> ... do you really believe that IIS is as secure as apache etc?
No, I don't believe it is. The biggest security flaw with IIS (one that
can't be patched or fixed in the current releases, I don't think) is that it
runs within the SYSTEM security context - which is essentially equivalent to
running as root on Unix. The reason IIS runs as SYSTEM is so that it can
perform impersonation of other users. This is how IIS can integrate so well
with Windows security (ACLs, user rights, etc.). Apache, even on Windows,
can be run as a less-privileged user. So, if an IIS exploit runs before the
impersonated user's security context kicks in, the exploit code runs as
SYSTEM, which is a very bad thing.
However, I don't recall any IIS buffer overflow exploits that can do this
without taking advantage of one of the ISAPI extensions that most people
don't use anyway, so if you've removed all those unused extensions, I
suspect you're pretty safe from that kind of attack. I don't think that any
buffer overflows are likely to turn up in the core IIS engine - if there
were, they'd have been found by now!
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
