
IIS, time to say goodbye?

by phiber on May 22nd, 2001 It's been a difficult year for IIS (Internet Information Server), Microsoft's flagship Web server. The most important question that needs to be asked regarding IIS is, "Why are so many large corporations still using this highly insecure, flawed product?"





May 21, 2001 - It's been a difficult year for IIS (Internet Information Server), Microsoft's flagship Web server. Just this month, Microsoft has had to issue two serious security bulletins for this product:



MS01-023 : Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server



MS01-026 : Superfluous Decoding Operation Could Allow Command Execution via IIS



Each of these bulletins describes a flaw that can allow an unauthorized remote user to run code of their choosing on the Web server: MS01-023 through an unchecked buffer in the Internet Printing (.printer) ISAPI extension, which on IIS 5.0 runs in the System context and so gives complete control of the machine, and MS01-026 through a second, superfluous URL-decoding pass that lets a specially encoded request run commands in the security context of the Web server's anonymous user account.
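The decoding flaw behind MS01-026, shown here as an added example (this is not code from the article or from IIS itself): a toy request-to-path mapper that percent-decodes a request path, checks that it stays inside the directory it serves, and then decodes it a second time before mapping it to disk, beside a version that decodes exactly once and authorizes the path it will actually open. The web root, the served /scripts directory, the file names and the request strings are all constructed for the demonstration.

```python
"""Superfluous (double) URL decoding, the pattern behind MS01-026.

Added example, not code from the article or from IIS. The web root, the
served directory, the file names and the request paths are constructed.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"        # constructed web root
SERVED = WEB_ROOT + "/scripts"       # the only directory this toy server serves
URL_PREFIX = "/scripts"              # its counterpart in URL space


def _normalize(path):
    """Treat a backslash like a slash (as Windows does) and collapse '.' and '..'."""
    return posixpath.normpath(path.replace("\\", "/"))


def _under(path, directory):
    """True if path is directory itself or lies beneath it."""
    return path == directory or path.startswith(directory + "/")


def vulnerable_map(url_path):
    """Decode, check, then decode AGAIN before mapping to disk.

    Returns the filesystem path that would be opened, or None if rejected.
    """
    once = unquote(url_path)
    # The authorization check runs on the once-decoded path ...
    if not _under(_normalize(once), URL_PREFIX):
        return None
    # ... but a second decode happens before the path reaches the filesystem,
    # so "%255c" (which became "%5c" above) turns into a real backslash only
    # after the check has already passed.
    twice = unquote(once)
    return _normalize(WEB_ROOT + "/" + twice.lstrip("/"))


def hardened_map(url_path):
    """Decode exactly once and authorize the path that will actually be opened."""
    once = unquote(url_path)
    if "%" in once:
        return None  # a second encoding layer is never legitimate; reject it
    full = _normalize(WEB_ROOT + "/" + once.lstrip("/"))
    if not _under(full, SERVED):
        return None
    return full


def escapes_root(fs_path):
    """True if a mapped path lies outside the web root."""
    return fs_path is not None and not _under(fs_path, WEB_ROOT)


# Constructed requests: a normal one, a single-encoded traversal (which the
# once-decoded check does catch), and the double-encoded traversal that
# slips past it.
REQUESTS = [
    "/scripts/hello.asp",
    "/scripts/..%5c..%5csecret.txt",
    "/scripts/..%255c..%255csecret.txt",
]


def compare():
    """Map every request with both mappers; returns {request: (vulnerable, hardened)}."""
    return {r: (vulnerable_map(r), hardened_map(r)) for r in REQUESTS}


if __name__ == "__main__":
    for req, (v, h) in compare().items():
        flag = "  (ESCAPES WEB ROOT)" if escapes_root(v) else ""
        print(f"{req}\n  vulnerable -> {v}{flag}\n  hardened   -> {h}")
```

The single-encoded request shows why the vulnerable check looked adequate: `..%5c` becomes `..\` on the first decode and is caught. Only the doubly encoded `..%255c` survives the check and becomes a traversal after it. The general lesson is that any authorization decision must be made on the final, fully canonical path, and that input still containing an encoding layer after one decode should be refused rather than decoded again.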



Earlier this year, other bulletins were issued for other serious problems with IIS:



MS01-014 : Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000



MS01-016 : Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources



Last year, Microsoft issued 100 security bulletins (covering all of its products, not just IIS), and as of 17 May 2001, it has issued 27 this year. Many of these vulnerabilities are quite serious. If exploited they could cause overload conditions, crashes, denials of service, inflict significant damage to the system (e.g., Web site defacement), or allow an unauthorized attacker to gain administrative control of the system.



The most important question that needs to be asked regarding IIS is, "Why are so many large corporations still using this highly insecure, flawed product?" Possible explanations are:



It came with the operating system.

We're a Microsoft shop, so we use Microsoft products.

We're not familiar with other options.

Our consultants told us to use IIS.



Each of these explanations, which really should be seen as excuses, can be easily and powerfully refuted. The fact that a piece of software happens to be bundled with the operating system is hardly a good reason to use it. In fact, any fair and objective analysis of the Web servers available today that takes into account security, robustness and overall reliability turns up several viable alternatives to IIS. A sample of available alternatives may be found at:
http://webcompare.internet.com/cgi-bin/quickcompare.pl.



It's clear that many large companies use a lot of Microsoft software. Most of it is installed on the desktops and laptops of employees. This is a fairly safe decision: most office automation software runs on Windows operating systems; many technical support people are familiar with Windows; there are several anti-virus products that can protect these systems from infections; they are relatively low cost and easy to replace; and most new staff members will need little training because they are already familiar with Microsoft products.



Yet, none of this is a good reason to use IIS as an Internet accessible Web server. Using IIS represents an implicit decision to accept a much higher level of security risk than would be required if an alternative (more secure) Web server were chosen instead. This higher level of risk means a much greater chance that the Web server will in fact be broken into, defaced, made unavailable, and/or used as a launch point for further attacks on the company network.



Not being familiar with other options is, truth be told, a feeble excuse. Given the widespread availability of information about Web servers and related technologies, for an IT manager to claim ignorance of any better alternatives than IIS is simply unacceptable. Here are a few more secure products that can be used as IIS replacements:



Apache

Sun Cobalt Server Appliance

iPlanet (Netscape) Enterprise Web Server

Zeus

Oracle Web Server and Application Environment

IBM WebSphere



Lastly, if any company is running IIS because a consulting firm recommended it, it's time to switch consulting firms. Either the recommending firm is so blinded by Microsoft propaganda that they cannot begin to be objective, or they are simply unwilling to perform an objective analysis of available alternatives.



The bottom line is this: Continuing to use Microsoft's IIS as a corporate Internet-accessible Web server represents a significant security risk. This risk is much higher than the risk associated with other commercial-quality Web servers available today. Companies that sell "hacking insurance" should be offering lower rates to companies that avoid using IIS.



Companies that continue using IIS need to begin exploring safer and more reliable alternatives. It's not necessary to change any desktop systems. But to fail to act now sends a powerful message to the hacking community; this message, bluntly put, is, "Hack me. I use IIS." If your company still uses IIS, it's time to "Just Say No!" and begin exploring safer, more reliable alternatives. The Web server you save may be your own.


By Ric Steinberger for SecurityPortal.

