Microsoft can't win. No sooner does it get the Justice Department off its back than the Gartner Group comes along and tells everyone to dump Microsoft Internet Information Server (IIS), NT, and Windows 2000 and move to a Unix system.
The report, released Sept. 19, contained this nasty blow:
Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache. Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers. Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS.
Then, on Oct. 8, Sun Microsystems announced an aggressive migration program to enable current IIS customers to easily trade up to iPlanet Web Server, Enterprise Edition 6.0. The trade-up (available at www.iplanet.com/gosecure) includes detailed migration guides that help simplify the transition to iPlanet Web Server, free Sun Chili!Soft ASP software that allows customers to run Microsoft Active Server Pages (ASP) code unchanged, and a 37 percent price reduction on iPlanet Web Server software. Ginsu knives are not included.
How bad are the worms?
I think I know why Bill Gates relinquished day-to-day management of Microsoft. These guys can't get a break. It must be difficult to be one of the most successful companies in the world and one of the most hated (not that those two are unrelated). Of course Microsoft brings a number of problems on itself. This latest recommendation followed hard on the Code Red and Nimda attacks on Microsoft IIS.
I have some personal experience with Nimda. On Sept. 18, I was checking one of our Web servers when Nimda struck. I watched the worm repeatedly attempt to gain access to a production server. It was attempting to instantiate an FTP server on the box (in this case it was aimed at a small utility application called trivial FTP), which was intended to download some malicious code so that the worm could do its dirty work.
We were running Windows 2000 server with all available security patches and IIS 5. Windows 2000 service pack 2 had not been applied to that machine. It was protected with a third-party software firewall. I manually intervened with the worm but it appears that the machine was secure enough to withstand that attack. I then turned my attention to a development server with the same configuration (minus the firewall). As I watched, that machine was quickly corrupted with one of the many Nimda payloads. This was on a machine that theoretically had all "critical updates" applied to prevent such an attack. It appeared to have been attacked using the known Unicode Web Folder Traversal vulnerability. This was "fixed" by a Microsoft patch in June. I had applied the fix, yet remained vulnerable to the Nimda worm. At that moment I might have agreed with the Gartner report.
In all fairness, this was a development server that was loaded with everything but Leisure Suit Larry. I know that it's essential to re-install hot fixes after installing new software, but I didn't. Mea culpa. But it does point out the inherent security weakness of Microsoft Web servers. I installed the fix, my registry told me the fix was installed, yet I was still vulnerable. I would not have been so lax on a production server, yet even then there is a constant uncertainty: Do I need to reinstall all my hot fixes?
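The traversal described above succeeds against any filter that inspects the request path before it is decoded. As an added illustration (not code from the original column), the following detection logic runs over constructed IIS-style log lines and flags a `..` segment that is only visible after percent-decoding, a double-encoded one, and a path whose decoded bytes are not valid UTF-8; the log lines, addresses and paths are all constructed samples.

```python
import re
from urllib.parse import unquote_to_bytes
# Constructed IIS-style (W3C) log lines for illustration, not real traffic.
# Fields: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2001-09-18 14:02:11 192.0.2.10 GET /default.htm 200
2001-09-18 14:02:13 192.0.2.77 GET /scripts/../winnt/readme.txt 404
2001-09-18 14:02:14 192.0.2.77 GET /scripts/..%2f..%2fwinnt/readme.txt 404
2001-09-18 14:02:16 192.0.2.77 GET /scripts/%252e%252e/winnt/readme.txt 404
2001-09-18 14:02:17 192.0.2.77 GET /scripts/%ff%fe/readme.txt 404
"""

def decode_path(raw, max_rounds=3):
    """Percent-decode until stable (catches double encoding); valid=False if the bytes are not UTF-8."""
    cur = raw
    for _ in range(max_rounds):
        raw_bytes = unquote_to_bytes(cur)
        try:
            nxt = raw_bytes.decode("utf-8")
        except UnicodeDecodeError:
            return raw_bytes.decode("latin-1"), False
        if nxt == cur:
            break
        cur = nxt
    return cur, True

def has_dotdot(path):
    # A '..' segment with either separator; a web server never needs one.
    return any(seg == ".." for seg in re.split(r"[/\\]+", path))

def classify(uri_stem):
    """Verdict for one request path, or None if it looks benign."""
    decoded, valid = decode_path(uri_stem)
    if not valid:
        return "malformed-encoding"
    if not has_dotdot(decoded):
        return None
    # '..' visible only after decoding is exactly what a check on the raw path misses.
    return "traversal" if has_dotdot(uri_stem) else "encoded-traversal"

def scan_log(text):
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or line.startswith("#"):
            continue
        verdict = classify(parts[4])
        if verdict:
            hits.append((parts[2], parts[4], verdict))
    return hits
```

Running `scan_log(SAMPLE_LOG)` reports the four `/scripts/` requests and nothing for `/default.htm`; the same decode-then-check order is what a server-side filter has to follow.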
Let's not belabor the point. Microsoft was beat up pretty badly this year by hackers, and the Gartner report simply voiced what a lot of people have been saying all along.
Should I really retire my IIS servers?
If you are only running static HTML on your Web site, and if you aren't running an e-commerce site, and if you aren't using a Microsoft SQL database, and if you have a lot of money for new hardware and software and training, then by all means get out your platinum Amex card and give Sun Microsystems a call. Order up a bunch of iPlanet Web Server licenses. (What a deal: 37 percent off.) You might as well get a few Sparc 64 boxes to run them while you're at it. Because you've got a static site, you can probably have your new, secure version up in a day or so, confident that it's more secure than your old IIS solution.
But that's not the way we do it in the real world.
Real Web sites that deliver substantial quantities of dynamic information and provide secure e-commerce are not easily ported from one platform to another.
They are not off-the-shelf systems (or they aren't anymore). From the moment the first installation disk is put in the first drive, the customization starts. Installation is tweaked. Connections are established. An intricate web of connections is built that to some extent is platform specific.
We are constantly striving to allow one platform to interoperate with another, but that's a far cry from moving code from one to another. The Gartner report is an offense to every well-built and well-functioning IIS Web site.
Our sites consist of thousands of active server pages, tens of thousands of lines of code, multiple databases, dynamic wrappers and dynamically generated HTML. To think that we could easily or feasibly move our Web applications to another server until Microsoft improves security is ludicrous. I can only assume that the report was meant as an "enough is enough" diatribe with the underlying realization that it really isn't possible.
Moving an e-commerce site from one Web server to another is a monstrous undertaking even when the operating systems and platforms are identical. They never are; there are hundreds of custom components, custom libraries, custom applications, and machine-specific code that must be ported over, registered, and tested. We're using ADO and ODBC to connect to (mostly) SQL databases. That doesn't port easily to a different platform. We're scaling up to use Microsoft's .NET Web services. How do you suppose that's going to fit in with a new platform? J2EE can handle what we have in mind, but not without a significant investment.
The point is simple: If you are currently running a successful operation on IIS, leave it there. Harden your sites, be fanatic about service packs and hot fixes, watch your servers, but do not try to jump to a new platform to gain a marginal increase in security. Microsoft is getting better all the time. It has no choice. Customers pay the bills. If Microsoft doesn't cater to customer needs, its market will dry up. The Gartner report was probably another nasty wake-up call in Redmond.
What's the worst that could happen?
This issue about Microsoft security is puzzling. Just how bad is it? There is no doubt that Microsoft has more people attempting to hack its products than any other software vendor. There is no doubt that more security holes are found in Microsoft products than anyone else's. This does not necessarily mean that Microsoft products are inferior. In fact, all these busy little hackers mucking about in Microsoft servers are doing a significant amount of testing for the guys in Redmond. Can you imagine what it would cost to do all the testing necessary to uncover all the various bugs, back doors, and weaknesses found by hackers?
This constant exposure in the glaring spotlight will eventually result in a very secure platform. I have a friend who won't use any operating system but OS/2. (I know, I know, but he's a good guy other than that.) He's always bragging about how there are virtually no OS/2 viruses. This is true, and for the same reason no one is making any OS/2 software: Why bother to write a virus that is going to get almost no exposure? Virtually every office desktop in the United States is running some Microsoft operating system, so that's what virus writers target. Couple that with the "big is bad" and "freeware is good" mentality of some of the most brilliant computer geeks, and Microsoft is the target of choice.
Unix has been around for more than 32 years. The NT kernel is fewer than 10 years old. Unix Web servers are more stable, more efficient, and more secure. If I were going to create a massive e-commerce operation from scratch, I would lean toward Unix and Java solutions. That doesn't mean there isn't a place for other systems. Microsoft operating systems and servers fill a need in today's Internet community. Most under-30 programmers cut their teeth on Microsoft operating systems and programming tools. That's a reality we can't escape. It also means that most under-30 hackers are going after operating systems they already know.
Microsoft products currently run about 30 percent of all Web servers. It is not practical or reasonable to expect to move those four million or so servers to a completely different platform. On the other hand, Microsoft does have a responsibility to do whatever it takes to keep its enterprise Web platforms as secure and stable as possible. Apache servers still make up more than 60 percent of the market. Unlike the browser wars, there is room for more than one Web platform. IIS users should demand immediate response and support from Microsoft, but we need to be aware that most of the damage done by Code Red and Nimda was on systems that weren't properly maintained.
Lockdown
On October 3, 2001 Microsoft announced a new Internet security initiative that it is calling the Strategic Technology Protection Program (STPP). According to its press release, "Microsoft recognizes it has a special obligation to help ensure the security of the Internet and our customers' data."
STPP is a multi-phased process that will immediately offer a lock-down tool for IIS, unspecified virus-related customer support, and a new "customer outreach" program. This first phase is known as Get Secure. The next phase, entitled Stay Secure, will provide a more extensive line of tools and services.
What I like is that future releases of IIS will be locked down by default. Administrators will thus be forced to take an active role in the security configuration of these systems. Good idea, Microsoft!
© Touchpoint Markets, All Rights Reserved.