Microsoft Attempts to Secure IIS
billmaly writes: "Yahoo has this article about trying to make IIS more secure. Among steps is to have it install in its most secure state, putting the onus on sysadmins to remove it from that state. It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."
Sounds like a good thing to me.
Their marketing material pointing out holes in Apache mostly focused on Tomcat, the Java app server, PHP, etc. But these don't come installed by default, whereas with IIS, you install just about everything by default.
Isn't this kinda like the efforts to make Sendmail more secure?
Apparently every copy of Windows XP/2000 is now shipping with a pair of scissors, to be used to "secure" the ethernet connection of IIS servers.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
because 78,417 Nimda hits are more than enough for me!
These are the guys who have still been unable to figure out that the Buffer Overflow, etc. patches are available to them on Windows Update--or that almost all the new exploits would be fixed by getting Service Pack 2.
;-P
If they can't figure out how to use Windows Update, or have the sensibility to get the latest service pack within 4 months of its release...I doubt they know how to configure the system from scratch. *L*
Maybe this will require MS sysadmins to learn something about the OS for once.
-Jayde
What's a sig?
And when will the Linux distributions ship with all the services off?
Admittedly, IIS does run certain scripts and perform certain functions as a "nobody" user. But most of the recent exploits were able to get an immediate "root shell" because the services being exploited did run as SYSTEM. And unless Microsoft is willing to address that problem, admins who need to enable many services and don't keep up on patches will still get rooted on a regular basis.
-sting3r
Download source code for Apache. Tweak the headers to say "IIS" instead of "Apache". Brag about their speedy team of coders.
after years of disruption and billions of dollars in damage... ms should be shut down...irresponsible.
Open the source. Put it up for peer review. Fix the holes. I'm not saying that they should hand out the source for their whole OS, but when they have had as many debacles with one piece of software it might actually help them out quite a bit.
I refuse to install products that require IIS as well. A software provider of ours makes an ultra nice business mining product that can be nicely web enabled. I told them that I would purchase it as soon as they supported a web server that didn't have a new security flaw or bug discovered every week.
Well from the looks of it, it sounds like they're doing all the right things. Just too bad for most of us who've been seeing "GET /default.ida?XXXX..." and "GET /scripts/root.exe?/c+dir HTTP/1.0" 404" in our Apache logs; it can't come soon enough...
KidA
"Karma can only be portioned out by the cosmos." -Homer Simpson
So, like what are they going to do?
Step 1: Install IIS
Step 2: Uninstall IIS
--JLockard - "Some mornings, it's just not worth chewing through the leather straps." - Emo Phillips
You can be secure in the fact that IIS will be crushed by the next Code-Redish virus.
They will fix the problem in the next upgrade.
This will mean that IIS Sysadmins will actually have to think...! Now I know there are a lot of intelligent Sysadmins out there running IIS, but if you've come across the people I have in the industry, you'll know that there a lot of people who aren't very tech savvy running servers.
How about with this, an increase in the Microsoft Certification program?
===> An eye for an eye makes everyone blind - MG
It's nice that they will ATTEMPT to make it install more securely by default. What are they going to do to help secure all the existing installations from the current (and future) gaping holes?
Thank god. Now all they have to do is provide a WindowsUpdate-esque way of keeping IIS secure. Since we know these holes can be exploited via the web, then Microsoft should be able to detect them and patch them, right?
You'd think so.
"Forty-two," said Deep Thought, with infinite majesty and calm.
The knowledge base is tightening up.
Random rubbish for lameness filter.
Special Relativity: The person in the other queue thinks yours is moving faster.
then it's secure - yeah I know troll, but 10p says there will be many such comments.
Technology ain't the problem, it's the people...ooo it's windows, pointy clicky don't need an experienced sys-admin to look after it.
:-)
As pointed out in this CNET article, while forcing the maximum secure version and forcing users to install all patches is a good step in the right direction, the fact that IIS has been patched so many times implies that to really improve the security of it, it needs to be rewritten from scratch, particularly since it is a closed source application and thus does not have the same QA that open source software might have.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
The paper is here.
It's more involved than you might think. If you are a sysadmin, this might be important for your job security.
...The real problem with Microsoft is their extremely poor testing. They try to implement a billion features at once, and in so doing, half of them don't work right, or have serious security flaws.
Hey Microsoft, how about testing your crap before shoving it down people's throats? Too radical for you? That's fine, it doesn't matter at this point for my organization, we've begun upgrading our NT servers to RedHat 7.1. You'd be surprised how easy it is to administer, especially if all you know about Linux you got off of zdnet, or another Bill Gates Microschlong sucking media outlet.
This is not a change in the fundamental technology. They don't seem to indicate that IIS itself will change, only that the default settings will yield more secure servers. This is only one type of security issue. What about all of the others?
Another thing to consider is that they are not doing this to be kind, gentle, or nice. They are doing it to shore up their marketing of Hailstorm, Passport, and so forth. This is not a response to "what the users want" or they would have done this ages ago. It is a marketing ploy. It is the right thing to do, but it is a marketing ploy. Managers, CIOs, CEOs, and so forth will be able to sleep better at night.
It would be great to have everything disabled by default, and would be a major help for security. (That's how OpenBSD have been able to go four years without a hole in the default install...there's not much enabled in the default install). I just don't think that the average M$ shop wants to take the time involved for an average admin to get a secure-by-default product working, or pay the top dollars needed to get an admin savvy enough to already know how to do this.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
They will also remove any backdoors left in IIS intentionally?
Any idea when we'll experience a 24-hour period in which Slashdot's database doesn't explode?
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Microsoft has released a secure version of IIS to its beta testers. I cannot give you any details, except that it has codename "Apache".
Microsoft's idea of making their products more secure is making it harder to copy... Seriously, if they'd spend as much time worrying about actual security as they do preventing and prosecuting piracy, it'd be more secure than Fort Knox.
Somehow I get the feeling when one of us does strings on the actual binary we may see the apache licence :-P Just that M$ and security go together as Satan and good.
Karma whorin' since 1999
1. Place unopened IIS software in bank vault.
:)
2. Close and lock vault door.
3. Eat paper on which vault lock combination is stored.
Oh, you actually wanted to use the software?
*sigh* I probably shouldn't rag on Microsoft: they needed to do this a long time ago. But in so many ways they've hoisted themselves by their own petard: by touting how easy their software is to use, by implication they've convinced businesses and technicians that they don't need much training on how to use it. Locking down IIS is one step: making sure that IIS admins know how to properly use it is another and I have yet to see any emphasis placed on education and training by Microsoft or any of its apologists.
Note: having one's connection refused by Slashdot when attempting to post a comment is just plain rude. On the other hand, the wonder isn't how well the bear dances, it's that the bear dances at all.
With the Gartner group sending letters to all their customers RECOMMENDING they remove IIS as "an unacceptable security risk" based on the TCO of IIS rapidly exceeding the cost of the hardware, the OS and THE SUPPORT STAFF. When a nationally recognized consulting firm that supports 400 of the top 500 firms, and one that HAS BEEN PRO M$ up to this point, or at least VERY neutral, suddenly starts advocating ABANDONING your investment you know you have BIG PROBLEMS. I personally think this is TOO LITTLE TOO LATE. Why was the product not shipped like this in the first place???
errr....umm...*whooosh* *whoosh* Is this thing on ?
"...it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area,'' Brian Valentine, senior vice president of the Windows Division at Microsoft.
:)
Which means Microsoft has found someone to steal it from.
/*drunk.. fix later*/
work is more difficult than installing it and just having it work right away because all the features you need (...and all the ones you don't) are already activated.
Reading this article I smell a goat, as they say. It smacks too much of a good initiative that will be exploited. Like the recently announced toolkit to get your system checked for vulnerabilities and fixed free (see here). If you try to actually have it sent to you and go thru a few screens you see that you need Passport (a.k.a. "all your passwords are belong to us!") in order to have them send you a CD by snail-mail. What does a physical CD have to do with an evil service, you ask? Did I mention that the CD might be useful/coveted? Has anyone found a similar hitch with this (e.g., putting the settings in such a way that a central M$ database will check the appropriateness of all your info "to make sure it's secure", oh and to make sure you don't use it for anything that disparages M$, hotmail, MSN, etc).
I'm too lazy to go looking for it, but didn't MS claim they were going to focus on security about 1.5 or 2 years ago, back when IIS 4 was having problems?
... as not all Distributions are shipped at its most secure state.
I had to test some java code being developed by (company) for a newly released (product) and needed a web server. The usual test platform server had just been taken down by nimda (i.e. not 3 hours earlier). Fortunately for my productivity log, an extremely capable app called Apache exists for WinNT and in under 30 minutes I had it up and running (including denying every host under the sun that was sending those annoying GET requests for /winnt/system32/cmd.exe).
:-)
The entire dev team working on the java code would have just taken the afternoon off, had I not casually mentioned the existence of my humble Pentium Pro 200 running Apache.
This caught the attention of my boss who wondered why our group was able to continue working, while many others were outside playing basketball waiting for the Admins to finish the virus updates. Who knows . . . we may shift away from simple IIS servers (for a java service on a server you don't need some big IIS machine).
From a security standpoint, this little server did a good job of fending off every virus attack (a few hundred every hour). I believe two additional simple IIS servers have been temporarily changed to Apache since they don't have a need for any other service. Who knows what will be their ultimate fate. But right now they are doing their job and don't need to be updated. This may affect the purchasing policy for one or two machines here. Not a huge step towards non-M$ product use, but I am encouraged nonetheless.
robi
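As an added example (not code from any poster in this thread), here is the kind of log check KidA's and robi's posts describe: scanning Apache access logs for the Code Red and Nimda probe strings quoted above, counting them per source host, and turning repeat offenders into Apache-style "Deny from" lines. It assumes the Apache common log format; the sample log lines and the worm-family labels attached to each signature are constructed for this example.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Probe signatures quoted in the thread: default.ida (Code Red) and the
# root.exe / cmd.exe requests (Nimda). First match wins, so the specific
# script-directory pattern sits before the bare cmd.exe fallback.
# The family labels are an assumption for this example.
SIGNATURES = [
    ("code-red", re.compile(r"/default\.ida", re.I)),
    ("nimda", re.compile(r"/(?:scripts|msadc|_vti_bin|c|d)/.*(?:root|cmd)\.exe", re.I)),
    ("nimda", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
]

# Constructed sample log (not a real capture); the X run in the Code Red
# request is shortened from the several hundred bytes seen in practice.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [18/Sep/2001:14:02:11 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090 HTTP/1.0" 404 285',
    '10.0.0.5 - - [18/Sep/2001:14:02:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '10.0.0.7 - - [18/Sep/2001:14:03:01 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 230',
    '10.0.0.7 - - [18/Sep/2001:14:03:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208',
    '10.0.0.7 - - [18/Sep/2001:14:03:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 216',
    '192.168.1.20 - - [18/Sep/2001:14:04:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.168.1.20 - - [18/Sep/2001:14:04:01 -0400] "GET /images/logo.gif HTTP/1.0" 200 2210',
    'this is not a log line',
    '10.0.0.9 - - [18/Sep/2001:14:05:00 -0400] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 216',
])


def parse_line(line):
    """Return the fields of one common-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the worm family whose probe signature matches the request path, else None."""
    for family, pattern in SIGNATURES:
        if pattern.search(path):
            return family
    return None


def analyze(lines, deny_threshold=2):
    """Count probes per family and per source host; hosts at or above the
    threshold go on the deny list. Unparseable lines are counted, not guessed at."""
    by_family = Counter()
    by_host = Counter()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        family = classify(rec["path"])
        if family is None:
            continue  # ordinary request, not a worm probe
        by_family[family] += 1
        by_host[rec["host"]] += 1
    deny = sorted(h for h, n in by_host.items() if n >= deny_threshold)
    return {"by_family": dict(by_family), "by_host": dict(by_host),
            "skipped": skipped, "deny": deny}


def deny_directives(hosts):
    """Render hosts as Apache 1.3-era 'Deny from' access-control lines."""
    return "\n".join(f"Deny from {h}" for h in hosts)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    print("probes by family:", result["by_family"])
    print("probes by host:  ", result["by_host"])
    print("skipped lines:   ", result["skipped"])
    print(deny_directives(result["deny"]))
```

The threshold keeps a single stray 404 from blocking a host; lower it to 1 if you would rather block on first sight, as robi's post describes.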
I think the keyword here is 'Attempt'
I think the keyword is Astroturf.
From billmaly's story submission:
It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."
How does this stuff make it to slashdot's front page? C'mon, this is just blatant astroturfing!
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
Did you catch that:
"``it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area,'' Brian Valentine, senior vice president of the Windows Division at Microsoft, said in an interview."
Now, hopefully Apache and other webservers will start shipping more secure products. Thank you Microsoft for driving forward the industry towards more secure standards.
-- Spankmeister General
Just read on cnet where Ray Noorda of Novell used to call the guys at Msft Bill "Pearly" Gates who promises you the heavens while Steve "The Embalmer" prepares the body for burial.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
The amazing Chris Condon at dumbentia.com already thought of that joke:
;)
http://www.dumbentia.com/pdflib/scissors.pdf
"Running with Scissors" takes on a whole new meaning
-phil
Once you eliminate the impossible, whatever remains, no matter how improbable, will be quoted out of context on
This just reminded me of a particular Daily Victim.
"In a fit of rage I went over the deep end and cut our apartment's DSL connection!"
I would think that Microsoft would want to get out of their leadership position in enabling virus attacks and making them so painful, but I guess that's why I'm not President of the Windows Division. I don't think the industry wants to be driven too much further down that path, though - alternate web serving platforms are more like where Microsoft is driving their customers.
Well, that will be a first.
Your right to not believe: Americans United for Separation of Church and
They most certainly don't have a history of being pro-Microsoft. All their TCO stuff is directed at proving desktops are really expensive and we should all go back to big iron.
Gartner recommends whatever it's clients pay it to recommend.
Never install a piece of software as Administrator, use poweruser or something less.
If it doesn't install as that user, don't install it. It's obvious that that app was not designed with security in mind.
----- What's wrong with this picture? http://www.revoh.org:1234/whatswrong
Remember the first time you installed Apache?
It was secure by default because you had to learn what the heck you were doing, and a fair bit about the structure of your hard drive before you could get it running.
Now IIS is catching up, having learned what happens when you appeal to the lowest common denominator. This is very good news, because it means IIS will no longer be administrated by people who haven't a clue. It's not that IIS is inherently insecure, but that it's inherently run by people who don't know how to secure it.
Apache appeals to a different crowd, and is more secure by nature for that reason...
information is immaterial
If you don't feel like hurting good quality cables, alternatively you can use the scissors to cut out every instance of the word "secure" from the IIS documentation, and run the software.
I would have modded this funny. Sorry don't have any mod points right now.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
for their security holes, and generally overlook the fact that the default config of RedHat (and other Linux distributions) is also horribly insecure.
They have to drive forward the industry? They are playing catchup. They are implementing security features that have been in Apache for years at this stage, and setting defaults that should have been set at day one. It's typical of Microsoft to try and fix things up once they have totally broken, then try to sell it as a feature, and to try and say "Look what good things we've done in combating this problem", when all along there should never have been a problem in the first place.
They're doing so well in the security hole polls. At least they got #1 in something!
The rest of this comment is from the NTBugTraq newsgroup:
Microsoft have today announced a suite of initiatives intended to address the issues their customers face from the threat of Worms and other malcode like Nimda and Code Red.
About time.
I've been assured that substantial resources have been allocated to this new effort, but one has to wonder just who was consulted in coming up with what this program involves (if you were, drop me a line.)
Announced today was the "Microsoft Security Tool Kit";
Click here
This "Greatest Hits" CD or network download contains all of the things you should already have;
- - Latest Service Packs for OS, IIS, and IE.
- - Security Checklists for NT, W2K, and IIS.
- - A W2K-SP2 Deployment guide (the Update.msi section is worth reading if you have an Active Directory environment and use Group Policies)
- - An NT 4.0-SP6a Deployment guide for SMS.
- - IE Deployment guides.
- - Several individual Hotfixes required for NT 4.0 Terminal Server (even though they are included in the NT 4.0 SRP)
- - IIS Lockdown Tool
- - URLScan
- - HFNetchk
- - Critical Update Notification 3.0 (only applies to W98/W2K according to the referenced KB article)
- - QChain
There's a difference between the download and the CD. According to the announcement page, "It (CD) includes automation scripts to quickly install all the security hotfixes recommended in the kit.", but the CD may take from 3 to 6 weeks to arrive.
I was told there would also be a "Bootstrap Client for Windows Update" within this package somewhere, but if it's just the Critical Update Notification 3.0 tool then it's not a "Bootstrap Client" in the sense I thought it was.
While there are additional things planned, the biggest thing missing at this stage is a re-release of the NT 4.0 Option Kit CD which contains;
1. Patched version of IIS 4.0 (one that's not vulnerable out of the box)
2. Patched versions of MDAC
3. Modifications to the samples to eliminate RDS
4. Modified default installation that doesn't install in a way known to be exploitable
5. Modified Setup program that doesn't re-install removed script mappings and other components after the user has manually removed them (since that's what many people have done to protect themselves)
In addition, what is desperately needed is some way to do the following;
a) Probe your internal network to identify IIS installations (this can be done with HFNetchk, but working with its output is no fun)
b) Completely remove the IIS installation on command (remotely!), or render it stopped
c) Query the IIS installation and alter it, removing RDS keys, updating MDAC, patching it, disabling /scripts, tightening permissions, etc...
d) Report results in a comprehensive fashion
I don't know about the rest of you, but many people have thousands of IIS boxes to deal with. While Microsoft does sell SMS, if you used Ghost to distribute your installations it hardly seems reasonable for MS to expect you to purchase SMS to secure what you thought was a reasonable installation.
If you have more than 1000 hosts under your control, send me your suggestions for the best product/method used to get patches and service packs out.
Given that this whole initiative, supported at the highest levels in Microsoft, is designed in response to Worms that required the touching of every machine in your organization, the first thing out the door should've been something that made that problem less onerous.
There are plans in the works (for Q2-2002) for an internal version of Windows Update. I've been calling for this with Microsoft for eons now, and while it's great they have finally been hit with the clue-bat it seems ridiculous that it's going to be 6 months plus before we see it. Such a tool would allow Network Administrators to rely on the client's Windows Update component to provide fixes (fixes decided on by the Network Administrator). In addition, a new feature in that client (still some 3 months out) allowing it to be set up to allow automatic updates (a push mechanism), would give you a way to push out a fix quickly to all clients.
Again, about time!
Also coming out of all of this was news that Windows 2000 SP3 is not likely to ship this year.
Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
"I thought I had an Appetite for Destruction, when all I really wanted was a club sandwich."
putting the onus on sysadmins to remove it from that state
First it's all Microsoft's fault because IIS was shipped in an "easy to use state" which made it insecure. Now you're reversing the tables and saying that the "onus" is on the sysadmins to put it into a less secure state. Will you guys ever be happy?
It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper.
So, lemmy get this straight.... Instead of praising them for finally doing what you've been asking all along, you give hesitant "well now the onus is on the sysadmin" and "may be trying to do... at least on paper" comments... What exactly will make you happy? (besides MS rolling over and playing dead).
If God gave us curiosity
Would that new "secure configuration" be upside down, along side the new AOL 6.0 Platinum, 50k hours for your first month, pH balanced for kiddies(tm) CD in the Trash? I suppose then you'd have to worry about people breaking in and stealing your trash.
"it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area"
(Our products? A security problem? Don't be silly, it is "the industry." We will fix the industry.)
"We can't just sit back and think about Microsoft."
(It's not a Microsoft problem...but we will do the charitable thing and help, anyway.)
Weirdest spin I've seen in a long time....
I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
I second the astroturf statement. If it was Apache "trying to do the right thing from a security standpoint," that "at least on paper" jab wouldn't have been added at the end.
In other news, Microsoft's hardware division announced a plan to make water flow uphill.
"It looks like Microsoft may be trying to do the right thing from a security standpoint"
Hey, look now, I thought that this wasn't the funny section, or am I wrong...?
They attempt to secure IIS? Shouldn't they be "attempting" to do so all the time? Isn't that trivial knowledge in programming to try to find out and fix security holes?
You might be interested in EROS - the Extremely Reliable Operating System, which takes permissions resolution to its logical extreme: the capability system. If something only needs access to one directory and one port, that's all you give it.
Very interesting project.
So, doesn't IIS install as default when you install Windows?
Wouldn't the ultimate security be: Don't install it with the OS as default?
Sheesh.
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
Maybe then you'll have a chance at improving your highest unique (#4) ranking in security holes. Linux/*nix cleaned up, #1 and at least sharing 8 of the top 10!!!! If Microsoft opens their source, they could certainly hope to aspire to such greatness.
A paperclip comes up and asks you, "Would you like to have the server start? Would you like to allow connections from outside 127.0.0.1? Would you like to run scripts? Would you like to be able to access files not residing on the read only floppy? Would you like to have all comments automatically read by Outlook?"
And monkeys will fly out my butt.
Somehow I don't trust M$ to not "add" a little something else to help secure your box and to also help secure their position in the marketplace.
Sorry, but the words "M$" and "helping" being used together sounds too much like an oxymoron to me. That's like trying to make "Tax Audit" and "Root Canal" sound like a good thing.
Goran
Carpe Scrotum - The only way to deal with your competition.
I can't get to the article right now, but I'd be surprised if MS isn't trying to recover its stance from insurance companies starting to charge a higher premium and rate for "hacker coverage" if you run IIS.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
This whole IIS thing is only a Microsoft problem by coincidence. Any piece of software can have security holes, so the key to reducing their effect is timely application of patches. That appears to be the main thrust of MS's "securing IIS" effort.
Unfortunately, almost nobody makes it easy to get security patches. Debian does the best job, from an admin's point-of-view--just "apt-get update && apt-get upgrade" when there's a security announcement, and you can even put this into a cron job. MS doesn't do too badly, with "Windows Update". Solaris stinks--Sun seems to go out of their way to hide security patches from visitors to their website. I don't have much experience with other platforms--there may be better systems than Debian's, but I haven't seen them.
That's "Mr. Soulless Automaton" to you, Bub.
"And J.S. Wurzler Underwriting Managers' Safeonline division is charging some companies using IIS as much as 15 percent more in premiums."
:)
Don't forget to add in the added insurance premiums when calculation MS's total cost of ownership
no matter, we'll NEVER (strong word, know?) use ANY PayPer LieSense filled, virus friendly, invasion of privacy, m$BugWear at ScaredCity(?tm?). we will, however, give some fortunate netizen this uninfected (never been driven in the winter/bankrupted/etc...) set of URLs, including a year's free hosting, for being able to follow some simple directions, while not being aFraUD. are we easy, or what?
Uhm I heard from a web developer for middleware systems that uses IIS that IIS 6.0 is going to run in kernel memory. Maybe this is a bad thing? Executing ASP code in kernel memory? Just.... maybe?
Thank God. Since MS usually tries to do the wrong thing, on purpose. Now they are doing the right thing on paper.
I'm not really sure how this will help. Having a server off by default will not make it harder to break into once the server has been turned on. Not only that, the problems exploited by worms and script kiddies are all known, sometimes months and even years in advance of an attack. If MS were truly serious, they would establish an independent body to certify MSCEs, make it so that the certification is much more difficult than it is now, and only provide support to customers who have certified personnel on staff. On top of this, MS should guarantee backward compatibility of ALL software installed on a system after a security update is applied (within a given product version) so that admins won't be terrified to install updates.
Burn Hollywood Burn
I really think that this is a good thing. It might actually help reduce the number of script kiddie type attacks over all - because it will actually force people to learn that you DON'T leave the admin site running and you DON'T use the default web site to run YOUR site from, etc, etc... Let's face it - if your PHB's force you to use it (cough, cough) then you should at least know how.
It really is about time they did this, heck the way the install is now - it almost hacks itself!!
FreeBSD: Nothing runs like a daemon with a pitch fork.
Friggin karma whores!
By intending to secure IIS, Microsoft is doing the right thing. Unix freaks are laughing at Microsoft freaks because of code red & co. But the point is that flaws in any system are bad for the whole internet. People don't trust the internet any more, they don't want to give their credit card number any more, etc. When every host on the internet will be pretty secure, e-commerce may do a real come-back.
The problem with this announcement is that Microsoft will start from the existing IIS product and try to secure it.
Securing something that wasn't initially coded with security in mind is very tricky. Flaws always pass on.
Have a look at bind or sendmail. They are very old servers. They are widely used. Many companies and individual people hardly audited the code. So what? A new flaw was still discovered in sendmail last week, and bind always was one of the favorite toys for kiddies.
On the other hand, software like djbdns and postfix were started later. They were started from scratch with the knowledge of all common security flaws their ancestors had. The result is that they are very secure. More than old software that was audited by hundreds of skilled people.
So while Microsoft's initiative is in the right direction, they won't get a secure product in any case. Just because they didn't rewrite it from scratch.
{{.sig}}
I thought it qualified for 1 "Funny" point. Of course, I'm going to post this anonymously so the asshole moderators don't take away my precious Karma points.
If M$ is sincere, this is of course welcome news.
The problem is that M$ have a history of promising "initiatives" of this nature, then never following through once the smoke has cleared a bit.
And that's assuming it isn't just pure FUD, as in this lovely example.
sPh
spelling is a plus.
"You are running Outlook 97 or Outlook 98. You should consider upgrading to the latest version of Outlook to ensure you have the most recent product and security enhancements."
Hmm. Is this telling me that there are no patches available, and my only choice is to pay cash money and upgrade to Outlook 2000?
Yeah, it provides useful information, but it still feels like they're trying to shaft me.
-grendel drago
Laws do not persuade just because they threaten. --Seneca
I dont like microsoft. I would rather use linux. It would be good if people who used microsoft would start using linux. Linux is good.
American Scissors Council
-phil
Once you eliminate the impossible, whatever remains, no matter how improbable, will be quoted out of context on
are you just putting the words 'front' and 'page' together to plug Microsoft Frontpage? Are you trying to get the combined word Frontpage into the english vocabulary?
I call a Microsoft rat!
Sure they can make it look all fancy and nice on paper, but we'll still have to see whether or not they're talking out of their ass, just to get people trusting them again. P.S. As for me, I'm off to learn RUBY!
Hey, this is my sig, if you don't like it, STOP READING MY POSTS!
I suppose this got modded up simply because it promotes the open source agenda and disparages closed source.
Bravo.
...plug the RJ45 cable into the back of your network card.
Steve
The United States is attempting to stop terrorism.
-- the computer doesn't want any beer, no matter how much you think it does. NEVER, EVER feed your computer beer.
Windows Update has covered patches for every major exploit in the last 6 months. They have been phasing in server patches for quite some time now.
At least 50% of the "Critical Update Packages" I have seen are IIS or Server based.
-Jayde
What's a sig?
Seriously, a guy posts a valid comment and some Linux zealot automatically feels the need to mod it down. Woohoo.
.. as not all Distributions are shipped at its most secure state
100% security is unrealistic in nearly every case. How much security you need must be balanced with how much functionality you need. Windows is extremely functional but incredibly insecure. Linux can go either way depending on who installs/configures it. I don't know anything about your family, but my grandmother isn't a sysadmin. An OS for most people should be fairly secure from remote attacks but remain very functional. A tall order indeed.
Yes, the ISO finally updated the HTML spec with a new tag called </em>. It actually turns off the emphasis tag (<em>), just in case someone reading your page doesn't like italics.
Next week they'll release an RFC for the controversial "Preview" button.
On a side note, I'm glad you aren't posting at an automatic -1, mr. taco...
Keep trying...
When a (h)(cr)acker writes a virus/worm that cracks into servers and provides root access without actually doing any damage, what they are doing is letting the world know how easy it is to do so.
Bear in mind that there are lots of folks out there (thieves, terrorists, enemy governments) who would (and presumably do) break into servers and steal credit card numbers and/or sensitive corporate/government info, without telling anyone!!
If the "virus authors" weren't constantly exploiting these simple security holes, the greater public would never know they were there, because the real "bad guys" always try to go unnoticed.
...wouldn't involve IIS at all, but Apache!! At my shop, we changed from IIS to Apache and it works great. Much faster and more stable.
Why don't more people know about the power of Apache, even if on an NT platform? It's not all about choosing Linux vs. Microsoft.
Dear Microsoft,
Thank you for your recent announcement that (someday) you will secure IIS.
Enclosed please find a blank, signed check.
When a more secure IIS is ready, please fill in the amount on the check, deposit it, and then ship me the new IIS. I'm patient. I'll wait until it's ready.
I know you're working very hard and that the benefit of end users is the number one concern of Microsoft.
Your loyal lackey,
MCSE guy.
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
Please, learn the difference between than and then.
Thanks.
Finally, a patch to defeat all known IIS exploits. It's simple too!
The interesting thing is: they're not the leaders. Not in Web servers. You saw the Netcraft survey results a few days ago. Apache 60% or so, IIS holds about half that. Half.
Excellent spin, to imply that the reason for all the vicious attacks is market leadership. But they don't have it, and that isn't the reason.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
The article hints at this, but I think that Microsoft needs to not only secure their default install for future products but make security part of their MCSE core training/testing requirements. I think they need to make a separate MCSE core test that focuses on security.
Microsoft driving the industry. Sheesh, more like :
Microsoft booked for drink driving.
HTH. HAND.
Among steps is to have it install in its most secure state, putting the onus on sysadmins to remove it from that state.
... friggin' ... duhhhhhhhh. And no, i don't want friggin' Microsoft fries with that.
No
Actually root canals aren't as bad as everyone says. I had one a few years ago and, aside from nearly fainting from pain at one point, it wasn't so bad.
from the article:
That means the settings will be placed in the most secure configurations when shipped, rather than in the most ``open'' position, which can leave the computer more vulnerable to hacking, but can offer more immediate and advanced functionality.
I would hope that every software vendor would adhere to this advice, even Linux vendors. Basically, it means that you can't use vulnerable services until you know what you're doing enough to unlock them and use them securely. this is good.
Stop misrepresenting the netcraft numbers, you mental midget. Apache runs 60% of *sites* -- due to its heavy use in virtual hosted ISPs, its server marketshare is only about equal to IIS's.
Furthermore, Netcraft doesn't interest itself with intranets or cable modem networks, which is where much of the worm havoc is playing out.
I have just released my tool which can be used to generate reports about these worms by examining your Apache logs. Very configurable, lots of options, written in Java, released under the GPL.
Please check it out at http://www.websoup.net/wormscan/. I'm looking forward to some feedback.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
we at MS could either:
- recode IIS from the ground up, and potentially make it good
- set the default install to turn off as much functionality as possible so we can point the finger at admins who actually want their webserver to do something
yea, good choice MS.... what a crock.... oh yea, and 100x bleh at saying that this action is MS doing the right thing from a security standpoint....-- dragonxhero
What about mergers, business partnerships, extranets and other results of a dynamic business environment? What if you find yourself having to open the application to others? Sure, the first few are easy, change the firewall rules. But what if their servers get infected with the next worm du jour?
And please tell me what is IIS's intrinsic advantage in delivering dynamic application content to desktops?
Bleh!
I wanted to post this but you were ahead of me. And it's not just a problem with IIS -- most (all?) NT "services" run as LocalSystem, which actually has even more privileges than Administrator.
Bugs and security holes are inevitable in any software, but their impact is different. Any buffer overflow in IIS is disastrous, whereas a buffer overflow in Apache will have a very limited damage. To 0wn a Unix box running Apache you need two security holes: first a hole in Apache to get unprivileged access, then another hole elsewhere that lets you get root. This is considerably harder and a lot more unlikely than a simple buffer overflow in the web server.
On top of that there is a huge problem with file system permissions. Both Unix and NT have the ability to restrict access to files. The difference is that a default installation of NT has all file permissions set to Everyone:Full Control(*). (That's like making every file and directory 777)! You have to manually lock it down! If the file system permissions are not used, running IIS as an unprivileged user won't help.
Contrast this with Unix. Even if a hole in Apache is exploited, you won't even be able to overwrite the web pages (unless another hole is used to gain root access, see above).
(*) I understand the default file permissions have been improved somewhat in Windows 2000. Could somebody in the know give more details? Oh, and what's the deal with IIS running partially in the kernel? Is it true or has it been debunked?
In all fairness, Unix has had its problems with root-running daemons. BIND was the latest exploit. Since then BIND guys have learned their lesson -- version 9 no longer runs as root. Will Microsoft learn? After so many years of being plagued with security holes, not bloody likely.
___
If you think big enough, you'll never have to do it.
Bleh!
Interview about the "Secure Windows Initiative"
MS always finds a way to spin bad news. Check this out: "it's incumbent on Microsoft, being in the leadership position we're in". Yeah, our product may suck, but we're the leader anyways, ha! ha! take that!
Alright. I'm sure this will get a lot of MCSE's all huffy but too bad... it's not about you anyway.
The biggest selling point for Microsoft crap is in how easy it is. It's also its biggest problem. Sure it's easy to set things up when, at install time, everything (especially the stuff the installer doesn't yet know about) is turned on by default! It is precisely this selling point that has created this problem.
You know, most people put their dangerous tools behind some level of inconvenience to prevent accidents. I have no doubt that Microsoft never intended this to happen... yet it has... I don't know how many releases of Windows had to come out before warnings about having file shares open when connected to the internet started to appear. So file shares are dangerous but exposing IIS (+addons) isn't?
A comment made by one user/admin noted that IIS by itself is not vulnerable, that it is all the useless addins that make it so. Most of these addins aren't even used by the casual user. The casual user doesn't even use IIS! And that is the crux of the CodeRed problem in general. Microsoft has put dangerous tools into the hands of people who don't know how to use them so they can make more money. It's as simple as that. Microsoft is responsible for the problem and they should take appropriate measures.
By making it "too easy" people are making themselves vulnerable without their knowledge. It's out. It's too late. The best they can do is issue a RECALL on IIS and everything that comes bundled with IIS. Issuing advisories that people aren't reading and patches that people aren't downloading isn't going to get people's attention.
If they are truly interested in solving the problem, they will have to swallow their pride and make it very public that they wish to RECALL IIS! Then people will sit up and take notice and do the things they need to do.
Recalls are embarrassing. They will not want to do it. But for the good of the internet, they should. Okay, I hear the laughing... they aren't interested in the public good.
What is IIS anyway? Internet Infection System?
Microsoft has announced that the best way to secure IIS is to leave it inside the original wrapping.
Let me disagree. No one has the obligation to bring motivation to their job. If you are given mediocre tools, if your recommendations about the best solution for the problem are ignored, if managers trust their own marketing-based opinions more than your technical experience, then nobody can demand that you dedicate more than the barest minimum effort to your activities. If it's your job, it's your job, sure, but there's a matter of dedication, of loving what you do, that makes all the difference.
The bottom line is, IIS is insecure. Fixing the blame on the sysadmins won't solve that problem. Letting the sysadmins pick the system they feel more comfortable with may be the first step in a true solution.
Linux user since 1991
What a suckup article... >>> The company contends that its software is targeted by virus writers and malicious hackers because it is so ubiquitous. What about an answer like "Everybody hates Bill and wants to mess with his street kred"? The guy's a knee-biter. >>> In addition, the company also said it would continue addressing security issues during the development of its software to minimize the number of bugs and holes in its new products. Is it just me, or does this just take up room like gas?
Thanks, Steve
If any idiot can administer a Windows server, any idiot will.
- I don't need to go outside, my CRT tan'll do me just fine.
Job Interview:
Boss: Hi, we're looking for a Windows 2000 Server systemadmin.
Person: Yeah, I can do that. Look at my spiffy resume.
Boss: OK, you're hired.
On the Job:
Person: Just FYI, Windows 2000 Server sucks. You should be using Linux.
Boss: We hired you to be a Windows 2000 Server admin. We use Windows 2000 Server. We probably have lots of reasons for using it.
Person: OK, whatever. I'll just sit around and do a half-ass job because you won't change to Linux even though Linux is better. I don't care that you're paying me a lot to be a Windows 2000 Server admin, why should I have to keep up on things? Never mind that if I were running a Linux system, I'd be happy as a clam and patching like mad...not with Windows...maybe if I SUCK, I can blame it on Microsoft and get them to change to Linux.
SORRY. That's not how things work. If you got hired to be a Windows 2000 Server sysadmin, you DAMN WELL better do your job. If you have a problem with that, go get a job as a LINUX ADMIN, and stop proliferating security holes by your own laziness.
People nowadays...feh. Things are not always how you want, and bitching and moaning doesn't help. Do your job, or quit. If you can't do your job right, quit.
Don't complain that Microsoft is the cause of all your troubles when there are Windows admins all over that have little to no trouble simply because they actually know what they're doing. Being a Linux geek doesn't make you cut out to be a Windows admin if you don't know how to admin a Windows box.
-Jayde
What's a sig?
The 's' bit actually increases the security level. It allows the system to give restricted privileges in some circumstances. In a system without setuid, a lot more system resources need to be open to everyone.
By default, IIS runs as a special account IUSR_machinename on the internet. For intranets it will often run with the end user's credentials. Of course you can create any service account to run IIS if you're worried about a dictionary attack on the IUSR_machinename account.
In fact, one of Microsoft's Security recommendations is to make a special folder in system32 (pseudo-equivalent of /bin), move files like the command and scripting shells into it, and allowing only Administrators and System to access it (similar to moving that junk to /sbin)
The problem is that even a low privilege account falls under the "Everybody" group, which has a wide latitude by default.
It also doesn't help that some shops are too cheap to shell out $300 for the W2K Resource Kit or a TechNet Subscription. Then maybe people would also stop complaining about the lack of MS documentation.
Trolls throughout history:
Jonathan Swift
A company whose main selling point is ease of use is bound to attract lazy people to manage its products. If the average Windows 2000 sysadmin is lazy and careless, while the average Unix sysadmin is careful and meticulous, whose fault is it?
As I mentioned, fixing the blame will not solve the problem. From an outsider point of view, the whole company is a black box. The customer doesn't know and doesn't care if the sysadmin is doing his job. All the customer sees is results. So, when managers hire people, they shouldn't just consider that Windows administrators can be hired for less than Unix administrators; they should think about the overall result: will a system composed by hardware+software+people work better with a Windows or with a Unix software component?
As a once and future system administrator, I have to agree with you.
As a manager, a business person, and a general human being who likes to communicate, I submit this humble question: is there a little bit of medieval guild-ism in statements of this nature? A desire to _keep_ things difficult, keep the cauldrons bubbling, keep the flap of the shamen's tent closed, so that only the guild of "clueful sysadmins" can perform amazing feats such as (gasp!) building a web site
Just asking.
sPh
Why would anyone in their right mind use IIS to run a web server anyway??
This comment posted from Mozilla v0.94 running under Mandrake Linux 8.1
We're going to make information free Mr. Anderson, whether you like it, or not.
Stop misrepresenting the netcraft numbers, you mental midget. Apache runs 60% of *sites*
I'm fully aware of this (o thou relative mental giant)... along with the parallel fact that as a percentage of machines, MS has 50%, and Linux is much lower.
Still, it says something about *mindshare*. Apparently, that 60% of people prefer to run their sites off apache. A certain number, of course, don't care what's run, or don't know, but I'm going to assume that percentagewise, those numbers are probably same. So the proportion would still be equal. MS's claim of leadership is still quite tenuous.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
I manage lots of workstations and several servers in a state agency. We use Dameware for remote information collection and control.
In the past we used SMS but it was waaay too slow, especially across some of our 56k lines. Dameware is a wonderful product. There may be some way to script its use as well. I was provided with the product by the department, so I don't know what the licensing issues are, but it looks like it's around $200.00 or less for download and is available for a 30 day free trial.
I really endorse this product. Hope the info helps.
War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
Why read less than ten books and take one exam so that you can call yourself an Engineer, when you can take another and call yourself a Microsoft Certified Supreme Court Judge?
So which user does it run as again? How does a running process magically switch the user it runs as? Oh right it doesn't! IIS runs as LocalSystem. As AC pointed out, it uses "impersonation" to run *scripts* as another user (this is equivalent to sudo). Repeat: it runs *scripts* as whatever user; IIS itself runs as LocalSystem.
In fact, one of Microsoft's Security recommendations is to make a special folder in system32 (pseudo-equivalent of /bin), move files like the command and scripting shells into it, and allowing only Administrators and System to access it (similar to moving that junk to /sbin)
This is the dumbest thing I have ever heard. It's like making bash and perl executable by root only. This prevents you from running scripts as non-root (or non-Administrator), and does exactly zero to improve security: if you got in through an IIS hole, you already are Administrator so you can do whatever you damn want.
Of course you can create any service account to run IIS if you're worried about a dictionary attack on the IUSR_machinename account.
Wait, all these special (service-only) accounts have passwords? So you can log in as say LocalSystem or IUSR_watever if you guess it? Then NT security is an even bigger joke than I thought! (and that's saying much). (And before you post another dumb response, here is a clue: on Unix special accounts like bin, httpd, nobody, etc. have no passwords so you cannot log in with that user name no matter what password you type, but processes can still run as bin, httpd, or nobody).
___
If you think big enough, you'll never have to do it.
If they spent the $1,000,000,000 in XP advert money on real software development, they could rewrite everything from scratch. I'm not holding my breath.
Code-Red-V
Only the "patched" systems are vulnerable.
UGH! You are so friggin' clueless!
It's not about keeping things difficult.
TCP/IP & SECURITY are not difficult! Common sense is not difficult. Diligence is not difficult.
Letting any Yahoo! that can Ctrl X & Ctrl V run a complex system is idiotic. I doubt the original intent of the MCSE was to train people to pass a test! I assume they actually meant to test a person. Then once the test was passed the passer would take a position with an experienced Sys Admin who could "finish" their training. An apprenticeship... guild-like enough for you?
Cram learning a bunch of hooey like "remote installs" and other Marketing Crap hasn't produced any Sys Admins yet.
I'm not one of those people who assumes MCSE = Dimwit but if you hire an MCSE fresh out of school and expect an expert it is YOU who are the dimwit. And you should expect bad things to follow.
The OP has a valid point, marketing has sold the "Zero Administration" line, but truth be told it don't work, won't work, can't work and until people stop trying to make it work Nimda's will disrupt business every time they come out.
Granted rights!
Makes that "old" implicit rights look pretty damn silly doesn't it?
Now if we can just figure out a way to make it so no applications have implicit rights (like a root user) but granted rights (like a user) we'd be OK.
So when is WINiX coming out?
The real problem isn't that the service starts as LocalSystem - even Apache starts off as root (it has to when it binds to port 80). What makes things so difficult under NT is there is no effective way to permanently and irrevocably drop privileges from a process while maintaining the ability to 'su' to another user if someone presents a username/password pair.
Even when IIS is running as a 'nobody' user, unless you have explicitly configured your script/application to run in a separate process then you'll find that a simple 'RevertToSelf()' call will grant you back all the privs that were dropped. On the flip side, without being LocalSystem you can't call 'LogonUser()' or 'CreateProcessAsUser()' from a username/password pair so you end up with catch 22.
If I'm wrong, please shoot me down in flames...
Fear: When you see B8 00 4C CD 21 and know what it means
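The irrevocable privilege drop that the post above contrasts with NT's RevertToSelf(), shown as an added C example (not code from the thread): the daemon does its root-only work first, then drops supplementary groups, gid and uid in that order, and verifies that root cannot be regained. Function names are hypothetical, and uid/gid 65534 ("nobody") is an assumption.

```c
/* Added example, not from the thread: a POSIX daemon's one-way privilege
 * drop.  Root-only setup (binding port 80, opening logs) happens before
 * drop_privileges(); afterwards there is no saved root id to return to,
 * which is the property the post says NT's RevertToSelf() lacks.
 * Hypothetical helper names; uid/gid 65534 for "nobody" is an assumption. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid permanently.  Returns 0 on success, -1 on failure.
 * Refuses uid 0 so a misconfiguration cannot silently keep root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                 /* that would not be a drop at all */
    if (geteuid() == 0) {
        /* Only root may clear supplementary groups; leaving them in place
         * would keep memberships such as "wheel" after the uid changes. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    /* gid first: once the uid is unprivileged we may no longer change it */
    if (setgid(gid) != 0)
        return -1;
    /* setuid() called as root sets real, effective AND saved uid, unlike
     * seteuid(), so no saved root id survives to come back to. */
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop is irrevocable: an attempt to become root again must
 * fail with EPERM.  Returns 1 if root cannot be regained, 0 otherwise. */
int root_is_unrecoverable(void)
{
    if (geteuid() == 0)
        return 0;                  /* still root: nothing was dropped */
    if (setuid(0) == 0)
        return 0;                  /* regained root: drop was not permanent */
    return errno == EPERM;
}

/* Choose the drop target: the caller's own ids when already unprivileged
 * (so the example also runs as a normal user), else "nobody" (assumption). */
uid_t unprivileged_target_uid(void)
{
    return getuid() != 0 ? getuid() : (uid_t)65534;
}

gid_t unprivileged_target_gid(void)
{
    return getgid() != 0 ? getgid() : (gid_t)65534;
}

int main(void)
{
    /* Root-only work such as binding port 80 would go here, before the drop. */
    if (drop_privileges(unprivileged_target_uid(),
                        unprivileged_target_gid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    int permanent = root_is_unrecoverable();
    printf("running as uid=%u gid=%u; root recoverable: %s\n",
           (unsigned)geteuid(), (unsigned)getegid(), permanent ? "no" : "YES");
    return permanent ? 0 : 1;
}
```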
The best they can do is issue a RECALL on IIS and everything that comes bundled with IIS. Issuing advisories that people aren't reading and patches that people aren't downloading isn't going to get people's attention.
Ha! Funny. So instead of security advisories that people ignore, and patches that people ignore, you're proposing a recall that people will ignore? Great idea!
Unless you're suggesting that Microsoft exploit one of their own backdoors, and remotely disable all IIS servers? Better hope they've installed Windows Media Player so they can't sue for that. Wouldn't it be great if a third of the Web suddenly dropped offline, though?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Had Microsoft had even the slightest degree of competence, IIS would have been shipped in a secure form in the beginning like other products are. Anybody with even the slightest degree of knowledge on the subject knows that a wide open and accessible system is naturally prone to assault by Crackers.
This point, above all, should be emphasised.
I don't like trolls and mod against me if you like, but I'd prefer if you'd reply.
Ummm...
My default install of Apache on Redhat and Mandrake both have ALL KINDS of unnecessary shit running. Mandrake 7.2 even gave browse rights to /httpd/perl/ (A cgi-bin directory...BIG NO NO!!!) in their default install of their enhanced server (I forget what they call it).
Luckily I was smart enough to go in and disable everything I didn't need, but why was that the default behavior in the first place? If you need mod_perl, or PHP, or ASP, or Server stats, or directory listings...you should know how to enable that stuff on your own. It shouldn't be part of the default config.
Not really...I selected "basic server" as part of the installation of RedHat 5.2 and it got installed behind my back, along with a lot of other things. RedHat 5.2 had lots of security problems. Hardly secure by default.
Our father which art in Redmond, Bill be thy name. .NET come. Thy will be done, in earth, as it is in Redmond.
Give us this day our daily executable.
And forgive us our syntax errors, as we forgive thy crashes
And lead us not into subscription-based services, but deliver us from blue-screens: For thine is the marketplace, and the patents, and the shares, for ever, Amen.
And like it or not, the common user is who dictates what OS reigns supreme. And yes, by supreme I mean the most often deployed -- that's all the suits really care about anyway. MS owns the bottom line, and without the marketing force from hell, linux just can't keep up.
The Resource Kit and Technet subscriptions aren't fixes (fixes are free), so your rant is unfounded. These items contain wads of documentation, best practices and other useful tools for a sysadmin and are well worth the money spent.
Fear: When you see B8 00 4C CD 21 and know what it means
So, does this mean we're going to see planes flown into the buildings @ 1 microsoft way, then? Let's hope so! :)
So which user does it run as again? How does a running process magically switch the user it runs as? Oh right it doesn't! IIS runs as LocalSystem. As AC pointed out, it uses "impersonation" to run *scripts* as another user (this is equivalent to sudo). Repeat: it runs *scripts* as whatever user; IIS itself runs as LocalSystem.
;-P
Depending on how you configure it, it can have a secondary process spawned as a separate 'nobody' user that handles the requests. This lowers performance but (obviously) increases security. You can assign different users for different virtual directories.
Wait, all these special (service-only) accounts have passwords? So you can log in as say LocalSystem or IUSR_watever if you guess it?
Nope - they don't have permission for interactive or network login, only service login. Yes, they do have passwords (which IIS changes periodically). There is no such thing as an account on NT being allowed to switch user to another account unless it knows the password (i.e. 'su'/setuid() without passwords is impossible, even as LocalSystem), just as giving ownership of an object is impossible. And before you post another dumb response, here's a clue: on NT accounts have much finer grained permissions than on (standard) Unix - you would do well to look at them.
Fear: When you see B8 00 4C CD 21 and know what it means
Does IIS start 10 processes, each as a different user? Or does it actually mean that it will still run as LocalSystem and use "impersonation" to run *scripts* as different users, the way it already does?
This isn't quite true. IIS 5 can already be configured to run different virtual directories and sites as different users. It maintains the single listener running as LocalSystem, but farms each request to a separate process running as the specified user. You can easily verify this using the task manager to show which user owns which process - you'll see a few svchost.exe's running as the different web users.
In other words, IIS already has this option so I'm wondering exactly what they are going to add?
Fear: When you see B8 00 4C CD 21 and know what it means
Well, Microsoft leaves the tent door open, so consequentially the guild is full of people that have no clue how to keep the cauldron bubbling.
From the article: IIS, which is used to run Web sites, is sold separately and comes bundled with Windows 2000 [...] and Windows NT.
Is sold separately AND comes bundled? And here I was thinking that Yahoo! was just the name of the website, not a description of their writers. IIS is NOT sold separately - period. BTW, what asshole would buy a product that comes bundled with the OS that the product requires? Duh...
Black holes are where God divided by zero
Something that you can't do with IIS, again asking for trouble every time a new IIS hole comes out...
``We can't just sit back and think about Microsoft,'' said Valentine, who is leading Microsoft's new security task force.
Hahahahahah!!!
Together with a chrooted install of Apache, the security level is becoming rather comfortable.
here's to hoping that there are some folks left at
the following comment was posted by MS employee Joshua Allen at his weblog
The IIS Plan - This interview with Brian Valentine sums up the main action plan for addressing IIS concerns. The quote that sums up his attitude best is "When we look back in a few years, we will see this as one of the critical inflection points in our company's growth."
Here are my notes, detailing the parts of the plan I found interesting:
Two initiatives for customers:
Get Secure:
Stay Secure:
Internal Efforts (Not Customer-Facing):
Public:
So the way I see it, we will be successful to the degree that we:
- Assure that no customer ever again finds it difficult, confusing, or time-consuming to keep their system secure.
- Improve security going out the door so that fewer patches are required (IMO, this wouldn't have made a difference in any of the recent worms, but is still a good goal for countering potential future threats). The goal here is to be the platform with fewest known vulnerabilities that need to be patched, using any metric you care to apply.
- Be a lot more proactive in contacting, encouraging, and helping customers keep their systems secure.
And of course, huge progress in fighting worms could be made by getting the router vendors, OS vendors, and other infrastructure vendors to all work together, and hopefully that happens too.
It also doesn't help that some shops are too cheap to shell out $300 for the W2K Resource Kit or a TechNet Subscription. Then maybe people would also stop complaining about the lack of MS documentation.
"Too cheap"?!? They've had to spend for NT (4 or 5) in the first place! Maybe it's MS who is too cheap to include basic admin tools with their 'server' products in the first place.
As someone else pointed out, TCO becomes more of an issue. Why the hell should I have to pay $300 for the privilege of being able to run 'kill.exe' to stop runaway processes (which seem to happen to me more under Windows than other systems).
Haven't checked 2000 so it MAY be part of that, but for YEARS, every time I used NT4, I had to go find the stupid resource kit to get kill.exe and other 'bonus' admin tools.
So on top of the $1000+ for the OS, I need to spend hundreds extra to stop runaway processes caused by a faulty OS in the first place.
TCO.
creation science book
Every time Microsoft has tried to secure IIS, it's more susceptible to attack, and about eight new worms take advantage of it. *shrug*.
We should shift from blaming Microsoft to looking at what's really causing many of these problems on a technical level. By and large, these problems are coming from potential buffer overflows and memory leaks. All of these come from the widespread use of C/C++ for system software. If we used a language with mandatory bounds checking (like Ada, or even the old Turbo Pascal), or at least had C/C++ programmers put those protections in, we would eliminate 80% of these problems!
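An added example (not from the thread or from any IIS source) of the defect class this post is talking about: a fixed-size buffer that receives an HTTP request path, written first as the unbounded C copy that causes the overflow and then with the explicit length check the post asks C/C++ programmers to add. The function names, the 64-byte limit and the 414 status are constructed for illustration.

```c
/* Added example: unchecked vs. checked copy of a request path into a
 * fixed-size stack buffer. Names and limits are hypothetical. */
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 64   /* constructed limit for the decoded request path */

/* Unsafe form: trusts the caller-supplied length. A path longer than
 * PATH_MAX_LEN - 1 bytes overwrites whatever follows `path` on the stack.
 * It is never called below; it only shows the shape of the defect. */
void handle_request_unchecked(const char *request_path) {
    char path[PATH_MAX_LEN];
    strcpy(path, request_path);          /* no bound: classic overflow */
    printf("serving %s\n", path);
}

/* Checked form: refuses input that does not fit instead of copying it.
 * memchr is limited to dst_size bytes, so it never reads past the input's
 * expected bound either. Returns 0 on success, -1 when rejected. */
int copy_request_path(char *dst, size_t dst_size, const char *request_path) {
    const char *nul = memchr(request_path, '\0', dst_size);
    if (nul == NULL) {
        return -1;                       /* no terminator within dst_size: too long */
    }
    memcpy(dst, request_path, (size_t)(nul - request_path) + 1);
    return 0;
}

/* Returns an HTTP-style status: 200 when the path fits, 414 when rejected. */
int handle_request_checked(const char *request_path) {
    char path[PATH_MAX_LEN];
    if (copy_request_path(path, sizeof path, request_path) != 0) {
        return 414;                      /* reject rather than overflow */
    }
    printf("serving %s\n", path);
    return 200;
}

/* Boundary helper: builds a constructed path of n 'A' bytes and returns the
 * status the checked handler gives it. */
int status_for_path_length(size_t n) {
    char buf[256];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return handle_request_checked(buf);
}

int main(void) {
    printf("%d\n", handle_request_checked("/index.html"));  /* 200 */
    printf("%d\n", status_for_path_length(63));              /* 200: fits with NUL */
    printf("%d\n", status_for_path_length(64));              /* 414: one byte too many */
    printf("%d\n", status_for_path_length(200));             /* 414 */
    return 0;
}
```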
msdn.microsoft.com is just defaced...
Very eloquent response.
sPh
Remember the first time you installed Apache?
It was secure by default because you had to learn what the heck you were doing,
What ARE you talking about? Aside from those who are CLI impaired, httpd.conf (for typical tasks) is just as easy as the IIS MMC. After having 3 years of experience with IIS (from IIS3.0... yuck), and NONE with Apache, one of our boxes at work required Apache to be installed. This was, of course, after our layoffs and we laid off our only full time linux guy. Everyone else (including myself) was mainly Windows. So, we needed to config an apache box to host over 1,000 domain names, and we needed our web application (running Cold Fusion on Windows) to automagically create the domain/website in both Bind and Apache. It literally took me about a DAY to write a couple of perl scripts (this is with MINIMAL experience with Perl as well!) that built the zone file for bind, updated the named.boot, and updated the httpd.conf.
I had to do something similar for IIS once, and it took 3 times as much VBScript since I had to traverse "ADSI". The code runs slow, and it took about a week to complete (and I have experience dealing with the IIS Metabase). (aside... Thankfully, all of the Microsoft.NET config is in well formed XML. It's not in the registry, and not in some proprietary format that requires knowledge of a clumsy API).
Apache is easy for certain setups. Personally, I still like IIS (hold the security holes) for non-static sites. I could go on regarding IIS vs Apache - that's another discussion altogether. I just don't think you have to have much of a clue to use Apache, and you can have the same idiot admins screw up an Apache config as you can an IIS config.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Maybe an "extreme" analogy is in order.
Think of IIS as a gun. When handled improperly, it endangers the internet and its users.
An obvious problem with the analogy is that most people probably know if they own a gun. Much of the infected usership doesn't even know they are running IIS, let alone that they are infected and spreading.
Okay, I can't think of a good analogy that really fits. But the point I'm trying to get at is that Microsoft should be careful about putting too much in the hands of the people who don't know what they are doing.
Convenience is cool! No doubt about it. I love convenience. But you know? Slurpees are convenient... most of the time you don't even have to wait for the cashier to serve them up. But if IIS and Slurpees were similar, then it would be like giving hundreds of people a brain freeze because you were stupid enough to drink yours too fast! It's just wrong.
I normally don't write something like this, but I just couldn't help myself this time...
Isn't this like trying to put a combination lock on a cardboard box? What's the point?
Okay, okay...it was funnier when I first thought of it!
Called the support line stated in the story, was passed on several times by helpful phone support personnel, but in the end, the CD doesn't exist, and here I am, behind several firewalls and caring for a supposedly isolated (reality or theory ???) server.
Since when does Yahoo Serious know anything about IIS? I'm confused.
kill yourself, now. You are useless.
There is only one thing that will finally put an end to this endless cycle of patching. Companies need to start suing Microsoft over these bugs. As mentioned here on many previous occasions, if this were any other company putting out a crappy product, they would immediately feel the wrath of the lawyers. Don't think for a second a company would do this because they actually care about the safety of their customers.
This approach is so effective that other companies voluntarily recall defective products in order to avoid this.
Yes, I know most EULA's make it "illegal" to sue the software manufacturer, but if one considers the fact that most of what is said in your typical EULA won't stand up in court, then this argument makes perfect sense.
In case of fire, do not use elevator. Use water!
... is their bank account!
Of course, it has taken them a decade or so. One of the most annoying things to those of us who install (or re-install) MS software is that they NEVER update their cd's. A client could buy a brand new CD of NT4 and it would be virtually identical to the CD sold in 1995. Then the approximately gazillion security patches would have to be applied... every time you changed something.
This latest offering isn't much different than business as usual for MS in that patches to their software are offered but no changes to the products they are now shipping is contemplated.
Contrast this with the Linux/BSD communities where a completely new environment is produced every few months with older security holes patched for you.
No one ever had to evacuate a city because the solar panels broke!
finally sleeping beauty wakes up...
I am not necessarily disagreeing. Indeed, a fairly common occurrence is for Joe Homeowner to decide he needs to "upgrade" from a Black & Decker drill to a Milwaukee Hole Hawg (now that such tools are available at homeowner hells). He takes it home, rips into some solid wood, and the drill breaks his wrist when he hits a nail. No question who is at fault there.
But my observation is more along the lines of, why does it have to be so hard? Joe Businessman doesn't need a license or a "security administrator" to print up and distribute some brochures. He may need a license, but doesn't need much help, to put up a small billboard. At least in the US (at least for the moment), he doesn't need a "secure firewall" to publish a small newspaper.
So why should all this rigamarole be necessary for a small business to publish a small web site? Is there any incentive for the people in the admin and security industries to keep things complex?
Personally, if this stuff keeps up, I expect that within two years either (a) most businesses will abandon the Internet (b) draconian government controls, including licenses and strict liability for Internet pipes.
sPh
Something seems strange.
>>Windows Update has covered patches for every major exploit in the last 6 months. They have been phasing in server patches for quite some time now.
Possible if the server patches they are phasing in are for other than major exploits.
Possible if server exploits are not "major exploits"
Am I missing something here?
If BMW made a car where all you had to do was yank on the driver's door really hard (whether locked or not), then put any key in the ignition and drive away, then BMW's would get stolen like crazy, and everyone would be screaming at BMW for such shoddy workmanship.
Should the thieves still get thrown in jail for stealing a car? Of course they should. Should virus authors and script kiddies still get punished? Of course they should.
But the manufacturer of such insecure, dodgy products should get some/most of the blame for this. And can you really get upset with the BMW owner who is tired of taking his car into the shop once a week to have new locks installed again and again because their basic design is so poor?
I think not.
That analogy is so ridiculous that it's practically a Troll (unless you actually did mean it as a Troll).
/ etc.
No one died from Nimda/Code Red I & II/Sircam/ILOVEYOU/Melissa/Kournikova/etc/etc/etc
And I wasn't implying that the people who write these things shouldn't be punished; they should. If I have a crappy lock on my front door and someone twists the handle and the lock breaks and they come in my house, it's still breaking and entering.
But if over 90% of the houses have one brand of lock, and houses are continually broken into (whether anyone takes anything or not), don't you think people would get a little upset at the lock maker? Sure, those people breaking in are still crooks who should be thrown in jail, but doesn't the lock maker have some of the responsibility here, especially when they continually crow about how secure their locks are and you can put your trust in them, and why not use their locks for every last thing you need to put a lock on? (Hailstorm/Passport anyone?)
Well; it got more eloquent later on...
This
While blindly upgrading seems to be how most IT people respond, Bill Gates seems to disagree with that assessment about that being his customers' only choice. He acknowledges that there can be buggy products, but that bugs won't be fixed without bug-reports filed. If what he says about consumer behavior is true, his business decisions seem fairly reasonable to me.
Many users of Microsoft products seem to take the approach of upgrade to the latest (and "greatest") whenever possible. Usefulness of features is irrelevant, it's quantity that counts! Odds are, significant bugs will be fixed by the next version. That makes it a worthy gamble for my upgrade dollar! (Especially if I warez it.)
It is an interesting question that I won't address as to whether Microsoft causes or responds to this phenomenon in consumers of its products. Do users of Open Source products regularly file bug reports and only upgrade to fix these relevant bugs or to add previously desired features? (Hell no, if it's free, then gimme gimme!)
What I am saying, in light of every Bill Gates interview I have ever read, is that maybe Outlook 98 with service pack 1 can be considered the "latest version" of Outlook 98 for Macintosh. Perhaps Outlook 2000 (or was it 2001?) for the Mac is considered distinct in this circumstance.
There are many interviews of Bill Gates available where he discusses bugs in MS products. Check out Bill's Homepage and read some of his thoughts. In various entries you can find him addressing the subject in his own words. Or try, e.g. a less sympathetic source if you need to stoke your Anti-Gates dogma while he tells you that you have other choices than "to pay cash money and upgrade" to their current flagship product.
Like any good capitalist, his corporation is guided by the actions of the marketplace. Perhaps the last version of their product is too "big" and bloated to fit your needs, you are turned off by all of its nasty bugs... when most of the paying consumers respond by grabbing their ankles and asking for more features, more...
Okay, so I took the "shaft" metaphor too far. I blame my lack of sleep for lack of judgement. But I did stay pretty close to your points. Hopefully your eyes were opened. In exchange, I'll close mine.
goodnight