Can IIS flourish post-Gartner?

Hint: can your OFH secure Solaris any better?


As the cashier at my local Safeway handed over the receipt for my groceries, she smiled and said "Thank you! You saved six dollars with your card!" Though I said "Thank you" back, I was really thinking "Yeah... Saved six bucks, and it only cost me $175."

Gartner Research, in their recommendation for corporations to dump IIS, is using the same flawed logic. In a recent press release, the generally well-respected research and advisory firm is advising that companies hit by Nimda and Code Red "immediately seek alternatives" to Microsoft's IIS Web Server product due to its history of security vulnerabilities.

It's a bad idea.

Not that IIS hasn't had its share of issues; it certainly has. But so has everything else out there. Every operating system and every Web server application has had security holes, and they will have them in the future.

But switching from vendor to vendor when problems arise is no solution. The solution is to learn how to secure what you have.

There is no such thing as a perpetually secure solution. There is no such thing as an "install and forget" Web application; not when security is a goal. Auto-updaters and the like may help, but they will not take the place of a policy of management, audit, and continued education.

Commercial drivers must undergo special training and acquire job-specific licenses to operate a vehicle on our highways. I can see the day coming where a government regulatory commission will be formed to enforce the same protocol for companies when they choose to plug in to the Internet. I'm not saying I like it, I just see it coming.

If you got hit by Nimda (the IIS-specific segments) and Code Red, you had people who either did not know how to secure IIS, or who simply chose not to. That is the bottom line, as crass as it may sound.

Patch early, Patch often

I have heard all the arguments regarding the level of difficulty in rolling out patches to hundreds or even thousands of IIS systems, but the same thing would have to be done no matter what solution your company chose when it came time to apply a patch. I'm not discounting the chore of applying fixes to large installations; in some companies the task can be Herculean. But nobody said this would be easy.

You cannot compare the security of Apache running on a Linux box to IIS on Win2k. You can only compare the knowledge of the people who are implementing the different systems.

While there are aspects of the *nix architecture that do make applications on those platforms inherit a certain type of security, there are options available in the Win32 world that perform similar functions.

You can't just yank IIS and stick in iPlanet as if you are buying a new pair of shoes. The idea that you can is quixotically naïve. The level of direct integration of IIS with other Microsoft technologies is so deeply fused into corporate infrastructures that a move from it would start the dominoes of application monoliths falling until they smacked right into your bank account. Data-driven Web applications, certificate services, Exchange and Outlook Web Access, authorization structures, server clustering, load balancing, and integrated vendor solutions would be only a few of the many technologies you would have to modify or replace altogether.

IIS is not hard to secure. In fact, if you know how, it is actually pretty easy. The configuration recommendations that would have saved you from Code Red, the IIS vectors of Nimda, as well as other general-purpose worms and attacks have been readily available for years... Not days or months, but years. And they are not locked away in some dank cell, scratched cryptically on the wall for viewing by an elite few after passing some ceremonial test of technical prowess. They are readily available on a plethora of sites sprawled all about the world.

The grass isn't greener

I think the Gartner recommendation also trivializes the complexities of the open system architectures. Being a Microsoft person, this is a bit hard to say, but I've always felt that the *nix, Solaris, and *BSD gurus have had a technical leg-up on us Windows guys. These systems take you far closer to the real action, and can be far more difficult to work with. I'm not saying *nix administrators are necessarily smarter than the rest of us, but I do think they are more "robust."

While their hand-to-hand combat experience and depth of knowledge will most likely help *nix guys when interacting with MS systems, I'm not so confident that it will work the other way around. One thing is for sure: If you've got an admin that can't secure a Microsoft Web server, then your chances of having them secure a Solaris installation will be slim.

None of this is meant to minimize Microsoft's responsibility to manufacture secure products. But this "grass is greener" mentality has got to change. All it does is absolve administrators of their due diligence when configuring a system. No matter what solution gets deployed, when your company connects a box to the Internet, you must become part of the security community.

You must subscribe to notification lists, and you must participate (or at least lurk) in security newsgroups and mail lists specific to your applications. Your investment in joining the global marketplace cannot stop at a server, a circuit, and some Web pages; you must invest in the education of your sys-admins, or invest in a professionally deployed solution with maintained support and monitoring.

There have been enough knee-jerk reactions to security issues of late. Let's not make this another one.

© 2001 SecurityFocus.com, all rights reserved.

Tim Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software.
