Ya know, that's a good point.. but one thing..
IIS has so many freaking patches that it's very easy to miss one. It's a full-time job just keeping up with my web server, let alone every damn thing else! I'm sick of us IT guys catching a bunch of flak over not loading a patch. How about you jump on MS for their crappy software?
Since Jan of 2000, IIS has had 42 vulnerabilities. There have been 11 in 2001 so far. If I loaded an IIS machine today, just to be up to speed, I have to load the big Service pack 6a, plus 7, count 'em, 7 patch releases, plus another 4-8 hot fixes that haven't been included in the patch releases. (And that's just for IIS, I'm not even including patches for vulnerabilities in O'look, NT or Exchange) Microsoft seems to put out patches every day! (I'm aware that they don't, but it *seems* like it!) Heck, between IIS, Exchange, Outlook, and NT, I almost need to just block out an entire day a week for "Patch Update Day". Now, you think we just sit about playing Quake??? You go be a security guy, have fun.. see how much flak you take, even after working your ass off, you'll still get it from guys like you.
Now, before you start, I *have* to run IIS, it's not my choice.. yet. Due to the maintenance involved, not to mention MS's new strong-arm tactics and moronic new licensing terms, we are actively trying to migrate *away* from all things MS. IIS > Apache, NT > *nix, MSsql7 > Sybase, etc. etc.
Oh, if you'd like to compare, go find a security hole in the Apache default install.. Oh wait, that's right, there hasn't been one since 1997!