Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling

Re: Paranoid about web application security

by willyyam (Priest)
on Aug 09, 2005 at 13:14 UTC ( #482199=note: print w/replies, xml ) Need Help??

in reply to Paranoid about web application security

Apache is securable, as opposed to IIS, which cannot be secured. Apache on Windows does present a challenge though, because any accessible file or region of memory is potentially executable.

*NIX systems (Linux, BSBs, UNIX) can provide greater security through chroot jails and permission-based security. However, If you are not an experienced sysadmin with *NIX then the greater security of apache on *NIX may be negated by an inadvertent configuration error. OpenBSD is one of the most secure server systems, in that out of the box you can be reasonably sure that there are no significant vulnerabilities, and the most likely point of failure will be your script, which narrows your focus. In any case, you have lots of good advice above, so good luck. Security is not a solution, but a process involving vigilance.

  • Comment on Re: Paranoid about web application security

Replies are listed 'Best First'.
Re^2: Paranoid about web application security
by gellyfish (Monsignor) on Aug 09, 2005 at 18:54 UTC

    Apache is securable, as opposed to IIS, which cannot be secured.
    This sounds more like a statement of blind faith rather than a reasoned argument: I don't recall having heard of any disclosed vulnerabilities in IIS 6 (which is what you probably should be running as Windows 2000 has just gone out of support). Yes there were some absolutely horrible holes in IIS (I particularly remember the raw NTFS stream bug in IIS 3 with some amusement), but it strikes me that MS really are taking security seriously these days.

    Ideally you should have your web server behind a firewall anyway whatever OS it is running on, thereby preventing vulnerabilities in other parts of the OS making your web applications insecure.

    Of course if you know of any unpatched problems with IIS, maybe now is the time to be laying them out so the OP can make his own mind up based on the facts.

    Third party analysis of IIS 6 security can be found at:


      I spoke too soon. I was unaware that IIS 6 was available, or that it was better than previous versions - but it is, and it appears to be. I still contend that any Windows server is less secure by default than something like OpenBSD (designed from the ground up to be secure - as opposed to Windows, which is designed from the ground up to be easy to use for the most people), but if placed behind a sufficiently configured firewall, IIS 6 will probably be okay.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://482199]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others contemplating the Monastery: (5)
As of 2020-12-04 11:14 GMT
Find Nodes?
    Voting Booth?
    How often do you use taint mode?

    Results (58 votes). Check out past polls.