Windows vs Linux vs Common Sense


rizzoid
04-12-2005, 11:52 AM
I'd highly recommend against running IIS. It's incredibly unreliable and still has a significant number of security vulnerabilities.

Just install Apache should you feel inclined to host your own forums.

As for phpBB and vBulletin, there are other options available.

Sanchek
04-12-2005, 11:58 AM
I'd highly recommend against running IIS. It's incredibly unreliable and still has a significant number of security vulnerabilities.
Unless you actually upgrade from IIS 3.0. Running a standard Unix install from the 90's is just as insecure as a MS one.

Palimax Sceleris
04-12-2005, 01:47 PM
I'd highly recommend against running IIS. It's incredibly unreliable and still has a significant number of security vulnerabilities.

That's a pretty vague bit of FUD there, don't you think?

fildien
04-12-2005, 01:55 PM
Unless you actually upgrade from IIS 3.0. Running a standard Unix install from the 90's is just as insecure as a MS one.

^^ true story

Malse
04-12-2005, 02:34 PM
Unless you actually upgrade from IIS 3.0. Running a standard Unix install from the 90's is just as insecure as a MS one.


Digging up a Solaris 2.1 install from 1992 is just a little different from installing from the factory provided XP CDs with your shiny new Dell paperweight. Any given idiot is far more likely to end up with a highly vulnerable IIS install than pretty much anything else, even stuff that runs on Windows.

Sanchek
04-12-2005, 02:52 PM
That's comparing apples and oranges. A standard install of 2003 server starts out with absolutely everything locked down. You'd have to put a bit of work into making it vulnerable. You must be talking about something years old, or something not intended for server use.

Making a case out of IIS' old insecurities is no more valid than pointing out all of the sendmail exploits past.

Palimax Sceleris
04-12-2005, 03:00 PM
Sanchek got it right, and Malse, apparently, just likes beating the same old drum.

Given a "moderately technical" person - one who, say, had to ask on a bulletin board what bulletin software to run - they're going to have, at best, a moderately secure Linux implementation of Apache + dependencies, and a reasonably secure Server 2003 install -- because for the novice, the 2003 install is well hardened, and really "just works."

Don't get me wrong, it's not like a new SUSE install isn't reasonably well hardened, but we could play the "pick a distribution" game for the next month.

The Microsoft-Hate here might be earned, deserved even - but it continues to fall off the mark.

And, by the way, your factory provided XP-SP2 CD from Dell has the firewall enabled, has no RPC exploits, and is auto-update enabled. There's no mythical 15-minute internet ownage on that machine.

Rybit
04-12-2005, 03:30 PM
The bottom line is that it's the user who makes the software secure, not the server that makes the server secure. Even if the software you use has the fewest reported cases of successful hacks, an incompetent user will make any software vulnerable. My biggest pet peeve is that people seem to say that the software makers are always at fault, but sometimes people blame them more than they deserve, or give them a little too much credit.

However, there are a few reasons why vBulletin is inherently more secure than phpBB: they have a paid staff maintaining the code; they are very prompt to fix cross-scripting and SQL insertion, and hire third parties and offer bounties for security holes; you have to pay to get vBulletin, so the code falls into fewer hands; and above all else, vBulletin just handles sessions and security much more securely. phpBB also isn't the best-coded software I've seen. I've tried to decipher the code, but there is no consistent standard. It's the number one reason so many security holes exist for phpBB and the number one reason that phpBB is the target of so many hackings. They still have SQL insertion bugs all over the board, and it's not too hard for an average user -- or hell, a twelve year old kid who can't spell his own name, for example, who hacked the necro boards -- to exploit a phpBB. If you go with phpBB, you will want to upgrade often and early.
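The bug class Rybit is pointing at above, shown as an added example that is not part of this thread and is not phpBB's or vBulletin's code: a forum login lookup written the vulnerable way (request values spliced into the SQL string) next to the same lookup with bound parameters. It runs against an in-memory SQLite table so it works offline; the table, the two users and the two payloads are constructed for the example, and passwords are stored in the clear only to keep it short. The fix carries over directly to PHP: mysqli or PDO prepared statements do for MySQL what the `?` placeholders do here.

```python
import sqlite3

# Constructed sample data for this example: a minimal forum user table.
SAMPLE_USERS = [
    ("admin", "hunter2", 1),
    ("alice", "correct horse battery", 0),
]


def make_db():
    """Build an in-memory SQLite database standing in for the forum's MySQL tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable lookup: request parameters are spliced into the SQL text,
    so quote characters in the input change the query's structure."""
    sql = (
        "SELECT id, username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Hardened lookup: the same query with bound parameters, so the input is
    passed as data and never reaches the SQL parser as syntax."""
    sql = "SELECT id, username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Two classic payloads, constructed for the example.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"   # sent as the password field
PAYLOAD_COMMENT = "admin'--"         # sent as the username; '--' comments out the rest


def demo():
    """Run both lookups against both payloads and return which row each one logged in."""
    conn = make_db()
    return {
        "unsafe_tautology": login_unsafe(conn, "admin", PAYLOAD_TAUTOLOGY),
        "safe_tautology": login_safe(conn, "admin", PAYLOAD_TAUTOLOGY),
        "unsafe_comment": login_unsafe(conn, PAYLOAD_COMMENT, "anything"),
        "safe_comment": login_safe(conn, PAYLOAD_COMMENT, "anything"),
        "safe_real": login_safe(conn, "alice", "correct horse battery"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:17s} -> {row}")
```

With the tautology payload the unsafe query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the first row (the admin) comes back without any password; with the comment payload the password check is commented away entirely. The parameterised version returns nothing for both payloads and still finds alice with her real password. Escaping quotes by hand is the usual half-fix and is exactly what keeps going wrong in forum code; bind parameters instead.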

Malse
04-12-2005, 03:53 PM
Uh, drum beating? I think I've posted a grand total of 0 things on the subject until today, and it's not for lack of experience, but arguing with people over their platform choices is about as productive and amusing use of my time as rubbing my face on sandpaper.

I've never had a reason to use NT5.2003, but unless they have fundamentally restructured the IIS security model, that somebody hasn't found whatever lurks for the unwary is really just a matter of time. If they're finally paying attention to basic security practices from 1995 and turning off Computer Browser and Print Spooler, that's a great start and maybe after a few years in the field (and when they've caught up to 2000 when everybody BUT them near perfected safe execution environments) it might be somewhat trustable. Meanwhile you guys can argue over which flavor of Linux tastes best when tossing salads.


Heh, speaking of immunity to internet ownage, someone just copied me an NTBUGTRAQ mailing from earlier today ...


Oh yeah, and I wanted to agree with Ryb about VBulletin versus PHPBB. Given I've had some clandestine encounters with both, one of them is significantly more likely to be accommodating to unauthorized access.

Sanchek
04-12-2005, 04:46 PM
The thing about IIS is that I've had a 2000 web/ftp server, running MSSQL 2000, sitting on my home network for years. It's completely exposed, no firewall, no nothing. I let Windows Update patches run automatically and do no other maintenance to it. It doesn't even have a monitor connected, and the batteries in its keyboard have been dead for over a year. I've yet to have any trouble at all with it.

Even scarier is, I'm connected right now to a SQL Server 6.5 production server running on NT 4.0 at work. No VPN or anything. Just SQL Server authentication protecting it. We've never had a problem with it either (though, there's no other external access to that machine on other ports).

I just have a hard time meshing the "OH NOES M$ IS INSECURE!!!" with my actual experience using it. Especially given I've spent maybe 5 minutes administering anything security related on my home server, after installing it with default settings.

mirdorr
04-12-2005, 06:05 PM
"OH NOES M$ IS INSECURE!!!"

On that topic - hey! another IM virus attack today.

Ibudin
04-12-2005, 06:38 PM
I too have had IIS running for almost a year and still haven't bothered to update to service pack 2, run no firewall or anti virus, and still to this day run fine. I am not totally worried about having to re-install anything anyways (although Visual Studio sucks to install ..too many CD's) and if I was to install PHPBB it would be for an "intranet" within my department for fun.

Can linux run ASP.NET applications? That's pretty much all I play around with these days anyways.

By the way not saying IIS is great but all I ever hear is its super dangerous and WATCH out omg you're going to get hacked. Suppose if I had anything worth a crap to worry about losing I'd actually look into it.

Palimax Sceleris
04-12-2005, 06:49 PM
I've never had a reason to use NT5.2003

Then perhaps you shouldn't speak on the subject of running IIS.

fildien
04-12-2005, 06:51 PM
Well, I got SMF running. I had started mysqld using the user "mysql" after solving a few rights problems last night concerning /usr/share/mysql and some /var/lib directory.

After that, I got stuck when running the "install.php" page. I tried all kinds of things while using the username 'mysql.' Wouldn't work. Also, I don't know if there's a password somewhere in mysql for the user mysql. I attempted to change it last night using the mysqladmin command, but couldn't.

A support person on their BBS suggested I use user 'root' on the install.php page, and that worked right off the bat.

Of course, this means that I now have a forum running using a database that is using the 'root' user, which doesn't make me happy. I have to figure out how to fix that and get it to use the user 'mysql.'

Several people have recommended I get phpadmin or something like that to help with administration chores; I'll have to hunt it down tonight.

If you had to use the root account, it sounds like you have some sort of perms problem, maybe even group or ownership issues. I have very little exp with mysql but it seems to me it would be like other databases and have an admin-type account. Have you checked on the perms for your mysql account? Do you know if you have to create one? etc.
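One way out of the root-account situation described above, as an added example that is not from this thread and not from SMF's or MySQL's own documentation: the "mysql" Unix account that mysqld runs as is not a database login at all, so the forum needs its own MySQL account holding only the table privileges the application uses. The block below generates those statements (to be run as the MySQL root login, MySQL 5.0.2 or newer for CREATE USER), draws the password from the OS random source so it is never "mysql" or empty (Palimax's SA-is-SA problem, a few posts down), and includes a small check over SHOW GRANTS output that flags global scope or administrative privileges on an application account. The database name `smf`, the account `smf_app` and the SHOW GRANTS lines are constructed for the example.

```python
import re
import secrets

# The names are spliced into DDL, so they are checked against a whitelist first
# (assumption for this example: plain identifiers, no quoting games).
IDENT_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
HOST_RE = re.compile(r"^[A-Za-z0-9_.%-]{1,60}$")

# What a running forum needs on its own schema, and nothing more.
APP_PRIVS = ("SELECT", "INSERT", "UPDATE", "DELETE")

# Privileges that have no business on an application account.
BROAD_PRIVS = {"ALL PRIVILEGES", "SUPER", "FILE", "PROCESS",
               "SHUTDOWN", "RELOAD", "GRANT OPTION"}


def new_password(nbytes=24):
    """Random URL-safe password; unlike a typed one it is never 'mysql' or empty."""
    return secrets.token_urlsafe(nbytes)


def grant_script(db, user, host="localhost", password=None):
    """Return (statements, password) that create a least-privilege forum account."""
    if not IDENT_RE.match(db) or not IDENT_RE.match(user):
        raise ValueError(f"refusing to splice an unsafe identifier into DDL: {db!r}, {user!r}")
    if not HOST_RE.match(host):
        raise ValueError(f"unsafe host pattern: {host!r}")
    password = password or new_password()
    # MySQL string-literal escaping for the one free-form value in the script.
    literal = password.replace("\\", "\\\\").replace("'", "\\'")
    account = f"'{user}'@'{host}'"
    statements = [
        f"CREATE USER {account} IDENTIFIED BY '{literal}';",
        f"GRANT {', '.join(APP_PRIVS)} ON `{db}`.* TO {account};",
        "FLUSH PRIVILEGES;",
        f"SHOW GRANTS FOR {account};",
    ]
    return statements, password


GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ", re.IGNORECASE)


def audit_grants(lines):
    """Flag over-broad entries in SHOW GRANTS output for an application account.
    'GRANT USAGE ON *.*' is MySQL's way of saying 'no global privileges' and is fine."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = GRANT_RE.match(line)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if line.upper().endswith("WITH GRANT OPTION"):
            privs.add("GRANT OPTION")
        if m.group("scope") == "*.*" and privs != {"USAGE"}:
            findings.append(f"global scope: {line}")
        broad = privs & BROAD_PRIVS
        if broad:
            findings.append(f"broad privilege {sorted(broad)}: {line}")
    return findings


# Constructed SHOW GRANTS output: first for the root login the install page was
# run with, then for the dedicated account the script above creates.
ROOT_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
APP_GRANTS = [
    "GRANT USAGE ON *.* TO 'smf_app'@'localhost' IDENTIFIED BY PASSWORD '*0123'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `smf`.* TO 'smf_app'@'localhost'",
]


if __name__ == "__main__":
    stmts, pw = grant_script("smf", "smf_app")
    print("\n".join(stmts))
    print("# put this in the forum's database config:", pw)
    print("root findings:", audit_grants(ROOT_GRANTS))
    print("app findings: ", audit_grants(APP_GRANTS))
```

Run the printed statements as root, put the generated password in the forum's config file, and re-run the install or settings page as the new account. The audit deliberately treats the `GRANT USAGE ON *.*` line as harmless, since MySQL emits it for every account; what it objects to is `*.*` scope with real privileges, or any of the administrative privileges, which is exactly what the root login the support person suggested carries.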

Palimax Sceleris
04-12-2005, 06:54 PM
IIS or Apache, you're much more likely to run into the next PHP bug, or the next MySQL bug that the author of your bulletin board of choice didn't realize he needed to code for.

If you're having someone host for you, they're going to spend their time managing keeping those things patched, forcing you to use vastly complex passwords for your SQL environment (I can't BEGIN to tell you how many SA passwords are SA or null).

Pick a forum that you like the look and feel of, and play with it. See if you like the administration interface. PHPBB is *pretty good*, but they're all going to take regular patching. At least if someone else runs the backend for you, you're only going to have to worry about keeping ONE piece of software patched.

Palimax Sceleris
04-12-2005, 07:02 PM
Oh, and, FWIW, running any of the PHPBB-based message software is as simple as uploading the files to your hosting company, having them enable SQL and PHP for your account, editing ONE file to include your SQL credentials, and running the first-run page.

rizzoid
04-12-2005, 10:37 PM
Unless you actually upgrade from IIS 3.0. Running a standard Unix install from the 90's is just as insecure as a MS one.

I made no reference to operating systems. I will stand by my IIS statement.

Should one be interested in hosting their own forums, they would be wise to seek wisdom from knowledgeable sources on the internet other than just here.

For the volume of traffic they are doing, though, I fail to see why they don't just use EZ Board. Sure, they'll get some banners, but it's not really *that* bad. Free, too.

Sanchek
04-12-2005, 11:19 PM
What, are you a politician? Let's talk about Mustangs and Camaros, but say we aren't talking about car brands.

Rybit
04-12-2005, 11:39 PM
I've kinda shied away from the whole .NET thing. If I want to rapidly build Web-based ASP-type applications, I use Coldfusion on top of Java since I can call custom Java classes, I can use JSP and instantiate servlets, and it runs on Windows, Linux, BSD, Solaris, and what not. For example, I can resize images using Java just using a few lines of code:

<!--- Instantiate the custom Java class ImageUtils and expose it to CFML as "iu" --->
<cfobject type="java" name="iu" class="ImageUtils" action="create">
<cfset loaded = false>
<cfset result = false>
<cffunction name="load" access="public">
    <cfargument name="filename" type="string" required="true">
    <cfscript>
        iu.load(arguments.filename);
        loaded = true;
    </cfscript>
</cffunction>

It's ridiculously easy to use Coldfusion; the language and syntax is so simple that I don't mind paying for what is in short a very sophisticated taglib. I could use JSP, but why just stick with JSP when I can use JSP as well as embedding it with Coldfusion? Who wants to code the ridiculous logic of handling mundane tasks?

Sure, there are other free JSP technologies such as JSP+JSTL that offer similar functionality. But Coldfusion is fast and easy to use. That's important for any business project. Unless I need to use a Struts framework, etc, I'll develop everything quickly and easily with Coldfusion and combine it with Java when warranted. But, wait! There's no need for that either when you can use Coldfusion to

- use existing Java Frameworks (STRUTS and others),
- use JSP tags/taglibs (JSTL and others),
- interoperate with JSP pages,
- use Java servlets,
- use Java objects, including JavaBeans and Enterprise JavaBeans.

The best developed WEB enterprise apps I've used are all written in Java. I'll be honest: I write my client programs in C++ and interoperate with the Java servers we use. Some software we just gotta use C++ and assembly because we need access to low-level system functionality. But for most applications, it suffices. Our accounting system, JD Edwards, integrates easily with Java.

Of course, there is ALWAYS a need to use C/++, assembly, and the like, just not dot-NET.

Malse
04-13-2005, 07:32 AM
I made no reference to operating systems. I will stand by my IIS statement.

That's because it's easier to call you a Linux bigot (even though you never mentioned it) and say that if you didn't install IIS on Win2003.r5201 from a CD pressed yesterday and pray the current remote execution vulnerabilities don't affect you, you obviously have no understanding of the subject matter and are just repeating something you read off your linux-on-bill-gates intarweb hate sites. The irony runs deep around here.


However, I really can't ever recommend EZboard to anyone. I know it looks easier, but invariably you're going to want to do something it doesn't, or have to put up with something it does. We procrastinated about moving forums off EZboard for years, and when we finally did it was like night and day, and ended up being overall less expensive.

Sanchek
04-13-2005, 09:05 AM
That's because it's easier to call you a Linux bigot (even though you never mentioned it) and say that if you didn't install IIS on Win2003.r5201 from a CD pressed yesterday and pray the current remote execution vulnerabilities don't affect you, you obviously have no understanding of the subject matter and are just repeating something you read of off your linux-on-bill-gates intarweb hate sites. The irony runs deep around here.
Says Malse, after he failed to do anything but DoS my DMZ Windows 2000 machine, from an install that's 6 years old!
Can linux run ASP.NET applications? Thats pretty much all I play around with these days anyways.
I hear the mono project (http://www.go-mono.com) works pretty well. Seems like a lot of extra work though, compared to using IIS. I'm assuming they'll be way behind on 2.0 support too.

Grift3r
04-13-2005, 10:38 AM
Says Malse, after he failed to do anything but DoS my DMZ Windows 2000 machine, from an install that's 6 years old!

The irony runs deep around here.

Does it ever . . .

Malse
04-13-2005, 11:01 AM
I ran a portscan. My external machines get about 20 of those a day. Apparently that was enough to DoS his Win2k machine. Incidentally his machine is in fact fairly secure .. because it's not actually running anything that listens externally, specifically not IIS -- definitely factory install, riiiight.

Sanchek
04-13-2005, 11:08 AM
Hey, like I said, I administered it for about 5 minutes when I installed it. Just changed one dropdown box in the default IIS admin tool. Nothing special.

I dunno why I got the DoS effect. The portscan might have pissed off my ISP or something, is all I can figure.

Malse
04-13-2005, 11:34 AM
Yeah, the IIS admin tool definitely reconfigures stuff like Server and the RPC listener to not bind to specific interfaces. You're "safe" because your ISP has aggressive filtering upstream, which is a remarkably good idea since I know you're smarter than the average person running a Windows server.

Still a ringing recommendation of IIS' security that you leave it off.

Sanchek
04-13-2005, 12:00 PM
I didn't say I turned it off. I've got ten or so sites running on different ports on that server. I can't work without using IIS.

rizzoid
04-13-2005, 12:06 PM
That's because it's easier to call you a Linux bigot (even though you never mentioned it) and say that if you didn't install IIS on Win2003.r5201 from a CD pressed yesterday and pray the current remote execution vulnerabilities don't affect you, you obviously have no understanding of the subject matter and are just repeating something you read of off your linux-on-bill-gates intarweb hate sites. The irony runs deep around here.

The surprising part is that I have always been a supporter of the Linux kernel and GNU-based operating system, having run System V in the late 80s, then MINIX-PC, then making the switch to Linux in '93.

However, it was around the time that Microsoft acquired the brains behind the DEC VAX/VMS system and began producing Windows NT that I started looking at the Microsoft offerings again.

Once 2000 (and later 2003) came on the market, the path was clear and I have largely only run their software since then, having chosen Windows XP Pro for my own personal use at home and my office desktop unit, though my web and database servers run Linux.

Synopsis: I believe any modern OS will get the job done, and it all comes down to personal preference. IIS, however, is a piece of crap. Microsoft should really re-evaluate their product and make some fundamental changes so that it may prove competitive on the market.

As for the mentions of PHP, ASP and Java, there are still other alternatives, which are quite popular: Perl, Ruby, Python, etc.

Sanchek
04-13-2005, 12:23 PM
I'm still waiting for someone to show me proof that IIS is so bad, in its current incarnation.

Maybe I'm not looking hard enough, but I've yet to find a development platform I like as much as c# against the upcoming version of SQL Server. And again, I've yet to see a security breach caused by running up to date versions of IIS and Windows Server.

fildien
04-13-2005, 12:25 PM
I've yet to see a security breach caused by running up to date versions of IIS and Windows Server.

Quite honestly this is the key point made here. If you keep your crap up to date you won't have issues. I don't care what platform you run on.

Grift3r
04-13-2005, 01:04 PM
so that it may prove competitive on the market.

You must be referring to the "run a web server in my basement" market because it sure as hell isn't the corporate world. IIS remains the most widely used web deployment software. While us techno-geeks may find that hard to believe it doesn't make it any less true.

mirdorr
04-13-2005, 04:39 PM
If you keep your crap up to date

Sure. Caveat: Run it in a production/factory environment where downtime is extremely difficult to obtain (always gotta reboot for a Windows update). You can become pretty vulnerable pretty fast.

rizzoid
04-13-2005, 06:18 PM
You must be referring to the "run a web server in my basement" market because it sure as hell isn't the corporate world. IIS remains the most widely used web deployment software. While us techno-geeks may find that hard to believe it doesn't make it any less true.

This Netcraft monthly survey (http://news.netcraft.com/archives/web_server_survey.html) shows Apache as the clear and decisive winner over the Microsoft offering. To quote their listed results which are found a bit further down the page:

Apache hit another milestone earlier this month when our Web Server Survey found 40 million sites now running on the Apache server, which powers nearly 70 percent of web sites.

For reference, IIS's market share, which has been declining the past two months, is just 20.55%.

If you are instead referring to, or including, internal networks, then keep in mind that the number for those would be nearly impossible to calculate without the potential for biased data.

And before people bring it up, I understand that NetCraft's results may be flawed, but they are certainly the most comprehensive available as of this date.

Trikki
04-13-2005, 07:05 PM
nerds

Travesty
04-13-2005, 09:52 PM
KMFMS, enough said.

http://www.kmfms.com/

or read the leaked Microsoft memos.

http://www.opensource.org/halloween/halloween2.php

Taleren Bloodsong
04-13-2005, 10:51 PM
that almost looks like KMFDM's website

www.kmfdm.com

Palimax Sceleris
04-13-2005, 11:12 PM
You can't both make Netcraft the focus of your post and then say you don't want to debate its validity.

Apache probably serves more pages than IIS. Probably. But all of those $7/mo costing companies -- they're running Apache. Those million free pages they gave out at 1&1? They all represent a "hit" on Netcraft, and only represent one server. Sure, there's IIS servers like that too; but I'm pretty CERTAIN that the number of installed PROCESSOR SEATS for IIS and Apache is a lot less than 80-20 like Netcraft thinks it is.

Travesty
04-14-2005, 02:35 AM
that almost looks like KMFDM's website

http://www.kmfdm.com

Wow, Captain Perceptive strikes again..

Grift3r
04-14-2005, 09:33 AM
And before people bring it up, I understand that NetCraft's results may be flawed, but they are certainly the most comprehensive avaialble as of this date.

Actually I'm not, but good point.

I qualified my statement when I made it. The survey you refer to is gathering results from every tom, dick, and harry on the web. There was never any doubt in my mind Apache would have more hosted sites, it's free and readily available to the masses of computer nerds out there willing to put up a site in their basement.

Here's a stat for you:

. . . of all Fortune 1000 servers, 53.8% are run on IIS compared to 21.2% on Apache. (http://redmondmag.com/features/article.asp?EditorialsID=471)

Just so we can keep this all in perspective.

fildien
04-21-2005, 12:55 PM
Interesting.

http://www.webpronews.com/news/ebusinessnews/wpn-45-20050421BallmerAnnouncesMicrosoftSupportForLinux.html


We've added support for non-Windows virtual machines being hosted on top of our Virtual Server product, including support for Linux. Remember what I said earlier about interoperability? We're really believing that. We know folks are going to want to run Windows systems and Linux systems and other systems together on top of our Virtual Server and Windows. You'll see support for that later in the year.



EDIT:

http://www.microsoft.com/presspass/exec/steve/2005/04-20ManagementSummit.asp

Palimax Sceleris
04-21-2005, 01:38 PM
VMWare with ESX and GSX server has been hosting Linux and Windows-based OSs on both Windows and Linux OSs for a long time.

VMWare GSX server is for both Windows and *nix, and can host both Windows and *nix (and other) OSs.

VMWare ESX server is its own OS (a *nix base) that can host both Windows and *nix (and other) OSs.

ESX is their "enterprise" solution. GSX makes a better host for, say, a training room or lab that needs a multi-machine low-load environment. GSX is basically "advanced VMWare workstation."

I *live* in VMWare.

fildien
04-21-2005, 01:50 PM
I haven't messed with it much, but our NT guys here do.... I don't think in any "production" environments though. What do you use it for Pali?

So basically this is MS saying their version of VMware now supports open systems? lame...I didn't catch that at first.