This month Microsoft released a security advisory for a vulnerability in IIS. It caught my attention for two reasons: Its pretty minor, all things considered, and its only the second advisory in the last several years.
In the meantime, IIS has basically kept its share of the Web server market, according to a Netcraft survey, even though most Web server customers have more of an opportunity to switch than other server users. In other words, this is a competitive market.
I have to add that the public Netcraft survey, while interesting and useful, is a survey of domain names, not strictly of servers. Its possible—in fact, Id say likely—that the percentage advantage Apache enjoys in that survey exaggerates its actual lead in the number of servers running. And the survey is only of publicly accessible servers, so it doesnt take into account internal portals and intranets, both of which I would presume, without any real data, are more likely to run IIS than is a public Web server.
This latest advisory and patch (MS06-034) illustrate how things have changed. Its a remote code execution bug, which you would think should automatically ring the "Critical" bell, but this isnt the case. It requires numerous conditions that are not enabled by default and some of which would be obvious security breaches even to relative novices.
Even if, for example, you permitted a user to upload a potentially malicious ASP file to the server, it would run in the context of the security-limited IWAM_ account. Theres not much that user can do. You could set the application to run in the context of a more privileged user, or elevate the IWAM_ account privileges, but would you really do that? In any event, this level of bad administration could be performed on any Web server.
Apache over that period of time has also had a small number of vulnerabilities, none of them really serious. Apache, of course, is a simpler program than IIS. While IIS includes complicating factors like ASP, Apache is a Web server that supports extensions, such as PHP, and this is where the problems have been found for Apache users. In fact, over the last couple of years the number of PHP vulnerabilities has been large, and there have been some embarrassing exploits of them.
To be fair, an IIS server is also a Windows server and is therefore arguably vulnerable to all the flaws in other parts of Windows that it runs, but theres only so far you can go with this argument. Apache servers are also vulnerable to flaws in their underlying operating systems (and there have been quite a few Linux vulnerabilities), and a public Web server should be configured to ignore all traffic not on ports needed for it, which would insulate it from many attacks to other components of the system.
And now IIS 7 is on the way with a design even more conducive to a secure configuration. Jim Rapozas right—its closer to the Apache design and theres nothing wrong with that. The only people who might complain are management software vendors who will have to retool to manage IIS7 by parsing the web.config file. Big deal.
There was a point several years ago when it became clear to everyone at Microsoft, and famously to Bill Gates, that security was important. The Nimda and Code Red attacks on IIS were as stark a slap in the face as they could get, even though those attacks developed long after the holes they exploited were patched. Things had to change.
The default Windows 2000 IIS configuration was meant to be easy to use and to make IIS ubiquitous, so they turned on all sorts of services and left them in vulnerable configurations. This betrayed Microsofts ignorance of the reality of life on the Internet. But now a Windows Web server comes locked down and is as configurable for security as the competition. Things have changed.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer