RE: NT/2000 vs Unix based Web Servers

From: Trevor Cushen (Trevor.Cushen@sysnet.ie)
Date: 07/12/02


Date: Fri, 12 Jul 2002 15:11:28 +0100
From: "Trevor Cushen" <Trevor.Cushen@sysnet.ie>
To: "Steve Bremer" <steveb@nebcoinc.com>


Yes the default WWW Service runs as System on Windows and yes you can
(and should) change that. It is quite unbelievable just how much you
have to do to really harden IIS but it can be done.

It is interesting that you point out one of the exploits available for
OpenSSH which highlights the fact that other systems have security
exploits also. But again I will agree that IIS more than takes its
share. But they can all be removed and it can be a very secure web
server.

Icecast is a freeware media streamer, but it is for audio, not movies.

On the flame point, you may have noticed some irate responses to my
first entry. But hey, I have myself to blame for responding so quickly and
not reading through before hitting the send button.

Something worth adding, and you may have noticed this on this list: I
sent a web URL which showed some stealth scanners available on the web.
Two points here. First, these scanners have a database of exploits for checking
against web sites. IIS is certainly not alone in this database; there is a lot
of CGI stuff in there. The second, more important point is that it is a
good idea to keep your scanner version or database up to date and scan
your web site yourself regularly to see if there are indeed issues on
it. Checking your logs will show you attempts at unusual requests which
you can then filter out before they become an issue.

Stealth Scanner is one. Sara, Nessus, Whisper are other bigger scanners
for networks but also cover web servers. But Stealth Scanner is web
server only.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499
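
As an added illustration of the log-checking advice above (example code written for this page, not something from the thread or from Sysnet), the script below reads IIS W3C extended format log text, takes the column names from the `#Fields:` header, and flags three things a reviewer would want to see first: path-traversal or escape tricks in the URI, overlong request lines, and clients producing a burst of 404s, which is what a scanner walking an exploit database against the site looks like. The log lines, addresses and thresholds are constructed for the example.

```python
"""Added example: flag unusual requests in IIS W3C extended log text.

Everything below (sample log, thresholds, field layout) is constructed for
this illustration; it is not code or data from the mailing-list thread.
"""
import re
from collections import Counter

# Constructed sample log in IIS W3C extended format. The addresses come from
# the documentation ranges and the requests are invented.
LONG_QUERY = "A" * 300
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-07-12 14:10:01 192.0.2.10 GET /index.htm - 200",
    "2002-07-12 14:10:02 192.0.2.10 GET /images/logo.gif - 200",
    "2002-07-12 14:10:05 198.51.100.7 GET /scripts/..%5c..%5cconfig/web.ini - 404",
    "2002-07-12 14:10:06 198.51.100.7 GET /cgi-bin/phf - 404",
    "2002-07-12 14:10:06 198.51.100.7 GET /cgi-bin/test-cgi - 404",
    "2002-07-12 14:10:07 198.51.100.7 GET /probe.dll " + LONG_QUERY + " 400",
    "2002-07-12 14:11:00 192.0.2.11 GET /news.asp id=42 200",
]) + "\n"

# "../" in plain, backslash, URL-encoded and double-encoded forms.
TRAVERSAL = re.compile(r"\.\.(?:/|\\|%2f|%5c|%25)", re.IGNORECASE)
MAX_URI_LEN = 255   # assumed threshold; longer requests are worth a look
BURST_404 = 3       # assumed threshold; this many 404s from one client


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                       # other directives (#Software, #Date)
        if fields is None:
            raise ValueError("log has no #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # malformed line; skipped here
        yield dict(zip(fields, parts))


def analyze(log_text):
    """Return suspicious requests and clients that hit the 404 burst threshold."""
    findings = []
    not_found = Counter()
    for rec in parse_w3c(log_text):
        uri = rec["cs-uri-stem"]
        if rec["cs-uri-query"] != "-":     # IIS writes "-" for an empty query
            uri += "?" + rec["cs-uri-query"]
        ip = rec["c-ip"]
        if TRAVERSAL.search(uri):
            findings.append({"reason": "traversal", "ip": ip, "uri": uri})
        if len(uri) > MAX_URI_LEN:
            findings.append({"reason": "overlong", "ip": ip,
                             "uri": uri[:40] + "..."})
        if rec["sc-status"] == "404":
            not_found[ip] += 1
    noisy = {ip: n for ip, n in not_found.items() if n >= BURST_404}
    return {"suspicious_requests": findings, "noisy_clients": noisy}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["suspicious_requests"]:
        print(f"{f['reason']:10} {f['ip']:15} {f['uri']}")
    for ip, n in report["noisy_clients"].items():
        print(f"404 burst   {ip:15} {n} not-found responses")
```

Run against the constructed sample it reports one traversal attempt, one overlong request and one client with three 404s; the same functions work on a real IIS log file by passing its contents to `analyze`, and the flagged URIs are the ones to filter at the server or firewall before they become an issue.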

-----Original Message-----
From: Steve Bremer [mailto:steveb@nebcoinc.com]
Sent: 12 July 2002 14:14
To: Trevor Cushen
Cc: security-basics@securityfocus.com
Subject: RE: NT/2000 vs Unix based Web Servers

> My apologies, I had replied quite quickly while running through the
> office. And re-reading the email and your comments I see your point
> on many issues, in that I didn't back up anything really, did I.

No problem, I'm sure we all have been guilty of the same thing from
time to time.

> The problem with IIS is
> that it is up and running almost out of the box and few web admins
> spend the extra time to go through the full hardening process which
> basically strips the machine down to being a web server and nothing
> else.

I agree with you there. I don't use IIS personally, but relying on a
default install for anything is not a good idea in my opinion.

> Buffer Overflows
> can cause little or no damage if the underlining OS is secured also
> along with the IIS itself.

Possibly. Correct me if I'm wrong, but doesn't IIS run with the
equivalent of "root" privileges ("system" I believe??) in the *nix
world? So, if an exploitable buffer overflow is found, your entire
system is at risk of compromise? Or, is that configurable as well? If
so, is it still usable?

For example, take the recent OpenSSH exploit. Theo announced
about a week ahead of time that you should upgrade to version 3.3
and enable privilege separation because otherwise the exploit would
grant a cracker instant root access. Whereas running with privilege
separation they would get access as a non-privileged user in a
limited environment.

> Known and unknown bugs are something you
> have with all software.

I definitely agree with you there. It just seems that some
applications have more than their share of serious bugs (serious
meaning those that cause security problems).

> Media software. I am very aware of many of the products out there for

I haven't really looked into this myself, but I know there is a media
server available for free called Icecast. I don't know how it
compares to Microsoft's offering however.

>
> Again I hope this has been a more helpful email and is not just part
> of a newly beginning flame!!!!

No flames intended here. I just wanted to have a few points
clarified.

Steve Bremer