Re: IIS6 Security and other web servers

From: Gary H. Jones II (gary_at_pointblanksecurity.com)
Date: 01/25/05

    To: "Rivera Alonso, David" <drivera@iberdrola.es>
    Date: Tue, 25 Jan 2005 14:44:57 -0500

    Security issues in Apache will be found and reported before bugs get found
    in IIS6.

    Apache is open source, which allows people to audit the source code easily.
    IIS6, however, isn't open source, and it's often more time-consuming to find
    bugs. It's difficult to determine right now if IIS6 has more security
    issues than Apache for that reason. It could have fewer; it could have more.
    Since it isn't open source, only time will tell.

    I personally notice Apache security patches/new releases are out quicker
    than Microsoft's.

    If I were to receive a security bulletin detailing a security issue in
    Apache, I could go to the affected part and fix it and recompile. You can't
    do that with IIS.

    I would say that those are some of the many reasons Apache has been the most
    widespread HTTP server since 1996
    (http://news.netcraft.com/archives/web_server_survey.html).

    Sincerely,

    Gary H Jones II

    ----- Original Message -----
    From: "Rivera Alonso, David" <drivera@iberdrola.es>
    To: <security-basics@securityfocus.com>
    Sent: Tuesday, January 25, 2005 9:52 AM
    Subject: IIS6 Security and other web servers

    >
    > Dear friends,
    >
    > I just want to throw a little question to know your opinion.
    > I was discussing yesterday with a friend about the quality of IIS6 from a
    > security point of view.
    > He immediately said it's a bad choice, like previous Microsoft web servers.
    > I've read a few papers and I have this opinion: as it's been redesigned from
    > the ground up (with all the previous failures in mind), with a security
    > perspective, with every little service and option disabled by default, and
    > so on, I told him that now, in my opinion, IIS6 is a good choice.
    > He loves GNU, Linux, and, logically, he thinks Apache is the king in
    > security.
    > Just because I felt curious, I went to www.securityfocus.com to check the
    > latest vulnerability advisories for Apache and IIS6. Incredible, Apache
    > wins, it has many more (not to talk about the many releases since version
    > 2.0)! In fact, I just found one alert about IIS6.
    >
    > What do you experts think?
    > Of course, I know IIS was very dangerous before version 6.
    > But maybe an IIS6 on a well configured, patched and secured Windows 2003
    > machine is at last a good choice to house web applications?
    > Or maybe it's too soon, there are few installed, and maybe in the future
    > it'll have as many holes as the predecessors?
    >
    > What do you think?
    >
    > best regards from Spain,
    >
    > DAVID
    >
    > =============================
    > This e-mail is intended exclusively for the individual or entity to which
    > it is addressed and may contain confidential or legally privileged
    > information, which may not be disclosed under current legislation. Any form
    > of disclosure, copying or distribution of this e-mail is strictly
    > prohibited, save with written authorisation from Iberdrola.
    > If you have received this message in error, please notify the sender
    > immediately by e-mail and delete all copies of the message.
    > =============================
