FBI: Microsoft IIS most vulnerable

It used to be pretty tough to find out your security vulnerabilities, but that's changed. The prestigious SANS Institute in Bethesda, Maryland, working with the FBI, has developed a top 20 list of common vulnerabilities that leave Internet sites open to attacks. The list includes descriptions of the vulnerabilities, the recommended means to fix them, and descriptions of any products that managers can use to help plug the holes or check to confirm that things are fixed.

What Paller and the FBI found is that some problems are more widespread than others. "This year it's Microsoft IIS," Paller says, "because it's so widespread and so easy to break into." Adding to the problem is that so many installations aren't known to the companies that have them. Unfortunately for security managers, installations of Windows NT, Windows 2000, and Windows XP can also include a fully functional Web server that's created at the time the operating system is installed, depending on the options you select. Because the installation isn't obvious, many managers don't know it exists. But if they don't explicitly disable it, the hidden version of IIS can simply run in the background, providing a back door into the computer on which it's installed.

This is not to suggest that Microsoft operating systems are alone in vulnerability. Plenty of Unix and Linux servers also have a big back door that's frequently not locked. In this case, it's sample scripts that are intended to provide a basis for Web server managers to create their own scripts. However, these samples are never intended for use on the Internet, and as a result, have no security built in. Worse, they may be so poorly written that executing them can open vulnerabilities that the manager had thought plugged.

Fortunately, most of the major vulnerabilities can be fixed easily, and they can stay that way as long as managers keep on top of the problem. Unfortunately, that can be easier said than done, because manufacturers and operating system distributors aren't doing much to help. Paller suggests that Microsoft could have provided updates to earlier versions of Windows that would have enhanced security, but didn't. And Unix and Linux installation programs could have been changed so that they don't install sample scripts. Now, users have to know they need to fix those problems.

And that, of course, is the reason for the SANS Top 20 list of vulnerabilities. According to Paller, the list will be updated constantly, so improved methods of handling problems will be posted as soon as they are discovered. New problems will be posted when they turn up. "We had about 20 updates in the first eight days," Paller says, noting that SANS has a number of strong candidates to add.

Wayne Rash runs a product testing lab near Washington, DC. He's been involved with secure networking for 20 years and is the author of four books on networking topics.