Re: IIS6 Security and other web servers
From: Joachim Schipper (j.schipper_at_math.uu.nl)
Date: 01/26/05
- Previous message: Philip Wagenaar: "Openpgp.org"
- In reply to: Rivera Alonso, David: "IIS6 Security and other web servers"
- Next in thread: Roger A. Grimes: "RE: IIS6 Security and other web servers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Jan 2005 10:54:34 +0100
To: "Rivera Alonso, David" <drivera@iberdrola.es>
On Tue, Jan 25, 2005 at 03:52:08PM +0100, Rivera Alonso, David wrote:
>
> Dear friends,
>
> I just want to throw a little question to know your opinion.
> I was discussing yesterday with a friend about the quality of IIS6 from a
> Security point of view.
> He immediately said it's a bad choice, as previous Microsoft web servers.
> I've read a few papers and I have this opinion: as it's been redesigned from
> the ground up (with all the previous failures in mind), from a security
> perspective, with every little service and option disabled by default, and
> so on, I told him that now, in my opinion, IIS6 is a good choice.
> He loves GNU, Linux, and, logically, he thinks Apache is the king in
> security.
> Just because I felt curious, I went into www.securityfocus.com to check the
> latest vulnerability advisories for Apache and IIS6. Incredible: Apache
> wins, it has many more (not to talk about the many releases since version
> 2.0)! In fact, I just found one alert about IIS6.
>
> What do you experts think?
> Of course, I know IIS was very dangerous before version 6.
> But, maybe an IIS6 on a well configured, patched and secured Windows 2003
> machine is at last a good choice to house Web Applications?
> Or maybe it's too soon, there are few installed, and maybe in the future
> it'll have as many holes as the predecessors?
>
> What do you think?
>
> best regards from Spain,
>
> DAVID
Dear David,
As always, the Open Source alternative is more configurable. It'd be
difficult to say which standard install is more secure; however, Apache
with a lot of third-party modules hastily written by a programmer high
on coffee might not measure up to IIS.
On the other hand, if you take the security-conscious (aka paranoid)
route and run Apache in a chroot() jail, as a dedicated user, with a
minimum of modules (compiled statically whenever possible) and compile
the whole thing with PaX and SSP support, it is quite likely that you're
better off than with IIS[1]. Some GNU/Linux distributions, like
Adamantix, do a decent job in this respect, or so I've heard...
Alternatively, go with OpenBSD.
Good luck!
Joachim
[1] A custom install also means custom upgrades - be sure to do this! I
can usually out-patch most major distributions, mainly because I need
not test it on hundreds of different configurations.
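As an added example that is not part of the original post, here is a small shell audit of an Apache 2.x httpd.conf against the configuration-visible points in Joachim's list: a dedicated unprivileged User/Group, as few dynamically loaded modules as possible, and a chroot jail. The two configs it checks are constructed for the demonstration, and audit_httpd_conf is a hypothetical helper, not an Apache tool. PaX and SSP are properties of how the binary was built and do not appear in the config, so they are out of scope for this check; likewise a jail set up with an external chroot(8) wrapper (the only option before the ChrootDir directive arrived in Apache 2.2.10) is invisible to a config-file audit and will show up as a finding you then have to clear by hand.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an Apache 2.x
# httpd.conf for a dedicated unprivileged User/Group, for dynamically loaded
# modules (the post's advice is to compile in only what you need), and for a
# ChrootDir jail. The configs below are constructed for the demonstration;
# audit_httpd_conf is a hypothetical helper, not an Apache tool.

# Prints one finding per line; the exit status is the number of findings.
audit_httpd_conf() {
    conf="$1"
    findings=0

    # Apache honours the last User/Group directive it reads, so take the last
    # match. "nobody"/"nogroup" are shared with other daemons, which defeats
    # the point of a dedicated account.
    user=$(sed -n 's/^[[:space:]]*User[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    group=$(sed -n 's/^[[:space:]]*Group[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    case "$user" in
        ""|root|nobody)
            echo "User is '${user:-unset}': run as a dedicated account, not root or the shared nobody user"
            findings=$((findings + 1)) ;;
    esac
    case "$group" in
        ""|root|wheel|nogroup)
            echo "Group is '${group:-unset}': use a dedicated group"
            findings=$((findings + 1)) ;;
    esac

    # Each LoadModule line is a shared object loaded at run time. List them so
    # every one has to be justified; the rest should be dropped or built in.
    mods=$(grep -c '^[[:space:]]*LoadModule' "$conf" || true)
    if [ "$mods" -gt 0 ]; then
        echo "$mods LoadModule line(s): compile the needed modules statically and drop the rest:"
        sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}\([^[:space:]]*\).*/  \1/p' "$conf"
        findings=$((findings + 1))
    fi

    # ChrootDir is available from Apache 2.2.10 on. A jail built with an
    # external chroot(8) wrapper is not visible here and must be checked by hand.
    if ! grep -q '^[[:space:]]*ChrootDir[[:space:]]' "$conf"; then
        echo "No ChrootDir: confine the server to a jail (ChrootDir, or an external chroot for older builds)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

TMP=$(mktemp -d)
WEAK_CONF="$TMP/weak.conf"
HARD_CONF="$TMP/hardened.conf"

# Constructed "as shipped" config: shared nobody account, several dynamically
# loaded modules, no jail.
cat > "$WEAK_CONF" <<'EOF'
ServerRoot "/usr/local/apache2"
LoadModule cgi_module modules/mod_cgi.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule php5_module modules/libphp5.so
User nobody
Group nogroup
Listen 80
EOF

# Constructed config in the spirit of the post: dedicated account, nothing
# loaded dynamically, chroot jail.
cat > "$HARD_CONF" <<'EOF'
ServerRoot "/usr/local/apache2"
ChrootDir /var/www/jail
User www-apache
Group www-apache
Listen 80
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f"
    if audit_httpd_conf "$f"; then
        echo "OK: all checks passed"
    else
        echo "$? finding(s)"
    fi
done
```

Run it as-is and the constructed weak config produces four findings (user, group, three LoadModule lines, no ChrootDir) while the hardened one produces none. Point the function at a real httpd.conf to get the same report for your own build; it reads only the file you name, so Include'd fragments need to be checked separately.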