Wednesday, September 26, 2001

Gartner Recommends Against Microsoft IIS
Well, I guess we all knew this was coming. I have to say I agree... I run IIS. I don't intend to stop running IIS. The problem is that EVERYONE, including a moderately bright 6 year old, can put up a website with IIS. But what everyone doesn't do is patch the thing.

When Code Red came out (if you look back in my blog you can see it too), I said that if I wanted to write a nasty worm I would wait for Microsoft to release a patch, write something that took advantage of that vulnerability, and release it. That looks like almost exactly what happened with Nimda: the patch came out, and two days later the worm hit. If people don't check for patches daily, or at least get on the Microsoft mailing list that notifies you of patches (after all, it's free), IIS will never be safe.

The other thing people need to do is turn off the features they aren't using. Fine, you are using IIS, you are serving a web page... why do you have FTP running? ("What is FTP?" you ask. All the better reason not to have it running.) One of the biggest problems with IIS is that the default install puts everything in, wide open, along with Microsoft's tendency to go with the principle of most privilege on user rights.... it leads to servers asking, no, begging to be hacked. It makes them easy to set up, easy to install... great... but do we want easy targets, or machines that require a bit more work to set up but are much harder to penetrate?
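Here is an added example of the two checks above (are you patching, and is anything beyond the web service still enabled), written as a PowerShell audit for a modern Windows host running IIS. It is not code from the original post; the service names W3SVC, MSFTPSVC, SMTPSVC and NNTPSVC are assumed to be the IIS-era web, FTP, SMTP and NNTP services, and the allow-list defaults to just the web service.

```powershell
# Added example (not from the original post): report the age of the
# newest hotfix, then list IIS-era services that are installed but not
# on the allow-list, and optionally stop and disable them.
param(
    [string[]]$Keep = @('W3SVC'),   # services this host really serves
    [switch]$Fix                     # stop and disable everything else
)

# 1. Crude "are you patching?" signal: days since the latest hotfix.
$latest = Get-HotFix | Where-Object InstalledOn |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    Write-Output ("Last hotfix {0} installed {1} days ago" -f $latest.HotFixID, $age)
} else {
    Write-Output "No hotfix install dates recorded: check Windows Update history"
}

# 2. Unused IIS services. Assumed names: W3SVC (web), MSFTPSVC (FTP),
#    SMTPSVC (SMTP), NNTPSVC (NNTP).
$iisServices = @('W3SVC', 'MSFTPSVC', 'SMTPSVC', 'NNTPSVC')

foreach ($name in $iisServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # not installed: nothing to turn off

    if ($Keep -contains $name) {
        Write-Output ("KEEP     {0,-9} status={1}" -f $name, $svc.Status)
        continue
    }

    # StartMode comes from WMI so this also works on older PowerShell.
    $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    Write-Output ("UNNEEDED {0,-9} status={1} startmode={2}" -f $name, $svc.Status, $mode)

    if ($Fix) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
        Write-Output ("         {0,-9} stopped and disabled" -f $name)
    }
}
```

Run it without `-Fix` first to see what is installed and running; add `-Keep W3SVC,MSFTPSVC` if this host really does serve FTP.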

I guess this is my usual vent. NT and IIS don't have to be insecure. Well, they are in parts written with big gaping holes that have been patched over, leaving littler holes, etc... but in effect every OS is that way to some extent or another. The problem is the administrators, or small business owners, or whoever, who aren't patching their stuff. Take a bit of personal responsibility, folks.

I concur... if somebody got hit by Code Red and Nimda (it would be because they didn't apply the patches that were recommended when Code Red was all over the news), their insurance rates should go up. Heck, even my 72 year old uncle who has never touched a computer asked if I was patched versus Code Red. Get with the program, folks... you are making us decent NT administrators look bad.
