SANS chases ambulances

Best line from this: "We haven't determined pricing yet, but it would be inappropriate to try to capitalize off of this attack."

Date: Fri, 3 Aug 2001 18:36:07 -0600 (MDT)
From: The SANS Institute (
Subject: Securing Microsoft's IIS Web Server

Hello, I am Stephen Northcutt, from the SANS Institute.  The recent code
red worm has been an interesting and instructive experience for all of
us.  We are very fortunate that this worm was essentially benign; it
did not delete files and only consumed bandwidth and took down routers.
Things could have been a whole lot worse!  As you know, the root cause
of the problem is poorly configured Microsoft IIS web servers.  If we
don't learn to deploy IIS properly, then any vulnerability in IIS can
be used to start another worm and we will have to go through the whole
mess again.  In this world of copycat attacks, is a significant and
immediate possibility.  Please ask your MCSEs and others managing
Windows systems to get your IIS systems configured safely.  Microsoft
certification does *not* cover this material or much security at all.
We each need to do our part to get this mess cleaned up.

SANS Instructors, Jason Fossen and Eric Cole are available during the
next few weeks to teach a special one-day course on Securing IIS.  The
description of this course can be found at:

We have found space in several cities in the coming weeks.  The draft
schedule is included at the bottom of this note.

We will run this class only in those cities in which there is sufficient
interest.  If you are interested in attending, or sending your people
drop us a note at by Wednesday, August 8. Tell us your name
and your organization's name, the city (and date) you would attend, and
the number of people from your organization who will definitely come,
the number who will probably come, and the number who may possibly come.

If you are running Unix and you know someone running Windows IIS, please
forward this note to them.  If we have enough interest, we will run the
courses.  We haven't determined pricing yet, but it would be
inappropriate to try to capitalize off of this attack.  When we know
the cities in which people are interested in attending the course, we
will calculate the hotel, travel and printing and other costs and
compute an average and send the price (probably under $250) to everyone
who asks us to hold space for them.

Stephen Northcutt 
The SANS Institute

Ottawa - August 13 
Crowne Plaza 
New York City - August 20 
Sheraton New York 
Atlanta - August 22 
Sheraton Colony Square 
Raleigh - August 25 
Sheraton Imperial 
Boston - September 11 
Boston Park Plaza 
Chicago - September 13 
Westin Michigan Avenue 
Los Angeles - September 15 
Westin Hotel 
San Jose - September 17 
Sheraton San Jose 
Washington DC - September 22 
Renaissance Hotel

main page ATTRITION feedback