Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IIS6 Security and other web servers

from [Joachim Schipper] Network Security [Permanent Link]
Subject: Re: IIS6 Security and other web servers
Date: Wed, 26 Jan 2005 10:54:34 +0100 
On Tue, Jan 25, 2005 at 03:52:08PM +0100, Rivera Alonso, David wrote:


Dear friends,

I just want to throw a little question to know your opinion.
I was discussing yesterday with a friend about the quality of IIS6 from a
Security point of view.
He immediately said it's a bad choice, as previous Microsoft web servers.
I've read a few papers and I have this opinion: as it's been redesigned from
the ground (with all the previous failures in mind), with the security
perspective, with every little service and option disabled by default, and
so on, I told him that now, in my opinion, IIS6 is a good choice.
He loves GNU, Linux, and, logically, he thinks Apache is the king in
security.
Just because I felt curious, I went into www.securityfocus.com to check the
latest vulnerability advisories, for Apache and IIS6. Incredible, Apache
wins, it has many more (not to talk about the many releases since version
2.0)! In fact, I just found one alert about IIS6.

What do you experts think?
Of course, I know IIS was very dangerous before version 6.
But, maybe an IIS6 in a well configured, patched and securized Windows 2003
machine is al last a good choice to house Web Applications?
Or maybe it's too soon, there are few installed, and maybe in the future
it'll have as many holes as the predecessors?

What do you think?

best regards from Spain,

DAVID


Dear David,

As always, the Open Source alternative is more configurable. It'd be
difficult to say which standard install is more secure; however, Apache
with a lot of third-party modules hastily written by a programmer high
on coffee might not measure up to IIS.

On the other hand, if you take the security-conscious (aka paranoid)
route and run Apache in a chroot() jail, as a dedicated user, with a
minimum of modules (compiled statically whenever possible) and compile
the whole thing with PaX and SSP support, it is quite likely that you're
better off than with IIS[1]. Some GNU/Linux distributions, like
Adamantix, do a decent job in this respect, or so I've heard...
Alternatively, go with OpenBSD.

Good luck!

                        Joachim

[1] A custom install also means custom upgrades - be sure to do this! I
can usually out-patch at most major distributions, mainly because I need
not test it on hundreds of different configurations.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Openpgp.org, Philip Wagenaar
Next by Date:  Betr.: RE: encryption, Philip Wagenaar
Previous by Thread:  Re: IIS6 Security and other web servers, Gary H. Jones II
Next by Thread:  RE: IIS6 Security and other web servers, Roger A. Grimes
Indexes:  [Date] [Thread] [Top] [All Lists]