Internet Information Server Security Newsletter Vol 1 No 1
Welcome to the inaugural issue of the Internet Information Server Security
Newsletter, the electronic newsletter for companies using Microsoft Internet
Information Server for their Internet websites. As a user of Internet
Information Server, you will, we are sure, find each issue an indispensable
source of information on how to keep your website and network secure and
reliable.
No matter what industry you are in, whether your hosting is outsourced or
handled in-house, whether your company is small or large, whether your website
is informational or a core component of your business processes, Internet
security has become a critical concern for every business.
Latest Issues - Nimda and Code Red: Still Doing the Rounds
Most users of Internet Information Server will keenly remember the havoc caused by Nimda,
the Internet worm that propagated itself by email, LANs, web browsers and IIS
webservers and inflicted over $500 million in damage on businesses worldwide. The storm seems to have
died down, but it would be a mistake to think that the threat has disappeared.
Some sites managed, by sheer luck, to avoid infection during Nimda's peak and are
only being hit for the first time now. Others cleaned out their Nimda
infections or rebuilt their servers but may not have made the security changes
necessary to prevent re-infection. In an unpleasant demonstration of this, a new
Nimda variant, Nimda.E, released last week has been found slowly but steadily
infecting machines around the Internet. Nimda.E uses different filenames from the
original version but exploits identical vulnerabilities.
Subscribers who have not already done so are advised to update their web
browsers to Internet Explorer 5.01 SP2, 5.5 SP2, or 6.0; to update their
antivirus software; to apply the latest patches from Microsoft and to audit
their IIS webservers to make sure that they are not vulnerable to attack.
Remember that even machines not formally designated as web servers may still be
vulnerable - development and test machines, mail servers and even workstations
and personal computers running Microsoft FrontPage may also be affected.
Servers running Cold Fusion or Lotus Domino R5 on top of IIS should also be
tested.
And whatever happened to Code Red, the worm with the $2.6 billion cleanup
bill? Even though the Code Red worm was set to cease replication on October 1, a
thin trickle of Code Red attacks still seems to be going on around the Internet.
Many of these are due to incorrect date settings on infected servers (they think
it's still August or September), but others have been observed to come from
crackers imitating Code Red's attack signature with a view to creating
themselves an alibi if caught.
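The audit recommended above and the Code Red attack signature just mentioned are both easiest to act on from the IIS logs themselves. The scanner below is an added example and is not part of the newsletter: it reads IIS W3C extended log lines, URL-decodes the requested path, and flags the probe shapes documented in the CERT advisories for Code Red (a request for an .ida file whose query is a long run of N, or X for the Code Red II variant) and Nimda (root.exe, or cmd.exe reached via /c/, /d/ or a directory-traversal path). The sample log is constructed for the example rather than taken from a real server, and the field names are read from the #Fields: header so a differently configured log still parses.

```python
"""Scan IIS W3C extended log lines for Code Red and Nimda probe signatures."""
import re
from urllib.parse import unquote

# Request shapes taken from the CERT advisories for Code Red (CA-2001-19) and
# Nimda (CA-2001-26). Matching runs on a lower-cased, URL-decoded copy of the
# URI stem, so %5c, %255c and a literal backslash all normalise to the same thing.
CODE_RED_STEM = re.compile(r"\.ida$")
CODE_RED_QUERY = re.compile(r"^[nx]{20,}")          # long run of N (Code Red) or X (Code Red II)
NIMDA_STEMS = (
    re.compile(r"/root\.exe"),                       # backdoor left by Code Red II, reused by Nimda
    re.compile(r"/winnt/system32/cmd\.exe"),         # cmd.exe reached via /c/, /d/ or traversal
)
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|%)")           # '../', '..\' or an encoded form such as ..%255c


def normalise(stem):
    """Lower-case and decode twice so a double-encoded %255c ends up as a backslash."""
    s = stem.lower()
    for _ in range(2):
        s = unquote(s)
    return s


def classify(stem, query):
    """Return 'code-red', 'nimda', 'traversal' or None for one logged request."""
    decoded = normalise(stem)
    if CODE_RED_STEM.search(decoded) and CODE_RED_QUERY.match(query.lower()):
        return "code-red"
    if any(p.search(decoded) for p in NIMDA_STEMS):
        return "nimda"
    if TRAVERSAL.search(stem.lower()) or TRAVERSAL.search(decoded):
        return "traversal"
    return None


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the last #Fields: directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):        # skip truncated or mangled lines
                yield dict(zip(fields, values))


def scan(lines):
    """Return (hits, answered): every probe seen, and those the server answered with 200.

    A 404 means the probe missed. A 200 for cmd.exe or root.exe means IIS ran the
    request, so treat that host as compromised, not merely probed.
    """
    hits, answered = [], []
    for rec in parse_w3c(lines):
        kind = classify(rec["cs-uri-stem"], rec["cs-uri-query"])
        if kind is None:
            continue
        hit = (rec["date"], rec["time"], rec["c-ip"], kind, rec["cs-uri-stem"], rec["sc-status"])
        hits.append(hit)
        if kind != "code-red" and rec["sc-status"] == "200":
            answered.append(hit)
    return hits, answered


def summarise(hits):
    """Count hits per probe kind."""
    counts = {}
    for hit in hits:
        counts[hit[3]] = counts.get(hit[3], 0) + 1
    return counts


# Constructed sample log (not a real capture) in the IIS 5 W3C extended format.
_PAYLOAD = "N" * 48 + "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = f"""\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-11-05 03:12:44 192.0.2.10 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
2001-11-05 03:15:02 198.51.100.7 GET /default.ida {_PAYLOAD} 404 -
2001-11-05 03:15:31 198.51.100.7 GET /scripts/root.exe /c+dir 404 -
2001-11-05 03:15:31 198.51.100.7 GET /MSADC/root.exe /c+dir 404 -
2001-11-05 03:15:32 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2001-11-05 03:15:32 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200 -
2001-11-05 03:15:33 198.51.100.7 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200 -
2001-11-05 03:15:33 198.51.100.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404 -
2001-11-05 03:15:34 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404 -
2001-11-05 03:20:10 203.0.113.4 GET /products/..%5c..%5cdefault.htm - 404 -
"""

if __name__ == "__main__":
    hits, answered = scan(SAMPLE_LOG.splitlines())
    print(summarise(hits))
    for hit in answered:
        print("ANSWERED PROBE:", *hit)
```

Two caveats when reading the output. First, the scanner matches the request shape only, so it cannot tell a genuine worm from a cracker imitating the Code Red signature; treat every hit as hostile regardless of who sent it. Second, the status code is what turns a probe into a finding: on the constructed log the two /winnt/system32/cmd.exe requests that returned 200 mean the server executed them, whereas the 404s show the probe missed. For the .ida request the status line says little either way; the check there is whether the .ida script mapping is still present on the server.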
For up-to-the-minute Internet security news, be sure to visit the Peterson IT Consulting news page.
The Burning Question: Is IIS Secure Enough?
The huge surge in attacks on Microsoft
Internet Information Server web servers in the second half of
2001 gave some media exposure to the claims made by Unix
devotees that Windows is not a secure enough operating system
for the Internet.
Even well respected research firms such as
Gartner have jumped on the bandwagon, with the startling
recommendation that companies abandon their investments in IIS
and switch to Unix-based Apache servers for their business
webhosting.
Such advice is misleading, and such a move
would be not only costly but entirely unnecessary. Apart
from the obvious cost of rebuilding their web assets in a new
architecture, businesses risk exchanging one set of security
problems for another that they may not be as well equipped to
deal with.
An important thing to note about all of the
recent attacks is that they made use of widely publicised
exploits for which patches had already been released, in most
cases months before the attacks took place. The other important thing to
note is that the Unix operating systems suffer from the same
problems, and then some. One research group (http://project.honeynet.org)
estimated the life expectancy of an unpatched Unix server at
around 72 hours, commenting that some of their test servers
had been compromised in as little as 3 hours.
The moral to the story? Don’t believe
the hype. Windows and Internet Information Server can look
after your company website just fine as long as you keep an eye
on security. How can you do that?
- Make sure that you have a security plan in place that covers your entire network, especially your webservers.
- Keep up to date with security news and apply vendor security patches in a timely fashion.
- Make sure that security is top of your list of design requirements for any new websites.
- Conduct regular security audits to make sure that you find any security holes in your systems before the bad guys do.
Ten Myths of Internet Security - Part 1 of 5
Over the next few issues, we will be presenting 10 common myths of Internet
security. Although these will primarily relate to the security of
webservers, we will also be covering some other issues of interest to readers in
this section. In this instalment, we address the false sense of security
that can arise from having a firewall or a low-profile website.
Myth #1: We have a firewall, so we can't be hacked.
Oh yes you can. Broadly speaking, what firewalls do is to block certain
kinds of traffic from getting into your network. A correctly configured
firewall will block a lot of nefarious activity, but can't provide complete
safety if an unpatched system or a careless website developer leaves other
avenues of attack wide open.
In short, a firewall is essential to keep your network secure but can only be
effective if it is part of a comprehensive security plan that includes:
- regular updates to security patches on servers;
- security by design in websites;
- logging and monitoring of website activity; and
- regular audits and reviews
Myth #2: No-one would ever bother to hack us.
You'd be surprised. The break-ins that make headlines tend to be those where
the victims are high-profile companies or where large numbers of credit card
numbers have been stolen, but even small websites are potential targets.
Some website vandals are simply after the notoriety of bringing down as many small,
undefended sites as possible in the shortest period of time. The
"World of Hell" cracking group, for example, claimed the record in June for
having defaced 679 websites in one minute, most of which were owned by
individuals or small businesses. This may have been the start of a destructive
trend, as two months later the previously unknown "Kebracho" group from Argentina
beat that record with close to 1000 sites.
Others do not intend immediate harm, but use compromised systems as launching
pads for future attacks against other websites. If your website is used in
this fashion any attacks would be traced back to your site and any blame or
retaliation would initially fall upon you, rather than the actual culprit.
Others are after free storage space for things that they would rather not have
in their own name - usually distribution points for pirated software,
pornography or other undesirable material.
Even if your site isn't publicised on search engines, it can still be found by
crackers. It need not even have a domain name: automated cracking tools
and the latest generation of Internet worms (a la Code Red and Nimda) will
indiscriminately attack any machine connected to the Internet. Some of my
customers have found their webservers under attack within hours of connecting
them to the Internet, before their websites had even been set up. Even
home PCs can be caught up in mass crack attempts: forty-two were made on me by
worms and automated cracking tools while I was writing this article.
Hacker? Cracker? "Script Kiddie"? Huh? The Jargon Buster has the answer.
For those new to Internet security, some of the terms used in the industry can be
quite confusing, particularly given the inconsistencies with which terms are
applied in the media. To help our customers understand the lingo we present the
jargon buster, available on the Peterson IT Consulting website.
Subscriber Services
Internet Information Server Security Newsletter is a
fortnightly newsletter independently published by Peterson IT
Consulting - it is not affiliated with Microsoft in any fashion.
Subscription or removal requests can be sent to
IISSN@PetersonITConsulting.com. Feedback on the
content of the newsletter can be sent to
editor@PetersonITConsulting.com. For further
information on Peterson IT Consulting, please visit our website
at
www.PetersonITConsulting.com.
FrontPage, Windows, Internet Information Server, IIS and
Internet Explorer are trademarks of Microsoft Corporation.
Other trademarks are the property of their respective owners.