Fog Creek Software
Discussion Board
IIS Security?


What are your thoughts on IIS?  I have one client whose "security" department absolutely refuses to allow IIS to be used on any machine accessible from the internet.  Their primary reason is that they subscribe to Gartner and their Gartner consultant basically told them this:
http://news.com.com/2100-1001-273461.html?legacy=cnet

Ryan James
Thursday, March 18, 2004

That kind of crap pisses me off.

A well administered IIS server is MUCH more secure than a poorly administered Apache server. And VICE VERSA!

The skills of the administrators and the diligence with which they track and apply patches are MUCH more significant to security. If your sysadmins are better at Unix, run Apache. If they're better at Windows, run IIS. If they're the kinds of morons who do whatever Gartner tells them to do without thinking for themselves, they're not going to have a very secure web server no matter what they run.

What especially pissed me off about the Gartner rubbish was that they thought that completely rewriting IIS was a way to make it more secure, which showed a complete lack of understanding of how code works. Over time, you find bugs and fix them. Fresh code has more bugs than old code, not fewer; anyone who has ever written a 10 line BASIC program should understand that by now.

Joel Spolsky
Fog Creek Software
Thursday, March 18, 2004

Has any IT journalist or IT research group ever got *anything* right about *any* aspect of programming and code?

Manuel M. Garcia
Thursday, March 18, 2004

Since IIS is easier to install, it's used by more sysadmins who don't know what they're doing. These folks shouldn't be running IIS or Apache.

If Gartner's advice leads these same people, who were running insecure IIS servers, to use Apache, the result will be even worse security.

Those who know what they're doing can pick their platform, IMHO.

Nate Silva
Friday, March 19, 2004

All web servers should be placed behind some sort of stateful proxy. Hide the real internal address of the server, limit the types of commands that can be sent to the server, the length of URLs, prevent "unexpected" conditions before they happen, etc...

Of course, I design such things for a living, so I might be a tad biased. :-)

SG
Friday, March 19, 2004

"What especially pissed me off about the Gartner rubbish was that they thought that completely rewriting IIS was a way to make it more secure, which showed a complete lack of understanding of how code works. Over time, you find bugs and fix them. Fresh code has more bugs than old code, not fewer; anyone who has ever written a 10 line BASIC program should understand that by now."

And yet MS says they rewrote most of it.

"A well administered IIS server is MUCH more secure than a poorly administered Apache server. And VICE VERSA!"

A well administered Apache server is MUCH more secure than a well administered IIS server.

Mike
Friday, March 19, 2004

Mike, could you elaborate on why you believe "a well administered Apache is much more secure than a well administered IIS"?

RF
Friday, March 19, 2004

RF:

How about, if nothing else, because more hackers target IIS machines in the first place.

Baba Booey
Friday, March 19, 2004

Baba Booey:

That's a fair point and one that I have heard many times. I believe that IIS servers are attacked more often by incompetent hackers, script kiddies and such. Patching regularly, and using a simple packet filter, usually defeats these kinds of aggressions. If we talk about a "well administered" server I assume deeper precautions are adopted.
When comparing "well administered" servers we must emphasise more sophisticated attacks - targeted, studied and committed by skillful people.  I admit having no numbers to back this claim, but I suspect IIS systems are no more a target than Apache. As far as I know Apache even has the biggest market share - meaning a greater number of valuable servers.

Do any of you guys have technical information on IIS vs Apache security?

(sorry about the English)

RF
Friday, March 19, 2004

Mike, could you elaborate on why you believe "a well administered Apache is much more secure than a well administered IIS"?

Because usually it is run on a flavor of Unix that isn't swiss cheese as nt and 2000 are.

Mike
Friday, March 19, 2004

Also I might add Microsoft's security performance is abysmal.

Mike
Friday, March 19, 2004

Mike,

What exactly do you feel makes Windows "swiss cheese"?

That's quite a bold statement.  I'm assuming that you have some hard evidence to back it up.  Have you done an audit of the codebases of Windows and your favorite *nix, comparing defect counts?

Name one security exploit that affected Windows that wasn't fixed well in advance of the exploit being public.  Name one exploit that couldn't have been prevented if basic security measures were taken (installing patches, enabling a firewall, etc).

Myron A. Semack
Friday, March 19, 2004

"analysis of hacker attacks on online servers in January by U.K.-based security consultancy mi2g found that Linux servers were most frequently hit, accounting for 13,654 successful attacks, or 80 percent of the survey total. Windows came in a distant second with 2,005 attacks.

A detailed analysis of government servers also found Linux to be more susceptible, accounting for 57 percent of all security breaches.

In a similar study last year, Microsoft Windows proved to be more vulnerable, accounting for 51 percent of successful attacks on government servers.

However, the sharp rise in Linux breaches probably reflects a lack of training and deployment expertise rather than inherent security problems within Linux, mi2g officials suggested."

http://asia.cnet.com/newstech/security/0,39001150,39169103,00.htm


Both Apache and IIS are very decent, secure servers. The same can not be said of many of the applications running on top of both platforms and of the administrators operating them.

Just me (Sir to you)
Friday, March 19, 2004

"Just me",  that was the biggest bullshit study ever.  One quote is enough:

"The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers."

You can read that as "discounting all of the tons of evidence on the contrary IIS is more secure."

tekumse
Friday, March 19, 2004

"Name one security exploit that affected Windows that wasn't fixed well in advance of the exploit being public."

The RPC (DCOM) exploit.  It existed in the wild for months prior to it being known about by MS and then a little longer before the patch was made.

http://software.newsforge.com/software/04/02/28/0130209.shtml

Swiss cheese.  Look at the last 3 years history of remotely exploitable vulnerabilities.  Windows vs. any commercial Unix.  Windows is crap security wise.

Why do you think hacker insurance costs more for windows machines?  Because they are the definition of security?  Not hardly.

Mike
Friday, March 19, 2004

Mike!! Is this you?

http://www.adequacy.org/public/stories/2001.11.26.101258.24.html

PaulJ
Friday, March 19, 2004

Joel, I hate to put it this way but this time you are wrong. There are unpatched vulnerabilities in IIS. Not widely exploited of course, but still. Apache is not good either, not a far cry from IIS security-wise.

However, this is nothing that a good stateful filter can't fix most of. If you want to put an IIS box on line, check out "SecureIIS" (use Google) and similar products. Filter out everything that doesn't fit a proper request and you'll be fine. The crap we've seen mostly centers around SSL bugs and the Unicode exploits.

Mike: You are naive. What about the Windows exploit that was known for 8 months before a patch was released, do you think those things are discovered by white hats only?

Jonas B.
Friday, March 19, 2004
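SG's post above (a stateful proxy that hides the server, limits the commands that can be sent and caps URL length) and Jonas B.'s "filter out everything that doesn't fit a proper request" describe the same control. The following is an added illustration of that idea in Python; it is not code from any poster, from IIS or Apache, or from a product such as SecureIIS. The method allowlist, the 2048-byte request-target cap and the sample request lines are constructed assumptions, and only the request line is inspected.

```python
"""Minimal request-line filter for a reverse proxy placed in front of a web server.

Constructed example: it parses the HTTP request line only, enforces an allowlist
of methods, a maximum request-target length, well-formed percent-encoding that
decodes to canonical UTF-8, and rejects path traversal after decoding. Anything
that is not a well-formed request is dropped before it reaches the origin server.
"""
import re
from urllib.parse import unquote_to_bytes

ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})  # assumption: a site that needs only these
MAX_TARGET_LEN = 2048                                 # assumption: conservative URL length cap

# Request line per RFC 7230: METHOD SP request-target SP HTTP-version
_REQUEST_LINE = re.compile(rb"^([A-Z]{1,16}) ([^ ]{1,8192}) HTTP/1\.[01]$")
_PCT_ESCAPE = re.compile(rb"%[0-9A-Fa-f]{2}")


def check_request_line(line: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one raw request line."""
    line = line.rstrip(b"\r\n")
    m = _REQUEST_LINE.match(line)
    if not m:
        return False, "malformed request line"
    method, target = m.group(1).decode("ascii"), m.group(2)

    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(target) > MAX_TARGET_LEN:
        return False, "request-target too long"
    # Only printable ASCII may appear raw in the target; everything else must be percent-encoded.
    if any(b < 0x21 or b > 0x7E for b in target):
        return False, "non-ASCII or control byte in request-target"
    # Every '%' must begin a complete two-hex-digit escape; a stray '%' is a malformed request.
    if target.count(b"%") != len(_PCT_ESCAPE.findall(target)):
        return False, "malformed percent-encoding"

    path = target.split(b"?", 1)[0]
    decoded = unquote_to_bytes(path)
    # Strict UTF-8 decoding rejects overlong and otherwise non-canonical byte sequences,
    # so the decoded path is guaranteed to be valid text before it is compared to anything.
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return False, "request-target is not canonical UTF-8"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return False, "control character after decoding"
    # Traversal is checked on the decoded path, with both separator styles normalised.
    segments = text.replace("\\", "/").split("/")
    if ".." in segments:
        return False, "path traversal after decoding"
    return True, "ok"


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1",
    b"GET /docs/%C3%A9t%C3%A9.html HTTP/1.1",         # valid percent-encoded UTF-8
    b"TRACE / HTTP/1.1",                              # method outside the allowlist
    b"GET /static/..%2f..%2fsecret.txt HTTP/1.0",     # traversal hidden behind percent-encoding
    b"GET /%ff HTTP/1.1",                             # decodes to invalid UTF-8
    b"GET /" + b"A" * 3000 + b" HTTP/1.1",            # over the length cap
    b"GET /a%2 HTTP/1.1",                             # truncated percent-escape
    b"get / HTTP/1.1",                                # lowercase method is not a valid request line
]


def filter_requests(lines):
    """Apply the filter to each request line; returns a list of (line, accepted, reason)."""
    return [(l, *check_request_line(l)) for l in lines]


if __name__ == "__main__":
    for line, ok, why in filter_requests(SAMPLE_REQUESTS):
        print("ACCEPT" if ok else "REJECT", why, line[:60])
```

The filter fails closed: every branch that cannot prove the request is well formed rejects it, and the traversal check runs on the decoded path rather than the raw one so that encoding tricks do not bypass it.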

Mike,

Yeah, that link was objective evidence.  What some guy claims he heard in a chat room.  That sounds like a really credible source. </sarcasm>

You seriously don't consider a list of DISCOVERED vulnerabilities to be a good measure of security do you?

Myron A. Semack
Friday, March 19, 2004

Jonas, I think Mike was saying, and the article he linked to, that many exploits exist long before the white hats or the vendors know, because the black hats don't advertise when they find a hole.

The mi2g study was b.s.  It really belongs up on Microsoft's why we're better than Linux page of paid for by Microsoft studies.  Hey folks!  Studies paid for by Microsoft are akin to drug companies approving their own drugs.

Cardinal Stritch
Friday, March 19, 2004

"I have one client whose "security" department absolutely refuse to allow IIS to be used on any machine accessable from the internet."

That's a damn good policy.  Even if IIS is now less prone to security issues, a policy like this keeps you from buying a lot of 3rd party software that depends on IIS.  In short it hurts sales of Microsoft technologies.  Anything that does that is good in my book.  If software is useful, they can write it to use Roxen, Zeus, Apache, AOL Server as well as IIS.  IIS is the lazy Windows developer way out.

As400
Friday, March 19, 2004

Myron,

"Yeah, that link was objective evidence.  What some guy claims he heard in a chat room.  That sounds like a really credible source. </sarcasm>"

LSD (Last Stage of Delirium) discovered the RPC DCOM issue and contacted Microsoft on June 27, 2003 about the problem. The patch was released on July 16, 2003. Microsoft credits LSD for finding the problem. It's likely that an exploit did exist in May, but I doubt it was distributed widely --- LSD has a reputation of being professional.

http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

http://lsd-pl.net/

SG
Saturday, March 20, 2004

My point is that one link he pulled out of his ass is hardly enough to call Windows "swiss cheese".

Myron A. Semack
Saturday, March 20, 2004

Myron, just because you are ignorant of all the holes in Windows does not make Windows secure.

As400
Saturday, March 20, 2004

Fine then, show me how I'm ignorant.  Show me EXACTLY how Windows is "swiss cheese".  Show me the all the unpatched holes in Windows.  Show me how Windows is inherently insecure.

Don't give me a link to an interview with a guy bitching about Microsoft's security practices.  Give me some real, quantifiable evidence.

Then, while you're at it, show me exactly how Unix/Linux is more secure.  Show me the lower numbers of defects.  Show me a platform that's completely free of security holes.

"Mike" claimed that Apache is more secure than IIS, given equally-qualified administrators.  He goes on to claim that Apache is more secure because Windows is "swiss cheese".  Fine then, show me EXACTLY how Windows is swiss cheese.  Show me how exactly you intend to measure the security of one platform over another.

You may have formed an OPINION about Windows security by reading Slashdot, but that is NOT a substitute for actual data.

Myron A. Semack
Saturday, March 20, 2004

Just for the record, the current Windows server platform is Windows Server 2003, which is far, far more secure out of the box than previous versions.

References to Win2k are as relevant as references to the 2.2 Linux kernel or Apache 1.0.

In doing a quick surf of Google and reading the disclaimers from various Linux advocates about various "Linux isn't more secure" studies, I find it interesting that many of them are using the arguments used by MS advocates over the years:
1) It's not the platform's fault if the admin doesn't know what he's doing
2) It's not the platform, it's the software running on the platform

I think the ground truth is as has been stated above - both systems are inherently securable; the issue is administration and diligence.

Philo
Sunday, March 21, 2004

"References to Win2k are as relevant as references to the 2.2 Linux kernel or Apache 1.0. "

Philo, did Microsoft ship everybody running NT or 2k a free upgrade to Win 2003?  There are still a lot of old Windows systems out there.  AFAIK Win 2003 is only more secure in that they closed more stuff up by default.  All that means is it is more securely configured, which becomes a moot point if you have a decent Win admin and a decent Unix admin who are going to configure it sanely anyway.

I believe that if you look at past history, say the last 3 years, a sanely configured Windows box is much more vulnerable than a sanely configured Unix box.  I'm talking Unix here, not Linux.

Myron, I don't have the time to look up every Windows exploit for you.  You see, there are TOO DAMN MANY!

As400
Sunday, March 21, 2004

"Myron, I don't have the time to look up every Windows exploit for you.  You see, there are TOO DAMN MANY!"

I said show me the UNPATCHED ones.  Surely someone as qualified as you to pass judgment about the security of something as complicated as an operating system (millions of lines of code), has a list of all these unpatched exploits handy.

If you're going to judge the security of a platform, you should have some kind of metric to do it.  Otherwise, you're talking out your ass.

Myron A. Semack
Sunday, March 21, 2004

Once again I would like to advise against trying to make general statements about Linux and Unix compared to Windows. It's like comparing all Japanese cars to a Ford Taurus.

Eric Debois
Sunday, March 21, 2004

I don't have a list of the undiscovered ones.  I'll get to work on that right after I figure out next week's lottery numbers.  I was speaking to the issue that the number of current holes, patched or otherwise, is indicative of poor programming and predictive of the number of future exploits.  Kind of like the stock market, only in this case past performance does predict future results.

And Myron, why the fascination with my ass?  You've alluded to it twice now.

Mike
Sunday, March 21, 2004

Do discovered vulnerabilities necessarily indicate that a product is less secure?  I seriously hope you're not using that as a metric.  If you are, I hope you don't administer any networks near me.

Product A is used by lots of people, it has lots of real-world testing.  A lot of problems are found with it, and are patched promptly by the software creator.

Product B is used by fewer people.  Few vulnerabilities are discovered in it.  Few fixes are issued.

Is Product B more secure?  Not necessarily.

Just because few vulnerabilities are REPORTED does NOT mean that the product is more secure.  How many problems are reported in CP/M?  Not many.  Does that mean CP/M is more secure?  Hell no.

Comparing patch counts is a foolish way to measure security.

Myron A. Semack
Sunday, March 21, 2004

Myron,

Apache, IIS, Windows and Unix are all widely used.  I would say in this case that if there are fewer Unix vulns you could expect fewer to be discovered in the future.  The whole past performance thing.

Mike
Monday, March 22, 2004

"I would say in this case that if there are fewer Unix vulns you could expect fewer to be discovered in the future."

So you consider things with fewer reported vulnerabilities to be more secure?

If that's the case, then I have some programs I've written with NO reported vulnerabilities.  Wow, they must really be secure!

Besides, it's not like Unixes don't have more than their fair share of vulnerabilities as well:

http://www.ciac.org/ciac/bulletinsByType/vndr_sun_bulletins.html

Wow, Sun Microsystems must have some pretty terrible programmers!  I mean look at their past performance.  They must not know how to write anything that's secure!

http://www.ciac.org/ciac/bulletinsByType/vndr_hp_bulletins.html

HP must be pretty lousy too!

All software has bugs.  Would you rather they weren't fixed?  Security has very little to do with the software package you use, and very much to do with the competency of the administrator.

Myron A. Semack
Monday, March 22, 2004

If it is such a swiss cheese, why did it survive openhack? http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/openhack.asp

Come on guys, you know better. Both are securable. If I had to take one tomorrow and secure it with my life hanging in the balance, I'd go IIS. Why? Because I am a bit more familiar with the MS stack and community, and I think that would give me an edge. Not because I think one or the other is >more secure<.
If you think security comes to you through buying products, well, you are going to get a wake-up call real soon now.

Just me (Sir to you)
Monday, March 22, 2004

Run MS and you'll spend more time patching.  Time is money.  MS costs more.

See ya Myron.

Mike
Monday, March 22, 2004

My Red Hat 9 install seemed to require a mass of patches, about the same as my Windows 2000, whereas my Windows Server 2003 has been very light so far. What is your point?

Just me (Sir to you)
Monday, March 22, 2004

Forget Linux, compare it to Unix.

Mike
Monday, March 22, 2004

I think the lists I linked to show pretty clearly that switching to a Unix does NOT mean that you won't ever have to install patches.  Unix has its share of exploits too.

If you think you don't have to patch your Unix system, you have a false sense of security.

Myron A. Semack
Monday, March 22, 2004

Sure you have to patch Unix.  Not as much as Windows, and usually you don't reboot.  Windows has had too many vulns that's why it is swiss cheese.

Mike
Monday, March 22, 2004

I honestly cannot be convinced that it is possible for product A to be *inherently* more or less "secure" than product B because either one is *impossible* to prove (the word "secure" is in quotes because it seems entirely subjective).  Somewhere Joel wrote something about software development methodologies and the effectiveness claims surrounding them.  His point was that they are anecdotal by their very nature because they go something like: company A implemented FOO and saved money and completed projects on time.  Company B implemented BAR and lost money and everything was late.  The problem is that *they are not the same companies.*  They're not building the same products and they don't have the same coders and managers working on them.  Even if they were, the comparisons would not be apples to apples unless the exact same people could repeat the exact same project with the only variable being substituting FOO for BAR.  Furthermore, those people would have to somehow perform the comparison iteration without utilizing anything they might have learnt from the first.  Well I have to believe that any evidence that says Company A used Apache and had a bad experience while company B used IIS had a good experience suffers from the same fault.

Even if we claim that the sheer number of companies who had positive results with FOO outweighs the number of companies having positive results with BAR, that could mean that the findings are comprised of lots of companies affected by all of the extra variables mentioned above.  The same can be said of counting vulnerabilities/fixes.  All software has bugs, and I would guess that if we limited examination only to software written by a team of thousands, containing tens of millions of lines of code, we could say that A and B must be assumed to have an approximately equal number of bugs, regardless of who those teams are comprised of.  Therefore, if more bugs are being found in A than B, there must be some external factor causing the increased findings.

I've used Linux/Unix + Apache + <insert other OSS> off and on personally and professionally for the last 5 years.  I've used Windows + IIS slightly more during the same period. My point (at long last): as important as security is, there has to be *something* besides claims of inherently superior security to sell me on a particular platform.  How about evaluating each situation individually and selecting the platform that best meets your needs across all important criteria for a given set of circumstances?  If one of those important criteria is familiarity, then weight that factor and apply it appropriately.

MacSqueeb
Monday, March 22, 2004

Apologies to Joel if I severely distorted the paraphrase above -- couldn't find the article I was thinking of.

MacSqueeb
Monday, March 22, 2004

MacSqueeb, well said.

Mike,

"Sure you have to patch Unix.  Not as much as Windows, and usually you don't reboot.  Windows has had too many vulns that's why it is swiss cheese. "

I dunno, it looks like I've had to patch Windows 2003 a lot less than say Solaris 9.  They look to be pretty close to me.

I'd also like to know how you decided what "too many" vulnerabilities are.  Surely you have some kind of threshold for "swiss cheese".  How many do you consider to be too many?  Do you honestly feel that you're safe with even one vulnerability on your system?

The lesson here:  No OS is more secure than any other one.  Security does not depend on your platform.  It depends on your administrator, and your system configuration.  A properly secured Windows network can be just as secure as a Unix one.  If you really believe your network is more secure just because you're running Unix, you're asking for trouble.

Myron A. Semack
Tuesday, March 23, 2004


Myron, wait one year then compare the Windows 2003 list with the Solaris 9 list.  Any bets which has more holes, more like swiss cheese?

Mike
Tuesday, March 23, 2004

"check out "SecureIIS" (use Google)"

Do you know how many products are on Google with this name?

Would it be possible for you to be just a little more specific?

Link Impaired
Tuesday, March 23, 2004

So how many patches make it "swiss cheese"?  Clearly you must have some number in mind.

How many is too many?  Do you really feel secure with even one vulnerability?

Myron A. Semack
Tuesday, March 23, 2004

As a developer of security software, I think this "who has more vulnerabilities" concept is idiotic.

In environments where security is an issue, the problem comes down to compartmentalization and auditing. If application X has a vulnerability, it should not lead to someone taking control of my box. Both Unix/Linux and Windows have flawed security models when viewed in this context. There are ways (kernel patches, special compilers, etc) to get around this on Unix/Linux, but Windows has always been problematic.

Some of Microsoft's recent forays into this field look promising. I like the prevention of stack-based attacks that you can enable on certain AMD processors.

Some of the clients I do business with have stringent requirements that devices in their network have mandatory-access control (versus discretionary), compartmentalization, and proper auditing.

Anon
Tuesday, March 23, 2004

"Some of Microsoft's recent forays into this field look promising. I like the prevention of stack-based attacks that you can enable on certain AMD processors."

That's an example of Microsoft's innovative approach to security? Cool. I'm glad I didn't believe all those people who talked about doing the same thing decades ago.  :)

(I'm sure it's a wonderful idea - you may want to watch where you're assigning the credit though.)


Tuesday, March 23, 2004

They're by no means the first. It's just good they finally decided to do it!

Anon
Tuesday, March 23, 2004
