Brent Hill and Roger Grimes - Chatting about IIS 7's security

Posted By: scobleizer | Sep 4th, 2005 @ 7:48 PM | 33,878 Views | 13 Comments
Roger Grimes is a security expert and author (he wrote a free ebook: Keeping Your Business Safe From Attack: Passwords and Permissions and more than 100 magazine articles on security). Anyway, he was visiting Microsoft's campus and sat down with IIS evangelist Brent Hill to talk about IIS 7 and security in Microsoft Windows.
Media Downloads:
Rating:
0
0
#Sep 5th, 2005 @ 10:22 AM
koorb
koorb
Looking at secunia.com IE has a lot more unpatched vulnerabilities than FireFox.:O
#Sep 5th, 2005 @ 10:23 PM
erik_
erik_
Tablet Power
for a few seconds yes, which was pretty dumb because now all the replays are about IE6.
And IIS well, he also talked about that but hey, you can't complain about that because it's to damn good or ?

Great video, it would be nice to actualy see a video with a active directory setup and a good linux setup and actually see the difference in deployement. It's a bit of a weird question probaly, but to get a good view of what really are the problems you need to see them yourself. (And I am too lazy to do it myself)
#Sep 5th, 2005 @ 11:14 PM
Minh
Minh
WOOH! WOOH!
XP SP2 has been out for six months now? Surely, he's not talking about the home users -- which must comprise a majority of the zombies out there. I know people still using Windows 98. And what use are ACLs if most users run as admin by default? Vista better get these things right!

Also he kept saying, "Windows is the most secured popular O/S" ... why qualify it w/ "popular"? If XP + 2K has 85% of the market share, who else can qualify as another "popular" OS?  It's like saying I'm the best looking guy in the room -- and I'm the ONLY guy in the room.

Why not start with some honest conversation? Seven months ago, Windows security was a mess. And I was tired of cleaning out virii out of my father's machine.
#Sep 6th, 2005 @ 1:17 PM
koorb
koorb
User opinion won't change until IE7 is out because IE is a down in the trenches application.
#Sep 6th, 2005 @ 6:29 PM
iisguy
iisguy

The seriouseness of the vulnerabilites is this for IIS 6 - zero, that is 0, as in null, nada, empty set, none are rated critical by anyone who rates these things.

Just do this: Go to any site that lists security vulnerabilities from multiple platforms. Any of them.

Compare IIS 6 to Apache 2.x. Compare Windows 2003 to *nix.

Be objective as you can. What is the result?

Check it out.

Brett Hill
IIS Evanglist
Microsoft.com

#Sep 12th, 2005 @ 1:16 PM
joshmess
joshmess
This video was fairly disheartening. If 90% of people are using IIS and IIS security incorrectly isnt the correct conclusion that the product is too difficult to use? It seems liek Grimes is blaming the users instead.

Why should MS advertise it has the most secure platform on the market if nobody can figure out how to use it?
#Jan 2nd, 2006 @ 9:15 AM
Wowbagger
Wowbagger
joshmess wrote:


Why should MS advertise it has the most secure platform on the market if nobody can figure out how to use it?


Are you truly saying that MS IIS is more difficult to install/use as apache?

But I also agree that you need to look at the playing field, if people are still using an older version of something, and you still support it, it needs to be secure. We can only do our best to inform the customer to upgrade to a new version because of know issues and better functionality.

I'm curious about eDirectory/ZENworks on Novell linux though...
#Jan 18th, 2006 @ 6:00 PM
scottmace2002
scottmace2002

Ben Laurie heads up security efforts at Apache. Listen to my conversation with him here:

http://www.itconversations.com/shows/detail933.html

Microsoft Communities