All in the <head>

– Ponderings & code by Drew McLellan –

– Live from The Internets since 2003 –


More on IIS Lockdown

19 September 2003

So I’ve been discussing the whole error message thing with two guys on the IIS team at Microsoft. Their opinion is that 403 would in fact be the most appropriate error code to issue. Their reasoning for using 404 is that “the client has no need to know” what the error is – simply that there has been an error. They say that it’s a security choice to return 404 as it gives the client “the least amount of information”.

I can see where they are coming from – if someone asks you where your safe is, you don’t tell them. However, if you’re going to be an HTTP server you have to play by the HTTP rules. I don’t agree that it’s none of the client’s business what the error is – it’s not a web server’s job to play judge and jury.

It’s slightly frustrating in that I can see that there’s probably little middle ground. You either have to be aggressively secure (or attempt that stance) or be completely transparent. This is one of those rare cases when the need for security gets in the way of those legitimately using a system. So it’s more ‘boooo!’ to the hackers than ‘boooo!’ to Microsoft. But I still don’t like it.

Here endeth my grumble.

- Drew McLellan
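The "least amount of information" argument only holds if a request for a blocked file and a request for a file that genuinely does not exist produce identical responses; otherwise the client can still tell the two apart, whatever status code was chosen. As an added example (not IIS code, and not the author's), here is a toy Python model of a lockdown filter in front of a site's own 404 handler, with a check for that condition. The blocked-extension list, file names, headers and error bodies are all constructed for the example.

```python
"""Toy model of a lockdown filter (constructed example, not IIS code):
checks whether the status code chosen for blocked extensions really
hides the lockdown from the client."""
from dataclasses import dataclass
from typing import Tuple

REASON = {403: "Forbidden", 404: "Not Found", 500: "Internal Server Error",
          501: "Not Implemented", 503: "Service Unavailable"}
BLOCKED_EXT = (".asp", ".ida", ".printer")   # constructed lockdown list
SITE_FILES = {"/index.htm", "/about.htm"}      # constructed site contents


@dataclass(frozen=True)
class Response:
    status: int
    headers: Tuple[Tuple[str, str], ...]
    body: str


def lockdown_error(status: int) -> Response:
    # Error page rendered by the lockdown filter itself (constructed).
    return Response(status, (("Content-Type", "text/html"),),
                    f"<h1>{REASON[status]}</h1>")


def app_not_found() -> Response:
    # The site's own 404 page (constructed). The extra header and the
    # different body are exactly what lets a client tell the two apart.
    return Response(404, (("Content-Type", "text/html"),
                          ("X-Powered-By", "ToyApp")),
                    "<h1>Not Found</h1><p>Try the site map.</p>")


def serve(path: str, blocked_status: int, unify_errors: bool) -> Response:
    """Serve `path` behind a lockdown answering `blocked_status` for blocked
    extensions. With unify_errors the lockdown re-uses the site's own 404
    page, so the two 404 code paths cannot be distinguished."""
    if path.lower().endswith(BLOCKED_EXT):
        if blocked_status == 404 and unify_errors:
            return app_not_found()
        return lockdown_error(blocked_status)
    if path not in SITE_FILES:
        return app_not_found()
    return Response(200, (("Content-Type", "text/html"),), "<h1>ok</h1>")


def reveals_lockdown(blocked_status: int, unify_errors: bool) -> bool:
    """True if comparing the response for a blocked file with the response
    for a missing file shows that the lockdown is present."""
    blocked = serve("/default.asp", blocked_status, unify_errors)
    missing = serve("/no-such-page.htm", blocked_status, unify_errors)
    return blocked != missing
```

The point of the check: simply switching the code to 404 is not enough if the lockdown's error page differs from the server's ordinary 404 page; only the unified case gives the client nothing to compare.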

Comments

  1. § Jesse: ‘Client has no need to know’ (insert favorite Microsoft annoyance here)...

    There is a reason why relatively no one uses IIS for serious web servers... You never know what is really going on with the server and it is really difficult to find out. Cryptic error messages should be patented by Microsoft - although that system error message with a bomb icon from Apple is probably the funniest one going.

    The whole culture at Microsoft on security is scary... do they think not providing proper error messages will protect the server?
  2. § tomjleeds: Obviously. What’s even more scary at Microsoft is DRM.
  3. § Drew: Don’t get me started on digital rights management!
  4. § Drew: Jesse, I think the idea is that if the server just gives a 404, there’s no way to know it’s an IIS server. As soon as it gives a message like a 403 for a .asp file, the argument goes that this reveals that it’s an IIS server and opens the gate for further hack attempts.

    If IIS is truly secure and properly locked down, I’m not sure why it should matter. Security by obscurity.
  5. § Jesse: Yes, but you can simply find the server type by NMAP; why would you bother with HTTP? Is there an exploit that looks for IIS by detecting error messages?

    Security by obscurity is pointless, as the past month of bugs has demonstrated.
  6. § Drew: Jesse, I agree.
  7. § Lonnie Olson: I agree that a 404 is the wrong error to provide, but 403 is also wrong. The error should not be a 4xx (Client error). It should be a 5xx (Server error). The problem is the fault of the server, not the client, therefore the best error would be either
    500 - Internal Server Error
    501 - Not implemented
    or even
    503 - Service Unavailable

    These errors will make end users happy knowing they can’t fix it and it isn’t their fault. And it remains secure.
