Big news over at Linux-land...er, Slashdot today. "Study Finds Windows More Secure Than Linux". The summaries of the results are pretty good, as these two appear to have done a more fair comparison than I've seen in the past. For example, IIS isn't a webserver, it's an application server and does more than just serve static webpages. To compare IIS to Apache side-by-side is like comparing a Hummer to a Yugo. One will get you back and forth to work, the other will get you back and forth to work if you have to pass over the Rockies, through some rivers and mow down any deer on the way. To make a fair and reasonable comparison, you need to add in a couple of scripting languages to Apache, as well as enable a lot of extra modules. You then need to take into account the security holes in those as well!
Well, anyway, this is news to me...not. For some reason, Apache's been getting a lot of abuse on this blog this week. Not my intention, but it's just worked out that way. Let's be clear, this study shows that IIS is more secure than Apache, and isn't a Linux vs. Windows article. Since so many people have enough trouble with facts, I like to clear up the easy ones in advance. :)
People have been comparing Apache to IIS for ages. For ages, I've been saying IIS is as secure, if not more so than Apache, if configured by a competent administrator! The problem is, IIS "out of the box" is nowhere near as secure as Apache is out of the box. In fact, even I wouldn't presume to call an out of box IIS secure in any way.
And this is where the confusion sets in, because *nix guys don't know how to secure a Windows box. They just assume it's not, and don't even try. Don't believe me? Ask a *nix guy "How do you secure a Windows box?" They'll always give you an answer similar to "Unplug it from the power outlet" or "Throw it over a cliff". When you press them for a real answer, they'll always say it's not possible. Press them further with "Can you do ANYTHING to secure the box at all?" and they'll usually tell you no. Oddly enough, they DO know how to secure a Windows box, they just don't know the exact procedures. Securing any system includes some basics that any competent admin should know. Security "Best Practices". Some of the basics...
Rule #1: Don't run services you don't need. Every extra service you have installed on a box above and beyond what's necessary for that box to perform its function is a point of failure. Turn 'em off.
Rule #2: Don't use known default configurations. By default, IIS is in C:\Inetpub, Apache in /var/www. Move them.
Rule #3: Secure the filesystems. Don't allow a service to write to your hard drive, unless it absolutely has to.
Rule #4: Use non-privileged accounts for services. On my box, Apache runs as the user apache, and it has write access to one folder on the entire hard drive, a folder required for one of the PHP scripts used. Unfortunately, this isn't as easy on IIS as it is on Apache, but if it's the only practice you miss, it's not as bad as it could be.
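Rules #3 and #4 can be checked together mechanically. The following is an added example, not code from the original post: it walks a web root and lists everything a given service account could write to according to the Unix mode bits, skipping the one allowlisted folder. The function names, the constructed sample tree and the stand-in uid are assumptions made for illustration, and ACLs are not considered.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """True if the Unix mode bits in st let (uid, gids) write. ACLs and root are ignored."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_writable(root, uid, gids, allowed=()):
    """List paths under root the service account can write to, minus the allowlist."""
    allowed = {os.path.realpath(p) for p in allowed}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.realpath(dirpath) in allowed:
            dirnames[:] = []  # the sanctioned writable folder: do not descend
            continue
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in candidates:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and writable_by(st, uid, gids):
                findings.append(path)
    return sorted(findings)

def demo():
    """Constructed web root: one sanctioned upload folder plus two stray writable paths."""
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "site")
        os.makedirs(root)
        os.chmod(root, 0o755)
        for name, mode in (("uploads", 0o777), ("cache", 0o777), ("static", 0o755)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        page = os.path.join(root, "static", "index.html")
        open(page, "w").close()
        os.chmod(page, 0o666)
        service_uid = os.getuid() + 1  # stand-in for the service account, not the owner
        found = audit_writable(root, service_uid, set(),
                               allowed=[os.path.join(root, "uploads")])
        return [os.path.relpath(p, root) for p in found]

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the service account's uid and group ids (for example from `pwd.getpwnam`) and the actual web root instead of the constructed tree.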
I've paraphrased these for the non-technical, and this sure isn't all of them, but they're the most essential, so we'll start with them. We'll use CodeRed as an example (forgetting for the moment that CodeRed also affected some Unix machines as well...) CodeRed was a worm that utilized an exploit in the Internet Printing Protocol in IIS. There isn't anyone who uses IPP, but it's installed by default in IIS. A bad thing right? Nope, let's look at how a machine could get infected with CodeRed...
First, you have to leave the IPP installed. Didn't we just talk about running services you don't need? If you have IPP installed, you're breaking the first cardinal rule of security! No one uses it, so why do you have it? The obvious retort is always, "Well, they don't make it easy to know what's necessary and what's not!" Who's they? Microsoft? Isn't it your job to know, regardless of availability of information? Yeah, I thought it was.
Next, when CodeRed infects a machine, it stores itself in the Scripts virtual directory on an IIS machine. Um, Scripts? You mean that well-known virtual directory that's installed by default and no one uses? Why was it there in the first place? Doesn't that violate Rule #2? Tsk, tsk!
Oh, wait! "It stores itself in the"? So, you mean your webserver got hit with an exploit, and it wrote an infected file to the filesystem? If we followed Rule #3, this wouldn't have happened, would it? It's a worm, not a hacker. It knows to try a couple of default things, and then just fails if they don't exist.
And, with rules 1-3 in place, rule #4 isn't an issue...
Whose fault is it if you got infected now? A little more humble, aren't we, loyal penguinhead? You violated three of the top four security practices, and it's someone else's fault that you got infected. I know, Microsoft should secure these things out of the box. After all, Apache does, right? But, why? At the end of the day, it's not Microsoft that is setting up these services, it's me. I'm the only one who knows what things I'm going to need, and how I'm going to use the software. That means it's up to ME as administrator to make sure the machine is secure, and no one else.
Anyone who tells you differently is bullshitting you to get you to believe it's not their fault.
Does MS have an alternative to Apache?
i.e. just a web server? or is IIS another example of MS foisting a seriously bloated app on us in the name of marketing and profit?
Actually, interestingly enough, IIS 6.0 could be considered just a webserver. It can now be installed without ASP support. Older versions of IIS could also be installed as just a webserver. I think v4 & 5 is when they became "inseparable".
However, that being said, so what? You make it sound like they're making products that no one wants. I know, I know, the only reason people use MS products is because they're a monopoly and no one has a choice.
Guess what? We do, and always did. I choose their products because they work, they work well, they work together and so on. So you couldn't get IIS prior to v6 without extra capabilities. You could turn off what you didn't need, but little isn't needed.
Great, Apache just serves static pages. Whooptie freakin' do! Nice way for them to catch up to 1996!