Administrivia #35466 - NetCraft IIS insecurity statistics
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 11/08/01
- Previous message: Russ: "Re: Problems with MS01-052 - Microsoft responds"
- Next in thread: Eduardo Subelman: "Re: Administrivia #35466 - NetCraft IIS insecurity statistics"
- Reply: Eduardo Subelman: "Re: Administrivia #35466 - NetCraft IIS insecurity statistics"
- Reply: Russ: "Re: Administrivia #35466 - NetCraft IIS insecurity statistics"
Message-ID: <E9A01F52DC939448BBDE44ED2E1C468F23CCB7@muskie.rc.on.ca>
Date: Thu, 8 Nov 2001 09:40:17 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
Subject: Administrivia #35466 - NetCraft IIS insecurity statistics
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Numerous recent articles have used information provided by NetCraft, who
survey on-line web sites, to decry the state of affairs with on-line
Microsoft IIS site security. Of biggest note was NetCraft's claim that
11.11% of IIS SSL sites had ROOT.EXE installed on them, leaving them wide
open to takeover.
Looking at the available data at http://www.netcraft.com/survey, one would
believe that NetCraft is stating that 11.11% of 9.6 million IIS sites have
root.exe on them (amongst many other problems).
Statistics, and stories, like these are what drive people away from IIS.
NetCraft states they are leaving IIS and going to Apache, despite their own
statistics indicating that IIS has risen and Apache fallen in overall market
share.
This note is intended to point you to my free Webinars on Friday, titled
"Top 10 ways to reduce 80% of your risk" with IIS servers, and clear away
some of the cruft from the alleged statistics from NetCraft.
We questioned NetCraft on their statistics and got some additional
information.
1. NetCraft's Web Server Survey statistics, 33+ million web servers on the
net, 9.6+ million running IIS, etc., had nothing to do with their Web
Server Security statistics. Basic statistics are gathered without the user's
consent (e.g. a simple probe for a banner); Web Server Security statistics
are only gathered when the user specifically requests them during the
purchase of an SSL certificate.
2. NetCraft performs "several hundred" Web Server Security evaluations per
month, and this, and only this, makes up the dataset for their Web Server
Security statistics. "Several hundred" out of 9.6+ million is hardly
statistically significant, especially since there's no attempt to ensure
that the subset is representative of the main dataset.
3. Of the "several hundred" Web Server Security evaluations that NetCraft
does monthly, and uses for their Web Server Security statistics, "In
general, around 60% of all the sites we test are running IIS". So, of the
~200-300 sites tested per month, only ~120-180 of them are running IIS.
Ergo, only ~120-180 tests are used to extrapolate statistics over a group of
9.6+ million sites.
4. NetCraft state that, over the past 12 months, the ratio of IIS 4.0 to IIS
5.0 has been 2:1, although they say that IIS 5.0 is gaining. It's significant
that still today, more IIS 4.0 boxes are going on-line with an SSL
certificate than IIS 5.0 boxes. Microsoft would have us believe we don't
need a re-release of the NT 4.0 Option Kit (the only source for IIS 4.0) to
correct the huge problems it creates in new installs of IIS 4.0... it would
seem their customers disagree.
NetCraft is normally pointed to frequently as a reliable source of
statistical data. Unfortunately, now that they are in the Security Testing
business, they've seen fit to use a ridiculously small test set to hype the
insecurity of IIS.
I won't argue that there are many IIS servers out there which are not
secure; that's obvious. But NetCraft shouldn't be abusing its reputation
with such shoddy statistical analysis without being up-front about it on
their survey web page.
For those interested, as part of the TruSecure Webinar series, I will be
delivering 3 free webinars this Friday. These are held on-line, and this one
is titled "Secure Your Microsoft IIS Servers: Top Ten Ways To Reduce 80% of
Your Risk". It's a repeat of one I delivered April 18th, before PoisonBox,
before Code Red, and before Nimda. Anyone who took the hour or so to do what
I said back then was immune to everything that happened this year against
IIS boxes. In an hour I will remind you (or show you) the 10 steps needed to
secure your server against all known attacks (and most, if not all, future
attacks).
To register, see:
http://www3.icsa.net/webinar/chweb.shtml?LOC=L3
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
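To put the sample sizes in point 3 into numbers, here is an added Python example (not part of Russ's post and not NetCraft's own method) that computes a Wilson 95% interval for the 11.11% figure at the ~120 and ~180 IIS tests per month the post quotes. It assumes the 11.11% is a plain proportion of the IIS sites tested in a month; the interval only captures sampling noise and says nothing about the self-selection the post describes, which no interval can fix.

```python
import math

# Figures taken from the post: the reported rate, the estimated number of IIS
# sites tested per month, and the IIS population the rate was applied to.
IIS_RATE = 0.1111
MONTHLY_IIS_TESTS = (120, 180)
IIS_POPULATION = 9_600_000


def wilson_interval(p: float, n: int, z: float = 1.96) -> tuple[float, float]:
    """Wilson score interval for a binomial proportion p observed on n trials.

    z=1.96 gives a 95% interval. Wilson is used instead of the textbook
    p +/- z*sqrt(p(1-p)/n) because it behaves sensibly for small n and small p.
    """
    if n <= 0:
        raise ValueError("n must be positive")
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a proportion")
    z2 = z * z
    denom = 1.0 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1.0 - p) / n + z2 / (4 * n * n)) / denom
    return centre - half, centre + half


def interval_for_reported_rate(rate: float, n: int) -> dict:
    """Summarise how much a rate measured on n sites could move by chance."""
    lo, hi = wilson_interval(rate, n)
    return {"n": n, "rate": rate, "low": lo, "high": hi, "width": hi - lo}


def sampling_fraction(n: int, population: int = IIS_POPULATION) -> float:
    """Share of the population actually tested (tests per site, not per cent)."""
    return n / population


def page_figures() -> list[dict]:
    """Intervals for the post's 11.11% at each of its monthly sample sizes."""
    return [interval_for_reported_rate(IIS_RATE, n) for n in MONTHLY_IIS_TESTS]


if __name__ == "__main__":
    for row in page_figures():
        print(f"n={row['n']:3d}: {row['rate']:.2%} could plausibly be anywhere "
              f"in {row['low']:.1%} .. {row['high']:.1%} "
              f"(tested {sampling_fraction(row['n']):.6%} of IIS sites)")
```

At 120 tests the interval runs from roughly 7% to 18%, and at 180 from roughly 7% to 17%, so the headline 11.11% is reported to two decimals on a measurement that is uncertain by several whole points even before the biased sample is considered.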