> My apologies, I had replied quite quickly while running through the
> office. And re-reading the email and your comments I see your point
> on many issues, in that I didn't back up anything really, did I.
No problem, I'm sure we all have been guilty of the same thing from
time to time.
> The problem with IIS is
> that it is up and running almost out of the box and few web admins
> spend the extra time to go through the full hardening process which
> basically strips the machine down to being a web server and nothing
> else.
I agree with you there. I don't use IIS personally, but relying on a
default install for anything is not a good idea in my opinion.
> Buffer Overflows
> can cause little or no damage if the underlying OS is secured also
> along with the IIS itself.
Possibly. Correct me if I'm wrong, but doesn't IIS run with the
equivalent of "root" privileges ("system" I believe??) in the *nix
world? So, if an exploitable buffer overflow is found, your entire
system is at risk of compromise? Or, is that configurable as well? If
so, is it still usable?
For example, take the recent OpenSSH exploit. Theo announced
about a week ahead of time that you should upgrade to version 3.3
and enable privilege separation because otherwise the exploit would
grant a cracker instant root access. Whereas running with privilege
separation they would get access as a non-privileged user in a
limited environment.
> Known and unknown bugs are something you
> have with all software.
I definitely agree with you there. It just seems that some
applications have more than their share of serious bugs (serious
meaning those that cause security problems).
> Media software. I am very aware of many of the products out there for
I haven't really looked into this myself, but I know there is a media
server available for free called icecast. I don't know how it
compares to Microsoft's offering however.
>
> Again I hope this has been a more helpful email and is not just part
> of a newly beginning flame!!!!
No flames intended here. I just wanted to have a few points
clarified.
Steve Bremer