IT Bugs Out Over IIS Security

Microsoft's platform flaws have users mulling switch to rival Web servers

For Brooks Martin, patching and maintaining his Microsoft Corp. IIS Web servers is almost a full-time job. With so many vulnerabilities—and with a new patch appearing seemingly every week—Martin said it's a struggle keeping his head above water.

"We stay on top of what we do, but you never know," said Martin, CEO of isObject Inc., an independent software developer in Brentwood, Tenn. "Maintaining IIS servers is a cumbersome, tedious process. Any time you bring a new server online, you have to apply 40 or 50 patches."

Martin and his staff were spending so much time dealing with the security of their Internet Information Services servers that Martin installed an add-on program designed to harden IIS boxes against a growing list of bugs.

An increasing number of IIS users have grown weary of the nonstop flood of security problems that have plagued Microsoft's widely deployed Web server. Since the beginning of last year, Microsoft has issued 21 security bulletins for IIS 5.0 alone, a number that is increasing at the rate of about one every three weeks. In fact, vulnerabilities in the Web server have become so commonplace that some security administrators joke that IIS stands for "It Isn't Secure."

Security consultancy @Stake Inc. estimates that IIS holds 25 percent of the market for enterprise Web servers, yet more than 50 percent of the Web sites listed on the archive of defaced sites are running IIS.

Despite the widespread perception of IIS as a nonsecure server, many customers say that, because it is the default Web server with Windows NT and Windows 2000, it will remain their server of choice because they are too committed to Microsoft to make a switch practical or affordable. In real-world terms, this means large portions of the Internet will remain vulnerable as long as this attitude prevails.

"I would switch if I could convince my company to do it," said Jeff Nelson, network manager at Cleveland Motion Controls Inc., in Cleveland, and an IIS user. "It's hard to find good Unix security guys, though. But [Microsoft's] new licensing policies do make dumping them a lot more attractive."

Many of the vulnerabilities in IIS are routine flaws that can be used to crash or hang the server. But a growing number of the flaws are serious problems that enable attackers to control the server. Among recent examples is a flaw in the ISAPI extension that is installed by default as part of the Indexing Server. By exploiting an unchecked buffer, an attacker can conduct a buffer overflow attack, gain control of the server and execute arbitrary commands.

IT managers and security specialists have long been leery of IIS security, but, like Martin, they have stuck with it for convenience and fiscal reasons. However, the recent flood of problems and the increased attention to privacy and security in today's marketplace have led some, including Nelson, to reconsider their positions.

The problem, users said, isn't just that IIS seems to be more prone to security problems than competing Web servers such as iPlanet and open-source darling Apache. (For more on Apache, see Tech Analysis, Page 30.) The real issue is the perception that Microsoft officials know there's a problem but refuse to take any meaningful steps to rectify it.

"Who knows why they do what they do?" Martin asked. "They don't take people like us seriously."

This, Microsoft officials insisted, is not the case. They acknowledged that IIS has more than its share of vulnerabilities, but they also pointed out that Microsoft is one of the few vendors that issues security bulletins and patches as soon as a problem is found.

"There is a problem with IIS," said Scott Culp, security program manager at Microsoft, in Redmond, Wash. "We've just had too many vulnerabilities affecting IIS, especially this year. We recognize the need to do a better job of making it secure."

Culp points to the last two versions of IIS—4.0 and 5.0—as the main sources of trouble.

"In 4.0 and 5.0, IIS installed with more services turned on by default than most people needed," he said. The assumption was that customers would then use the Microsoft-provided checklists to go through and shut down the services they didn't need, such as Internet Printing and Internet Database Connection. But few customers did so and thus were left exposed to a wide variety of vulnerabilities they could have avoided.
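The checklist step Culp describes is, in practice, an audit of which ISAPI script mappings a server still carries. The following is an added example, not code from the article or from Microsoft: it parses IIS 4.0/5.0-style ScriptMaps entries (assumed format "extension,dll path,flags[,verbs...]") and flags mappings belonging to optional services such as Internet Printing and Index Server that a hardening checklist would remove; the extension-to-service table and the sample entries are constructed for illustration.

```python
# Added example: audit IIS 4.0/5.0 ScriptMaps entries against a
# "disable what you don't need" hardening checklist.
# Entry format assumed here: "<ext>,<dll path>,<flags>[,<verb>,...]".

# Default-installed ISAPI mappings tied to optional services. This table is
# an assumption for illustration; check it against your own checklist.
UNNEEDED_BY_DEFAULT = {
    ".ida": "Index Server (idq.dll)",
    ".idq": "Index Server (idq.dll)",
    ".htw": "Index Server (webhits.dll)",
    ".printer": "Internet Printing (msw3prt.dll)",
    ".idc": "Internet Database Connector (httpodbc.dll)",
}

def parse_script_map(entry):
    """Split one ScriptMaps entry into (extension, dll, flags, verbs)."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError("malformed ScriptMaps entry: %r" % entry)
    ext, dll = parts[0].lower(), parts[1]
    flags = int(parts[2])
    verbs = [v.upper() for v in parts[3:]]  # empty list: no verb restriction
    return ext, dll, flags, verbs

def audit_script_maps(entries):
    """Return one finding per mapping that the checklist would remove."""
    findings = []
    for entry in entries:
        ext, dll, flags, verbs = parse_script_map(entry)
        if ext in UNNEEDED_BY_DEFAULT:
            findings.append({
                "extension": ext,
                "dll": dll,
                "service": UNNEEDED_BY_DEFAULT[ext],
                "all_verbs": not verbs,  # unrestricted verbs widen exposure
                "action": "remove mapping unless this service is required",
            })
    return findings

# Constructed sample resembling a default IIS 5.0 ScriptMaps list (not a capture).
SAMPLE_SCRIPT_MAPS = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".ida,C:\\WINNT\\System32\\idq.dll,7,GET,HEAD,POST",
    ".idq,C:\\WINNT\\System32\\idq.dll,7,GET,HEAD,POST",
    ".htw,C:\\WINNT\\System32\\webhits.dll,7,GET,HEAD,POST",
    ".printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,HEAD,POST",
    ".idc,C:\\WINNT\\System32\\inetsrv\\httpodbc.dll,1",
]

if __name__ == "__main__":
    for f in audit_script_maps(SAMPLE_SCRIPT_MAPS):
        print("%-9s %-42s %s" % (f["extension"], f["service"], f["action"]))
```

The .asp mapping passes because it is not in the table; the five optional-service mappings are reported, and the .idc entry is additionally marked as carrying no verb restriction.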

Server in for an overhaul

To rectify this issue, Microsoft is overhauling the default configuration process in IIS 6.0, which is part of the forthcoming .Net server due this fall.

The configuration process will be driven by a wizard-style program that will ask the administrator a series of questions about how he or she plans to use the server. The answers will determine which services are enabled, Culp said.

"We've been surprised to find out how many customers have unneeded services turned on," Culp said. "A lot of folks don't know these things are there."

To some IIS users, this is a big—if belated—step in the right direction.

"The problem with Microsoft is that they try to be everything to everyone," Nelson said. "They enable everything, and no one needs all of those services. It's really sad. You don't have to know anything about hacking to [break into an IIS server]."

After his company's network was compromised recently by a crew of well-known software pirates who were using a server to store stolen programs, Nelson disabled more than 20 IIS services.

In what may be a sign of things to come, Microsoft announced recently a partnership with VeriSign Inc. designed to bolster security. Under terms of the deal, VeriSign will provide digital certificates for Microsoft's HailStorm Web services initiative. In addition, Microsoft will incorporate VeriSign's Personal Trust Agent technology into its Passport Web authentication service.

Microsoft also plans to include existing IIS patches in any future patch release—a concept known as roll-up patches—in an effort to placate customers who complain that it is too time-consuming to install every patch that comes down the pike.

Many companies perform extensive testing on bug fixes before installing them, and users said it's hard to free up the manpower and resources needed to go through this process.

While they said they believe that Microsoft is right to try to simplify the setup process and improve the security of IIS, many security professionals still say they don't trust Microsoft. "None of us feels that Microsoft knows a thing about security," said one security specialist, whose company is gradually migrating from IIS to Apache out of concern for IIS security problems.

Despite this sentiment and a track record that, by Microsoft's own admission, is spotty at best, there are those who say that the company's mistakes get more attention simply because of Microsoft's high profile.

"IIS is a target because it's Microsoft software," said Chris Wysopol, research director at @Stake, in Cambridge, Mass. "Out of the box, the server is very open, and administrators don't know they have to tailor it to their needs. The product has the everything-but-the-kitchen-sink approach, and there are a lot of opportunities to attack it."

Culp, Wysopol and others also argue that administrators make the problems even worse by failing to apply patches in a timely manner even when they've been widely publicized.

"We see a lot of bad configurations out there, and patches haven't been installed, which is a big problem," Wysopol said.

But that doesn't refute the argument that, if Microsoft produced more secure software, administrators wouldn't have to spend so much time maintaining it. Or, as one soon-to-be former IIS user put it when asked why his company was switching Web servers, "When was the last time you read about an Apache vulnerability?"