Banks' use of IIS ‘scary’

Three of the big four Australian banks rely on Microsoft's IIS as their preferred Web server, a technology widely regarded as insecure and a favoured target for hackers.

One IT professional who certainly knows the strengths and weaknesses of Internet Information Server (IIS) is Matt Whelan, technical director of ALC Training, who runs a three-day IIS hacking course.

"Consumers should hope that their local bank is employing the most proficient information security people in order to lock down their preferred Web server as the number of ways to break into its default installation is scary," he said, admitting that the high number of IIS exploits has given the server a bad name.

"If you put a lot of effort into [securing] it, it can be perfectly safe. However, 99 percent of IIS setups aren’t like that, so I’d be praying that the banks' ones are."

Part of the reason IIS is insecure, Whelan said, is that so many installations are not set up professionally; just clicking OK through the default installation leaves the server wide open.

According to Internet security services company Netcraft, three of the big four Australian banks rely on IIS for Web serving.

Netcraft’s January 2004 survey of more than 46 million Web sites found Microsoft serving 21 percent of them, while the open source Apache Web server served around 67 percent.

Of the four big banks, the NAB is the only one using Apache for its customer-facing Web site, according to Netcraft.

“It doesn’t matter if you choose Apache or IIS, the same amount of effort is required to protect them,” Whelan said. “Unix people are more aware [of vulnerabilities] and apply fixes, whereas IIS people don’t. A good example of this was the Blaster worm. But banks have knowledgeable people in that area and therefore would be less dangerous than others.”

A reluctance to change may be why banks still languish with version 4.0 of IIS, Whelan said, most probably because it is a “perfect configuration”.

One indication of the banks’ acceptance of Apache as a secure Web server is Westpac’s adoption of it for the company’s secure site. Adelaide Bank is also using Apache, running on the open source FreeBSD operating system, for its Web front-end, with IIS 5.0 on Windows 2000 for Internet banking.

If the banks are looking for an alternative to IIS, then Apache is mature enough and, due to its open source nature, more proactive when it comes to security, according to Brisbane-based security firm BSD Australia’s managing director Brian McKerr.

McKerr said that although Apache is inherently more scalable than IIS, a lot of security issues depend on the operating system it runs on.

“Apache is usually run on a more secure operating system than Windows, which IIS is tied to,” he said. “I recommend OpenBSD for Apache as it can’t be overlooked for edge security and there is no such thing as viruses for it.”

Bank                  Web server*                             Operating system*
(name not shown)      Microsoft IIS 4.0                       Windows NT/98
(name not shown)      Microsoft IIS 4.0                       Windows NT/98
(name not shown)      Microsoft IIS 4.0                       Windows NT/98
Bank of Queensland    Microsoft IIS 5.0                       Windows 2000
(name not shown)      Microsoft IIS 5.0                       Windows 2000
(name not shown)      Microsoft IIS 5.0                       Windows 2000
Bendigo Bank          WebSEAL 3.9.0                           Windows 2000
St George             Rethink! (formerly IIS 5.0)             Windows 2000
Adelaide Bank         Apache 1.3.26                           (not shown)
Macquarie Bank        Anonymous/1 (formerly Apache 1.3.26)    Solaris 8

* As indicated by Netcraft’s “What’s that site running?” query service.
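The table rests on the HTTP Server header each site returns, which is self-reported: the "Rethink!" and "Anonymous/1" entries show a bank can rename the banner without changing the software behind it. The following Python script, an added example that is not code from the article or from Netcraft, shows how such a lookup reads the banner and why a renamed banner is a weak disguise. The HTTP responses are constructed for the example, not captured from any bank, and the header patterns are assumptions covering only the products in the table.

```python
"""Identify a Web server from its HTTP response headers, the way a
Netcraft-style "What's that site running?" lookup does.

Added example, not code from the original article or from Netcraft. The
responses below are constructed for the example, not captured from any bank.
"""
import re

# Constructed responses: a default IIS 4.0, an IIS 5.0 with ASP.NET, an Apache
# 1.3.26, an IIS behind a renamed banner, and a server that sends no banner.
SAMPLE_RESPONSES = {
    "iis4": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\nContent-Length: 0\r\n\r\n",
    "iis5": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "apache": b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix)\r\nContent-Length: 0\r\n\r\n",
    "renamed": b"HTTP/1.1 200 OK\r\nServer: Rethink!\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "silent": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Assumed banner patterns for the products that appear in the table.
KNOWN_BANNERS = [
    (re.compile(r"^Microsoft-IIS/(\d+\.\d+)", re.I), "Microsoft IIS {}"),
    (re.compile(r"^Apache/(\d+\.\d+\.\d+)", re.I), "Apache {}"),
    (re.compile(r"^WebSEAL/(\S+)", re.I), "WebSEAL {}"),
]


def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP response into a {lower-case name: value} dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def identify(raw: bytes) -> dict:
    """Return the banner, the product it claims to be, and any contradicting clue."""
    headers = parse_headers(raw)
    banner = headers.get("server")
    result = {"banner": banner, "product": "unrecognised", "clue": None}
    if banner is not None:
        for pattern, label in KNOWN_BANNERS:
            match = pattern.match(banner)
            if match:
                result["product"] = label.format(match.group(1))
                break
    # The Server header is self-reported and can be rewritten (St George's
    # "Rethink!" in the table). Other headers often still give the product away:
    # X-Powered-By: ASP.NET is added by ASP.NET, which runs on IIS.
    powered = headers.get("x-powered-by", "")
    if result["product"] == "unrecognised" and "asp.net" in powered.lower():
        result["clue"] = "X-Powered-By: ASP.NET points at IIS behind the renamed banner"
    return result


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name:8} -> {identify(raw)}")
```

Renaming the banner keeps a site out of a survey's product column but does not remove the exploitable code; the missing or default Server header, the ASP.NET header, error page formats and response ordering all still identify the server to anyone who bothers to look.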