Microsoft Attempts to Secure IIS

michael posted more than 12 years ago | from the taking-their-own-sweet-time dept.

billmaly writes: "Yahoo has this article about trying to make IIS more secure. Among steps is to have it install in its most secure state, putting the onus on sysadmins to remove it from that state. It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."

392 comments

Secure IIS is possible (-1, Troll)

crumbz (41803) | more than 12 years ago | (#2385403)

just uninstall it.
Perfect security.

my 2 cents.

this frist prost (-1)

beee (98582) | more than 12 years ago | (#2385415)

this f.irst p.ost is brought to you by ZXYLITION!

sorry dork, you only made 2nd post (-1, Flamebait)

Squeezer (132342) | more than 12 years ago | (#2385633)

faggot.

keyword (-1, Flamebait)

jeffy124 (453342) | more than 12 years ago | (#2385417)

I think the keyword here is 'Attempt'

Re:keyword (0, Redundant)

kilgore_47 (262118) | more than 12 years ago | (#2385529)

I think the keyword here is 'Attempt'

I think the keyword is Astroturf.

From billmaly's story submission:
It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."

How does this stuff make it to slashdot's front page? C'mon, this is just blatant astroturfing!

Re:keyword (1)

NathanL (248026) | more than 12 years ago | (#2385589)

I second the astroturf statement. If it was Apache "trying to do the right thing from a security standpoint," that "at least on paper" jab wouldn't have been added at the end.

Re:keyword (-1, Redundant)

Anonymous Coward | more than 12 years ago | (#2385640)

The jab is clearly just an attempt by the astroturfer to sound cool to the anti-ms crowd and draw attention away from the fact that they are letting pro-ms propaganda slip onto the frontpage of slashdot.

This is war. A war on evil!

Power of Gartner (4, Informative)

augustz (18082) | more than 12 years ago | (#2385421)

Sounds like a good thing to me.

Their marketing material pointing out holes in Apache mostly focused on Tomcat (the Java app server), PHP, etc. But these don't come installed by default, whereas with IIS you install just about everything by default.

Also, the power of nasty insurance premiums (0, Redundant)

devphil (51341) | more than 12 years ago | (#2385606)

I can't get to the article right now, but I'd be surprised if MS isn't trying to recover its stance from insurance companies starting to charge a higher premium and rate for "hacker coverage" if you run IIS.

Re:Power of Gartner (0, Flamebait)

NathanL (248026) | more than 12 years ago | (#2385620)

whereas with IIS, you install just about everything by default.

Oh, really? Are you sure about that? Or are you just saying that because you install Apache more often than IIS? Are you aware that there is an option to pick the stuff you want to install rather than letting it install everything?

No IIS servers I installed got hit by Code Red because - gasp - the default install was not done. If the exploitable software isn't installed, guess what happens? Your server doesn't get compromised! What a revelation.

Sendmail (0, Flamebait)

Cave Dweller (470644) | more than 12 years ago | (#2385423)

Isn't this kinda like the efforts to make Sendmail more secure?

Hmm... (4, Funny)

Wakko Warner (324) | more than 12 years ago | (#2385425)

Apparently every copy of Windows XP/2000 is now shipping with a pair of scissors, to be used to "secure" the ethernet connection of IIS servers.

- A.P.

Dumbentia.com beat you to it... (1)

PhilMills (209855) | more than 12 years ago | (#2385535)

The amazing Chris Condon at dumbentia.com already thought of that joke:

http://www.dumbentia.com/pdflib/scissors.pdf

"Running with Scissors" takes on a whole new meaning ;)

-phil

Warning! May cause severe regret! (2, Funny)

Nindalf (526257) | more than 12 years ago | (#2385537)

This just reminded me of a particular Daily Victim [gamespy.com].

"In a fit of rage I went over the deep end and cut our apartment's DSL connection!"

actually Microsoft offers a choice (3, Funny)

Anonymous Coward | more than 12 years ago | (#2385554)

If you don't feel like hurting good quality cables, alternatively you can use the scissors to cut out every instance of the word "secure" from the IIS documentation, and run the software.

LOL! (0, Offtopic)

Mustang Matt (133426) | more than 12 years ago | (#2385558)

I would have modded this funny. Sorry don't have any mod points right now.

Re:LOL! (0)

Anonymous Coward | more than 12 years ago | (#2385658)

Don't worry, five other idiots were there to cover for you.

I hope they succeed (5, Funny)

drodver (410899) | more than 12 years ago | (#2385426)

because 78,417 Nimda hits are more than enough for me!

Heh, relying on IIS admins? (1, Flamebait)

Jayde Stargunner (207280) | more than 12 years ago | (#2385428)

These are the guys who have still been unable to figure out that the Buffer Overflow, etc. patches are available to them on Windows Update--or that almost all the new exploits would be fixed by getting Service Pack 2.

If they can't figure out how to use Windows Update, or have the sensibility to get the latest service pack within 4 months of its release...I doubt they know how to configure the system from scratch. *L*

Maybe this will require MS sysadmins to learn something about the OS for once. ;-P

-Jayde

Re:Heh, relying on IIS admins? (0)

Anonymous Coward | more than 12 years ago | (#2385516)

No, they are not available on Windows Update.

You get shit like new themes and Internet Explorer patches on Windows Update.

To update the SERVER components you have to go to the technet area and download them. This is why they have a security bulletin notification.

http://www.microsoft.com/technet/ [microsoft.com]

Re:Heh, relying on IIS admins? (1)

Anonymous Coward | more than 12 years ago | (#2385530)

Haven't been reading the news, have you?

The majority of cracked IIS servers were on default Win2K Server installations used by individuals, not commercial websites.

Re:Heh, relying on IIS admins? (1)

MadCow42 (243108) | more than 12 years ago | (#2385552)

I wish they'd do something like a shareware program I saw recently did (the Linux "tarpit" software mentioned here last week or so):

require that a specific thing be done to make the software run at all, and hide the details deep in the manual somewhere, so you actually have to read it to get it to work.

That would be justice. q:]

MadCow.

Re:Heh, relying on IIS admins? (1)

mike_the_kid (58164) | more than 12 years ago | (#2385574)

Actually, you would think that the security patches are covered by Windows Update, but the patch that closed up the "Hacked by Chinese" worm was not (at the time when the first infection took off). The update had been available separately since May, but was not mentioned or noted in Windows Update. Again, Microsoft's fault, because the perception is that Windows Update will keep someone up to date, but you really have to subscribe to MS's security bulletin.

Re:Heh, relying on IIS admins? (5, Informative)

McSpew (316871) | more than 12 years ago | (#2385581)

These are the guys who have still been unable to figure out that the Buffer Overflow, etc. patches are available to them on Windows Update--or that almost all the new exploits would be fixed by getting Service Pack 2.

Um, I think you've completely missed the point. First off, not all patches are available from WindowsUpdate. In fact, precious few are. Most of the updates from WindowsUpdate apply to IE, not IIS. Second, there are a large number of exploits that have appeared since SP2 shipped. I have personally installed nearly two dozen Post-SP2 hotfixes to one server. I average between 8 and 10 post-SP2 hotfixes per server.

Mind you, actually keeping up-to-date on hotfixes actually became possible with the release of HFNETCHK [microsoft.com]. Before then, it was virtually impossible for any normal sysadmin to keep up with all of Microsoft's patches and apply only the ones they were supposed to. Also, before the release of QCHAIN [microsoft.com], it was a horrible and time-consuming process to apply hotfixes to a server, even when you knew which ones to apply, because each hotfix wanted its own reboot to complete and you couldn't just apply them all and then reboot once.

I actually use WindowsUpdate [microsoft.com], HFNETCHK and MPSA [microsoft.com] to check and make sure I catch all possible vulnerabilities. I've found that it's not uncommon for each one to catch something the others did not.

Even with the three tools I listed above, properly securing IIS (or any MS server) is still a royal pain. The damn things come preconfigured with their flies completely unzipped. MS's IIS Lockdown Tool [microsoft.com] won't even run if you've already taken some steps on your own to manually lock down IIS, and even if it does run, it doesn't turn off the "../" parent directory functionality that's enabled by default. You still have to go into IIS Admin and turn that damn thing off manually.

Let's not pick on IIS admins unfairly. Many of them prefer Linux and use it at home, but have to use IIS at work because that's been mandated. Debian makes it easy to stay patched and does a half decent job of implementing default security, but MS leaves everything wide open by default, makes it damn difficult to lock any system down effectively, installs unnecessary services by default (and won't even let you uninstall some of them) and has a half-assed mechanism for rolling hotfixes and patches out to customers.

Microsoft needs something like Symantec's LiveUpdate, which allows sysadmins to roll out tested updates to internal users on their own schedules, without physically touching every system on their networks. Yes, there are IIS admins out there who are jackasses, but there are plenty of overworked sysadmins out there who'd love to properly secure IIS, if only it weren't damn near impossible.

What about Linux (0, Redundant)

Anonymous Coward | more than 12 years ago | (#2385432)

And when will the Linux distributions ship with all the services off?

Why would they? (0)

Anonymous Coward | more than 12 years ago | (#2385561)

They're doing so well in the security hole [slashdot.org] polls. At least they got #1 in something!

Re:What about Linux (1)

giantsquidmarks (179758) | more than 12 years ago | (#2385663)

Hear, hear... I've dumped Linux for OpenBSD. I don't have to spend an hour "hardening" after a fresh install. If I want a service, I turn it on. Novel idea, huh...

A problem of "least privilege" (5, Insightful)

sting3r (519844) | more than 12 years ago | (#2385436)

The root of IIS's troubles is not exploitability of particular services. It is the fact that much of the IIS server code runs as SYSTEM, which is the same as "root" under UNIX - an all-powerful user. Years ago, the developers of NCSA httpd and Apache learned to make their products usable by non-root users. Currently, Apache only needs root privileges to bind to port 80 - then it completely relinquishes them. That is the way it should be and that would make 0wning an IIS box many times more difficult - because using an "ordinary user" account to get SYSTEM access on NT is a lot more difficult than on UNIX because NT doesn't have setuid bits.

Admittedly, IIS does run certain scripts and perform certain functions as a "nobody" user. But most of the recent exploits were able to get an immediate "root shell" because the services being exploited did run as SYSTEM. And unless Microsoft is willing to address that problem, admins who need to enable many services and don't keep up on patches will still get rooted on a regular basis.

-sting3r

How far along this line can we go? (2, Interesting)

Nindalf (526257) | more than 12 years ago | (#2385594)

You might be interested in EROS - the Extremely Reliable Operating System [eros-os.org], which takes permissions resolution to its logical extreme: the capability system. If something only needs access to one directory and one port, that's all you give it.

Very interesting project.

Microsoft's new strategy (4, Funny)

Anonymous Coward | more than 12 years ago | (#2385438)

Download source code for Apache. Tweak the headers to say "IIS" instead of "Apache". Brag about their speedy team of coders.

a little late (0)

Anonymous Coward | more than 12 years ago | (#2385439)

after years of disruption and billions of dollars in damage... ms should be shut down...irresponsible.

10th post blues (-1)

The_Messenger (110966) | more than 12 years ago | (#2385440)

P s e u d o f i r s t p o s t !
Feel the sensation!

The newest phemonemon on World Wide Web, PFP are sensation that is make mouth tingle! We are not to let lamers (ha! haha) like teh CmdrTaco take away the firsts posts. To first post! Is our right! And no one takes away out right!

SO teh first post in every story is to be awardde Award of Pseudofirst Posting, even though the post has not number "1".

So band together, friends! For the is sweeping the Internet! PFP, the new sensation!

-- The_Messenger [mailto]

IIS Secure? (5, Troll)

zarathustra93 (164244) | more than 12 years ago | (#2385441)

Open the source. Put it up for peer review. Fix the holes. I'm not saying that they should hand out the source for their whole OS, but when they have had as many debacles with one piece of software it might actually help them out quite a bit.

I refuse to install products that require IIS as well. A software provider of ours makes an ultra nice business mining product that can be nicely web enabled. I told them that I would purchase it as soon as they supported a web server that didn't have a new security flaw or bug discovered every week.

Yes, open the source MS! (0)

Anonymous Coward | more than 12 years ago | (#2385601)

Maybe then you'll have a chance at improving your highest unique (#4) ranking in security holes [sans.org]. Linux/*nix cleaned up, #1 and at least sharing 8 of the top 10!!!! If Microsoft opens their source, they could certainly hope to aspire to such greatness.

Sounds good... (2, Interesting)

RadioheadKid (461411) | more than 12 years ago | (#2385442)

Well, from the looks of it, it sounds like they're doing all the right things. Just too bad for most of us who've been seeing "GET /default.ida?XXXX..." and "GET /scripts/root.exe?/c+dir HTTP/1.0" 404" in our Apache logs; it can't come soon enough...

KidA

Two step process? (2, Redundant)

jlockard (140979) | more than 12 years ago | (#2385444)

So, like what are they going to do?

Step 1: Install IIS
Step 2: Uninstall IIS

Secure indeed! (0)

Anonymous Coward | more than 12 years ago | (#2385448)

You can be secure in the fact that IIS will be crushed by the next Code-Redish virus.

Summary (2, Informative)

wiZd0m (192990) | more than 12 years ago | (#2385449)

They will fix the problem in the next upgrade.

Uh oh! (2, Interesting)

nilstar (412094) | more than 12 years ago | (#2385451)

This will mean that IIS Sysadmins will actually have to think...! Now I know there are a lot of intelligent Sysadmins out there running IIS, but if you've come across the people I have in the industry, you'll know that there a lot of people who aren't very tech savvy running servers.

How about with this, an increase in the Microsoft Certification program?

Secure IIS - NOT! (3, Interesting)

fjaffe (469551) | more than 12 years ago | (#2385452)

It's nice that they will ATTEMPT to make it install more securely by default. What are they going to do to help secure all the existing installations from the current (and future) gaping holes?

About damn time! (0, Redundant)

Kencordia (191269) | more than 12 years ago | (#2385455)

Thank god. Now all they have to do is provide a WindowsUpdate-esque way of keeping IIS secure. Since we know these holes can be exploited via the web, then Microsoft should be able to detect them and patch them, right?

You'd think so.

It's about time (-1)

Guns n' Roses Troll (207208) | more than 12 years ago | (#2385456)

[insert stupid MS comment here]

Thank you. Now back to your regularly scheduled linux wankfest.

Secret security mechanism (1)

Lozzer (141543) | more than 12 years ago | (#2385458)

The knowledge base [microsoft.com] is tightening up.
Random rubbish for lameness filter.

don't install it (1)

martin (1336) | more than 12 years ago | (#2385462)

then it's secure - yeah I know, troll, but 10p says there will be many such comments.

Technology ain't the problem, it's the people... ooo it's Windows, pointy clicky, don't need an experienced sysadmin to look after it.

:-)

this is a good first step, but.. (4, Interesting)

Masem (1171) | more than 12 years ago | (#2385465)

As pointed out in this CNET article [cnet.com], while forcing the maximum secure version and forcing users to install all patches is a good step in the right direction, the fact that IIS has been patched so many times implies that to really improve the security of it, it needs to be rewritten from scratch, particularly since it is a closed source application and thus does not have the same QA that open source software might have.

A paper on handling IIS in a secure manner: (4, Funny)

Nindalf (526257) | more than 12 years ago | (#2385471)

The paper is here. [auckland.ac.nz]

It's more involved than you might think. If you are a sysadmin, this might be important for your job security.

That's all great and everything, but... (0)

Anonymous Coward | more than 12 years ago | (#2385473)

...The real problem with Microsoft is their extremely poor testing. They try to implement a billion features at once, and in so doing, half of them don't work right, or have serious security flaws.

Hey Microsoft, how about testing your crap before shoving it down the people's throats? Too radical for you? That's fine, it doesn't matter at this point for my organization, we've begun upgrading our NT servers to RedHat 7.1. You'd be surprised how easy it is to administer, especially if all you know about Linux you got off of zdnet, or another Bill Gates Microschlong sucking media outlet.

No Real Change & Marketing Ploy (4, Informative)

webword (82711) | more than 12 years ago | (#2385475)

This is not a change in the fundamental technology. They don't seem to indicate that IIS itself will change, only that the default settings will yield more secure servers. This is only one type of security issue. What about all of the others [66.129.1.101]?

Another thing to consider is that they are not doing this to be kind, gentle, or nice. They are doing it to shore up their marketing of Hailstorm, Passport, and so forth. This is not a response to "what the users want" or they would have done this ages ago. It is a marketing ploy. It is the right thing to do, but it is a marketing ploy. Managers, CIOs, CEOs, and so forth will be able to sleep better at night.

Re:No Real Change & Marketing Ploy (1)

jeffphil (461483) | more than 12 years ago | (#2385555)

I agree, they started the Secure Windows Initiative [zdnet.com] 6 months ago -- and how many people here knew it would be a nothing-done, status quo marketing ploy that ultimately would lead to another disaster such as Code Red and Nimda.

Who is ever going to trust .Net? .Not me.

it will never be accepted (4, Insightful)

evenprime (324363) | more than 12 years ago | (#2385480)

If they do this, they will alienate their consumer base. Many Microsoft customers tend to choose their products because of ease of use. Taking something that is insecure and knowing how much to open up to get your applications to work is more difficult than installing it and just having it work right away because all the features you need (...and all the ones you don't) are already activated.

It would be great to have everything disabled by default, and would be a major help for security. (That's how OpenBSD has been able to go four years without a hole in the default install... there's not much enabled in the default install.) I just don't think that the average M$ shop wants to take the time involved for an average admin to get a secure-by-default product working, or pay the top dollars needed to get an admin savvy enough to already know how to do this.

Re:it will never be accepted (4, Troll)

Darth RadaR (221648) | more than 12 years ago | (#2385631)

It would be interesting if MS does set IIS as "locked down by default". Then we can really find out which MCSEs have a clue and which ones are just good at taking exams.

Does this mean... (0)

Anonymous Coward | more than 12 years ago | (#2385483)

They will also remove any backdoors left in IIS intentionally?

Speaking of broken webservers... (0, Offtopic)

Wakko Warner (324) | more than 12 years ago | (#2385485)

Any idea when we'll experience a 24-hour period in which Slashdot's database doesn't explode?

- A.P.

Re:Speaking of broken webservers... (0)

Anonymous Coward | more than 12 years ago | (#2385501)

When they stop using shitty server software and upgrade to IIS :)

Re:Speaking of broken webservers... (0)

Anonymous Coward | more than 12 years ago | (#2385553)

Do you post at an automatic +2?

or did someone actually moderate this piece of shit up?

I'll get you in metamod either way.

Re:Speaking of broken webservers... (0)

Anonymous Coward | more than 12 years ago | (#2385659)

auto +1 and the comment hasn't been moderated up yet. So metamod won't help you. Bye bye.

Secure IIS already out in Beta (0, Funny)

Grim Grepper (452375) | more than 12 years ago | (#2385489)

Microsoft has released a secure version of IIS to its beta testers. I cannot give you any details, except that it has codename "Apache".

Microsoft security... (3, Offtopic)

Desco (46185) | more than 12 years ago | (#2385496)

Microsoft's idea of making their products more secure is making it harder to copy... Seriously, if they'd spend as much time worrying about actual security as they do preventing and prosecuting piracy, it'd be more secure than Fort Knox.

Securing IIS... (1)

gatesh8r (182908) | more than 12 years ago | (#2385498)

Somehow I get the feeling when one of us does strings on the actual binary we may see the apache licence :-P Just that M$ and security go together as Satan and good.

Microsoft security solution (3)

Rocketboy (32971) | more than 12 years ago | (#2385499)

1. Place unopened IIS software in bank vault.
2. Close and lock vault door.
3. Eat paper on which vault lock combination is stored.

Oh, you actually wanted to use the software?

*sigh* I probably shouldn't rag on Microsoft: they needed to do this a long time ago. But in so many ways they've hoisted themselves by their own petard: by touting how easy their software is to use, by implication they've convinced businesses and technicians that they don't need much training on how to use it. Locking down IIS is one step: making sure that IIS admins know how to properly use it is another and I have yet to see any emphasis placed on education and training by Microsoft or any of its apologists.

Note: having one's connection refused by Slashdot when attempting to post a comment is just plain rude. On the other hand, the wonder isn't how well the bear dances, it's that the bear dances at all. :)

Like they had any choice ? (4, Insightful)

Archfeld (6757) | more than 12 years ago | (#2385504)

With the Gartner group sending letters to all their customers RECOMMENDING they remove IIS as "an unacceptable security risk" based on the TCO of IIS rapidly exceeding the cost of the hardware, the OS and THE SUPPORT STAFF. When a nationally recognized consulting firm that supports 400 of the top 500 firms, and one that HAS BEEN PRO M$ up to this point, or at least VERY neutral, suddenly starts advocating ABANDONING your investment you know you have BIG PROBLEMS. I personally think this is TOO LITTLE TOO LATE. Why was the product not shipped like this in the first place ???

Re:Like they had any choice ? (0)

Anonymous Coward | more than 12 years ago | (#2385521)

When you talk in caps it means YOU'RE SHOUTING. I CANNOT READ TEXT CONSTANTLY LIKE THIS. If you want emphasis, use bold or italics. thanks

Re:Like they had any choice ? (1, Funny)

Anonymous Coward | more than 12 years ago | (#2385607)

With the Gartner group sending letters to all their customers RECOMMENDING they remove IIS as "an unacceptable security risk" based on the TCO of IIS rapidly exceeding the cost of the hardware, the OS and THE SUPPORT STAFF. When a nationally recognized consulting firm that supports 400 of the top 500 firms , and one that HAS BEEN PRO M$ up to this point, or at least VERY neutral, suddenly starts advocating ABANDONING your investment you know you have BIG PROBLEMS. I personally think this is TOO LITTLE TOO LATE. Why was the product not shipped like this in the first place ???
"Do androids dream of electric sheep ?" - Phillip K. Dick

Re:Like they had any choice ? (0)

Anonymous Coward | more than 12 years ago | (#2385645)

Damn I wish I had mod points...+1, Funny!

Gartner has never been Pro-Microsoft (4, Insightful)

sheldon (2322) | more than 12 years ago | (#2385542)

They most certainly don't have a history of being pro-Microsoft. All their TCO stuff is directed at proving desktops are really expensive and we should all go back to big iron.

Gartner recommends whatever its clients pay it to recommend.

Making IIS secure (1, Redundant)

Darth RadaR (221648) | more than 12 years ago | (#2385508)

"...it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area," Brian Valentine, senior vice president of the Windows Division at Microsoft.

Which means Microsoft has found someone to steal it from. :)

it will never be accepted (2, Interesting)

evenprime (324363) | more than 12 years ago | (#2385513)

If they do this, they will alienate their consumer base. Many Microsoft customers tend to choose their products because of ease of use. Taking something that is insecure and knowing how much to open up to get your applications to work is more difficult than installing it and just having it work right away because all the features you need (...and all the ones you don't) are already activated.

It would be great to have everything disabled by default, and would be a major help for security. (That's how OpenBSD has been able to go four years without a hole in the default install... there's not much enabled in the default install.) I just don't think that the average M$ shop wants to take the time involved for an average admin to get a secure-by-default product working, or pay the top dollars needed to get an admin savvy enough to already know how to do this.

Re:it will never be accepted (1)

chinton (151403) | more than 12 years ago | (#2385575)

If this is the case then what are they to do? Keep it the way it is and continue getting hammered by every script kiddie that knows how to cut-and-paste? Or fix it so it installs the Right Way and alienate their customers?

How much time do those sysadmins spend patching and closing holes after each new worm crawls on through? It would seem to me that it would take less time to install IIS and get it configured the Right Way than it would be to keep applying the latest patch...

where's the hitch? (2, Interesting)

shibut (208631) | more than 12 years ago | (#2385514)

Reading this article I smell a goat, as they say. It smacks too much of a good initiative that will be exploited. Like the recently announced toolkit to get your system checked for vulnerabilities and fixed free (see here [microsoft.com]). If you try to actually have it sent to you and go thru a few screens you see that you need Passport (a.k.a. "all your passwords are belong to us!") in order to have them send you a CD by snail-mail. What does a physical CD have to do with an evil service, you ask? Did I mention that the CD might be useful/coveted? Has anyone found a similar hitch with this (e.g., putting the settings in such a way that a central M$ database will check the appropriateness of all your info "to make sure it's secure", oh and to make sure you don't use it for anything that disparages M$, hotmail, MSN, etc)?

Re:where's the hitch? (2)

scott1853 (194884) | more than 12 years ago | (#2385548)

I tried using the lockdown tool after I manually did a little house cleaning. Specifically, deleting the iissamples folder. The tool wouldn't run without that folder. Now that makes me feel secure. I restored it from the recycling bin and the tool proceeded.

Of course, what was I thinking by deleting the samples folder, they've never had any security issues with those files.

Didn't they already feed us this? (1)

scott1853 (194884) | more than 12 years ago | (#2385518)

I'm too lazy to go looking for it, but didn't MS claim they were going to focus on security about 1.5 or 2 years ago, back when IIS 4 was having problems?

Linux can learn from this (0)

Anonymous Coward | more than 12 years ago | (#2385520)

... as not all distributions are shipped in their most secure state.

Uneducated Opinion :-) (5, Interesting)

robi2106 (464558) | more than 12 years ago | (#2385525)

I had to test some Java code being developed by (company) for a newly released (product) and needed a web server. The usual test platform server had just been taken down by Nimda (i.e. not 3 hours earlier). Fortunately for my productivity log, an extremely capable app called Apache exists for WinNT and in under 30 minutes I had it up and running (including denying every host under the sun that was sending those annoying GET requests for /winnt/system32/cmd.exe).

The entire dev team working on the Java code would have just taken the afternoon off, had I not casually mentioned the existence of my humble Pentium Pro 200 running Apache. :-)

This caught the attention of my boss who wondered why our group was able to continue working, while many others were outside playing basketball waiting for the admins to finish the virus updates. Who knows... we may shift away from simple IIS servers (for a Java service on a server you don't need some big IIS machine).

From a security standpoint, this little server did a good job of fending off every virus attack (a few hundred every hour). I believe two additional simple IIS servers have been temporarily changed to Apache since they don't have a need for any other service. Who knows what will be their ultimate fate. But right now they are doing their job and don't need to be updated. This may affect the purchasing policy for one or two machines here. Not a huge step towards non-M$ product use, but I am encouraged nonetheless.

robi
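
A detector for the probe requests quoted by RadioheadKid and robi2106 above, added here as an example and not code from the thread: it parses Apache common-log lines, URL-decodes the request path, classifies Code Red and Nimda style probes from the request strings the posters saw, and tallies hits per client so an admin can decide which hosts to deny. The log lines and addresses are constructed, and the extra "../" traversal rule is an assumption that generalises the parent-path issue McSpew mentions.

```python
"""Flag Code Red / Nimda style probes in Apache access logs (constructed example)."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "method target proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures taken from the requests quoted in the thread. Matching is done on
# the lower-cased, URL-decoded path so %-encoded variants are not missed.
SIGNATURES = (
    ("code-red", "/default.ida"),             # GET /default.ida?XXXX...
    ("nimda", "/scripts/root.exe"),           # GET /scripts/root.exe?/c+dir
    ("nimda", "/winnt/system32/cmd.exe"),     # GET /winnt/system32/cmd.exe
)


def classify(target):
    """Return a probe family for a request target, or None if it looks benign."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/").lower()
    for family, needle in SIGNATURES:
        if needle in path:
            return family
    # Assumption: a bare parent-path hop is worth flagging on its own, since
    # "../" handling is the IIS feature the lockdown tool reportedly leaves on.
    if "/../" in path or path.startswith("../"):
        return "traversal"
    return None


def parse_line(line):
    """Parse one CLF line into a dict, or None if the line is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Tally probe families per client host. Returns {host: Counter}."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines we cannot parse
        family = classify(rec["target"])
        if family:
            hits[rec["host"]][family] += 1
    return hits


def deny_list(hits, threshold=1):
    """Hosts whose probe count reaches threshold, sorted, for a deny rule."""
    return sorted(h for h, c in hits.items() if sum(c.values()) >= threshold)


# Constructed sample log lines, modelled on the requests quoted in the thread
# (documentation-range addresses; nothing here is a real source host).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:00:01 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 295
192.0.2.10 - - [18/Sep/2001:10:00:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
198.51.100.7 - - [18/Sep/2001:10:00:05 -0400] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
198.51.100.7 - - [18/Sep/2001:10:00:06 -0400] "GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
203.0.113.4 - - [18/Sep/2001:10:01:00 -0400] "GET /index.html HTTP/1.1" 200 1043
garbage line that is not in common log format
""".splitlines()

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for host, families in sorted(result.items()):
        print(host, dict(families))
    print("deny:", deny_list(result))
```

The decoded-path check is what catches the %2f-encoded variant; a plain substring match on the raw request line would miss it.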

Thank god: Microsoft drives forward the industry! (1, Troll)

Sir Spank-o-tron (18193) | more than 12 years ago | (#2385531)

Did you catch that:

"It's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area," Brian Valentine, senior vice president of the Windows Division at Microsoft, said in an interview.

Now, hopefully Apache and other webservers will start shipping more secure products. Thank you Microsoft for driving forward the industry towards more secure standards.

Offtopic but funny (2, Offtopic)

ch-chuck (9622) | more than 12 years ago | (#2385532)

Just read on cnet where Ray Noorda of Novell used to call the guys at Msft Bill "Pearly" Gates who promises you the heavens while Steve "The Embalmer" prepares the body for burial.

fun quotes (4, Troll)

ethereal (13958) | more than 12 years ago | (#2385540)

``With the virus attacks of late and the numbers of those and how vicious those attacks have been ... it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area,'' Brian Valentine, senior vice president of the Windows Division at Microsoft, said in an interview.

I would think that Microsoft would want to get out of their leadership position in enabling virus attacks and making them so painful, but I guess that's why I'm not President of the Windows Division. I don't think the industry wants to be driven too much further down that path, though - alternate web serving platforms are more like where Microsoft is driving their customers.

``We can't just sit back and think about Microsoft,'' said Valentine, who is leading Microsoft's new security task force.

Well, that will be a first.

Tip for installing software (2, Interesting)

ZaneMcAuley (266747) | more than 12 years ago | (#2385549)

Never install a piece of software as Administrator, use poweruser or something less.

If it doesn't install as that user, don't install it. It's obvious that that app was not designed with security in mind.

This is the default condition of Apache, you know (4, Interesting)

Water Paradox (231902) | more than 12 years ago | (#2385550)

Remember the first time you installed Apache?

It was secure by default because you had to learn what the heck you were doing, and a fair bit about the structure of your hard drive before you could get it running.

Now IIS is catching up, having learned what happens when you appeal to the lowest common denominator. This is very good news, because it means IIS will no longer be administered by people who haven't a clue. It's not that IIS is inherently insecure, but that it's inherently run by people who don't know how to secure it.

Apache appeals to a different crowd, and is more secure by nature for that reason...

Interesting that we all criticize MS (0)

NotSurprised (525043) | more than 12 years ago | (#2385559)

for their security holes, and generally overlook the fact that the default config of RedHat (and other Linux distributions) is also horribly insecure.

Typical microsoft spin (2)

CormacJ (64984) | more than 12 years ago | (#2385560)

Quote: "With the virus attacks of late and the numbers of those and how vicious those attacks have been ... it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area," Brian Valentine, senior vice president of the Windows Division at Microsoft, said in an interview

They have to drive forward the industry? They are playing catchup. They are implementing security features that have been in Apache for years at this stage, and setting defaults that should have been set at day one. It's typical of Microsoft to try and fix things up once they have totally broken, then try to sell it as a feature, and to try and say "Look what good things we've done in combating this problem", when all along there should never have been a problem in the first place.

MS released another tool today (5, Interesting)

CmdrMightyTaco (517355) | more than 12 years ago | (#2385562)

In a related topic, MS released another tool set today to help admins secure their boxen...

The rest of this comment is from the NTBugTraq newsgroup:

Microsoft have today announced a suite of initiatives intended to address the issues their customers face from the threat of Worms and other malcode like Nimda and Code Red.

About time.

I've been assured that substantial resources have been allocated to this new effort, but one has to wonder just who was consulted in coming up with what this program involves (if you were, drop me a line.)

Announced today was the "Microsoft Security Tool Kit";

Click here [microsoft.com]

This "Greatest Hits" CD or network download contains all of the things you should already have;

- Latest Service Packs for OS, IIS, and IE.
- Security Checklists for NT, W2K, and IIS.
- A W2K-SP2 Deployment guide (the Update.msi section is worth reading if you have an Active Directory environment and use Group Policies)
- An NT 4.0-SP6a Deployment guide for SMS.
- IE Deployment guides.
- Several individual Hotfixes required for NT 4.0 Terminal Server (even though they are included in the NT 4.0 SRP)
- IIS Lockdown Tool
- URLScan
- HFNetchk
- Critical Update Notification 3.0 (only applies to W98/W2K according to the referenced KB article)
- QChain

There's a difference between the download and the CD. According to the announcement page, "It (CD) includes automation scripts to quickly install all the security hotfixes recommended in the kit.", but the CD may take from 3 to 6 weeks to arrive.

I was told there would also be a "Bootstrap Client for Windows Update" within this package somewhere, but if its just the Critical Update Notification 3.0 tool then its not a "Bootstrap Client" in the sense I thought it was.

While there are additional things planned, the biggest thing missing at this stage is a re-release of the NT 4.0 Option Kit CD which contains;

1. Patched version of IIS 4.0 (one that's not vulnerable out of the box)
2. Patched versions of MDAC
3. Modifications to the samples to eliminate RDS
4. Modified default installation that doesn't install in a way known to be exploitable
5. Modified Setup program that doesn't re-install removed script mappings and other components after the user has manually removed them (since that's what many people have done to protect themselves)

In addition, what is desperately needed is some way to do the following;

a) Probe your internal network to identify IIS installations (this can be done with HFNetchk, but working with its output is no fun)
b) Completely remove the IIS installation on command (remotely!), or render it stopped
c) Query the IIS installation and alter it, removing RDS keys, updating MDAC, patching it, disabling /scripts, tightening permissions, etc...
d) Report results in a comprehensive fashion

I don't know about the rest of you, but many people have thousands of IIS boxes to deal with. While Microsoft does sell SMS, if you used Ghost to distribute your installations it hardly seems reasonable for MS to expect you to purchase SMS to secure what you thought was a reasonable installation.

If you have more than 1000 hosts under your control, send me your suggestions for the best product/method used to get patches and service packs out.

Given that this whole initiative, supported at the highest levels in Microsoft, is designed in response to Worms that required the touching of every machine in your organization, the first thing out the door should've been something that made that problem less onerous.

There are plans in the works (for Q2-2002) for an internal version of Windows Update. I've been calling for this with Microsoft for eons now, and while it's great they have finally been hit with the clue-bat it seems ridiculous that it's going to be 6 months plus before we see it. Such a tool would allow Network Administrators to rely on the client's Windows Update component to provide fixes (fixes decided on by the Network Administrator). In addition, a new feature in that client (still some 3 months out) allowing it to be set up to allow automatic updates (a push mechanism), would give you a way to push out a fix quickly to all clients.

Again, about time!

Also coming out of all of this was news that Windows 2000 SP3 is not likely to ship this year.

Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

you guys are incredible (1)

Telek (410366) | more than 12 years ago | (#2385563)

putting the onus on sysadmins to remove it from that state

First it's all Microsoft's fault because IIS was shipped in an "easy to use state" which made it insecure. Now you're reversing the tables and saying that the "onus" is on the sysadmins to put it into a less secure state. Will you guys ever be happy?

It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper.

So, lemme get this straight.... Instead of praising them for finally doing what you've been asking all along, you give hesitant "well now the onus is on the sysadmin" and "may be trying to do... at least on paper" comments... What exactly will make you happy? (besides MS rolling over and playing dead).

Re:you guys are incredible (1)

Anonymous DWord (466154) | more than 12 years ago | (#2385621)

What will make us happy? MS rolling over and... oh, besides that? Umm... Free as in beer? Beer makes us happy.

Their secure configuration... (1)

chrae (159904) | more than 12 years ago | (#2385564)

"...locked down in the most secure configuration."

Would that new "secure configuration" be upside down, along side the new AOL 6.0 Platinum, 50k hours for your first month, pH balanced for kiddies(tm) [aol.com] CD in the Trash? I suppose then you'd have to worry about people breaking in and stealing your trash.

...something about a cake and multitasking abilities.

translating MSpeak (1)

aka-ed (459608) | more than 12 years ago | (#2385573)

"it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area"

(Our products? A security problem? Don't be silly, it is "the industry." We will fix the industry.)

"We can't just sit back and think about Microsoft."

(It's not a Microsoft problem...but we will do the charitable thing and help, anyway.)

Weirdest spin I've seen in a long time....

Re:translating MSpeak (1)

PhreakinPenguin (454482) | more than 12 years ago | (#2385600)

Does that mean I can spin it a positive way?

"We can't just sit back and think about Microsoft."

Maybe he's saying that MS has sat around saying it wasn't their problem, and now he is taking it on himself to say it is their problem?

New (5, Funny)

mlknowle (175506) | more than 12 years ago | (#2385590)

In other news, Microsoft's hardware division announced a plan to make water flow uphill.

What is this? (1)

hhe_hee (470065) | more than 12 years ago | (#2385591)

"It looks like Microsoft may be trying to do the right thing from a security standpoint"

Hey, look now, I thought that this wasn't the funny section, or am I wrong...?

They attempt to secure IIS? Shouldn't they be "attempting" to do so all the time? Isn't it trivial knowledge in programming to try to find out and fix security holes?

Re:What is this? (5, Informative)

Tackhead (54550) | more than 12 years ago | (#2385653)

> "It looks like Microsoft may be trying to do the right thing from a security standpoint"

In other news today, Satan said to be interested in joining US Figure Skating Team. "Yes, this is a serious bid; we've already started training now!", said the Dark One, executing a perfect double axel over what was once the Ninth Plane of Hell.

gee, that's a toughie. (1)

ErikZ (55491) | more than 12 years ago | (#2385599)

So, doesn't IIS install as default when you install Windows?

Wouldn't the ultimate security be: Don't install it with the OS as default?

Sheesh.

Re:gee, that's a toughie. (0)

ZaneMcAuley (266747) | more than 12 years ago | (#2385617)

heh or dont install the OS :D

Wondering what the new settings will be... (4, Funny)

blogan (84463) | more than 12 years ago | (#2385602)

A paperclip comes up and asks you, "Would you like to have the server start? Would you like to allow connections from outside 127.0.0.1? Would you like to run scripts? Would you like to be able to access files not residing on the read only floppy? Would you like to have all comments automatically read by Outlook?"

Right... (0)

sirgoran (221190) | more than 12 years ago | (#2385604)

And monkeys will fly out my butt.

Somehow I don't trust M$ to not "add" a little something else to help secure your box and to also help secure their position in the marketplace.

Sorry, but the words "M$" and "helping" being used together sounds too much like an oxymoron to me. That's like trying to make "Tax Audit" and "Root Canal" sound like a good thing.

Goran

Easy updates are the key (3, Informative)

ENOENT (25325) | more than 12 years ago | (#2385612)

This whole IIS thing is only a Microsoft problem by coincidence. Any piece of software can have security holes, so the key to reducing their effect is timely application of patches. That appears to be the main thrust of MS's "securing IIS" effort.

Unfortunately, almost nobody makes it easy to get security patches. Debian does the best job, from an admin's point-of-view--just "apt-get update && apt-get upgrade" when there's a security announcement, and you can even put this into a cron job. MS doesn't do too badly, with "Windows Update". Solaris stinks--Sun seems to go out of their way to hide security patches from visitors to their website. I don't have much experience with other platforms--there may be better systems than Debian's, but I haven't seen them.

I love it (0)

moderate_this (231075) | more than 12 years ago | (#2385615)

"And J.S. Wurzler Underwriting Managers' Safeonline division is charging some companies using IIS as much as 15 percent more in premiums."

Don't forget to add in the added insurance premiums when calculation MS's total cost of ownership :)

format c:, fdisk (0)

Anonymous Coward | more than 12 years ago | (#2385634)

ITs almost like you are working full time for, & have to pay ransom to, felonious father william, when you "attempt" to use that crud. &, it seems know matter what you do, buy next weak you're InFactDead AGAIN anyway.

no matter, we'll NEVER (strong word, know?) use ANY PayPer LieSense filled, virus friendly, invasion of privacy, m$BugWear at ScaredCity(?tm?) [scaredcity.com] . we will, however, give some fortunate netizen this uninfected (never been driven in the winter/bankrupted/etc...) set of URLs [opensourceworks.com] , including a year's free hosting, for being able to follow some simple directions, while not being aFraUD. are we easy, or what?

IIS 6.0 (3)

isa-kuruption (317695) | more than 12 years ago | (#2385643)

Uhm I heard from a web developer for middleware systems that uses IIS that IIS 6.0 is going to run in kernel memory. Maybe this is a bad thing? Executing ASP code in kernel memory? Just.... maybe?

sarcasm? (5, Funny)

Anonymous Coward | more than 12 years ago | (#2385649)

"It looks like Microsoft may be trying to do the right thing from a security standpoint, at least on paper."

Thank God. Since MS usually tries to do the wrong thing, on purpose. Now they are doing the right thing on paper.

I don't get it. (3, Interesting)

Auckerman (223266) | more than 12 years ago | (#2385652)

I'm not really sure how this will help. Having a server off by default will not make it harder to break into once the server has been turned on. Not only that, the problems exploited by worms and script kiddies are all known, sometimes months and even years in advance of an attack. If MS were truly serious, they would establish an independent body to certify MCSEs, make it so that the certification is much more difficult than it is now, and only provide support to customers who have certified personnel on staff. On top of this, MS should guarantee backward compatibility of ALL software installed on a system after a security update is applied (within a given product version) so that admins won't be terrified to install updates.

Holy (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2385671)

shit mang.