Will IIS ever really be secure?

A popular definition of insanity is doing the same thing over and over again expecting to get different results.
Written by Jonathan Yarden, Contributor
A popular definition of insanity is doing the same thing over and over again expecting to get different results. If you apply this logic to software development, I'm sure that a number of software products would earn a well-deserved name change. In the case of Microsoft's IIS, several humorous titles come to mind.

Levity aside, the latest IIS vulnerability is rather severe, given that IIS is the second most popular Web server platform after the open source Apache server, which just recently received it's own bug "black eye." Microsoft is calling this vulnerability a "heap overrun," which is just another term for buffer overflow. Since the term buffer overflow is now synonymous with "bug," my guess is that "heap overflow" might make some developers think that the IIS problem isn't severe. It is.

Now that the announcement has been made regarding the .HTR buffer overflow, what's next? If you're using IIS, I hope you're up to date with all of the patches, considering Nimda and Code Red infestations are still out there. If you're running IIS, you might also want to run Microsoft's ISS Lockdown Tool because it disables .HTR requests by default.

The bigger question to consider is whether this latest IIS problem is a reason to abandon IIS as a Web-hosting platform. I personally don't have a clear answer for that because a number of elements factor into this decision. It isn't simple to abandon a Web server platform, especially when a company has standardized on the Microsoft platform for Web services. Regardless of the Web server software you choose, cost is a factor. I will say that I don't recommend using IIS unless there is a specific business reason to do so. In many cases, IIS is the only platform that businesses can use to host Web-based applications. If you have to use IIS, just make sure you secure it.

Microsoft is well aware of the public sentiment regarding IIS: There are a lot of unhappy customers still reeling from Code Red and Nimda infestations. It's unknown how much of the problem was (and is still) due to improper computer systems administration. There are products that can make IIS more secure, such as eEye's SecureIIS Application Firewall product.

It's possible that many companies are unaware of Microsoft's security recommendations for IIS. Although IIS 6.0 isn't out yet, I hope that Microsoft incorporated learned lessons from the previously buggy versions of IIS.

Perhaps the saying "once bitten, twice shy" applies to IIS. With Microsoft's dominant position in the software industry, it should be able to make IIS secure. Only time will tell if this is true. I'm actually looking forward to seeing whether IIS 6.0 can correct the mistakes of Microsoft's past IIS versions.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

Editorial standards