[2874] in WWW Security List Archive

home help back first fref pref prev next nref lref last post

Re: Security aspects of Microsoft FrontPage server extensions?

daemon@ATHENA.MIT.EDU (John Cronin)
Mon Sep 2 10:28:25 1996

From: John Cronin <John.Cronin@oit.gatech.edu>
To: markc@vv.com.au (Mark Constable)
Date: Mon, 2 Sep 1996 08:25:03 -0400 (EDT)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <32283665.14CBDDA2@vv.com.au> from "Mark Constable" at Aug 31, 96 10:56:05 pm
Errors-To: owner-www-security@ns2.rutgers.edu

Once upon a time, Mark Constable told me this tale:
->
->Michael Mathieu wrote:
->
->> I'm Mike Mathieu, the Group Program Manager for the Vermeer Technologies
->> group at Microsoft.  I'm responsible for the design of FrontPage.  As of
->> ...
->
->I also just joined this list in the hope of discovering the state of
->openly available security standards on the web. There is one course
->of action that M$ could pursue that would satisfy a lot of concerns,
->release the source for the FP server extensions and encourage an open
->standard as a genuine solution for all of us.

I don't think this is something that Microsoft will ever consider.  It
just isn't in their mindset.  That is one reason that there will always
be a Unix or some other thorn in their side, for which I am grateful.
They want to dominate the world, and they want it to be by magic.  In
other words, you don't have to know what goes on inside, it's just magic,
and they, being wizards, know what is best for you.  Unfortunately for
them, they are not the only ones who know how to make the magic work,
and many people don't even agree that they know how to do it best.  I
certainly don't.

One of their biggest problems is that they know the individual non-networked
PC pretty well.  They are even beginning to figure out some of the basic
networking stuff.  But they don't seem to have the big business, it's a hard
world type of stuff figured out.  This is evident in the way they set up
FrontPage to work.  It is geared entirely towards the little guy with his
PC who wants a fancy web page, with very little thought about the guy who
has to support the machine that all these little guys (little in the sense
of the computing facilities they have, compared to the big guys) are attaching
to.  The sysadmins know that there seem to be a lot of security holes in
FrontPage.  The little guy doesn't see that and figures that it is the big
guy's problem anyway.  The sysadmins know that when (not if) there is some kind
of security breach because of Grand Canyon-sized holes in FrontPage, and the
little guy's web page gets DOJ'd or the server is crashed and nobody's web page
is available, the sysadmins will get the blame.  Not Microsoft, who would not
accept the blame anyway.  So some sysadmins decide not to put FrontPage on
their systems.  Users get mad and leave.  These sysadmins don't have a
favorable view of Microsoft.  Some other sysadmins are not as experienced and
they put FrontPage up without knowing the risks.  They get burned because of
the security problems.  Microsoft says "It's your fault, you didn't configure
it correctly" or something like that (even though it is at least partially
their fault in a lot of cases).  These sysadmins don't have a favorable view
of Microsoft.  Some other sysadmins grit their teeth and put up FrontPage even
though they know that there are problems - they just do the best they can
because if they don't, they will lose users.  They get burned by hackers
despite their best efforts.  They don't have a favorable view of Microsoft.

Point: Microsoft needs to start listening to the SysAdmins as well as the
end users, or they will have something that users consider pretty cool that
no sysadmin will put on their server, for good reasons.

->Anything less is a commercial posting which I personally find very
->distasteful.

I disagree with this statement.  While I am a Unix head, and will stick with
the virtual world in which source code is generally available, Microsoft has
so far made it without releasing source code, and as I stated earlier, I don't
believe they will in my lifetime.  So I won't buy any of their stuff for a
server.  I would rather go with Solaris or Irix or something, than use
Windows NT.  However, I believe it is possible to discuss the security issues
and problems with Microsoft FrontPage, IIS, etc without having them release
source code.  Despite the late addition to this group, it is a start.  The
question is, will Microsoft listen or lecture?  There seems to be a lot of
anti-Microsoft sentiment in this group, so I would suggest to Microsoft that
it is in their best interest to listen at first.  A lot of the people out
here know what they are doing.  If Microsoft can improve their products
(they have shown they can in the past, even if it doesn't necessarily please
everybody), then it is to the sysadmins' benefit, as well as the users'.

-- 
John Cronin
Office of Information Technology Customer Support Center 0710
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: john.cronin@oit.gatech.edu
phone: (404) 894-7563
