IIS6 Security and other web servers

From: Rivera Alonso, David (drivera_at_iberdrola.es)
Date: 01/25/05

    To: security-basics@securityfocus.com
    Date: Tue, 25 Jan 2005 15:52:08 +0100
    
    

    Dear friends,

    I just want to throw a little question to know your opinion.
    I was discussing yesterday with a friend about the quality of IIS6 from a
    Security point of view.
    He immediately said it's a bad choice, like previous Microsoft web servers.
    I've read a few papers and I have this opinion: as it's been redesigned from
    the ground up (with all the previous failures in mind), with the security
    perspective, with every little service and option disabled by default, and
    so on, I told him that now, in my opinion, IIS6 is a good choice.
    He loves GNU, Linux, and, logically, he thinks Apache is the king in
    security.
    Just because I felt curious, I went into www.securityfocus.com to check the
    latest vulnerability advisories, for Apache and IIS6. Incredible, Apache
    wins, it has many more (not to talk about the many releases since version
    2.0)! In fact, I just found one alert about IIS6.

    What do you experts think?
    Of course, I know IIS was very dangerous before version 6.
    But, maybe an IIS6 in a well-configured, patched and secured Windows 2003
    machine is at last a good choice to house Web Applications?
    Or maybe it's too soon, there are few installed, and maybe in the future
    it'll have as many holes as the predecessors?

    What do you think?

    best regards from Spain,

    DAVID


