
Re: IIS6 Security and other web servers

Subject: Re: IIS6 Security and other web servers
Date: Thu, 27 Jan 2005 11:36:00 -0500
Greetings All,

I'd like to ask for some clarification here. I know that Ebay, Anandtech, et al. run on a purely Windows architecture (for the ease of programming in .Net from what the folks at Anandtech are saying) for their web-services and that works well for them.

However, I know of no Windows architecture that is exposed directly to the Internet. Every vendor/consultant/Admin I have ever met is saying that in order for Windows to be secure it must be protected by layers of protection (hardened router, hardware firewall, etc).

On the other hand, I know of a number of LAMP-type servers that are exposed directly to the Internet with no intervening layers.

Am I to take the statement that "IIS6 is a very secure platform" to mean that IIS6 is only secure after it has been hardened from its insecure default installation and protected by layered security that prevents direct access to the Internet?

I may well be wrong here, so please feel free to correct me if I'm out on a limb.

Thank you,

RandyW

Roger A. Grimes wrote:

IIS6 is a very secure platform.  Some of the largest and most
Internet-exposed companies in the world run it. Ebay runs it. Like any
web server, you must follow basic guidelines and keep your patches
up-to-date, but that is any product.

If you have mostly Windows experience, it certainly isn't a poor choice.
Anyone saying otherwise is just going on inaccurate or old data, or just
letting their personal preferences get involved.  I use both IIS and
Apache, and both are secure when implemented as recommended. I'm a
Windows guy, though, so configuring security and other things is easier
for me in IIS (click, click, click) than in Apache (find text file to
edit...).

In fact, Windows IT Pro mag and I are sponsoring a Hack IIS contest in a
few months with prizes.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger@banneretcs.com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows (O'Reilly)
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
***************************************************************************




-----Original Message-----
From: Rivera Alonso, David [mailto:drivera@iberdrola.es]
Sent: Tuesday, January 25, 2005 9:52 AM
To: security-basics@securityfocus.com
Subject: IIS6 Security and other web servers



Dear friends,

I just want to throw a little question to know your opinion.
I was discussing yesterday with a friend about the quality of IIS6 from
a Security point of view.
He immediately said it's a bad choice, as previous Microsoft web
servers.
I've read a few papers and I have this opinion: as it's been redesigned
from the ground up (with all the previous failures in mind), with the
security perspective, with every little service and option disabled by
default, and so on, I told him that now, in my opinion, IIS6 is a good
choice.
He loves GNU, Linux, and, logically, he thinks Apache is the king in
security.
Just because I felt curious, I went to www.securityfocus.com to check
the latest vulnerability advisories for Apache and IIS6. Incredible,
Apache wins, it has many more (not to mention the many releases since
version 2.0)! In fact, I just found one alert about IIS6.

What do you experts think?
Of course, I know IIS was very dangerous before version 6.
But maybe an IIS6 on a well-configured, patched and secured Windows
2003 machine is at last a good choice to house web applications?
Or maybe it's too soon, there are few installed, and maybe in the future
it'll have as many holes as its predecessors?

What do you think?

best regards from Spain,

DAVID




=============================

This e-mail is intended exclusively for the individual or entity to
which it is addressed and may contain confidential or legally privileged
information, which may not be disclosed under current legislation. Any
form of disclosure, copying or distribution of this e-mail is strictly
prohibited, save with written authorisation from Iberdrola.
If you have received this message in error, please notify the sender
immediately by e-mail and delete all copies of the message.
=============================
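Editor's addition, not part of any message in the thread: a small check of the kind one would run against either server to see how far an install is from "implemented as recommended". It parses a raw HTTP response and flags what an unhardened server tends to give away: a version string in the Server header, an X-Powered-By banner, and methods such as TRACE or PROPFIND left reachable. The three responses in the block are constructed for illustration and are assumptions, not captures from real IIS 6 or Apache hosts.

```python
"""
Audit what a web server discloses in its HTTP response headers.

Added example, not code from the thread.  The sample responses below are
constructed for illustration; they are not captured from real IIS or Apache
hosts, so the header values are assumptions.
"""
from typing import Dict, List

# Constructed sample responses (assumed values, not captured traffic).
IIS_UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
APACHE_UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.52 (Unix)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Methods that should not be reachable on an Internet-facing server unless
# the application actually needs them (WebDAV, TRACE/TRACK, proxying).
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "PROPFIND", "MKCOL", "CONNECT"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP response as a lower-cased dict.

    Only the status line and headers are read; anything after the blank
    line (the body) is ignored.  Accepts CRLF or bare LF line endings.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(raw: str) -> List[str]:
    """Return findings describing avoidable disclosure or exposure."""
    findings: List[str] = []
    h = parse_headers(raw)

    server = h.get("server", "")
    if server:
        # A bare product name is informational; a version string hands an
        # attacker the exact build to look up advisories for.
        if any(c.isdigit() for c in server):
            findings.append(f"version disclosed in Server header: {server}")
        else:
            findings.append(f"Server header present: {server}")

    if "x-powered-by" in h:
        findings.append(
            f"framework disclosed in X-Powered-By header: {h['x-powered-by']}")

    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    for method in sorted(allowed & RISKY_METHODS):
        findings.append(f"method enabled: {method}")

    return findings


if __name__ == "__main__":
    for label, resp in (("IIS (unhardened sample)", IIS_UNHARDENED),
                        ("Apache (unhardened sample)", APACHE_UNHARDENED),
                        ("hardened sample", HARDENED)):
        print(f"{label}:")
        for finding in audit_response(resp) or ["no findings"]:
            print(f"  - {finding}")
```

Feed it the raw bytes returned to a real OPTIONS request and treat each finding as something to check against the vendor's hardening guidance rather than as a vulnerability in itself; the point of the thread is that both servers pass this kind of check once configured as recommended, and both fail it when left at a permissive configuration.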