On the heels of the Code Red and Nimda worms that plagued the Internet -- and especially Microsoft Corp.'s IIS (Internet Information Server) systems -- over the last few months, research firm Gartner Inc. released a report last week suggesting that users and companies "immediately investigate alternatives to IIS" because other Web server applications have better security records.

Although a good deal of frustration and anger has been vented at Microsoft as worms and viruses have proliferated through its products, analysts and many IIS users sharply disagree with Gartner.

IIS is used by an estimated 6 million Web sites worldwide. Because of the frequent discovery of security vulnerabilities in the software, those Web sites are constantly open to new attacks. About a dozen security flaws affecting IIS or various additional components of the software have been discovered in 2001. Microsoft offers frequent patches for these flaws on its Web site and has a large network of support personnel who work with customers to communicate needed information about patches. Nevertheless, most of the major worms that have caused trouble in 2001 have exploited problems in IIS.

Gartner's recommendation was released in the same week as the Nimda worm, which used months-old vulnerabilities in IIS, Microsoft's Internet Explorer Web browser and other software to spread to tens of thousands of computers in a matter of hours and degraded Internet performance for a time. The Code Red worm, which infected hundreds of thousands of IIS systems in July and August, also crept into servers that didn't possess a patch released in June.

IIS' central role in these incidents, and the need for constant patching of other Microsoft products, led Gartner to its recommendation, which was written by Information Security Strategies analyst John Pescatore. (Pescatore did not return calls requesting comment for this story.) Because of these worms and the need for patches to combat them, using IIS is both labor-intensive and resource-intensive, as well as risky, Pescatore wrote. In addition, the high visibility of IIS as a Microsoft product makes the software a bigger target for attack, he wrote. So, until a new version of IIS has been written from the ground up and publicly tested (an event Pescatore doesn't expect to see before the end of 2002), companies should seek out alternatives to IIS, he wrote.

Not surprisingly, Microsoft disagrees with Pescatore's recommendation, but many users and analysts have also come to the Redmond, Washington-based company's defense.

"The Gartner recommendation ignores the fact that security is an industrywide issue and that serious security vulnerabilities have been found in all Web server products and platforms," including IIS, said Jim Desler, a spokesman for Microsoft. IIS is "as secure as our competitor's products," he added.

Some users questioned Gartner's conclusions as well as the security procedures used by companies that were infected by Nimda, Code Red and other worms despite patches being available.

"If my IS director failed to keep patches up to date, then we, to put it mildly, would have 'a little chat' about his/her future," wrote Joe Everett,

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine