Re: Administrivia #35466 - NetCraft IIS insecurity statistics

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 11/09/01


Message-ID:  <E9A01F52DC939448BBDE44ED2E1C468F23CCFF@muskie.rc.on.ca>
Date:         Fri, 9 Nov 2001 07:47:59 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Re: Administrivia #35466 - NetCraft IIS insecurity statistics
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I obviously triggered a nerve, probably more due to my wording than my lack
of a High School education...;-]

That said, consensus seems to be:

1. NetCraft didn't do any extrapolation, that was done by others reporting
on NetCraft's survey results.

2. The sample size ("several hundred") could be adequate for extrapolation,
it depends on whether or not the sample was RANDOMLY chosen from the greater
population.

3. The Web Server Security dataset clearly wasn't randomly chosen. It was
100% of the IIS boxes they did the security tests on (100% of the subset
they did security testing on that were IIS).

Ergo, extrapolation of the results should not be done, and isn't
statistically representative of the IIS servers on the 'net. Each person can
decide for themselves whether the boxes tested should or shouldn't have been
clean at the time they were being tested.

NetCraft should add a question to their process which asks the owner of the
box to rate the security of the box they're having tested prior to the
tests. If everyone requesting the test thinks their box is secure, the test
results mean one thing...if they all think their boxes are insecure already,
the results have a different meaning.

Cheers,
Russ - NTBugtraq Editor


