This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://comment.silicon.com/0,39024711,11028190,00.htm


Best of Reader Comments: An all-Microsoft special
System admins of the world unite...

By editorial@silicon.com

Published: Friday 12 October 2001

In a silicon.com exclusive, a senior security chief at Microsoft has claimed that the company's much-maligned IIS web server software is not as unreliable as many claim. Instead he insisted that if system administrators took more care to update patches there would be far fewer security problems.

Click here for the whole story: http://www.silicon.com/a48169

The assertion has incensed silicon.com readers. Here's just some of the feedback we've received since we published the story.

Responsibilities
From Matt Jenkins
Surely it should be the responsibility of the application vendor to provide applications that work as they are supposed to? Microsoft's policy of making their products easy to use by the non-technically minded is all well and good, but the non-technically minded are not likely to be concerned with downloading patches and upgrading a product that was supposed to be secure in the first place.

A number of web providers run Microsoft IIS, and I know for a fact that they don't have much expertise in the field of the more technical aspects of server maintenance.

I feel that the main reason why IIS is seen as such a security nightmare is twofold:

1. The underlying operating system is inherently insecure - there should be no way that web server software would even know that the rest of the file system exists (i.e. like Unix's 'chroot()' function)

2. Apache and its brothers require considerably more knowledge about software, networks and security to be able to install and set up, and it is much more likely that the kind of people able to do this are also the kind of people that are likely to keep up-to-date with current software news.

By taking more and more control of the software out of the hands of the user and placing it in the unreliable hands of configuration 'Wizards' that try to be intelligent, Microsoft are opening the fragile world of internet service provision to less and less skilled people. And all in the name of increasing its already bloated profits.

More training required
No name supplied
Does Microsoft's comment say anything about the systems administrators who choose to use their product? Or the quality of the training they are given on approved MS courses?

It may be easy to install but perhaps it should carry a Microsoft Health warning on the packet.

I just got to....
By Andrew North
Hellen said the vulnerabilities of IIS are distorted because of a large user base, and because the easy installation option does not invoke the highest security settings available in the software.

IIS is not the most popular web server, Apache is. It does not command nearly 50 per cent of the server market. According to Netcraft, it manages a piffling 30 per cent, compared to Apache's 60 per cent.

Good Choice
From Graham Rowe
Hmmm, of all the people involved in the food chain - blame the people who are responsible for making your software run securely in the business. Smacks of shooting self in foot.

Blaming the sys admins
No name supplied
Without wishing to get into an argument of which OS is best, I can't help but think that a lot of the problems are caused by:
1. The belief that because Windows NT/2000 looks like a desktop OS, it must be easy to manage, so skill levels aren't as high as they could be (this is unrelated to the certification level, which I believe is quite high).
2. High workloads for sys admins, so many of them are in a position that they don't have the opportunity to be proactive in keeping patched (whatever the OS). In a production web server environment with availability KPIs, patching can be a major logistical challenge.

From my perspective, these are real reasons for companies to consider outsourcing web facilities, and allowing hosting companies to start getting some economies of scale in server management.

Hellen is right
From: Andrew North
And that's precisely the culture that Microsoft cashed in on - all in one - cheap and cheerful. Now MS wants to be a grown-up.

How much for a Sun or IBM server? Big difference. But that's the cost of reliability and security (with patches on a CD that are issued rather often more than once a year).

We're learning. We'll get there in the end - and pay a lot more.

Why MS is far more insecure than Apache
From Adam L. Gibson
I hate to burst his bubble, but Apache itself has not had a root compromise vulnerability in years. If someone manually installs some insecure CGI and causes Apache to get hacked, that is much different to how vulnerable IIS is with its built in vulnerable components. IIS should not install anything but static html ability by default,

That is where MS is failing...

Let us know what you think. Are system administrators failing to perform essential upgrades to web server software, or is Microsoft just offloading the blame?
