vern said:
Hopefully all the mofos who have been bashing IIS all over the internet will come and show up and prove their rhetoric without due credence. I also hope that the people who are setting this up are genuinely curious and doing this objectively (hardening the box with reasonable security measures), instead of just conceding IIS is not secure.
I am waiting for MS to roll out their next security patches for Windows 2003 server to patch the server at school. So far it is fairly secure, but you never know with the new exploits coming out daily. I personally trust Apache on FreeBSD/OpenBSD more than IIS on Windows, but that is just me.
j79zlr said:
Interesting, the site was running Win2k and IIS 5.0 until a couple days ago, and now on 2k3 and IIS 6.0. Maybe they are afraid that IIS 5 and Win2k are insecure? BTW, this is run by Microsoft, do you really think they are going to admit it when their server gets compromised? I'll throw a Code Red/Nimda at it.
I portscanned the server, they only have port 80 open. Now if they were running the remote web administration I think I'd at least try it, since there are some XSS vulnerabilities in IIS 6.0 that have gone unpatched for almost two years.
Well, if they have everything closed but port 80, then it is a fair contest to see how bad IIS really is. I will be waiting for the results. IIS 6 is supposed to be quite a bit better security-wise than the older versions, plus it does not run as SYSTEM anymore, well, except a few modules that get loaded into the kernel for faster TCP/IP handshaking with Windows/IE. Interesting note about this later.
perris said:
I love the idea, but win an Xbox?
They are going to get millions of dollars worth of R&D... anyone that will be able to crack this site I don't think wants an Xbox... though they'll do it for the fame.
I doubt they want fame because of this; after you hack the server people will be wary about hiring you. The only people that can do this without repercussions in the form of not getting a job the next time they need one are the security companies. And $150 is just not worth "giving" out a new exploit for script kiddies; they want to do more damage than get a shiny new Xbox. As to them it is not about the money, but rather the amount of damage they can do.
perris said:
would this be true for any operating system?
Yes, if it is reasonably badly programmed. cPanel, Plesk, Ensim all have major problems in their administration; the only thing that helps them out of the fire is the fact that they have pretty good security in the frontend, so getting in is more of a problem than once you are in. That is not to say that if you run a server with cPanel, Plesk or Ensim that you are automatically insecure.
Webmin has a pretty good security track record, as does DirectAdmin, but I would still not use them for my day to day tasks, and would keep even them limited to a small set of IPs that are allowed to connect to the port.
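A concrete version of that IP restriction, as an added example that is not from this thread or from any of the panels named above: a gate in front of an admin interface that only answers to a short allowlist of networks, decided on the TCP peer address rather than on a client-supplied header. The addresses are documentation ranges chosen here for illustration.

```python
import ipaddress

# Constructed allowlist for this example: one host plus a small /29 block.
# In practice this is the handful of admin workstations or a VPN egress.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("192.0.2.10/32"),
    ipaddress.ip_network("198.51.100.0/29"),
]


def client_allowed(remote_addr, allowlist=ADMIN_ALLOWLIST):
    """True only if remote_addr parses as an IP and sits inside an allowed network.

    Anything that does not parse (empty string, hostname, garbage) is rejected;
    an allowlist must fail closed.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def admin_gate(environ, allowlist=ADMIN_ALLOWLIST):
    """Minimal WSGI-style gate returning (status, body).

    The decision uses REMOTE_ADDR, which the web server fills from the socket
    peer. HTTP_X_FORWARDED_FOR is deliberately ignored: any client can send that
    header, so consulting it would let an outsider spoof an allowed address.
    """
    peer = environ.get("REMOTE_ADDR", "")
    if not client_allowed(peer, allowlist):
        return 403, "Forbidden: admin interface is not reachable from %s" % (peer or "<none>")
    return 200, "admin panel"


if __name__ == "__main__":
    # Constructed requests: an allowed peer, and an outsider trying to spoof
    # an allowed address through X-Forwarded-For.
    print(admin_gate({"REMOTE_ADDR": "192.0.2.10"}))
    print(admin_gate({"REMOTE_ADDR": "203.0.113.5",
                      "HTTP_X_FORWARDED_FOR": "192.0.2.10"}))
```

If the panel sits behind a reverse proxy the peer address is the proxy's, and the allowlist check then has to move to the proxy (or only trust a forwarded header that the proxy itself overwrites); the point stands either way that the address used for the decision must come from something the client cannot write.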
perris said:
I'm thinking the server would get hacked even if it has greater security than other OSes... everything is relative to the effort invested.
The real test is to put all OSes up to the same competition, and then the OS to get hacked with the fewest resources, and fewest hours invested in the effort, is the loser.
Even that wouldn't be fair because more people would have already invested more time hacking Microsoft products and MS would start any competition like that a leg down.
Still, this would be accurate, since practically it would still be less secure regardless of the reason that might be so.
As a server? Running what software?
j79zlr said:
There is Webmin for *nix servers, which is relatively secure, as in you can't really have a server be remotely administered without any vulnerabilities. The problem with the remote web administration for IIS is that you can use session spoofing to gain administrative rights because of an exploit left in by Microsoft on purpose, in order to allow an administrator to reboot the machine remotely but still continue the remote administrative session without logging back in. It should also be noted that this server is not running anything, just IIS, not ASP, no database, email, FTP or anything, just IIS; also it is running behind a pretty powerful UNIX firewall, ironically enough, as pointed out on /.
As noted in many other discussions on this, the prize of an Xbox is basically nil, considering a true exploit found in a "secured" IIS server would be worth a hell of a lot more than a $150 Xbox.
That is a problem with most software, j79zlr; recently cPanel closed a hole that had the same problem when restarting WHM itself, not the whole server.
DwarfData said:
From May 16th, the server will be hosting an ASP.Net website with a back end SQL Server.
Back end SQL Server, so that will probably mean it is not open to attack from the internet, which is a good thing, as we are testing IIS 6 here, not the SQL Server.
NetRyder said:
Well, you don't have to give them your personal details. In that case, they probably won't be able to send you the Xbox either (although the recognition is a bigger incentive to most people, as discussed earlier).
But if someone wants to prove that IIS6 can be compromised, he can remain anonymous and still achieve his goal. If the server is compromised, I'm sure the results will be announced, regardless of whether the hacker chooses to reveal his personal details or not.
I doubt anyone on this forum (especially the IIS bad-mouthers) can do it. Prove me wrong.
I doubt it as well. I am not sure if IIS 6 has new exploits or not; MS is coming out with another patch set in June I believe, and that is when we get it at school, and will see what is going on. I do not know of any exploits that are currently available that work against a standard IIS 6 install, which is reasonably locked down.
FishBoy said:
Damn, no DoS allowed, since it's the easiest way to get into anything.
No, DDoS is a distributed denial of service, not the easiest way to get into anything. All it does is make the server go down for extended periods of time because it is overwhelmed with illegitimate traffic, which does nothing but congest pipes on the internet with gigabytes of traffic per second. All it could find is that the Windows TCP/IP stack breaks down because of the amount per second, and the server BSODs, but then nothing is accomplished. If Linux or FreeBSD or OpenBSD, or any other OS gets that much traffic thrown at it, it will mostly get bogged down so fast that no more new connections are possible, and might possibly take a service or two down. This is mostly mitigated by having a ton of servers with a huge pipe and front load balancers, which spread the traffic thinly, so that most bad traffic never gets to the server in question. Thing is, most of the time that does not help anymore, because of the sheer magnitude of incoming bandwidth that is used.