs and security flaws; if your job as an admin isn't to keep your servers secure as its highest priority, then what IS your job?

"BTW, the "PoBox" hack, the last major round of hacks, was hacked UNIX boxes randomly looking for IIS boxes to infect. Who blames MS for the UNIX crack?"

I agree, the hypocrisy is simply stunning. The screaming about MS's "flaws" will go on for weeks, but no one will make a peep about the latest Linux root exploits.

"Is Apache really that difficult to use, or is it simply that people don't realise you can get frontpage extensions for that too."

Not at all, I have run many Apache based systems for large customers - and still admin a few who won't switch. The reality is simply this... Apache is an inferior product to IIS in every way my clients and I find important. ASP and ASP.NET are good fast development environments... and the support for them on Apache is nil (or almost nil). The administration of IIS is incredibly efficient and its uptime is every bit as good as Apache's. And, again, an IIS/Windows server is much, much easier to keep secure.

"One of the "rules" of being a decent sysadmin, is not installing every patch that comes down the pipe, just because it's there."

That's an outdated rule, and it was never really a good one to start with... but let's skip that for a moment. Not installing a patch for a KNOWN, high vulnerability and widely publicized exploit is not nearly the same thing as not installing "every patch that comes down the pipe". It's like not putting on a Kevlar vest before getting shot because you don't know if it is a carcinogen. Yes, the patch may be a problem, but that chance is worth the risk because you KNOW FOR A FACT that 8 million rabid GNU terrorists are just waiting to slam your MS server to hell and back as soon as someone with talent can write them a shell script.

"Casa - had the patches been applied before approval from our third party vendors or the stated SLA of 48 hours notice to our customers, I would have lost my job."

I appreciate your problem... but you need to try and alter those contracts. There is simply no way to secure your system if you cannot be allowed to apply a critical patch from the OS vendor for a high profile vulnerability on your own authority.

"I wasn't suggesting the Apache was bulletproof, just that it can be made highly resilient if you're willing to put in the hours, the very fact that source is free is what makes it so, everyone can see how it does what it does, so vulnerabilities are patched on a daily basis, once a successful hack is found, as the "hack a mac" contest proved."

The fact that Apache is "free" doesn't make any difference... as evidenced by the ease with which cracks are found for many free/open source products. The patches from MS are extremely well done, extremely timely and very often available weeks or months before the exploit is widely known. On average, I devote 30-45 minutes on security issues for all my servers (13+, most Windows) and workstations (20+) and that covers it nicely. If you're going to "put in the hours" then your IIS/Windows system is going to be as secure as, if not more secure than, your Apache/Linux system.

Ah well, it's all OT :)