| About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store |
 |
||||
|
||||
 |
||||
 |
|
|||
 |
||||
|
|
|
||
|
|||||||||||||||||||||||||||||||||||||||||
 COLUMN
Is it secure? I mean IIS LAST WEEK I wrote about the latest security weakness found in the new Windows XP operating system. (See "Plug-and-prey fiasco," Jan. 14.) XP is selling in retail channels at a rate that's about one-third less than Windows 98 did at this stage, according to Port Washington, N.Y.-based market-research company NPDTechworld (www.idg.net/crd_idgsearch_781514.html). But thanks to preinstallation on new PCs, about 7 million to 10 million copies of XP (and growing) are now running. That's an awful lot of machines that may become "zombies" in future DoS (denial of service) attacks due to XP's security hole.
Last year's worm wars gave Microsoft's Web server product such a bad name among IT professionals that many of them joked that IIS stands for "It Isn't Secure." The Code Red and Nimda worms affected hundreds of thousands of IIS machines at the height of their exploits, and thousands of hacker backdoors remain in place even today. Server software figures from Netcraft, a research group in Bath, England, reveal serious cracks. "One in 10 of the [IIS] e-commerce and encrypted transactions sites tested by us had backdoors in place to allow external attackers to monitor the systems, or have commands executed on the machines," Netcraft said in November (www.netcraft.com/Survey/index-200110.html). That's after many, many servers had been patched, but by no means all. Besides reassuring cautious credit card users, ID Serve also allows users to determine the domain name associated with a given IP address. This can help you identify intruders your firewall may have detected. ID Serve and Gibson's descriptions of various IIS problems can be found at www.grc.com/id/idserve.htm. It's not as if it's impossible to make software that's more secure. Wim Vandeputte, CTO of Custodix.com, a provider of trusted services, notes that the OpenBSD operating system he uses "hasn't suffered from a remote hole in the default install in over four years." In a similar vein, Gibson says, "The last serious remote-code execution vulnerability to hit the Apache Web server was back in 1997. But IIS has them monthly." Knowing that you may need to patch a product next month and again the month after doesn't make you feel as secure as using a product that's well-tested. Partially as a result, Apache server software enjoys twice IIS's market share in Netcraft's latest survey. Microsoft has some of the world's best developers, but it still pushes some half-baked products. Send tips to brian@brianlivingston.com. He regrets that he cannot answer individual questions. Go to www.iwsubscribe.com/newsletters to get his Window Manager column and E-Business Secrets e-zine free via e-mail.  RELATED SUBJECTS  SecurityOperating SystemsMORE > SPONSORED WHITE PAPERS 
SPONSORED LINKS
|
|||||||||||||||||||||||||||||||||||||||||
|
||||||||||
|
||||||||||
