RE: IIS6 Security and other web servers

["Joe Polk" <listuser () javelinux com>]

The reason Apache has more security alerts is the same reason Windows has more
security alerts than Linux. Apache has 60-68% of the webserver market. They
are ubiquitous, to an extent, as Windows is on the desktop. There are not as
many 'Net-facing servers running IIS6 or even previous editions. Yes, there
are some, but if you're writing exploits you generally go for what's there. 

--
<<JAV>>


---------- Original Message -----------
From: <adisegna () siscocorp com>
To: <security-basics () securityfocus com>
Sent: Wed, 26 Jan 2005 13:36:31 -0500
Subject: RE: IIS6 Security and other web servers

> David,
>
> This question also comes to mind. Which system/software are you familiar
> with? Will you have to learn Apache or IIS? I've had a locked down IIS
> 6.0 server online using WEBDAV and SSL for over a year now without 
> issue.. Knock, Knock. Think about the Total Cost of Ownership as well...
>
> AD
>
> Proactive not reactive is the name of the game.
>
> -----Original Message-----
> From: Rivera Alonso, David [mailto:drivera () iberdrola es] 
> Sent: Tuesday, January 25, 2005 9:52 AM
> To: security-basics () securityfocus com
> Subject: IIS6 Security and other web servers
>
> Dear friends,
>
> I just want to throw a little question to know your opinion.
> I was discussing yesterday with a friend about the quality of IIS6 from
> a
> Security point of view.
> He immediately said it's a bad choice, as previous Microsoft web
> servers.
> I've read a few papers and I have this opinion: as it's been redesigned
> from
> the ground (with all the previous failures in mind), with the 
> security perspective, with every little service and option disabled 
> by default, and so on, I told him that now, in my opinion, IIS6 is a 
> good choice. He loves GNU, Linux, and, logically, he thinks Apache 
> is the king in security. Just because I felt curious, I went into 
> www.securityfocus.com to check the latest vulnerability advisories,
>  for Apache and IIS6. Incredible, Apache wins, it has many more (not 
> to talk about the many releases since version
> 2.0)! In fact, I just found one alert about IIS6.
>
> What do you experts think?
> Of course, I know IIS was very dangerous before version 6.
> But, maybe an IIS6 in a well configured, patched and securized 
> Windows 2003 machine is al last a good choice to house Web Applications?
> Or maybe it's too soon, there are few installed, and maybe in the future
> it'll have as many holes as the predecessors?
>
> What do you think?
>
> best regards from Spain,
>
> DAVID
>
> =============================
> Este mensaje se dirige exclusivamente a su destinatario.
> Puede contener informacion confidencial sometida a secreto 
> profesional o cuya divulgacion este prohibida, en virtud de la 
> legislacion vigente. No esta permitida su divulgacion, copia o 
> distribucion a terceros sin la autorizacion previa y por escrito de Iberdrola.
> Si ha recibido este mensaje por error, le rogamos nos lo comunique
> inmediatamente
> por esta misma via y proceda a su destruccion.
>
> This e-mail is intended exclusively for the individual or entity to
> which it is addressed
> and may contain confidential or legally privileged information, which
> may not be disclosed
> under current legislation. Any form of disclosure, copying or
> distribution of this e-mail
> is strictly prohibited, save with written authorisation from Iberdrola.
> If you have received this message in error, please notify the sender
> immediately by e-mail
> and delete all copies of the message.
> =============================
------- End of Original Message -------