Posted on 04/04/2002 5:41:09 AM PST by colette_g
The move came after the company found the web servers had been installed by staff "without the correct authorisation procedures".
"As part of our normal housekeeping procedures we launched an internal review of our use of Microsoft web servers," said a BA spokesman. "We are undertaking a project to remove the product where it has been installed without the correct authorisation procedures."
According to internet consultancy Netcraft, all BA websites currently visible from the internet run Netscape Enterprise 4.1 on Sun Solaris. The BA spokesman said all the IIS servers ran departmental intranets and it was not possible to view them externally "unless this is configured in our web access control infrastructure".
If an IIS-based server is not properly configured and patched, it is vulnerable to external attacks by hackers.
The Code Red virus exploits a buffer overflow vulnerability in an unpatched machine that could let an attacker gain complete control of an affected web server.
Richard Barber of security consultants Integralis said BA had felt secure because it had a policy of using non-Microsoft web servers. "People inside a company can set up their own web servers and if these servers go to the internet through the firewall at HTTP, they become visible," he said. "It is then fairly obvious from the outside of the network to hackers."
In future BA hopes to keep tabs on its infrastructure "by regular audits and reviews of web servers".
Microsoft declined to comment.