Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


IIS Rounds the Security Corner



 By: Larry Seltzer
2004-10-04
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Opinion: There are only two Web servers that matter. While two-thirds of domains run Apache, Web server share numbers show that Microsoft's IIS is also a respectable choice.

It used to be exciting to read the new Web server share numbers from Netcraft every month. For a while there, Apache and Microsofts IIS (Internet Information Services) were really duking it out. But these days, the survey has a look of obsolescence.

It looks like the market has hit an equilibrium, with Apache at about 67 percent, IIS at about 20 percent and the rest fighting over small niches. The basic numbers have been unchanged for about a year.

The way I see it, both Apache and IIS have won, and for IIS, this means that the security issue has been dealt with on IIS. While some of the great attacks in computing history were targeted at IIS, good standard practices and a default lockdown state for IIS 6 in Windows Server 2003 mean that the low-hanging fruit is all picked.

Its worth clarifying some of the frequently misrepresented Apache numbers. The public survey that receives so much attention is a survey of domains and the server software on which they run. It is not a measure of the number of copies of each program running or the number of servers on which they run.

A large percentage of the 55.4 million domains measured by Netcraft are parked on a comparatively small number of servers and arent really running at all. Every now and then, the survey is skewed when a large provider, such as Register.com, moves its very large number of parked domains from a Windows to a Linux server, or vice-versa. These sites are just dead weight in the survey because nobody has really made a decision to run the site on any particular software; its not running.

Resource Library:

But lots of actual, running sites are run by hosting services where they share a single server with potentially thousands of other sites. This shared hosting market is dominated by Apache, where the cost benefits are overwhelming. In more complex, dedicated hosted servers—and in internal servers that dont show up on the Netcraft survey—IISs share is much higher.

SecurityFocuss vulnerabilities database shows no vulnerabilities reported for IIS 6.0 in the past year and a single one overall.

That one report, from July 2003, was based on a single, third-party assertion of problems in the Web administration interface for IIS6, and there was no follow-up to the initial report. I suspect the report wasnt confirmed. IIS6 has a pretty good security record.

This is in marked contrast to the default installations of IIS4 and IIS5, the Windows NT 4.0 and Windows 2000 versions. These had some vulnerabilities for the ages, but their real problems were that they installed turned on by default as part of a Windows server installation. This is why Code Red and Nimda were so successful, because they attacked many IIS servers that users didnt even know they had running.

But this hasnt been a problem with IIS6 which, like Apache always has, installs in a "locked-down" configuration. No doubt this has created extra work for some admins. Boo hoo hoo. And through the aggressive application of security patches and the use of third-party products for intrusion detection and other features, its possible to run very secure IIS servers.

Note that Netcrafts survey of the most-reliable hosting providers during September shows six of the top 10 running Windows, with three on Windows 2000 and three on Windows 2003. This shows the servers resistance to DDoS (distributed denial of service) attacks as well, although many of these providers surely use external protections against such attacks.

Its probably going too far to say that IIS is now as secure as Apache. In a sense, its an apples-and-oranges comparison. Out of the box, IIS6 still comes with far more complex and ambitious facilities than Apache—along with the accompanying risks. More importantly, an IIS server can become compromised through holes in other services running on the same box.

But there was a time where IIS could have lost out badly due to a poor security reputation, and Microsoft stopped the bleeding mostly through a technique it needs to use more aggressively elsewhere: defaulting services off.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page

More from Larry Seltzer



  Reader Comments: IIS Rounds the Security Corner
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}ks㶲*Q3皢H=m-yr,}&UZ$CR~L6~bvKJcsw&-`n4w|Aș=&1(ٝ:GLzIj|݇@BizN)#C3WrD廚fw2v=S;^> \?g#QY|r@/T| pTƦ;=aR!k4ًʏш(qGOw?ȀYF {.Q^ZZ~ 4 b'*cO^3l cŰ A=c9p<k- GJ3v' j|'ӤRcfHÑcWPWw,ǃT*sTjQ3#mjZ35k-3G@ؾQ̀ ݢ&q/#!ʿ$fō0r ̳X#vRB'lǦ" 'l_j|5v938 3z7 wj%NXEo~cnh! ;E&sؗY֌`F-S4uPU}V(~h,^ߛiL7;ӟozzgysz#GA fm+h[N"ijQ݇8_u{ݓ>^> 9N koLZ.JX<&ȇ Tr`9rM7JQ߸p~iCX@vIna>E4b™EQ ,GQ%?[U&U}Y6f0R*CA-t?#;SrqsҺy\7=rҽ"uCV@|Ӡd6 2T~`]vjo__ eZP G/<@#D53cfMs,egy0AM)61tGv!fBy;P?z@@jR~nV(UrdoF" 2#~B(pHqbNb8O|૦yp1rY]4'tauAUiSÛRށItneO^ S3G#洋вn3榣ZǦcWPT;,}p{ h2e8l ԰2nБ6?ς@utiSMC|>9ևm'!|Аd mx=Z.S3IXn`Nt&h/Qpy4ڭ,%_ >< )zN=H]6(Zχ`jc˦M@B9{ǻޚB<QС4|aqjQ]*~h3-w= | wA,߃9#z[LKx GN }p (~~9-RC1tKt <CɣQHċl - 686p#}nP rQ 'G,-s9VV j5R{5>k断,0!.(2n@п,/lVCax9Zzǎ As,r}Nz[{fl.n9 cp:h>JeHǝ8~L&[BUjJb35-F   _ǂK ޣȁUrqXSalaa;i/ ESIQ6Om V!҇D+ه0`L E=͝tmRF_` EEI$[b"ud\6˰@e9ִ&3r,˹& zfd~$a(Juѧɹi 3 M~N! hPU*1 "I9O5/V cG˿\tg>:F} `+z\qgItоhʰeh8`Zzq$KDX(TҀah"pHE@xZ+hpL@E.Zr>J+b"8 Utl) FujIMy-!/?ˇI%$4X2=2~2Ejw8x_=p˻~~L4O>AL}6݂ /r=29X>: ;012&z@jAbv6CynR)brdLǖ8+ѡ,Xr*-ÏR U#tT#CWta7 X]QiSiQ9^PӲ*ZЁQ}?rkh豸4] QB|`L ؇^gm/J_+*5"X CbQD i^{p jN*ӁjFB-8k*^y1`g}3^^fCr|^u?]ycM q޲oSR=h3 J@c$bwmɾW2zZ^6[G銿ð Oa區us޼ع_>uQCrֹhK^Kփ w"YKrBëֈȰRW Z_ĥ{j_qfij ^k-W'27]?\F`vY; ºY PH2>(_!a C{ z H)'4-N9:\bϺ;$B R`2"穔(BS.hDO§,>^59S9j67 EGW%'[; u{-$:}mFў`m e܃*Vr[i':פ{GHY ?9/g`!IB^2 7[%E馺+ԛ21 &r֚SE[Dc}OӆO|BYATwJރd$-zdeafIlx0e9RJ锐']'C8 z>RB'T˓$/+IYO)yqhd*꒐~*~(i&'ءXҡԛ]6/6'8 $O krisq/Psq%yx4"k85(~yNHmQJiIw 3DJ^MjpVK ɏh8#z])G? #̫r@N~A=?rW%}ݝf0zH4S `'#9ʼSs`Z GW ./v6gNȣ&k{?ɘK A/g]s6ͥ=O̴E{wmhG(V=w9c99Z7vY?yxXT3mD1'ͳ~4/>OA 6̯> H-@N޽?4GQp]9Qz ACvg^sFΛ=uڻ|Of0w+t>Ninmǡ8 0Nt,4P$yEQj/V $]Bn':L9zdM#}>Jfzki^x̠t4u遧{ !.u06.y~|$E8(TrL (09%|cWQU|!w$zͪ0l͐mlVoq1u4l$^8熞S!`x[۹1_AbظꆜP}] jgZ"R\M'RwH6%4[/"ɯM"^tKy֣X_g_cG~,~,~,~,%bm{m+\G.0C]zOי&Wެh=}mW]AټyꂥϵYD2[WNxq ύc< 5˯ (*t V5^[{܄uq泛sZ 7/\\[-M3%Ee#c5'WqkK5<@uE <+E>^"T)zmz,ux5.PL] L-NSG]/ѠUوNʿ> )-*#*MNrf;,.g`uZJ3=o x.!X_g/*̟U:4R\q'=v\ģ{68sΠZ~P];vvIO6_/XZsRKS\,/n-po/_֑{[xp5:f 0ʤ^{ mYxʄ?k3u#){A5[ofn6௺aul</K=4<^E]6bԹ g| ך c4$p{#͟/z}"x?A* nO2 ymfSx#e f0Q :&M^󒉲G~RB~'s` ApNx+I)LI|-A$H;H~{-'Vp7 d'|w]$lKvךQN|l:KpJmۏosnb,]*@,ʼna#)ȁcâ*1ʱ, <߉",p{R4a䀲e`ؕŠ=B 0[AX^qP3&W~4#eT[RS-ZQ爫[Ԓ#rd! `Bo,"Exa hquQ%?t h#8XҲS5Z 6qNfAfQȢiH\1^V r~zzɟZbiE.c 2d1&^^ME*ރ0HuP[%P UP+$hŨtvms!Vy <׶L8Vy ֵn&S+m'hzBRKo^;C'ܬDId f.sGN݀;mQNaDXrTeX# @Ʌ);9 ?Enє'2t=jhDѤJd i\XCX(+J]?3|M-TZIyø<"aO,z,TOsYXO:Rga^1`^.b¼y#i <΂,'EOSg>雘 (qJ:<}Q-mEr1&Sg?g|}P.[˜ozpҸaoKk)%iYп(HE{{i/+1~Hګ+6G&=$2iѩ Hۡ[57A\N{5,%&hPjߙcju) +Kh-^a9eE&d[h ilwNQg)q8 @ɩfkeٹT75zG*%F¯RވfFܞVkm[JBGh5=P*T&"(S[]ă0T]q{'+[!5T<0 0SYKw`C'[BaO g>򽉡{0u3rRC´vxrT+B<䱤Pl <'/< MO_zwb꾌@h),f,])B9|Ե>|+R0cE)'vx1nVw4W )WTx s##vFCdQs>1'};1h^^}&'+$'W6}:_u.9juoLoWj([u|ܽ|ҹh_^u.Ɖ1 ky-m2/*vg(P\4NQʩpm.4 "Gd;ˀW}QXm3Wi(PJTٌ/!bTթ4 W?\z USp:kj:ٙ%oK#C|E@ЦoJc>sUNMo )n}>E;MjV}QyxQ QQ~Wˏ͌.w3ʑ[@V;ʏW}N21?A姝\㴳5:r_'\dC;k( W 053?ggsAs/s <_?.):wA(*h&࿛ Ku1Ay3CΚpz~;9(/GRz UK}(gg  ~22Εbk_/C+@q>sym%R+ ]Q%=Lk[M2n@ ȣ{i K{Jy@J s hxVydR byeÿV,$=)>w懤Ixϕ崝#&JR7喛O'ikr(%s<2g.g}=* 4=} s`cTHD1KAB0_wQ2 Lg~<'Ԋʼn=P.v8)n7WpK|*SG09nsOkr>u!<[~|^@O窌ÙCgHX&58W!7cUݡQӦB~Sf@+:dFLdp!gB͛Kt]@aD˪U抋k՞/kf:aKƈ DUKIn#-Erly0963wH6P,#V}< (luy1o<N/hpxJD`a\m8JI(q07x,4FW51L(/a5o[.|6bZ Ơ}ֽD#[#7XYNƀ_@,o=,N7"f/ڞ05lӌ/T# Aflk8ӥcXS1wYW-d~K5 D 9b8 o1LO٥_9$2ƃBLr$Ҵ)?LLt{?ul70H-t{| eƻ;os{Lx9Äצ,|Ŷ/G㿄&lE[0Cǹ~rh`=E(E|\+,!#1Y Mк # B8ɄN`'9}Ǧ e48wM߰ r:'쭰F |m)۹d,ӧu'ٵӹ$}[4läd |Af$f Kǣ,h X2X-F{&7 /Y{N6 )4M˚μPszlo%()%y+L9(نWxiW*HԶx*D¼yG=Q'nalhd)K^F5Ou`H؂{ꐏXi[e1BpCɖ)tOAVt3B[ϗ5`/=H,](\n)ZF15B\ (at L?Qa˟]lہR#jȹ-` j+7EmEtA{|wn}#\:1F`]cűedg)C2^#s!YX&7ę /O CWѰ0 L;,lqEG%RrNCb ɧ<lu K#(t>0 'Ɣ ϰO"- s鏗exDh\"?P߯d+KWԱ0_^5FElT$bB=Ay$O~т!gnh]1fnBO .&DW6K54Ƙb>Y{&LV 92lt* X>!ˣŬ"D0Ȯ'Z:tsh;h[3TJX6c?tf ŷ@ý]^c*a7<#/ah(`yjSSQ2$Y?