Netcraft Finds IIS Locked Down in Wake of Code Red

Web server monitor Netcraft has documented that sites running Microsoft's IIS are substantially more locked down for security in the wake of Code Red than they were before the outbreak of the worm.

"The combination of the Code Red worm and the first cumulative patch for Microsoft-IIS has significantly improved the security of Microsoft-IIS systems on the Internet," Netcraft wrote in the August edition of its monthly report on Web server usage.

Netcraft tests several hundred Secure Sockets Layer (SSL) sites each month as part of its business, which includes automated penetration testing, site audits and site monitoring.

In July, almost 35 percent of IIS SSL sites tested by Netcraft were vulnerable to Code Red. In August, vulnerable sites fell to 2 percent.

The increased attention to IIS security and the cumulative IIS patches released by Microsoft contributed to sharp declines in other vulnerabilities as well. The percentage of IIS SSL sites where the server paths were revealed dropped from 50 percent in June to about 6 percent in August. Sites where administration pages were accessible fell from nearly 36 percent in June to 10 percent in August.

However, one vulnerability is on the increase -- sites with the root.exe installed. Both sadmind/IIS and Code Red II install root.exe, which provides attackers with a live backdoor facility for remaining in control of a Web server.

The patches do not necessarily remove the root.exe facility, Netcraft noted. The percentage of IIS SSL sites with root.exe installed has risen steadily from around 6 percent in May to nearly 13 percent in August, according to Netcraft.

Netcraft also surveys millions of Web servers each month to determine what Web server software holds the greatest market share. In August, IIS was the only one of the three major Web servers to gain market share among all Web sites, Netcraft found.

IIS usage rose by 0.38 percent, while the open source Apache Web server dropped 0.2 percent and Sun-Netscape's iPlanet dropped 0.02 percent. Apache still runs on more than twice as many sites as IIS, which is about 10 times as common as iPlanet.

Netcraft said that it is too early to tell if the predictions of mass migrations away from IIS by users disgusted by Code Red and other IIS-related vulnerabilities will occur.

"Our data was collected at the start of the month, and we will have a clearer picture of whether Code Red has caused any significant movement away from Microsoft-IIS in September," Netcraft said.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Windows 10 Preview Adds Windows Subsystem for Linux 2 on ARM64 Devices

    Microsoft's latest Windows 10 preview release for testers (build 18980), announced on Wednesday, includes support for version 2 of the Windows Subsystem for Linux, plus ARM64 device support for WSL 2.

  • Microsoft Defender Advanced Threat Protection Evaluation Lab Now Available

    The Microsoft Defender Advanced Threat Protection (ATP) Evaluation Lab is now ready for use by organizations.

  • How Organizations Can Adapt to SharePoint's 'Modern' Shift

    In a September interview, SharePoint expert Asif Rehmani described how users, developers and organizations are dealing with SharePoint Online's so-called "modern" innovations.

  • Microsoft Urges LDAP Workaround Fix for Windows Systems

    Microsoft updated an August security advisory this week to urge organizations using the Lightweight Directory Access Protocol in supported Windows systems to implement some configuration changes manually.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.