IIS6 security?

This topic is closed.

  • IIS6 security?

    Is IIS really as secure as people say? Given its bad history I just have trouble believing the stats indicating apache is WAY more unsecure. I'm thinking it more has to do with apache being open source and IIS6 being rather newer, but do you think eventually there will be way more holes found in it? I've been wanting to get more deep into hacking just so I can try and exploit it on my test server.

    I don't like the idea of a M$ product being more secure than apache. Just not right.
    Red Squirrel

  • #2
    Originally posted by Red Squirrel
    I don't like the idea of a M$ product being more secure than apache. Just not right.
    What's so wrong with that? MS is spending millions of dollars to produce IIS, it damn well better be more secure. I don't like the idea of a product that costs many hundreds of dollars being less secure than one that is a free download.

    -zac
    %54%68%69%73%20%69%73%20%6E%6F%74%20%68%65%78



    • #3
      Yeah good point. I guess it's just a shock to see a webserver that is like a trojan to suddenly be known to be secure.
      Red Squirrel



      • #4
        IIS 6 already has security holes.. check k-otik. u'll know.. apache is fundamentally more secure than IIS will ever get because it is open source.. u can customise it to ur needs.. once that is done apache is a lot safe and stable than IIS..

        u dont hack into software.. u hack into the mistakes of the programmer.. more the number of programmers lesser the number of mistakes.. and apache has a large portion of the hacker community working on it.. that's a lot compared to the people working on IIS..



        • #5
          Bugmenot.

          What IIS 6.0 security holes?

          "Yeah good point. I guess it's just a shock to see a webserver that is like a trojan to suddenly be known to be secure."

          How can anyone possibly be this stupid?

          "u dont hack into software.. u hack into the mistakes of the programmer.. more the number of programmers lesser the number of mistakes.. and apache has a large portion of the hacker community working on it.. that's a lot compared to the people working on IIS.."

          Well, fuck me.

          Everyone at Ars: Hi Mom!



          • #6
            Originally posted by pr0zac0x2a
            I don't like the idea of a product that costs many hundreds of dollars being less secure than one that is a free download.
            -zac
            are you new here?
            Delicious Poison:

            The difference between a nerd and a geek? Well a nerd does not wear Spider Man butt huggers.



            • #7
              You're right, his post did seem a little too intelligent for the audience.



              • #8
                If you run a decent amount of services on Windows Server 2003 you'll find yourself applying about a good 10 security patches every month or so.
                45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
                45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
                [ redacted ]



                • #9
                  Originally posted by fedcon
                  You're right, his post did seem a little too intelligent for the audience.
                  Least someone got my point.

                  Either way, do a search on milw0rm and tell me how many script kiddie exploits get returned for IIS, and how many get returned for apache. If you don't feel like looking, here's the results:
                  11 for IIS since 2000-11-18
                  20 for apache since 2003-04-04

                  A Security Focus Vulnerability search for apache and one for IIS both return 4 pages of results.

                  So if someone wants to go through and show me how all the IIS flaws are huge holes and all the apache ones are tiny little bugs feel free. It just doesn't seem like apache's all that more secure than IIS to me.

                  -zac
                  %54%68%69%73%20%69%73%20%6E%6F%74%20%68%65%78



                  • #10
                    Originally posted by s.kaniff
                    IIS 6 already has security holes.. check k-otik. u'll know.. apache is fundamentally more secure than IIS will ever get because it is open source.. u can customise it to ur needs.. once that is done apache is a lot safe and stable than IIS..
                    This is an outright fallacy: open source does not guarantee security any more than closed source denies it. Apache has had more than its share of exploitable vulnerabilities over the years, much the same as IIS. What it ultimately boils down to is that programmers make mistakes that aren't caught before the product ships. If you don't believe me, check the last five years or so of the Bugtraq archives - you'll find a wide variety of vulnerabilities and exploits for both.

                    u dont hack into software.. u hack into the mistakes of the programmer.. more the number of programmers lesser the number of mistakes..
                    This is another fundamental flaw in the way people view open source. More programmers does not necessarily equal better code. That doesn't mean that it equals worse code, but you do have more people with their own ideas of how everything should be done. What this means, really, is that without proper independent code review, any closed- or open-source project faces a greater chance of exploitable vulnerabilities making it in.

                    and apache has a large portion of the hacker community working on it.. that's a lot compared to the people working on IIS..
                    Microsoft has engineering resources that can only be described as 'massive'. How many people really work on Apache, anyway? A lot of contributors doesn't necessarily equate to a lot of people working on it - I can correct typos in the documentation, submit it, and say that I've 'worked' on Apache. Someone who's actively working to improve the threading model in it, however, is doing something way more valuable than what I am.

                    And lest this sound like an anti-open-source diatribe, it isn't. But people need to figure out that using one model over the other doesn't necessarily confer any superiority in terms of the quality and security of the software being developed. Good coding practices, independent code review, and actively finding and fixing existing problems in the code count for a lot more than adding features before fixes, or fiddling with one's pet part of the code.

                    Also:

                    Originally posted by s.kaniff
                    u'll know
                    u can
                    ur needs
                    u dont
                    u hack
                    I'm aware that you're in India and that English is one of probably at least two languages you speak, but please don't use SMS-speak here. It makes even intelligent replies sound utterly stupid.



                    • #11
                      IIS 6 is not that new and pretty damn secure

                      Microsoft contracted Dave Aitel, Dildog, and one other person (I think K2) to audit IIS6 and made huge changes to the security architecture of IIS in response to the seemingly endless string of vulnerabilities in previous versions of IIS. IIS6 has a good history with very limited known security issues. MS really made a big effort to straighten IIS out, and it shows.

                      Anybody who thinks open-source has security advantages over closed-source has clearly not read enough open-source code
                      I program my home computer



                      • #12
                        Originally posted by d.fi
                        Anybody who thinks open-source has security advantages over closed-source has clearly not read enough open-source code
                        As opposed to reading closed-source code?
                        In a world without walls and fences, who needs Windows and Gates?



                        • #13
                          http://episteme.arstechnica.com/grou...1#883004516731

                          Don't feed the cross-forum trolls.
                          Aut disce aut discede



                          • #14
                            Yup

                            Originally posted by stringslayer
                            As opposed to reading closed-source code?
                            How is this for a response to your quip: if you do not have experience reading closed-source software, by either working for commercial software vendors or being paid to audit closed-source software, then you have no ground to stand on in this debate. Only developers and code auditors that have substantial experience working on or studying both open and closed source software have any basis for making a claim one way or another. Vulnerability statistics do not back up the arguments from either side.
                            I program my home computer



                            • #15
                              Idiot trolls. They are anti-open source people at heart, to even go down to the level of trolling here to try and give their point that "because it's free, it can't be as good".

                              Might want to close this thread or move it to /dev/null
                              Red Squirrel
