Slashdot Mirror


Microsoft Attempts to Secure IIS

billmaly writes: "Yahoo has this article about trying to make IIS more secure. Among steps is to have it install in its most secure state, putting the onus on sysadmins to remove it from that state. It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."

11 of 392 comments

  1. A problem of "least privilege" by sting3r · · Score: 5, Insightful
    The root of IIS's troubles is not exploitability of particular services. It is the fact that much of the IIS server code runs as SYSTEM, which is the same as "root" under UNIX - an all-powerful user. Years ago, the developers of NCSA httpd and Apache learned to make their products usable by non-root users. Currently, Apache only needs root privileges to bind to port 80 - then it completely relinquishes them. That is the way it should be and that would make 0wning an IIS box many times more difficult - because using an "ordinary user" account to get SYSTEM access on NT is a lot more difficult than on UNIX because NT doesn't have setuid bits.

    Admittedly, IIS does run certain scripts and perform certain functions as a "nobody" user. But most of the recent exploits were able to get an immediate "root shell" because the services being exploited did run as SYSTEM. And unless Microsoft is willing to address that problem, admins who need to enable many services and don't keep up on patches will still get rooted on a regular basis.

    -sting3r

  2. it will never be accepted by evenprime · · Score: 4, Insightful
    If they do this, they will alienate their consumer base. Many Microsoft customers tend to choose their products because of ease of use. Taking something that is insecure and knowing how much to open up to get your applications to work is more difficult than installing it and just having it work right away because all the features you need (...and all the ones you don't) are already activated.

    It would be great to have everything disabled by default, and would be a major help for security. (That's how OpenBSD have been able to go four years without a hole in the default install...there's not much enabled in the default install). I just don't think that the average M$ shop wants to take the time involved for an average admin to get a secure-by-default product working, or pay the top dollars needed to get an admin savvy enough to already know how to do this.

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  3. Like they had any choice ? by Archfeld · · Score: 4, Insightful

    With the Gartner group sending letters to all their customers RECOMMENDING they remove IIS as "an unacceptable security risk" based on the TCO of IIS rapidly exceeding the cost of the hardware, the OS and THE SUPPORT STAFF. When a nationally recognized consulting firm that supports 400 of the top 500 firms, and one that HAS BEEN PRO M$ up to this point, or at least VERY neutral, suddenly starts advocating ABANDONING your investment you know you have BIG PROBLEMS. I personally think this is TOO LITTLE TOO LATE. Why was the product not shipped like this in the first place ???

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  4. Gartner has never been Pro-Microsoft by sheldon · · Score: 4, Insightful

    They most certainly don't have a history of being pro-Microsoft. All their TCO stuff is directed at proving desktops are really expensive and we should all go back to big iron.

    Gartner recommends whatever its clients pay it to recommend.

  5. Re:this is a good first step, but.. by corky6921 · · Score: 5, Insightful

    Personally, I would think that rewriting from scratch would make IIS more dangerous. At least Microsoft is plugging the security holes. I would think that rewriting it from scratch might cause more new exploits, whereas fixing the old version makes it more secure with every revision.

    This article, on the other hand, shows that Microsoft is trying hard to actually make its product better, instead of just saying "Here it is. New version. Use it or be forever left behind..." like they did with Office XP. I think this goes to show what a company in a non-monopoly position will do to succeed. (No one has a monopoly in web servers, and Microsoft isn't even the leader...)

    This is a good thing, and it's the right choice for Microsoft. Please don't call for a rewrite, or in two years we'll all be complaining about the root exploits discovered in the new IIS...

  6. Heh, relying on MS not to shill you? by Grendel+Drago · · Score: 5, Insightful

    "You are running Outlook 97 or Outlook 98. You should consider upgrading to the latest version of Outlook to ensure you have the most recent product and security enhancements."

    Hmm. Is this telling me that there are no patches available, and my only choice is to pay cash money and upgrade to Outlook 2000?

    Yeah, it provides useful information, but it still feels like they're trying to shaft me.

    -grendel drago

    --
    Laws do not persuade just because they threaten. --Seneca
  7. Re:Heh, relying on IIS admins? by Jayde+Stargunner · · Score: 5, Insightful

    While I easily see your point, it doesn't solve the fact that most IIS admins are complete morons for leaving the systems unpatched to this point.

    My point about Windows Update is that ALL of these recent high-profile attacks have had Windows Update patches for MONTHS. Service Pack 2 blocks almost all of them as well.

    I have seen entire tech departments that were knocked out by Code Red. Then Code Red II. Then Nimda. Yet, as a "casual" IIS user, I was never hit AT ALL. These patches have been obviously available for MONTHS. And even after Code Red, IIS admins STILL couldn't figure out to patch a hole that has about 4 OBVIOUS places to get the patch from. Let's review.

    1) Windows Update
    2) Service Pack 2
    3) MPSA
    4) Any of the virus scanner's homepages which linked to patches after Code Red, Code Red II, and Nimda.

    If IIS admins can't even patch the obvious stuff like that, there is really little hope.

    As you say "Many of them prefer Linux and use it at home, but have to use IIS at work because that's been mandated."...they are the PROBLEM, not Microsoft. HFNETCHK is easily available, and if Linux users are too lazy to learn how to admin the system that they're PAID to admin, they deserve what they get. I don't care if you don't like Windows, if it's YOUR JOB to be an IIS admin, you sure as heck better learn how to do it RIGHT.

    I'm sure modders are gonna hate me for saying that, but I don't care at all if you don't like the system. If it's your job, it's your job. I hate Oracle, but that doesn't mean I don't use it *right* when I have to. Is it my first choice? No. Am I gonna be a slack-ass about it just because of sour grapes if I have to use it? No.

    -Jayde

    P.S. Disabling Parent Paths is not a big deal if you secure the rest of your system. In fact, I doubt you would find any professional IIS web server which has Parent Paths disabled, as it has terrible effects on most ASP code. It's stupid for server-side code to be forced to code paths based on the root "./" instead of relative paths "../" as server directory structure could easily change at any time.

    --
    What's a sig?
  8. Re:this is a good first step, but.. by dillon_rinker · · Score: 5, Insightful

    I would think that rewriting it from scratch might cause more new exploits
    Yes. That's why sendmail and bind are the paragons of security they are today. From-scratch attempts to replace them are riddled with holes that make IIS look like a pinprick.

  9. The Blame Game by matty · · Score: 5, Insightful

    When a (h)(cr)acker writes a virus/worm that cracks into servers and provides root access without actually doing any damage, what they are doing is letting the world know how easy it is to do so.

    Bear in mind that there are lots of folks out there (thieves, terrorists, enemy governments) who would (and presumably do) break into servers and steal credit card numbers and/or sensitive corporate/government info, without telling anyone!!

    If the "virus authors" weren't constantly exploiting these simple security holes, the greater public would never know they were there, because the real "bad guys" always try to go unnoticed.

  10. Re:Sounds good... [Blatant plug] by JediTrainer · · Score: 4, Insightful

    I have just released my tool which can be used to generate reports about these worms by examining your Apache logs. Very configurable, lots of options, written in Java, released under the GPL.

    Please check it out at http://www.websoup.net/wormscan/. I'm looking forward to some feedback.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  11. Re:this is a good first step, but.. by tshak · · Score: 4, Insightful

    Well, they're just repeating the Gartner report. Many of us closer to the issue agree that what needs a complete rewrite is ISAPI.DLL. This is not nearly as big of a task as rewriting IIS!

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips