> I'm just curious (since this thread is still active), is a product like Apache or other non-IIS products *proven* to be more secure, assuming you disable the IIS features you don't need and apply the appropriate patches? That's not a rhetorical question, I'm really asking for people's opinions.

I'm not aware of any code audits performed on both the Apache and IIS source code, and I think that's the only way to prove that one is more secure than the other. However, the core functionality of the web server itself is well-tested with both Apache and IIS - if someone found a security flaw with that core functionality, that would be a big issue, but I don't think that's ever happened.

> See, I've been of the school of thought lately that, while IIS does have its security flaws, I think that they get magnified 1000% because it's a Microsoft product, and hackers and the press will do anything they can to rip Microsoft.

There's certainly some weighting in favor of finding problems with MS products. I don't think it's just about "ripping" MS, either. Just like Willie Sutton said when asked why he robbed banks, "that's where the money is". (Actually, that's an apocryphal quote, I think, but who cares.) If you find an IIS vulnerability, you'll have a vast audience of potential "users". In addition, you might assume that most don't know how to configure their web servers anyway - and you'd probably be right.

> But anyway, we use Apache here at my job. While I have no complaints about it, I would argue that it's "more secure" (inherently, not after re-programming modules and such) because you have to be a true programmer to really get into the meat of the product and mess around. You can't just go into a GUI interface and click a few buttons to disable it.

The thing that makes a default Apache install more secure than a default IIS install is that Apache doesn't actually do anything other than serve web pages. If you want it to do something else, you have to set that up yourself. There's a very good argument to be made that this is how server products should work - a "deny, then allow" approach to providing functionality. IIS, of course, currently follows the opposite approach - it has features that you have to turn off.
Fortunately, it's easy and quick to disable those features, so there's really no excuse for not doing it.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
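As an added illustration of the "deny, then allow" approach the reply describes (this is example configuration written for this page, not anything posted in the thread), here is a minimal Apache 2.4 httpd.conf that loads only the modules needed to serve static files and denies access to the whole filesystem before granting it to a single document tree. The install path, content path and service account are assumed values.

```apache
# Added example, not from the thread: apply "deny, then allow" to both the
# server's feature set (modules) and its filesystem access.
# Assumed install path and service account.
ServerRoot "/usr/local/apache2"
Listen 80
# Don't advertise module and version detail in the Server header.
ServerTokens Prod

# Load only what static file serving needs; every other module stays off.
LoadModule mpm_event_module  modules/mod_mpm_event.so
LoadModule unixd_module      modules/mod_unixd.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule dir_module        modules/mod_dir.so
LoadModule mime_module       modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so

# Run as an unprivileged account (assumed name).
User  www-data
Group www-data

# Deny first: nothing on the filesystem is reachable, no .htaccess overrides,
# no options (no directory listings, server-side includes, CGI or symlinks).
<Directory />
    AllowOverride None
    Options None
    Require all denied
</Directory>

# Then allow: the one tree this server exists to publish (assumed path).
DocumentRoot "/var/www/site"
<Directory "/var/www/site">
    AllowOverride None
    Options None
    Require all granted
</Directory>

DirectoryIndex index.html
TypesConfig conf/mime.types
ErrorLog  logs/error_log
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common
```

Anything beyond static pages (CGI, directory indexes, proxying) has to be added deliberately by loading its module and widening the grant for a specific directory, which is exactly the opposite of a server that ships with those features on.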

