In my opinion it applies even moreso to Windows.
If it was my call, I would never, ever use IIS. I would rather use Tomcat alone on port 80 if Windows was my environment.
Even IIS shouldn't be run with default permissions and access levels. Granted, changing this is not for anyone who isn't an advanced Microsoft admin, but that doesn't alter the fact that default configurations from MSFT, even the new Windows Server 2003, should always be immediately suspect until proven otherwise. I'm not trying to bash MSFT, just trying to describe what I consider a best practice.
Security best practice is "deny everything by default, then allow only what you absolutely need". Translated to server admin, that means "never run any service that can do anything it wants to do unless there is no other alternative".
The statement in the book has less "oomph" on Windows because Windows doesn't have the < 1024 port restriction as does UNIX and Linux. You can run a service that doesn't have SYSTEM level access on port 80 on Windows without any additional configuration. This is not true of UNIX or Linux.
Either way, running services as root or "SYSTEM" in my mind is a bad idea if there is an alternative. The worst exploit in the world is the one that nobody knows about except the guy who just found it. Better to take precautions as much as you can and do the triage up front rather than after. Avoiding configurations where services have admin access is just one way to do that, even if on the surface it seems unnecessary.
HTH
John
Nathan Ward wrote:
I have a question for John Turner about a statement in the book Apache Tomcat Security.
Page 12 says: "As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet."
Question: Does this apply when running under Windows? The reference to "as discussed earlier" talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows?
Nathan
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
