Re: Ideas for a "IIS 5.2"

From: Kevin Williams (kwilliams@sark.com)
Date: 09/26/01 

Message-ID: <000701c14699$d7dc3c80$09076b83@admin1>
From: "Kevin Williams" <kwilliams@sark.com>
To: <jpuckett@ticom.com>, <focus-ms@securityfocus.com>
Subject: Re: Ideas for a "IIS 5.2"
Date: Wed, 26 Sep 2001 08:45:10 -0600

I specifically and intentionally wrote "enterprise software". Microsoft
_should_ continue to make their user software with all the foo-foo crap they
can think up. That's what users want. There's just no reason for MP3
players, "smart tags", IM clients, video conferencing, or elaborate GUIs
with "themes" on a server. I was referring to business systems; IIS for
example. (See original post in thread.) I believe they will lose market
share in the enterprise market space unless they start making their
enterprise focused software more reliable, secure, and easy to administer.
After all, aren't they pushing "Zero Administration" in their enterprise
market? That doesn't seem to be working. It's more like "24-7
Administration".

Perhaps, beginning with XP, they will move in the right direction (not
including the whole 'raw sockets' issue). Here's Steve Lipner talking about
how they are addressing security concerns.
http://www.pcworld.com/news/article/0,aid,63323,00.asp. I hope for
everyone's sake that "Prefix" does it's job well.

----- Original Message -----
From: "James Puckett" <jpuckett@ticom.com>
To: "Williams, Kevin" <KWilliams@sark.com>; <focus-ms@securityfocus.com>
Sent: Wednesday, September 26, 2001 11:19 AM
Subject: Re: Ideas for a "IIS 5.2"

That would not work out too well for M$. Remember, Microsoft did not use
quality to win their share of the server market, they used a GUI. As soon as
they make things less user friendly, businesses will run right back to UNIX.

On Tuesday 25 September 2001 11:02, Kevin Williams wrote:
> I agree completely. How about it, Microsoft? Stop making enterprise
> software "user friendly" and start making it reliable and secure and
"admin
> friendly".
>
> ----- Original Message -----
> From: "Andrew van der Stock" <ajv@e-secure.com.au>
> To: <focus-ms@securityfocus.com>
> Sent: Monday, September 24, 2001 10:57 PM
> Subject: Ideas for a "IIS 5.2"
>
>
>
> Hi there,
>
> After nearly finishing a six week security review of a major new system
> that uses IIS, I must say that when I saw the Gartner FirstTake by John
> Pescatore recommending Gartner clients to look at alternatives for IIS,
> I wasn't surprised.
>
> http://www3.gartner.com/DisplayDocument?doc_cd=101034
>
> The above "cure" is alarmist and overstates the extent of the problem,
> but the symptoms are supportable by ample evidence in any webserver's
> logs. Rewriting IIS will not help - it will just create a different set
> of bugs, particularly during early shakedown. But a safer version of IIS
> and relevant components is necessary, in my opinion.
>
> I think that it's important that Microsoft try to regain the trust we
> once had in IIS, something to make it safer to recommend (and by
> association, defend) the use of IIS again. I think the easiest way is a
> dot release of IIS, one that is out of the box as secure as it can be,
> and easy to keep that way.
>
> The root causes of all IIS attacks is simple:
>
> * Most sites are unaware they run IIS and other vulnerable components
> because they do not check or remove any default components or take any
> effort to secure the host
> * Most sites never patch as they didn't realise it was necessary
> * Many sites refuse to patch because they don't trust the patches
> * Human nature can be described as "least effort"; why do something when
> it's still working?
>
> The first can be reduced by not installing IIS and associated components
> by default. The second can only be addressed by administrator training,
> emphasizing the need for regular patching, or a button that schedules
> regular automatic maintenance if they so choose. The third can only be
> helped if SPs and hotfixes become safer to apply, and possibly user
> education about the safety of the patching process. The last one can't
> be fixed - all vendors must work with human nature, not rely on active
> intervention.
>
> Basically here's my wishlist for an "IIS 5.2", one that should be a
> simple one click install or upgrade:
>
> * No associations with any ISAPI or other DLLs without explicitly
> enabling them
> * Index server is dangerous until proven otherwise - it shouldn't be
> installed by default
> * No authoring (WebDAV, FP ext) without explicitly enabling it
> * No sample content... at all. This should be part of a separate "SDK"
> install
> * No hook into any ADO or other components, including COM/COM+/DCOM and
> .Net without enabling it
>
> I would like it if Microsoft would show real commitment to their "shared
> source" initiative. Source for at least the front end should be
> available for IIS, Index Server and FP/WebDAV, and the front end bits of
> MSADC, asp.dll, aspnet_isapi.dll, webhits.dll, and other common
> components. This is where the all the data exchange is done, and it's
> where the large number of vulnerabilities (such as Unicode re-writing)
> are caused. The huge number of eyeballs may help reduce bugs (cf.
> Borland's database backdoor not discovered for nearly five years,
> despite source being available).
>
> And finally, an automated upgrade / config tool that helps you step
> through the IIS checklist, applying hisecweb.inf and doing all the other
> little things that currently take about one - three hours to do by hand.
> The current tool is a good first start, but it's just that - a first
> start.
>
> And finally, it would be really nice if Windows Update offered all
> fixes, including those for IIS and all BackOffice components, such as
> SQL and Exchange. Using hfnetcheck after doing a Windows Update was
> initially an interesting experience. It shouldn't be.
>
> My personal $0.02,
>
> Andrew van der Stock, MCSE
> ajv@greebo.net

Quantcast