Linux Today: Linux News On Internet Time.

ZDNet: Microsoft IIS miscast as network villain

Oct 06, 2001, 16:08
(Other stories by Jack Danahy)
"In a recent report delivered by the Gartner Group, Vice President and Research Director John Pescatore advised that enterprises seek alternatives to the Microsoft IIS platform. After analyzing the recent Code Red and NIMDA attacks, Gartner believes that their clients should reconsider their investments in the Microsoft infrastructure. They are not the first to say so. While concern over these events is clearly merited, following this advice would prove extremely costly, and would do little to address the underlying problems that resulted in the spread of these attacks.

Let's take a look at an analogy for this situation. I live just outside of Boston, Mass. Each winter we have fairly significant snowfall, and each winter I invariably slip and fall on the ice. I have chosen to live here for a variety of reasons, but falling on the ground is not one of them. Based on Gartner's rationale for avoiding the Microsoft IIS platform, I think that they would recommend that I move to San Francisco, where there is little snow, instead of simply telling me to use some salt and be more careful. The problem with this advice is that I like living in Boston, I am comfortable here, and living in San Francisco has its own issues, like earthquakes. This lack of a broad perspective also describes the problem with Gartner's advice, which ignores users' comfort, familiarity and investment in the Microsoft IIS platform, and does not take into account the fact that the alternatives can prove to be just as slippery.

The recommendations indicate a limited understanding of the real reasons why so many systems have inadequate security. This issue has little to do with the Microsoft IIS server, or any platform, but is a consequence of the lack of security awareness, training, and resources in these organizations. Blaming the platform for the NIMDA and Code Red attacks is itself inaccurate. The vulnerabilities exploited by NIMDA and Code Red were addressed by patches made available by Microsoft long before the attacks. As a result, we know that the vulnerable machines were administered by people who either did not understand the risk sufficiently to apply proper urgency in updating their systems, did not have the resources to apply new server protection technologies or who assumed this risk knowingly. The vulnerability that was truly exploited in these attacks was not a Microsoft coding error, but rather a lack of understanding or implementation of strong security practices."
