[cvsnt] OT IIS (was CVSNT + Web Application Implementation)

Glen Starrett glen at starretthome.net
Wed Jan 25 17:09:54 GMT 2006


Gerhard Fiedler wrote:
> Glen Starrett wrote:
> 
> 
>>Switch to Apache and dump the security nightmarish IIS :b
> 
> 
> Hm... besides the fact that IIS works just fine, I fail to see what the
> problem is with local web servers on developer machines. Supposedly they
> are on systems with local IP addresses of a company LAN, supposedly they
> are exposed to the internet only through a company router/gateway, where
> supposedly incoming requests on port 80 get routed to the company web
> server and not to any developer machine -- so where's the potential
> security threat of IIS (or any local web server on developer machines)?

IIS doesn't always work just fine in my experience.  I'm getting 
somewhat non-specific here, but I've had IIS 'act up' on a production 
server and have flakey configuration retention -- says one thing but 
acts like another is set and not responding as expected -- and in 
general a PITA compared to the clarity and simplicity of the Apache 
config model.  I'm not trying to bash IIS here, but my experiences with 
it overall have been too negative to justify some of the positives.

YMMV, and mine has too.  I've had some positive experience with IIS.  I 
just appreciate the clarity of clear text configuration compared to the 
IIS GUI model.  IIS has also been improving over the years.

To your point though, I agree that I don't understand why it isn't 
allowable to put IIS on the developer machines.  I just assumed the OP 
had gone down that road with his IT already.  A worm infecting their 
Internet-exposed machine could potentially turn around and infect all 
internal machines too if they don't have a DMZ partitioned off to hold 
their exposed machines (good practice regardless of the brand of web 
server).

> 
> On a typical Windows system, there are more dangerous services alive. When
> exposing my system to the internet, IIS is the least of my concerns :)

Agreed, but I would hope you would firewall all Internet-exposed 
machines. Unfortunately IIS has a history that when it does have a hole 
exposed, it's a doozy! :)

Regards,

-- 
Glen Starrett


