XP And VFP6?
Message
General information
Forum: Visual FoxPro
Category: Other
Title: Miscellaneous
Thread ID: 00565426
Message ID: 00567349
Views: 11
>>And to think I'm usually the one defending MS's practices. But not in this case. It most certainly appears they need to get some more security experts assigned to the MS campus.
>
>The issue is not so much a technical one as a policy one. The problem with IIS is not that it has more holes, but it exposes more functionality by default, which _exposes_ more holes. None of these worms would be a problem if the default IIS install was a bare bones, HTML only install, and all additional IIS functionality had to be intentionally added.


I read an article which quoted a Microsoft engineer as stating that they are going to reverse past packaging and make the default install of IIS servers bare bones, requiring the admin to turn on what he needs. An excellent idea.

>
>Apache is so much more secure because when you install it, all you get is a basic request parser to serve up pages on disk. IIS gives you bells and whistles out the wazoo, and the majority of the holes in the product (like the ones exploited by Nimda and Code Red) are in those bells and whistles.

The bad guys exploited design decisions made by Microsoft. Giving everyone 'root' privileges, although W2K and XP have pretty much squelched that. The scripting engine is part of the "bells and whistles" interaction between components that folks love, and which makes WinXX 'easy' to use. Linux apps like SO 5.2, SO 6.0, KDE and some that are utilising DCOM and CORBA are now at the center of current debates about exposure to scripting attacks that are common on WinXX. Linux coders are learning from Windows mistakes.
Nebraska Dept of Revenue