Big news over at Linux-land... er, Slashdot today. "Study Finds Windows More Secure Than Linux". The summaries of the results are pretty good, as these two appear to have done a more fair comparison than I've seen in the past. For example, IIS isn't a webserver, it's an application server and does more than just serve static webpages. To compare IIS to Apache side-by-side is like comparing a Hummer to a Yugo. One will get you back and forth to work, the other will get you back and forth to work if you have to pass over the Rockies, through some rivers and mow down any deer on the way. To make a fair and reasonable comparison, you need to add in a couple of scripting languages to Apache, as well as enable a lot of extra modules. You then need to take into account the security holes in those as well!

For some reason, Apache's been getting a lot of abuse on this blog this week. Not my intention, but it's just worked out that way. Let's be clear, this study shows that IIS is more secure than Apache, and isn't a Linux vs. Since so many people have enough trouble with facts, I like to clear up the easy ones in advance.

People have been comparing Apache to IIS for ages. For ages, I've been saying IIS is as secure, if not more so than Apache, if configured by a competent administrator! The problem is, IIS "out of the box" is nowhere near as secure as Apache is out of the box. In fact, even I wouldn't presume to call an out-of-box IIS secure in any way.

And this is where the confusion sets in, because *nix guys don't know how to secure a Windows box. They just assume it's not, and don't even try. Don't believe me? Ask a *nix guy "How do you secure a Windows box?" They'll always give you an answer similar to "Unplug it from the power outlet" or "Throw it over a cliff". When you press them for a real answer, they'll always say it's not possible. Press them further with "Can you do ANYTHING to secure the box at all?" and they'll usually tell you no. Oddly enough, they DO know how to secure a Windows box, they just don't know the exact procedures. Securing any system includes some basics that any competent admin should know.

Rule #1: Don't run services you don't need. Every extra service you have installed on a box above and beyond what's necessary for that box to perform its function is a point of failure.

Rule #2: Don't use known default configurations. By default, IIS is in C:\Inetpub, Apache in /var/

Rule #3: Secure the filesystems. Don't allow a service to write to your hard drive, unless it absolutely has to.

Rule #4: Use non-privileged accounts for services. On my box, Apache runs as the user apache, and it has write access to one folder on the entire hard drive, a folder required for one of the PHP scripts used.
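One way to check Rules #3 and #4 on a *nix box, as an added example that is not part of the original post: walk a directory tree and list everything the service account can write to outside the one folder it is supposed to have. The names `audit`, `writable_by` and `demo`, the sample tree and the service uid are assumptions made for illustration, and the check looks at classic permission bits only.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Classic mode-bit check; ignores ACLs, capabilities and read-only mounts."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, uid, gids, allowed=()):
    """Return paths under root the account can write, outside the allowed dirs."""
    allowed = {os.path.realpath(p) for p in allowed}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.realpath(dirpath) in allowed:
            dirnames[:] = []          # the one expected writable folder: skip it
            continue
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def demo(allow_uploads=True):
    """Constructed docroot: one intended writable dir, one misconfigured file."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    config = os.path.join(root, "config.php")
    os.mkdir(uploads)
    open(config, "w").close()
    os.chmod(root, 0o755)
    os.chmod(uploads, 0o777)   # the folder the PHP script needs
    os.chmod(config, 0o666)    # mistake: world-writable file
    svc_uid = os.getuid() + 1000     # hypothetical service uid, not the file owner
    svc_gids = {os.getgid() + 1000}  # hypothetical service group
    return audit(root, svc_uid, svc_gids, [uploads] if allow_uploads else [])

if __name__ == "__main__":
    print(demo())
```

On a real server, pass the web root, the uid and group ids of the account the server runs as, and the single directory it is meant to write to; an empty result means the filesystem matches the intent.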