Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: iis

  1. #1
    Junior Member
    Join Date
    Mar 2002
    Posts
    23

    iis

    with all these fly by night 31337 h4x0r5 using iis to break into computers to further send there files about, i was just woundering.... how would you fix this problem? is there a patch or something out there? (p.s. i am a newbie, so be nice)

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Posts
    106
    m$ has a rollup package for iis that you should apply if you haven't already.

    check this link:

    http://www.microsoft.com/technet/tre...t1=go&isie=yes


    hope it helps

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Posts
    259
    It's not IIS that's at fault it's the fact that most people who run it don't ever update it and run the security patches. Almost all defaceings are the result of some lame script that scans for old vulnerabilities and exploits them.
    Alternate realities celebrate reality. If you cant handle the reality your in, then you wont be able to handle the one your attempting to escape to.

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Posts
    106
    i completely agree with zephrin.

    i haven't had a single iis server that i manage get hacked. i keep all my servers up to date with patches and use local tools (ie auditing, acl's etc.).
    just making some minor adjustments to your system....

  5. #5
    Member
    Join Date
    Jul 2002
    Posts
    38
    I also have to jump on the agreement train... There's about 200 IIS web servers in the environment I am charged with protecting and none have been compromised. If I find something that could lead to a compromise, it's usually the result of someone altering permissions at a directory level or doing a poor job of writing their web sites. Although MS seems to release new patches for IIS daily, the patches are usually effective in assisting in preventing compromise. By using vigilance, testing properly, and regularly reviewing security perms on the servers, they generally hold their own in the wild.

    ...aberration...
    [shadow]
    \"The most beautiful thing we can experience is the mysterious. It is the source of all true art and science.\"
    ~ Albert Einstein ~ [/shadow]

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    Try this tut I wrote for IIS security - Securing an installation of IIS 4. (No, seriously).

    Hope it helps
    \"I may not agree with what you say, but I will defend to the death your right to say it.\"
    Sir Winston Churchill.

  7. #7
    y does every1 trash IIS....apache has a bigger market and it has just as many security holes....
    [gloworange]Website
    File Server

    [/gloworange]

  8. #8
    Actually, I don't think it does have as many holes. Consider this, the main argument for pro-MS is that its software is so wide-spread that so many people use it that of course holes are going to develop for numerous reasons which are offshoots of its popularity. Think about the same argument with apache, yet apache doesn't have even close to as many reported holes. Prove that apache has as many holes. Seriously, prove it.

  9. #9
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    Originally posted here by khakisrule
    Actually, I don't think it does have as many holes. Consider this, the main argument for pro-MS is that its software is so wide-spread that so many people use it that of course holes are going to develop for numerous reasons which are offshoots of its popularity. Think about the same argument with apache, yet apache doesn't have even close to as many reported holes. Prove that apache has as many holes. Seriously, prove it.
    Well, considering that Apache is the most popular web server on the Internet (over double the market penetration as IIS alone), I think it's tends to be a lot more secure overall. Apache's MTBF along with their release cycle tends to blow the doors off of anything that Microsoft can even hope for, etc.

    When was the last time we saw an arbitrary file execution vulnerability in Apache? Ok - the time before that? Now how often, normally, do we see a serious vulnerability in Apache? Not often. And, when one's announced it's fixed how quickly? (last time was like two or three days folks) I can't help but point out that every single time you see a new bug in IIS, it invariably seems to be yet-another-way-to-run-cmd.exe-through-URL-encoding or some other exploit of their "tightly coupled web server" (that's both a selling point and a major detraction, in my opinion). Microsoft has trouble putting a single type of vulnerability to rest, let alone responding to serious problems with any sort of efficiency or responsibility.
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  10. #10
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    IMHO, the main reason I consider IIS to be less secure than something like apache is that there has been a neverending stream of serious vulnerabilities in IIS (although in the past M$ has been pretty quick with releasing patches, shame so many are lazy about installing them...more on that later). True, apache has had some vulnerabilities, like the most recent chunking problems; however, when you compare that to the seemingly neverending stream of vulnerabilities in IIS, unicode, ISAPI overflows, the index server overflows and throw into the mix other things like frontpage extensions and the general dislike of 'hackers/script kiddies' for anything Bill Gates or Microsoft related and things get ugly...

    In my past experience in the IM and security arena, it seems that the people that are more knowledgeable and experienced, who have years of experience typically will chose something like apache outright. IMHO, I think there is no question that apache is more secure 'out of the box' than IIS; and it is made even more secure because of the sys admin's experience. They take the time to properly secure the box, properly write their cgi's, properly maintain file security, etc and therefore have very secure web servers. I do work with system admins of IIS servers who are very responsible and who take the time to lock down their IIS server, patch and patch and patch, and who pay attention to how their cgi's work, and those boxes are just as tight (at least until the next major vulnerability). It has however also been my experience that the vast majority of people that I see using IIS use IIS because they have a lower experience and IIS is ease of use and the ability to easily get it running and up quickly. This lower experience also has lent itself towards the sysadmins not taking the time to properly secure the box or taking the time to keep the patches up to date, making a bad situation worse...

    Hmm...that explanation got a little longer than I wanted, but brief summary, is that I think there are multiple issues between the relative security of something like IIS versus something like apache. You have default out of the box quality of code and default security (like M$ default posture of allowing everything and blocking only a couple of things if anything at all), but you also have the quality of the admin thrown in there as well...You could have the best, tightest server in the world, but if the sysadmin doesn't do the job...then you have nothing...

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •