[LINK] Ditch IIS now: Gartner
Alastair Rankine
arankine@avaya.com
Tue, 25 Sep 2001 11:25:33 -0600
Chirgwin, Richard wrote:
>http://www.theregister.co.uk/content/4/21853.html
>
>>Ditch Microsoft IIS now, says Gartner
>>
And, in a nice counterpoint:
http://www.theregister.co.uk/content/55/21869.html
> Redmond is telling its sales channel that a rewrite of IIS is underway
> for version 6.0, and will introduce interim security measures along
> the lines of the lock-down utility, because, it says, "we also realize
> customers cannot wait that long."
>
> Most remarkably, it's even mulling whether to leave the web server IIS
> - along with many other services - uninstalled by default.
>
> The comments are in a bulletin sent to its sales staff and resellers,
> and seen by /The Register/.
Pretty remarkable stuff. It occurs to me that over the last 12 months or
so there has been quite a sea change in the attitude towards security
from the boys and girls in Redmond. Better late than never.

My experience with the lockdown tool and associated patches has been
quite positive. I ran the tool and installed the patches on my Win 2000
home PC (connected via always-on cable internet). Since then I've had
over 10000 requests for /winnt/system32/cmd.exe (and numerous variations
thereof), default.ida and other script kiddy favourites. Most of these
have occurred over the last week or so, and I assume they can be
attributed to Nimda. None have gotten through, though I've had quite a
few 'internal server error' responses, not sure what that means.

It has been quite an eye-opening experience running a web server on my
cable modem. The number of connection requests from other @home network
users is quite amazing. One fellow (I assume it's a male :) in the
aurora1.co.home.com domain has tried to connect almost 200 times since I
started recording stats 3 weeks ago. Most of the others come from the
co.home.com (Colorado) domain, but there are plenty of others from
neighbouring states. I assume these guys are simply war-dialing IP
address ranges looking for vulnerabilities. I don't doubt they find some.

The article goes on:
> Indications are that the rewrite of IIS is "partial" and that one
> feature of the new server in particular troubles IIS users. At its
> TechEd Forum this year Microsoft promised to implement some httpd
> functionality into the kernel.
[snip]
> "Does this mean script kiddies will be able to generate BSODS, too?"
> asks one correspondent. On the face of it, yes.
Which certainly seems scary. Of course the Linux world provides the
inspiration for this approach (http://www.fenrus.demon.nl/), I wonder
what they do about security?