
Brent Hill and Roger Grimes - Chatting about IIS 7's security

26 minutes, 56 seconds


Roger Grimes is a security expert and author (he wrote a free ebook: Keeping Your Business Safe From Attack: Passwords and Permissions and more than 100 magazine articles on security). Anyway, he was visiting Microsoft's campus and sat down with IIS evangelist Brent Hill to talk about IIS 7 and security in Microsoft Windows.


  • Looking at secunia.com, IE has a lot more unpatched vulnerabilities than Firefox. :O
  • I thought the discussion was about IIS not IE.

  • erikerik_ Whooops!
    for a few seconds yes, which was pretty dumb because now all the replies are about IE6.
    And IIS, well, he also talked about that, but hey, you can't complain about that because it's too damn good, or?

    Great video. It would be nice to actually see a video with an Active Directory setup and a good Linux setup and actually see the difference in deployment. It's a bit of a weird question probably, but to get a good view of what the problems really are you need to see them yourself. (And I am too lazy to do it myself.)
  • MinhMinh WOOH!  WOOH!
    XP SP2 has been out for six months now? Surely, he's not talking about the home users -- which must comprise a majority of the zombies out there. I know people still using Windows 98. And what use are ACLs if most users run as admin by default? Vista better get these things right!

    Also he kept saying, "Windows is the most secured popular O/S" ... why qualify it w/ "popular"? If XP + 2K has 85% of the market share, who else can qualify as another "popular" OS?  It's like saying I'm the best looking guy in the room -- and I'm the ONLY guy in the room.

    Why not start with some honest conversation? Seven months ago, Windows security was a mess. And I was tired of cleaning virii out of my father's machine.
  • User opinion won't change until IE7 is out because IE is a down in the trenches application.
  • The seriousness of the vulnerabilities is this for IIS 6 - zero, that is 0, as in null, nada, empty set, none are rated critical by anyone who rates these things.

    Just do this: Go to any site that lists security vulnerabilities from multiple platforms. Any of them.

    Compare IIS 6 to Apache 2.x. Compare Windows 2003 to *nix.

    Be as objective as you can. What is the result?

    Check it out.

    Brett Hill
    IIS Evangelist

  • This video was fairly disheartening. If 90% of people are using IIS and IIS security incorrectly, isn't the correct conclusion that the product is too difficult to use? It seems like Grimes is blaming the users instead.

    Why should MS advertise it has the most secure platform on the market if nobody can figure out how to use it?
  • joshmess wrote:

    Why should MS advertise it has the most secure platform on the market if nobody can figure out how to use it?

    Are you truly saying that MS IIS is more difficult to install/use than Apache?

    But I also agree that you need to look at the playing field: if people are still using an older version of something, and you still support it, it needs to be secure. We can only do our best to inform the customer to upgrade to a new version because of known issues and better functionality.

    I'm curious about eDirectory/ZENworks on Novell linux though...
  • Ben Laurie heads up security efforts at Apache. Listen to my conversation with him here:


  • I also have my own opinion:


  • Very interesting. Thanks for posting the interview. In the interview, I invite people to do the research and make their own conclusions. The whole point is to update people's perception of judging IIS 6 based on the track record of IIS 5, not to claim that IIS is more secure than Apache or that Apache is insecure.

    -brett hill

  • If Microsoft is going to bring in non-Microsoft interview people (note to self - Channel 9 typically means Microsoft), then maybe think about bringing in very non-biased individuals.

    Roger, all credit due, was laughed out of a challenge for securing IIS. Is this really someone I (as an admin) should listen to?

    Let me answer my own question -- Brett, stop the uhh, um's and get real solid data.
  • Thanks for your reply. I really like this conversation.

    I am tempted to ask what you would consider "real" numbers, but any numbers or claims I make are going to be criticized as being non-objective. That's why I invite you to do the research and come to your own conclusions. Check Secunia.net. Check SecurityFocus. Check anywhere you like. Objectively compare IIS 6 and Windows 2003 to any OS + web server released at that time and see what the data says. That's all I'm saying here.

    As for Roger, he writes a security column for InfoWorld, is an author for Windows IT Pro Magazine, and teaches hardening and security classes (Ultimate Hacking) for Foundstone and SANS. Knows a bit about the topic.

    I'd love to interview anyone you think would be important to listen to as an admin (or dev). If you tell me who you would like, I'll try to get them on record and posted to C9.
