RE: WebServer?
From: Snow, Corey (CSNOW@ddpwa.com)
Date: 02/13/02
- Previous message: Michael.Devlin@figleaves.com: "RE: WebServer?"
- Maybe in reply to: CHM Security: "WebServer?"
- Next in thread: Stephan Chenette: "RE: WebServer?"
From: "Snow, Corey" <CSNOW@ddpwa.com>
To: "'CHM Security'" <chmsecurity@hotmail.com>, focus-ms@securityfocus.com
Date: Wed, 13 Feb 2002 11:26:59 -0800
Now you've done it. :)
Actually, my experience suggests that neither one is more inherently secure
than the other- Gartner Group advisories aside. The fact is, any server
needs to be configured properly and hardened before being placed into
production. The operating system, server process, and the environment all
need to be evaluated. This is something that many (most?) operators of web
sites and/or systems don't seem to understand, or even if they claim to,
assume that it's someone else's problem.
Out of the box, Apache is probably a bit more secure than IIS. A lot depends
on the operating system configuration as well. And as another poster
mentioned, IIS is more tightly integrated with the operating system.
However, no web server should ever be run on the Internet OOTB- to do so is
criminally stupid, and that applies no matter what operating system or
server software you use.
However, both platforms can be made "reasonably secure". That term means
that with the proper assessment of risks, the proper application of
resources to manage those risks, and the proper implementation of your
server environment, you can be reasonably certain that your environment is
secure from the attacks it is likely to undergo, regardless of which
platform you choose- a small company with a web site that only hosts a few
informational pages is probably not needing to manage the same amount of
risk as a large e-commerce portal wanting to handle huge volumes of credit
card transactions- the cost to secure the second one will obviously be much
higher because the risks are so much greater.
Regards,
Corey Snow
-----Original Message-----
From: CHM Security [mailto:chmsecurity@hotmail.com]
Sent: Tuesday, February 12, 2002 6:59 PM
To: focus-ms@securityfocus.com
Subject: WebServer?
Apache vs IIS 5 on Win2k server. Is there any documentation on actual
compromises of the systems to base which one is actually more secure? I'm
sure out of the box Apache blows it away, but if configured properly is it
still that much better than an IIS 5 box?