Internet Information Server Security Newsletter Vol 1 No 1

Welcome to the inaugural issue of the Internet Information Server Security Newsletter - the electronic newsletter for companies using Microsoft Internet Information Server for their Internet websites.  As a user of Internet Information Server, we are sure that you will find each issue to be an indispensable source of information on how to keep your website and network secure and reliable.

No matter what industry you are in, whether your hosting is outsourced or handled in-house, whether your company is small or large, whether your website is informational or a core component of your business processes, Internet security has become a critical concern for every business.

Latest Issues - Nimda and Code Red: Still Doing the Rounds

Most users of Internet Information Server will keenly remember the havoc caused by Nimda, the Internet worm that propagated itself by email, LANs, web browsers and IIS webservers to inflict over $500 million in damage to businesses worldwide.  The storm seems to have died down, but it would be a mistake to think that the threat has completely disappeared.

Some sites managed, by sheer luck, to avoid infection during Nimda's peak and are only being hit for the first time now.  Others cleaned out their Nimda infections or rebuilt their servers but may not have made the security changes necessary to prevent re-infection in the future.  In an unpleasant demonstration of this, a new Nimda variant - Nimda.E - released last week has been found slowly but steadily infecting machines around the Internet.  Nimda.E uses different filenames than the original version, but exploits identical vulnerabilities. 

Subscribers who have not already done so are advised to update their web browsers to Internet Explorer 5.01 SP2, 5.5 SP2, or 6.0; to update their antivirus software; to apply the latest patches from Microsoft and to audit their IIS webservers to make sure that they are not vulnerable to attack.  Remember that even machines not formally designated as web servers may still be vulnerable - development and test machines, mail servers and even workstations and personal computers running Microsoft FrontPage may also be affected.  Servers running Cold Fusion or Lotus Domino R5 on top of IIS should also be tested.

And whatever happened to Code Red - the worm with the $2.6 billion cleanup bill? Even though the Code Red worm was set to cease replication on October 1, a thin trickle of Code Red attacks still seems to be going on around the Internet.  Many of these are due to incorrect date settings on infected servers (they think it's still August or September), but others have been observed to be from crackers imitating Code Red's attack signature with a view to creating themselves an alibi if caught.
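As an added example (not part of the newsletter), the following Python script scans IIS W3C extended log lines for the request patterns that Nimda and Code Red leave behind: directory traversal towards cmd.exe, requests for the root.exe copy of the command shell, and oversized queries against the .ida ISAPI filter.  The log lines are constructed, not real traffic, and the tag names and the 100-character query threshold are this example's own choices.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format; not real traffic.
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    "2001-11-05 10:01:12 192.0.2.10 GET /default.htm - 200",
    "2001-11-05 10:01:13 198.51.100.7 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404",
    "2001-11-05 10:01:14 198.51.100.7 GET /scripts/root.exe /c+dir 404",
    "2001-11-05 10:01:15 203.0.113.9 GET /default.ida " + "N" * 120 + " 200",
    "2001-11-05 10:01:16 192.0.2.11 GET /products/list.asp id=42 200",
    "2001-11-05 10:01:17 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp 404",
])


def normalise(path):
    """Decode twice (catches double-encoded traversal), lower-case, unify slashes."""
    return unquote(unquote(path)).lower().replace("\\", "/")


def classify(stem, query):
    """Return the list of tags (this example's own names) that a request matches."""
    tags = []
    raw, path = stem.lower(), normalise(stem)
    # '..' segments after decoding, or the overlong UTF-8 encodings of '/'
    # that the IIS "Unicode" directory traversal bug accepted.
    if "../" in path or "%c0%af" in raw or "%c1%9c" in raw:
        tags.append("traversal")
    # Requests aimed at the command shell, or at the root.exe copy left by Code Red II.
    if path.endswith(("cmd.exe", "root.exe")):
        tags.append("shell-probe")
    # Oversized query against the .ida/.idq ISAPI filter: the Code Red overflow pattern.
    if path.endswith((".ida", ".idq")) and len(query) > 100:
        tags.append("ida-overflow")
    return tags


def scan(log_text):
    """Return (hits, per_ip): flagged (ip, stem, tags) tuples and a probe count per source."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # W3C header lines begin with '#'
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, stem, query = fields[2], fields[4], fields[5]
        tags = classify(stem, query)
        if tags:
            hits.append((ip, stem, tags))
    return hits, Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for ip, stem, tags in hits:
        print(f"{ip:15} {','.join(tags):22} {stem}")
    print("probes per source:", dict(per_ip))
```

Pointing the script at a real log directory shows which source addresses are repeatedly probing a server and whether any of the probes returned a 200 rather than a 404, which is the case worth investigating first.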

For up-to-the-minute Internet security news, be sure to visit the Peterson IT Consulting news page.

The Burning Question: Is IIS Secure Enough?

The huge surge in attacks on Microsoft Internet Information Server web servers in the second half of 2001 gave some media exposure to the claims made by Unix devotees that Windows is not a secure enough operating system for the Internet.

Even well respected research firms such as Gartner have jumped on the bandwagon, with the startling recommendation that companies abandon their investments in IIS and switch to Unix-based Apache servers for their business webhosting.

Such advice is misleading, and such a move would be not only costly, but entirely unnecessary.  Apart from the obvious cost to rebuild their web assets in a new architecture, businesses risk exchanging one set of security problems for another - that they may not be as well equipped to deal with.

An important thing to note about all of the recent attacks is that they made use of widely publicised exploits for which patches had already been released – in most cases months prior to the attacks taking place.  The other important thing to note is that the Unix operating systems suffer from the same problems, and then some.  One research group (http://project.honeynet.org) estimated the life expectancy of an unpatched Unix server at around 72 hours, with a comment that some of their test servers had been compromised in as little as 3 hours.

The moral to the story?  Don’t believe the hype.  Windows and Internet Information Server can look after your company website just fine as long as you keep an eye on security.  How can you do that?

  • Make sure that you have a security plan in place that covers your entire network - especially your webservers.

  • Keep up to date with security news and apply vendor security patches in a timely fashion.

  • Make sure that security is top of your list of design requirements for any new websites.

  • Conduct regular security audits to make sure that you find any security holes in your systems before the bad guys do.

Ten Myths of Internet Security - Part 1 of 5

Over the next few issues, we will be presenting 10 common myths of Internet security.  Although these will primarily relate to the security of webservers, we will also be covering some other issues of interest to readers in this section.  In this instalment, we address the false sense of security that can arise from having a firewall or a low-profile website.

Myth #1: We have a firewall, so we can't be hacked.

Oh yes you can.  Broadly speaking, what firewalls do is to block certain kinds of traffic from getting into your network.  A correctly configured firewall will block a lot of nefarious activity, but can't provide complete safety if an unpatched system or a careless website developer leaves other avenues of attack wide open. 

In short, a firewall is essential to keep your network secure but can only be effective if it is part of a comprehensive security plan that includes:

  • regular updates to security patches on servers;
  • security by design in websites;
  • logging and monitoring of website activity; and
  • regular audits and reviews.

Myth #2: No-one would ever bother to hack us.

You'd be surprised.  The break-ins that make headlines tend to be when the victims are high-profile companies or when large numbers of credit card numbers have been stolen, but even small websites can be potential targets.  Some website vandals are simply after notoriety for bringing down as many small, undefended sites as possible in the shortest period of time.  The “World of Hell” cracking group, for example, claimed the record in June for having defaced 679 websites in one minute – most of which were owned by individuals or small businesses. This may have been the start of a destructive trend as two months later the previously unknown "Kebracho" group from Argentina beat that record with close to 1000 sites.

Others do not intend immediate harm, but use compromised systems as launching pads for future attacks against other websites.  If your website is used in this fashion any attacks would be traced back to your site and any blame or retaliation would initially fall upon you, rather than the actual culprit.  Others are after free storage space for things that they would rather not have in their own name - usually distribution points for pirated software, pornography or other undesirable material.

Even if your site isn't publicised on search engines it can still be found by crackers.  It need not even have a domain name - automated cracking tools and the latest generation of Internet worms (a la Code Red and Nimda) will indiscriminately attack any machine connected to the Internet.  Some of my customers have found their webservers under attack within hours of connecting them to the Internet - before their websites had even been set up.  Even home PCs can be caught up in mass crack attempts - forty-two were made on me by worms and automated cracking tools while I was writing this article.

Hacker? Cracker?  "Script Kiddie"?  Huh?  The Jargon Buster has the answer.

For those new to Internet security, some of the terms used in the industry can be quite confusing, particularly given the inconsistencies with which terms are applied in the media.

To help our customers understand the lingo we present the jargon buster, available on the Peterson IT Consulting website.

Subscriber Services

Internet Information Server Security Newsletter is a fortnightly newsletter independently published by Peterson IT Consulting - it is not affiliated with Microsoft in any fashion.

Subscription or removal requests can be sent to IISSN@PetersonITConsulting.com.  Feedback on the content of the newsletter can be sent to editor@PetersonITConsulting.com.  For further information on Peterson IT Consulting, please visit our website at www.PetersonITConsulting.com.

FrontPage, Windows, Internet Information Server, IIS and Internet Explorer are trademarks of the Microsoft Corporation.  Other trademarks are the property of their respective owners.

© Peterson IT Consulting 2001-2012.  Please read our Privacy Statement 