Default Install Security of WinXP IIS

Mje

Member
Jun 25, 2001
In response to this quote

<< You should be scared, I'm pretty sure it was said a default, unpatched install of Win2K+IIS or RedHat 7 (provided you choose the default server install and let it install all the daemons it wants) will get cracked in under 10 minutes. >>

from this thread.

Is this really possible? How secure is a default install of IIS on XP with all the updates from Windows Update? I've always considered this to be secure and routinely run IIS webserver on a nonstandard port to download files from a certain 1 deep directory while I'm at school (nothing critical and only with read permission). Webroot does not have rwxb for any users. I could not get any of the authentication methods to work, so I just gave up and did this. This computer is also behind a NAT based router with a very select number of ports mapped to it.

Has my M$ centric world lulled me into a false sense of security?

Nothinman

Elite Member
Sep 14, 2001
Technically a default install doesn't have any of the patches. But think about how long it would take you to download them from WindowsUpdate; you'd be online that long unpatched. I have ~70000 nimda attempts on my Apache server that say you probably don't have enough time to download it before you're hit.

You say you use non-standard ports, which will stop things like nimda since they're not very smart. But if someone port scans you and sees you have IIS on another port they can manually try the exploits.

I personally don't trust IIS enough to put it on the Internet, even patched.
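Nothinman's count of Nimda attempts in an Apache log is the kind of thing you can measure yourself. As an added example (not part of the original thread), here is a small Python filter that parses constructed Apache combined-format log lines and tallies, per source IP, requests matching the well-known request paths probed by the 2001 IIS worm family (Nimda and Code Red). All IP addresses and log lines are constructed for illustration, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2001:10:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.10 - - [19/Sep/2001:10:02:12 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.10 - - [19/Sep/2001:10:02:13 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [19/Sep/2001:10:05:44 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 210 "-" "-"
203.0.113.5 - - [19/Sep/2001:10:06:01 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Sep/2001:10:07:20 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
"""

# Fields of the combined log format we need: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request paths the 2001 IIS worms probed for: a shell copied to root.exe,
# cmd.exe reached through directory traversal, or the .ida ISAPI extension.
# Against a non-IIS server these requests just 404, which is exactly why
# they pile up in an Apache log as evidence of how noisy the scanning was.
WORM_PATH_RE = re.compile(r"(root\.exe|cmd\.exe|default\.ida)", re.IGNORECASE)


def parse_line(line):
    """Return (ip, path, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def count_worm_probes(log_text):
    """Tally worm-style probe requests per source IP across a whole log."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or malformed lines rather than crash
        ip, path, _status = parsed
        if WORM_PATH_RE.search(path):
            hits[ip] += 1
    return hits


if __name__ == "__main__":
    for ip, n in count_worm_probes(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} worm probe(s)")
```

Point it at a real access_log and the per-IP totals show how quickly an exposed server is probed, whether or not it runs IIS; the legitimate 200 request is left out of the tally.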