Re: security on iis 5 open port router

From: karl [x y] (jamescagney90210@excite.com)
Date: 07/29/02


From: "karl [x y]" <jamescagney90210@excite.com>
Date: Sun, 28 Jul 2002 21:38:45 -0400


"Ian Hastie" <ian_a_hastie@hotmail.com> wrote in message
news:slrnak8v6t.gb7.ian_a_hastie@iahastie.local.net...

> Security is only as good as the weakest point. IIS has a much worse
> security track record than Apache, both in numbers of vulnerabilities
> and time to fix those that are found. IIS is definitely a weak point in
> system security.

Depends on how you look at it. Most of the IIS servers being hacked are
hacked because the latest patches haven't been installed and the default
configuration was not changed or improved. I agree that a large number of
buffer overruns have been found for Microsoft IIS. However, an
administrator that doesn't update IIS won't update Apache either. Also,
Microsoft IIS is fairly easy to secure. An administrator who can't figure
out how to secure IIS won't be able to figure out how to secure Apache. You
need to correct the default configuration and install all security patches
no matter what software you're running, almost without exception.

If you're an administrator that knows what she is doing security-wise in an
environment that is using Visual InterDev or .NET to program and where the
features of IIS are needed, IIS can be secure enough and it might even be
the best choice. Apache isn't always the best choice for everyone.