[WEB4LIB] More IIS Horror Stories

Andrew Mutch amutch at waterford.lib.mi.us
Tue Oct 30 17:06:54 EST 2001
I'm not going to defend IIS's lack of security but the only thing that this
article demonstrates is poor security methods.

1) You should never attach an unsecured server of any OS to the Internet

2) You should never use an unsecured machine to download anything, even
security patches.

While a default installation of IIS is inherently insecure, I'm sure that a
default installation of many web server products under such conditions could
be equally compromised. A good network administrator will have a secure
internal network to build and patch up their servers before ever putting them
out on the Internet.  All I saw here was bad security practices in action.

Andrew Mutch
Library Systems Technician
Waterford Township Public Library
Waterford, MI

Thomas Dowling wrote:

> eWeek's current story on IIS vulnerabilities:
> <http://www.eweek.com/article/0,3658,s%253D708%2526a%253D17362,00.asp>.
>
> =========
>
> To see for ourselves how long a default installation of IIS would last in
> the wild, eWeek Labs connected a fresh install of Windows 2000 Server to
> the outside Internet. As an arbitrary deadline, we immediately started
> downloading the network install of Windows 2000 Service Pack 2 and
> disconnected from the network when it was done.
>
> The 110MB download took 25 minutes. For the first 15 minutes, we didn't
> see any HTTP traffic at all; in the last 10 minutes of the download, we
> were infected with Nimda twice, once from two different servers and several
> times by our own server reinfecting itself.
>
> =========
>
> Install the server, and get infected before you can download the patches.
> Cool.
>
> Thomas Dowling
> OhioLINK - Ohio Library and Information Network
> tdowling at ohiolink.edu
