Free Republic

Hack iis6 contest underway..
http://www.hackiis6.com/ ^ | 2005-05-05 | http://www.hackiis6.com/

Posted on 05/05/2005 12:52:05 PM PDT by N3WBI3

1) Most security breaches are caused by not following basic security guidelines and best practices. We want to put IIS 6.0 to the test to see if it is highly secure when you implement it correctly.

2) Because it's a fun way to engage with you, our audience!

3) It's a chance to share knowledge and demonstrate how to protect your system against hack attempts. Coming in our July issue, we'll publish an article "How to Set Up a Hackproof IIS" featuring Roger Grimes' recap of the contest, and sharing the secrets of how he created an impenetrable IIS environment.


TOPICS: Computers/Internet
KEYWORDS: hack; iis; microsoft
An IIS6 guy putting his money where his mouth is. I don't advocate hacking other people's boxes, but as a hardening test it should be interesting.
1 posted on 05/05/2005 12:52:07 PM PDT by N3WBI3

To: Swordmaker


2 posted on 05/05/2005 12:52:21 PM PDT by N3WBI3

To: N3WBI3
We want to put IIS 6.0 to the test to see if it is highly secure when you implement it correctly.

And your reasoning for this is ...?

3 posted on 05/05/2005 12:54:19 PM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)

To: ShadowAce

Ping


4 posted on 05/05/2005 12:55:20 PM PDT by stylin_geek (Liberalism: comparable to a chicken with its head cut off, but with more spastic motions)

To: N3WBI3

These kinds of things typically don't amount to much - even if it stays up, that's hardly proof of invulnerability. Frankly, if I had a reliable, repeatable way of cracking into IIS, I'd want a heck of a lot more than an XBox in exchange for that information.


5 posted on 05/05/2005 12:55:48 PM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)

To: N3WBI3

I know I'm going to look at this, simply because we do multi-million-dollar secure bank transactions where I work. And the sites require IE.


6 posted on 05/05/2005 12:56:41 PM PDT by stylin_geek (Liberalism: comparable to a chicken with its head cut off, but with more spastic motions)

To: softwarecreator
And your reasoning for this is ...?

I would bet it is to test to see if it is highly secure when you implement it correctly.

7 posted on 05/05/2005 12:57:01 PM PDT by Flyer (If I were 8 pixels tall I could fit in my tag line)

To: general_re

You get to say that you're the guy who hacked IIS. Nobody really cares about the XBox and most contestants aren't interested in that anyway.


8 posted on 05/05/2005 12:58:56 PM PDT by t_skoz ("let me be who I am - let me kick out the jams!")

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

9 posted on 05/05/2005 1:05:50 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: N3WBI3

huh...? oh.
10 posted on 05/05/2005 1:09:51 PM PDT by struggle ((The struggle continues))

To: t_skoz

If I'm the guy who can hack IIS, I can probably parlay that skill into more tangible rewards than nerd-kudos ;)


11 posted on 05/05/2005 1:10:16 PM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)

To: softwarecreator
And your reasoning for this is ...?

Because the guy doing this makes his living pushing Microsoft products.

12 posted on 05/05/2005 1:10:19 PM PDT by antiRepublicrat

To: softwarecreator
Hey, don't jump on me, this guy is an MS user and tech writer...

Roger A. Grimes
Contributing editor, Windows IT Pro Magazine

13 posted on 05/05/2005 1:38:54 PM PDT by N3WBI3

To: general_re

Umm, not really, hacking IIS is not a one-in-a-million type of deal. There is a reason you secure in layers, and that's because a naked IIS6 box on the net is just waiting to be hacked..


14 posted on 05/05/2005 1:41:08 PM PDT by N3WBI3

To: general_re
even if it stays up, that's hardly proof of invulnerability.

True. But if it doesn't stay up, that's certainly proof of vulnerability. ;-p
15 posted on 05/05/2005 2:18:11 PM PDT by Bush2000

To: N3WBI3

I wasn't. I was in the middle of writing it and had to go. Accidentally pushed the "reply" button.


16 posted on 05/05/2005 2:28:42 PM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)

To: N3WBI3; Bush2000
...a naked iis6 box on the net is just waiting to be hacked..

Oh, no - IIS 6/Windows Server 2003 is actually quite tight, even in the default configuration. I predict it won't be cracked, because the people most likely to be able to do it are the least likely to want to reveal that ability.

17 posted on 05/05/2005 2:29:40 PM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)

To: N3WBI3
I know a guy that worked as a consultant to Microsoft when they did this for Windows 2000, and that box never got hacked. He said all they did was lock every port but 80 down with IPSec, and shut down every unnecessary service.

Despite what some people will tell you, a fully patched box with proper usernames/passwords implemented is practically impossible to hack; the only way is if you have access to a "zero day" exploit that no one knows about or has had time to develop a defense for. Anybody that has one of those probably isn't going to waste it for an XBOX, unless they really want to try to humiliate Microsoft. But give MS some credit, not only have they already tried this before, and succeeded, they're willing to risk it again.

18 posted on 05/05/2005 4:03:58 PM PDT by Golden Eagle (Team America)

To: N3WBI3
Umm, not really, hacking IIS is not a one-in-a-million type of deal. There is a reason you secure in layers, and that's because a naked IIS6 box on the net is just waiting to be hacked..

Then go for it. If it's so easy, it should be a piece of cake for you. Or, are you just blowing smoke?
19 posted on 05/05/2005 5:54:32 PM PDT by Bush2000

To: general_re
because the people most likely to be able to do it are the least likely to want to reveal that ability

This was the point I wanted to make in #3, but got called away and accidentally posted it.

If you are an 'expert' hacker, what reason would you have to expose yourself and your 'methods'? An X-Box? Makes no sense to me, but then I never understood the thrill of hacking anyway, so what do I know?

20 posted on 05/05/2005 7:13:44 PM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)

To: Bush2000
Then go for it. If it's so easy, it should be a piece of cake for you. Or, are you just blowing smoke?

Well, N3WBI3, sounds like a dare ... you, and others like you, come here and say how easy it is ... go for it.

If no one here does it, then I guess you'll all have to stop the "see-how-vulnerable-MS-is" type of claims.

21 posted on 05/05/2005 7:16:52 PM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)

To: Bush2000
Anything is hackable; Apache, IIS, SunONE, .... That's why I said security in layers. Why the hell did you jump on me for that?

Can I hack it? Maybe, if I really put my time into it. I'm not a gifted hacker but I do have a good deal of experience on IIS as an admin. Personally, the amount of time I would have to put into it (if I could do it) is not worth an X-Box to me..

22 posted on 05/05/2005 8:15:10 PM PDT by N3WBI3

To: softwarecreator

Or it might be I'm too busy with a wife who is now two days past her due date, moving into a new house, finishing a class at school, and rebuilding our WebLogic platform... A naked *anything out there* can be hacked..


23 posted on 05/05/2005 8:19:11 PM PDT by N3WBI3

To: N3WBI3
or it might be I'm too busy with a wife who is now two days past her due date, moving into a new house

Well, yeah, sure, it could be that too!  =)

Congrats on the upcoming baby!

My wife and I are also closing on a new house next week, so I know how you feel.

24 posted on 05/05/2005 8:31:30 PM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)

To: softwarecreator

New construction or an existing one?


25 posted on 05/05/2005 9:14:56 PM PDT by N3WBI3

To: Golden Eagle
unless they really want to try to humiliate Microsoft.

That's about the only reason one of them would go for it. Unless they need a new computer and want the XBox to put Linux on.

26 posted on 05/06/2005 6:46:55 AM PDT by antiRepublicrat

To: antiRepublicrat
That's about the only reason one of them would go for it. Unless they need a new computer and want the XBox to put Linux on.

Yep, being a hacker, probably would.

27 posted on 05/06/2005 12:19:19 PM PDT by Golden Eagle (Team America)