My heart, it breaks!
It doesn't take much to lock down IIS.
Security Operations Guide for Windows 2000 Server
Of course, UNIX systems are also vulnerable, as Bush2000 has pointed out numerous times, but that doesn't seem to get the press about Microsoft.
Companies that hire incompetent web managers get hacked no matter what.
Yes, that is the essential truth.
I had been using IIS on WinNT at work for development purposes, which, to my knowledge, no hackers were trying to get into. A version of the Nimda virus found the instance of IIS on my computer and proceeded to modify all sorts of files on my computer. Real nice. Granted, the network ops guys were asleep on the job, but this virus doesn't make its home in Apache, which I promptly switched to.
From SecurityFocus, a list of vulns by product for the last 4 years:
Apache 2.0
2002-06-17: Apache Chunked-Encoding Memory Corruption Vulnerability
One vuln.
Now, Microsoft IIS 5.0:
It is, in my opinion, professional incompetence to use MS IIS for any mission-critical web work.