Netcraft Finds IIS Locked Down in Wake of Code Red

Web server monitor Netcraft has documented that sites running Microsoft's IIS are substantially more locked down for security in the wake of Code Red than they were before the outbreak of the worm.

"The combination of the Code Red worm and the first cumulative patch for Microsoft-IIS has significantly improved the security of Microsoft-IIS systems on the Internet," Netcraft wrote in the August edition of its monthly report on Web server usage.

Netcraft tests several hundred Secure Sockets Layer (SSL) sites each month as part of its business, which includes automated penetration testing, site audits and site monitoring.

In July, almost 35 percent of IIS SSL sites tested by Netcraft were vulnerable to Code Red. In August, vulnerable sites fell to 2 percent.

The increased attention to IIS security and the cumulative IIS patches released by Microsoft contributed to sharp declines in other vulnerabilities as well. The percentage of IIS SSL sites where the server paths were revealed dropped from 50 percent in June to about 6 percent in August. Sites where administration pages were accessible fell from nearly 36 percent in June to 10 percent in August.

However, one vulnerability is on the increase -- sites with the root.exe installed. Both sadmind/IIS and Code Red II install root.exe, which provides attackers with a live backdoor facility for remaining in control of a Web server.

The patches do not necessarily remove the root.exe facility, Netcraft noted. The percentage of IIS SSL sites with root.exe installed has risen steadily from around 6 percent in May to nearly 13 percent in August, according to Netcraft.

Netcraft also surveys millions of Web servers each month to determine what Web server software holds the greatest market share. In August, IIS was the only one of the three major Web servers to gain market share among all Web sites, Netcraft found.

IIS usage rose by 0.38 percent, while the open source Apache Web server dropped 0.2 percent and Sun-Netscape's iPlanet dropped 0.02 percent. Apache still runs on more than twice as many sites as IIS, which is about 10 times as common as iPlanet.

Netcraft said that it is too early to tell if the predictions of mass migrations away from IIS by users disgusted by Code Red and other IIS-related vulnerabilities will occur.

"Our data was collected at the start of the month, and we will have a clearer picture of whether Code Red has caused any significant movement away from Microsoft-IIS in September," Netcraft said.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


comments powered by Disqus

Subscribe on YouTube