MIDRANGE dot COM Mailing List Archive




RE: Gartner Group: DO NOT USE IIS!




Dave,

When you said "box got infected" I assume you mean that you had your web
pages modified and your c: drive opened as a share. To do that the worm has
to _run_ on the web server. The web server exploit allows the worm to run on
the server and thus deliver its payload. If the method of infection was via
a network share all the worm could have done from a remote machine was
change the .exe files in the share to include the worm. Until you ran those
.exes from the server it couldn't do more damage to that server.

Now, if the \WINNT drive was shared and your user had modify rights to that
drive then they could have infected .exes that windows runs all the time
(explorer.exe, rundll32.exe, etc.) and you would have been infected that
way, but general users shouldn't have change rights to system level stuff.

If all that happened was infection of the .exe files on the server then I'd
point out that that infection could have occurred on any file server that
allowed the user to modify .exe (linux via samba, AS/400 via IFS, Novell,
...)

-Walden
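Walden's point above is that a worm reaching a server through a writable share can only overwrite executables there; it does nothing further until one of those files is run on the server. The detective control that follows from that is an integrity baseline of the executables on the share, checked before they are trusted. The script below is an added example and is not code from the thread or from any of the posters: it assumes the share is reachable as a local directory path, stores the baseline as a JSON file (name chosen here), uses an assumed list of executable suffixes, and builds its sample share from constructed files in a temporary directory.

```python
"""Flag executables on a file share that were added or changed since a
stored SHA-256 baseline (added example, not from the mailing-list thread).

Assumptions: the share is mounted as a local directory, the baseline lives
in a JSON file, and EXEC_SUFFIXES lists the file types worth tracking.
"""
import hashlib
import json
import os
import tempfile

# Assumed set of executable suffixes to track on the share.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com")


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_executables(root):
    """Map each executable's path (relative to root, '/'-separated) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = sha256_file(full)
    return digests


def compare_baselines(baseline, current):
    """Return the executables that appeared, vanished, or changed contents."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(digests, path):
    with open(path, "w") as f:
        json.dump(digests, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed share: record a baseline, then simulate a client with write
    access overwriting one .exe and dropping another, and report the diff."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "apps"))
        with open(os.path.join(share, "apps", "tool.exe"), "wb") as f:
            f.write(b"MZ original program bytes")          # constructed sample
        with open(os.path.join(share, "readme.txt"), "w") as f:
            f.write("not an executable, ignored by the scan")
        baseline_path = os.path.join(share, "baseline.json")  # assumed name
        save_baseline(hash_executables(share), baseline_path)

        # The scenario from the thread: files on the share are modified from
        # a client; nothing has executed on the server yet.
        with open(os.path.join(share, "apps", "tool.exe"), "ab") as f:
            f.write(b" + appended bytes")
        with open(os.path.join(share, "apps", "new.exe"), "wb") as f:
            f.write(b"MZ dropped file")

        return compare_baselines(load_baseline(baseline_path),
                                 hash_executables(share))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real share by replacing the temporary directory with the mounted path and keeping the baseline file somewhere the share's users cannot write; a baseline that sits on the same writable share can be rewritten along with the executables it is meant to protect. The preventive control Walden describes, not granting general users change rights on executables or system directories, still comes first; this check only tells you when that control has failed.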

-----Original Message-----
From: Prowak, Dave [mailto:DProwak@ci.syracuse.ny.us]
Sent: Friday, September 28, 2001 7:51 AM
To: midrange-l@midrange.com
Subject: RE: Gartner Group: DO NOT USE IIS!


>2) Your server ALREADY had an open share that the infected user was
>authorized to write to and you (manually or by a service) ran an executable
>on that server. (also bad)
That's where our vulnerability was.  It was spread to a server
via a share.  I'm not sure what you mean by:
"and you (manually or by a service) ran an executable on that server. "
Could you explain?  I believe that the virus spread via the shares, without
any executable running on the server.

In my reply I was pointing out that many servers with all security patches and
hotfixes were infected, as this virus was unique in its multiple attack mode.
Many Win 2000 boxes with all updates/patches were infected at companies near
& far.


-----Original Message-----
From: Walden H. Leverich [mailto:WaldenL@TechSoftInc.com]
Sent: Thursday, September 27, 2001 5:24 PM
To: 'midrange-l@midrange.com'
Subject: RE: Gartner Group: DO NOT USE IIS!


Dave,

Then you have a problem. If you installed on 8/17 and that box got infected
then there are two other possibilities:

1) You opened an e-mail on your server (bad)
2) Your server ALREADY had an open share that the infected user was
authorized to write to and you (manually or by a service) ran an executable
on that server. (also bad)

-Walden

-----Original Message-----
From: Prowak, Dave [mailto:DProwak@ci.syracuse.ny.us]
Sent: Thursday, September 27, 2001 10:24 AM
To: midrange-l@midrange.com
Subject: RE: Gartner Group: DO NOT USE IIS!


Walden,

>2) The MS01-044 fix was a rollup of previously available fixes. Also, had
>you configured IIS as a secure web server per MS's instructions that have
>been available since W2K came out over 18 months ago you would have been
>immune to both attacks. Even if you didn't config as secure had you
>installed the rollup you'd have been safe. Aug 15th was plenty of time to
>install before the attack.

Sorry, but that's not true.  I had installed MS01-044 on 8/17, 2 days after
its release.
That same box got infected, not from the internet, but from a client on our
internal network.

Nimda was unique in that it could infect machines via 3 different avenues.
Email, shared folders and web server vulnerabilities.  MS01-044 only
addressed web server vulnerabilities.

Dave


-----Original Message-----
From: Walden H. Leverich [mailto:WaldenL@TechSoftInc.com]
Sent: Thursday, September 27, 2001 10:07 AM
To: 'midrange-l@midrange.com'
Subject: RE: Gartner Group: DO NOT USE IIS!


1) Gartner's article specifically says, in the opening paragraph no less,
"on virtually every PC and server running IE, IIS Web servers or the Outlook
Express e-mail client." I don't know what actually goes into Gartner's TCO
numbers but given that statement I'd have to think this was in there.

2) The MS01-044 fix was a rollup of previously available fixes. Also, had
you configured IIS as a secure web server per MS's instructions that have
been available since W2K came out over 18 months ago you would have been
immune to both attacks. Even if you didn't config as secure had you
installed the rollup you'd have been safe. Aug 15th was plenty of time to
install before the attack.

Granted, by default IIS is not all that secure. But you shouldn't be putting
web servers into production using the default config. After all IIRC the
AS/400, until recently, shipped with level 10 as the default security level.
You're not going to tell me that you ever put an AS/400 into production at
level 10, are you?

-Walden

-----Original Message-----
From: Jim Franz [mailto:franz400@triad.rr.com]
Sent: Wednesday, September 26, 2001 8:45 PM
To: midrange-l@midrange.com
Subject: Re: Gartner Group: DO NOT USE IIS!


(my comment relates not just to Walden's post but the whole day's posting)
Gartner's recommend had only to do with web servers, nothing to do with
desktops, and was all about TCO (total cost ownership), nothing to do about
standards or features.
<quote>
In the report, analyst John Pescatore says the numerous patches and fixes
that must be installed to address vulnerabilities on IIS means "using
internet-exposed IIS web servers securely has a high cost of ownership".
Gartner recommends that enterprises hit by both Code Red and Nimda
immediately investigate alternatives to IIS, including moving web
applications to Web server software from other vendors, such as iPlanet and
Apache," the report says.
Although these web servers have required some security patches, they have
much better security records than IIS and are not under active attack by the
vast number of virus and worm writers.
<end quote>
The last sentence above says it all: "other servers have better security
records and are not under active attack by the vast number of virus & worm
writers".
btw-under XP it uses the same IIS server.
also btw-MS aug 15 Security Bulletin MS01-044 is what was required
(according to incidents.org)
the desktop payload in nimda is just another exploit in a long list of
holes (features) in Internet Exploder and Outlook.
jim franz

----- Original Message -----
From: "Walden H. Leverich" <WaldenL@TechSoftInc.com>
To: <midrange-l@midrange.com>
Sent: Wednesday, September 26, 2001 11:22 AM
Subject: RE: Gartner Group: DO NOT USE IIS!


> Every time I read this quote I cringe. Let's consider, if I was running say
> Apache, or the native AS/400 HTTP server I would STILL have to patch all my
> PCs running IE (clients) and Outlook Express (again clients). So the cost to
> patch these pcs should not be included in the TCO of IIS since the cost is
> there regardless of the server used.
>
> Additionally, an IIS server that was only moderately current on patches was
> IMMUNE to Nimda _and_ CodeRed. The real pain of these two viruses was the
> bandwidth they used attempting to hack my server. That bandwidth would be
> used up regardless of the web server I had.
>
> Finally, the number of OTHER people running an unpatched server is not
> affected by my use of any server. Whether I use IIS, Apache, Domino or HTTP
> native the same number of OTHER people will be using IIS and PWS, so how
> does my changing server help? Abandoning IIS for another server because
> there are so many ill-managed, unpatched servers in the world is roughly the
> same as saying "I'm afraid of getting hit by a drunk driver so I won't
> drink."
>
> -Walden
>
> -----Original Message-----
> From: Dennis Lovelady [mailto:dlovelady@dtcc.com]
> Sent: Wednesday, September 26, 2001 9:40 AM
> To: midrange-l@midrange.com
> Subject: Re: Gartner Group: DO NOT USE IIS!
>
>
>
> Hi, all:
>
> Quoting Gartner
>      To protect against Nimda, Microsoft recommends
>      installing numerous patches and service packs on
>      virtually every PC and server running IE, IIS Web
>      servers or the Outlook Express e-mail client. As
>      the earlier Code Red worm showed, many servers and
>      PCs running IIS Web server processes may not be obvious
>      since they may be run as personal Web servers on the
>      intranet but still be exposed to the Internet.
> End quote
>
> Ummm... I have a slightly different suggestion.  For those applications
> where AS/400 may not be a good fit, or may just be too expensive to
> implement there....
>
> Why patch MS to make it kinda-sorta reliable for the next few minutes? Why
> use MS at all?  Why does our user community and those who make the
> decisions even CONSIDER putting up with the expense and problems of
> trouble-prone MS products?
>
> All of this stuff and much more is available for Linux and other flavors of
> Unix, and at prices that should scare the dickens out of Macro$loth
> (frequently $0.00; invariably less than MS).  Also, have those
> decision-making people not been watching the salary costs of MS "CEs" vs. a
> good System Administrator on ANY other platform?
>    Number of unix systems impacted by IIS threats: 0.
>    Number of unix systems impacted by the Code Red virus: 0
>
> Dennis Lovelady
> Accenture
>
>
> "Norm Dennis" <wmss@iinet.net.au>@midrange.com on 09/26/2001 09:20:16 AM
>
> Please respond to midrange-l@midrange.com
>
> Sent by:  midrange-l-admin@midrange.com
>
>
> To:   <midrange-l@midrange.com>
> cc:
> Subject:  Re: Gartner Group: DO NOT USE IIS!
>
>
> This is a link to The Australian:
>
>
> http://australianit.news.com.au/common/storyPage/0,3811,2937520%5E442,00.html
>
>
>
> ----- Original Message -----
> From: "Schenck, Don" <Don.Schenck@pfizer.com>
> Sent: Wednesday, 26 September 2001 20:56
>
>
> Anyone else see the article in which it quotes the Gartner Group as saying
> companies should abandon IIS as quickly as possible?
>
> As a Windows developer ... lemme tell ya ... truer words have never been
> spoken.
>
>
>
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> or email: MIDRANGE-L-request@midrange.com
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
