Gartner IIS Analysis Off-Target, Say Some Experts

Gartner Inc. recommends that organizations start looking at alternatives to IIS; not everyone agrees with that assessment, however.

“Nimda has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft’s frequent security patches.

“iPlanet and Apache…have much better security records than IIS.

“Businesses using Microsoft’s IIS Web server software have to update every IIS server with every Microsoft security patch that comes out—almost weekly.”

Those are some of the reasons Gartner Inc. analyst John Pescatore gives for recommending that organizations start looking at alternatives to IIS, Microsoft’s Web server. He says that Nimda, combined with the Code Red outbreak, is ample evidence of IIS’ insufficiency as a secure Web server.

Not everyone agrees with that assessment, however.

“I would completely disagree” that iPlanet and Apache are more secure Web servers, says security consultant Greg Saoutine (who has written for this magazine). “I’m surprised with the one-sided approach Gartner took. They didn’t properly look into the core of the problem. They arrived at their conclusions based on two incidents this summer,” he says.

Another security expert, who asked not to be named, believes there may have been more at work than just objective analysis. “It looks like [Gartner] just wanted to influence the market” away from Microsoft, he comments. “They were politically based, not security-based suggestions.”

Another factor is that it’s much easier, in general, to attack IIS than some other Web servers. “There are scripts to exploit Microsoft that are very accessible over the Internet and easy to use,” Saoutine says. “Teenagers can use them. The tools to exploit Apache are harder to use, because you have to know PERL.”

While both security consultants say IIS is far from perfect and is vulnerable, they insist it’s not inherently more vulnerable than other Web servers on the market. The Gartner report “suggests one solution that may or may not work. It doesn’t say how moving away from IIS will help. It doesn’t address the problems Apache and iPlanet have, as well as other solutions. It proposes one option out of a zillion options out there and doesn’t prove how iPlanet and Apache would be more secure,” Saoutine says.

The other consultant says that Web servers will probably always have security concerns, because of their nature. “It’s important to understand what Web servers in general, and IIS specifically, were not designed to do. They were designed initially to serve static Web pages. A lot of the problem is that we’re trying to do too much using a protocol (HTML) that initially didn’t have any security mechanisms built in. The time has come to decide if we’re going to use HTML for all these things or [move]” to something more secure.

About the Author

Keith Ward is the editor in chief of Visual Studio Magazine.

Reader Comments:

Tue, Dec 4, 2001 isnord Anonymous

Business is the ultimate goal of web servers and the main problem with IIS is that it is so easy and CHEAP to meet business goals. There isn't a serious IT system available that doesn't require maintenance patches.

Tue, Dec 4, 2001 Troy Mpls

mlanman: Some would say your 'Windows of Vulnerability' are too large to be throwing stones. Choosing Apache doesn't automagically make you a good admin, but it is a point in your favor and a feather in your cap. :-)

james: I can only assume you still use Wordstar because dropping a lame product is 'the easy way out'.

Sun, Dec 2, 2001 james singapore

Security should always be balanced with operational. Microsoft, I believe, is improving its product security as time passes. Don't tell me certain vulnerability exists, you have to drop the product completely. Then the person will be super busy uninstalling and installing products, wasting organisation's time. This is taking the easy way out. What about Outlook? Do you drop Outlook when virus can attack from there?

Sun, Dec 2, 2001 e-guy from F500 web farm Anonymous

I knew this was coming and from MCPmag. Of course, you can find people to disagree. It does not make them right. Gartner did go too far in their assessment but they are correct. IIS is one of the hardest and most costly web platforms to manage from a security point. That is, if you want to do it properly, which many are not. It is not impossible, just very difficult compared to Apache and iPlanet.

Thu, Nov 29, 2001 mlanman oregon

Amen to that! Pescatore seems to say if you're a bad IIS admin, using Apache instead will magically make you a good admin. Sorry, John, that just doesn't wash. I keep my IIS servers patched - and I've only had to install service packs and rollups about three times this year!
