Re: IIS vs. Apache Security

From: Jeff Cochran (jcochran.nospam@naplesgov.com)
Date: 11/14/02

• Next message: Vincent Polite: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
• Previous message: Richard Donovan: "Re: being attacted"
• In reply to: Karl Levinson [x y] mvp: "Re: IIS vs. Apache Security"
• Next in thread: Karl Levinson [x y] mvp: "Re: IIS vs. Apache Security"
• Reply: Karl Levinson [x y] mvp: "Re: IIS vs. Apache Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: jcochran.nospam@naplesgov.com (Jeff Cochran)
Date: Thu, 14 Nov 2002 19:12:07 GMT

>> Anyone here have any good documentation on IIS vs. Apache Security?

SANS would be a good place to start. I'd be suspect of most sources,
ranging from the Linux community to Microsoft press releases to the
Gartner Group, they all seem to show a bias.

>> A workgroup I work with has someone now suggesting we use Apache for a
>> project I am rolling out because apparently "we all know how unsecure IIS
>> is". I absolutely disagree, stating that IIS is as unsecure as the
>Sysadmin
>> running it, have read much on it in the past, but can't seem to find any
>> good ammo on it.

All software is only as good as the admin running it. That's just a
given. Plus, is your group concerned about IIS security or Windows
security? Will Apache be run on Windows, Linux or something else? So
far as I've seen, Websphere on AS/400 appears to have the fewest
vulnerabilities. If you're talking overall security, look at some of
the secure Linux options, such as En Guarde Linux, and stay away from
the mainstream stuff like Red Hat that ships in a far more open
configuration.

>> Am looking for articles I have seen that show the number of
>vulnerabilities
>> per platform, number of hacks, overall security, etc.

SANS. CERT. BugTraq. et. al.

Jeff

---

• Next message: Vincent Polite: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
• Previous message: Richard Donovan: "Re: being attacted"
• In reply to: Karl Levinson [x y] mvp: "Re: IIS vs. Apache Security"
• Next in thread: Karl Levinson [x y] mvp: "Re: IIS vs. Apache Security"
• Reply: Karl Levinson [x y] mvp: "Re: IIS vs. Apache Security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, he lp the cause ... supply of patches (Windows NT4/95/98) these systems should go offline ... Security is always a trade-off. ... This is how Linux and other ... Apache virtually owns the market with more than 60%. ... (Full-Disclosure) SecurityFocus Linux Newsletter #39 ... Subject: SecurityFocus Linux Newsletter #39 ... Need to keep track of the latest vulnerability information? ... vulnerabilities for both security product vendors and corporate security ... NEW PRODUCTS FOR LINUX PLATFORMS ... (Focus-Linux) RE: Linux hacked ... Subject: Linux hacked ... After you boot up into the OS running from CD, ... >> First let me say I'm a security novice. ... >> been unsuccessful in getting root back. ... (Security-Basics) Re: Community responsibility and abuse (2): the case of top- ... Without ANY evidence of ANY security problems you try ... PLEASE PROVIDE EVIDENCE OF ANY ... evidence that Linux is anywhere near as insecure as windows. ... Still no "spacific evidence that Linux is anywhere near as insecure as ... (alt.linux) Re: testing laptop based on bsd anyone ... "A new linux distribution for Wardrivers" ... I wasn't speaking about the relative strengths of security measures within ... As attacks through web applications continue to rise, ... vulnerability management needs. ... (Pen-Test)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)