[WEB4LIB] Re: alternate site for resource page on attacks

Richard L. Goerwitz III richard at goerwitz.com
Wed Sep 19 09:10:31 EDT 2001


Raymond Wood wrote:

> > Because of the latest virus to strike us, our webserver is down as we wait
> > for an update from Norton.
> 
> I hear apache is immune ;>

With Microsoft IIS, you have a rich, complex server that hasn't
really been subjected to the kind of public code review that Apache
has.  With its closed, proprietary underpinnings and smaller market
share, there's really no way Microsoft will ever be able to compete
with Apache on the security front.  Their strategy, therefore, is
to work IIS into a proprietary infrastructure that includes things
like COM, COM+, .NET, FrontPage extensions, etc. that are difficult
to integrate with other software and operating systems.  To keep its
revenue stream up, Microsoft is also committed to never-ending
feature creep and paradigm shift, along with new licensing models
that look more like renting than owning.

It may be time for institutions who have sunk a lot of time and 
energy into Microsoft products to look at Linux (or, to some extent,
MacOS).  Linux is *almost* ready for the desktop.  It's certainly
ready for the "internet kiosk" scenario.  And at the server level
it's more reliable and cheaper than Win2k.

I hear many libraries tell me "we're stuck with Microsoft" or "our
faculty and students have to have it".  Remember that these are the
same folks who (well, in the case of faculty at least) were using
things like WordPerfect and Lotus in the 80s and early 90s.  They
aren't stupid.  They can adjust.  At the server level they don't
even see the changes, except that you need to take steps to
discourage use of FrontPage (which is really intended for use with IIS).
Introduction of limited Linux-based cluster workstations can ease
the transition.  Many people are actually excited to see something
new.  And many administrators are thrilled when a department
actually decides to stop bending over and getting, well, hurt, by
Microsoft and trying to find a way to cut their IT budget.

With regard to IIS specifically:

The typical situation in academia is that a department gets a chunk
of money as part of a grant, or as a line item in their IT budget.
They go out and buy a server and Microsoft IIS, set it up, then have
a couple of graduate students, or an overworked systems
administrator, keep half an eye on it.  The server has a direct
internet connection, with no intervening reverse proxy.  And often there's no
firewall to block scans for unneeded services that might have been
left accidentally turned on.  It's kind of like capital improvement
budgets.  Many institutions are great at building things, but lousy
at keeping them maintained and improved.  It's partly the way they
budget.  Especially when dealing with soft money, academic folks
often think in terms of one-time costs.

Best practice in the IT industry these days is to hide internal
webserver(s) behind a reverse proxy and then place the reverse proxy in
the DMZ.  The "real" server(s) are then protected by a firewall that
blocks direct outside connections.  And the real servers are
vigorously maintained with patches and software updates by someone who
monitors the security groups and CERT announcements.

Rarely done in academia, I might note.  Not done enough in industry.

Wasn't it Obvia (the remote-access vendor) who got hit badly by the
Code Red virus, months after Microsoft released updates (ones that
actually worked)?

---

Richard Goerwitz                               richard at Goerwitz.COM
tel: 401 438 8978
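Added example, not part of Richard's message or of anything else posted to the list: a small filtering reverse proxy of the kind the "best practice" paragraph above describes, written in Python. The proxy is the one host that would sit in the DMZ; the origin server is a constructed stand-in bound to loopback so that only the proxy can reach it, which is the job the firewall does in the real layout. The allowed methods, the path pattern, the ephemeral ports and the hostile request paths are all assumptions made for the demo, not anything taken from the post.

```python
# Added example (not from the post): a filtering reverse proxy in front of an internal
# web server. Only the proxy would sit in the DMZ; the origin below is a constructed
# stand-in that listens on loopback only, the role a firewall plays in production.
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ALLOWED_METHODS = {"GET", "HEAD"}
# Only plain dir/file names with an optional html/css/png extension reach the origin;
# a dot anywhere else (".." traversal, odd script extensions) is rejected at the proxy.
ALLOWED_PATH = re.compile(r"^/(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]*(?:\.(?:html|css|png))?$")
# Hop-by-hop headers are never relayed; Server and Date are re-issued by the proxy.
SKIP_IN = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
           "te", "trailers", "transfer-encoding", "upgrade"}
SKIP_OUT = SKIP_IN | {"server", "date"}
TEXT = [("Content-Type", "text/plain")]

class OriginHandler(BaseHTTPRequestHandler):
    """Stand-in internal server; records each path it is asked for."""
    seen = []

    def do_GET(self):
        OriginHandler.seen.append(self.path)
        body = b"hello from origin"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def make_proxy_handler(origin_host, origin_port):
    """Handler class that relays allowlisted requests to origin_host:origin_port."""

    class ProxyHandler(BaseHTTPRequestHandler):
        def _decide(self):
            # Policy is enforced here, before anything reaches the internal server.
            if self.command not in ALLOWED_METHODS:
                return 405, TEXT, b"method not allowed"
            if not ALLOWED_PATH.match(self.path):
                return 403, TEXT, b"forbidden"
            headers = {k: v for k, v in self.headers.items() if k.lower() not in SKIP_IN}
            headers["Host"] = f"{origin_host}:{origin_port}"
            headers["X-Forwarded-For"] = self.client_address[0]
            try:
                conn = http.client.HTTPConnection(origin_host, origin_port, timeout=5)
                conn.request(self.command, self.path, headers=headers)
                resp = conn.getresponse()
                body = resp.read()
                conn.close()
            except OSError:
                return 502, TEXT, b"bad gateway"
            out = [(k, v) for k, v in resp.getheaders() if k.lower() not in SKIP_OUT]
            return resp.status, out, body

        def _forward(self):
            status, headers, body = self._decide()
            self.send_response(status)
            for name, value in headers:
                self.send_header(name, value)
            self.end_headers()
            if self.command != "HEAD":
                self.wfile.write(body)

        # Every method lands in _forward, so unlisted ones get a 405 rather than a 501.
        do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_OPTIONS = do_TRACE = _forward

    return ProxyHandler

def serve(handler):
    """Bind on an ephemeral loopback port and serve on a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(port, method, path):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path)
    resp = conn.getresponse()
    result = (resp.status, resp.read())
    conn.close()
    return result

def run_demo():
    """Start origin and proxy, send one clean and two hostile (constructed) requests
    through the proxy, and report what the origin actually received."""
    OriginHandler.seen.clear()
    origin = serve(OriginHandler)
    proxy = serve(make_proxy_handler("127.0.0.1", origin.server_address[1]))
    port = proxy.server_address[1]
    try:
        return {"clean": fetch(port, "GET", "/index.html"),
                "traversal": fetch(port, "GET", "/scripts/../../cmd.exe"),
                "method": fetch(port, "POST", "/index.html"),
                "origin_saw": list(OriginHandler.seen)}
    finally:
        for srv in (proxy, origin):
            srv.shutdown()
            srv.server_close()
```

Running run_demo() shows the clean request answered by the origin while the traversal-shaped path and the unlisted method are refused by the proxy, and the origin's log of what it received contains only the clean path. The proxy only filters what it can see, so it does not replace the other half of the practice described above: the real servers still need someone applying patches and watching the security announcements.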

