Alternatives to IIS

[Guest]

It's likely that I will have to find another web server
to use in place of IIS due to its poor security. We have
already developed a reasonable amount of code in ASP.NET
however. I've heard that Apache can't be used with
ASP.NET and that the Cassini server is used mostly for
testing purposes. What options do I have (barring
starting all over using Apache and PHP)? Will any other
servers work with ASP.NET?

Thanks,
Dave

 

[IbrahimMalluf]

heh...trolling?

explain poor security?

 

[Hermit Dave]

Well try your luck with win2k3.
See the problem earlier was that microsoft used to provide a default
configuration for anything you installed.
Not any more... they heard ya.... with win2k3... you have to configure it
before you can use it.
and its pretty amazing as well... but if you wish you can try
http://www.go-mono.com/

they are linix based first none microsoft (though microsoft did give them
the green to go ahead with it)
you can enjoy configuring your linix box and since it will probably take you
days if not months to configure it... it will atleast give a good impression
of better security. (plus you have your apache module as well...)

and do let us know how good mono's implementation of .net framework is....

HTH

HD

 

[Michael Pearson]

Firewall + all the IIS patches solved all of our IIS security problems.
It's a constant battle no matter what platform you are on. You've gotta
make sure you limit as much access as you can, and stay on top of updates
for the software. I think that pretty much goes for any platform.

IIS is the best platform to run ASP.net on as far as I've read.

Michael

 

[Cowboy \(Gregory A. Beamer\)]

The security issue is a bit overblown, depending on how you have IIS set up.
Most of the security problems are due to the lack of locking the service
down. Of course, MS did make a FUBAR in Windows 2k and earlier by leaving so
much stuff open (Better in Windows 2k than before). If you move up to
Windows 2k3, you have a much stronger IIS, as not much is installed by
default.

Having said that, there is not a lot of choice. Cassini is a lightweight
server. You could download the code and add additional features, if you are
so inclined, but that is more development. Apache might be an option, but
only on Linux, with something like Mono or DotGNU. As with most open source
projects, they are a bit behind the ball, so you might have to alter code to
go this route.

If the time to recode is large, I would consider locking IIS down prior to
scrapping the code.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

**********************************************************************
Think Outside the Box!
**********************************************************************

 

[Kevin Spencer]

No, no other servers will work with ASP.Net. However, you should brush up on
IIS security. It's really quite secure.

--
HTH,
Kevin Spencer
..Net Developer
Microsoft MVP
Big things are made up
of lots of little things.

 

[bruce barker]

your only alternative is mono project - not sure how far along their asp.net
is.

http://www.go-mono.com/asp-net.html

another approach is to use a firewall in front of the asp.net site, to
provide additional security. only open port 80, and only allow access to
asp.net site.

-- bruce (sqlwork.com)

 

[mikeb]

It's likely that I will have to find another web server
to use in place of IIS due to its poor security. We have
already developed a reasonable amount of code in ASP.NET
however. I've heard that Apache can't be used with
ASP.NET and that the Cassini server is used mostly for
testing purposes. What options do I have (barring
starting all over using Apache and PHP)? Will any other
servers work with ASP.NET?

Several possible solutions (most of which I've never tried, so they may
actually be worthless):

- Microsoft's IIS Lockdown tool can go a long way to making IIS secure.

- run something other than IIS as a proxy to an IIS machine hosting
the ASP.NET applications. While this doesn't remove IIS from the
picture, it reduces the 'attack surface'.

- Covalent (www.covalent.com) announced a while back (mid 2002)
that they supported ASP.NET running on Apache on Windows platforms.
However, when I poked around their site today (in response to your
question), they don't seem to mention it anymore, so they may have
dropped support for it.

- Mono claims to support ASP.NET:

http://www.go-mono.com/asp-net.html

- If Cassini can host ASP.NET, then I'd assume that you can write
your own Apache module to host ASP.NET and integrate it into Apache (or
something similar if you decide on a web server other than Apache). I
wouldn't be surprised if some has already done that for Apache.
Apparently, this is something the MOno project has done (for Apache and
with a stand-alone server written in C# called XSP).

 

[Jerry Boone]

You can also install software such as SecureIIS
(http://www.sunbelt-software.com/product.cfm?id=680) that actively monitor
what goes in and out of IIS via ISAPI. There is a great 10 minute video
that introduces the software quite thoroughly. The IIS Lockdown toolkit
from Microsoft is also a great way to "tighten" up security.

Putting this and a firewall together (as Michael Pearson recommends), along
with the updates will make for a bulletproof server worthy of serving secure
data for core financial institutions.