I met Roger Grimes through Windows IT Pro magazine conferences and events. He's a great guy with whom I have a lot in common. Trainer, speaker, author kinda guy. You don't meet many people who can talk well about technology, who can also teach, and who can also write - but he's good at all of that. So I was interested in his idea of creating an IIS 6 server and inviting the world to hack it. Like me, he's really tired of the myth that IIS is an insecure platform. People who know me know that I would be one of the first to say if this was otherwise, LOUD and clear, but it ain't so. So I say loud and clear, IIS is a secure platform. Debunking IIS mythology is one of the things I love to do - inside and outside Microsoft. For example, it's a myth that scripts need Execute permission. There's a lot of IIS documentation that says they do - but they don't. Ditto for the IUSR account requiring Log on Locally rights - it never has required that, but it is a persistent myth. I've done presentations galore on these myths, but none is more persistent than "IIS is insecure."
Now to be sure, IIS 5 gold out of the box is highly insecure. Those days are gone, and a properly hardened IIS 5 server is very secure indeed. You may not believe it, but there are thousands upon thousands of IIS 5 servers out there with mission critical, publicly accessible web applications that have never seen a successful breach. IIS 6 SP1 out of the box is a secure installation, and I challenge anyone who says otherwise.
In fact, if you can find a security hotfix for IIS 6 - let me know. I mean a critical security update to IIS 6 binaries, not to services that IIS 6 uses, such as asp.net. People never seem to blame Apache for problems with PHP, but an asp.net issue somehow gets lumped in as an IIS issue. To be fair, asp.net runs exclusively on IIS and they are both Microsoft products, so there is a big bucket called "Microsoft web delivered applications" that you can point at as a cumulative indicator for security issues and get bigger numbers than zero - however, just do the same on Apache/*nix and compare. Apples to apples, as it were.
So Roger is putting up the server and we'll see what happens! Hackiis6.com.
-brett
© Copyright 2008, Brett Hill