Try sans Also do a search in google for isn news or for IIS hacking or IIS security, I'm sure you will come up with something. Yahoo, C|Net, Wired, Register also have articles on IIS, I am convinced.
You can also go to www.microsoft.com/security <http://www.microsoft.com/security> and do a graph showing how many patches they released in the last three years for IIS 4 and IIS 5, and what it takes to secure an NT server (there is a security checklist for NT servers, the same thing probably exists for Windows2000 servers). Once you secure your web server, what happens when service packs have to be applied, admin time to keep everything up-to-date, etc. That is the clincher, the time it takes to administer NT in a secure environment, they must take that into account when they do cost analyses. Extract from this morning's SANS newsletter: 19 & 20 November 2001 Microsoft Apologizes, Admits it Knew of Vulnerability * 19 & 20 November 2001 Microsoft Apologizes, Admits it Knew of Vulnerability Microsoft apologized for "inaccurate" statements regarding an Internet Explorer (IE) vulnerability disclosed by Online Solutions. Initially, Microsoft blasted Online Solutions for making the vulnerability public on November 8, but then admitted that the security company had notified them of the problem a week before. http://news.cnet.com/news/0-1003-200-7920273.html?tag=prntfr <http://news.cnet.com/news/0-1003-200-7920273.html?tag=prntfr> http://www.theregister.co.uk/content/55/22935.html <http://www.theregister.co.uk/content/55/22935.html> I used to subscribe to ISN News e-zine, I liked it a lot - after parsing through the e-mails from that listserv you will be convinced it's not a fun world out there. Maybe after Sept 11th and additonal powers for CIA, FBI, NSA and other agencies, hacking will go way down. (?). You might want to search the ISN News archives, there must be stuff in there. Regards, Patrice Boivin Systems Analyst (Oracle Certified DBA) -----Original Message----- From: Sunny Verghese [SMTP:[EMAIL PROTECTED]] Sent: Thursday, November 29, 2001 12:04 AM To: Multiple recipients of list ORACLE-L Subject: RE: 9ias Vs IIS Thanks for you inputs. I'd like some concrete data on Security issues with IIS. Do you know of any sites for this ??? You know how it is, I can't just go to management and tell them that it's not very secure, I need to prove it with data (To make this all the more interesting I'm contracting with a state agency right now... you can imagine the managers there....... No offense to any State "managers" in this group :-) !!!) >From: [EMAIL PROTECTED] >Reply-To: [EMAIL PROTECTED] >To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]> >Subject: RE: 9ias Vs IIS >Date: Wed, 28 Nov 2001 15:00:26 -0800 > >I'm not a web expert either ... we're just starting to look at web-enabling >our forms. > >But one big potential drawback to using IIS would be security issues. It's >the most-targeted and most-hacked server out there. Someone will need to >be >applying patches constantly and hoping for the best. > >Ask the new guys when was the last time they had to deal with a >security/hacker problem with your current 9iAS/Apache setup. :-) Not that >it can't be hacked ... but the hackers tend to focus on the easiest target. > > > -----Original Message----- > > From: Sunny Verghese [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, November 28, 2001 2:14 PM > > To: Multiple recipients of list ORACLE-L > > Subject: 9ias Vs IIS > > > > > > Briefly, our current setup includes Web enabled forms (PL/SQL > > Cartridges) > > accessing an 8i database via 9ias (currently OAS 4.2 but will > > be moving to > > 9ias in a month). Btw, we also use ORACLE APPS (11i) using > > the same Web > > Server (apps and ias handled by another dba... thankfully :-) ......) > > > > For a new system (requirement : ability for customers to > > upload files (xml, > > fixed format text file or spreadsheet, or enter data via a > > form. Need only > > specific people to be able to upload these files. Files need to be > > transmitted and saved securely...... Digital signature ?. > > These files could > > be required later (Law suit)) that we are looking at, a > > couple of new guys > > (who believe that the Sun rises and sets because of Microsoft > > !!!!) are > > proposing using IIS --> ASP --> OEMDB --> ORACLE database > > (existint DB). > > They also have a problem with IIS --> JSP --> JDBC --> ORACLE > > DB (they claim > > JSP would be an overhead on IIS and would slow it down) > > > > I don't know the web stuff well enough (Obviously :-) !!!) to > > see the holes > > (if any) in this approach. Their complaint is that 9ias is > > slow (or in their > > words, ORACLE should stay with databases and not get into the > > Web server > > world !!!) > > > > Opinions / Info that would help ????? > > > > Thanks, > > Sunny > > > > _________________________________________________________________ > > Get your FREE download of MSN Explorer at >http://explorer.msn.com/intl.asp > >-- >Please see the official ORACLE-L FAQ: http://www.orafaq.com >-- >Author: Sunny Verghese > INET: [EMAIL PROTECTED] > >Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 >San Diego, California -- Public Internet access / Mailing Lists >-------------------------------------------------------------------- >To REMOVE yourself from this mailing list, send an E-Mail message >to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in >the message BODY, include a line containing: UNSUB ORACLE-L >(or the name of mailing list you want to be removed from). You may >also send the HELP command for other information (like subscribing). >-- >Please see the official ORACLE-L FAQ: http://www.orafaq.com >-- >Author: > INET: [EMAIL PROTECTED] > >Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 >San Diego, California -- Public Internet access / Mailing Lists >-------------------------------------------------------------------- >To REMOVE yourself from this mailing list, send an E-Mail message >to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in >the message BODY, include a line containing: UNSUB ORACLE-L >(or the name of mailing list you want to be removed from). You may >also send the HELP command for other information (like subscribing). _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Sunny Verghese INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Boivin, Patrice J INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).