IIS6 vs Apache2 Security Defects
A few days ago I decided to look into how IIS6 has faired security-wise since its release well over a year ago. But I didn't want to use Microsoft figures; I wanted to use other figures. This led me to Secunia.com as they have a very nice Web site tracking vulnerability counts in different products. The reason I wanted to use non-Msft figures is because I wanted to see how IIS6 faired versus Apache 2.0.
So why did I chose Secunia? Well, they don’t issue advisories, they simply reflect the vendor advisories, and in some instances “rumblings in the marketplace.” There is a downside to the site too, as some vendors don’t patch so they may look better on Secunia. However, both Microsoft and Apache have good advisory records, so the data is useful.
Why did I choose IIS6? Because IIS5 was the subject of a good deal of criticism:
Sep 25, 2001. “Gartner Recommends Against Microsoft IIS[5]” https://www.eweek.com/article2/0%2C1759%2C1240915%2C00.asp
The figures are interesting to say the least.
By the way, I looked into the two bugs, the one in 2004 is the subject of a KB article, https://support.microsoft.com/?id=834452, and the one in 2003 is very low priv, as it's admin acces only, requires SSL, and is not installed by default.
Comments
- Anonymous
October 15, 2004
Speaking of SSL, MS04-011 contained issues that impact an SSL web server. The Apache statistics you've quoted do include mod_ssl vulnerabilities, so you should really include MS04-011 in your IIS 6.0 statistics if you're going to compare like with like. Similarly, you just released MS04-030 which affects WebDAV.
In fact, you probably ought to be comparing against Apache 1.3.x, not 2.0.x. It seems that a large number of sites are still using 1.3.x versions rather than 2.0.x. Netcraft's surveys don't break out 2.x versus 1.x - Port80Software's last survey, of Fortune 1000 companies in June 2004, showed about a 6:1 ratio of 1.3.x to 2.0.x for the versions shown (http://www.port80software.com/surveys/top1000webservers/)
An administrator still has to consider which services he/she has installed and enabled on a given server. But I will agree that IIS 6.0 is a big improvement on IIS 5.x; Apache 2.0.x seems to have gone in the wrong direction. - Anonymous
October 16, 2004
Actually, the stats don't include mod_ssl, nor OpenSSL - this week I'll add those stats too.
Also, I wanted to look at IIS6 and Apache2 because they are the latest, and should reflect the state of the art. Also, it's the default install in many Linux dists. - Anonymous
October 16, 2004
What about compared to apache 1.3.* which is the version most websites use. - Anonymous
October 17, 2004
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/03/30/10388.aspx
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/10/05/27720.aspx - Anonymous
October 18, 2004
Some of the bugs that affect Apache are platform specific (I remember seeing advisories that mentioned linux, but not the Win32 version); comparing to IIS should probably be done only using the win32 Apache version.
And it could also be a matter of "too little, too late" for Microsoft. Having been burned (badly) by IIS4 and 5; many sites have migrated to Apache/PHP and probably won't migrate back to IIS/ASP.
I haven't tried IIS6 (and have no plan to do so either), but another advantage that became clear with Apache is the ease of administering a server farm of Apache server. Since the configuration files are all text, it's easy to script changes across 20 or 30 servers. With IIS, we had to go from server to server and reapply the same changes using the UI. - Anonymous
October 18, 2004
> Since the configuration files are all text, it's easy to script changes across 20 or 30 servers.
In IIS6 the metabase can be edited as a text (XML) file.
> With IIS, we had to go from server to server and reapply the same changes using the UI.
Ever heard of ADSI?
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/using_adsi_to_configure_iis.asp - Anonymous
October 18, 2004
Guy, I had a look at all the security bugs in Apache 2.0.x (http://www.apacheweek.com/features/security-20) and saw a small number that were platform specific:
2.0.49 CAN-2004-0174 in AIX, Solaris, Tru64
2.0.44 CVE-2003-0016 in Windows
2.0.40 CAN-2002-0661 in Windows, OS2, Netware and Cygwin
Two of them lie within the 2003/2004 timeframe of Secunia's records, so that means IIS6 had 2 security issues, and Apache had 18. - Anonymous
October 18, 2004
I help run a web farm of 70 IIS5 + 6 servers - we script all changes to them remotely using VBScript...plus if you were in an environment with even more servers then you should look at AppCenter - it will sync the config of hundreds of servers in one fell swoop. - Anonymous
October 18, 2004
A comment on this article on Michael Howard's web log, IIS6 vs Apache2 Security Defects, got me thinking a bit about the differences between the windows way and the "unix way" (for lack of better terms). I'm only sort of... - Anonymous
October 18, 2004
Why should I study how to manage a farm of IIS6?
With text-based config files I can use the tools I like: bash, perl/ruby, etc. to manage ALL SERVICES on ALL SERVERS.
Don't care if it's http, ftp or whatever, I use the same tools all the time.
And what if with IIS7 the M$ says you should do it changes? Will I have to throw away my tools?
With text-based config files the principles stay. Why changing things that work? - Anonymous
October 18, 2004
IIS 6, 3 vulnerabilities, 1 patched, 2 still open.
Apache 2, 22 vulnerabilities, 21 patched, 1 still open. - Anonymous
October 18, 2004
"Why should I study how to manage a farm of IIS6?"
At some point you had to learn how to manage an Apache server. That is, if you truly know how.
Of course, the level of "study" required will very from person to person.
But as was said above, you can configure the IIS metabase as text as well.
If text-based and CLI is really important to you, I suggest you check out channel 9's recent video about Monad - Microsoft's next-gen command shell (msh). I've always liked bash/tcsh, but msh is way beyond those. - Anonymous
October 19, 2004
<i> I've always liked bash/tcsh, but msh is way beyond those. </i>
Now, CLI killer is really fun. Shell is powerfull when you have zillions of little cli applications that can work togather. This is case in Linux but not in Win. Shell alone is of no use no metter how "smart" it is. Anyway, I just don't get it what can be so much improved in shell? - Anonymous
October 19, 2004
Pavel / Brandon:
XML for IIS6 is nice, but it still isn't as simple as a good old text file.
The point, and I think that's the same one Martin was making is that with text files, you can use simple, well-know tools (grep, sed, awk, perl... whatever) to process the config files. You still have to learn the syntax of the file itself, but you can administer any service using the same techniques and tools.
While checking out ADSI, I saw that there are 4 different methods that allow you to administer IIS (and I'm not sure what tools work with what version). Will those tools also work with SQL server? With ISA server? Exchange? Third-party vendors...?
The point, again, is to keep it simple. It's enough to learn the syntax of the file to configurer the server without having to learn yet another technology-du-jour to configure it.
Back on topic: If Microsoft is finally "getting" security and putting it first before bells, whistles, doodads and eye-candy; well I, for one am very happy.
You still have work to do to make us forget this: http://radsoft.net/resources/rants/20011102,00.html - Anonymous
October 19, 2004
>>You still have work to do to make us forget this: http://radsoft.net/resources/rants/20011102,00.html
How about this? http://rhn.redhat.com/errata/rhel3as-errata-security.html or this http://docs.info.apple.com/article.html?artnum=61798?
:) - Anonymous
October 19, 2004
Or this http://www.mozilla.org/projects/security/known-vulnerabilities.html - Anonymous
October 19, 2004
or these just for comparisons sake
SQL Server vs MySQL http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/10/11/28280.aspx
ASP.NET vs PHP http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/03/31/10465.aspx - Anonymous
October 19, 2004
As long as software is written by organisms that are fallible, then that software will be fallible.
The unproven, repeatly discounted assertion that Software Not By Microsoft is somehow "safer" or "more secure" is a matter of ego, and nothing else. - Anonymous
October 19, 2004
The comment has been removed - Anonymous
October 19, 2004
The comment has been removed - Anonymous
October 19, 2004
> XML for IIS6 is nice, but it still isn't as
> simple as a good old text file.
> The point, and I think that's the same one
> Martin was making is that with text files,
> you can use simple, well-know tools (grep,
> sed, awk, perl... whatever) to process the
> config files.
Personally, I prefer using a simple, well-known tool called "XML parser".
I suspect that 90% of the people who would ever need to programmatically configure IIS6 metabase don't even know what "awk" is. - Anonymous
October 19, 2004
http://msdn.microsoft.com/XML/BuildingXML/XMLColumns/default.aspx?pull=/library/en-us/dnexxml/html/xml10202004.asp
From that article's recommendation, I don't see the advantage of using XML for a web server's configuration...
And where's that well-known XML parser on my Windows installation? - Anonymous
October 19, 2004
The comment has been removed - Anonymous
October 19, 2004
Uma boa análise sobre as vulnerabilidades já descobertas do IIS 6.0 e do Apache 2.0, quando ambos já completaram 1 ano de vida... http://blogs.msdn.com/michael_howard/archive/2004/10/15/242966.aspx... - Anonymous
October 20, 2004
Guy: You seem to be a knowledgeable person and overall a smart guy (no pun intended), so please drop the trollish arguments.
"IIS6 might have a strong codebase, but is it still running as Localsystem?" - means you don't know what IIS 6 behaves like and you haven't bothered to check it out.
Also, the magical XML thingie is called MSXML and you can use it, for instance, in .vbs scripts (yeah, Windows can run scripts as well). Besides, for most configuration tasks, you usually have an object model to work against, and you don't have to know anything about the format, syntax or other internals of the actual configurations. - Anonymous
October 20, 2004
You're right about IIS6. I haven't tried it and have no intention to. We migrated all our web servers to Apache (both on Linux and Windows) quite a while ago and we currently see no reason to migrate back. I'm not trying to troll; the point I was trying to make is that even with few "holes", if IIS6 is still running as LocalSystem, whoever finally "exploits" it will own the machine. Apache normally runs as a very restricted user and exploiting it doesn't give you much access.
As for them XML vs. text stuff, I simply don't see any advantages to XML for configuration files. I'm sure it works fine and I'd use it if I had to but it adds a unnecessary layer of complexity for a simple task: give parameters to a service.
With Apache's httpd.conf, I can view/edit it with notepad, vi, BBedit or whatever text editor is availble on whatever platform. I can support customers from offsite simply be asking them to send me the file by email. I can check it out on any platform, using any editor I prefer; I can easily add comments to whatever change I make to it. I can leave the old configuration in comments in case I'm trying something out and want to "rollback" later.
I could probably do all that with an IIS6 XML config too (like I said, I never used IIS6 and don't think I will.) but XML parsers aren't as ubiquitous as text editor.
Basically, I don't see what's so great about XML? Maybe someone can show me the light?
And again, I'm not trying to troll. If IIS6 is now the most secure web server on the planet, I'm very happy about that and I hope the effort will propagate to the rest of MS products. - Anonymous
October 20, 2004
>>IIS6 is still running as LocalSystem
IIS6 absolutely DOES not run user requests as LocalSystem, and by default IIS5 did not either. - Anonymous
October 20, 2004
The comment has been removed - Anonymous
October 20, 2004
Inetinfo runs as SYSTEM, but it NEVER sees a users requests, it's a management console only. The process which handles user requests, w3wp.exe runs as Network Service. No user code runs in Inetinfo. - Anonymous
October 20, 2004
Thanks for the info.
Meanwhile, I also found a detailed and interesting description of IIS6 here: http://www.directionsonmicrosoft.com/sample/DOMIS/update/2002/07jul/0702riawns.htm
It does look much improved from previous versions. - Anonymous
October 20, 2004
The comment has been removed - Anonymous
October 24, 2004
I agree that Microsoft is starting to actually pay attention to security with IIS 6. However, this comparison simply isn't fair.
Apache 2 is new. It is an immature product and is less secure because of it.
Compare IIS 6:
http://secunia.com/product/1438/
With Apache 1.3:
http://secunia.com/product/72/
Much fairer comparison. IIS still wins in terms of number of advisories, but numbers like this mean very little on their own.
- The Apache foundation has an interest in making sure its customers know about a security vulnerability as soon as they know about it. Microsoft, on the other hand, has in interest in making sure that it takes as long as possible for the general public to find out about a vulnerability.
- Apache 1.3 has 91% vendor patches. This is very good, compared to 33% vendor patches for IIS.
- Apache has far more non-severe problems than IIS. Over 55% where in the "Less important" category. Compared to 67% in the moderate category for IIS.
- What's more, 100% of the IIS vulnerabilities were remote, compared to 82% for apache
- And, IIS had one unpatched vulnerability, compared to zero for apache. - Anonymous
October 24, 2004
>>Apache 2 is new. It is an immature product and is less secure because of it
Apache2 is hardly new, and that's a really bad excuse for an insecure product. IIS6 is new too, yet it's performing very well, security-wise, and has fewer defects than IIS5.
New stuff should be more secure because it's designed better, with better knowledge of threats and best practice, not get less secure. At Microsoft, we're seeing a trend of newer code having fewer security defects. So from your comment, customers should simply expect more, less secure code from open source. Wow!! - Anonymous
October 31, 2004
Microsoft gets blamed for a lot of security problems, and for the most part, they deserve it. There's no excuse for the irresponsible "on by default" policy that resulted in so many vulnerable Windows 2000 IIS installations. That's why... - Anonymous
November 04, 2004
I can't believe nobody has mentioned this yet.
GUY - an XML file is a TEXT file. you don't need a parser, you can use vi/notepad to edit it. there's nothing in there that vi won't like - in fact I use vi myself, and edit a ton of xml that way.
I'm not sure what you're developing on windows, but go take a google at some xml resources, its going to be used more and more (its the entire basis for web service for example)
If you look in httpd.config (I think the one I have is from Apache 1.3) its 1/2 xml and 1/2 plain text anyway!
-
<Directory "DRIVELETTER:/Apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
-
XML makes it insanely simple to machine parse tokens, so for option files is way easier than plain text. Below is that half attempt at xml in pure xml.
<Directory location="/Apache/cgi-bin">
</AllowOverride>
</Options>
<Order>allow,deny</Order>
<AllowFrom>all</AllowFrom>
</Directory>
Thats much easier to parse in code,and turn the options in objects or tokens.
But hey - on the bright side you've been nearly using XML and didn't even know - take the extra step and
embrace it fully!
Enjoy the light.. - Anonymous
November 05, 2004
S?kerkod.se blog » Catching up - Anonymous
August 16, 2005
A recent comment on the IE Blog made it pretty apparent that not everybody is aware... - Anonymous
March 07, 2006
Ok... I'm sure the zealots will eventually come tar and feather me and distort the conversation I started... - Anonymous
January 22, 2009
PingBack from http://www.hilpers.pl/434083-o-wyzszosci-peceta-na-makiem/8