Is it secure? I mean IIS

A free program identifies Internet Information Server before you type in your credit card

LAST WEEK I wrote about the latest security weakness found in the new Windows XP operating system. (See ” Plug-and-prey fiasco ,” Jan. 14.) XP is selling in retail channels at a rate that’s about one-third less than Windows 98 did at this stage, according to Port Washington, N.Y.-based market-research company NPDTechworld ( www.idg.net/crd_idgsearch_781514.html ). But thanks to preinstallation on new PCs, about 7 million to 10 million copies of XP (and growing) are now running. That’s an awful lot of machines that may become “zombies” in future DoS (denial of service) attacks due to XP’s security hole.

In a related development, security expert Steve Gibson recently released a small utility called ID Serve. It allows Web surfers to easily see whether an e-commerce site that’s asking for their credit card number is or is not running Microsoft’s IIS (Internet Information Server) software.

Last year’s worm wars gave Microsoft’s Web server product such a bad name among IT professionals that many of them joked that IIS stands for “It Isn’t Secure.” The Code Red and Nimda worms affected hundreds of thousands of IIS machines at the height of their exploits, and thousands of hacker backdoors remain in place even today.

Server software figures from Netcraft, a research group in Bath, England, reveal serious cracks. “One in 10 of the [IIS] e-commerce and encrypted transactions sites tested by us had backdoors in place to allow external attackers to monitor the systems, or have commands executed on the machines,” Netcraft said in November ( www.netcraft.com/Survey/index-200110.html ). That’s after many, many servers had been patched, but by no means all.

Besides reassuring cautious credit card users, ID Serve also allows users to determine the domain name associated with a given IP address. This can help you identify intruders your firewall may have detected. ID Serve and Gibson’s descriptions of various IIS problems can be found at www.grc.com/id/idserve.htm .

It’s not as if it’s impossible to make software that’s more secure. Wim Vandeputte, CTO of Custodix.com, a provider of trusted services, notes that the OpenBSD operating system he uses “hasn’t suffered from a remote hole in the default install in over four years.” In a similar vein, Gibson says, “The last serious remote-code execution vulnerability to hit the Apache Web server was back in 1997. But IIS has them monthly.” Knowing that you may need to patch a product next month and again the month after doesn’t make you feel as secure as using a product that’s well-tested. Partially as a result, Apache server software enjoys twice IIS’s market share in Netcraft’s latest survey.

Microsoft has some of the world’s best developers, but it still pushes some half-baked products.

Source: www.infoworld.com

Related Posts

Trending now

XML APIs for databases
XML APIs for databases
JNDI overview, Part 1: An introduction to naming services
JNDI overview, Part 1: An introduction to naming services
Spotlight dimmed on J2EE launch
News and New Product Briefs (December 20, 1999)