Very good, intelligent responses, Rey and Dave.

Ultimately it comes down to responsible management in the form of expertise,
as you both allude to. I think you have a good point though, Dave, in saying
that IIS is maybe a little over-loaded. I read a report from some people
administering army.mil (or something like that) just today and its
conclusion rested on the same principle of awareness. Interestingly, their
conclusion was that for your 'average' set-up (read: no frills) the
most 'secure' server set-up (being less exposed) would probably be a Mac
with a vanilla web server.

This issue is so multi-faceted that it's impossible to cover specific needs
and unwise to generalise too much. One major issue in light of the recent Nimda
worm is that because there are many irresponsible IIS admins, these types of
worms can spread even further and faster than before. An unfortunate side
effect was articulated by our colleagues on one of the Flash lists:
people were being encouraged to increase their IE security settings to avoid
the infected servers (caused in part by IIS in combination with ActiveX -
both MS). The side effect being that people visiting Flash sites were
getting security 'warnings'. I've had one of our clients call citing people
not wanting to enter the web site because of these warnings.

If, as you suggest Dave, these 'features' could be turned off by default then
maybe that's a start... But it seems to me that MS is being targeted more
than anything else, and it's counterproductive to the development community
if MS's own software 'features and flaws' start interfering with our work in
other ways than just security (as the Flash example shows).

Benjamin



----- Original Message -----
From: "Rey Bango" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, September 26, 2001 6:45 AM
Subject: Re: Check out what Gartner is recommending. Drop IIS!


> > My point is that you would have less exposure to risk running alternatives
> > because they aren't a massive target like IIS is.
>
> Sorry bud but you're exposed with every server. I've got a T1 running in
> here and I scan the logs. I get probed all of the time on all different
> types of ports and as I mentioned before, MS is just the flavor of the
> month. Don't be surprised that while everyone is making a big deal about
> IIS, someone's already coming out with a new worm for Linux. There was a nice
> juicy one just awhile ago that really slapped around several Linux admins.
>
> You are exposed at the moment that you connect *any* server or PC, with any
> OS, to the Net and to assume that you would have less exposure to risk by
> not using MS/IIS would be naive. *YOU* are the main determining factor in
> how secure your box will be. Yes, applying patches is a PITA but it's part of
> what goes with running a publicly accessible web server.
>
> Here's my take on this, regardless of OS. If a person does not know how to
> properly manage their box or doesn't have the time to do it, then:
>
> 1) They shouldn't be putting it out on the Net, or
> 2) They should hire someone to do it.
>
> The management of a webserver is essentially a full-time job and most people
> treat that responsibility in a half-ass way. Then, when they get hacked,
> they blame the OS. It's like raising a child. If you're not prepared to do it
> the right way, then abstain, wear protection or stay celibate! hehe.
>
> Thanks for the opinions, bud.
>
> Rey...
>
>
> >
> > Benjamin
> >
> >
> > ----- Original Message -----
> > From: "Costas Piliotis" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 26, 2001 6:19 AM
> > Subject: RE: Check out what Gartner is recommending. Drop IIS!
> >
> >
> > > You know it's funny though.  A quick search at www.securiteam.com shows
> > > that Apache and iPlanet have many vulnerabilities as well.  Think perhaps
> > > that the research is simply political?  Hackers seem to actually target IIS
> > > boxes likely for their hatred of Micro$oft.  I think there's more to this
> > > than meets the eye...
> > >
> > > Remember, nothing's ever secure.  As stated in the movie The Score: "If
> > > someone built it, someone can break it".
> > >
> > >
> > > -----Original Message-----
> > > From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, September 25, 2001 12:42 PM
> > > To: CF-Talk
> > > Subject: Re: Check out what Gartner is recommending. Drop IIS!
> > >
> > >
> > > Maybe a little OT, but my 2c.
> > >
> > > I wouldn't call that stupid at all.
> > > Consider all of the attacks aimed squarely at IIS in the past few months.
> > > It's only going to increase. I've had personal experience with being hacked.
> > > I run 2 internal IIS development boxes for CF and an internal hack replaced
> > > *ALL* index.htm, default.htm files in all folders in the web serving
> > > directory. Luckily more files were cfm.
> > >
> > > I'm not a 'server' admin (by title) but I can thank MS for this. If they
> > > released a tighter web server with fewer vulnerabilities maybe there would
> > > be fewer viruses/hacks that could penetrate. People shouldn't need to have
> > > to patch every week.
> > >
> > > Doesn't that fact indicate that just *maybe* the software itself is pretty
> > > shaky?
> > >
> > > Consider this quote from the article,
> > >
> > > "Gartner remains concerned that viruses and worms will continue to attack
> > > IIS until Microsoft has released a completely rewritten, thoroughly and
> > > publicly tested, new release of IIS,"
> > >
> > > Rewritten. That would be a good idea. Try to imagine a pair of pants with
> > > as many 'security' patches as is and will continue to be required for IIS.
> > > I'd say the pants would be more patches than pants.
> > >
> > > Just a thought,
> > >
> > > Benjamin
> > >
> > > PS maybe apache would be a good alternative.
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Rey Bango" <[EMAIL PROTECTED]>
> > > To: "CF-Talk" <[EMAIL PROTECTED]>
> > > Sent: Wednesday, September 26, 2001 3:03 AM
> > > Subject: OT: Check out what Gartner is recommending. Drop IIS!
> > >
> > >
> > > > Now, I've always found Gartner to sway in a particular direction based
> > > > on the wind changes and the phases of the moon but this recommendation
> > > > is just plain stupid. Check it out:
> > > >
> > > > http://news.cnet.com/news/0-1003-200-7294516.html
> > > >
> > > > Rey Bango
> > > >
> > > >
> > > >
> > >
> > >
> >
> 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
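Added example, not code from anyone in the thread above. Rey mentions scanning
his logs for probes and Benjamin brings up Nimda, so here is the check a
practitioner would actually run: a script that reads Common Log Format access
log lines and flags the request shapes Nimda sent at IIS (root.exe, and
cmd.exe reached through percent-encoded, double-encoded and overlong-UTF-8
directory traversal), then counts flagged requests per source host so an
infected neighbour stands out from a stray request. The log lines, client
addresses and timestamps are constructed for the example, and the function
names (normalize, classify, scan_log, probing_hosts) are my own.

```python
"""Flag Nimda-style IIS probe requests in web server access logs.

Added example for this thread, not code from any poster. The log lines at the
bottom are constructed; the request shapes are the ones Nimda sent to IIS
(root.exe, and cmd.exe reached through encoded directory traversal).
"""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Malformed / overlong UTF-8 byte pairs that unpatched IIS decoded as path
# separators (the folder-traversal forms Nimda used), mapped to the separator.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}


def normalize(path: str) -> str:
    """Canonicalise a request path the way a vulnerable server ends up seeing it.

    Percent-decodes repeatedly (bounded), so double-encoded traversal such as
    ..%252f.. and ..%%35%63.. collapse to ../ and ..\\; then maps the overlong
    UTF-8 pairs to separators, folds backslashes to slashes and lowercases.
    """
    raw = path.encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for pair, sep in OVERLONG.items():
        raw = raw.replace(pair, sep)
    return raw.replace(b"\\", b"/").decode("latin-1").lower()


def classify(path: str) -> set:
    """Return the probe indicators found in one request path (empty if benign)."""
    canon = normalize(path)
    tags = set()
    if "../" in canon:
        tags.add("traversal")
    if "root.exe" in canon:          # backdoor copy of cmd.exe left by Code Red II
        tags.add("root.exe")
    if "cmd.exe" in canon:
        tags.add("cmd.exe")
    if "/winnt/system32/" in canon:
        tags.add("system32")
    if "?/c+dir" in canon:           # the command Nimda ran to test for a shell
        tags.add("cmd-arg")
    # Only note encoding tricks when there is something to hide; a plain
    # %20 in an ordinary file name is not an indicator on its own.
    if tags and canon != path.lower():
        tags.add("encoded")
    return tags


def scan_log(lines):
    """Return (client_ip, path, tags) for every request carrying probe indicators."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                 # not CLF; skip rather than guess
        ip, _ts, _method, path, _status = m.groups()
        tags = classify(path)
        if tags:
            hits.append((ip, path, tags))
    return hits


def probing_hosts(lines, threshold=3):
    """Source IPs with at least `threshold` flagged requests. Nimda walked
    whole netblocks with a burst of probes, so one odd request is noise but
    a burst from a single host is an infected neighbour worth blocking."""
    counts = Counter(ip for ip, _path, _tags in scan_log(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample: one infected host probing, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2001:13:31:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 302',
    '203.0.113.7 - - [18/Sep/2001:13:31:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302',
    '203.0.113.7 - - [18/Sep/2001:13:31:03 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302',
    '203.0.113.7 - - [18/Sep/2001:13:31:04 -0400] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302',
    '203.0.113.7 - - [18/Sep/2001:13:31:04 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302',
    '203.0.113.7 - - [18/Sep/2001:13:31:05 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302',
    '203.0.113.7 - - [18/Sep/2001:13:31:05 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302',
    '203.0.113.7 - - [18/Sep/2001:13:31:06 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302',
    '198.51.100.23 - - [18/Sep/2001:13:32:10 -0400] "GET /index.cfm HTTP/1.1" 200 5120',
    '198.51.100.23 - - [18/Sep/2001:13:32:11 -0400] "GET /images/logo.swf HTTP/1.1" 200 18331',
]

if __name__ == "__main__":
    for ip, path, tags in scan_log(SAMPLE_LOG):
        print(ip, sorted(tags), path)
    print("probing hosts:", probing_hosts(SAMPLE_LOG))
```

Run it as-is and the eight probe lines are flagged while the two ordinary
requests are not; on a real log, feed the file's lines to scan_log and
probing_hosts instead of SAMPLE_LOG. The decoding step matters more than the
string matches: a grep for "cmd.exe" misses the %%35%63 and %252f variants
until the path has been decoded the way the server decodes it, and the 404s
in the sample do not mean the box is safe, only that this particular server
did not have the script mappings the probe was looking for.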
