Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: IIS6 Security and other web servers

From: "Andrew Aris" <andrew () dev bigfishinternet co uk>
Date: Fri, 28 Jan 2005 10:36:24 -0000

Greetings All,

I'd like to ask for some clarification here.  I know that 
Ebay, Anandtech, et al. run on a purely Windows architecture 
(for the ease of programming in .Net from what the folks at 
Anandtech are saying) for their web-services and that works 
well for them.

However, I know of no Windows architecture that is exposed 
directly to the Internet.  Every vendor/consultant/Admin I 
have ever met is saying that in order for Windows to be 
secure it must be protected by layers of protection (hardened 
router, hardware firewall, etc).

On the other hand, I know of a number of LAMP-type servers 
that are exposed directly to the Internet with no intervening layers.

Am I to take the statement that "IIS6 is a very secure 
platform" to mean that IIS6 is only secure after it has been 
hardened from its insecure default installation and protected 
by layered security that prevents direct access to the Internet".

I may well be wrong here, so please feel free to correct me 
if I'm out on a limb.

Thank you,

RandyW



The default install of IIS6 is actually quite secure once patched to the
most recent level - IMHO I would say it is more secure than a default
install of Apache (also patched). With IIS6 its not so much that you need to
do a lot of work hardening it, more that you have to be careful when turning
functionality on not to create any unnessecary exposure. I would say
exposing a LAMP (Linux-Apache-MySQL-PHP)machine to the internet directly
would be a foolhardy thing to do unless the machine was extremely hardened,
layers of protection are always good no matter what platform you have.

cheers,

Andrew
Previous By Date Next
Previous By Thread Next

Current thread: