The 'How to secure IIS' checklists and docs that Microsoft puts out all list several aspects of IIS that should be shut off; sample apps, admin pages, stuff that makes sense on an Intranet but not on the Internet.
True, but it's still irresponsible for Microsoft to ship a webserver (or any 'Internet' software) that comes out of the box with an inherently insecure configuration. Given the rate of IIS bugs that affect non-core components, Code Red is just the beginning of the iceberg until admins figure out how to turn this stuff off.
Maybe you should check that the survey you link to counts *domains* and not *servers*. For example, www.microsoft.com has 50 webservers but is only counted once, while local yokel ISP hosts 50 lightly trafficked customer domains on an old Sun and is counted 50 times.
The only reason that Microsoft has such a large share is that it takes a few Windows servers to do the work of one Linux server.
IIS has had a history of reliability problems and is more likely to be used in corporate sites and in load-balanced configurations. But that means that the *server* count is more like 50/50 (although Netcraft charges for per-IP data.)
What really made me want to shift into Nordic Stormgod Mode and beat the assholes within inches of their ignorant lives was the line "Just reboot the machine and the worm will go away."
Well, the worst thing about all of this hype is that it's not being directed towards fixing the root problem -- the fact that IIS ships with WAY WAY too much stuff turned on by default.
My guess is that 99% of the people infected by Code Red didn't need Index Server running in the first place. So, they'll patch (or worse, reboot) and go on their merry way. Until the next bi-monthly (not much of an exaggeration) Index Server bug is found in which case they are screwed again.
Repeat for FrontPage, Internet Printing, Remote Data, and all of the other mostly unused crap that out-of-box IIS has. The correct security advice should be:
1) Turn all of this stuff off if you aren't using it. (And if you can't figure out how, turn the web server off and get the hell away from it.)
2) Patch only if you need the affected software.
Netcraft's numbers do not apply to this situation -- they tally *public* webservers *by domain*, which means they ignore virtual hosts and load balanced configurations. Since the worm attacks on the IP address level, I think you'd find there's significantly more IIS _servers_ out there than the 20% of IIS _domains_ number indicates.
Second, Microsoft has a large market of intranet servers and client machines running IIS for some reason or another. That's a significant amount of mayhem that doesn't show up in Netcraft's reports at all.
The issue for consultancy or services companies is that at best they can expect linear growth. More revenue almost always equals more overhead. Combine that with a tech stock market that expects exponential growth from software or Internet companies and completely unrealistic rates of return that people saw in the late 90s, and you've got a problem. The fallout didn't just hit Linux companies -- it hit every services company that was public or wanted to go public.
I have no doubt that privately held companies can and will make a decent living with Linux. However the ones that built their business model around going public are going to have a difficult time of it.
"then they can build their own damn NET!"
Fact is, they tried. Do you know how many 'interactive TV' and minitel-type experiments were tried from the 60s through the 90s, and they all went down in flames?
Finally, the Internet provided a model which at least had some attraction for users. Too much attraction, because you can't necessarily force content down people's throats. So, a bunch of dotcom financiers with sore butts are going back to the model of cable company + content + captive user base = profits except this time with HTTP/HTML as the underlying protocols. Won't work.
Your comment sounds exactly along the lines of what I heard from another corporate purchaser -- chipset stability is the most important factor, above cost and speed. That was the deciding factor against AMD-based systems (some of which have very dodgy chipsets), and Rambus boards. The question remains if the i845 will be another i820, or if it will be a reasonably sound model like the 815. If folks like you yelp at Intel, the PIII may be around for another year or so.
I've kicked numerous ThinkPads to the floor, including a 600, and they've all survived just fine. (Can't say that about a particular Toshiba.) The best was a 701 "Butterfly" which had its hard drive knocked loose when it bounced on the floor. When I tried to fire it up, I got ROM BASIC!
Half the problem is lack of conviction. The other half of the problem is that potential 'Geektivists' need only take one look at their compensation plan and stock options and then follow the CEO's lobbying recommendations like a good little capitalist tool. Most people are smart enough to understand which side of their bread is being buttered.
I can understand how the DMCA flew under the radar, because at the time it seemed to apply primarily to people who made cable descramblers and the like and not directly applicable to software technology.
However, I find it especially shocking that when legislation that directly affects 'geeks' such as the H1-B Visa program expansion comes up for debate, there isn't a single group representing technical employees on Capitol Hill lobbying for their interests, while every Silicon Valley company was out in full force. In fact, there isn't a single group claiming to represent technical employees at all, with the exception of the IWW and some obscure Unix Sysadmin club. You'll have to face that in this business, there is very little 'consciousness' and 'geeks' are more than happy to let their corporate masters do all of the talking.
OK, that shows that SVG is cool tech (that could potentially replace certain uses of PDF), but I'm not sure what it has to do with scaling bitmapped graphics.
I don't think anybody would have anticipated at the time that EVERYBODY and their mother would want to have such a toy.
Microsoft anticipated that. Recall their old motto "A Personal Computer in every home and on every desk".
(Gates could have sold his shop to IBM for big money at any point in the 80s. Most businessmen would have, but he thought that per-machine licences would eventually be a verrry good business. IBM's entire marketing strategy for OS/2 shows that they never figured that out at all.)
PDF seems to scale vector-based graphics just fine. Scaling raster-based pictures is of course always going to be a problem anytime you are going from screen resolution to printer resolution, which is why you always need to plan for your end resolution.
I'm curious in what way SVG (Scalable *Vector* Graphics) would help with this problem.
Ignoring the controversial subject of whether blocking executable attachments is a good idea, I have to say the way that they implemented the "Object Guard" on the Outlook API is pretty lame.
You get this "Some unspecified program is trying to access your address book" prompt, whether it's a VBScript virus or you are trying to use routing features from MS Excel etc. Meaning there is no way to have trusted code which actually does office automation features without annoying the users to hell and just giving them another prompt to ignore. I figure the Virus Writer club will be back to their old tricks of sending Word or Excel-based viruses pretty quickly.
Not that it really matters -- The only thing that "Melissa" and ilk prove is that a 12 year old can write a mail worm without warezing a copy of VisualBasic. It's not like reading the address book off disk or sending mail directly using MAPI or even the winsock is too difficult for the advanced 14 year old.
The Palm versus WinCE battle sorta reminds me of the old PC versus Mac versus Unix battle of the 1980s. Sure 90% of the people could get their work done fine and move along with an el cheapo DOS PC. However the other 10% couldn't shut up about their colorful graphical user interface with WYSIWYG printing, or their multi-user multi-tasking memory-protected super stable workstation.
Then one day, the Mac people and the Unix people woke up and figured that the PC could do almost exactly everything their specialized and more expensive systems could do.
It's the same thing in the handheld world, turned on its head. Eventually WinCE-type handheld computers will have all the battery life, cost, and 'filofax' features of the Palm. BUT, if Palm gets the MPEG and Quake and Spreadsheet 'features' (which means a fast CPU and something resembling a real OS) before then without losing its primary advantages, it will probably hold its dominant marketshare lead forever.
Just zip your patches and you and your customers will be fine. Legitimate software delivery is a very small percentage of executable e-mail, and you probably don't want people thoughtlessly executing your patches either. You can say it's 'unacceptable' all day long, but good or bad, Microsoft hath spoken, and it's also unacceptable for you to expect your customers to change their configuration.
"Pretty much every consultant or author involved with Office seems to have slammed that one"
Note that Outlook XP ships with this functionality (or lack of), so the protests have not been effective.
(And I can understand why. Everyone can point fingers all day long, but the root issue is the culture of executables in mail, as someone pointed out above. Kill the kulture, kill the problem. Anything else MS did would just be papering over the root problem.)
The Outlook solution was essentially correct. It put a security wrapper on Outlook's COM API which should have been there in the first place, but all that adds up to is another warning prompt for the user to ignore and press OK.
The root level problem is there's nothing you can do if the user insists on executing things they find in their inbox. There's a hundred ways to send mail that don't involve Outlook APIs. So, solve the root problem and get rid of executables in mail. Smart shops are probably already doing this on the server level. (And yes, it does suck that you can't turn it off.)
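The "do it on the server level" point above (and the earlier remark that zipping a file walks straight past the client-side attachment block) is easy to make concrete. The following is an added example, not code from the thread or from any product mentioned in it: a small Python check a mail gateway could run on each message, flagging attachments by dangerous extension, by content (a PE image starts with "MZ" whatever it is called) and by looking inside zip archives. The sample message, the attachment names and the extension list are constructed for this example.

```python
"""Server-side check for executable content in mail attachments, including
inside zip archives.  Example code, not from the thread; the sample message
is constructed inline."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js",
    ".wsf", ".wsh", ".hta", ".msi", ".cpl",
}


def _extension(name):
    name = (name or "").lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def classify_attachment(filename, data):
    """Return the list of reasons an attachment should be stopped (empty if
    none).  Checks the name, the content (PE 'MZ' header) and zip members."""
    reasons = []
    ext = _extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension {ext}")
    if data[:2] == b"MZ":
        reasons.append("MZ header")          # a PE image regardless of its name
    if ext == ".zip" or data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if _extension(info.filename) in EXECUTABLE_EXTENSIONS:
                        reasons.append(f"archive member {info.filename}")
        except zipfile.BadZipFile:
            reasons.append("unreadable archive")   # fail closed on damaged zips
    return reasons


def scan_message(raw_bytes):
    """Map attachment filename -> reasons, for every attachment that is flagged."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), data)
        if reasons:
            findings[part.get_filename() or "<unnamed>"] = reasons
    return findings


def build_sample_message():
    """Constructed message: a bare executable, the same thing zipped, and a
    harmless text file.  The 'executable' is just bytes starting with MZ."""
    fake_pe = b"MZ\x90\x00" + b"not a real program, constructed for this example"
    msg = EmailMessage()
    msg["From"] = "vendor@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "patch attached"
    msg.set_content("Constructed sample body.")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="update.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("update.exe", fake_pe)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="patch.zip")
    msg.add_attachment("release notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"BLOCK {name}: {', '.join(reasons)}")
```

Running it reports update.exe (extension and MZ header) and patch.zip (archive member update.exe) and says nothing about notes.txt. The content check is what makes this a server-side policy rather than a rename-and-resend game: a file called invoice.txt that begins with MZ is still flagged, and a zip that cannot be opened is treated as suspect rather than waved through.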
"when OS/2 was still viable IBM's commodity hardware was almost universally shipped with MSWindows."
For about a year, IBM shipped all _corporate_ systems in a dual boot OS/2 - PCDOS/Windows 3.1 configuration. The default OS was OS/2. Note that this didn't apply to Aptivas or other home stuff.
The reason they stopped doing this was a MASSIVE outcry from the customer base. Neither the Windows or the OS/2 shops liked this configuration, and IBM dropped it. This was considerably before the backroom deal surrounding the Win95 licence, BTW.
"There must be some reason that no major commodity hardware vendor is willing to ship a low-cost MS free system. After all, it would be MS they are undercutting, not themselves. "
No, they would be undercutting themselves. If you want to open your trap on this topic, you need to understand that the cost of an OS to an OEM is the licence plus support cost. By selling into big dollar business markets only, they can reduce the support exposure and build up their infrastructure. Selling Linux to the Walmart market would be financial suicide.
Lots of stuff runs on OS X's unix compatibility APIs, including XFree and Qt-Unix and most anything else that you'd want to port.
However, none of this stuff will be considered by the userbase to be 'native' applications. (Mac users have this nasty habit about actually caring about cut-n-paste!) So consider anything that isn't Carbon or Cocoa to be an interesting experiment by hackers and not a Mac OS X application.
I agree that Usenet could easily replace 90% of the non-corporate sites I routinely visit (including Slashdot). If the web moves to a pay-for-content model, I move back to Usenet, not that I really ever left.
(Although it wouldn't surprise me if I had to pay an access fee for usenet, but at least then I'm paying for the pipe and not paying for the right to babble on message boards or to read somebody's Quake III benchmark showing a shocking 9% improvement. The loss of premium search services like groups.google would suck though.)
To reply to myself with a sidenote to the root poster.
A year or so ago I was digging through a used bookstore and found "Inside OS/2" by Gordan Letwin (sp) of Microsoft. There's a fairly involved explanation on the hoops one had to jump through to implement a protected mode OS on the 80286 that was still compatible with 8086 software. My guess is that the OS kernel was written in ASM due to technical difficulties with the CPU (and speed on the aforementioned ATs). Anyway if you care about OS/2 1.x enough to still be complaining about it, it's a start.
The original planned ship date of OS/2 was something like 1985, only a year or so after the AT shipped. The 286 bit came directly out of the requirement that it would run on an AT (and it did).
Obviously the marketing when it was launched was tied to that of the PS/2, and there was "OS/2 Extended Edition" that only ran on PS/2s. It probably did play a big factor into IBM stupidly delaying i386 machines.
There's obviously a balance between buying a full copy of Office, Visio, and Project for each desk worker and your cost of keeping track of exactly how many Excel or whatever users you've got and providing separate software installations and licence tracking for those users.
Microsoft certainly has this balance in mind when they set prices. Your attitude seems to be that it's their problem (or Zones) to tell you how your ass is screwed on. Sorry -- the way things are shaping up under Ballmer MS is that you either have a fulltime licencing accountant or you overpay MS. There's no pass for throwing up your hands and saying it's too hard.
Free consulting since you are too stupid to RTFM -- Remove the extension mappings for all DLLs that you aren't using.
See recommendation #1 above. :)
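Recommendation #1 ("turn it off if you aren't using it") and the reply just above ("remove the extension mappings for all DLLs that you aren't using") describe the same audit, so here is one worked version of it as an added example, not code from the thread or from Microsoft. It reads an IIS 4/5-style ScriptMaps list, maps each handler DLL to the feature it implements, and reports every extension routed to a feature you have not declared as needed; the remaining findings are also exactly the components whose patches you do need. The entry format (".ext,path,flags[,VERB,...]"), the DLL-to-feature table and the sample entries are assumptions for this example.

```python
"""Audit an IIS 4/5-style ScriptMaps list for extension mappings that hand
requests to optional ISAPI DLLs (Index Server, Internet Printing, .htr
admin, ...) that the site does not need.  Example code, not from the
original thread; the entry format and sample data are constructed."""
from dataclasses import dataclass

# Assumed mapping of ISAPI DLL file name -> the IIS feature it implements.
FEATURE_BY_DLL = {
    "asp.dll": "Active Server Pages",
    "idq.dll": "Index Server",                      # .ida / .idq
    "msw3prt.dll": "Internet Printing",             # .printer
    "ism.dll": "Web-based administration",          # .htr
    "httpodbc.dll": "Internet Database Connector",  # .idc
    "ssinc.dll": "Server-side includes",            # .shtml / .shtm / .stm
}


@dataclass(frozen=True)
class ScriptMap:
    extension: str   # e.g. ".ida"
    dll: str         # handler file name only, lower-cased
    flags: int       # metabase flags column, kept for reporting
    verbs: tuple     # allowed HTTP verbs; empty means "all"


def parse_script_maps(lines):
    """Parse entries of the assumed form '.ext,C:\\path\\handler.dll,flags[,VERB,...]'."""
    maps = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 3:
            raise ValueError(f"malformed ScriptMaps entry: {raw!r}")
        ext, path, flags = parts[0].lower(), parts[1], int(parts[2])
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        verbs = tuple(v.upper() for v in parts[3:])
        maps.append(ScriptMap(ext, dll, flags, verbs))
    return maps


def audit(maps, needed_features):
    """Return (extension, action, reason) triples: 'remove' for a known optional
    DLL whose feature is not needed, 'review' for a handler not in the table."""
    needed = {f.lower() for f in needed_features}
    findings = []
    for m in maps:
        feature = FEATURE_BY_DLL.get(m.dll)
        if feature is None:
            findings.append((m.extension, "review", f"unrecognised handler {m.dll}"))
        elif feature.lower() not in needed:
            findings.append((m.extension, "remove", f"{feature} ({m.dll}) not in use"))
    return findings


def extensions_to_remove(maps, needed_features):
    """Sorted list of extensions the audit says to unmap."""
    return sorted(ext for ext, action, _ in audit(maps, needed_features)
                  if action == "remove")


# Constructed sample: roughly what a default IIS 5 install might have mapped,
# plus one site-specific handler the table does not know about.
SAMPLE_SCRIPTMAPS = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".ida,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD,POST",
    ".idq,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD,POST",
    ".htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,1,GET,POST",
    ".printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST",
    ".idc,C:\\WINNT\\System32\\inetsrv\\httpodbc.dll,1,GET,POST",
    ".shtml,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,1,GET,POST",
    ".custom,C:\\Inetpub\\handlers\\mystuff.dll,1,GET,POST",
]

if __name__ == "__main__":
    maps = parse_script_maps(SAMPLE_SCRIPTMAPS)
    # A site that only serves ASP pages needs none of the other handlers.
    for ext, action, reason in audit(maps, ["Active Server Pages"]):
        print(f"{action:7s} {ext:10s} {reason}")
```

For a plain ASP site the output lists .ida, .idq, .htr, .printer, .idc and .shtml as removable and .custom as needing review; declare "Index Server" as needed and the two idq.dll mappings drop off the removal list, which is also the signal that the Index Server patch applies to that box. The "review" bucket is deliberate: an unknown handler is not silently left alone, because it is precisely the kind of thing nobody remembers installing.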