Well Nancy - you were most likely hit with CodeRed. [anti-flame war hat on]
I like to think that I'm the ambassador for all OSes - I've used them all and my three favorites are Windows, OS X, and Linux right now. (Although I'm installing FreeBSD on second box in the background right now.) Back in the early days of both IIS and Apache - it was easy to install the system with no patches and get hacked - pure and simple. Now - we know what "least priveledges" means, how to NAT/firewall, etc. The problem with Windows and IIS is most users install it by default (which isn't the case for XP or 2003 anymore). Your standard Windows user is about 5 cans short of a 6 pack and has no idea what IIS even stands for. Many of you are linux geeks and you know how to protect your Apache - here are some hints for your IIS on 2000 and XP. (2003 ships with a secure base configuration) First and foremost, IIS Lockdown. This one does A LOT - so read the instructions carefully. http://www.microsoft.com/technet/security/tools/locktool.mspx URL Scan is an optional component of IIS Lockdown. It restricts the information being posted via IIS. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/ html/secmod114.asp Patterns and Practices: Securing your Web Server http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/ html/secmod89.asp NSA Security Configuration Guides http://www.nsa.gov/snac/ For IIS: http://www.nsa.gov/snac/downloads_miis.cfm?MenuID=scg10.3.1.4 And don't knock IIS too much; Apache has its problems too. Patch it - secure it - check it. There's not that many great single source guidelines for Apache. You'll find some information with the NSA (since they did all the SELinux stuff too) and some with Apache. http://httpd.apache.org/docs-2.0/misc/security_tips.html http://www.nsa.gov/selinux/index.cfm Put your pitch forks down... I'm just being fair. If you take a few minutes to make sure your setup is solid, you can make it work great like eWeek did for their OpenHack competition. The contest was to hack either the Apache/Oracle/Java or IIS/SQL/.NET setup. They both stood up well (the Oracle stack was hacked but it was due to the application itself being vulnerable and not the underlying software). Note - most systems are hacked through non-OS software such as Web Apps or simply by lack of proper administration (bad setup, not patched, etc). http://www.eweek.com/article2/0,1759,741388,00.asp /David. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nancy Anthracite Sent: Friday, April 22, 2005 5:27 PM To: hardhats-members@lists.sourceforge.net Subject: Re: [Hardhats-members] VistA Web Time for a web search for a work-around ... meanwhile, those with XP Pro have IIS as an option for their installation. Can they least try it or does it take something more than that, I wonder? Anyone who uses IIS, be careful. It is a popular target. A few years back I was using it to debug some code for a web site that was going to run on an IIS server. I got hit successfully with my first virus when I was using it. My screen blanked and a message came up, "You have been hacked by Chinese." I shut it down and reformatted the disk. After that, I didn't start it when my machine was connected to the Internet. On Friday 22 April 2005 04:54 pm, Mark Street wrote: > It looks to me like it is pretty much Windoze 2003 specific. Too bad.... > > Software Requirements.... from the installation document. > > Windows Server 2003 Enterprise, configured with the role of Application > Server Internet Information Services (IIS) 6.0 (installed by default as > part of the Application Server role) > Microsoft Visual J#.NET 2003 runtime component > .NET Framework 1.1 (part of the Windows Server 2003 operating system > default installation) > FTP services and an FTP folder (to be used as a staging location for > updates to VistAWeb) > SMTP Virtual Server > .NET Framework 1.1 is installed by default on Windows 2003 systems. > Services packs and updates to all three components are available through > Microsoft Windows update (http://windowsupdate.microsoft.com). > Web Extension Services set to allow ASP.NET extensions (see Figure 2) > > On Friday 22 April 2005 11:49, Nancy Anthracite wrote: > > Well, then I guess we will have to just figure out how to do that - > > tunnel it or whatever. We have only begun to fight! > > > > Actually, since the Hui project folks gave me that nice bound copy of the > > documentation, I think they have it going, but I think they said it uses > > an IIS server, which means we will have to see about Apache and all of > > that, too. It may be written with VB Script or something. I really > > haven't looked at it at all since I have been working on getting the > > CPRS/Wine problem licked - which we are finally making some progress on, > > I think/hope. -- Nancy Anthracite ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Hardhats-members mailing list Hardhats-members@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/hardhats-members ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_ide95&alloc_id396&op=click _______________________________________________ Hardhats-members mailing list Hardhats-members@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/hardhats-members