[LINK] Ditch IIS now: Gartner
Tue, 25 Sep 2001 11:25:33 -0600
Chirgwin, Richard wrote:
>>Ditch Microsoft IIS now, says Gartner
And, in a nice counterpoint:
> Redmond is telling its sales channel that a rewrite of IIS is underway
> for version 6.0, and will introduce interim security measures along
> the lines of the lock-down utility, because, it says, "we also realize
> customers cannot wait that long."
> Most remarkably, it's even mulling whether to leave the web server IIS
> - along with many other services - uninstalled by default.
> The comments are in a bulletin sent to its sales staff and resellers,
> and seen by /The Register/.
Pretty remarkable stuff. It occurs to me that over the last 12 months or
so there has been quite a sea change in the attitude towards security
from the boy and girls in Redmond. Better late than never.
My experience with the lockdown tool and associated patches has been
quite positive. I ran the tool and installed the patches on my Win 2000
home PC (connected via always-on cable internet). Since then I've had
over 10000 requests for /winnt/system32/cmd.exe (and numerous variations
thereof), default.ida and other script kiddy favourites. Most of these
have occurred over the last week or so, and I assume they can be
attributed to Nimda. None have gotten through, though I've had quite a
few 'internal server error' responses, not sure what that means.
It has been quite an eye-opening experience running a web server on my
cable modem. The number of connection requests from other @home network
users is quite amazing. One fellow (I assume it's a male :) in the
aurora1.co.home.com domain has tried to connect almost 200 times since I
started recording stats 3 weeks ago. Most of the others come from the
co.home.com (Colorado) domain, but there are plenty of others from
neighbouring states. I assume these guys are simply war-dialing IP
address ranges looking for vulnerabilities. I don't doubt they find some.
The article goes on:
> Indications are that the rewrite of IIS is "partial" and that one
> feature of the new server in particular troubles IIS users. At its
> TechEd Forum this year Microsoft promised to implement some httpd
> functionality into the kernel.
> "Does this mean script kiddies will be able to generate BSODS, too?"
> asks one correspondent. On the face of it, yes.
Which certainly seems scary. Of course the Linux world provides the
inspiration for this approach (http://www.fenrus.demon.nl/), I wonder
what they do about security?