Security Basics mailing list archives
RE: IIS6 Security and other web servers
From: "Andrew Aris" <andrew () dev bigfishinternet co uk>
Date: Fri, 28 Jan 2005 10:36:24 -0000
Greetings All,

I'd like to ask for some clarification here. I know that Ebay, Anandtech, et al. run on a purely Windows architecture (for the ease of programming in .Net from what the folks at Anandtech are saying) for their web-services and that works well for them. However, I know of no Windows architecture that is exposed directly to the Internet. Every vendor/consultant/Admin I have ever met is saying that in order for Windows to be secure it must be protected by layers of protection (hardened router, hardware firewall, etc). On the other hand, I know of a number of LAMP-type servers that are exposed directly to the Internet with no intervening layers.

Am I to take the statement that "IIS6 is a very secure platform" to mean that IIS6 is only secure after it has been hardened from its insecure default installation and protected by layered security that prevents direct access to the Internet?

I may well be wrong here, so please feel free to correct me if I'm out on a limb.

Thank you,
RandyW
The default install of IIS6 is actually quite secure once patched to the most recent level - IMHO I would say it is more secure than a default install of Apache (also patched). With IIS6 it's not so much that you need to do a lot of work hardening it, more that you have to be careful when turning functionality on not to create any unnecessary exposure.

I would say exposing a LAMP (Linux-Apache-MySQL-PHP) machine to the internet directly would be a foolhardy thing to do unless the machine was extremely hardened; layers of protection are always good no matter what platform you have.

cheers,
Andrew