Gartner: Another Windows 2000 flaw exposes Microsoft security weaknesses
Gartner (John Pescatore):
Another Windows 2000 flaw exposes Microsoft security weaknesses
The security flaw recently identified by Microsoft is only the latest in a long series of embarrassing exposures of software vulnerabilities in Windows 2000, primarily in its IIS Web-server component. This latest IIS vulnerability reveals the weaknesses inherent in Microsoft’s overreliance on issuing checklists designed to enable security-deficient software to be configured to make vulnerabilities less accessible. Gartner recognizes that Microsoft has begun to invest in improving its software-development and product-management processes to improve the security of the server operating systems (OSs) it will release in 2003 and beyond. Unfortunately, IIS predates any such focus on security at Microsoft—and it shows.
Enterprises using Windows 2000 in Internet-exposed applications must take serious precautions to ensure that IIS does not offer an open door to attacks by hackers and cybercriminals. Applying the Microsoft checklists (available at http://www.microsoft.com/security) are only the beginning. Gartner recommends that enterprises also use OS-hardening, policy-enforcement, host-based intrusion-detection or application-specific firewall software as part of all uses of IIS.
Enterprises that have not yet committed to IIS as their Web-server software should heavily weight security as a criterion in evaluating which Web-server software to use. Although IIS may come for free as part of Windows 2000, the operational costs of continually installing patches to address new IIS vulnerabilities—not to mention the cost of security incidents against IIS before it is patched—causes IIS to carry a very high total cost of ownership.
[via TechRepublic]
