*Q: If the main target is Internet facing systems with IIS & ASP.NET installed, should I concentrate on patching my webservers first before patching client systems?**
A:* Prioritization for this update would be specific to users’ environments, but servers that are internet-facing and accept input from unauthenticated or untrusted user-provided content are most affected and should be prioritized. Likewise, clients are typically not in a web server role, and so systems that are running a web server role should be prioritized.”
Q: These updates run on Windows clients whether or not IIS or ASP is installed. Are the updates not effective in this case?
A: By default, IIS is not installed with .NET and by default, .NET is not installed by ASP.NET. Customers would first need to installed .NET framework with ASP.NET in order to be vulnerable to the vulnerabilities documented in MS11-100.
On workstations, where .net versions from 1 to 4 are installed, you are not at risk.
On SBS servers, I just dont’ see that an attacker would target a small business server.
If you have a public web site (like ecomerce site), those would be of greatest risk.