Chapter 12: IIS Security


Overview

What's hacked more, Internet Information Services (IIS) or the open-source Apache server? It might surprise you to learn that Apache 2.0 has suffered at least 27 separate vulnerabilities since March 2003, the month IIS 6 was released to production, while IIS 6 has suffered only 3 vulnerabilities. As of February 2006, IIS 6 has not required a single critical patch. Much of that gap in vulnerabilities between IIS and Apache is probably explained by the fact that IIS runs on only 19% of the world's public-facing web sites, while Apache runs on 79%. As with Windows, anything popular will attract more hackers.

However, IIS 6 is the web server software used at some of the world's most popular web sites, including eBay, Hotmail, MSNBC, and Microsoft. Hackers are constantly assaulting these web sites hoping to exploit them and take them down, yet they stand relatively untouched. A majority of the Fortune 1000 companies run IIS, and IIS virtually owns the intranet space. IIS's default programming language, ASP.NET, has suffered a handful of vulnerabilities since its release. Open-source PHP seems to get a new vulnerability every week. Spam bots live for unpatched PHP servers.

The Code Red worm is the attack that many administrators and open-source advocates use to demonstrate how weak IIS is, and Code Red is still one of the most popular attempted attacks on the Internet. It was released in July 2001. The patch that prevented it from working was released by Microsoft two months prior. IIS hasn't suffered a major publicly exploited vulnerability since then. Isn't it time we stopped thinking of IIS as weak and easily hackable?

Of course, any software, especially web servers, can be hacked. The key is to make your web servers sufficiently secured against easy attack. Out of the box, IIS 6 is secure. You literally have to go out of your way to make it not secure. But sometimes that is easier said than done when installing a complex web site with multiple custom applications. One small mistake can open a huge hacker hole. This chapter covers how to secure IIS. It begins with IIS 6 basics, summarizes the security steps, and then describes each recommendation in detail.

Note 

This chapter will focus on the specifics of IIS version 6. The details of IIS version 7, which is in early beta as this chapter goes to press, will be discussed where they are known to deviate from IIS 6, but they are subject to change.



Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004
Pages: 122
