
    IT Bugs Out Over IIS Security

    By Dennis Fisher, July 23, 2001

      For Brooks Martin, patching and maintaining his Microsoft Corp. IIS Web servers is almost a full-time job. With so many vulnerabilities—and with a new patch appearing seemingly every week—Martin said it's a struggle keeping his head above water.

      “We stay on top of what we do, but you never know,” said Martin, CEO of isObject Inc., an independent software developer in Brentwood, Tenn. “Maintaining IIS servers is a cumbersome, tedious process. Any time you bring a new server online, you have to apply 40 or 50 patches.”

      Martin and his staff were spending so much time dealing with the security of their Internet Information Services servers that Martin installed an add-on program designed to harden IIS boxes against a growing list of bugs.

      An increasing number of IIS users have grown weary of the nonstop flood of security problems that have plagued Microsoft's widely deployed Web server. Since the beginning of last year, Microsoft has issued 21 security bulletins for IIS 5.0 alone, a number that is increasing at the rate of about one every three weeks. In fact, vulnerabilities in the Web server have become so commonplace that some security administrators joke that IIS stands for “It Isn't Secure.”

      Security consultancy @Stake Inc. estimates that IIS holds 25 percent of the market for enterprise Web servers, yet more than 50 percent of the Web sites listed on the Attrition.org archive of defaced sites are running IIS.

      Despite the widespread perception of IIS as a nonsecure server, many customers say that, because it is the default Web server with Windows NT and Windows 2000, it will remain their server of choice because they are too committed to Microsoft to make a switch practical or affordable. In real-world terms, this means large portions of the Internet will remain vulnerable as long as this attitude prevails.

      “I would switch if I could convince my company to do it,” said Jeff Nelson, network manager at Cleveland Motion Controls Inc., in Cleveland, and an IIS user. “It's hard to find good Unix security guys, though. But [Microsoft's] new licensing policies do make dumping them a lot more attractive.”

      Many of the vulnerabilities in IIS are routine flaws that can be used to crash or hang the server. But a growing number of the flaws are serious problems that enable attackers to control the server. Among recent examples is a flaw in the ISAPI extension that is installed by default as part of the Indexing Server. By exploiting an unchecked buffer, an attacker can conduct a buffer overflow attack, gain control of the server and execute arbitrary commands.

      IT managers and security specialists have long been leery of IIS security, but, like Martin, they have stuck with it for convenience and fiscal reasons. However, the recent flood of problems and the increased attention to privacy and security in today's marketplace have led some, including Nelson, to reconsider their positions.

      The problem, users said, isn't just that IIS seems to be more prone to security problems than competing Web servers such as iPlanet and open-source darling Apache. (For more on Apache, see Tech Analysis, Page 30.) The real issue is the perception that Microsoft officials know there's a problem but refuse to take any meaningful steps to rectify it.

      “Who knows why they do what they do?” Martin asked. “They don't take people like us seriously.”

      This, Microsoft officials insisted, is not the case. They acknowledged that IIS has more than its share of vulnerabilities, but they also pointed out that Microsoft is one of the few vendors that issues security bulletins and patches as soon as a problem is found.

      “There is a problem with IIS,” said Scott Culp, security program manager at Microsoft, in Redmond, Wash. “We've just had too many vulnerabilities affecting IIS, especially this year. We recognize the need to do a better job of making it secure.”

      Culp points to the last two versions of IIS—4.0 and 5.0—as the main sources of trouble.

      “In 4.0 and 5.0, IIS installed with more services turned on by default than most people needed,” he said. The assumption was that customers would then use the Microsoft-provided checklists to go through and shut down the services they didn't need, such as Internet Printing and Internet Database Connection. But few customers did so and thus were left exposed to a wide variety of vulnerabilities they could have avoided.
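      The defensive counterpart to the checklists Culp describes is knowing whether anyone is even requesting the default components the article names (the Indexing Server ISAPI extension, Internet Printing, Internet Database Connection). The following is an added example, not code from the article or from Microsoft: it scans W3C extended IIS log lines for requests to the script-mapped extensions behind those components. The extension-to-DLL mapping and the sample log lines are the editor's own, not the article's.

```python
"""Flag IIS log requests aimed at default ISAPI script mappings that most
servers do not need (added example, not from the eWeek article)."""
import re
from collections import Counter

# Script-mapped extensions behind the components the article names.
# Mapping supplied by the editor from IIS 4.0/5.0 documentation, not the page.
UNNEEDED_ISAPI = {
    ".ida": "Indexing Service (idq.dll)",
    ".idq": "Indexing Service (idq.dll)",
    ".printer": "Internet Printing (msw3prt.dll)",
    ".idc": "Internet Database Connector (httpodbc.dll)",
}

# Minimal W3C extended layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

def flag_line(line):
    """Return (client_ip, extension, component) when the request targets one
    of the unneeded mappings, else None. IIS file mappings are
    case-insensitive, so the URI stem is lowercased before matching."""
    m = LOG_RE.match(line.strip())
    if not m:  # header lines ("#Fields: ...") and malformed rows are skipped
        return None
    stem = m.group("stem").lower()
    for ext, component in UNNEEDED_ISAPI.items():
        if stem.endswith(ext):
            return (m.group("ip"), ext, component)
    return None

def audit(lines):
    """Count flagged requests per (extension, component). Any hit on a server
    that does not use the component is a hardening finding: the mapping
    should be removed rather than left for a patch to protect."""
    hits = Counter()
    for line in lines:
        flagged = flag_line(line)
        if flagged:
            hits[flagged[1:]] += 1
    return hits

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-23 10:01:02 192.0.2.10 GET /default.htm - 200",
    "2001-07-23 10:01:05 192.0.2.44 GET /default.IDA XXXX 200",
    "2001-07-23 10:01:09 192.0.2.44 GET /NULL.printer - 500",
    "2001-07-23 10:02:11 192.0.2.10 GET /scripts/report.idc - 200",
]

if __name__ == "__main__":
    for (ext, component), n in audit(SAMPLE_LOG).items():
        print(f"{n} request(s) to {ext} -> {component}")
```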

      Server in for an overhaul

      To rectify this issue, Microsoft is overhauling the default configuration process in IIS 6.0, which is part of the forthcoming .Net server due this fall.

      The configuration process will be driven by a wizard-style program that will ask the administrator a series of questions about how he or she plans to use the server. The answers will determine which services are enabled, Culp said.

      “We've been surprised to find out how many customers have unneeded services turned on,” Culp said. “A lot of folks don't know these things are there.”

      To some IIS users, this is a big—if belated—step in the right direction.

      “The problem with Microsoft is that they try to be everything to everyone,” Nelson said. “They enable everything, and no one needs all of those services. It's really sad. You don't have to know anything about hacking to [break into an IIS server].”

      After his company's network was compromised recently by a crew of well-known software pirates who were using a server to store stolen programs, Nelson disabled more than 20 IIS services.

      In what may be a sign of things to come, Microsoft announced recently a partnership with VeriSign Inc. designed to bolster security. Under terms of the deal, VeriSign will provide digital certificates for Microsoft's HailStorm Web services initiative. In addition, Microsoft will incorporate VeriSign's Personal Trust Agent technology into its Passport Web authentication service.

      Microsoft also plans to include existing IIS patches in any future patch release—a concept known as roll-up patches—in an effort to placate customers who complain that it is too time-consuming to install every patch that comes down the pike.

      Many companies perform extensive testing on bug fixes before installing them, and users said it's hard to free up the manpower and resources needed to go through this process.

      While they said they believe that Microsoft is right to try to simplify the setup process and improve the security of IIS, many security professionals still say they don't trust Microsoft. “None of us feels that Microsoft knows a thing about security,” said one security specialist, whose company is gradually migrating from IIS to Apache out of concern for IIS security problems.

      Despite this sentiment and a track record that, by Microsoft's own admission, is spotty at best, there are those who say that the company's mistakes get more attention simply because of Microsoft's high profile.

      “IIS is a target because it's Microsoft software,” said Chris Wysopol, research director at @Stake, in Cambridge, Mass. “Out of the box, the server is very open, and administrators don't know they have to tailor it to their needs. The product has the everything-but-the-kitchen-sink approach, and there are a lot of opportunities to attack it.”

      Culp, Wysopol and others also argue that administrators make the problems even worse by failing to apply patches in a timely manner even when they've been widely publicized.

      “We see a lot of bad configurations out there, and patches haven't been installed, which is a big problem,” Wysopol said.

      But that doesn't refute the argument that, if Microsoft produced more secure software, administrators wouldn't have to spend so much time maintaining it. Or, as one soon-to-be former IIS user put it when asked why his company was switching Web servers, “When was the last time you read about an Apache vulnerability?”
