Forrester senior analyst Laura Koetzle pointed out that the IIS Web server program is turned off by default in the new version of Windows, so that machines not offering Web connections need not be secured against Web-based attacks. Read the article at eCommerceTimes.
Turning off network services by default (especially IIS) is a good idea. But if IIS is disabled, how will web services be offered to remote apps?
Web services don’t per se need to have IIS or any web server running really. It is possible with a small amount of effort and not much complexity to code a standalone webservice. I can put my hand up and say that my product line does this and it works well.
True, but that’s not a story Microsoft would want to tell. That might get the customer thinking about Apache, then Java, then Linux..
I won’t argue against the safety behind turning it off, but then, what security is there if you want web services? I’m asking, not trying to flame or say anything “suX0rz”. Are there other security features?
Supposedly Microsoft has been working on security for almost two years explicitly, so presumably there should be many decent security features. However, I simply can’t imagine a secure Microsoft product… that’s how 3rd party firewalls/virus checkers/etc became such a complex industry… Microsoft simply can’t supply decent security. Perhaps they should actively seek to buy out a decent software firewall, and a decent virus checker, then include them both in the Server OS’s AT LEAST…
Security is the main reason people DON’T choose Microsoft products, so I guess it’s a good thing… If Microsoft decided they were going to make some pigs fly, they might actually realize this, until then, start looking for Server 2003 services for such things, then get a couple of hardware firewalls, and you should be fine…
Or simply buy a cheap box, and have Linux/FreeBSD/etc set up to provide adequate security…
(I have however seen proxy/firewall services for Server 2003, I forget what it’s called though… so now all they need is a virus scanner… I still don’t think one should trust their security services though..)
“Security is the main reason people DON’T choose Microsoft products, so I guess it’s a good thing”
Well you were not very specific, I would assume you’re talking about server OS’s. I think for this security is an issue for many. I think many people in this area don’t use MS for stability reasons, though this is becoming a non-issue. An even bigger reason they don’t buy MS products for servers is because the Sun or IBM system they got didn’t come with an MS OS on it.
Now if you were talking all MS products you’re very wrong. People don’t buy MS products because they just don’t like Windows, or want a Mac and so forth. Most people don’t give a rat’s ass about security. Sure if you asked them if security is important they would say it is. But it’s not something they are thinking about when running Windows or buying a copy of Windows.
compared to Win98? very!
compared to Linux? hardly!
compared to OpenBSD? not!
You seem to have misunderstood me… I was saying that the reason companies like McAfee are so popular, is because of the sheer lack of security provided by ANY Microsoft product… I am not talking stability, I am not talking about anything but security… after all, if security was sufficient, viruses wouldn’t even be a threat… Think about it, you wouldn’t need virus scanners, and tools like nmap wouldn’t be effective at all – if only the OS was worth the money people pay. It’s simply not though. Microsoft can never justify charging so much for such a piece of shit!
I have played with Windows Server 2003, in fact I am running it right now simply because I can… It simply isn’t even as powerful as my Debian system sat across the room from me… yet there is a $1000+ difference in price… I beg someone to justify that one to me!!
And I fail to realize your point “because their Sun or IBM system they got didn’t come with a MS os on them”. To be running a server, one must assume they have some computer knowledge, thus your point is invalid. It doesn’t take a geneous to install a Microsoft product! Hell, even Mac OS X is a little more complicated than most Windows installs!
…do *not* require IIS if you use Remoting over a http or tcp channel. My app does it rather well actually
” It doesn’t take a geneous to install a Microsoft product!”
it does however take one to spell genius :o)
Linux gets better security because people are forced to learn how to install and set it up properly. Windows when set up by a good admin is fine. I used to think windows was insecure until I started reading the instructions and manuals on MS’ site, now I realise it was my lack of knowledge.
Server 2003 is not revolutionary, it just adds all the fixes to 2000 and improves the interface. They also evaluated EVERY default option and set them to sensible defaults. The product is no different.
As for the 30% speed increase, well duh! If you switch off half the OS then it will speed up :o) That’s why Linux is faster, less running.
“By all indications, Windows Server 2003 is engineered to be more secure than its predecessors”.
If someone tells me a structure (bridge, building, …) is more secure compared to another, I’ll ask which engineering firm checked that claim. When applied to Windows Server 2003, I wonder what the author means by “all indications”, since he doesn’t have access to the source code of that OS and seems to rely on first impressions of end users.
you can install Apache on it and the machine will be much more secure…
Unfortunately it’s such a new OS that it’s impossible to tell how secure it is. It will take time to see if it’s as hardened as has been claimed. I really hope that it does turn out to be a secure OS. That’s not enough though; what needs to happen is that Microsoft, IMHO of course, needs to harden their old OS’s (at least the supported ones) to make up for all the past security problems. If they did that, they would gain a lot of respect back from the industry.
Actually I know a company who have been running the RC2 of server 2003 for 6 months with no security issues, and they have many servers on the wrong side of a firewall :o)
—Web services don’t per se need to have IIS or any web server running really.
Then please tell me why it is called ‘web service’?
Any program, including yours, that handles HTTP or HTTPS requests is a web server.
—do *not* require IIS if you use Remoting over a http or tcp channel.
You just cannot understand why this kind of service chooses a WEB protocol to go through the firewall. Without this advantage, why would people not stay with J2EE or CORBA?
Maybe you can go to M$ for the CTO position—their current one is too stupid.
>Actually I know a company who have been running the RC2 of
>server 2003 for 6 months with no security issues, and they
>have many servers on the wrong side of a firewall :o)
A company that stupid, to set up beta servers for daily work,
is also the kind that gets cracked and does not even know it…Pffff
It seems these endless questions about Windows 2003 are to get the mind engaged thinking that Windows 2003 is a viable option.
Unless you want your computer spying on you, it is best to avoid Microsoft products.
The big companies and governments are moving away from Windows towards Linux so that their data does not get compromised.
Windows 2003 cannot be considered a secure OS until two things happen:
1. The source code is freely available.
2. The product can be independently built from the source code.
Windows 2003 cannot be considered a secure OS for public usage unless we add this one more thing:
Use any third-party compiler to do the source-code compiling.
Yes, that is an important point. The product must be able to be built from the source code using third-party tools, including the compiler. Preferably, the whole software source chain should be open — compiler, linker, etc.
Is the IIS installed but disabled or not installed?
My opinion: Webserver security does not depend on the server type, it depends on the security knowledge of the installer. You can fail with Apache, you can fail with IIS. Common opinions: Linux is cool, MS is evil empire => Apache is secure, IIS is insecure…
Some numbers (securityfocus.com):
Apache : 97 security holes, tomcat : 25 security holes, openssl : 10 security holes, total 132 holes.
MS win 2000 + IIS 5 : 68 + 6 = 74 holes.
Read http://www.securityfocus.com/columnists/28
– Secman
Wow, this thread is so far behind for anyone who has read even the smallest piece on the beta or release candidate versions.
Win2k3 does not install IIS in the initial setup. When you do install IIS, it will only serve static HTML until you enable other functions.
If these conditions had existed in NT4 and Win2k, the infamous worms would have had very little fertile soil from which to spread.
BTW, the number of hostnames running on IIS6 surpassed the number running on Solaris 9 in early April .. prior to the release.
http://news.netcraft.com/archives/2003/04/13/windows_server_2003_ov…
Oh, just because something is “open” doesn’t mean it’s secure. Conversely, just because something is NOT open, doesn’t mean it’s not secure. Does anyone doubt Checkpoint’s firewall product is secure? Ever seen the source code passed around?
Proper initial configuration and administration is required for any system to be secure. Sure, Linux is cool… but it’s also vulnerable until properly configured (as are FreeBSD, Solaris and a number of other OS’s). Heck, the first wide-spread worms latched on to vulnerabilities in Sendmail.
Don’t let your hatred of Microsoft blind you.
Nuzman