Re: security on iis 5 open port router

From: karl [x y]
Date: 07/29/02

From: "karl [x y]" <>
Date: Sun, 28 Jul 2002 21:38:45 -0400

"Ian Hastie" <> wrote in message

> Security is only as good as the weakest point. IIS has a much worse
> security track record than Apache, both in numbers of vulnerabilities
> and time to fix those that are found. IIS is definitely a weak point in
> system security.

Depends on how you look at it. Most of the IIS servers being hacked are
hacked because the latest patches haven't been installed and the default
configuration was not changed or improved. I agree that a large number of
buffer overruns have been found for Microsoft IIS. However, an
administrator that doesn't update IIS won't update Apache either. Also,
Microsoft IIS is fairly easy to secure. An administrator who can't figure
out how to secure IIS won't be able to figure out how to secure Apache. You
need to correct the default configuration and install all security patches
no matter what software you're running, almost without exception.

If you're an administrator that knows what she is doing security-wise in an
environment that is using Visual Interdev or .NET to program and where the
features of IIS are needed, IIS can be secure enough and it might even be
the best choice. Apache isn't always the best choice for everyone.
