Security Basics mailing list archives
RE: IIS6 Security and other web servers
From: tom.farrar () it-ps com
Date: Thu, 27 Jan 2005 10:33:07 +0000
Apache and IIS are much the same security-wise nowadays - it comes down to personal preference, not like older versions of IIS where at companies such as VeriSign it was a full-time job to research and patch IIS.

I would say it comes down to 3rd party modules - being open source, Apache runs a higher risk with poorly made 3rd party modules, but security holes get patched far quicker.

Both are good products when configured and patched correctly, however out of the box Apache is relatively weak.

Tom Farrar
Data Centre Engineer
tom.farrar () it-ps com
IT Professional Services
t +44 (0)191 442 8300
f +44 (0)191 442 8301
Support: +44 (0)870 444 0535

-----Original Message-----
From: Rivera Alonso, David [mailto:drivera () iberdrola es]
Sent: 25 January 2005 14:52
To: security-basics () securityfocus com
Subject: IIS6 Security and other web servers

Dear friends,

I just want to throw a little question to know your opinion.

I was discussing yesterday with a friend about the quality of IIS6 from a security point of view. He immediately said it's a bad choice, as previous Microsoft web servers. I've read a few papers and I have this opinion: as it's been redesigned from the ground up (with all the previous failures in mind), with the security perspective, with every little service and option disabled by default, and so on, I told him that now, in my opinion, IIS6 is a good choice. He loves GNU, Linux, and, logically, he thinks Apache is the king in security.

Just because I felt curious, I went into www.securityfocus.com to check the latest vulnerability advisories for Apache and IIS6. Incredible, Apache wins, it has many more (not to talk about the many releases since version 2.0)! In fact, I just found one alert about IIS6.

What do you experts think? Of course, I know IIS was very dangerous before version 6. But maybe an IIS6 in a well configured, patched and secured Windows 2003 machine is at last a good choice to house Web Applications? Or maybe it's too soon, there are few installed, and maybe in the future it'll have as many holes as the predecessors? What do you think?

best regards from Spain,
DAVID