How insecure is IIS 5?

[contra53]

i want to run a web server from my home with win2k, iis5 with all the latest upgrades. this will be a small site mostly for friends and family(<500 hits / month). some friends are into computers, is iis 5 easy to hack? can i run on my machine or should i make the server its own box? or should i go linux? should i run a different flavor of win - ie. server or win nt 4? win2k with apache?

thanks,

 

[Nothinman]

I still get thousands of hits a month on my Apache server from nimda infected IIS servers, if you don't know IIS at all don't put it on the Internet until you do. You couldn't pay me to put an IIS box on the Internet, even Apache on Win32 is better IMHO.

 

[Journeyman]

IIS5 is fine as long as you keep up with the patches. People who have problems with Nimda and the like are the lazy admins who don't. 2k Pro should be fine for that low volume - it allows for up to 10 simultaneous connections, which you'll probably not reach.

I've heard, though I haven't tried it myself, that Apache for Windows is a joke. This may or may not be the case.

If you've got a little box you can dedicate, it'd be a good learning experience, if nothing else, to set it up as a Linux server running Apache. Plus then you don't have to worry about the box getting fragged - none of your really vital stuff will be on there.

 

[Nothinman]

I've heard, though I haven't tried it myself, that Apache for Windows is a joke.

It's the exact same product, only difference is that it hasn't had as much testing because it's newer. I'm sure a few modules don't work because they are hard to port or don't make sense, but the important stuff like perl and php work.

IIS5 is fine as long as you keep up with the patches. People who have problems with Nimda and the like are the lazy admins who don't.

I know several admins that thought they were patched but weren't and they got hit. Of course if you follow all the securing IIS docs out there you'd be ok, but that's a lot more work than installing and using Apache which is safe out of the box.

 

[n0cmonkey]

Wait for MS Apac- I mean IIS 6.0. Until then, run apache.

 

[bot2600]

I have been running IIS 5.0 for over a year with no problems. I just make sure to check on updates on a regular basis and run it behind a firewall. Granted a firewall wouldn't help against Code Red type attacks, but most of the code red hoopla happened WAY after the patch was released to fix the problem. And checking frequently for updates and running behind a firewall is something you should do no matter what OS or webserver you are running.

Bot

 

[contra53]

i patch asap and do run behind a firewall - tiny personal firewall. also, how hard would linux be? never used it.

 

[bot2600]

Linux isn't necessarily harder, it is just a totally different mind set and if you are used to windows the transition can be....rough. Alot of people never make the transition at all, many decide it is not worth the effort. I don't know for sure if they are right are wrong. I like linux but spend most of my time in windows 2000, it is just easier to do the day to day there.

Bot