Microsoft Triumphant in OpenHack 4 Competition


Ok, this is somewhat old news, but somehow this slipped
off my radar back in February. Even when I showed it to a few IT admins today
that follow such news very closely, they mentioned to me that they don’t
remember seeing anything about this in the SANS newsletter, NTBUGTRAQ, or any
other security mailing lists.



Microsoft Triumphant in OpenHack 4
Competition


In October 2002, eWeek Labs launched its fourth
annual OpenHack online security contest. The year’s contest, the third year of
participation for Microsoft, was designed to test enterprise security by
exposing systems to the real-world rigors of the Web. Both Microsoft and
Oracle were given a sample Web application by eWeek and were asked to
redevelop the application using their respective technologies. Individuals
from throughout the world were then invited to attempt to compromise the
security of the resulting sites in exchange for cash prizes.


Microsoft developed its application using the
Microsoft .NET Framework, IIS 5.0, Windows 2000 Advanced Server, and SQL
Server 2000. (It should be noted that Microsoft Windows .NET Sever 2003 with
IIS 6.0 would have been used had it been released at the time of the contest.
In Windows .NET Server 2003, several of the steps we took to “lock down” the
operating system and Web server are already completed by default.)


The results of the competition may be found at:
href="http://www.eweek.com/category2/1,3960,600431,00.asp"
>http://www.eweek.com/category2/1,3960,600431,00.asp


In total, the Microsoft solution withstood over
82,500 attacks. Microsoft emerged from OpenHack 4 unscathed, as it did in its
previous engagements with the first and second OpenHack competitions.


An article explaining how the solution was built and configured,
including best practices for software developers and systems administrators to
secure their own solutions is available at:

href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/openhack.asp"
>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/openhack.asp


(this text was copied from href="http://www.microsoftsoutheast.com/news/product_news_0302.asp"
>http://www.microsoftsoutheast.com/news/product_news_0302.asp)


I don’t know about you, but I’m sick an
tired of hearing people out there constantly bicker and complain about how
Microsoft sucks or how insecure their software is. Things like that just bother
me. Obviously if Microsoft WON the OpenHack 4 competition, then it’s been shown
that security on Windows can be achieved. There’s one caveat here… that is
that the person(s) setting up the box actually know
what they are doing and pay attention to proper setup. One of the major roots of
this problem is, I think, that some IT admins (ie: those that constantly
bicker and complain about Microsoft
) think that adminning a Windows Server is
the same as their PC at home. Well, IT’S NOT! Just because your Windows XP Home
Edition PC (or heaven forbid you’re still running Windows 95, 98, Me)
looks and feels
similar to your Windows Server at work doesn’t mean that they are the same!
Anyway, I think I’ve beaten this topic enough for now. But rest assured, this
gripe with come back every now and again because this post will not all of a
sudden magically cure all these admins who think like I’ve
described.

Comments (2)

  1. Anonymous says:

    Security poll… : A Blog for Graymad

  2. Julie Lerman says:

    Hey Rob! Eweek changed their links (I just posted something about openhack) You can grab them from my site if you want.