Network Security Security-Basics
Re: IIS6 Security and other web servers

Subject: Re: IIS6 Security and other web servers
Date: 26 Jan 2005 19:14:38 -0000
In-Reply-To: <969653E17315064BA3EFBBA57C8458DC0215A0CF@clbilarr01a.iberdrola.es>


> What do you think?

It sounds as if this is the age old quasi-religious "argument" about which 
operating system is more secure.  Unfortunately, what few people fail to grasp 
is that in the hands of an incompetent individual, *any* platform is relatively 
insecure.

> Of course, I know IIS was very dangerous before version 6.

What makes you say that?  Sure, the web server had a lot of unnecessary 
functionality turned on by default, but it was pretty trivial to turn it off.  
A tool called "mdutil.exe" shipped with the CD, and could be used to create a 
batch file that effectively hardened IIS by making changes to the metabase.  In 
fact, Dave LeBlanc set up an IIS web server that was not vulnerable to Code Red 
a full year before Code Red came out...this was a trivial exercise, as all one 
had to do was disable the script mapping for .ida/.idq files.  

In a nutshell, it's nothing more than an implementation of the Principle of 
Least Privilege...if you don't need it, don't run it.  Reduce the attack 
surface by limiting the number of running services and applications that you 
have to manage.

> maybe an IIS6 in a well configured, patched and secured Windows 2003
> machine is at last a good choice to house Web Applications?

Maybe?  It all depends on what your web app is.  There are a lot of web apps 
that ran very well on IIS 4.0.  It all depends on your requirements.  Too 
often, what happens is that somewhere along the line, someone institutes a 
requirement that doesn't make any sense, and they implement something in the 
design of the web app that makes it overly complex, violating the KISS 
principle.

The point is that it doesn't really matter what web server you use, as long as 
you pick the one that meets your needs.  Any web server is going to require 
configuration control, as well as administration and management.  


H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
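The hardening step described in the message above (keep only the script mappings the application actually needs, remove the rest) as an added audit example; this is not code from the original post. It assumes the IIS 6 metabase ScriptMaps entry layout `extension,handler path,flags[,VERB,...]`, and the sample entries are constructed.

```python
"""Audit IIS script mappings against an allowlist of needed extensions.

Added example, not from the original post. Assumes the IIS 6 metabase
ScriptMaps format (one entry per mapping: extension,handler,flags,verbs);
the sample entries below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScriptMap:
    extension: str
    handler: str
    flags: int
    verbs: tuple  # empty tuple means the mapping accepts all verbs


def parse_script_map(entry: str) -> ScriptMap:
    """Parse one 'ext,handler,flags[,VERB,...]' entry into a ScriptMap."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    ext, handler, flags = parts[0].lower(), parts[1], int(parts[2])
    verbs = tuple(v.upper() for v in parts[3:] if v)
    return ScriptMap(ext, handler, flags, verbs)


def audit_script_maps(entries, needed_extensions):
    """Split mappings into those the application needs and the excess.

    Every mapping not explicitly required is attack surface to remove;
    the .ida/.idq mapping behind Code Red is the classic instance.
    """
    needed = {e.lower() for e in needed_extensions}
    keep, remove = [], []
    for sm in map(parse_script_map, entries):
        (keep if sm.extension in needed else remove).append(sm)
    return keep, remove


# Constructed sample resembling an IIS 6 metabase ScriptMaps property.
SAMPLE_SCRIPT_MAPS = [
    ".asp,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE",
    ".ida,C:\\WINDOWS\\system32\\idq.dll,7,GET,HEAD",
    ".idq,C:\\WINDOWS\\system32\\idq.dll,7,GET,HEAD",
    ".shtml,C:\\WINDOWS\\system32\\inetsrv\\ssinc.dll,5,GET,POST",
]

if __name__ == "__main__":
    keep, remove = audit_script_maps(SAMPLE_SCRIPT_MAPS, [".asp"])
    print("keep:  ", [m.extension for m in keep])
    print("remove:", [m.extension for m in remove])
```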
