[Mapserver-users] Corollary to the McNierney Principal (or setting up Windows 2003)
Thorsten Fischer
thfischer at mapmedia.de
Sun Sep 7 07:54:15 PDT 2003
On Sat, 2003-09-06 at 03:32, Richard Greenwood wrote:
> I suspect that someone at Microsoft has followed Ed's logic and applied it
> to the security features in Windows 2003 Server / IIS 6.0. Here's the
> story. Earlier this week I had the displeasure of setting up Mapserver on a
> Windows 2003 / IIS 6.0 server. I've set up Mapserver on IIS enough times to
> be confident with the process, and I had a laptop with a functioning IIS /
> Mapserver installation at my side. But all I could get from the Windows
> 2003 / IIS 6.0 server was 404 errors.
>
> To make a long story short, Server 2003 and/or IIS 6 has a new top level
> "Web Service Extensions node" which has all dynamic content turned off by
> default. (A server that serves little or nothing is secure, hence the
> corollary to the McNierney Principal (and I think that a computer that is
> turned off may be even more secure)).
So, Microsoft is finally starting to get at least a little bit sensible
about these topics; they are finally making a good decision about
default configuration (forcing you to whitelist, i.e. disallowing
everything and then you have to turn on what you need), and you are
actually _complaining_? Now this is new. One of Microsoft's biggest
problems is that their default configurations are absolutely bonkers.
The way you described it is the way it should be done - at least in theory,
since I can imagine that they screwed it somehow anyway.
Apart from that, static content != no content. This is different for a
CGI application like MapServer of course.
And a computer is not a secure one just because it's turned off.
<voice mode="monk" chant="repeating chant">Security is not a state, it's
a process.</voice> :)
> You can enable scripting and executables in all the usual IIS places for
> individual virtual directories or entire web sites, but the top level
> default setting for the computer will override your settings for all web
> sites and virtual directories.
This is what a default setting is supposed to do, right?
But to be honest, your sentence is confusing me a bit; do you really
mean that a top-level setting is overriding every other setting all the
time? That would be a bit weird. I would expect it to define ... well, a
default, and then you make changes to whatever places, overriding the
defaults.
> And IIS Service Manager will give you no
> clue that it is doing this aside from generating 404 errors. The
> relevant MS pages are:
My favourite sentence from the first URL is the very first one:
"In order to take a more proactive stance against malicious users and
attackers, IIS is not installed on members of the Microsoft® Windows®
Server 2003 family by default."
Bravo! :)
> If you have read this far, I hope you realize that:
> 1. I am ranting (and I have a 12 oz aluminum can at hand)
So am I (without the can).
> 3. I have some disdain for Microsoft
Don't we all? :)
> Have a good weekend,
Yes, same to you. I will spend the remainder of mine finding out
why my various flavours of queries are breaking in MapServer 4.0. Oh,
the sheer joy of it! :)
thorsten
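The whitelist behaviour discussed in the thread (IIS 6.0's Web Service Extensions node denying all dynamic content until an entry is explicitly allowed) can be audited and narrowed from the command line with the iisext.vbs script that ships with IIS 6.0. The batch file below is an added example, not part of the original thread or of MapServer; the mapserv.exe path, the group name "MapServer" and the description are assumptions, and the /AddFile argument order follows the IIS 6.0 documentation as I recall it, so verify it against your server's help output before relying on it.

```batch
@echo off
rem Audit the IIS 6.0 Web Service Extensions list and allow only the
rem MapServer CGI binary; everything else stays at the default deny.
rem Run in a console on the Windows Server 2003 host as an administrator.
rem The path below is an assumption: adjust it to where mapserv.exe lives.
set MAPSERV=C:\Inetpub\cgi-bin\mapserv.exe
set IISEXT=cscript //nologo %windir%\system32\iisext.vbs

rem 1. Show which files the server currently allows (status 1) or
rem    prohibits (status 0). This is the list that produces the 404s when
rem    a CGI is missing from it or disabled.
echo === Current Web Service Extensions (files) ===
%IISEXT% /ListFile

rem 2. Register the MapServer executable as its own extension entry with
rem    status 1 (enabled), in a group named "MapServer" (assumed name),
rem    deletable (1), with a human-readable description.
rem    Assumed syntax: /AddFile Path Status GroupID CanDelete Description
echo === Allowing only the MapServer CGI ===
%IISEXT% /AddFile "%MAPSERV%" 1 MapServer 1 "MapServer CGI"

rem 3. Confirm the single entry is present and enabled. Do not switch on
rem    the blanket "All Unknown CGI Extensions" entry: that would re-open
rem    the exposure the default deny was meant to remove.
echo === Verifying the MapServer entry ===
%IISEXT% /ListFile | findstr /i mapserv
```

If the last command prints nothing, the entry was not added and MapServer requests will keep returning 404 regardless of per-site or per-virtual-directory script settings.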