Dave,

I'd say you're on the money here.  The DAY after the CEO of Oracle touted 9i
as "unbreakable", Oracle was bombarded with hacking attempts (some of which
were successful, leaving egg on Oracle's face).  MS gets that kind of attack
every day - and unlike Oracle, MS products run on the desktop of every
wannabe hacker HS student in the world.

As far as Apache goes, if you use the default installation, unlike IIS, it's a
very "minimal" install - it is NOT configured with all the features you
might want - and there's no GUI that helps you figure out what it might be
able to do either (which is one of its glaring weaknesses).  MS has always
taken the permissive approach - "we'll give you everything and it's up to you
to lock it down".  The reason for this is that MS's gravy comes from the
desktop world - where regular home users want everything available on the
local desktop.  But in the server world, the opposite approach is more
appropriate - "give me the minimum to accomplish my task and I'll install
anything else that's necessary".

When novice PC technicians build their first W2K server, they install audio
drivers, complex video drivers, bells and whistles, Netscape, utilities,
print drivers, QoS services ... even the Accessories/Games features.  All
of it is superfluous - and taking up overhead on the server.  The first thing
you learn regarding server installation is: only install what you need -
disable all the services you don't use.  Disable all protocols you don't
use ... install the minimum.  I even go into the BIOS and disable the
parallel port, serial port, IDE controller (if I'm using SCSI), etc.
Anything I don't need is stripped away.  Then document the BIOS settings,
services settings and feature install - so you can check it when you install
the latest service pack or version of software.


Mark
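The "document it, then check it after the service pack" step above is easy to state and easy to skip, so here is an added example of doing it mechanically. This is not code from the thread; it assumes PowerShell 5.1 or later on Windows Server 2012 or newer (Get-NetTCPConnection does not exist on older systems such as W2K), an elevated prompt, and a baseline file path that is my own choice. It snapshots every installed service with its start mode and every listening TCP port, and later diffs a fresh snapshot against that saved baseline so a service pack that quietly re-enables a service or opens a port shows up as drift.

```powershell
# Added example, not from the thread. Assumes PowerShell 5.1+ on Windows Server
# 2012 or later (Get-NetTCPConnection is absent on older systems) and an
# elevated prompt. The baseline file name below is an assumption.
param(
    [ValidateSet('Save', 'Check')]
    [string]$Mode = 'Check',
    [string]$BaselinePath = "$env:ProgramData\server-baseline.xml"
)

function Get-ServerBaseline {
    # Services: what is installed and how it starts. On a stripped-down server
    # the list of Auto-start services should be short and fully documented.
    $services = Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, StartMode, State

    # Listeners: every bound TCP port is a protocol you are exposing, whether
    # you remember choosing to or not.
    $listeners = Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort

    [pscustomobject]@{
        Taken     = Get-Date
        Services  = @($services)
        Listeners = @($listeners)
    }
}

function Compare-ServerBaseline {
    param([psobject]$Reference, [psobject]$Difference)
    # SideIndicator '=>' means present now but not in the baseline (something a
    # service pack installed or re-enabled); '<=' means it disappeared.
    $svc = Compare-Object -ReferenceObject $Reference.Services `
                          -DifferenceObject $Difference.Services `
                          -Property Name, StartMode, State
    $net = Compare-Object -ReferenceObject $Reference.Listeners `
                          -DifferenceObject $Difference.Listeners `
                          -Property LocalAddress, LocalPort
    [pscustomobject]@{ Services = @($svc); Listeners = @($net) }
}

switch ($Mode) {
    'Save' {
        # Take the baseline immediately after the build is locked down, before
        # anything else is installed.
        Get-ServerBaseline | Export-Clixml -Path $BaselinePath
        Write-Output "Baseline written to $BaselinePath"
    }
    'Check' {
        $baseline = Import-Clixml -Path $BaselinePath
        $drift = Compare-ServerBaseline -Reference $baseline -Difference (Get-ServerBaseline)
        if ($drift.Services.Count -eq 0 -and $drift.Listeners.Count -eq 0) {
            Write-Output "No drift since baseline taken $($baseline.Taken)"
        } else {
            Write-Output "Service drift:";  $drift.Services  | Format-Table -AutoSize
            Write-Output "Listener drift:"; $drift.Listeners | Format-Table -AutoSize
            exit 1
        }
    }
}
```

Run it once with `-Mode Save` right after the build, and with `-Mode Check` after every service pack or upgrade; a non-zero exit code makes it usable from a scheduled task. The listener comparison deliberately ignores the owning process ID, which changes on every reboot, so only a genuinely new or missing address/port pair is reported. The BIOS settings Mark mentions are outside what the OS can see, so they still need the written record.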

-----Original Message-----
From: Dave Carabetta [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 06, 2002 8:48 AM
To: CF-Talk
Subject: RE: CF MX works on WebSite Pro (was: RE: Ridiculous Problem!)


> > We're not a hosting house, and from my perspective, free beats cheap. The
> > thing is, WebSite doesn't really offer any features that IIS doesn't, and I
> > don't think it's any better than IIS, really. IIS has to be set up
> > correctly, but that's pretty trivial to do. In that sense, I'm a satisfied
> > IIS user.
> >
> > Dave Watts, CTO, Fig Leaf Software
>
> Even if it means having to apply a patch every other day?  Just curious.
> Ever since IIS started getting hacked left and right, I started leaning
> towards Apache.  Not starting a fight here, just having a discussion.

I'm just curious (since this thread is still active), is a product like
Apache or other non-IIS products *proven* to be more secure, assuming you
disable the IIS features you don't need and apply the appropriate patches?
That's not a rhetorical question, I'm really asking for people's opinions.

See, I've been of the school of thought lately that, while IIS does have its
security flaws, I think that they get magnified 1000% because it's a
Microsoft product, and hackers and the press will do anything they can to
rip Microsoft. For example, Oracle touted Oracle9i as being "unbreakable."
However, if you go and look at the security patches they've released for it
(a veritable library, not just one or two little things), it clearly was
"breakable!" However, because Oracle isn't as disliked by hackers or the
press as Microsoft is, you don't read about it on the front page of
technical web sites. As far as Apache and even Linux go, are they truly more
secure? It seems to me that those willing to try are more focused on hacking
MS products, and therefore Apache and Linux aren't as heavily scrutinized.
Again, I'm not claiming that as fact, it's just my impression.

I will concede that MS has had some pretty glaring security holes in the
past with not just IIS, but other products as well. As a side note for those
who haven't read or heard about it, criticism has gotten so bad that MS
has shifted raises and bonuses from being release-based (i.e., did your team
release a product this year) to security-based (i.e., the fewer security
flaws found, the higher your raise/bonus). To me, that's a step in the right
direction.

But anyway, we use Apache here at my job. While I have no complaints about
it, I would argue that it's "more secure" (inherently, not after
re-programming modules and such) because you have to be a true programmer to
really get into the meat of the product and mess around. You can't just go
into a GUI interface and click a few buttons to disable it.

Thoughts?

Regards,
Dave.



FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists