|
1) Gartner's article specifically says, in the opening paragraph no less, "on virtually every PC and server running IE, IIS Web servers or the Outlook Express e-mail client." I don't know what actually goes into Garner's TCO numbers but given that statement I'd have to think this was in there. 2) The MS01-044 fix was a rollup of previously available fixes. Also, had you configured IIS as a secure web server per MS's instructions that have been available since W2K came out over 18 months ago you would have been immune to both attacks. Even if you didn't config as secure had you installed the rollup you'd have been safe. Aug 15th was plenty of time to install before the attack. Granted, by default IIS is not all that secure. But you shouldn't be putting web servers into production using the default config. After all IIRC the AS/400, until recently, shipped with level 10 as the default security level. You're not going to tell me that you ever put an AS/400 into production at level 10, are you? -Walden -----Original Message----- From: Jim Franz [mailto:franz400@triad.rr.com] Sent: Wednesday, September 26, 2001 8:45 PM To: midrange-l@midrange.com Subject: Re: Gartner Group: DO NOT USE IIS! (my comment relates not just to Walden's post but the whole day's posting) Gartner's recommend had only to do with web servers, nothing to do with desktops, and was all about TCO (total cost ownership), nothing to do about standards or features. <quote> In the report, analyst John Pescatore says the numerous patches and fixes that must be installed to address vulnerabilities on IIS means "using internet-exposed IIS web servers securely has a high cost of ownership". Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving web applications to Web server software from other vendors, such as iPlanet and Apache," the report says. Although these web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers. <end quote> The last sentence above says it all-"other servers have better security records and are not under active attack by the vast number of virus & worm writers". btw-under XP it uses the same IIS server. also btw-MS aug 15 Security Bulletin MS01-044 is what was required (according to incidents.org) the desktop payload in nimda is just another exploit in a long list of holes (features) in Internet Exploder and Outlook. jim franz ----- Original Message ----- From: "Walden H. Leverich" <WaldenL@TechSoftInc.com> To: <midrange-l@midrange.com> Sent: Wednesday, September 26, 2001 11:22 AM Subject: RE: Gartner Group: DO NOT USE IIS! > Every time I read this quote I cringe. Let's consider, if I was running say > Apache, or the native AS/400 HTTP server I would STILL have to patch all my > PCs running IE (clients) and Outlook Express (again clients). So the cost to > patch these pcs should not be included in the TCO of IIS since the cost is > there regardless of the server used. > > Additionally, an IIS server that was only moderately current on patches was > IMMUNE to Nimda _and_ CodeRed. The real pain of these two viruses was the > bandwidth they used attempting to hack my server. That bandwidth would be > used up regardless of the web server I had. > > Finally, the number of OTHER people running an unpatched server is not > effected by my use of any server. Whether I use IIS, Apache, Domino or HTTP > native the same number of OTHER people will be using IIS and PWS, so how > does my changing server help? Abandoning IIS for another server because > there are so many ill-managed, unpatched servers in the world is roughly the > same as saying "I'm afraid of getting hit by a drunk driver so I won't > drink." > > -Walden > > -----Original Message----- > From: Dennis Lovelady [mailto:dlovelady@dtcc.com] > Sent: Wednesday, September 26, 2001 9:40 AM > To: midrange-l@midrange.com > Subject: Re: Gartner Group: DO NOT USE IIS! > > > > Hi, all: > > Quoting Gartner > To protect against Nimda, Microsoft recommends > installing numerous patches and service packs on > virtually every PC and server running IE, IIS Web > servers or the Outlook Express e-mail client. As > the earlier Code Red worm showed, many servers and > PCs running IIS Web server processes may not be obvious > since they may be run as personal Web servers on the > intranet but still be exposed to the Internet. > End quote > > Ummm... I have a slightly different suggestion. For those applications > where AS/400 may not be a good fit, or may just be too expensive to > implement there.... > > Why patch MS to make it kinda-sorta reliable for the next few minutes? Why > use MS at all? Why does our user community and those who make the > decisions even CONSIDER putting up with the expense and problems of > trouble-prone MS products? > > All of this stuff and much more is available for Linux and other flavors of > Unix, and at prices that should scare the dickens out of Macro$loth > (frequently $0.00; invariably less than MS). Also, have those > decision-making people not been watching the salary costs of MS "CEs" vs. a > good System Administrator on ANY other platform? > Number of unix systems impacted by IIS threats: 0. > Number of unix systems impacted by the Code Red virus: 0 > > Dennis Lovelady > Accenture > > > > > > > > > "Norm Dennis" <wmss@iinet.net.au>@midrange.com on 09/26/2001 09:20:16 AM > > Please respond to midrange-l@midrange.com > > Sent by: midrange-l-admin@midrange.com > > > To: <midrange-l@midrange.com> > cc: > Subject: Re: Gartner Group: DO NOT USE IIS! > > > This is a link to The Australian: > > http://australianit.news.com.au/common/storyPage/0,3811,2937520%5E442,00.htm > l > > > > ----- Original Message ----- > From: "Schenck, Don" <Don.Schenck@pfizer.com> > Sent: Wednesday, 26 September 2001 20:56 > > > Anyone else see the article in which it quotes the Gartner Group as saying > companies should abandon IIS as quickly as possible? > > As a Windows developer ... lemme tell ya ... truer words have never been > spoken. > > > > _______________________________________________ > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list > To post a message email: MIDRANGE-L@midrange.com > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l > or email: MIDRANGE-L-request@midrange.com > Before posting, please take a moment to review the archives > at http://archive.midrange.com/midrange-l. > _______________________________________________ > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list > To post a message email: MIDRANGE-L@midrange.com > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l > or email: MIDRANGE-L-request@midrange.com > Before posting, please take a moment to review the archives > at http://archive.midrange.com/midrange-l. > _______________________________________________ This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@midrange.com To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l or email: MIDRANGE-L-request@midrange.com Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.