Brent Hill and Roger Grimes - Chatting about IIS 7's security

Download this episode

Download Video


Roger Grimes is a security expert and author (he wrote a free ebook: Keeping Your Business Safe From Attack: Passwords and Permissions and more than 100 magazine articles on security). Anyway, he was visiting Microsoft's campus and sat down with IIS evangelist Brent Hill to talk about IIS 7 and security in Microsoft Windows.



Available formats for this video:

Actual format may change based on video formats available and browser capability.

    The Discussion

    • koorb
      Looking at IE has a lot more unpatched vulnerabilities than FireFox.:O
    • DuNuNuBatman

      I thought the discussion was about IIS not IE.

    • erik_
      for a few seconds yes, which was pretty dumb because now all the replays are about IE6.
      And IIS well, he also talked about that but hey, you can't complain about that because it's to damn good or ?

      Great video, it would be nice to actualy see a video with a active directory setup and a good linux setup and actually see the difference in deployement. It's a bit of a weird question probaly, but to get a good view of what really are the problems you need to see them yourself. (And I am too lazy to do it myself)
    • Minh
      XP SP2 has been out for six months now? Surely, he's not talking about the home users -- which must comprise a majority of the zombies out there. I know people still using Windows 98. And what use are ACLs if most users run as admin by default? Vista better get these things right!

      Also he kept saying, "Windows is the most secured popular O/S" ... why qualify it w/ "popular"? If XP + 2K has 85% of the market share, who else can qualify as another "popular" OS?  It's like saying I'm the best looking guy in the room -- and I'm the ONLY guy in the room.

      Why not start with some honest conversation? Seven months ago, Windows security was a mess. And I was tired of cleaning out virii out of my father's machine.
    • koorb
      User opinion won't change until IE7 is out because IE is a down in the trenches application.
    • iisguy

      The seriouseness of the vulnerabilites is this for IIS 6 - zero, that is 0, as in null, nada, empty set, none are rated critical by anyone who rates these things.

      Just do this: Go to any site that lists security vulnerabilities from multiple platforms. Any of them.

      Compare IIS 6 to Apache 2.x. Compare Windows 2003 to *nix.

      Be objective as you can. What is the result?

      Check it out.

      Brett Hill
      IIS Evanglist

    • joshmess
      This video was fairly disheartening. If 90% of people are using IIS and IIS security incorrectly isnt the correct conclusion that the product is too difficult to use? It seems liek Grimes is blaming the users instead.

      Why should MS advertise it has the most secure platform on the market if nobody can figure out how to use it?
    • Wowbagger
      joshmess wrote:

      Why should MS advertise it has the most secure platform on the market if nobody can figure out how to use it?

      Are you truly saying that MS IIS is more difficult to install/use as apache?

      But I also agree that you need to look at the playing field, if people are still using an older version of something, and you still support it, it needs to be secure. We can only do our best to inform the customer to upgrade to a new version because of know issues and better functionality.

      I'm curious about eDirectory/ZENworks on Novell linux though...
    • scottmace20​02

      Ben Laurie heads up security efforts at Apache. Listen to my conversation with him here:

    • scottmace20​02
    • iisguy
      Very interesting. Thanks for posting the interview.  In the interview, I invite people to do the research and make their own conslusions.  The whole point is to update people's pereception of judging IIS 6 based on track record for IIS 5, not to claim that IIS is more secure than Apache or that Apache is insecure. 

      -brett hill

    • AUserAbout​IIS
      If Microsoft is going to bring in non-Microsoft interview people (note to self - Channel 9 typically means Microsoft) then maybe think about bringing in very non-bias individuals.

      Roger, all credit due, was laughed out of a challenge for securing IIS.  Is this really someone I (as a admin) should listen too?

      Let me answer my own question -- Brett, stop the uhh, um's and get real solid data.
    • iisguy

      Thanks for you reply. I really like this conversation.

      I am tempted to ask what you would consider "real" numbers, but any numbers or claims I make are going to be critizied as being non-objective.  That's why I invite you to do the research and come to your own conclusions.  Check Check Securityfocus. Check anywhere you like. Objectively compare IIS 6 and Windows 2003 to any OS+Web Server released at that time and see what the data says. That's all I'm saying here.

      As for Roger, he writes a security column for Infoworld, is an author for Windows IT Pro Magazine, and teachs hardening and security classes (Ultimate Hacking) for Foundstone and SANs. Knows a bit about the topic.   

      I'd love to interview anyone you think would be important to listen to as an admin (or dev). If you tell me who you would like, I'll try to get them on record and posted to C9.


    Comments closed

    Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums, or Contact Us and let us know.