Gartner again, this time IIS
Forum: Visual FoxPro
Category: Other / Miscellaneous
Thread ID: 00559831
Message ID: 00560017
Views: 34
Give me a break, these are just more people's opinions...
It's just common sense - MS is the main target of hackers. I'm not saying anything against the open source movement other than that it's probably easier to find holes in software created by a loose conglomerate of programmers (open source) than it is to find them in software created by a tight-knit group of professionals (MS). The reason there is a problem is because there are probably at least 10x more hackers working on the MS software...
What is amazing is that you can easily automate these patches with Microsoft tools and keep up to date without worrying about it. That's what we've been doing and it works great without any problems...

>Dream on, you couldn't be MORE wrong if you tried.
>
>Below is a recent story about the issue. I wouldn't quote the story in full, but, strangely, the webpage is missing from ZDNet. However, thanks to Google's cache, it is still accessible, but I don't know for how long. I wonder why ZDNet pulled it? Possible disruption of their ad revenue stream? In looking for other recent stories I noticed that some of them, too, had dead links.
>
>It seems that one response is to claim that MS security problems are due to a conspiracy in the OpenSource movement...
>http://www.securitynewsportal.com/article.php?sid=1332
>That's a real laugher...
>
>There are several thousand articles on the web comparing Apache to IIS+ and you can use "apache security vs IIS security" to find them. Here are a few examples:
>
>http://ist.uwaterloo.ca/~dwhitesi/docs/apache-vs-iis.html
>http://www.zdnet.com.au/newstech/communications/story/0,2000024993,20248328-1,00.htm
>http://www.techrepublic.com/article.jhtml?id=r00620010528ggp01.htm
>
>**************************************************************
>
>Apache avoids most security woes
>Timothy Dyck , eWEEK
>July 20, 2001 2:52 PM ET
>
>The Apache Software Foundation Inc.'s Apache HTTP Server has earned what many hope for and few achieve: an enviable security reputation.
>
>This achievement is especially striking when contrasted with Microsoft Corp.'s IIS (Internet Information Services) Web server (see related story), which has gained the reputation of having more holes than Swiss cheese.
>
>A study of Apache security advisories dating back to Apache 1.0 shows the server's last serious problem (one where remote attackers could run arbitrary code on the server) was announced in January 1997. This problem was a buffer overflow in Apache's cookie module that was fixed in Apache 1.1.3.
>
>A group of less serious problems (including a buffer overflow in the server's logresolve utility) was announced and fixed in January 1998 with Apache 1.2.5. In the three and a half years since then, Apache's only remote security problems have been a handful of denial-of-service and information leakage problems (where attackers can see files or directory listings they shouldn't).
>
>(In a side bar:
>Why Apache does so well
> Installs very few server extensions by default
> All server components run as a nonprivileged user
> Source code for core server files is well-scrutinized
> All configuration settings are centralized in a single file
>)
>
>
>Why has Apache done so well and IIS fared so poorly?
>
>Having published source code helps but isn't enough on its own. The widely used Berkeley Internet Name Domain name server from Internet Software Consortium Corp. and Washington University's FTP server also have source code available, but both have poor security records.
>
>Going over Apache's security advisories back to the server's Version 1.0 days shows that the secret—in addition to solid coding and scrutiny—lies in a minimalist design, careful attention to detail and a configuration process that makes it easy for administrators to know what's going on.
>
>First, Apache doesn't install a lot of extras (though Linux distribution packagers sometimes do, which has been a source of problems because each add-on can be a potential security issue). A default build of Apache from source code doesn't install any Apache module (extensions) at all. You just get a bare-bones Web server.
>
>By default, IIS is a much bigger product and has many more features. In a default Windows 2000 installation, IIS 5.0 installs with seven externally accessible dynamic link library file extensions accessible through 13 URL mappings, plus FrontPage Server Extensions. Every one of these eight components has had security updates since Windows 2000 was shipped.
>
>Second, all Apache components run as nonprivileged users, so if a buffer overflow occurs, damage is limited. Conversely, IIS makes components with system-level permissions Web-accessible, and two remote root Index Server attacks (MS01-033 and MS01-025) and one remote root Internet Printing Protocol attack (MS01-023) have resulted.
>
>Third, by default, Apache places all configuration settings in one file, httpd.conf, providing a single point of configuration. IIS settings need to be changed in several places.
>
>eWEEK Labs also found that when we manually removed all extensions from IIS, three (including the ones allowing the Index Server attacks) were silently restored by the Windows installer when we later removed the FrontPage components. This is documented, although unwelcome, behavior.
>
>West Coast Technical Director Timothy Dyck can be reached at timothy_dyck@ziffdavis.com.
>**************************************************************
>I wonder if Timothy still has a job?
>JLK
>
>>If hackers chose to go after Apache or any open source web servers, they would probably be 10x more vulnerable than IIS.
>>I don't think there are inherently any more security flaws in IIS than in any other web servers.
>>The editorial seemed to imply this - Gartner simply said that because the extensive hacking is happening to IIS that maybe people should consider moving to other web servers. I don't think they said IIS security is any worse than any other web server...
>>>All
>>>
>>>Well, VFP isn't alone in being not liked by Gartner, now they've targeted IIS as well:
>>>
>>>http://www.zdnet.com/zdnn/stories/comment/0,5859,2813854,00.html
>>>
>>>We use IIS and apply the patches- there is a utility that checks your server and tells you if you need more patches.
>>>
>>>I'll be interested to see whether MS responds to this as energetically as they responded when Gartner said its piece about VFP.
>
>mmmm... maybe it is that Gartner's bias was being called into question by their clients, seeing how they have been caught publishing an MS PR bulletin under the guise of a Gartner Report. They would have gotten by with it had they not forgotten to remove the MS PR copyright, and the fact that suspicions were raised when similar, if not identical, paragraphs appeared in other 'news' stories at the same time.
>
>>>
>>>Regards
>>>
>>>JR
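The eWEEK sidebar quoted above reduces Apache's record to a few properties an administrator can actually check: few modules loaded by default, every server process running as a nonprivileged user, and all of it visible in one httpd.conf. As an added example that is not part of this thread or of the eWEEK article, here is a small Python checker that reads an httpd.conf fragment and reports on exactly those three points. The two configuration fragments are constructed for the example, the RISKY_MODULES set is this example's own judgement of which optional modules widen the attack surface (the article names none), and treating an unset User or Group as a finding is a deliberately conservative assumption.

```python
import re

# Constructed sample: a deliberately weak httpd.conf fragment (not from any real server).
# Children run as root and every optional module the packager shipped is loaded.
WEAK_CONF = """\
ServerRoot "/usr/local/apache"
User root
Group root
LoadModule env_module         libexec/mod_env.so
LoadModule config_log_module  libexec/mod_log_config.so
LoadModule mime_module        libexec/mod_mime.so
LoadModule includes_module    libexec/mod_include.so
LoadModule autoindex_module   libexec/mod_autoindex.so
LoadModule dir_module         libexec/mod_dir.so
LoadModule cgi_module         libexec/mod_cgi.so
LoadModule userdir_module     libexec/mod_userdir.so
LoadModule status_module      libexec/mod_status.so
LoadModule info_module        libexec/mod_info.so
#LoadModule proxy_module      libexec/libproxy.so
"""

# Constructed sample: the same server trimmed to a bare-bones static web server
# running as an unprivileged account.
HARDENED_CONF = """\
ServerRoot "/usr/local/apache"
User nobody
Group nogroup
LoadModule config_log_module  libexec/mod_log_config.so
LoadModule mime_module        libexec/mod_mime.so
LoadModule dir_module         libexec/mod_dir.so
"""

# Accounts that must never own the request-handling children.
PRIVILEGED = {"root", "0"}

# Example's own list (an assumption, not from the article): modules that hand requests
# to CGI programs, server-side includes, per-user directories, or introspection pages.
RISKY_MODULES = {
    "cgi_module", "includes_module", "userdir_module", "autoindex_module",
    "status_module", "info_module", "proxy_module",
}

# Matches "User nobody", "Group nogroup", "LoadModule name path"; the module name is group 2.
DIRECTIVE = re.compile(r"^(User|Group|LoadModule)\s+(\S+)", re.IGNORECASE)


def parse_conf(text):
    """Return (user, group, [loaded module names]) from the active directives.

    Apache only honours comments that start a line, so a line beginning with '#'
    (such as a disabled LoadModule) is skipped entirely and never counts as loaded.
    """
    user = group = None
    modules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name == "user":
            user = arg
        elif name == "group":
            group = arg
        else:
            modules.append(arg)
    return user, group, modules


def audit(text):
    """Check the three sidebar properties and return the parsed values plus findings."""
    user, group, modules = parse_conf(text)
    findings = []
    # Property 2: all components run as a nonprivileged user. An unset value is
    # flagged too (conservative assumption): rely on an explicit directive, not a default.
    if user is None or user in PRIVILEGED:
        findings.append("children run privileged: User is %s" % (user or "unset"))
    if group is None or group in PRIVILEGED:
        findings.append("children run privileged: Group is %s" % (group or "unset"))
    # Property 1: minimal extensions. Report every loaded module from the risky set.
    risky = sorted(set(modules) & RISKY_MODULES)
    if risky:
        findings.append("optional modules loaded: " + ", ".join(risky))
    return {"user": user, "group": group, "modules": modules, "findings": findings}


if __name__ == "__main__":
    # Property 3 is what makes this script possible at all: one file holds the answers.
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = audit(conf)
        print("%s: %d module(s) loaded, %d finding(s)" % (label, len(report["modules"]), len(report["findings"])))
        for f in report["findings"]:
            print("  - " + f)
```

Run it as is to see the two reports side by side, or point `audit()` at the contents of a real httpd.conf; the regex deliberately ignores everything except the three directives the sidebar talks about, so it will not trip over Include lines or container blocks, but it also will not follow them.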