I have been following this thread for a while.  Here are what I consider a
couple of key points that go beyond "my OS is better than yours" type
arguments.

1.  Out-of-the-box security is irrelevant.  Why do I say that when most
users run software with out of the box settings a la IIS?  Because no matter
what OS, web server, mail server, etc. that you run (even BSDs), if you use
out of the box settings you are completely vulnerable.  Period.  You MUST
harden to have a secure OS/application/service.

2.  There is a heck of a lot more to hardening IIS than keeping up with
patches.  In fact, most of the recent worms and whatnot for IIS were not
effective on unpatched but hardened IIS boxes.  Things like ISAPI filters
should be disabled unless you absolutely need them.  That is one of the
basic tenets of security.  ALWAYS turn off services and features you don't
use or need.  Never use default settings, and that includes installation
paths.  Most automated worms are not intelligent enough to figure out if key
files are not in default directories (though a determined hacker might).

3.  Open source does have an advantage in hardening.  This was already
pointed out but it is worth repeating.  If you can read and edit source
code, then you are more likely to be able to create your own fix or someone
else will while you wait for the developer to release an "official" patch.
Otherwise, you are at the mercy of the vendor if it is closed source
software.  That does NOT mean open source is more secure, just that it can
be easier to harden if you know what you are doing.

4.  While IIS can be hardened to an acceptable level by knowledgeable
admins, the fact that IIS runs with System level access (which cannot be
changed) is an unfortunate problem that cannot be addressed by admins.
Privileges should be another key component of a secure system, and IIS
should not require this much access to serve up web pages.  And since we
already know that IIS comes with everything turned on by default, the risk
is greater that someone will miss something and leave a vulnerable feature
running.

Given 1 and 2 are popular misconceptions, IIS is not as insecure as some ppl
like to make it out to be.  But I think 3 and 4 should help ppl realize why
Apache can ultimately be made to be more secure.

Brownfox

