News from PANUG - September 24, 2001
http://panug.org

IIS/FRONT PAGE-ONLY - Part 1
by Ed Sawicki

It should be clear to you by now that using Microsoft's IIS
web server is a mistake. Microsoft has had a long time to
get it right but there's no indication that they ever
will. The attacks just keep getting worse and maintenance
of IIS is an increasingly big job.

If you know all this but your management doesn't listen to
you, perhaps they'll listen to the Gartner Group who now
says:

"using...IIS Web servers securely has a high cost of
 ownership".

"Gartner recommends that enterprises...immediately
 investigate alternatives to IIS...such as iPlanet and
 Apache."

"This move should include any Microsoft .NET Web services,
 which requires the use of IIS."

Source:
http://www4.gartner.com/DisplayDocument?id=340962&acsFlg=accessBought

Note that Gartner is not only recommending that you scrap
IIS, they recommend that you also scrap plans for .NET
deployment!

This is good advice but will companies listen?

At last week's PANUG meeting, you saw that most military
and federal government agencies are now using iPlanet
(the former Netscape servers now owned by Sun) and Apache.
Many of these agencies were using IIS this time last year.
They saw the problems and converted to more secure
platforms. The BizNix web server survey shows that more
companies outside of the United States are using iPlanet
and Apache. Yet U.S. corporations are still using IIS and
suffering the consequences. What's keeping them there?

One answer lies in how web pages are built. In many
companies, the choice of a web server is determined by the
web development tools. There's an army of people using
Microsoft's Front Page. Microsoft's IIS is considered to be
the native web server for serving up Front Page content.
So, a company chooses to use IIS because they want to do
their web site development in-house with inexpensive Front
Page developers.

The good news is that you can switch to iPlanet and Apache
and still do web page development in Front Page. There are
a few hurdles but the increased security more than makes
up for it. The bad news is that even secure web servers
cannot guard against ill-written content.

Many Front Page developers I've had to deal with have
taken a Front Page course and then consider themselves
professional web page developers. Nobody's told them
that proficiency in Front Page is just the start and they
should move up to better development tools and learn some
of the underlying detail if they want to make web page
development a career. Having single-platform and
single-product skills is the kiss of death in this
industry.

Front Page-only developers need to become proficient in one
or more of the following if they want to maintain and advance
their careers:

Apache
iPlanet
Perl and its many modules
PHP
Python
Zope
Java and related subjects
SQL servers such as Oracle, Sybase, MySQL, PostgreSQL
TCP/IP/HTTP
SSL/SSH

Stay tuned for Part 2 of this article.

Got comments about this article? Send them to info@panug.org.


TRAINING

PANUG is hosting the following courses:

October 16 - DNS Boot Camp
October 17 - Mastering Firewalls

Details are on PANUG's web site - http://panug.org


FEEDBACK

Thomas Gibson points out the article called "More States Say
Windows XP Poses Antitrust Issues". You can find it at:

http://dailynews.yahoo.com/h/nm/20010921/tc/microsoft_states_dc_1.html

John Mckean writes about the recent HONEY POTS article:

Thanks for the cool information on LaBrea! I will be putting
it on my Linux server at home (DSL, so I am getting scanned)
tonight.

Christian Bayer writes about the recent FRONTPAGE LIMITATIONS
article:

I think making the statement "Good thing that Microsoft is not
running or influencing our government." is simply inaccurate
or naive. I believe this influence Microsoft has upon the
government is far reaching and deep. Otherwise, how is it that
the company has been found guilty of criminal acts but has
been exempt, so far, from any penalties? Is it reasonable to
expect that the distraction created by the tragedy in New York
from the legal battle against Microsoft will indefinitely
postpone the proceedings?

Ironically, Microsoft may receive the greatest benefit of any
entity from this loss of many.

Also, how can the media be educated to understand that the Code
Red worm or Nimda virus does not threaten "the internet" but
merely threatens the fewer than thirty percent of "web servers"
that run a Microsoft "Operating System"?

Scott Hoffman writes:

I just saw an announcement that MS is still on track to launch
Win-XP next month. You may have already seen Steve Gibson's
(of Spinrite fame) site about being knocked off the Internet by
zombied Windows-based PCs (http://grc.com/dos/grcdos.htm) and the
additional hacker tools (full raw sockets access) included with
Win-XP (http://grc.com/dos/winxp.htm).

Also in the same announcement was the imminent release of the MS
Xbox game console. Want to think about the security implications
if/when those things are hooked up to the net?!