> You sound like you know more about this than I, but do you really believe
> that IIS is as secure as apache etc?
Hmmm. That's really hard to say. You'd have to be able to really look under
the hood to make a firm judgement. I think that if you stay on top of IIS
and manage it the way it should be, it can be very secure. These worms have
simply exploited holes that were previously reported. Had these holes been
patched, then the worm's capability to propagate would've been greatly
diminished.
I need to restate this because I think it's very important. The biggest issue
with IIS is administration. You have too many people deploying IIS that are
underqualified or overworked. If you don't know squat about IIS or
webservers, you're asking for trouble. If you're overworked because your
boss is too cheap to get ya some help, you're bound to overlook something or
just not be able to get to it in time.
If you have the time, though, to actually stay on top of the patches, you
can make any product secure.
Rey...
>
> Benjamin
>
> PS For me this isn't an issue of cash/cost of ownership etc, just security
> (Which is grave indeed - obviously).
----- Original Message -----
From: "Benjamin Falloon" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 25, 2001 4:59 PM
Subject: Re: Check out what Gartner is recommending. Drop IIS!
> Lots of good points Rey,
>
> I agree with you. I think my comments were perhaps aimed a little more at
> MS than at the article itself, but it's interesting to take note of other
> articles that report the 'report' as it were.
>
> Take this for example:
> http://it.mycareer.com.au/breaking/2001/09/25/FFXI5T3L0SC.html?NDailyH
>
> This report lacks the 'urgency' of the original cnet post so I think that
> perhaps part of the issue is the news reporting. Having read the above
> link prior to your original post the first word I noticed was
> 'immediately' (in bold and at the beginning of the article). This lowers
> the credibility of the report itself IMO.
>
> You sound like you know more about this than I, but do you really believe
> that IIS is as secure as apache etc?
>
> Benjamin
>
> PS For me this isn't an issue of cash/cost of ownership etc, just security
> (Which is grave indeed - obviously).
>
>
> ----- Original Message -----
> From: "Rey Bango" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Wednesday, September 26, 2001 6:22 AM
> Subject: Re: Check out what Gartner is recommending. Drop IIS!
>
>
> > Thanks for the feedback bud but I still disagree. IIS and Microsoft are
> > just the flavor of choice now for the cracker community. If you go to
> > SecurityFocus.com, you'll see that both Linux and Apache have a long
> > history of security issues. Look up Sun and you'll find the same thing.
> > If we were to call IIS "shaky" simply because of the current security
> > issues, then I'm not exactly sure what to call the other operating
> > systems that at one time had many security breaches and to this day,
> > still have to constantly patch their implementations.
> >
> > I truly hope MS is sincere in their statement of rewriting IIS but
> > inevitably, there are still going to be hacks. The strongest OS that
> > I've seen publicly available is OpenBSD and that's because they audit
> > *every* line of code in their BSD offering and many of the accompanying
> > packages. Those that can't be audited are put into a "ports" tree and an
> > advisory is specified accordingly. Anyone that would come out and say
> > that SunOS, Linux or FreeBSD (very good webserving alternatives) are
> > without security issues would be a liar.
> >
> > I certainly acknowledge that IIS & WinNT/2K have some security issues
> > but I have seen and experienced the same thing on other OSes.
> >
> > As for Gartner, like I mentioned originally, they sway with the wind. I
> > find them to be very good sometimes and VERY crappy on other occasions.
> > I've seen their reports for the last eight years, through the
> > client/server days and now with ecommerce and, frankly, have seen a steady
> > decline in their analysis of anything. It's almost as if they just hire
> > any schmoe to do a review of some business practice, regardless of that
> > person's skills or past experiences. I remember when they smacked Sybase
> > around because they didn't have row-level locking when in reality, 90% of
> > DBMS users, at that point, had no need for that feature because they
> > weren't in a high-OLTP environment. It was stupid and this latest report
> > is right in line w/ the deteriorating level of their reports. It makes
> > very poor fiscal sense for a large corporation to drop critical web
> > servers and start a huge migration to a new platform of which they
> > probably have no knowledge. You want to see a real security mess? Get a
> > bunch of MS-focused companies to switch to Linux and watch the crackers
> > have fun. Then let's see what Gartner would have to say.
> >
> > A better argument would've been to recommend that companies start taking
> > security seriously and invest in training their existing staff as well
> > as supplementing those overburdened admins.
> >
> > Rey...
> >
> > ----- Original Message -----
> > From: "Benjamin Falloon" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 25, 2001 3:42 PM
> > Subject: Re: Check out what Gartner is recommending. Drop IIS!
> >
> >
> > > Maybe a little OT, but my 2c.
> > >
> > > I wouldn't call that stupid at all.
> > > Consider all of the attacks aimed squarely at IIS in the past few
> > > months. It's only going to increase. I've had personal experience with
> > > being hacked. I run 2 internal IIS development boxes for CF and an
> > > internal hack replaced *ALL* index.htm, default.htm files in all folders
> > > in the web serving directory. Lucky more files were cfm.
> > >
> > > I'm not a 'server' admin (by title) but I can thank MS for this. If
> > > they released a tighter web server with less vulnerabilities maybe
> > > there would be fewer viruses/hacks that could penetrate. People
> > > shouldn't need to have to patch every week.
> > >
> > > Doesn't that fact indicate that just *maybe* the software itself is
> > > pretty shaky?
> > >
> > > Consider this quote from the article,
> > >
> > > "Gartner remains concerned that viruses and worms will continue to
> > > attack IIS until Microsoft has released a completely rewritten,
> > > thoroughly and publicly tested, new release of IIS,"
> > >
> > > Rewritten. That would be a good idea. Try to imagine a pair of pants
> > > with as many 'security' patches as is and will continue to be required
> > > for IIS. I'd say the pants would be more patches than pants.
> > >
> > > Just a thought,
> > >
> > > Benjamin
> > >
> > > PS maybe apache would be a good alternative.
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Rey Bango" <[EMAIL PROTECTED]>
> > > To: "CF-Talk" <[EMAIL PROTECTED]>
> > > Sent: Wednesday, September 26, 2001 3:03 AM
> > > Subject: OT: Check out what Gartner is recommending. Drop IIS!
> > >
> > >
> > > > Now, I've always found Gartner to sway in a particular direction
> > > > based in the wind changes and the phases of the moon but this
> > > > recommendation is just plain stupid. Check it out:
> > > >
> > > > http://news.cnet.com/news/0-1003-200-7294516.html
> > > >
> > > > Rey Bango
> > > >
> > > >
> > > >
> > >
> >
>