
Not necessarily.
Whether or not a web server gets hacked depends not on the server software but on the cluefulness or not of its admins.

I know you're paid to say that, but that's sheer, utter bollocks.

That *is* a factor, yes.

It is not the ONLY factor.

If your web server has a vulnerability, and there's *no patch*, *no fix*, no way to stop it, it doesn't matter how good you are - you *can't* secure it.

And that's a big problem with IIS. Microsoft 1) denies many problems 2) minimizes their risk 3) puts out fixes when they feel like it.

Until they decide it's a problem, and get you a fix, there ain't a damn thing you can do. And if you're hacked *first*, well, you're screwed. Now, this *is* the same with any other webserver. However, right now keeping IIS patched has our NT folks in a severe tizzy, *and* sometimes installing some web product has the net effect of uninstalling one or the other. (.DLL hell strikes again, and no, I can't give details, they were complaining about that, luckily it was *our* scanners who detected that a hole was back open).

IIS is securable.

IIS has hooks to the operating system that most other web servers don't, for exactly those security precautions. As a result, I certainly think of it as less securable than other comparable web servers.

The problem is that very few people know how to do it.

Then maybe IIS isn't a good choice. :)

Addison
Re: Not necessarily.
IIS has hooks to the operating system that most other web servers don't, for exactly those security precautions. As a result, I certainly think of it as less securable than other comparable web servers.

OK, that's very true - and it's one of my primary gripes with it. (The Kafka-esque configuration process and the sheer amount of "stuff" you need to slop onto a previously working box to get it going are others.)

Then maybe IIS isn't a good choice. :)

Never said it was, just that it's *possible* to secure it. Doesn't mean that it's going to happen, though :)

Here's a thought, though, which I saw somewhere - if your admins aren't capable of securing an IIS box, what makes you think they're capable of securing anything else?

Fear.

Peter
Shill For Hire
There is no K5 Cabal (http://www.kuro5hin.org)
Actually you can secure IIS - with a trick
I can't find the article right now, but I saw a detailed article about how someone secured an IIS server against all past, present, and future security holes in IIS. The idea was simple, the implementation not quite so.

What they did is put up a reverse proxy in front of it which did very strict validations of what it would allow to be proxied. If they didn't know why a request should be allowed through, or if the request matched certain parameters for a buffer overflow, it was blocked. There was no way from the internet to directly access the IIS server.

It was a lot of work, but their reason for doing it is that they had a web application which didn't successfully port to a newer version of IIS, which they didn't have the luxury to rewrite immediately, which they couldn't just discontinue, and which they needed to have secured against bugs in the old IIS. So they analyzed the application, and produced their reverse proxy.

Cheers,
Ben

PS The admins in this case were uncommonly competent. Not surprisingly, they considered this secure version of IIS to be a stopgap measure, and they planned to rewrite it for Apache when they got time. :-)
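The policy Ben describes (forward only requests the application is known to need, block anything unrecognised or overflow-shaped before it reaches the origin) as an added example; this is not code from the thread or from the admins he describes, and the route table, size limits and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed allowlist of the only requests the legacy application is known to
# need: (method, exact path) -> {parameter name: pattern its value must match}.
ALLOWED_ROUTES = {
    ("GET", "/"): {},
    ("GET", "/catalog"): {"page": re.compile(r"^\d{1,3}$")},
    ("POST", "/order"): {"item": re.compile(r"^[A-Z]{2}\d{4}$"),
                         "qty": re.compile(r"^\d{1,2}$")},
}
MAX_TARGET_LEN = 256  # generous for this app; longer targets are treated as hostile
MAX_VALUE_LEN = 32    # per-parameter cap: the overflow-shaped-input heuristic

def decide(method, target):
    """Return (allowed, reason); deny is the default for anything not known to be needed."""
    if len(target) > MAX_TARGET_LEN:
        return False, "request target exceeds length limit"
    if not target.startswith("/") or not all(0x20 < ord(c) < 0x7F for c in target):
        return False, "malformed target or non-printable characters"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False, "absolute or protocol-relative target rejected"
    # Exact-match lookup: encoded or traversal variants of a path simply fail to match.
    rules = ALLOWED_ROUTES.get((method.upper(), parts.path))
    if rules is None:
        return False, "route not in allowlist"
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in rules or name in seen:
            return False, "unexpected or repeated parameter: %s" % name
        if len(value) > MAX_VALUE_LEN or not rules[name].match(value):
            return False, "parameter %s fails validation" % name
        seen.add(name)
    return True, "ok"

# Constructed sample traffic: two known-good requests and three that the policy blocks.
SAMPLE_REQUESTS = [
    ("GET", "/catalog?page=2"),
    ("POST", "/order?item=AB1234&qty=3"),
    ("GET", "/order?item=AB1234"),              # wrong method for this path
    ("GET", "/catalog?page=2&debug=1"),         # parameter the app never uses
    ("GET", "/scripts/tool.dll?" + "A" * 300),  # oversized, overflow-shaped
]

def forwarded(requests=SAMPLE_REQUESTS):
    """Targets the proxy would pass through to the origin server."""
    return [target for method, target in requests if decide(method, target)[0]]
```

The point of the exact-match table is that the proxy never has to know which IIS bug is being probed; anything the application does not need is dropped regardless.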
Sounds like a good money spinner...

"All around me are nothing but fakes
Come with me on the biggest fake of all!"

And that trick is...
...uninstallation.

;-)
-YendorMike

"The problems of the world cannot possibly be solved by the skeptics or the cynics whose horizons are limited by the obvious realities. We need people who dream of things that never were." - John F. Kennedy
You missed one...
And that's a big problem with IIS. Microsoft 1) denies many problems 2) minimizes their risk 3) puts out fixes when they feel like it.


You missed:

4) Gets pissed (and pissy) when someone points out their foibles, and publishes a scenario where the defect can be exploited.

Once all the bluster and bullshit they spout about their hurt feelings subsides, 4) tends to cause 3) to occur with shorter lead time than would otherwise be the case.

(I wish I could find the link to the Register article about this...)
jb4
(Resistance is not futile...)