The Buck Stops Where?
Tim Mullen, 2002-04-15

Don't blame Microsoft. They gave you the patch; it's your responsibility to use it.

The Buck Stops Where? 2002-04-15
Nighthawk (3 replies)
The Buck Stops Where? 2002-04-16
Anonymous (1 replies)
The Buck Stops Where? 2002-05-06
Anonymous
The Buck Stops Where? 2002-04-17
hmmm... (1 replies)
The Buck Stops Where? 2002-04-23
dave.williams@gte.net
The Buck Stops Where? 2002-04-30
Bruno Ferreira
The Buck Stops Where? 2002-04-15
MG (1 replies)
The Buck Stops Where? 2002-04-16
Anonymous (1 replies)
The Buck Stops Where? 2002-04-18
MG (2 replies)
The Buck Stops Where? 2002-04-20
Willie (1 replies)
The Buck Stops Where? 2002-04-23
Anonymous
The Buck Stops Where? 2002-04-22
Anonymous
The Buck Stops Where? 2002-04-15
Anonymous
The Buck Stops Where? 2002-04-16
Willie (2 replies)
The Buck Stops Where? 2002-04-17
Anonymous (1 replies)
The Buck Stops Where? 2002-04-20
Anonymous
The Buck Stops Where? 2002-04-23
Anonymous
The Buck Stops Where? 2002-04-16
Anonymous
Responsibility? 2002-04-16
Anonymous
The Buck Stops Where? 2002-04-16
Andy
The Buck Stops Where? 2002-04-16
Anonymous
The Buck Stops Where? 2002-04-16
Anonymous (1 replies)
The Buck Stops Where? 2002-04-17
Anonymous (1 replies)
The Buck Stops Where? 2002-04-18
Anonymous
The Buck Stops Where? 2002-04-16
Anon (3 replies)
I do agree with one point: it ultimately falls upon the administrator to secure his systems and his network. Unfortunately, at this point, if he is still using IIS and doesn't have some basic security built into his setup, he's already dropped the ball. IIS can be made immune to 90% of the worms out there with just a few configuration settings. If an admin were to set up virtual hosts requiring HTTP/1.1 hostnames for all web aliases, then set up a default site that just listens to the primary IP and has no functionality, IP-based worms would be largely ineffective. This is not a cure-all, but it would definitely add another layer of security to the mix. As far as IIS is concerned, every little bit helps. An IIS server will never be perfect, but it can be made reasonably secure to the vast majority of issues.

I don't agree with your idea that all Microsoft has to do is put out a patch and they are off the hook. I've encountered problems with almost all of the M$ patches to date, and this one is no exception. We've already encountered problems and have had to postpone the very critical systems for times when we will have the ability to back out or reapply if needed. We've gotten the externally visible servers, but are taking our time with the internal, mission-critical servers.

If M$ were worth the bag of doo burning on their front porch, they would make sure all of their patches have been THOROUGHLY tested, not just tested a little then released. I understand this may not be possible in all cases. In this case, however, their trained pets are the ones who found the holes. Who knows how long they had to build a patch before they had to announce it? Microsoft is culpable for their operating system, regardless of what the EULA states, or how the lawyers spin it. Regardless of how you spin it, Microsoft isn't the greatest thing since sliced bread, nor are they even worth being in the webserver market. You may get paid to push their products or to kiss their bottom, but I get paid to keep a large web infrastructure working. Microsoft crap is the main reason I have to do so much work. I spend more time on our minority of IIS servers than I do on our vast array of Apache-based webservers. I attribute that to the lack of functionality, the lack of extendability, the lack of security and the lack of stability with IIS. Trust me, I'm not a paid Microsoft spokesperson, I'm a professional with IIS and Apache. I KNOW which is better.

Oh, and one more thing. EVERYONE does not use ASP. We've even disabled it on most of our machines, and we have quite a few.

Link to this comment: http://www.securityfocus.com/comments/columns/74/11890#11890
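
The host-header setup described in the comment above, modelled in Python as an added example (not part of the original comment and not IIS code): named sites answer only when the request carries a matching `Host` header, and everything else lands on an empty default site. The site names, addresses and sample requests are constructed for illustration.

```python
import ipaddress

# Hypothetical named sites (constructed); each requires a matching Host header.
SITES = {"www.example.com": "main-site", "shop.example.com": "shop-site"}
DEFAULT_SITE = "empty-default"  # bound to the primary IP, has no functionality


def host_of(raw_request: bytes):
    """Return the lower-cased Host header value without its port, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):           # IPv6 literal such as [::1]:80
                return host[1:].split("]", 1)[0]
            return host.rsplit(":", 1)[0] if ":" in host else host
    return None                                # HTTP/1.0-style, no Host header


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def select_site(raw_request: bytes) -> str:
    """Pick the site a request is served from under the host-header scheme."""
    host = host_of(raw_request)
    if host is None or is_ip_literal(host):
        return DEFAULT_SITE                    # addressed by IP only
    return SITES.get(host.rstrip("."), DEFAULT_SITE)


# Constructed sample requests: by bare IP, by IP in Host, and by real hostname.
SAMPLES = [
    b"GET / HTTP/1.0\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    b"GET / HTTP/1.1\r\nHOST: WWW.Example.com:80\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: unknown.example.net\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.split(b"\r\n", 1)[0].decode(), "->", select_site(req))
```

Requests that reach the default site are also a useful log signal, since legitimate browsers following links to the named sites never arrive there.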
The Buck Stops Where? 2002-04-17
Anonymous
The Buck Stops Where? 2002-04-18
Anonymous
The Buck Stops Where? 2002-05-05
Anonymous
The Buck Stops Where? 2002-04-16
Anonymous
The Buck Stops Where? 2002-04-16
Anonymous
The Buck Stops Where? 2002-04-17
Anonymous (1 replies)
The Buck Stops Where? 2002-04-17
Anonymous
The Buck Stops Where? 2002-04-17
Mel
The Buck Stops Where? 2002-04-17
blacklight
The Buck Stops Where? 2002-04-18
Anonymous
It all comes down to these things. 2002-04-19
Noseman (1 replies)
The Buck Stops Where? 2002-04-19
Owen Creger
The Buck Stops Where? 2002-04-19
Sculder
The Buck Stops Where? 2002-04-19
Anonymous
The Buck Stops Where? 2002-04-19
Anonymous
The Buck Stops Where? 2002-04-22
ali abolfathi (1 replies)
The Buck Stops Where? 2002-04-23
Anonymous
Blame the (Em)balmer? 2002-04-23
dave.williams@gte.net (1 replies)
Blame the (Em)balmer? 2002-04-29
Stefan
The Buck Stops Where? 2002-04-23
Jim
The Buck Stops Where? 2002-04-23
blacklight
The Buck Stops Where? 2002-04-26
Bakdosh
The Buck Stops Where? 2002-04-29
Anonymous (1 replies)
The Buck Stops Where? 2002-05-04
Anonymous
The Buck Stops Where? 2002-05-01
Anonymous
The Buck Stops Where? 2002-05-02
Anonymous
The Buck Stops Where? 2002-05-06
Anonymous







 

Copyright 2009, SecurityFocus