Microsoft Has Come a Long Way with IIS

By Larry Seltzer | Posted 2006-07-17

Opinion: Windows Web servers aren't the pushovers they used to be, and the next generation should make them even more secure.

There was a time, just a few years ago, when Internet Information Server was held in the same high esteem for security as, for example, Internet Explorer. Why did things change? This month Microsoft released a security advisory for a vulnerability in IIS. It caught my attention for two reasons: It's pretty minor, all things considered, and it's only the second advisory in the last several years.

In the meantime, IIS has basically kept its share of the Web server market, according to a Netcraft survey, even though most Web server customers have more of an opportunity to switch than other server users. In other words, this is a competitive market.

I have to add that the public Netcraft survey, while interesting and useful, is a survey of domain names, not strictly of servers. It's possible—in fact, I'd say likely—that the percentage advantage Apache enjoys in that survey exaggerates its actual lead in the number of servers running. And the survey is only of publicly accessible servers, so it doesn't take into account internal portals and intranets, both of which I would presume, without any real data, are more likely to run IIS than is a public Web server.

This latest advisory and patch (MS06-034) illustrate how things have changed. It's a remote code execution bug, which you would think should automatically ring the "Critical" bell, but this isn't the case. It requires numerous conditions that are not enabled by default, some of which would be obvious security breaches even to relative novices.


Even if, for example, you permitted a user to upload a potentially malicious ASP file to the server, it would run in the context of the security-limited IWAM_ account. There's not much that user can do. You could set the application to run in the context of a more privileged user, or elevate the IWAM_ account's privileges, but would you really do that? In any event, this level of bad administration could be performed on any Web server.
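The point above is that the damage from an uploaded script is bounded by the identity the worker process runs under, and that the real risk is an administrator quietly widening that identity. The following is an added example, not code from the column or from Microsoft, that audits application pool identities for exactly that drift. It assumes IIS 7 or later with the WebAdministration module (the IIS 5/6-era IWAM_ account discussed above has no equivalent provider), an elevated session on the web server, and that custom accounts are stored in the same `DOMAIN\user` form that `Get-LocalGroupMember` reports.

```powershell
# Added example (not from the column): flag IIS application pools whose
# worker process runs with more privilege than a web application needs.
# Assumes IIS 7+ with the WebAdministration module and an elevated session.
Import-Module WebAdministration

# Members of the local Administrators group, in DOMAIN\user form, used to
# catch custom pool accounts that are also local admins. Comparison assumes
# the pool's userName was entered in the same form (an assumption, not a rule).
$admins = @()
try {
    $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name
} catch {
    Write-Warning "Could not enumerate local Administrators: $_"
}

Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pool     = $_
    $identity = [string]$pool.processModel.identityType
    $user     = [string]$pool.processModel.userName
    $verdict  = 'ok'

    if ($identity -eq 'LocalSystem') {
        # A compromised script here owns the whole box.
        $verdict = 'RUNS AS LOCALSYSTEM'
    } elseif ($identity -eq 'SpecificUser' -and $admins -contains $user) {
        # Custom identity that is also a local administrator.
        $verdict = 'CUSTOM ACCOUNT IS LOCAL ADMIN'
    } elseif ($identity -eq 'SpecificUser') {
        # Not necessarily wrong, but worth a human look.
        $verdict = 'custom account: review'
    }

    [pscustomobject]@{
        AppPool  = $pool.name
        Identity = $identity
        User     = $user
        Verdict  = $verdict
    }
} | Format-Table -AutoSize
```

Anything other than `ok` in the Verdict column is the kind of "would you really do that?" configuration the column is talking about; the default `ApplicationPoolIdentity` and `NetworkService` identities pass without comment.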

Apache over that period of time has also had a small number of vulnerabilities, none of them really serious. Apache, of course, is a simpler program than IIS. While IIS includes complicating factors like ASP, Apache is a Web server that supports extensions, such as PHP, and this is where the problems have been found for Apache users. In fact, over the last couple of years the number of PHP vulnerabilities has been large, and there have been some embarrassing exploits of them.

To be fair, an IIS server is also a Windows server and is therefore arguably vulnerable to all the flaws in the other parts of Windows that it runs, but there's only so far you can go with this argument. Apache servers are also vulnerable to flaws in their underlying operating systems (and there have been quite a few Linux vulnerabilities), and a public Web server should be configured to ignore all traffic not on the ports it needs, which would insulate it from many attacks on other components of the system.
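Here is what "ignore all traffic not on the ports needed" looks like on a Windows host, as an added example rather than anything from the column or from Microsoft's documentation. It assumes Windows Server 2012 or later (the NetSecurity cmdlets), an elevated session, and a constructed admin network of `10.0.0.0/24` for remote management; the port list and that address are placeholders to adapt, and the last section verifies the result so that a forgotten rule shows up.

```powershell
# Added example (not from the column): lock a public IIS host down to the
# listener ports it needs, then list what is still open. Assumes Windows
# Server 2012+ (NetSecurity module) and an elevated session.

$webPorts   = @(80, 443)        # what the public must be able to reach
$mgmtPort   = 3389              # remote administration (constructed example)
$mgmtSource = '10.0.0.0/24'     # admin network (constructed placeholder)

# Default-deny inbound on every profile; outbound stays open so the server
# can still reach patch sources and back-end systems.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Allow only the web listener ports, from anywhere.
foreach ($port in $webPorts) {
    New-NetFirewallRule -DisplayName "Web inbound TCP $port" -Direction Inbound `
        -Protocol TCP -LocalPort $port -Action Allow -Profile Any | Out-Null
}

# Management stays reachable, but only from the admin network.
New-NetFirewallRule -DisplayName "RDP from admin network" -Direction Inbound `
    -Protocol TCP -LocalPort $mgmtPort -RemoteAddress $mgmtSource `
    -Action Allow -Profile Any | Out-Null

# Verify: every enabled inbound allow rule and the ports it opens. Anything
# beyond 80, 443 and the management port deserves an explanation.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $portFilter.Protocol
            Port     = $portFilter.LocalPort
            From     = $addrFilter.RemoteAddress
        }
    } | Sort-Object Rule | Format-Table -AutoSize
```

The verification table is the part worth keeping in a build checklist: a flaw in some Windows component that listens on a port the server never exposes is, as the column argues, much less of a concern than the same flaw on an unfiltered host.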

And now IIS 7 is on the way with a design even more conducive to a secure configuration. Jim Rapoza's right—it's closer to the Apache design and there's nothing wrong with that. The only people who might complain are management software vendors who will have to retool to manage IIS 7 by parsing the web.config file. Big deal.

There was a point several years ago when it became clear to everyone at Microsoft, and famously to Bill Gates, that security was important. The Nimda and Code Red attacks on IIS were as stark a slap in the face as they could get, even though those attacks developed long after the holes they exploited were patched. Things had to change.

The default Windows 2000 IIS configuration was meant to be easy to use and to make IIS ubiquitous, so Microsoft turned on all sorts of services and left them in vulnerable configurations. This betrayed Microsoft's ignorance of the reality of life on the Internet. But now a Windows Web server comes locked down and is as configurable for security as the competition. Things have changed.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for, and English about, computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.