Gartner IIS Analysis Off-Target, Say Some Experts -- Redmondmag.com

Gartner IIS Analysis Off-Target, Say Some Experts

Gartner Inc. recommends that organizations start looking at alternatives to IIS; not everyone agrees with that assessment, however.

By Keith Ward
11/20/2001

“Nimda has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft’s frequent security patches.

“iPlanet and Apache…have much better security records than IIS.

“Businesses using Microsoft’s IIS Web server software have to update every IIS server with every Microsoft security patch that comes out—almost weekly.”

Those are some of the reasons Gartner Inc. analyst John Pescatore gives for recommending that organizations start looking at alternatives to IIS, Microsoft’s Web server. He says that Nimda, combined with the Code Red outbreak, is ample evidence of IIS’ insufficiency as a secure Web server.

Not everyone agrees with that assessment, however.

“I would completely disagree” that iPlanet and Apache are more secure Web servers, says security consultant Greg Saoutine (who has written for this magazine). “I’m surprised with the one-sided approach Gartner took. They didn’t properly look into the core of the problem. They arrived at their conclusions based on two incidents this summer,” he says.

Another security expert, who asked not to be named, believes there may have been more at work than just objective analysis. “It looks like [Gartner] just wanted to influence the market” away from Microsoft, he comments. “They were politically based, not security-based suggestions.”

Another factor is that it’s much easier, in general, to attack IIS than some other Web servers. “There are scripts to exploit Microsoft that are very accessible over the Internet and easy to use,” Saoutine says. “Teenagers can use them. The tools to exploit Apache are harder to use, because you have to know PERL.”

While both security consultants say IIS is far from perfect and is vulnerable, they insist it’s not inherently more vulnerable than other Web servers on the market. The Gartner report “suggests one solution that may or may not work. It doesn’t say how moving away from IIS will help. It doesn’t address the problems Apache and iPlanet have, as well as other solutions. It proposes one option out of a zillion options out there and doesn’t prove how iPlanet and Apache would be more secure,” Saoutine says.

The other consultant says that Web servers will probably always have security concerns, because of their nature. “It’s important to understand what Web servers in general, and IIS specifically, were not designed to do. They were designed initially to serve static Web pages. A lot of the problem is that we’re trying to do too much using a protocol (HTML) that initially didn’t have any security mechanisms built in. The time has come to decide if we’re going to use HTML for all these things or [move]” to something more secure.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.