Microsoft stands by IIS despite Gartner recommendation

From...

By Jaikumar Vijayan

(IDG) -- Microsoft says its Internet Information Server (IIS) is as secure as comparable products from other vendors. This follows a Gartner recommendation that enterprises hit by both the "Nimda" and "Code Red" worms look at alternatives.

According to the advisory from Gartner -- which is based in Stamford, Connecticut -- the success of the Nimda worm and of Code Red before that "highlights the risk of using IIS and the effort involved in keeping up with Microsoft's frequent security patches."

Gartner's advisory was issued in the aftermath of last week's attack by the mass-mailing Nimda worm that infected systems running Microsoft Windows 95, 98, Me, NT and 2000. (See the link below: "Nimda worm hard to fight, but patches are available.") Unlike other worms and viruses, Nimda spread via network-based e-mail, as well as through contaminated Web browsers and exploited back doors left behind by previous malicious codes as Code Red and Sadmind.

IDG.net INFOCENTER Computerworld main page Computerworld's topic-oriented communities Computerworld's IT career center Free daily newsletters Related IDG.net Stories Nimda worm hard to fight, but patches are available Microsoft releases IIS server security tool Microsoft patches ActiveX hole in Outlook Features PC World.com Product Finder Mastering e-commerce by degrees Fast-track training puts nontechies in IT jobs Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

As it had with Code Red, Microsoft recommended installing patches and service packs on virtually every PC and server running the Internet Explorer Web browser, IIS Web servers or the Outlook Express e-mail client, said John Pescatore, a Gartner analyst and author of the advisory.

Such constant patching and maintaining has resulted in a high cost of ownership for IIS, he said. For that reason, Pescatore recommended that enterprises hit by both Nimda and Code Red look at alternatives such as Sun Microsystems Inc.'s iPlanet and the Apache Web server software.

"The Gartner recommendation overlooks the fact that security is an industrywide challenge and that serious vulnerabilities have been found in all Web server products and platforms," a Microsoft spokesman said. "It is a folly to believe that if you switch from one product to another, you are protected."

Instead, the emphasis should be on ensuring safe security practices and making sure that all recommended patches are installed, he added. "Those customers that installed all the [recommended] patches were protected from Nimda," the Microsoft spokesman said.

But Gartner's recommendation seems to be resonating with at least some users.

Palo Alto, Calif.-based law firm Fenwick & West LLP is planning on migrating off of its IIS servers to a Linux operating environment running Apache's Web server software.

The decision was prompted by the continuing security concerns related to IIS, said Matt Kesner, the firm's chief technology officer. Also driving the move is cost: It's cheaper to run Apache on Linux than it is it to run IIS, Kesner said.

The law firm escaped being hit by last week's Nimda virus because it had all the appropriate patches in place. But the experience of dealing with a previous IIS-related vulnerability and the continuous effort needed to keep it secure aren't worth it, Kesner said.

Moving to Apache is going to be difficult, and it will offer less functionality than IIS, Kesner predicted. Even so, "we think it is a smaller target," he said. "For whatever reason, virus writers are not targeting Linux and Sun as much as they have been targeting Microsoft."

"Apache is a bit more difficult to set up, but it is much easier to maintain once the setup process has been completed," said Pat Quick, an information systems specialist at Planogramming Solutions Inc., a space management company in Jacksonville, Fla.

Because of security concerns, "we have considered trashing our MS BackOffice/ColdFusion development and are looking at a possible [Linux] setup," he said in an e-mail to Computerworld.

"I know that Windows, Office and many other packages are very popular and have a wide reach that makes them the target to get to," Quick said. "But to be the biggest should carry some responsibility to be the best. This is, sadly, not the case."

Not everybody shared those sentiments, though. "To be fair, Microsoft has responded well in every case," where its software has been attacked, said one user at a large Seattle-based company who requested anonymity. "Why would you move to [Linux] with effectively no support, running a web server that doesn't have as much functionality [as IIS]? There's a hidden cost of ownership in that model as well," the user said.

"There are problems with Microsoft software, but there are problems with other software as well," said Joel Snyder, CEO of Snyder Associates, a Long Island, N.Y-based management and engineering consultancy. The diffference is that the pervasivness and popularity of Windows makes it a more available hacker target, he said.

Security measures taken against the Code Red worm and the availability of a cumulative patch have also "significantly improved the security" of servers running IIS, according to a Web server survey by Netcraft Ltd., a U.K.-based network consultancy. The number of IIS servers with a vulnerability that allowed crackers to take administrative control of systems dropped from more than 27% in October 2000 to a little more than 10% in August 2001, according to the survey.

Similarly, the percentage of IIS servers with a hole that allowed cross-site scripting dropped from more than 80% to less than 20% during the same period, Netcraft said.