
iis security : IIS security statistics


Simon
1/30/2004 10:01:09 AM
I'm trying to sell an IIS web-based solution to a customer who believes IIS to be inherently insecure no matter how it is configured. This is a general feeling on their part rather than a well researched position. I obviously disagree, and am looking for any pages with statistics or facts which will reassure my potential customer.

Keith W. McCammon
1/30/2004 2:15:48 PM
You're not going to find 'em.

People who understand these types of systems understand that security is
almost entirely in configuration and countermeasures. There's no way to
quantify this, when you're comparing IIS to Apache to Stronghold, etc. It's
opinion.

I would argue that people who are ignorant enough to believe that they are
"secure" if they use Product A, simply because they believe that Product B
is insecure, are not capable of being swayed, because to sway would require
understanding of the technology and the principle.

Bottom line: Probably isn't worth your money. Even if you get them to buy,
they'll dedicate all of their downtime to blaming you and your insecure
system.

Don't mean to sound preachy, but I've been in this very same position a
number of times, and the only way to win is to refuse to fight. The time is
better spent talking to intelligent, reasonable people.


David Wang [Msft]
1/30/2004 10:26:53 PM
I think Keith nails it. Security is not about reputation but configuration,
and if the customer only believes in reputation and shuns configuration, it
is a losing battle.

The only way for this customer to "learn" is to misconfigure a supposedly
secure system by reputation, get hacked, and hopefully realize their
fallacy.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
I'm trying to sell a IIS web-based solution to a customer who believes IIS
to be inherently insecure no matter how it is configured. This is a general
feeling on their part rather than a well researched position. I obviously
disagree, and am looking for any pages with statistics or facts which will
reassure my potential customer.

Any help gratefully received.

Karl Levinson [x y] mvp
1/31/2004 5:05:16 PM
While I agree with the other two posts, if you don't have the luxury of
saying no to the business this customer could bring, I might suggest the
statistics somewhere at www.zone-h.org, where Linux / Apache web sites are
hacked at a much higher rate. Apache servers outnumber IIS, but not enough
to explain the stats at zone-h. You could also mention the recent hacking
detailed on the home page of www.debian.org

You and I know that such statistics are no guarantee that an individual web
server is going to be secure, but the customer doesn't seem to know. Most
of the zone-h hacks are low hanging fruit, and as long as you make sure you
aren't low hanging fruit, and you pick an OS that matches what your security
folks are most experienced with securing, they should do well. Pick an OS
that they have little experience with, and they won't.



Dominick(ISNYC)
2/2/2004 9:01:08 AM
That is not true; IIS can be secure if properly configured.

It's all about the configuration:
a webserver is only as secure as its administrator, and that applies to all operating systems.
Yes, design error is always a problem, but that is not the admin's fault.
This goes for all operating systems.

It would be nice to see MS get more involved in IIS, Email Server Security, and SQL Server Security also.
It needs to be looked at, and needs to be more secure for the future.

Good Luck,

jcochran.nospam NO[at]SPAM naplesgov.com
2/2/2004 5:52:24 PM
On Fri, 30 Jan 2004 22:26:53 -0800, "David Wang [Msft]"

Or blame the consultant... :)

Can you tell I work for the government?

Seriously, no good security person will ever claim they have never
been hacked. You learn by getting hacked. The best security people
are those who can say "I've never been hacked a second time..."

For some of us, the third time's the charm.
