Securing IIS

Started by Grok, August 11, 2003, 07:18 AM


Grok

Thursday, Microsoft is giving a TechNet Webcast on Securing IIS.

* Securing Internet Information Services (IIS)
August 14, 2003, 9:30 A.M. - 11:00 A.M. Pacific time
<http://go.microsoft.com/?linkid=217417>

drake

It's going to say the following:

Uninstall the IIS Service.
Go to apache.org and click HTTP
Go to downloads, download it
Install it and use this instead

Note: Just a joke. I know there are some IIS fans out there, but we all know how insecure it is. They patch something like every week it seems.

Adron

Quote from: drake on August 11, 2003, 04:32 PM
It's going to say the following:

Uninstall the IIS Service.
Go to apache.org and click HTTP
Go to downloads, download it
Install it and use this instead

Note: Just a joke. I know there are some IIS fans out there, but we all know how insecure it is. They patch something like every week it seems.

Apache is supposed to be rather insecure on the Win32 platform?

Grok

Quote from: drake on August 11, 2003, 04:32 PM
It's going to say the following:

Uninstall the IIS Service.
Go to apache.org and click HTTP
Go to downloads, download it
Install it and use this instead

Note: Just a joke. I know there are some IIS fans out there, but we all know how insecure it is. They patch something like every week it seems.

I don't understand your logic.  If a company patches their software, it is not secure?

Does that mean if a company never patches their software, it is secure?

Also, would you by chance be exaggerating the patch rate for IIS?

I don't know that a well administered IIS is inherently insecure.  Maybe you have knowledge I could use.

Banana fanna fo fanna

Grok: I adminned IIS 2 summers ago. It sucked so badly, I can't even start talking about it.

Twisted Web has to be the easiest server to admin :)

Thing

No matter what software you run on your server, it's only as secure as the administrator(s) that keep it updated.
That sucking sound you hear is my bandwidth.

drake

Ya, I was exaggerating on the time. The point being they patch it a lot because of holes that they didn't see when they released the first version. It's actually a bad practice and a very Microsoft one (sometimes, definitely not in all cases) to release something and fix all the bugs later.

Although obviously sometimes programs that don't get patches are going to be insecure, it also could mean (and in most cases does) that there are no holes or bugs that are KNOWN to them or the majority of people who would exploit them.

I am actually not sure how secure Apache is on Windows, but I don't use it anyways. I hate running Apache or any web server on Windows cause in most cases (except with IIS from what I hear), you have to run PHP as a CGI process rather than an HTTP module, which is insecure in itself. I leave the web hosting up to Linux machines. If I was going to host off of a Windows machine, I would use IIS cause it was built for Windows, unlike Apache, and ultimately with as many holes that get patched, it would SEEM more secure, although I don't really know or care enough to.

Arta

I'm not a particularly big Microsoft advocate but anyway:

How do you know that Microsoft products have more bugs than others? You're making a judgement without all the information available. Is it not entirely possible that Microsoft's products have similar numbers of bugs to products by other companies, but that Microsoft are better at finding them and more conscientious about releasing patches?

I have more confidence in a company that releases patches regularly than in those that don't. As a programmer, I understand that bug-free software is in most cases a mathematical impossibility. Therefore I accept that bugs will always be a problem. Therefore I appreciate regular patches.

Despite IIS's shady history, Thing is quite right when he says that a server is only as secure - or insecure - as the administrator who runs it.

Banana fanna fo fanna

I'd use IIS if a client needed a Windows web solution. I'd stick it behind a firewall and I'd have Apache talk to it through mod_rewrite.

Kp

I concur that having the exploits patched is a good thing.  Either through relative levels of security or through different amounts of publication, I hear about far more IIS problems than I do problems with competing Web servers.  The implication is that either IIS does require more patches to work right or it is under significantly greater scrutiny for security vulnerabilities.

Regardless of which is the case, it seems that running another system is safer because either it really is safer or the majority of attackers are focused on IIS and therefore you're more likely to be left alone.  All that said, it behooves a systems administrator to keep up to date on patches to all publicly accessible services, regardless of how secure the services supposedly are.  Given the number of patches that IIS seems to require to remain secure (again, based on what I have seen, which as Arta points out may be incomplete evidence), it would appear to be more work to maintain a secure IIS because you must spend more time fetching+testing+installing patches for it than for something which has exploits published/patched rarely.

IMO, one of the problems with many Microsoft programs/services (they supposedly wised up about this in Win2k3EE though) is that they come with too many things turned *on* or running at unnecessarily high privilege levels.  So unless the admin sits down and disables everything he doesn't need, he has lots of potentially exploitable services enabled.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

drake

I love how you guys drop my kudos cause you disagree with my opinion. I am not officially retiring from this site cause obviously I am not entitled to a different opinion than the ones that the members here have without being punished for it.

Arta

Punished? This is discussion, not punishment. Don't be such a prat.

Kp: I agree that IIS requires more work to keep secure, and that more people seem to enjoy attacking it than other web servers, but more people also seem to audit it, so perhaps they cancel each other out? Who knows.

Certainly Win2k3 is *vastly* better than previous versions of Windows from a security standpoint - at least, based on my experience thus far. I haven't yet done any in-depth testing, but it seems like a great improvement. I'm running IIS6 at the moment to see if its improvements over IIS5 make it worth using. So far, it seems ok; I'll be interested to see what comes up on the lists over the next few months :)

Adron

Quote from: Arta[vL] on August 13, 2003, 02:55 AM
Certainly Win2k3 is *vastly* better than previous versions of Windows from a security standpoint - at least, based on my experience thus far. I haven't yet done any in-depth testing, but it seems like a great improvement. I'm running IIS6 at the moment to see if its improvements over IIS5 make it worth using. So far, it seems ok; I'll be interested to see what comes up on the lists over the next few months :)

Doesn't IIS6 have a kernel mode web server? That would make it rather hard for it to drop any privileges, and anyone that exploits it would get very very much access to the system?

Banana fanna fo fanna

Wow, if that's true, that's BAD.

Yoni

Quote
Directory of C:\WINDOWS\system32\drivers

2003-04-03  14:00           334,336 http.sys

Yes, there it is