Re: Check out what Gartner is recommending. Drop IIS!

2001-09-26 Thread Larry W. Virden

from: Rey Bango [EMAIL PROTECTED]

 Replacing every IIS box makes absolutely no business sense and the cost
 would be astronomical. 

Depends on whether it is replaced with a free open source alternative like
AOLServer or Apache or whether it is replaced with a commercial alternative.
-- 
Never apply a Star Trek solution to a Babylon 5 problem.
Larry W. Virden mailto:[EMAIL PROTECTED] URL: http://www.purl.org/NET/lvirden/
Even if explicitly stated to the contrary, nothing in this posting should 
be construed as representing my employer's opinions.
~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



Re: Check out what Gartner is recommending. Drop IIS!

2001-09-26 Thread Larry W. Virden

from: Costas Piliotis [EMAIL PROTECTED]

 You know it's funny though.  A quick search at www.securiteam.com shows that
 Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
 the research is simply political?  Hackers seem to actually target IIS boxes
 likely for their hatred of Micro$oft.  I think there's more to this than
 meets the eye...  

If this is the case, then I would expect that no rewrite is ever going to
exist to protect people using IIS.  I too would recommend that people run
as fast as possible from IIS simply because of its association with such a
'hated' company...
-- 
Never apply a Star Trek solution to a Babylon 5 problem.
Larry W. Virden mailto:[EMAIL PROTECTED] URL: http://www.purl.org/NET/lvirden/
Even if explicitly stated to the contrary, nothing in this posting should 
be construed as representing my employer's opinions.



Re: Check out what Gartner is recommending. Drop IIS!

2001-09-26 Thread Rey Bango

Larry,

I replied directly to you because we were asked to move this to
cf-community.

Rey...

- Original Message -
From: Larry W. Virden [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 8:44 AM
Subject: Re: Check out what Gartner is recommending. Drop IIS!


 from: Rey Bango [EMAIL PROTECTED]

  Replacing every IIS box makes absolutely no business sense and the cost
  would be astronomical.

 Depends on whether it is replaced with a free open source alternative like
 AOLServer or Apache or whether it is replaced with a commercial alternative.
 --
 Never apply a Star Trek solution to a Babylon 5 problem.
 Larry W. Virden mailto:[EMAIL PROTECTED] URL: http://www.purl.org/NET/lvirden/
 Even if explicitly stated to the contrary, nothing in this posting should
 be construed as representing my employer's opinions.
 



RE: Check out what Gartner is recommending. Drop IIS!

2001-09-26 Thread Neil Clark

Replace IIS with whatever you want - but you have to see it this way - if
something goes tits-up; Microsoft will and can help - the Apache group will
simply lull in its little "oh we hate Microsoft" world.

On a side note I really wish people would stop coming down on Microsoft (and
no I am not a MS employee...but I have just had a meeting with total anti-MS
spods and it's feking p-ed me off...) They spend $ millions on development
and these nonces simply just dismiss things as useless but the Microsoft
people are FAR FAR MORE intelligent than these Open Source chaps and
chapesses.

The truth of it is, most New Media work requires Windows-based software -
Apple has its place but as unstable as it is, can't be seriously considered
as an alternative...far far too unstable.

Sorry just livid at these muppets that don't understand development time over
cost price - jeex, I thank a company which spends $ millions on development
and you have to part with what oh! $1k of your dollars/pounds/whatever!...
not exactly a hard trade off

just my $0.02 and it does take people's minds off the ongoing nonsense and
debacle :-)

Neil








RE: Check out what Gartner is recommending. Drop IIS!

2001-09-26 Thread Richard Kuryk

> the Microsoft people are FAR FAR MORE intelligent than these Open Source
> chaps and chapesses.

Microsoft only has so many developers when the open source world pulls from
unlimited numbers of developers all with their own backgrounds and
experience to add.  In addition to that, everyone is freely available to
review the source code, so you get many more eyes catching bugs or
potential exploits.

> The truth of it is, most New Media work requires Windows Based software

Most of the motion picture industry is moving/moved in the Linux direction.
Dreamworks and ILM are now running Linux for workstations and their
rendering farms.

I think one of the main problems with IIS is that most Windows systems are
easy to configure, so you get people who probably just got an MCSE from some
internet site and don't really know how to secure a Windows machine
properly.


 -Original Message-
 From: Neil Clark [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, September 26, 2001 9:41 AM
 To: CF-Talk
 Subject: RE: Check out what Gartner is recommending. Drop IIS!
 
 
 Replace IIS with whatever you want - but you have to see it this way - if
 something goes tits-up; Microsoft will and can help - the Apache group will
 simply lull in its little "oh we hate Microsoft" world.

 On a side note I really wish people would stop coming down on Microsoft (and
 no I am not a MS employee...but I have just had a meeting with total anti-MS
 spods and it's feking p-ed me off...) They spend $ millions on development
 and these nonces simply just dismiss things as useless but the Microsoft
 people are FAR FAR MORE intelligent than these Open Source chaps and
 chapesses.

 The truth of it is, most New Media work requires Windows-based software -
 Apple has its place but as unstable as it is, can't be seriously considered
 as an alternative...far far too unstable.

 Sorry just livid at these muppets that don't understand development time over
 cost price - jeex, I thank a company which spends $ millions on development
 and you have to part with what oh! $1k of your dollars/pounds/whatever!...
 not exactly a hard trade off

 just my $0.02 and it does take people's minds off the ongoing nonsense and
 debacle :-)

 Neil
 
 
 
 
 
 



RE: Check out what Gartner is recommending. Drop IIS!

2001-09-26 Thread Neil Clark

You saying it's hard to get a MS Cert :-) I agree that for workstations
Linux does seem a good choice - but let's be fair a nice little Server farm of
NT or Unix can't be beat and let's be fair - Linus has an awful haircut




RE: Check out what Gartner is recommending. Drop IIS!

2001-09-26 Thread Jeffry Houser

At 11:15 AM 09/26/2001 -0400, you wrote:
>> the Microsoft people are FAR FAR MORE intelligent than these Open Source
>> chaps and chapesses.
>
> Microsoft only has so many developers when the open source world pulls from
> unlimited numbers of developers all with their own backgrounds and
> experience to add.  In addition to that, everyone is freely available to
> review the source code, so you get many more eyes catching bugs or
> potential exploits.

  My one thing to add here is that...
  I will give Microsoft credit for being a lot more organized than the open 
source chaps.  I think they both have benefits.


>> The truth of it is, most New Media work requires Windows Based software
>
> Most of the motion picture industry is moving/moved in the Linux direction.
> Dreamworks and ILM are now running Linux for workstations and their
> rendering farms.

  I know at my last full-time job, they had an SGI (Silicon Graphics I 
forget what the I stands for) which was used for rendering 3D images. I 
seem to remember the operating system being some UNIX variant; but I never 
used the system myself.
  I thought that the BE OS was a specialized (or optimized) OS for digital 
media (such as touching up film on a movie) but once again I'm not an 
expert here.
   If by 'new media' you meant something on the web...  I think that an end 
resultant file that will run in Windows Media Player would be an ideal goal.



--
Jeffry Houser | mailto:[EMAIL PROTECTED]
AIM: Reboog711  | ICQ: 5246969 | Fax / Phone: 860-223-7946
--
I'm looking for a room-mate in the Hartford CT area, starting in October
--
DotComIt: Database Driven Web Data
My Book: Instant ColdFusion 5.0  | http://www.instantcoldfusion.com
--
Far Cry Fly, Alternative Folk Rock
http://www.farcryfly.com | http://www.mp3.com/FarCryFly
--
A friend is someone who knows how to spell your name.



RE: Check out what Gartner is recommending. Drop IIS!

2001-09-26 Thread Costas Piliotis

You start off making some valid points.  However.

Regarding patching:  you're telling me there's never been an Apache patch?
How about an iPlanet patch?  And you can apply it without restarting any
daemons?  Right.  No Apache patches.  Ever.  They come perfect, right out of
the box, every time.  I think they DO have patches, they just call them
REVISIONS.

Regarding reboot while patching IIS:  three days out of 90.  Not bad.  One
day a month maintaining an IIS box.  Big deal. 

The TV analogy:  Ever seen the watch that will serve as a remote control?
We still buy the TV.  People can hack cell phone calls, yet we still use
them.  Phone lines can be tapped, we still use the phone.  My car got broken
into last week.  The autobody shop said Locks are meant to keep honest
people out.  If someone wants in, really, they'll get in eventually.  You
can't stop them.  You can only make the effort to keep it difficult.

I like what they said in The Score: If someone built it, it can be taken
apart.  Don't for a second think that *nix is any more secure than WinBlows.

Nobody has forced you to accept appallingly poor quality software simply
because the majority don't know.  The majority DOES know I'm afraid.  If
YOU don't like it, switch professions.  Be thankful you have a job.  I am.
Without this majority, there wouldn't be the need for IT professionals.
That's the way the world works.  It's not like a virus has never been
written for *nix, or a worm, or a DoS attack, or bad code.  It's a way of
life in IT.


-Original Message-
From: Toby Tremayne [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 25, 2001 10:02 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!


<cfwhinge>
I'm sorry - I've been avoiding it but I have to jump in here...

I keep reading on this list and others, and in so many news articles about
Windows only being targeted because it's the most popular, and about it
being down to irresponsible admins etc etc.  Both of these points are in
some ways valid, but to me these people seem to be missing the point.

Yes, less of this would happen if admins were responsible and used all
the latest patches etc etc.  But what am I missing here - why is it nobody
seems to see that the entire concept of Windows and IIS patches is the
problem in the first place - we need to patch our servers because they are
a) in some places so pathetically coded and/or untested that they break down
and let all kinds of nonsecure access through and b) at development time it
is obviously decided that security is not cost effective to implement.

These worms are all aimed at the fact that Explorer/IIS/Outlook let you
arbitrarily execute all kinds of foreign code or local commands without any
kind of checking or restraint whatsoever.  And yes perhaps there are patches
for the majority of these - but they should never have been released
requiring those patches in the first place.  Windows is targeted not purely
because of its market share but because it makes possible the functions of
these worms.  I don't agree with the idea that there are more Windows based
hackers than Unix based hackers - the thought is ludicrous - and it makes
little difference.  You don't need any great level of expertise to write one
of these things, and as bad as the last year or two have become it's
astounding there aren't more of them.  And still Microsoft continues to
release software with these vulnerabilities coded into them - and we
continue to buy them.

Look at it this way, if someone made a television that did all the
normal stuff, but had an extra feature that let anyone arbitrarily connect
to it and start changing your channels, you'd never buy it.  And if you'd
already bought it and later found out, you'd kick up an enormous stink.  It
ought to be no different with software - especially software that's mission
critical and costs you large sums of money when it fails - not to mention
inadvertently hammering the daylights out of *other* people's software
without you being able to stop it.

These are just my opinions, but I'm seriously tired of the fact that we
who know better get forced to accept appallingly poor quality software simply
because the majority don't know or care what the problems are and follow the
upgrade paths dished out to them.  We don't help this situation any when we
let these kind of arguments ride without pointing out the truth.

</cfwhinge>

cheers,

Toby
P.S.  Just for the record, I too run Win2K, IIS, AND Linux


 Life is poetry, write it in your own words



Toby Tremayne
Architect / Developer
Code Poet and Zen Master of the Heavy Sleep
MercuryRed
Lvl 9, 123 Queen st
Melbourne
VIC 3000
p: +61 3 9605 5035
m: +61 416 048 090
ICQ: 13107913

Re: Check out what Gartner is recommending. Drop IIS!

2001-09-26 Thread Benjamin Falloon

Amen.

- Original Message -
From: Jeremy Allen [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 7:03 AM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 It is not reasonably difficult to secure a system against
 these worms. Every single security weakness Nimda exploited
 already had a patch. Our development server never missed
 a beat, and is publicly visible on the Internet.

 I do think security is mostly relative to your administrator,
 and somewhat on your operating system and web serving software.
 I think the human factor, as in the administrators, is the bigger
 issue here. Nothing against anyone but any good admin following
 procedure could have secured their systems against this.

 That said, IIS is thrust into the hands of unsuspecting users
 who are NOT system administrators. Your average business user
 does not have a clue about securing a NT system. Yet the tool
 is run by default and put into the hands of business users on
 fat net pipes. I also see it proliferate extremely virally on
 my DSL subnet. This says to me that people have IIS running
 and are probably not even aware they have been hit and are
 infecting others, of course this statement is largely based
 on assumptions, no other explanation works very well since the
 fixes for these worms were out before Code Red.

 Herein lies my real complaint with this situation. IIS should
 not be turned on and should not be used by people who know what
 they are doing. Microsoft helps propagate these kind of worms
 by insecure default configurations. Whereas, if you actually
 turn IIS on somehow, you probably have a much better clue
 about what you're doing. Of course, I have seen default installations
 of RedHat come with remotely exploitable holes. Solaris with a
 default installation is a joke, pick your root kit and have at it.

 I do believe Apache is not *inherently* more secure. However
 I will raise a challenge to say that Apache tends to have
 less severe bugs, the frequency is less often, and you can
 fix the bug yourself, or quickly get a patch for it, without
 reliance on Microsoft. The architecture is generally more
 well known, and the software is at this point, rather nice.
 I run Apache on my W2K system at home, no remote exploits or
 even regular exploits to hit my machine, I am still waiting.

 So there will always be Microsoft hates, but whatever works. If
 your machines get hit by this a lot, and you lose a lot of time
 on stuff like this; hit the books and be sensible about using
 software, any software, on the Internet. Knowledge is the only
 real way to stop these kind of bugs from being proliferated. :-D

 Thanks

 Jeremy Allen
 elliptIQ Inc.
 -Original Message-
 From: Tony Gruen [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 4:44 PM
 To: CF-Talk
 Subject: RE: Check out what Gartner is recommending. Drop IIS!


 It comes down to responsible administration. We have watched this come and
 still going on without incident and several IIS servers.

 Tony Gruen
 sfnetworks


 



RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Paul Sizemore

When I read this from Gartner I rejoiced; check out how MS is responding @
http://www.theregister.co.uk/content/55/21869.html 

Paul Sizemore

Finish Line
3308 N Mitthoeffer Rd
Indianapolis, IN 46235
W: 317-899-1022 ext 3516


-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 12:03 PM
To: CF-Talk
Subject: OT: Check out what Gartner is recommending. Drop IIS!

Now, I've always found Gartner to sway in a particular direction based in
the wind changes and the phases of the moon but this recommendation is just
plain stupid. Check it out:

http://news.cnet.com/news/0-1003-200-7294516.html

Rey Bango






Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

Paul,

Rejoicing for a more secure product is certainly understandable but
Gartner's recommendation to dump IIS altogether is just plain dumb.
Replacing every IIS box makes absolutely no business sense and the cost
would be astronomical. In addition, a bigger part of the issue is the way
security, in general, is handled. Security through obscurity is not the way
to deal w/ a publicly accessible box and that seems to be the trend. I've
seen the way that many admins work (whether by choice or, in most cases,
because they're overworked) and they tend to ignore security advisories.

I am glad, however, that the report lit a fire under Microsoft's butt so
that people can continue to use a good web serving platform w/out having to
shift focus to a totally foreign platform (eg: Linux/Apache or Sun/iPlanet).

My 2 cents.

Rey...


- Original Message -
From: Paul Sizemore [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 2:00 PM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 When I read this from Gartner I rejoiced; check out how MS is responding @
 http://www.theregister.co.uk/content/55/21869.html

 Paul Sizemore

 Finish Line
 3308 N Mitthoeffer Rd
 Indianapolis, IN 46235
 W: 317-899-1022 ext 3516


 -Original Message-
 From: Rey Bango [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 12:03 PM
 To: CF-Talk
 Subject: OT: Check out what Gartner is recommending. Drop IIS!

 Now, I've always found Gartner to sway in a particular direction based in
 the wind changes and the phases of the moon but this recommendation is
 just plain stupid. Check it out:

 http://news.cnet.com/news/0-1003-200-7294516.html

 Rey Bango



 



Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Benjamin Falloon

Maybe a little OT, but my 2c.

I wouldn't call that stupid at all.
Consider all of the attacks aimed squarely at IIS in the past few months.
It's only going to increase. I've had personal experience with being hacked.
I run 2 internal IIS development boxes for CF and an internal hack replaced
*ALL* index.htm, default.htm files in all folders in the web serving
directory. Lucky more files were cfm.

I'm not a 'server' admin (by title) but I can thank MS for this. If they
released a tighter web server with less vulnerabilities maybe there would be
fewer viruses/hacks that could penetrate. People shouldn't need to have to
patch every week.

Doesn't that fact indicate that just *maybe* the software itself is pretty
shaky?

Consider this quote from the article,

Gartner remains concerned that viruses and worms will continue to attack
IIS until Microsoft has released a completely rewritten, thoroughly and
publicly tested, new release of IIS,

Rewritten. That would be a good idea. Try to imagine a pair of pants with as
many 'security' patches as is and will continue to be required for IIS. I'd
say the pants would be more patches than pants.

Just a thought,

Benjamin

PS maybe apache would be a good alternative.



- Original Message -
From: Rey Bango [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 3:03 AM
Subject: OT: Check out what Gartner is recommending. Drop IIS!


 Now, I've always found Gartner to sway in a particular direction based in
 the wind changes and the phases of the moon but this recommendation is
 just plain stupid. Check it out:

 http://news.cnet.com/news/0-1003-200-7294516.html

 Rey Bango


 



RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Costas Piliotis

You know it's funny though.  A quick search at www.securiteam.com shows that
Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
the research is simply political?  Hackers seem to actually target IIS boxes
likely for their hatred of Micro$oft.  I think there's more to this than
meets the eye...  

Remember, nothing's ever secure.  As stated in the movie The Score: If
someone built it, someone can break it.


-Original Message-
From: Benjamin Falloon [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 25, 2001 12:42 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!


Maybe a little OT, but my 2c.

I wouldn't call that stupid at all.
Consider all of the attacks aimed squarely at IIS in the past few months.
It's only going to increase. I've had personal experience with being hacked.
I run 2 internal IIS development boxes for CF and an internal hack replaced
*ALL* index.htm, default.htm files in all folders in the web serving
directory. Lucky more files were cfm.

I'm not a 'server' admin (by title) but I can thank MS for this. If they
released a tighter web server with less vulnerabilities maybe there would be
fewer viruses/hacks that could penetrate. People shouldn't need to have to
patch every week.

Doesn't that fact indicate that just *maybe* the software itself is pretty
shaky?

Consider this quote from the article,

Gartner remains concerned that viruses and worms will continue to attack
IIS until Microsoft has released a completely rewritten, thoroughly and
publicly tested, new release of IIS,

Rewritten. That would be a good idea. Try to imagine a pair of pants with as
many 'security' patches as is and will continue to be required for IIS. I'd
say the pants would be more patches than pants.

Just a thought,

Benjamin

PS maybe apache would be a good alternative.



- Original Message -
From: Rey Bango [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 3:03 AM
Subject: OT: Check out what Gartner is recommending. Drop IIS!


 Now, I've always found Gartner to sway in a particular direction based 
 in the wind changes and the phases of the moon but this recommendation 
 is just plain stupid. Check it out:

 http://news.cnet.com/news/0-1003-200-7294516.html

 Rey Bango


 




Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Benjamin Falloon

Sure, I'm not saying that either Apache or other web servers don't have
holes, but running IIS is like walking around with a 'kick me' sign stuck to
your back knowing full well it's there.

People don't usually write viruses/worms for Apache and other web servers...
they usually just hack them which is always possible, but with IIS people
are writing automated viruses/worms. I'd rather be hacked by a hacker with
a sense of humour than have my whole web serving directory nuked by an
automated program.

My point is that you would have less exposure to risk running alternatives
because they aren't a massive target like IIS is.

Benjamin


- Original Message -
From: Costas Piliotis [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 6:19 AM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 You know it's funny though.  A quick search at www.securiteam.com shows that
 Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
 the research is simply political?  Hackers seem to actually target IIS boxes
 likely for their hatred of Micro$oft.  I think there's more to this than
 meets the eye...

 Remember, nothing's ever secure.  As stated in the movie The Score: If
 someone built it, someone can break it.


 -Original Message-
 From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 12:42 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!


 Maybe a little OT, but my 2c.

 I wouldn't call that stupid at all.
 Consider all of the attacks aimed squarely at IIS in the past few months.
 It's only going to increase. I've had personal experience with being hacked.
 I run 2 internal IIS development boxes for CF and an internal hack replaced
 *ALL* index.htm, default.htm files in all folders in the web serving
 directory. Lucky more files were cfm.

 I'm not a 'server' admin (by title) but I can thank MS for this. If they
 released a tighter web server with less vulnerabilities maybe there would be
 fewer viruses/hacks that could penetrate. People shouldn't need to have to
 patch every week.

 Doesn't that fact indicate that just *maybe* the software itself is pretty
 shaky?

 Consider this quote from the article,

 Gartner remains concerned that viruses and worms will continue to attack
 IIS until Microsoft has released a completely rewritten, thoroughly and
 publicly tested, new release of IIS,

 Rewritten. That would be a good idea. Try to imagine a pair of pants with as
 many 'security' patches as is and will continue to be required for IIS. I'd
 say the pants would be more patches than pants.

 Just a thought,

 Benjamin

 PS maybe apache would be a good alternative.



 - Original Message -
 From: Rey Bango [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 3:03 AM
 Subject: OT: Check out what Gartner is recommending. Drop IIS!


  Now, I've always found Gartner to sway in a particular direction based
  in the wind changes and the phases of the moon but this recommendation
  is just plain stupid. Check it out:
 
  http://news.cnet.com/news/0-1003-200-7294516.html
 
  Rey Bango
 
 
 

 



Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

My sentiments exactly, Costas.

Rey Bango...

- Original Message -
From: Costas Piliotis [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 4:19 PM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 You know it's funny though.  A quick search at www.securiteam.com shows that
 Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
 the research is simply political?  Hackers seem to actually target IIS boxes
 likely for their hatred of Micro$oft.  I think there's more to this than
 meets the eye...

 Remember, nothing's ever secure.  As stated in the movie The Score: If
 someone built it, someone can break it.


 -Original Message-
 From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 12:42 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!


 Maybe a little OT, but my 2c.

 I wouldn't call that stupid at all.
 Consider all of the attacks aimed squarely at IIS in the past few months.
 It's only going to increase. I've had personal experience with being hacked.
 I run 2 internal IIS development boxes for CF and an internal hack replaced
 *ALL* index.htm, default.htm files in all folders in the web serving
 directory. Lucky more files were cfm.

 I'm not a 'server' admin (by title) but I can thank MS for this. If they
 released a tighter web server with less vulnerabilities maybe there would be
 fewer viruses/hacks that could penetrate. People shouldn't need to have to
 patch every week.

 Doesn't that fact indicate that just *maybe* the software itself is pretty
 shaky?

 Consider this quote from the article,

 Gartner remains concerned that viruses and worms will continue to attack
 IIS until Microsoft has released a completely rewritten, thoroughly and
 publicly tested, new release of IIS,

 Rewritten. That would be a good idea. Try to imagine a pair of pants with as
 many 'security' patches as is and will continue to be required for IIS. I'd
 say the pants would be more patches than pants.

 Just a thought,

 Benjamin

 PS maybe apache would be a good alternative.



 - Original Message -
 From: Rey Bango [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 3:03 AM
 Subject: OT: Check out what Gartner is recommending. Drop IIS!


  Now, I've always found Gartner to sway in a particular direction based
  in the wind changes and the phases of the moon but this recommendation
  is just plain stupid. Check it out:
 
  http://news.cnet.com/news/0-1003-200-7294516.html
 
  Rey Bango
 
 
 

 



Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

Thanks for the feedback bud but I still disagree. IIS and Microsoft are just
the flavor of choice now for the cracker community. If you go to
SecurityFocus.com, you'll see that both Linux and Apache have a long history
of security issues. Look up Sun and you'll find the same thing. If we were
to call IIS shaky simply because of the current security issues, then I'm
not exactly sure what to call the other operating systems that at one time
had many security breaches and to this day, still have to constantly patch
their implementations.

I truly hope MS is sincere in their statement of rewriting IIS but
inevitably, there are still going to be hacks. The strongest OS that I've
seen publicly available is OpenBSD and that's because they audit *every*
line of code in their BSD offering and many of the accompanying packages.
Those that can't be audited are put into a ports tree and an advisory is
specified accordingly. Anyone that would come out and say that SunOS, Linux
or FreeBSD (very good webserving alternatives) are without security issues
would be a liar.

I certainly acknowledge that IIS & WinNT/2K have some security issues but I
have seen and experienced the same thing on other OSes.

As for Gartner, like I mentioned originally, they sway with the wind. I find
them to be very good sometimes and VERY crappy on other occasions. I've seen
their reports for the last eight years, through the client/server days and
now with ecommerce and, frankly, have seen a steady decline in their
analysis of anything. It's almost as if they just hire any schmoe to do a
review of some business practice, regardless of that person's skills or past
experiences. I remember when they smacked Sybase around because they didn't
have row-level locking when in reality, 90% of DBMS users, at that point,
had no need for that feature because they weren't in a high-OLTP
environment. It was stupid and this latest report is right in line w/ the
deteriorating level of their reports. It makes very poor fiscal sense for a
large corporation to drop critical web servers and start a huge migration to
a new platform of which they probably have no knowledge. You want to see a
real security mess? Get a bunch of MS-focused companies to switch to Linux
and watch the crackers have fun. Then let's see what Gartner would have to
say.

A better argument would've been to recommend that companies start taking
security seriously and invest in training their existing staff as well as
supplementing those overburdened admins.

Rey...




RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Paul Sizemore

We have a handful of servers that were affected by Code Red and Nimda. Nimda
shut us down for over 36 hours (complete shutdown - in a panic). It came in
through a shared drive before we could cut it off (the Network Admin didn't
know it was shared to a third party). I hate to think how much this cost us.

The Gartner report said for those companies affected by both viruses. That
implies companies that do not have a Security Administrator, or companies
that are at risk for contracting these types of viruses. Also, as you
suggested, I'm sure the author meant to light a fire under MS.

I don't make the decisions as to what OS our servers run, but TCO is getting
to be pretty outstanding on our (MS) servers, especially the ones that could
easily be hosted on another OS. Don't get me wrong, MS servers are great,
but we don't need all of those features on some of our servers.



-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 1:59 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!

Paul,

Rejoicing for a more secure product is certainly understandable but
Gartner's recommendation to dump IIS altogether is just plain dumb.
Replacing every IIS box makes absolutely no business sense and the cost
would be astronomical. In addition, a bigger part of the issue is the way
security, in general, is handled. Security through obscurity is not the way
to deal w/ a publicly accessible box and that seems to be the trend. I've
seen the way that many admins work (whether by choice or, in most cases,
because they're overworked) and they tend to ignore security advisories.

I am glad, however, that the report lit a fire under Microsoft's butt so
that people can continue to use a good web serving platform w/out having to
shift focus to a totally foreign platform (eg: Linux/Apache or Sun/iPlanet).

My 2 cents.

Rey...


- Original Message -
From: Paul Sizemore [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 2:00 PM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 When I read this from Gartner I rejoiced; check out how MS is responding @
 http://www.theregister.co.uk/content/55/21869.html

 Paul Sizemore

 Finish Line
 3308 N Mitthoeffer Rd
 Indianapolis, IN 46235
 W: 317-899-1022 ext 3516





RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Tony Gruen

It comes down to responsible administration. We have watched this come and
still going on without incident and several IIS servers.

Tony Gruen
sfnetworks

~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Billy Cravens

At this point, this is probably true.

The security landscape changes with time, and as professionals, we must
change with it.  We should be willing to learn other platforms if IIS
isn't the best solution; we must also guard against the Microsoft
bigotry that runs rampant.  If this was Apache, people would say, "There
are costs to the freedom that the open source revolution brings us!"  If
it's IIS, "Typical Microsoft sh**.  That's what they get for their bold
attempt at world domination!"

For fun, the next time someone mentions worms and IIS, and how *Nix is
the best alternative, say three words: UNIX.  Morris.  Worm.

---
Billy Cravens
Web Development, EDS
[EMAIL PROTECTED]


-Original Message-
From: Benjamin Falloon [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 25, 2001 3:32 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!


Sure, I'm not saying that either Apache or other web servers don't have
holes, but running IIS is like walking around with a 'kick me' sign
stuck to your back knowing full well it's there.

People don't usually write viruses/worms for apache and other web
servers... they usually just hack them which is always possible, but
with IIS people are writing automated viruses/worms. I'd rather be
hacked by a hacker with a sense of humour than have my whole web serving
directory nuked by an automated program.

My point is that you would have less exposure to risk running
alternatives because they aren't a massive target like IIS is.

Benjamin





RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Dave Watts

 Maybe a little OT, but my 2c.
 
 ...
 
 I'm not a 'server' admin (by title) but I can thank MS for 
 this. If they released a tighter web server with less 
 vulnerabilities maybe there would be fewer viruses/hacks 
 that could penetrate. People shouldn't need to have to
 patch every week.
 
 Doesn't that fact indicate that just *maybe* the software 
 itself is pretty shaky?

The problem with IIS is that, like all MS products, there tends to be lots
of extra features that are included by default but that no one actually
seems to use. The vast majority of problems found, and of patches for those
problems, are with these extras, rather than with the IIS service itself.

The fact is that if you install IIS without any extras, and perform a few
simple steps to turn off functionality you don't need, your IIS server will
be secure, and you can safely disregard the aforementioned patches. Now, for
your purposes (running development servers), you might very well be better
off using Apache. However, in a production environment, where server
administrators are supposedly paid for their competence at managing servers,
these IIS issues should be non-issues.

The fact is, if these same incompetent administrators switched to Apache (or
iPlanet, even worse), their employers would pay another price - they'd be
forced to learn how to manage those servers, which can be more complex to
manage in my opinion. Instead, Gartner should recommend that people hire
competent administrators and follow basic security guidelines and processes.
If you got these same people to set up a Linux box, they probably wouldn't
patch that either.

I wouldn't be surprised if there were all kinds of similar problems with
iPlanet, but given its lack of popularity who's going to bother writing
exploit code for that?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496



Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

 My point is that you would have less exposure to risk running alternatives
 because they aren't a massive target like IIS is.

Sorry bud but you're exposed with every server. I've got a T1 running in
here and I scan the logs. I get probed all of the time on all different
types of ports and as I mentioned before, MS is just the flavor of the
month. Don't be surprised that while everyone is making a big deal about
IIS, someone's already coming out with a new worm for Linux. There was a nice
juicy one just awhile ago that really slapped around several Linux admins.

You are exposed at the moment that you connect *any* server or pc, with any
OS, to the Net and to assume that you would have less exposure to risk by
not using MS/IIS would be naive. *YOU* are the main determining factor in
how secure your box will be. Yes, applying patches is a PITA but it's part of
what goes with running a publicly accessible web server.

Here's my take on this, irregardless of OS. If a person does not know how to
properly manage their box or doesn't have the time to do it, then:

1) They shouldn't be putting it out on Net or
2) They should hire someone to do it.

The management of a webserver is essentially a full-time job and most people
treat that responsibility in a half-ass way. Then, when they get hacked,
they blame the OS. It's like raising a child. If you're not prepared to do it
the right way, then abstain, wear protection or stay celibate! hehe.

Thanks for the opinions, bud.

Rey...






RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Chris Martinez

Benjamin that is one of the best analogies I've heard.  But back to what
Costas was saying.  Why has Microsoft become such a target?
Sure they release overpriced, bloated, buggy products.  Sure their business
practices are shady.  And perhaps maybe, just maybe they stole a couple of
ideas from other companies.  But why all the hate? Look at all the good they
have done.




Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Benjamin Falloon

Lots of good points Rey,

I agree with you. I think my comments were perhaps aimed a little more at MS
than at the article itself, but it's interesting to take note of other
articles that report the 'report' as it were.

Take this for example:
http://it.mycareer.com.au/breaking/2001/09/25/FFXI5T3L0SC.html?NDailyH

This report lacks the 'urgency' of the original cnet post so I think that
perhaps part of the issue is the news reporting. Having read the above link
prior to your original post the first word I noticed was 'immediately' (in
bold and at the beginning of the article). This lowers the credibility of
the report itself IMO.

You sound like you know more about this than I, but do you really believe
that IIS is as secure as apache etc?

Benjamin

PS For me this isn't an issue of cash/cost of ownership etc, just security
(Which is grave indeed - obviously).


 - Original Message -
 From: Benjamin Falloon [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Tuesday, September 25, 2001 3:42 PM
 Subject: Re: Check out what Gartner is recommending. Drop IIS!


  Maybe a little OT, but my 2c.
 
  I wouldn't call that stupid at all.
  Consider all of the attacks aimed squarely at IIS in the past few months.
  It's only going to increase. I've had personal experience with being hacked.
  I run 2 internal IIS development boxes for CF and an internal hack replaced
  *ALL* index.htm, default.htm files in all folders in the web serving
  directory. Lucky more files were cfm.
 
  I'm not a 'server' admin (by title) but I can thank MS for this. If they
  released a tighter web server with less vulnerabilities maybe there would be
  fewer viruses/hacks that could penetrate. People shouldn't need to have to
  patch every week.
 
  Doesn't that fact indicate that just *maybe* the software itself is pretty
  shaky?
 
  Consider this quote from the article,
 
  Gartner remains concerned that viruses and worms will continue to attack
  IIS until Microsoft has released a completely rewritten, thoroughly and
  publicly tested, new release of IIS,
 
  Rewritten. That would be a good idea. Try to imagine a pair of pants with as
  many 'security' patches as is and will continue to be required for IIS

RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Jeremy Allen

It is not reasonably difficult to secure a system against
these worms. Every single security weakness Nimda exploited
already had a patch. Our development server never missed
a beat, and is publicly visible on the Internet.

I do think security is mostly relative to your administrator,
and somewhat on your operating system and web serving software.
I think the human factor, as in the administrators, is the bigger
issue here. Nothing against anyone but any good admin following
procedure could have secured their systems against this.

That said, IIS is thrust into the hands of unsuspecting users
who are NOT system administrators. Your average business user
does not have a clue about securing a NT system. Yet the tool
is run by default and put into the hands of business users on
fat net pipes. I also see it proliferate extremely virally on
my DSL subnet. This says to me that people have IIS running
and are probably not even aware they have been hit and are
infecting others, of course this statement is largely based
on assumptions, no other explanation works very well since the
fixes for these worms were out before code red.

Herein lies my real complaint with this situation. IIS should
not be turned on and should not be used by people who know what
they are doing. Microsoft helps propagate these kind of worms
by insecure default configurations. Whereas, if you actually
turn IIS on somehow, you probably have a much better clue
about what you're doing. Of course, I have seen default installations
of RedHat come with remotely exploitable holes. Solaris with a
default installation is a joke, pick your root kit and have at it.

I do believe Apache is not *inherently* more secure. However
I will raise a challenge to say that Apache tends to have
less severe bugs, the frequency is less often, and you can
fix the bug yourself, or quickly get a patch for it, without
reliance on Microsoft. The architecture is generally more
well known, and the software is at this point, rather nice.
I run Apache on my W2K system at home, no remote exploits or
even regular exploits to hit my machine, I am still waiting.

So there will always be Microsoft hates, but whatever works. If
your machines get hit by this a lot, and you lose a lot of time
on stuff like this; hit the books and be sensible about using
software, any software, on the Internet. Knowledge is the only
real way to stop these kind of bugs from being proliferated. :-D

Thanks

Jeremy Allen
elliptIQ Inc.
-Original Message-
From: Tony Gruen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 4:44 PM
To: CF-Talk
Subject: RE: Check out what Gartner is recommending. Drop IIS!


It comes down to responsible administration. We have watched this come and
still going on without incident and several IIS servers.

Tony Gruen
sfnetworks





Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

Paul,

I sympathize with ya man. I know that the clean-up work can be a real
headache. Good luck on that.

With regards to your TCO, imagine if you had to make a switch to an OS that
you're not savvy on. Let's assume that you're a Linux newbie. Let's go through
the steps:

1) Ensure that your hardware is compatible w/ the distro you're using. If
not, swap out hardware ($$$).
2) Install the distro. If you don't know how, hire a consultant ($$$).
3) Fortify your installation. Turn off services. Close ports. et al. If you
don't know how, hire a consultant ($$$).
4) Install ColdFusion for Linux. If you don't know how, hire a consultant
($$$).
5) Migrate your apps over and hope they work the same way. If not, start
modifying code ($$$). If you need help on OS specifics you don't know how,
hire a consultant ($$$).
6) I would assume that if you were on an NT platform, you're also running MS
SQL Server. If you migrate it to your new platform, then you'll probably go
with Oracle. If you don't know how, hire a consultant ($$$).
7) Send your staff to Linux admin and Oracle admin training ($$$). Hire a
consultant to manage your site in the interim ($$$).
8) Wait until your staff gets over the initial learning curve of managing a
new platform and database ($$$). Hire a consultant to manage your site in
the interim ($$$).

Now, once you've done that, you're back in the same position you were when
you were using IIS because you still have people prodding and probing your
servers every day. The only difference is that your knowledgeable, MCSE-cert
admin is now a quasi-knowledgeable Linux/Apache wannabe admin that will
freak when your system gets rootkitted.

Tony Gruen said it perfectly: It comes down to responsible administration.
We have watched this come and
still going on without incident and several IIS servers.

Rey Bango,..,,


- Original Message -
From: Paul Sizemore [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 4:35 PM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 We have a handful of servers that were affected by Code Red and Nimda. Nimda
 shut us down for over 36 hours (complete shutdown - in a panic). It came in
 through a shared drive before we could cut it off (the Network Admin didn't
 know it was shared to a third party). I hate to think how much this cost us.

 The Gartner report said for those companies affected by both viruses. That
 implies companies that do not have a Security Administrator, or companies
 that are at risk for contracting these type of viruses. Also, as you
 suggested, I'm sure the author meant to light a fire under MS.

 I don't make the decisions as to what OS our servers run, but TCO is getting
 to be pretty outstanding on our (MS) servers, especially the ones that could
 easily be hosted on another OS. Don't get me wrong, MS servers are great,
 but we don't need all of those features on some of our servers.



 -Original Message-
 From: Rey Bango [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 1:59 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!

 Paul,

 Rejoicing for a more secure product is certainly understandable but
 Gartner's recommendation to dump IIS altogether is just plain dumb.
 Replacing every IIS box makes absolutely no business sense and the cost
 would be astronomical. In addition, a bigger part of the issue is the way
 security, in general, is handled. Security through obscurity is not the way
 to deal w/ a publicly accessible box and that seems to be the trend. I've
 seen the way that many admins work (whether by choice or, in most cases,
 because they're overworked) and they tend to ignore security advisories.

 I am glad, however, that the report lit a fire under Microsoft's butt so
 that people can continue to use a good web serving platform w/out having to
 shift focus to a totally foreign platform (eg: Linux/Apache or Sun/iPlanet).

 My 2 cents.

 Rey...


 - Original Message -
 From: Paul Sizemore [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Tuesday, September 25, 2001 2:00 PM
 Subject: RE: Check out what Gartner is recommending. Drop IIS!


  When I read this from Gartner I rejoiced; check out how MS is responding @
  http://www.theregister.co.uk/content/55/21869.html
 
  Paul Sizemore
 
  Finish Line
  3308 N Mitthoeffer Rd
  Indianapolis, IN 46235
  W: 317-899-1022 ext 3516
 
 
  -Original Message-
  From: Rey Bango [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 12:03 PM
  To: CF-Talk
  Subject: OT: Check out what Gartner is recommending. Drop IIS!
 
  Now, I've always found Gartner to sway in a particular direction based in
  the wind changes and the phases of the moon but this recommendation is just
  plain stupid. Check it out:
 
  http://news.cnet.com/news/0-1003-200-7294516.html
 
  Rey Bango
 
 
 
 

 

Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Benjamin Falloon

 For fun, the next time someone mentions worms and IIS, and how *Nix is
 the best alternative, say three words: UNIX.  Morris.  Worm.

huh?
cos' that's what they will say to me if I said that ;-)


- Original Message - 
From: Billy Cravens [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 6:43 AM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 At this point, this is probably true.
 
 The security landscape changes with time, and as professionals, we must
 change with it.  We should be willing to learn other platforms if IIS
 isn't the best solution; we must also guard against the Microsoft
 bigotry that runs rampant.  If this was Apache, people would say, There
 are costs to the freedom that the open source revolution brings us!  If
 it's IIS, Typical Microsoft sh**.  That's what they get for their bold
 attempt at world domination!
 
 For fun, the next time someone mentions worms and IIS, and how *Nix is
 the best alternative, say three words: UNIX.  Morris.  Worm.
 
 ---
 Billy Cravens
 Web Development, EDS
 [EMAIL PROTECTED]
 
 
 -Original Message-
 From: Benjamin Falloon [mailto:[EMAIL PROTECTED]] 
 Sent: Tuesday, September 25, 2001 3:32 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
 Sure, I'm not saying that either Apache or other web server don't have
 holes, but running IIS is like walking around with a 'kick me' sign
 stuck to your back knowing full well it's there.
 
 People don't usually write viruses/worms for apache and other web
 servers... they usually just hack them which is always possible, but
 with IIS people are writing automated viruses/worms. I'd rather be
 hacked by a hacker with a sense of humour than have my how web serving
 directory nuked by an automated program.
 
 My point is that you would have less exposure to risk running
 alternatives because they aren't a massive target like IIS is.
 
 Benjamin
 
 
 - Original Message -
 From: Costas Piliotis [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 6:19 AM
 Subject: RE: Check out what Gartner is recommending. Drop IIS!
 
 
  You know it's funny though.  A quick search at www.securiteam.com shows that
  Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
  the research is simply political?  Hackers seem to actually target IIS boxes
  likely for their hatred of Micro$oft.  I think there's more to this than
  meets the eye...
 
  Remember, nothing's ever secure.  As stated in the movie The Score: 
  If someone built it, someone can break it.
 
 
  -Original Message-
  From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 12:42 PM
  To: CF-Talk
  Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
  Maybe a little OT, but my 2c.
 
  I wouldn't call that stupid at all.
  Consider all of the attacks aimed squarely at IIS in the past few months.
  It's only going to increase. I've had personal experience with being hacked.
  I run 2 internal IIS development boxes for CF and an internal hack replaced
  *ALL* index.htm, default.htm files in all folders in the web serving
  directory. Lucky more files were cfm.
 
  I'm not a 'server' admin (by title) but I can thank MS for this. If they
  released a tighter web server with less vulnerabilities maybe there would be
  fewer viruses/hacks that could penetrate. People shouldn't need to have to
  patch every week.
 
  Doesn't that fact indicate that just *maybe* the software itself is pretty
  shaky?
 
  Consider this quote from the article,
 
  Gartner remains concerned that viruses and worms will continue to attack
  IIS until Microsoft has released a completely rewritten, thoroughly and
  publicly tested, new release of IIS,
 
  Rewritten. That would be a good idea. Try to imagine a pair of pants with as
  many 'security' patches as is and will continue to be required for IIS. I'd
  say the pants would be more patches than pants.
 
  Just a thought,
 
  Benjamin
 
  PS maybe apache would be a good alternative.
 
 
 
  - Original Message -
  From: Rey Bango [EMAIL PROTECTED]
  To: CF-Talk [EMAIL PROTECTED]
  Sent: Wednesday, September 26, 2001 3:03 AM
  Subject: OT: Check out what Gartner is recommending. Drop IIS!
 
 
   Now, I've always found Gartner to sway in a particular direction based in
   the wind changes and the phases of the moon but this recommendation is just
   plain stupid. Check it out:
  
   http://news.cnet.com/news/0-1003-200-7294516.html
  
   Rey Bango
  
  
  
 
  
 
 



RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Billy Cravens

I don't think anyone will disagree that MS has done some of what you've
listed.  However, not all their products are big and bloaty.  Not every
business practice is shady.  Some of their products have resulted from
in-house innovation.

I seriously doubt that the Redhats of the world are perfect.  Microsoft
just gets tainted as evil because they are the biggest, and most
exposed.  Kinda like a mayor or other figurehead who is accused of
adultery.  You assume the mayor is immoral, but you don't think the same
thing about the people across the street that are doing the same thing -
because it hasn't been pointed out.

Ever noticed that 98% of all Microsoft critics have mail headers that
point to Outlook, Outlook Express, or an Exchange server?

---
Billy Cravens
Web Development, EDS
[EMAIL PROTECTED]


-Original Message-
From: Chris Martinez [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 25, 2001 3:54 PM
To: CF-Talk
Subject: RE: Check out what Gartner is recommending. Drop IIS!


Benjamin that is one of the best analogies I've heard.  But back to what
Costas was saying.  Why has Microsoft become such a target? Sure they
release overpriced, bloated, buggy products.  Sure their business
practices are shady.  And perhaps maybe, just maybe they stole a couple
of ideas from other companies.  But why all the hate? Look at all the
good they have done.

-Original Message-
From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 3:32 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!


Sure, I'm not saying that either Apache or other web server don't have
holes, but running IIS is like walking around with a 'kick me' sign
stuck to your back knowing full well it's there.

People don't usually write viruses/worms for apache and other web
servers... they usually just hack them which is always possible, but
with IIS people are writing automated viruses/worms. I'd rather be
hacked by a hacker with a sense of humour than have my how web serving
directory nuked by an automated program.

My point is that you would have less exposure to risk running
alternatives because they aren't a massive target like IIS is.

Benjamin


- Original Message -
From: Costas Piliotis [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 6:19 AM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 You know it's funny though.  A quick search at www.securiteam.com shows that
 Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
 the research is simply political?  Hackers seem to actually target IIS boxes
 likely for their hatred of Micro$oft.  I think there's more to this than
 meets the eye...

 Remember, nothing's ever secure.  As stated in the movie The Score: 
 If someone built it, someone can break it.


 -Original Message-
 From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 12:42 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!


 Maybe a little OT, but my 2c.

 I wouldn't call that stupid at all.
 Consider all of the attacks aimed squarely at IIS in the past few months.
 It's only going to increase. I've had personal experience with being hacked.
 I run 2 internal IIS development boxes for CF and an internal hack replaced
 *ALL* index.htm, default.htm files in all folders in the web serving
 directory. Lucky more files were cfm.

 I'm not a 'server' admin (by title) but I can thank MS for this. If they
 released a tighter web server with less vulnerabilities maybe there would be
 fewer viruses/hacks that could penetrate. People shouldn't need to have to
 patch every week.

 Doesn't that fact indicate that just *maybe* the software itself is pretty
 shaky?

 Consider this quote from the article,

 Gartner remains concerned that viruses and worms will continue to attack
 IIS until Microsoft has released a completely rewritten, thoroughly and
 publicly tested, new release of IIS,

 Rewritten. That would be a good idea. Try to imagine a pair of pants with as
 many 'security' patches as is and will continue to be required for IIS. I'd
 say the pants would be more patches than pants.

 Just a thought,

 Benjamin

 PS maybe apache would be a good alternative.



 - Original Message -
 From: Rey Bango [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 3:03 AM
 Subject: OT: Check out what Gartner is recommending. Drop IIS!


  Now, I've always found Gartner to sway in a particular direction based in
  the wind changes and the phases of the moon but this recommendation is just
  plain stupid. Check it out:
 
  http://news.cnet.com/news/0-1003-200-7294516.html
 
  Rey Bango
 
 
 





Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

Chris,

We're not talking about why MS is a target. The discussion is about whether
Gartner's recommendation to move to another platform makes sense. I don't
want to harp on you but I don't want this to turn into another Linux is
better than MS is better than FreeBSD is better than... thread.

Rey...

- Original Message -
From: Chris Martinez [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 4:53 PM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 Benjamin that is one of the best analogies I've heard.  But back to what
 Costas was saying.  Why has Microsoft become such a target?
 Sure they release overpriced, bloated, buggy products.  Sure their business
 practices are shady.  And perhaps maybe, just maybe they stole a couple of
 ideas from other companies.  But why all the hate? Look at all the good they
 have done.

 -Original Message-
 From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 3:32 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!


 Sure, I'm not saying that either Apache or other web server don't have
 holes, but running IIS is like walking around with a 'kick me' sign stuck to
 your back knowing full well it's there.

 People don't usually write viruses/worms for apache and other web servers...
 they usually just hack them which is always possible, but with IIS people
 are writing automated viruses/worms. I'd rather be hacked by a hacker with
 a sense of humour than have my how web serving directory nuked by an
 automated program.

 My point is that you would have less exposure to risk running alternatives
 because they aren't a massive target like IIS is.

 Benjamin


 - Original Message -
 From: Costas Piliotis [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 6:19 AM
 Subject: RE: Check out what Gartner is recommending. Drop IIS!


  You know it's funny though.  A quick search at www.securiteam.com shows that
  Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
  the research is simply political?  Hackers seem to actually target IIS boxes
  likely for their hatred of Micro$oft.  I think there's more to this than
  meets the eye...
 
  Remember, nothing's ever secure.  As stated in the movie The Score: If
  someone built it, someone can break it.
 
 
  -Original Message-
  From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 12:42 PM
  To: CF-Talk
  Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
  Maybe a little OT, but my 2c.
 
  I wouldn't call that stupid at all.
  Consider all of the attacks aimed squarely at IIS in the past few months.
  It's only going to increase. I've had personal experience with being hacked.
  I run 2 internal IIS development boxes for CF and an internal hack replaced
  *ALL* index.htm, default.htm files in all folders in the web serving
  directory. Lucky more files were cfm.
 
  I'm not a 'server' admin (by title) but I can thank MS for this. If they
  released a tighter web server with less vulnerabilities maybe there would be
  fewer viruses/hacks that could penetrate. People shouldn't need to have to
  patch every week.
 
  Doesn't that fact indicate that just *maybe* the software itself is pretty
  shaky?
 
  Consider this quote from the article,
 
  Gartner remains concerned that viruses and worms will continue to attack
  IIS until Microsoft has released a completely rewritten, thoroughly and
  publicly tested, new release of IIS,
 
  Rewritten. That would be a good idea. Try to imagine a pair of pants with as
  many 'security' patches as is and will continue to be required for IIS. I'd
  say the pants would be more patches than pants.
 
  Just a thought,
 
  Benjamin
 
  PS maybe apache would be a good alternative.
 
 
 
  - Original Message -
  From: Rey Bango [EMAIL PROTECTED]
  To: CF-Talk [EMAIL PROTECTED]
  Sent: Wednesday, September 26, 2001 3:03 AM
  Subject: OT: Check out what Gartner is recommending. Drop IIS!
 
 
   Now, I've always found Gartner to sway in a particular direction based
   in the wind changes and the phases of the moon but this recommendation
   is just plain stupid. Check it out:
  
   http://news.cnet.com/news/0-1003-200-7294516.html
  
   Rey Bango
  
  
  
 
 

 



Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Nick Texidor

 Look at all the good they have done.

And what would that be?   You listed all the things that they are already 
noted before?

What good have they done?   And please don't say Windows... because that idea 
just came from somewhere else!!!   It was those said 'shady business 
practices' that got them where they are today... and have put so many other 
companies out of business, or stopped them being able to compete.




Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

 You sound like you know more about this than I, but do you really believe
 that IIS is as secure as apache etc?

Hmmm. That's really hard to say. You'd have to be able to really look under
the hood to make a firm judgement. I think that if you stay on top of IIS
and manage it the way it should be, it can be very secure. These worms have
simply exploited holes that were previously reported. Had these holes been
patched, then the worm's capability to propagate would've been greatly
diminished.

I need to restate this because I think it's very important. The biggest issue
with IIS is administration. You have too many people deploying IIS that are
underqualified or overworked. If you don't know squat about IIS or
webservers, you're asking for trouble. If you're overworked because your
boss is too cheap to get ya some help, you're bound to overlook something or
just not be able to get to it in time.

If you have the time, though, to actually stay on top of the patches, you
can make any product secure.

Rey...



 Benjamin

 PS For me this isn't an issue of cash/cost of ownership etc, just security
 (Which is grave indeed - obviously).




- Original Message -
From: Benjamin Falloon [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 4:59 PM
Subject: Re: Check out what Gartner is recommending. Drop IIS!


 Lots of good points Rey,

 I agree with you. I think my comments were perhaps aimed a little more at MS
 than at the article itself, but it's interesting to take note of other
 articles that report the 'report' as it were.

 Take this for example:
 http://it.mycareer.com.au/breaking/2001/09/25/FFXI5T3L0SC.html?NDailyH

 This report lacks the 'urgency' of the original cnet post so I think that
 perhaps part of the issue is the news reporting. Having read the above link
 prior to your original post the first word I noticed was 'immediately' (in
 bold and at the beginning of the article). This lowers the credibility of
 the report itself IMO.

 You sound like you know more about this than I, but do you really believe
 that IIS is as secure as apache etc?

 Benjamin

 PS For me this isn't an issue of cash/cost of ownership etc, just security
 (Which is grave indeed - obviously).


 - Original Message -
 From: Rey Bango [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 6:22 AM
 Subject: Re: Check out what Gartner is recommending. Drop IIS!


  Thanks for the feedback bud but I still disagree. IIS and Microsoft are just
  the flavor of choice now for the cracker community. If you go to
  SecurityFocus.com, you'll see that both Linux and Apache have a long history
  of security issues. Look up Sun and you'll find the same thing. If we were
  to call IIS shaky simply because of the current security issues, then I'm
  not exactly sure what to call the other operating systems that at one time
  had many security breaches and to this day, still have to constantly patch
  their implementations.
 
  I truly hope MS is sincere in their statement of rewriting IIS but
  inevitably, there are still going to be hacks. The strongest OS that I've
  seen publicly available is OpenBSD and that's because they audit *every*
  line of code in their BSD offering and many of the accompanying packages.
  Those that can't be audited are put into a ports tree and an advisory is
  specified accordingly. Anyone that would come out and say that SunOS, Linux
  or FreeBSD (very good webserving alternatives) are without security issues
  would be a liar.
 
  I certainly acknowledge that IIS & WinNT/2K have some security issue but I
  have seen and experienced the same thing on other OSes.
 
  As for Gartner, like I mentioned originally, they sway with the wind. I find
  them to be very good sometimes and VERY crappy on other occasions. I've seen
  their reports for the last eight years, through the client/server days and
  now with ecommerce and, frankly, have seen a steady decline in their
  analysis of anything. It's almost as if they just hire any schmoe to do a
  review of some business practice, regardless of that person's skills or past
  experiences. I remember when they smacked Sybase around because they didn't
  have row-level locking when in reality, 90% of DBMS users, at that point,
  had no need for that feature because they weren't in a high-OLTP
  environment. It was stupid and this latest report is right in line w/ the
  deteriorating level of their reports. It makes very poor fiscal sense for a
  large corporation to drop critical web servers and start a huge migration to
  a new platform of which they probably have no knowledge. You want to see a
  real security mess? Get a bunch of MS-focused companies to switch to Linux
  and watch the crackers have fun. Then let's see what Gartner would have to
  say.
 
  A better argument would've been to recommend that companies start taking
  security seriously and invest in training

Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

It's the Unix worm that literally brought down the Net. hehe. Here's a link
for some articles on it.

http://www.google.com/search?q=Unix+worm+morris

Rey...
- Original Message -
From: Benjamin Falloon [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 5:14 PM
Subject: Re: Check out what Gartner is recommending. Drop IIS!


  For fun, the next time someone mentions worms and IIS, and how *Nix is
  the best alternative, say three words: UNIX.  Morris.  Worm.

 huh?
 cos' that's what they will say to me if I said that ;-)


 - Original Message -
 From: Billy Cravens [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 6:43 AM
 Subject: RE: Check out what Gartner is recommending. Drop IIS!


  At this point, this is probably true.
 
  The security landscape changes with time, and as professionals, we must
  change with it.  We should be willing to learn other platforms if IIS
  isn't the best solution; we must also guard against the Microsoft
  bigotry that runs rampant.  If this was Apache, people would say, There
  are costs to the freedom that the open source revolution brings us!  If
  it's IIS, Typical Microsoft sh**.  That's what they get for their bold
  attempt at world domination!
 
  For fun, the next time someone mentions worms and IIS, and how *Nix is
  the best alternative, say three words: UNIX.  Morris.  Worm.
 
  ---
  Billy Cravens
  Web Development, EDS
  [EMAIL PROTECTED]
 
 
  -Original Message-
  From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 3:32 PM
  To: CF-Talk
  Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
  Sure, I'm not saying that either Apache or other web server don't have
  holes, but running IIS is like walking around with a 'kick me' sign
  stuck to your back knowing full well it's there.
 
  People don't usually write viruses/worms for apache and other web
  servers... they usually just hack them which is always possible, but
  with IIS people are writing automated viruses/worms. I'd rather be
  hacked by a hacker with a sense of humour than have my how web serving
  directory nuked by an automated program.
 
  My point is that you would have less exposure to risk running
  alternatives because they aren't a massive target like IIS is.
 
  Benjamin
 
 
  - Original Message -
  From: Costas Piliotis [EMAIL PROTECTED]
  To: CF-Talk [EMAIL PROTECTED]
  Sent: Wednesday, September 26, 2001 6:19 AM
  Subject: RE: Check out what Gartner is recommending. Drop IIS!
 
 
   You know it's funny though.  A quick search at www.securiteam.com
   shows that Apache and iPlanet have many vulnerabilities as well.  Think
   perhaps that the research is simply political?  Hackers seem to actually
   target IIS boxes likely for their hatred of Micro$oft.  I think there's
   more to this than meets the eye...
  
   Remember, nothing's ever secure.  As stated in the movie The Score:
   If someone built it, someone can break it.
  
  
   -Original Message-
   From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
   Sent: Tuesday, September 25, 2001 12:42 PM
   To: CF-Talk
   Subject: Re: Check out what Gartner is recommending. Drop IIS!
  
  
   Maybe a little OT, but my 2c.
  
   I wouldn't call that stupid at all.
   Consider all of the attacks aimed squarely at IIS in the past few
   months. It's only going to increase. I've had personal experience with
   being hacked.
   I run 2 internal IIS development boxes for CF and an internal hack
   replaced *ALL* index.htm, default.htm files in all folders in the web
   serving directory. Lucky more files were cfm.
  
   I'm not a 'server' admin (by title) but I can thank MS for this. If
   they released a tighter web server with less vulnerabilities maybe
   there would be fewer viruses/hacks that could penetrate. People
   shouldn't need to have to patch every week.
  
   Doesn't that fact indicate that just *maybe* the software itself is
   pretty shaky?
  
   Consider this quote from the article,
  
   Gartner remains concerned that viruses and worms will continue to
   attack IIS until Microsoft has released a completely rewritten,
   thoroughly and publicly tested, new release of IIS,
  
   Rewritten. That would be a good idea. Try to imagine a pair of pants
   with as many 'security' patches as is and will continue to be required
   for IIS. I'd say the pants would be more patches than pants.
  
   Just a thought,
  
   Benjamin
  
   PS maybe apache would be a good alternative.
  
  
  
   - Original Message -
   From: Rey Bango [EMAIL PROTECTED]
   To: CF-Talk [EMAIL PROTECTED]
   Sent: Wednesday, September 26, 2001 3:03 AM
   Subject: OT: Check out what Gartner is recommending. Drop IIS!
  
  
Now, I've always found Gartner to sway in a particular direction
based in the wind changes and the phases of the moon but this
recommendation

RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Billy Cravens

Indeed - people who think that *nix is the savior, and IIS is evil, have
no clue (or a really bad memory) that the first Internet worm spread
using common holes (at the time) in Unix

It is nothing to know your enemy; it is everything to know yourself
-- don't know if anyone has ever said that, but if not, I'll take
credit, and be quoted for centuries to come! muahahaha

---
Billy Cravens
Web Development, EDS
[EMAIL PROTECTED]


-Original Message-
From: Benjamin Falloon [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 25, 2001 4:14 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!


 For fun, the next time someone mentions worms and IIS, and how *Nix is
 the best alternative, say three words: UNIX.  Morris.  Worm.

huh?
cos' that's what they will say to me if I said that ;-)


- Original Message - 
From: Billy Cravens [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 6:43 AM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 At this point, this is probably true.
 
 The security landscape changes with time, and as professionals, we
 must change with it.  We should be willing to learn other platforms if
 IIS isn't the best solution; we must also guard against the Microsoft
 bigotry that runs rampant.  If this was Apache, people would say,
 There are costs to the freedom that the open source revolution brings
 us!  If it's IIS, Typical Microsoft sh**.  That's what they get for
 their bold attempt at world domination!
 
 For fun, the next time someone mentions worms and IIS, and how *Nix is
 the best alternative, say three words: UNIX.  Morris.  Worm.
 
 ---
 Billy Cravens
 Web Development, EDS
 [EMAIL PROTECTED]
 
 
 -Original Message-
 From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 3:32 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
 Sure, I'm not saying that either Apache or other web server don't have
 holes, but running IIS is like walking around with a 'kick me' sign
 stuck to your back knowing full well it's there.
 
 People don't usually write viruses/worms for apache and other web
 servers... they usually just hack them which is always possible, but
 with IIS people are writing automated viruses/worms. I'd rather be
 hacked by a hacker with a sense of humour than have my how web serving
 directory nuked by an automated program.
 
 My point is that you would have less exposure to risk running 
 alternatives because they aren't a massive target like IIS is.
 
 Benjamin
 
 
 - Original Message -
 From: Costas Piliotis [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 6:19 AM
 Subject: RE: Check out what Gartner is recommending. Drop IIS!
 
 
  You know it's funny though.  A quick search at www.securiteam.com
  shows that Apache and iPlanet have many vulnerabilities as well.  Think
  perhaps that the research is simply political?  Hackers seem to actually
  target IIS boxes likely for their hatred of Micro$oft.  I think there's
  more to this than meets the eye...
 
  Remember, nothing's ever secure.  As stated in the movie The Score:
  If someone built it, someone can break it.
 
 
  -Original Message-
  From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 12:42 PM
  To: CF-Talk
  Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
  Maybe a little OT, but my 2c.
 
  I wouldn't call that stupid at all.
  Consider all of the attacks aimed squarely at IIS in the past few
  months. It's only going to increase. I've had personal experience with
  being hacked.
  I run 2 internal IIS development boxes for CF and an internal hack
  replaced *ALL* index.htm, default.htm files in all folders in the web
  serving directory. Lucky more files were cfm.
 
  I'm not a 'server' admin (by title) but I can thank MS for this. If
  they released a tighter web server with less vulnerabilities maybe
  there would be fewer viruses/hacks that could penetrate. People
  shouldn't need to have to patch every week.
 
  Doesn't that fact indicate that just *maybe* the software itself is
  pretty shaky?
 
  Consider this quote from the article,
 
  Gartner remains concerned that viruses and worms will continue to
  attack IIS until Microsoft has released a completely rewritten, 
  thoroughly and publicly tested, new release of IIS,
 
  Rewritten. That would be a good idea. Try to imagine a pair of pants
  with as many 'security' patches as is and will continue to be required
  for IIS. I'd say the pants would be more patches than pants.
 
  Just a thought,
 
  Benjamin
 
  PS maybe apache would be a good alternative.
 
 
 
  - Original Message -
  From: Rey Bango [EMAIL PROTECTED]
  To: CF-Talk [EMAIL PROTECTED]
  Sent: Wednesday, September 26, 2001 3:03 AM
  Subject: OT: Check out what Gartner is recommending

RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Matthew W Jones

All I can tell is that this discussion isn't about coldfusion. 
Please move it to CF Community

-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 4:33 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!


Chris,

We're not talking about why MS is a target. The discussion is about whether
Gartner's recommendation to move to another platform makes sense. I don't
want to harp on you but I don't want this to turn into another Linux is
better than MS is better than FreeBSD is better than... thread.

Rey...

- Original Message -
From: Chris Martinez [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 4:53 PM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 Benjamin that is one of the best analogies I've heard.  But back to what
 Costas was saying.  Why has Microsoft become such a target?
 Sure they release overpriced, bloated, buggy products.  Sure their business
 practices are shady.  And perhaps maybe, just maybe they stole a couple of
 ideas from other companies.  But why all the hate? Look at all the good they
 have done.

 -Original Message-
 From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 3:32 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!


 Sure, I'm not saying that either Apache or other web server don't have
 holes, but running IIS is like walking around with a 'kick me' sign stuck to
 your back knowing full well it's there.

 People don't usually write viruses/worms for apache and other web servers...
 they usually just hack them which is always possible, but with IIS people
 are writing automated viruses/worms. I'd rather be hacked by a hacker with
 a sense of humour than have my how web serving directory nuked by an
 automated program.

 My point is that you would have less exposure to risk running alternatives
 because they aren't a massive target like IIS is.

 Benjamin


 - Original Message -
 From: Costas Piliotis [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 6:19 AM
 Subject: RE: Check out what Gartner is recommending. Drop IIS!


  You know it's funny though.  A quick search at www.securiteam.com shows that
  Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
  the research is simply political?  Hackers seem to actually target IIS boxes
  likely for their hatred of Micro$oft.  I think there's more to this than
  meets the eye...
 
  Remember, nothing's ever secure.  As stated in the movie The Score: If
  someone built it, someone can break it.
 
 
  -Original Message-
  From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 12:42 PM
  To: CF-Talk
  Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
  Maybe a little OT, but my 2c.
 
  I wouldn't call that stupid at all.
  Consider all of the attacks aimed squarely at IIS in the past few months.
  It's only going to increase. I've had personal experience with being hacked.
  I run 2 internal IIS development boxes for CF and an internal hack replaced
  *ALL* index.htm, default.htm files in all folders in the web serving
  directory. Lucky more files were cfm.
 
  I'm not a 'server' admin (by title) but I can thank MS for this. If they
  released a tighter web server with less vulnerabilities maybe there would be
  fewer viruses/hacks that could penetrate. People shouldn't need to have to
  patch every week.
 
  Doesn't that fact indicate that just *maybe* the software itself is pretty
  shaky?
 
  Consider this quote from the article,
 
  Gartner remains concerned that viruses and worms will continue to attack
  IIS until Microsoft has released a completely rewritten, thoroughly and
  publicly tested, new release of IIS,
 
  Rewritten. That would be a good idea. Try to imagine a pair of pants with as
  many 'security' patches as is and will continue to be required for IIS. I'd
  say the pants would be more patches than pants.
 
  Just a thought,
 
  Benjamin
 
  PS maybe apache would be a good alternative.
 
 
 
  - Original Message -
  From: Rey Bango [EMAIL PROTECTED]
  To: CF-Talk [EMAIL PROTECTED]
  Sent: Wednesday, September 26, 2001 3:03 AM
  Subject: OT: Check out what Gartner is recommending. Drop IIS!
 
 
   Now, I've always found Gartner to sway in a particular direction based
   in the wind changes and the phases of the moon but this recommendation
   is just plain stupid. Check it out:
  
   http://news.cnet.com/news/0-1003-200-7294516.html
  
   Rey Bango
  
  
  
 
 

 


Re: Check out what Gartner is recommending. Drop IIS! - IIS6 features

2001-09-25 Thread Jon Hall

I got this in a newsletter today...He says IIS6 may be out by 1Q 2002.

IIS 6.0 is a complete paradigm shift; it provides an infrastructure
that installs security hotfixes by default. IIS 6.0 also lets you
download hotfixes and apply them automatically as they become
available.

IIS 6.0 includes these security enhancements:
   - Configurable Worker Process Identities, which let you start
     services under the security context of LocalSystem, LocalService,
     NetworkService, or a configurable account.
   - Selectable Crypto Service Provider, which lets you use
     hardware-based Secure Sockets Layer (SSL). Hardware-based SSL is
     lightning-fast compared with the SSL latency we have to deal with
     today in IIS 5.0 and older releases.
   - Remotable Certificate installation and removal, which lets you
     install and remove certificates on remote computers.
   - Publishing, which you can disable.
   - Delegation for all protocols so you can securely distribute a
     Kerberos ticket when you use Digest, Basic, NT LAN Manager (NTLM), or
     Passport.
   - Sand-boxed FTP, which lets you configure FTP sites so only
     specific users can upload content.

http://www.iisadministrator.com

jon




RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Billy Cravens

Hahah.. Too late

---
Billy Cravens
Web Development, EDS
[EMAIL PROTECTED]


-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 25, 2001 4:33 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!


Chris,

We're not talking about why MS is a target. The discussion is about
whether Gartner's recommendation to move to another platform makes
sense. I don't want to harp on you but I don't want this to turn into
another Linux is better than MS is better than FreeBSD is better
than... thread.

Rey...

- Original Message -
From: Chris Martinez [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 4:53 PM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 Benjamin that is one of the best analogies I've heard.  But back to what
 Costas was saying.  Why has Microsoft become such a target?
 Sure they release overpriced, bloated, buggy products.  Sure their business
 practices are shady.  And perhaps maybe, just maybe they stole a couple of
 ideas from other companies.  But why all the hate? Look at all the good they
 have done.

 -Original Message-
 From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 3:32 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!


 Sure, I'm not saying that either Apache or other web server don't have
 holes, but running IIS is like walking around with a 'kick me' sign stuck to
 your back knowing full well it's there.

 People don't usually write viruses/worms for apache and other web servers...
 they usually just hack them which is always possible, but with IIS people
 are writing automated viruses/worms. I'd rather be hacked by a hacker with
 a sense of humour than have my how web serving directory nuked by an
 automated program.

 My point is that you would have less exposure to risk running 
 alternatives because they aren't a massive target like IIS is.

 Benjamin


 - Original Message -
 From: Costas Piliotis [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 6:19 AM
 Subject: RE: Check out what Gartner is recommending. Drop IIS!


  You know it's funny though.  A quick search at www.securiteam.com shows that
  Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
  the research is simply political?  Hackers seem to actually target IIS boxes
  likely for their hatred of Micro$oft.  I think there's more to this than
  meets the eye...
 
  Remember, nothing's ever secure.  As stated in the movie The Score: 
  If someone built it, someone can break it.
 
 
  -Original Message-
  From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 12:42 PM
  To: CF-Talk
  Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
  Maybe a little OT, but my 2c.
 
  I wouldn't call that stupid at all.
  Consider all of the attacks aimed squarely at IIS in the past few months.
  It's only going to increase. I've had personal experience with being hacked.
  I run 2 internal IIS development boxes for CF and an internal hack replaced
  *ALL* index.htm, default.htm files in all folders in the web serving
  directory. Lucky more files were cfm.
 
  I'm not a 'server' admin (by title) but I can thank MS for this. If they
  released a tighter web server with less vulnerabilities maybe there would be
  fewer viruses/hacks that could penetrate. People shouldn't need to have to
  patch every week.
 
  Doesn't that fact indicate that just *maybe* the software itself is pretty
  shaky?
 
  Consider this quote from the article,
 
  Gartner remains concerned that viruses and worms will continue to attack
  IIS until Microsoft has released a completely rewritten, thoroughly and
  publicly tested, new release of IIS,
 
  Rewritten. That would be a good idea. Try to imagine a pair of pants with as
  many 'security' patches as is and will continue to be required for IIS. I'd
  say the pants would be more patches than pants.
 
  Just a thought,
 
  Benjamin
 
  PS maybe apache would be a good alternative.
 
 
 
  - Original Message -
  From: Rey Bango [EMAIL PROTECTED]
  To: CF-Talk [EMAIL PROTECTED]
  Sent: Wednesday, September 26, 2001 3:03 AM
  Subject: OT: Check out what Gartner is recommending. Drop IIS!
 
 
   Now, I've always found Gartner to sway in a particular direction based
   in the wind changes and the phases of the moon but this recommendation
   is just plain stupid. Check it out:
  
   http://news.cnet.com/news/0-1003-200-7294516.html
  
   Rey Bango
  
  
  
 
 

 


Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Koo Pai Lao

Here's the bottom line.  microsoft product rules.  but microsoft sucks.  not 
the other way around






From: Rey Bango [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: Re: Check out what Gartner is recommending. Drop IIS!
Date: Tue, 25 Sep 2001 17:46:53 -0400

  You sound like you know more about this than I, but do you really believe
  that IIS is as secure as apache etc?

Hmmm. That's really hard to say. You'd have to be able to really look under
the hood to make a firm judgement. I think that if you stay on top of IIS
and manage it the way it should be, it can be very secure. These worms have
simply exploited holes that were previously reported. Had these holes been
patched, then the worm's capability to propagate would've been greatly
diminished.

I need to restate this because I think it's very important. The biggest issue
with IIS is administration. You have too many people deploying IIS that are
underqualified or overworked. If you don't know squat about IIS or
webservers, you're asking for trouble. If you're overworked because your
boss is too cheap to get ya some help, you're bound to overlook something or
just not be able to get to it in time.

If you have the time, though, to actually stay on top of the patches, you
can make any product secure.

Rey...


 
  Benjamin
 
  PS For me this isn't an issue of cash/cost of ownership etc, just security
  (Which is grave indeed - obviously).




- Original Message -
From: Benjamin Falloon [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 4:59 PM
Subject: Re: Check out what Gartner is recommending. Drop IIS!


  Lots of good points Rey,
 
  I agree with you. I think my comments were perhaps aimed a little more at MS
  than at the article itself, but it's interesting to take note of other
  articles that report the 'report' as it were.
 
  Take this for example:
  http://it.mycareer.com.au/breaking/2001/09/25/FFXI5T3L0SC.html?NDailyH
 
  This report lacks the 'urgency' of the original cnet post so I think that
  perhaps part of the issue is the news reporting. Having read the above link
  prior to your original post the first word I noticed was 'immediately' (in
  bold and at the beginning of the article). This lowers the credibility of
  the report itself IMO.
 
  You sound like you know more about this than I, but do you really believe
  that IIS is as secure as apache etc?
 
  Benjamin
 
  PS For me this isn't an issue of cash/cost of ownership etc, just security
  (Which is grave indeed - obviously).
 
 
  - Original Message -
  From: Rey Bango [EMAIL PROTECTED]
  To: CF-Talk [EMAIL PROTECTED]
  Sent: Wednesday, September 26, 2001 6:22 AM
  Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
   Thanks for the feedback bud but I still disagree. IIS and Microsoft are just
   the flavor of choice now for the cracker community. If you go to
   SecurityFocus.com, you'll see that both Linux and Apache have a long history
   of security issues. Look up Sun and you'll find the same thing. If we were
   to call IIS shaky simply because of the current security issues, then I'm
   not exactly sure what to call the other operating systems that at one time
   had many security breaches and to this day, still have to constantly patch
   their implementations.
  
   I truly hope MS is sincere in their statement of rewriting IIS but
   inevitably, there are still going to be hacks. The strongest OS that I've
   seen publicly available is OpenBSD and that's because they audit *every*
   line of code in their BSD offering and many of the accompanying packages.
   Those that can't be audited are put into a ports tree and an advisory is
   specified accordingly. Anyone that would come out and say that SunOS, Linux
   or FreeBSD (very good webserving alternatives) are without security issues
   would be a liar.
  
   I certainly acknowledge that IIS  WinNT/2K have some security issue but I
   have seen and experienced the same thing on other OSes.
  
   As for Gartner, like I mentioned originally, they sway with the wind. I find
   them to be very good sometimes and VERY crappy on other occasions. I've seen
   their reports for the last eight years, through the client/server days and
   now with ecommerce and, frankly, have seen a steady decline in their
   analysis of anything. It's almost as if they just hire any schmoe to do a
   review of some business practice, regardless of that person's skills or past
   experiences. I remember when they smacked Sybase around because they didn't
   have row-level locking when in reality, 90% of DBMS users, at that point,
   had no need for that feature because they weren't in a high-OLTP
   environment. It was stupid and this latest report is right in line w/ the
   deteriorating level of their reports. It makes very poor fiscal sense for a
   large corporation to drop critical web servers

Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

  Look at all the good they have done.

 And what would that be?   You listed all the things that they are already
 noted before?


Nick,

He was being sarcastic.

Rey...




Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread corrigan

Sorry to open an additional can of worms, but our servers got nailed and
they're managed out in California (I'm in Chicago).  I'm not a sysad, nor do
I have any experience at managing a server.  Are there courses or
certifications that I can get to help me stay on top of these things?  I'm
the only programmer in my office and the de facto IT guy so when stuff like
this happens, they all look at me like I know what the heck I'm doing.  I've
been at this for less than two years and just don't have the experience to
deal with this appropriately.  Any tips?

Respectfully,

Michael
- Original Message -
From: Tony Gruen [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 3:43 PM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 It comes down to responsible administration. We have watched this come and
 still going on without incident and several IIS servers.

 Tony Gruen
 sfnetworks

 



RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Chris Martinez

OK. Since you are not familiar with sarcasm, I'm closing the register.

Quoth the Costas: Hackers seem to actually target IIS boxes
likely for their hatred of Micro$oft.  I think there's more to this than
meets the eye...

Quoth the Benjamin: Sure, I'm not saying that either Apache or other web
server don't have
holes, but running IIS is like walking around with a 'kick me' sign stuck to
your back knowing full well it's there.

I'm not disagreeing with anything you guys have said.  Certainly every web
server has bugs exploits, blah, blah, blah.  I'm simply offering an opinion
as to why IIS seems to have a big ass target painted on it.  Perhaps

Just call me Flamebait.


-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 4:33 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!


Chris,

We're not talking about why MS is a target. The discussion is about whether
Gartner's recommendation to move to another platform makes sense. I don't
want to harp on you but I don't want this to turn into another Linux is
better than MS is better than FreeBSD is better than... thread.

Rey...

- Original Message -
From: Chris Martinez [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 4:53 PM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 Benjamin that is one of the best analogies I've heard.  But back to what
 Costas was saying.  Why has Microsoft become such a target?
 Sure they release overpriced, bloated, buggy products.  Sure their business
 practices are shady.  And perhaps maybe, just maybe they stole a couple of
 ideas from other companies.  But why all the hate? Look at all the good they
 have done.

 -Original Message-
 From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 3:32 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!


 Sure, I'm not saying that either Apache or other web server don't have
 holes, but running IIS is like walking around with a 'kick me' sign stuck to
 your back knowing full well it's there.

 People don't usually write viruses/worms for apache and other web servers...
 they usually just hack them which is always possible, but with IIS people
 are writing automated viruses/worms. I'd rather be hacked by a hacker with
 a sense of humour than have my how web serving directory nuked by an
 automated program.

 My point is that you would have less exposure to risk running alternatives
 because they aren't a massive target like IIS is.

 Benjamin


 - Original Message -
 From: Costas Piliotis [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 6:19 AM
 Subject: RE: Check out what Gartner is recommending. Drop IIS!


  You know it's funny though.  A quick search at www.securiteam.com shows that
  Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
  the research is simply political?  Hackers seem to actually target IIS boxes
  likely for their hatred of Micro$oft.  I think there's more to this than
  meets the eye...
 
  Remember, nothing's ever secure.  As stated in the movie The Score: If
  someone built it, someone can break it.
 
 
  -Original Message-
  From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 12:42 PM
  To: CF-Talk
  Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
  Maybe a little OT, but my 2c.
 
  I wouldn't call that stupid at all.
  Consider all of the attacks aimed squarely at IIS in the past few months.
  It's only going to increase. I've had personal experience with being hacked.
  I run 2 internal IIS development boxes for CF and an internal hack replaced
  *ALL* index.htm, default.htm files in all folders in the web serving
  directory. Lucky more files were cfm.
 
  I'm not a 'server' admin (by title) but I can thank MS for this. If they
  released a tighter web server with less vulnerabilities maybe there would be
  fewer viruses/hacks that could penetrate. People shouldn't need to have to
  patch every week.
 
  Doesn't that fact indicate that just *maybe* the software itself is pretty
  shaky?
 
  Consider this quote from the article,
 
  Gartner remains concerned that viruses and worms will continue to attack
  IIS until Microsoft has released a completely rewritten, thoroughly and
  publicly tested, new release of IIS,
 
  Rewritten. That would be a good idea. Try to imagine a pair of pants with as
  many 'security' patches as is and will continue to be required for IIS. I'd
  say the pants would be more patches than pants.
 
  Just a thought,
 
  Benjamin
 
  PS maybe apache would be a good alternative.
 
 
 
  - Original Message -
  From: Rey Bango [EMAIL PROTECTED]
  To: CF-Talk [EMAIL PROTECTED]
  Sent: Wednesday, September 26, 2001 3:03 AM
  Subject: OT: Check out what Gartner is recommending. Drop IIS!
 
 
   Now

RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Braver, Ben

PLEASE MOVE THIS THREAD TO CF-COMMUNITY !

-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 3:00 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!


  Look at all the good they have done.

 And what would that be?   You listed all the things that they are already
 noted before?


Nick,

He was being sarcastic.

Rey...





Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

Yeah, I noticed. hehe. ;o)

Rey...


- Original Message - 
From: Billy Cravens [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 5:58 PM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 Hahah.. Too late
 
 ---
 Billy Cravens
 Web Development, EDS
 [EMAIL PROTECTED]
 
 
 -Original Message-
 From: Rey Bango [mailto:[EMAIL PROTECTED]] 
 Sent: Tuesday, September 25, 2001 4:33 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
 Chris,
 
 We're not talking about why MS is a target. The discussion is about
 whether Gartner's recommendation to move to another platform makes
 sense. I don't want to harp on you but I don't want this to turn into
 another Linux is better than MS is better than FreeBSD is better
 than... thread.
 
 Rey...
 
 - Original Message -
 From: Chris Martinez [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Tuesday, September 25, 2001 4:53 PM
 Subject: RE: Check out what Gartner is recommending. Drop IIS!
 
 
  Benjamin that is one of the best analogies I've heard.  But back to
  what Costas was saying.  Why has Microsoft become such a target? Sure
  they release overpriced, bloated, buggy products.  Sure their business
  practices are shady.  And perhaps maybe, just maybe they stole a
  couple of ideas from other companies.  But why all the hate? Look at
  all the good they have done.
 
  -Original Message-
  From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 3:32 PM
  To: CF-Talk
  Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
  Sure, I'm not saying that either Apache or other web server don't have
  holes, but running IIS is like walking around with a 'kick me' sign
  stuck to your back knowing full well it's there.
 
  People don't usually write viruses/worms for apache and other web servers...
  they usually just hack them which is always possible, but with IIS
  people are writing automated viruses/worms. I'd rather be hacked by a
  hacker with a sense of humour than have my how web serving directory nuked
  by an automated program.
 
  My point is that you would have less exposure to risk running
  alternatives because they aren't a massive target like IIS is.
 
  Benjamin
 
 
  - Original Message -
  From: Costas Piliotis [EMAIL PROTECTED]
  To: CF-Talk [EMAIL PROTECTED]
  Sent: Wednesday, September 26, 2001 6:19 AM
  Subject: RE: Check out what Gartner is recommending. Drop IIS!
 
 
   You know it's funny though.  A quick search at www.securiteam.com shows that
   Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
   the research is simply political?  Hackers seem to actually target IIS boxes
   likely for their hatred of Micro$oft.  I think there's more to this
   than meets the eye...
  
   Remember, nothing's ever secure.  As stated in the movie The Score:
   If someone built it, someone can break it.
  
  
   -Original Message-
   From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
   Sent: Tuesday, September 25, 2001 12:42 PM
   To: CF-Talk
   Subject: Re: Check out what Gartner is recommending. Drop IIS!
  
  
   Maybe a little OT, but my 2c.
  
   I wouldn't call that stupid at all.
   Consider all of the attacks aimed squarely at IIS in the past few months.
   It's only going to increase. I've had personal experience with being hacked.
   I run 2 internal IIS development boxes for CF and an internal hack replaced
   *ALL* index.htm, default.htm files in all folders in the web serving
   directory. Lucky more files were cfm.
  
   I'm not a 'server' admin (by title) but I can thank MS for this. If
   they released a tighter web server with less vulnerabilities maybe
   there would be fewer viruses/hacks that could penetrate. People shouldn't
   need to have to patch every week.
  
   Doesn't that fact indicate that just *maybe* the software itself is pretty
   shaky?
  
   Consider this quote from the article,
  
   Gartner remains concerned that viruses and worms will continue to attack
   IIS until Microsoft has released a completely rewritten, thoroughly
   and publicly tested, new release of IIS,
  
   Rewritten. That would be a good idea. Try to imagine a pair of pants with as
   many 'security' patches as is and will continue to be required for
   IIS. I'd say the pants would be more patches than pants.
  
   Just a thought,
  
   Benjamin
  
   PS maybe apache would be a good alternative.
  
  
  
   - Original Message -
   From: Rey Bango [EMAIL PROTECTED]
   To: CF-Talk [EMAIL PROTECTED]
   Sent: Wednesday, September 26, 2001 3:03 AM
   Subject: OT: Check out what Gartner is recommending. Drop IIS!
  
  
    Now, I've always found Gartner to sway in a particular direction
    based in the wind changes and the phases of the moon but this
    recommendation is just plain

Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

 PLEASE MOVE THIS THREAD TO CF-COMMUNITY !

Dude, take a valium! Ask like a normal human being and I'm sure it can be
accommodated. Geez.

Rey...



 -Original Message-
 From: Rey Bango [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 3:00 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!


   Look at all the good they have done.
 
  And what would that be?   You listed all the things that they are already
  noted before?
 

 Nick,

 He was being sarcastic.

 Rey...


 



RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Braver, Ben

OK, sorry
Gee, folks - would you please consider moving this to cf-community?
Thanks.
-Ben

-Original Message-
From: Rey Bango [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 4:04 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!


 PLEASE MOVE THIS THREAD TO CF-COMMUNITY !

Dude, take a valium! Ask like a normal human being and I'm sure it can be
accommodated. Geez.

Rey...



 -Original Message-
 From: Rey Bango [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 3:00 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!


   Look at all the good they have done.
 
  And what would that be?   You listed all the things that they are already
  noted before?
 

 Nick,

 He was being sarcastic.

 Rey...


 




Check list for securing IIS (WAS RE: Check out what Gartner is recommending. Drop IIS!)

2001-09-25 Thread Michael Wilson

Anyone know of a check list for securing IIS 5.0 in conjunction with CF
5.0? I think I remember seeing one for 4.0 some time back, but can't
find a link. I am not totally sure of everything I CAN turn off or
what measures I can take beyond keeping up with the constant flow of
security patches. Although I am up-to-date with patches and have had
no issues with Code Red or Nimda, I would still like to learn more on
how to lock IIS down for maximum security.

Regards,
Mike

 -Original Message-

  I'm not a 'server' admin (by title) but I can thank MS for
  this. 



Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Rey Bango

Thanks dude! :o)  

Rey...


- Original Message - 
From: Braver, Ben [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 7:20 PM
Subject: RE: Check out what Gartner is recommending. Drop IIS!


 OK, sorry
 Gee, folks - would you please consider moving this to cf-community?
 Thanks.
 -Ben
 
 -Original Message-
 From: Rey Bango [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 25, 2001 4:04 PM
 To: CF-Talk
 Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
  PLEASE MOVE THIS THREAD TO CF-COMMUNITY !
 
 Dude, take a valium! Ask like a normal human being and I'm sure it can be
 accommodated. Geez.
 
 Rey...
 
 
 
  -Original Message-
  From: Rey Bango [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, September 25, 2001 3:00 PM
  To: CF-Talk
  Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
Look at all the good they have done.
  
   And what would that be?   You listed all the things that they are already
   noted before?
  
 
  Nick,
 
  He was being sarcastic.
 
  Rey...
 
 
  
 
 



RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Dave Watts

 ... do you really believe that IIS is as secure as apache etc?

No, I don't believe it is. The biggest security flaw with IIS (one that
can't be patched or fixed in the current releases, I don't think) is that it
runs within the SYSTEM security context - which is essentially equivalent to
running as root on Unix.  The reason IIS runs as SYSTEM is so that it can
perform impersonation of other users. This is how IIS can integrate so well
with Windows security (ACLs, user rights, etc.). Apache, even on Windows,
can be run as a less-privileged user. So, if an IIS exploit runs before the
impersonated user's security context kicks in, the exploit code runs as
SYSTEM, which is a very bad thing.

However, I don't recall any IIS buffer overflow exploits that can do this
without taking advantage of one of the ISAPI extensions that most people
don't use anyway, so if you've removed all those unused extensions, I
suspect you're pretty safe from that kind of attack. I don't think that any
buffer overflows are likely to turn up in the core IIS engine - if there
were, they'd have been found by now!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
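
The clean-up described in the message above (removing ISAPI extension mappings a site does not use), as an added example that is not part of the original post or any Microsoft tool. It assumes the IIS 5 script-map entry layout `.ext,handler path,flags,verbs`; the sample listing, paths and function names are constructed for illustration.

```python
"""Audit IIS-style script mappings against an allow-list of extensions.

Added illustration, not code from the thread. Assumed entry layout:
    .ext,handler path,flags,VERB,VERB,...
The sample listing below is constructed, not taken from a real server.
"""
import ntpath
from collections import namedtuple

Mapping = namedtuple("Mapping", "extension handler flags verbs")

# Constructed sample: a ColdFusion site that only needs .cfm served.
SAMPLE_SCRIPT_MAPS = r"""
.asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE
.cfm,C:\CFUSION\BIN\iscf.dll,1,GET,HEAD,POST
.DBM,C:\CFUSION\BIN\iscf.dll,1,GET,HEAD,POST
.ida,C:\WINNT\System32\idq.dll,0,GET,HEAD,POST
.idq,C:\WINNT\System32\idq.dll,0,GET,HEAD,POST
.htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST
.printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST
this line is damaged
"""


def parse_script_maps(text):
    """Return (mappings, rejected_lines) from one mapping entry per line."""
    mappings, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        well_formed = (
            len(fields) >= 3
            and (fields[0].startswith(".") or fields[0] == "*")
            and fields[1] != ""
            and fields[2].isdigit()
        )
        if not well_formed:
            # Report damaged entries instead of skipping them silently.
            rejected.append(line)
            continue
        verbs = tuple(v.upper() for v in fields[3:] if v)
        mappings.append(
            Mapping(fields[0].lower(), fields[1], int(fields[2]), verbs)
        )
    return mappings, rejected


def audit(mappings, required_extensions):
    """Split mappings into those the site needs and those to remove.

    Results are grouped by handler DLL. A DLL listed in 'still_loaded'
    serves both a required and an unneeded extension, so removing the
    unneeded mapping does not take that DLL out of the request path.
    """
    required = {e.lower() for e in required_extensions}
    keep, remove = {}, {}
    for m in mappings:
        dll = ntpath.basename(m.handler).lower()
        bucket = keep if m.extension in required else remove
        bucket.setdefault(dll, []).append(m.extension)
    return {
        "keep": {dll: sorted(exts) for dll, exts in keep.items()},
        "remove": {dll: sorted(exts) for dll, exts in remove.items()},
        "still_loaded": sorted(set(keep) & set(remove)),
    }


if __name__ == "__main__":
    parsed, bad = parse_script_maps(SAMPLE_SCRIPT_MAPS)
    report = audit(parsed, {".cfm"})
    for dll, exts in sorted(report["remove"].items()):
        print("remove %-12s %s" % (dll, ", ".join(exts)))
    for dll in report["still_loaded"]:
        print("note: %s stays loaded for a required extension" % dll)
    for line in bad:
        print("unparsed entry, check by hand: %r" % line)
```

The allow-list is deny-by-default: anything the site has not declared it needs is reported for removal, including mappings added later by other installers.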



Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Jim McAtee

When you say your servers are managed out in California, I assume you just
mean that they're located in California.  If they're managed, then you
shouldn't be responsible for security.

Realistically, if you're a developer and don't have at least 8 or 12 hours
per week to devote to managing your web servers, follow up on security
bulletins, install patches, run security scans, you should outsource this
operation.  That could be as simple as contracting managed servers (rather
than colocated servers with minimal management) from an ISP or IPP, or could
involve hiring a full or part time contractor to take care of your machines.

Like you, and I'm sure as in many small organizations, I do development and
system administration also.  Either I'm constantly being pulled away from
pressing development projects or else I can only address security and server
issues minimally.  It's doable, but far from optimal.

Jim



- Original Message -
From: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Tuesday, September 25, 2001 3:31 PM
Subject: Re: Check out what Gartner is recommending. Drop IIS!


 Sorry to open an additional can of worms, but our servers got nailed and
 they're managed out in California (I'm in Chicago).  I'm not a sysad, nor do
 I have any experience at managing a server.  Are there courses or
 certifications that I can get to help me stay on top of these things?  I'm
 the only programmer in my office and the de facto IT guy so when stuff like
 this happens, they all look at me like I know what the heck I'm doing.  I've
 been at this for less than two years and just don't have the experience to
 deal with this appropriately.  Any tips?

 Respectfully,

 Michael
 - Original Message -
 From: Tony Gruen [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Tuesday, September 25, 2001 3:43 PM
 Subject: RE: Check out what Gartner is recommending. Drop IIS!


  It comes down to responsible administration. We have watched this come and
  still going on without incident and several IIS servers.
 
  Tony Gruen
  sfnetworks



Re: Check list for securing IIS (WAS RE: Check out what Gartner is recommending. Drop IIS!)

2001-09-25 Thread Nick Bourgeois

 Anyone know of a check list for securing IIS 5.0 in conjunction with CF
 5.0?

Check this out:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp

HTH,

Nick Bourgeois
[EMAIL PROTECTED]



Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Nick McClure

They were responsible for putting the Internet in the homes, which created 
a large number of jobs.

At 07:43 AM 9/26/2001 +1000, you wrote:
  Look at all the good they have done.

And what would that be?   You listed all the things that they are already
noted before?

What good have they done?   And please don't say Windows... because that idea
just came from somewhere else!!!   It was those said 'shady business
practices' that got them where they are today... and have put so many other
companies out of business, or stopped them being able to compete.





Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Nick Texidor

I'll move this over to CF-Community and reply


On Wed, 26 Sep 2001 11:35, you wrote:
 They were responsible for putting the Internet in the homes, which created
 a large number of jobs.

 At 07:43 AM 9/26/2001 +1000, you wrote:
   Look at all the good they have done.
 
 And what would that be?   You listed all the things that they are already
 noted before?
 
 What good have they done?   And please don't say Windows... because that
  idea just came from somewhere else!!!   It was those said 'shady business
  practices' that got them where they are today... and have put so many
  other companies out of business, or stopped them being able to compete.

 



Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Benjamin Falloon

I've resent this email because it didn't go through earlier...


Very good intelligent responses Rey and Dave.

Ultimately it comes down to responsible management in the form of expertise
as you both allude to. I think you have a good point though Dave in saying
that IIS is maybe a little over-loaded. I read a report from some people
administering army.mil (or something like that) just today and its
conclusion rested on the same principle of awareness. Interestingly, their
conclusion was that in order for your 'average' set-up (read - no frills) the
most 'secure' server set-up (being less exposed) would probably be a Mac
with a vanilla web server.

This issue is so multi-faceted that it's impossible to cover specific needs
and unwise to generalise too much. One major issue in light of the recent Nimda
worm is that because there are many irresponsible IIS admins these types of
worms can spread even further and faster than before. An unfortunate side
effect was articulated by our colleagues on one of the flash lists that
people were being encouraged to increase their IE security settings to avoid
the infected servers (caused in part by IIS in combination with ActiveX -
both MS). The side effect being that people visiting flash sites were
getting security 'warnings'. I've had one of our clients call citing people
not wanting to enter the web site because of these warnings.

If as you suggest Dave, these 'features' could be by default turned off then
maybe that's a start... But it seems to me that MS is being targeted more
than anything else and it's counterproductive to the development community
if MS's own software 'features and flaws' starts interfering with our work in
other ways than just security (as the flash example shows).

Benjamin



- Original Message -
From: Rey Bango [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 6:45 AM
Subject: Re: Check out what Gartner is recommending. Drop IIS!


  My point is that you would have less exposure to risk running alternatives
  because they aren't a massive target like IIS is.

 Sorry bud but you're exposed with every server. I've got a T1 running in
 here and I scan the logs. I get probed all of the time on all different
 types of ports and as I mentioned before, MS is just the flavor of the
 month. Don't be surprised that while everyone is making a big deal about
 IIS, someone's already coming out with a new worm for Linux. There was a nice
 juicy one just awhile ago that really slapped around several Linux admins.

 You are exposed at the moment that you connect *any* server or pc, with any
 OS, to the Net and to assume that you would have less exposure to risk by
 not using MS/IIS would be naive. *YOU* are the main determining factor in
 how secure your box will be. Yes, applying patches is a PITA but it's part of
 what goes with running a publicly accessible web server.

 Here's my take on this, irregardless of OS. If a person does not know how to
 properly manage their box or doesn't have the time to do it, then:

 1) They shouldn't be putting it out on Net or
 2) They should hire someone to do it.

 The management of a webserver is essentially a full-time job and most people
 treat that responsibility in a half-ass way. Then, when they get hacked,
 they blame the OS. It's like raising a child. If you're not prepared to do it
 the right way, then abstain, wear protection or stay celibate! hehe.

 Thanks for the opinions, bud.

 Rey...




Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Paris Lundis

I am happy to say my settings are always up on the browser and gladly
it does kill the flash...

I like a fair percent of the technobabble bunch probably am not
typically interested in how many times folks can slide their logo or
plop out pure marketing :) Flash that isn't optionally sent isn't
cool.. and indeed maybe this whole thing might cause people to integrate
flash selectively :)

We likewise have got calls when our clients opted to utilize a self
signed cert because of cheap factor vs. the Verisign use-to-be
overpriced monopoly :)  At any rate, same sort of general panic and
general calls...

I have been running IIS for years... I used to be a Website Pro person
myself. I run IIS because of the ease of installation and rapid
knowledge base I have accumulated...  I only utilize it to serve pages,
log the accesses and interface with Cold Fusion...  but indeed I
finally got my first viral infection in my 14+ years of computing...

Running away from IIS is not the solution. One of Microsoft's big
problems right now is the overbearing loopiness of patching a system..
do this and that.. and that patch undoes this... it is almost an art to
make sense of

IF I WERE MICROSOFT, I would issue the patches and start issuing
frequent all inclusive update bundles that knock it all out... this
piecemeal stuff is really getting to people... AND quit NEEDING A DAMN
reboot every time I patch something... stop the service and unload and
reload... I rebooted one machine about 14 times the other day issuing
each patch... I certainly am considering switching in part due to
that.. Heck I might even end up running my front end web servers on
Linux with Apache again...

I personally can attribute 3 full work days over the last quarter to
patching IIS and addressing the strand of Virus stuff floating
around... I encourage folks to install some monitoring packages...
Install virus software and scan regularly... run backups often enough
and keep track of your systems... Indeed this concept of plug in and
run forever is utopian from the hosting perspective... We all need to
be a bit more aware of what our machines are talking to and who is
talking to them... the ingenuity behind them is only going to get
better and certainly is not going to stay isolated to MS stuff..

-paris
[finding the future in the past, passing the future in the present]
[connecting people, places and things]


-Original Message-
From: Benjamin Falloon [EMAIL PROTECTED]
Date: Wed, 26 Sep 2001 11:59:19 +1000
Subject: Re: Check out what Gartner is recommending. Drop IIS!

 I've resent this email because it didn't go through earlier...
 
 
 Very good intelligent responses Rey and Dave.
 
 Ultimately it comes down to responsible management in the form of expertise
 as you both allude to. I think you have a good point though Dave in saying
 that IIS is maybe a little over-loaded. I read a report from some people
 administering army.mil (or something like that) just today and its
 conclusion rested on the same principle of awareness. Interestingly, their
 conclusion was that in order for your 'average' set-up (read - no frills) the
 most 'secure' server set-up (being less exposed) would probably be a Mac
 with a vanilla web server.
 
 This issue is so multi-faceted that it's impossible to cover specific needs
 and unwise to generalise too much. One major issue in light of the recent Nimda
 worm is that because there are many irresponsible IIS admins these types of
 worms can spread even further and faster than before. An unfortunate side
 effect was articulated by our colleagues on one of the flash lists that
 people were being encouraged to increase their IE security settings to avoid
 the infected servers (caused in part by IIS in combination with ActiveX -
 both MS). The side effect being that people visiting flash sites were
 getting security 'warnings'. I've had one of our clients call citing people
 not wanting to enter the web site because of these warnings.
 
 If as you suggest Dave, these 'features' could be by default turned off then
 maybe that's a start... But it seems to me that MS is being targeted more
 than anything else and it's counterproductive to the development community
 if MS's own software 'features and flaws' starts interfering with our work in
 other ways than just security (as the flash example shows).
 
 Benjamin
 
 
 
 - Original Message -
 From: Rey Bango [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, September 26, 2001 6:45 AM
 Subject: Re: Check out what Gartner is recommending. Drop IIS!
 
 
   My point is that you would have less exposure to risk running alternatives
   because they aren't a massive target like IIS is.
 
  Sorry bud but you're exposed with every server. I've got a T1 running in
  here and I scan the logs. I get probed all of the time on all different
  types of ports and as I mentioned before, MS is just the flavor

Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Benjamin Falloon

Very good intelligent responses Rey and Dave.

Ultimately it comes down to responsible management in the form of expertise
as you both allude to. I think you have a good point though Dave in saying
that IIS is maybe a little over-loaded. I read a report from some people
administering army.mil (or something like that) just today and its
conclusion rested on the same principle of awareness. Interestingly, their
conclusion was that in order for your 'average' set-up (read - no frills) the
most 'secure' server set-up (being less exposed) would probably be a Mac
with a vanilla web server.

This issue is so multi-faceted that it's impossible to cover specific needs
and unwise to generalise too much. One major issue in light of the recent Nimda
worm is that because there are many irresponsible IIS admins these types of
worms can spread even further and faster than before. An unfortunate side
effect was articulated by our colleagues on one of the flash lists that
people were being encouraged to increase their IE security settings to avoid
the infected servers (caused in part by IIS in combination with ActiveX -
both MS). The side effect being that people visiting flash sites were
getting security 'warnings'. I've had one of our clients call citing people
not wanting to enter the web site because of these warnings.

If as you suggest Dave, these 'features' could be by default turned off then
maybe that's a start... But it seems to me that MS is being targeted more
than anything else and it's counterproductive to the development community
if MS's own software 'features and flaws' starts interfering with our work in
other ways than just security (as the flash example shows).

Benjamin



- Original Message -
From: Rey Bango [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 6:45 AM
Subject: Re: Check out what Gartner is recommending. Drop IIS!


  My point is that you would have less exposure to risk running alternatives
  because they aren't a massive target like IIS is.

 Sorry bud but you're exposed with every server. I've got a T1 running in
 here and I scan the logs. I get probed all of the time on all different
 types of ports and as I mentioned before, MS is just the flavor of the
 month. Don't be surprised that while everyone is making a big deal about
 IIS, someone's already coming out with a new worm for Linux. There was a nice
 juicy one just awhile ago that really slapped around several Linux admins.

 You are exposed at the moment that you connect *any* server or pc, with any
 OS, to the Net and to assume that you would have less exposure to risk by
 not using MS/IIS would be naive. *YOU* are the main determining factor in
 how secure your box will be. Yes, applying patches is a PITA but it's part of
 what goes with running a publicly accessible web server.

 Here's my take on this, irregardless of OS. If a person does not know how to
 properly manage their box or doesn't have the time to do it, then:

 1) They shouldn't be putting it out on Net or
 2) They should hire someone to do it.

 The management of a webserver is essentially a full-time job and most people
 treat that responsibility in a half-ass way. Then, when they get hacked,
 they blame the OS. It's like raising a child. If you're not prepared to do it
 the right way, then abstain, wear protection or stay celibate! hehe.

 Thanks for the opinions, bud.

 Rey...


 
  Benjamin
 
 
  - Original Message -
  From: Costas Piliotis [EMAIL PROTECTED]
  To: CF-Talk [EMAIL PROTECTED]
  Sent: Wednesday, September 26, 2001 6:19 AM
  Subject: RE: Check out what Gartner is recommending. Drop IIS!
 
 
   You know it's funny though.  A quick search at www.securiteam.com shows that
   Apache and iPlanet have many vulnerabilities as well.  Think perhaps that
   the research is simply political?  Hackers seem to actually target IIS boxes
   likely for their hatred of Micro$oft.  I think there's more to this than
   meets the eye...
  
   Remember, nothing's ever secure.  As stated in the movie The Score: If
   someone built it, someone can break it.
  
  
   -Original Message-
   From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
   Sent: Tuesday, September 25, 2001 12:42 PM
   To: CF-Talk
   Subject: Re: Check out what Gartner is recommending. Drop IIS!
  
  
   Maybe a little OT, but my 2c.
  
   I wouldn't call that stupid at all.
   Consider all of the attacks aimed squarely at IIS in the past few months.
   It's only going to increase. I've had personal experience with being hacked.
   I run 2 internal IIS development boxes for CF and an internal hack replaced
   *ALL* index.htm, default.htm files in all folders in the web serving
   directory. Lucky more files were cfm.
  
   I'm not a 'server' admin (by title) but I can thank MS for this. If they
   released a tighter web server with less vulnerabilities maybe there would be
   fewer viruses/hacks that could penetrate. People shouldn't need

RE: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Andrew Scott

My 2c:-)

Could we imagine a world without hackers, who didn't notify us of these
exploits!

I could, the internet would not be where it is now. Secondly there are
more hackers on Windows than there are that use *nix. So of course the
windows platform will be attacked a lot more looking for exploits.

Don't think for a moment that *nix can't be hacked, they can. But they
are more secure than its counterparts, and such you get the script
junkies or wannabees trying to find computers who have not patched their
system rather than looking for actual new hacks! So this is where
windows becomes flavour of the month!




Regards,
Andrew Scott


-Original Message-
From: Benjamin Falloon [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, 26 September 2001 5:42 AM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!

Maybe a little OT, but my 2c.

I wouldn't call that stupid at all.
Consider all of the attacks aimed squarely at IIS in the past few months.
It's only going to increase. I've had personal experience with being hacked.
I run 2 internal IIS development boxes for CF and an internal hack replaced
*ALL* index.htm, default.htm files in all folders in the web serving
directory. Lucky more files were cfm.

I'm not a 'server' admin (by title) but I can thank MS for this. If they
released a tighter web server with less vulnerabilities maybe there would be
fewer viruses/hacks that could penetrate. People shouldn't need to have to
patch every week.

Doesn't that fact indicate that just *maybe* the software itself is pretty
shaky?

Consider this quote from the article,

Gartner remains concerned that viruses and worms will continue to attack
IIS until Microsoft has released a completely rewritten, thoroughly and
publicly tested, new release of IIS,

Rewritten. That would be a good idea. Try to imagine a pair of pants with as
many 'security' patches as is and will continue to be required for IIS. I'd
say the pants would be more patches than pants.

Just a thought,

Benjamin

PS maybe apache would be a good alternative.



- Original Message -
From: Rey Bango [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 3:03 AM
Subject: OT: Check out what Gartner is recommending. Drop IIS!


 Now, I've always found Gartner to sway in a particular direction based on
 the wind changes and the phases of the moon but this recommendation is just
 plain stupid. Check it out:

 http://news.cnet.com/news/0-1003-200-7294516.html

 Rey Bango


 




RE: Check out what Gartner is recommending. Drop IIS! - IIS6 features

2001-09-25 Thread Andrew Scott

Sandbox security for FTP, man about time:-)


Regards,
Andrew Scott


-Original Message-
From: Jon Hall [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, 26 September 2001 8:00 AM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS! - IIS6
features

I got this in a newsletter today...He says IIS6 may be out by 1Q 2002.

IIS 6.0 is a complete paradigm shift; it provides an infrastructure
that installs security hotfixes by default. IIS 6.0 also lets you
download hotfixes and apply them automatically as they become
available.

IIS 6.0 includes these security enhancements:
   - Configurable Worker Process Identities, which let you start
services under the security context of LocalSystem, LocalService,
NetworkService, or a configurable account.
   - Selectable Crypto Service Provider, which lets you use hardware-based
Secure Sockets Layer (SSL). Hardware-based SSL is lightning-fast
compared with the SSL latency we have to deal with today in IIS 5.0 and
older releases.
   - Remotable Certificate installation and removal, which lets you
install and remove certificates on remote computers.
   - Publishing, which you can disable. 
   - Delegation for all protocols so you can securely distribute a
Kerberos ticket when you use Digest, Basic, NT LAN Manager (NTLM), or
Passport.
   - Sand-boxed FTP, which lets you configure FTP sites so only
specific users can upload content.

http://www.iisadministrator.com

jon




Re: Check out what Gartner is recommending. Drop IIS!

2001-09-25 Thread Toby Tremayne

<cfwhinge>
I'm sorry - I've been avoiding it but I have to jump in here...

I keep reading on this list and others, and in so many news articles about
windows only being targeted because it's the most popular, and about it
being down to irresponsible admins etc etc.  Both of these points are in
some ways valid, but to me these people seem to be missing the point.

Yes, less of this would happen if admins were responsible and used all
the latest patches etc etc.  But what am I missing here - why is it nobody
seems to see that the entire concept of windows and iis patches is the
problem in the first place - we need to patch our servers because they are
a) in some places so pathetically coded and/or untested that they break down
and let all kinds of nonsecure access through and b) at development time it
is obviously decided that security is not cost effective to implement.

These worms are all aimed at the fact that explorer/iis/outlook let you
arbitrarily execute all kinds of foreign code or local commands without any
kind of checking or restraint whatsoever.  And yes perhaps there are patches
for the majority of these - but they should never have been released
requiring those patches in the first place.  Windows is targeted not purely
because of its market share but because it makes possible the functions of
these worms.  I don't agree with the idea that there are more windows based
hackers than unix based hackers - the thought is ludicrous - and it makes
little difference.  You don't need any great level of expertise to write one
of these things, and as bad as the last year or two have become it's
astounding there aren't more of them.  And still microsoft continues to
release software with these vulnerabilities coded into them - and we
continue to buy them.

Look at it this way, if someone made a television that did all the
normal stuff, but had an extra feature that let anyone arbitrarily connect
to it and start changing your channels, you'd never buy it.  And if you'd
already bought it and later found out, you'd kick up an enormous stink.  It
ought to be no different with software - especially software that's mission
critical and costs you large sums of money when it fails - not to mention
inadvertently hammering the daylights out of *other* people's software
without you being able to stop it.

These are just my opinions, but I'm seriously tired of the fact that we
who know better get forced to accept appallingly poor quality software simply
because the majority don't know or care what the problems are and follow the
upgrade paths dished out to them.  We don't help this situation any when we
let these kinds of arguments ride without pointing out the truth.

</cfwhinge>

cheers,

Toby
P.S.  Just for the record, I too run Win2K, IIS, AND Linux


 Life is poetry, write it in your own words



Toby Tremayne
Architect / Developer
Code Poet and Zen Master of the Heavy Sleep
MercuryRed
Lvl 9, 123 Queen st
Melbourne
VIC 3000
p: +61 3 9605 5035
m: +61 416 048 090
ICQ: 13107913



- Original Message -
From: Benjamin Falloon [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 7:39 AM
Subject: Re: Check out what Gartner is recommending. Drop IIS!


 Very good intelligent responses Rey and Dave.

 Ultimately it comes down to responsible management in the form of expertise
 as you both allude to. I think you have a good point though Dave in saying
 that IIS is maybe a little over-loaded. I read a report from some people
 administering army.mil (or something like that) just today and its
 conclusion rested on the same principle of awareness. Interestingly, their
 conclusion was that in order for your 'average' set-up (read - no frills) the
 most 'secure' server set-up (being less exposed) would probably be a Mac
 with a vanilla web server.

 This issue is so multi-faceted that it's impossible to cover specific needs
 and unwise to generalise too much. One major issue in light of the recent Nimda
 worm is that because there are many irresponsible IIS admins these types of
 worms can spread even further and faster than before. An unfortunate side
 effect was articulated by our colleagues on one of the flash lists that
 people were being encouraged to increase their IE security settings to avoid