Gartner IIS Analysis Off-Target, Say Some Experts

Gartner Inc. recommends that organizations start looking at alternatives to IIS; not everyone agrees with that assessment, however.

“Nimda has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft’s frequent security patches.

“iPlanet and Apache…have much better security records than IIS.

“Businesses using Microsoft’s IIS Web server software have to update every IIS server with every Microsoft security patch that comes out—almost weekly.”

Those are some of the reasons Gartner Inc. analyst John Pescatore gives for recommending that organizations start looking at alternatives to IIS, Microsoft’s Web server. He says that Nimda, combined with the Code Red outbreak, is ample evidence of IIS’ insufficiency as a secure Web server.

Not everyone agrees with that assessment, however.

“I would completely disagree” that iPlanet and Apache are more secure Web servers, says security consultant Greg Saoutine (who has written for this magazine). “I’m surprised with the one-sided approach Gartner took. They didn’t properly look into the core of the problem. They arrived at their conclusions based on two incidents this summer,” he says.

Another security expert, who asked not to be named, believes there may have been more at work than just objective analysis. “It looks like [Gartner] just wanted to influence the market” away from Microsoft, he comments. “They were politically based, not security-based suggestions.”

Another factor is that it’s much easier, in general, to attack IIS than some other Web servers. “There are scripts to exploit Microsoft that are very accessible over the Internet and easy to use,” Saoutine says. “Teenagers can use them. The tools to exploit Apache are harder to use, because you have to know PERL.”

While both security consultants say IIS is far from perfect and is vulnerable, they insist it’s not inherently more vulnerable than other Web servers on the market. The Gartner report “suggests one solution that may or may not work. It doesn’t say how moving away from IIS will help. It doesn’t address the problems Apache and iPlanet have, as well as other solutions. It proposes one option out of a zillion options out there and doesn’t prove how iPlanet and Apache would be more secure,” Saoutine says.

The other consultant says that Web servers will probably always have security concerns, because of their nature. “It’s important to understand what Web servers in general, and IIS specifically, were not designed to do. They were designed initially to serve static Web pages. A lot of the problem is that we’re trying to do too much using a protocol (HTML) that initially didn’t have any security mechanisms built in. The time has come to decide if we’re going to use HTML for all these things or [move]” to something more secure.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.

