>No IIS servers I installed got hit by code red because - gasp - the default install was not done. If the exploitable software isn't installed, guess what happens? Your server doesn't get compromised! What a revelation.
On IIS 4.0 (NT Option Pack 4), I believe this was probably true. However, on IIS 5 (Win2K Server), indexing service gets installed by default.
However, Microsoft also makes the indexing service sound necessary when you read the description for it on the install. A lot of people would install it, regardless of whether they need it or not. Most of the Microsoft server farms I've seen are using it, around town.
I think that in order to become an MCSE, people should be forced to take a short course in security. Security is by and large part of the course content in learning UNIX, but for some reason it doesn't seem to be stressed for Windows administration.
Windows administration culture also needs to change, not just the installation semantics.