Security Basics mailing list archives

Re: IIS6 Security and other web servers


From: H Carvey <keydet89 () yahoo com>
Date: 26 Jan 2005 19:14:38 -0000

In-Reply-To: <969653E17315064BA3EFBBA57C8458DC0215A0CF () clbilarr01a iberdrola es>


What do you think?

It sounds as if this is the age-old quasi-religious "argument" about which operating system is more secure.  
Unfortunately, what few people fail to grasp is that in the hands of an incompetent individual, *any* platform is 
relatively insecure.

Of course, I know IIS was very dangerous before version 6.

What makes you say that?  Sure, the web server had a lot of unnecessary functionality turned on by default, but it was 
pretty trivial to turn it off.  A tool called "mdutil.exe" shipped with the CD, and could be used to create a batch 
file that effectively hardened IIS by making changes to the metabase.  In fact, Dave LeBlanc set up an IIS web server 
that was not vulnerable to Code Red a full year before Code Red came out...this was a trivial exercise, as all one had 
to do was disable the script mapping for .ida/.idq files.  

In a nutshell, it's nothing more than an implementation of the Principle of Least Privilege...if you don't need it, 
don't run it.  Reduce the attack surface by limiting the number of running services and applications that you have to 
manage.

maybe an IIS6 in a well-configured, patched and secured Windows 2003
machine is at last a good choice to house Web Applications?

Maybe?  It all depends on what your web app is.  There are a lot of web apps that ran very well on IIS 4.0.  It all 
depends on your requirements.  Too often, what happens is that somewhere along the line, someone institutes a 
requirement that doesn't make any sense, and they implement something in the design of the web app that makes it overly 
complex, violating the KISS principle.

The point is that it doesn't really matter what web server you use, as long as you pick the one that meets your needs.  
Any web server is going to require configuration control, as well as administration and management.  


H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
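As an added illustration of the "if you don't need it, don't run it" point above (example code written for this archive page, not from the post, from mdutil.exe or from any Microsoft tool): the IIS 4/5 metabase stores ISAPI script mappings as ScriptMaps entries of the form "ext,dllpath,flags[,verbs...]". The list below is a constructed approximation of the IIS 5 defaults (paths and entries are assumed, not a dump of a real server), and the request path is a constructed stand-in for the Code Red probe. Hardening is done as an allowlist of the extensions the application actually needs, rather than a deny list of known-bad ones, and a lookup function shows which DLL would have handled a request before and after.

```python
"""Attack-surface reduction for IIS 4/5 ScriptMaps (constructed example, not the post's own code)."""
import posixpath
from typing import Dict, List, Optional

# Constructed approximation of an IIS 5 default ScriptMaps list (format: ext,dllpath,flags[,verbs...]).
# Paths and flags are assumed defaults for illustration only.
DEFAULT_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".asa,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".ida,C:\WINNT\System32\idq.dll,1,GET,HEAD,POST",
    r".idq,C:\WINNT\System32\idq.dll,1,GET,HEAD,POST",
    r".htw,C:\WINNT\System32\webhits.dll,3",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    r".idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1,GET,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
    r".shtm,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST",
]

# Constructed stand-in for the kind of request Code Red sent (a long .ida query string).
CODE_RED_STYLE_REQUEST = "/default.ida?" + "N" * 40 + "%u9090%u6858"


def parse_scriptmap(entry: str) -> Dict[str, object]:
    """Split one metabase ScriptMaps entry into its extension, DLL, flags and allowed verbs."""
    ext, dll, flags, *verbs = entry.split(",")
    return {
        "ext": ext.strip().lower(),
        "dll": dll.strip(),
        "flags": int(flags),
        "verbs": [v.strip().upper() for v in verbs],
    }


def harden_scriptmaps(entries: List[str], needed_exts: List[str]) -> List[str]:
    """Keep only the mappings the application needs (allowlist).

    Anything not explicitly required is dropped, which is the least-privilege
    rule the post describes: unneeded ISAPI extensions such as .ida/.idq simply
    stop being mapped, so a request for them is no longer handed to their DLL.
    """
    needed = {e.lower() for e in needed_exts}
    return [e for e in entries if parse_scriptmap(e)["ext"] in needed]


def handler_for(entries: List[str], request_path: str, verb: str = "GET") -> Optional[str]:
    """Return the ISAPI DLL that would handle a request, or None if no mapping applies.

    The query string is stripped before the extension is read, as the server
    does; an empty verb list in the entry means every verb is accepted.
    """
    path = request_path.split("?", 1)[0]
    ext = posixpath.splitext(path)[1].lower()
    for e in entries:
        m = parse_scriptmap(e)
        if m["ext"] == ext and (not m["verbs"] or verb.upper() in m["verbs"]):
            return m["dll"]
    return None


def removed_extensions(before: List[str], after: List[str]) -> List[str]:
    """List the extensions a hardening pass took away, for a change-control record."""
    kept = {parse_scriptmap(e)["ext"] for e in after}
    return sorted(parse_scriptmap(e)["ext"] for e in before if parse_scriptmap(e)["ext"] not in kept)


if __name__ == "__main__":
    hardened = harden_scriptmaps(DEFAULT_SCRIPTMAPS, [".asp", ".asa"])
    print("before:", handler_for(DEFAULT_SCRIPTMAPS, CODE_RED_STYLE_REQUEST))
    print("after: ", handler_for(hardened, CODE_RED_STYLE_REQUEST))
    print("removed:", ", ".join(removed_extensions(DEFAULT_SCRIPTMAPS, hardened)))
```

The allowlist is the important design choice: a deny list of ".ida, .idq, ..." only covers the extensions you already know are dangerous, while an allowlist of what the application needs also drops whatever the next advisory names. Run with an application that needs only .asp and the .ida request falls through to static file handling instead of idq.dll.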

