Airline removes 100 'unauthorised' web servers

British Airways has removed 100 "unauthorised" web servers running Microsoft IIS from its network over fears that the software could be a target for virus attacks.

The move came after the company found that the web servers had been installed by its own staff "without the correct authorisation procedures".

BA was worried that the servers could be attacked by the Code Red virus. A company spokesman said that the airline was not affected by the virus.

Code Red exploits a buffer overflow vulnerability in an unpatched machine that could allow an attacker to gain complete control of an affected web server.

It then makes copies of itself and scans the internet looking for other vulnerable IIS machines to infect. It is this that led the airline to take preventative measures.

"As part of our normal housekeeping procedures, and in line with good IT security practice, we launched an internal review of our use of Microsoft web servers," said a spokesman. "We are undertaking a project to remove the product where it has been installed without the correct authorisation procedures."

According to internet consultancy Netcraft, all BA websites currently visible from the internet run Netscape Enterprise 4.1 on Sun Solaris.

The BA spokesman explained that all the IIS servers ran internal departmental intranets and that it was not possible to view them externally "unless this is configured in our web access control infrastructure".

If an IIS-based server is not properly configured and patched, it is vulnerable to attacks. The spokesman admitted that "there is no such thing as perfect security".

Richard Barber, of security consultants Integralis, said that BA had felt secure because it had a policy of using non-Microsoft web servers.

"People on the inside of a company can set up their own web servers and, if these go to the internet through the firewall at http, they become visible," he explained. "It is then fairly obvious from the outside of the network to hackers."

"Unfortunately BA was not managing and maintaining the threat that staff presented in putting up their own websites," he added.

In future BA hopes to keep tabs on its infrastructure "by regular audits and reviews of web servers", said Barber.

Microsoft declined to comment.