IIS insecure? What about NetWare?

Many of you probably chuckled when research firm Gartner released a report a couple of weeks ago suggesting that users and companies should immediately begin investigating alternatives to Microsoft's Internet Information Services product.

Many of you probably chuckled when research firm Gartner released a report a couple of weeks ago suggesting that users and companies should immediately begin investigating alternatives to Microsoft's Internet Information Services (IIS) product.

The gist of the story was that, because attacks to IIS were proliferating through the use of viruses, worms and trojan horses, it might be prudent to switch to another web server such as Apache or iPlanet.

Those who chortled the loudest, though, appear to have short memories. Back in the pre-IIS and Windows NT days of Microsoft LAN Manager and NetWare 3, there were crackers. Yes, even in those long ago dark ages of internet computing when IP stacks were add-ons to DOS and Windows computers, there were worms and viruses and trojans. But they mostly attacked Unix systems because they were easy to reach over the internet, had holes and backdoors that were well-known and easily exploitable.

Those systems were also administered by people who didn't understand the security options of their systems.

As Microsoft computing came to dominate first the desktop, then the server space and finally the internet, it became a bigger target for the crackers, the bad guys and those with too much free time on their hands. Microsoft could be called an enabler, however. One reason why Microsoft systems proliferated was the Redmond machine's emphasis on ease of use.

I'm sure we've all heard from either a vendor, a client, a boss or a user who say we should dump NetWare and switch to Windows (NT, 2000, XP, et al) servers because they were so much easier to handle. But that very ease of use masked the ultimate complexity of securely operating the system. And Microsoft systems generally ship as open systems which need to be specifically configured for high security as the default levels are easily exploited.

So what does this mean to you and NetWare? NetWare and other Novell products have been getting lots of new "ease of use" functionality of late - there's the GUI Install, ConsoleOne, the Management Portal and NDS/eDirectory's iMonitor. Lots of new toys which let you "mouse around" the screen and "browse around" the network from somewhere across the room, the building, the campus -- even across the world. But just how secure is it? Have you thought about that? Have you implemented security, or simply accepted the defaults? Do you know what the vulnerabilities might be?

Try this. Go to Google or another favourite search engine. Put in the words "8008 imonitor" (port 8008 is one used by the iMonitor HTTP server) and follow some of those links. Look at all the information that's available: server names, tree names, even user names. If the information is as scary to you as it was to me, start reading about security. One good place to start is Limiting the Exposure of a NetWare Server in an IP World from the SANS Institute. If you thought you were secure because you were running NetWare, then it's time to feel a little fear.

Kearns is a Network World US columnist. Send email to Dave Kearns. Send letters for publication in Computerworld to Computerworld Letters.

Join the newsletter!

Error: Please check your email address.

Tags iisnetware

More about ApacheExposureGartnerGoogleiPlanetKearnsLANMicrosoftNDSNovellSANS Institute

Show Comments
[]