Internet Information Server - don´t do it

[Philipp 6]

Analysts are advising against using Microsoft´s Internet Information Server (IIS) because of its multitude of vulnerabilities that viruses like Nimda and Code Red exploit.

 

The Gartner Group has advised enterprises that had not yet made web server decisions to "weigh security heavily and to evaluate other web server software offerings" rather than opting straight out for IIS.

 

Read more

[gimp 0]

Microsoft is going to learn quite quickly that they are not the software engineers they think they are. While I'm sure they have internal security audits of their network software they just don't have the following that the true Unix, Linux, BSD, and other *nix variants have on the whole internet.

 

Its sad to say that Microsoft is looked upon as the bohemeth giant who writes software full of exploits, potential buffer overflows, and general security issues. This is why Yahoo, Ebay, Pay-Pal, and _most_ other web firms out there run *nix-based servers for their actual production machines and let the internal workers run the Windows platforms for day-to-day operations.

 

Microsoft likes to tie their non-operating system software into the operating system. Explorer, IIS, Active Directory..these are all issues Microsoft will have to realize that SOMEDAY people will come to their senses and realize that Microsoft is trying to do something impossible. This is why the Unix's out there continue to gain ground and perform server-side tasks so much better, especially Linux.

 

Of course the *nix environments have their fallbacks, but if you have the basic concept of navigating in a console environment and understand networking and network security there is NO REASON why the world of network administrators should be recommending Win32 and Win64 solutions to their IT managers and forcing companies to spend billions of extra dollars on software that costs money to upgrade. Yes commercial Unix operating systems do cost money, but I think Yahoo and Ebay do just fine with large clusters of FreeBSD boxes. Its been years since I've seen reports of Yahoo and Ebay being cracked and information being stolen.

 

I like the NT/Win2k platform as a desktop solution, because its stable and is low maintenance (if the end user isn't completely computer illeterate). But as for a web, ftp, and database solution, Microsoft has a lot of catching up to do. And in this catch up process they're making a lot of mistakes.

 

EDIT: And while we're on the topic of bad programming, I see a WebTrends logo on the bottom of this page. I briefly worked for WebTrends a couple years ago in their support department and found the company to be completely irresponsible and poorly managed when it came to fixing software bugs and resolving customer issues. I won't say what company, but one of WebTrends' best customers was on the verge of cancelling their multi-million dollar contract because the programmer responsible for resolving the problem this customer had was on vacation and wouldn't be addressed until he came back from the East Coast. I say, is that good business practice?

[clutch 1]

Personally, I like IIS. I don't have any problems with it, but then again I stay on top of updates, and use the utilities (like URLScan) that MS provides to block these exploit attempts that make the headlines. The bottom line is that IIS is easy to install and get running, so it takes a much less skilled person to maintain it. Therefore, almost anybody with NT/2K can have it running (sometimes on accident) and not have enough experience to realize they should be maintaining it. If *nix was more popular, then you would see more exploits for that platform than you do now. When I first started researching hacking 5-6 years ago, it was almost exclusively limited to getting into Unix systems, and there were plenty of exploits for them. Now, nobody seems to remember that anymore and it's easier to claim that MS writes poor code, and makes it super easy to hack anything they make. When you're that big, it's just hard to duck away from attack.

 

I am hoping that MS will make the default settings so strict on these newer OSs, that in order to even use them you have to be somewhat experienced in configuring systems in general (be it the OS, web services, etc) and that this will help filter out the casual user that just wants to install it and see what it does from the power user or seasoned admin that knows exactly what he/she wants to do.

 

IIS has made it much easier to bring out dynamic sites via ASP and ADO, that use common syntax forms amongst various programming platforms. It also makes searching the local server much more powerful via Index Server (yep, another exploit if not properly maintained) which can also be used for internal document control.

 

Overall, it works really well, but like anything that's "online", you have to stay on top of it.