RE: Ideas for a "IIS 5.2"

From: William Morse (william.morse@prudential.com)
Date: 09/25/01


From: "William Morse" <william.morse@prudential.com>
To: focus-ms@securityfocus.com
Message-ID: <85256AD2.005FF048.00@paerscngw01.prudential.com>
Date: Tue, 25 Sep 2001 13:27:07 -0400
Subject: RE: Ideas for a "IIS 5.2"


Can I get a hallelujah?

Let me add a few more point releases to your wish list...

IIS 5.1.5: All of the features now configurable in the new URLScan ISAPI
filter are built right into IIS, are selectable through the MMC, and are
relatively tight by default.

IIS 5.3: IIS runs under the CLR. Managed code is immune to buffer
overflows and AVs? Sounds like some features I'd like in a web server. Can you
think of a better way to show faith in your shiny new .NET platform?

PS: Has anyone heard about Microsoft releasing the source code for URLScan?
(Stop laughing at me!)

Thanks,
Bill

----- Forwarded by William Morse/PSC/Pru on 09/25/2001 01:12 PM -----

From: "Andrew van der Stock" <ajv@e-secure.com.au>
Date: Tuesday September 25, 2001 12:57 AM
To: <focus-ms@securityfocus.com>
cc:
Subject: Ideas for a "IIS 5.2"

Hi there,

After nearly finishing a six week security review of a major new system
that uses IIS, I must say that when I saw the Gartner FirstTake by John
Pescatore recommending Gartner clients to look at alternatives for IIS,
I wasn't surprised.

http://www3.gartner.com/DisplayDocument?doc_cd=101034

The above "cure" is alarmist and overstates the extent of the problem,
but the symptoms are supportable by ample evidence in any webserver's
logs. Rewriting IIS will not help - it will just create a different set
of bugs, particularly during early shakedown. But a safer version of IIS
and relevant components is necessary, in my opinion.

I think that it's important that Microsoft try to regain the trust we
once had in IIS, something to make it safer to recommend (and by
association, defend) the use of IIS again. I think the easiest way is a
dot release of IIS, one that is out of the box as secure as it can be,
and easy to keep that way.

The root causes of all IIS attacks are simple:

* Most sites are unaware they run IIS and other vulnerable components
because they do not check or remove any default components or take any
effort to secure the host
* Most sites never patch as they didn't realise it was necessary
* Many sites refuse to patch because they don't trust the patches
* Human nature can be described as "least effort"; why do something when
it's still working?

The first can be reduced by not installing IIS and associated components
by default. The second can only be addressed by administrator training,
emphasizing the need for regular patching, or a button that schedules
regular automatic maintenance if they so choose. The third can only be
helped if SPs and hotfixes become safer to apply, and possibly user
education about the safety of the patching process. The last one can't
be fixed - all vendors must work with human nature, not rely on active
intervention.

Basically here's my wishlist for an "IIS 5.2", one that should be a
simple one click install or upgrade:

* No associations with any ISAPI or other DLLs without explicitly
enabling them
* Index server is dangerous until proven otherwise - it shouldn't be
installed by default
* No authoring (WebDAV, FP ext) without explicitly enabling it
* No sample content... at all. This should be part of a separate "SDK"
install
* No hook into any ADO or other components, including COM/COM+/DCOM and
.Net without enabling it

I would like it if Microsoft would show real commitment to their "shared
source" initiative. Source for at least the front end should be
available for IIS, Index Server and FP/WebDAV, and the front end bits of
MSADC, asp.dll, aspnet_isapi.dll, webhits.dll, and other common
components. This is where all the data exchange is done, and it's
where the large number of vulnerabilities (such as Unicode re-writing)
are caused. The huge number of eyeballs may help reduce bugs (cf.
Borland's database backdoor not discovered for nearly five years,
despite source being available).

And finally, an automated upgrade / config tool that helps you step
through the IIS checklist, applying hisecweb.inf and doing all the other
little things that currently take about one - three hours to do by hand.
The current tool is a good first start, but it's just that - a first
start.

And finally, it would be really nice if Windows Update offered all
fixes, including those for IIS and all BackOffice components, such as
SQL and Exchange. Using HFNetChk after doing a Windows Update was
initially an interesting experience. It shouldn't be.

My personal $0.02,

Andrew van der Stock, MCSE
ajv@greebo.net
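Two threads run through both messages: Bill wants the URLScan-style allow/deny policy (allowed verbs, denied extensions, denied URL sequences) built into the server, and Andrew notes that the symptoms are already visible in any webserver's logs. The following Python is an added example, written for this page and not taken from either message, from Microsoft, or from URLScan itself. It models that policy as a small request filter and runs it retrospectively over a few constructed IIS W3C extended log lines, so an administrator can see which past requests such a policy would have refused. The rule values (`ALLOW_VERBS`, `DENY_EXTENSIONS`, `DENY_URL_SEQUENCES`) and the log lines are my own constructions, not a copy of any shipped urlscan.ini or real log; the double-decoding check stands in for URLScan's normalization verification.

```python
"""URLScan-style request policy, audited against IIS W3C extended log lines.

Added example: the policy values and log content below are constructed for
illustration and do not come from a shipped urlscan.ini or a real server.
"""
from urllib.parse import unquote

# Constructed policy in the spirit of URLScan's allow/deny lists (assumption:
# these are reasonable choices for a static/ASP site, not Microsoft's defaults).
ALLOW_VERBS = {"GET", "HEAD", "POST"}
DENY_EXTENSIONS = {".exe", ".bat", ".cmd", ".htw", ".ida", ".idq", ".htr", ".printer"}
DENY_URL_SEQUENCES = ("..", "./", "\\", ":", "%", "&")


def normalize(stem):
    """Percent-decode once; return None if the result would decode again.

    A path that still contains decodable %XX sequences after one pass was
    double-encoded, which is exactly what a filter must refuse rather than
    guess at.
    """
    once = unquote(stem)
    if unquote(once) != once:
        return None
    return once


def check_request(method, stem):
    """Return the reason a request would be rejected, or None if it passes."""
    if method.upper() not in ALLOW_VERBS:
        return "verb not allowed: %s" % method
    norm = normalize(stem)
    if norm is None:
        return "double-encoded URL"
    low = norm.lower()
    # Sequence checks run on the decoded path, so "%2e%2e" and ".." are treated alike.
    for seq in DENY_URL_SEQUENCES:
        if seq in low:
            return "denied sequence %r" % seq
    last = low.rsplit("/", 1)[-1]
    if "." in last:
        ext = "." + last.rsplit(".", 1)[-1]
        if ext in DENY_EXTENSIONS:
            return "denied extension %s" % ext
    return None


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive: %r" % line)
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        yield dict(zip(fields, values))


def audit_log(lines):
    """Return [(cs-uri-stem, reason)] for each request the policy would reject."""
    rejected = []
    for rec in parse_w3c(lines):
        reason = check_request(rec["cs-method"], rec["cs-uri-stem"])
        if reason:
            rejected.append((rec["cs-uri-stem"], reason))
    return rejected


# Constructed log excerpt in IIS 5.0 W3C extended format (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-25 13:27:07 10.0.0.5 GET /default.htm - 200
2001-09-25 13:27:09 10.0.0.5 POST /app/login.asp - 302
2001-09-25 13:27:11 10.0.0.6 OPTIONS / - 200
2001-09-25 13:27:12 10.0.0.6 GET /samples/..%2f..%2fprivate/notes.txt - 404
2001-09-25 13:27:14 10.0.0.6 GET /search/query.htw - 200
2001-09-25 13:27:15 10.0.0.6 GET /app/%252e%252e/config.txt - 404
2001-09-25 13:27:16 10.0.0.5 HEAD /images/logo.gif - 200
""".splitlines()


if __name__ == "__main__":
    for stem, reason in audit_log(SAMPLE_LOG):
        print("%-45s %s" % (stem, reason))
```

Run against the constructed excerpt, four of the seven requests are flagged (the OPTIONS probe, the traversal attempt, the Index Server `.htw` hit, and the double-encoded path). The order of checks matters: verbs are refused before any decoding happens, and double-encoding is refused before the sequence list is consulted, so the filter never has to reason about what a second decode "would have meant".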