Problem solve Get help with specific problems with your technologies, process and projects.

Scrap IIS?

Thing twice before you migrate from Microsoft's Web server. An overreaction might trade your old problems for new.

Examine your options closely before you denounce Microsoft's Web server. Analysts think a migration in reaction to recent exposed vulnerabilities could trade in one set of problems for another.

In light of recent work attacks, many business people are wondering whether they should scrap Microsoft's Internet Information Server. There are no simple answers to that question.

For starters, IIS is a big, fat target for virus writers (and critics). Its sheer market penetration makes it a high-profile target. Moreover, Microsoft also has the ire of many virus writers, who love embarrassing Redmond.

Responsibility for the attacks depends on whom you ask. Microsoft accuses the security community of circulating detailed information about the vulnerabilities. Security experts accuse Microsoft of shoddy development and users for not patching their systems. Actual IIS users just want to be protected.

Over the summer, the Code Red worm hit IIS servers exploiting a known vulnerability. Just a few weeks later, the more complex Nimda worm erupted. Nimda took advantage of the same vulnerability but could also spread through Web page viewing and e-mail attachments.

Both Code Red and Nimda exploited a vulnerability that has been known for at least two years. Moreover, users saw the damage of Code Red (estimated in the billions for lost productivity) could have patched their systems for Nimda thus minimizing that outbreak.

Is migration the answer?
Last month, Stamford, Conn.-based analyst firm Gartner Inc. released an advisory recommending "enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS" such as Sun Microsystems' iPlanet Web server or the open source Apache Web server. "Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers," the advisory said.

Securing IIS servers -- with virtually weekly patches -- makes the product have a high cost of ownership, Gartner concluded.

Yet migration may be overkill, said Tom Mullen, CIO and chief software architect for, a developer of secure, enterprise-based accounting software. "Let's suppose the government saw that semi-trucks got into less accidents than passenger cars and said everybody had to buy a semi," he said.

Open source Apache Web server doesn't offer the functionality of IIS. It may work for static Web pages but not necessarily for the e-business applications people created for IIS, Mullen said. Moreover, switching to other products may require more skills than a NT or Windows 2000 shop has.

"If a company can't keep a Windows server secure then they would have a hell of a time keeping a Unix or Linux box secure," Mullen added.

IIS's ease of use is a factor in the recent worm attacks on a couple of levels. First, many users tend to install the product "out of the box" with all the default features, Mullen said. Users should only install exactly what they need to minimize its exposure.

Second, IIS's ease of use has lulled some users into a false sense of security. Many of these people don't keep up on Microsoft patch notices.

Tony Northrup agrees that some IIS users "underestimate the responsibility of running a Web server." However, the time and effort of a full-scale migration is greater than installing even frequent security patches, said Northrup, a Web administration expert and author of "Introducing Windows 2000 Server and NT Network Plumbing."

Other Web server platforms also require patches "but not as many, and if you miss a patch, the chances are much lower that the vulnerability will be exploited," Northrup said. There is an alternative to migration, namely having an outsourcing company manage IIS server (including patches), he added.

Microsoft answers criticism
Microsoft has answered the criticism. Last month, it announced a security initiative. The Strategic Technology Protection Program gives users security tools that among other things make patches and other updates easier. Free technical support for security will also be provided. Microsoft also plans to automate security updates. IIS 6, the next release of the product, will come of the box with set to the highest security settings.

"Many people have faulted the patching process itself for the low uptake rate. Fair enough -- we do need to make it easier for users to keep their systems secure," Scott Culp, manager of the Microsoft Security Response Center, wrote in an essay on Microsoft's Web site.

Incidentally, Web sites using IIS rose 1.1% to 3,905,978 in September from August, according to the Netcraft Web Server Survey. Sites using the open source Apache Web server rose just over half a percent to 7,924,169.


Have an IIS question? Click here to ask searchWebManagement's IIS expert.

Click here for searchWebManagement's forum on IIS.

MS security: Too much information?.


EMC Corporation Delivers Open Software for Automated Information Storage

On October 29, EMC CEO Joe Tucci and CTO Jim Rothnie introduced new software products and technologies for automated information storage management.

Learn how you can benefit. Get an announcement overview, detailed product and technology information, links to the event webcast, and more at;3500462;5058249;e?

This was last published in November 2001

Dig Deeper on Network Infrastructure

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.