RE: IIS6 Security and other web servers

Subject: RE: IIS6 Security and other web servers
Date: Wed, 26 Jan 2005 19:58:12 -0400
The reason Apache has more security alerts is the same reason Windows has more
security alerts than Linux. Apache has 60-68% of the webserver market. They
are ubiquitous, to an extent, as Windows is on the desktop. There are not as
many 'Net-facing servers running IIS6 or even previous editions. Yes, there
are some, but if you're writing exploits you generally go for what's there. 

--
<<JAV>>


---------- Original Message -----------
From: <adisegna@siscocorp.com>
To: <security-basics@securityfocus.com>
Sent: Wed, 26 Jan 2005 13:36:31 -0500
Subject: RE: IIS6 Security and other web servers

David,

This question also comes to mind. Which system/software are you familiar
with? Will you have to learn Apache or IIS? I've had a locked down IIS
6.0 server online using WEBDAV and SSL for over a year now without 
issue.. Knock, Knock. Think about the Total Cost of Ownership as well...

AD

Proactive not reactive is the name of the game.

-----Original Message-----
From: Rivera Alonso, David [mailto:drivera@iberdrola.es] 
Sent: Tuesday, January 25, 2005 9:52 AM
To: security-basics@securityfocus.com
Subject: IIS6 Security and other web servers

Dear friends,

I just want to throw a little question to know your opinion.
I was discussing yesterday with a friend about the quality of IIS6 from a
Security point of view.
He immediately said it's a bad choice, as previous Microsoft web servers.
I've read a few papers and I have this opinion: as it's been redesigned from
the ground (with all the previous failures in mind), with the
security perspective, with every little service and option disabled
by default, and so on, I told him that now, in my opinion, IIS6 is a
good choice. He loves GNU, Linux, and, logically, he thinks Apache
is the king in security. Just because I felt curious, I went into
www.securityfocus.com to check the latest vulnerability advisories,
for Apache and IIS6. Incredible, Apache wins, it has many more (not
to talk about the many releases since version 2.0)! In fact, I just
found one alert about IIS6.

What do you experts think?
Of course, I know IIS was very dangerous before version 6.
But, maybe an IIS6 in a well configured, patched and securized 
Windows 2003 machine is at last a good choice to house Web Applications?
Or maybe it's too soon, there are few installed, and maybe in the future
it'll have as many holes as the predecessors?

What do you think?

best regards from Spain,

DAVID

=============================
This e-mail is intended exclusively for the individual or entity to which it
is addressed and may contain confidential or legally privileged information,
which may not be disclosed under current legislation. Any form of disclosure,
copying or distribution of this e-mail is strictly prohibited, save with
written authorisation from Iberdrola.
If you have received this message in error, please notify the sender
immediately by e-mail and delete all copies of the message.
=============================
------- End of Original Message -------
