Gartner IIS Analysis Off-Target, Say Some Experts
Gartner Inc. recommends that organizations start looking at alternatives to IIS; not everyone agrees with that assessment, however.
“Nimda has again shown the high risk of using IIS and the effort involved
in keeping up with Microsoft’s frequent security patches.
“iPlanet and Apache…have much better security records than IIS.
“Businesses using Microsoft’s IIS Web server software have to update
every IIS server with every Microsoft security patch that comes out—almost
Those are some of the reasons Gartner Inc. analyst John Pescatore gives
for recommending that organizations start looking at alternatives to IIS,
Microsoft’s Web server. He says that Nimda, combined with the Code Red
outbreak, is ample evidence of IIS’ insufficiency as a secure Web server.
Not everyone agrees with that assessment, however.
“I would completely disagree” that iPlanet and Apache are more secure
Web servers, says security consultant Greg Saoutine (who has written for
this magazine). “I’m surprised with the one-sided approach Gartner took.
They didn’t properly look into the core of the problem. They arrived at
their conclusions based on two incidents this summer,” he says.
Another security expert, who asked not to be named, believes there may
have been more at work than just objective analysis. “It looks like [Gartner]
just wanted to influence the market” away from Microsoft, he comments.
“They were politically based, not security-based suggestions.”
Another factor is that it’s much easier, in general, to attack IIS than
some other Web servers. “There are scripts to exploit Microsoft that are
very accessible over the Internet and easy to use,” Saoutine says. “Teenagers
can use them. The tools to exploit Apache are harder to use, because you
have to know PERL.”
While both security consultants say IIS is far from perfect and is vulnerable,
they insist it’s not inherently more vulnerable than other Web servers
on the market. The Gartner report “suggests one solution that may or may
not work. It doesn’t say how moving away from IIS will help. It doesn’t
address the problems Apache and iPlanet have, as well as other solutions.
It proposes one option out of a zillion options out there and doesn’t
prove how iPlanet and Apache would be more secure,” Saoutine says.
The other consultant says that Web servers will probably always have
security concerns, because of their nature. “It’s important to understand
what Web servers in general, and IIS specifically, were not designed to
do. They were designed initially to serve static Web pages. A lot of the
problem is that we’re trying to do too much using a protocol (HTML) that
initially didn’t have any security mechanisms built in. The time has come
to decide if we’re going to use HTML for all these things or [move]” to
something more secure.
Keith Ward is the editor in chief of Virtualization Review.