Gartner recommends dropping IIS

ITworld.com | Development

On the heels of the Code Red and Nimda worms that plagued the Internet -- and especially Microsoft Corp.'s IIS (Internet Information Server) systems -- over the last few months, research firm Gartner Inc. released a report last week suggesting that users and companies "immediately investigate alternatives to IIS" because other Web server applications have better security records.

Although a good deal of frustration and anger has been vented at Microsoft as worms and viruses have proliferated through its products, analysts and many IIS users sharply disagree with Gartner.

IIS is used by an estimated 6 million Web sites worldwide. Because of the frequent discovery of security vulnerabilities in the software, those Web sites are constantly open to new attacks. About a dozen security flaws affecting IIS or various additional components of the software have been discovered in 2001. Microsoft offers frequent patches for these flaws on its Web site and has a large network of support personnel who work with customers to communicate needed information about patches. Nevertheless, most of the major worms that have caused trouble in 2001 have exploited problems in IIS.

Gartner's recommendation was released in the same week as the Nimda worm, which used months-old vulnerabilities in IIS, Microsoft's Internet Explorer Web browser and other software to spread to tens of thousands of computers in a matter of hours and degraded Internet performance for a time. The Code Red worm, which infected hundreds of thousands of IIS systems in July and August, also crept into servers that didn't possess a patch released in June.

IIS' central role in these incidents, and the need for constant patching of other Microsoft products, led Gartner to its recommendation, which was written by Information Security Strategies analyst John Pescatore. (Pescatore did not return calls requesting comment for this story.) Because of these worms and the need for patches to combat them, using IIS is both labor-intensive and resource-intensive, as well as risky, Pescatore wrote. In addition, the high visibility of IIS as a Microsoft product makes the software a bigger target for attack, he wrote. So, until a new version of IIS has been written from the ground up and publicly tested (an event Pescatore doesn't expect to see before the end of 2002), companies should seek out alternatives to IIS, he wrote.

Not surprisingly, Microsoft disagrees with Pescatore's recommendation, but many users and analysts have also come to the Redmond, Washington-based company's defense.

"The Gartner recommendation ignores the fact that security is an industrywide issue and that serious security vulnerabilities have been found in all Web server products and platforms," including IIS, said Jim Desler, a spokesman for Microsoft. IIS is "as secure as our competitors' products," he added.

Some users questioned Gartner's conclusions as well as the security procedures used by companies that were infected by Nimda, Code Red and other worms despite patches being available.

"If my IS director failed to keep patches up to date, then we, to put it mildly, would have 'a little chat' about his/her future," wrote Joe Everett, a senior software engineer in the Extended Care Solutions Group at McKesson Corp., a health care services company, in an e-mail to the IDG News Service.

"(Gartner's) logic is completely flawed. Since the patches that protect against both Code Red and Nimda were publicly available well before either of these worms struck, it seems that enterprises that were struck by these viruses might do better to first consider an alternative to their server administrators," wrote John Kenyon, president of e-commerce and Web services company FreshSpark Inc., in an e-mail.

Some of Pescatore's colleagues in the analyst community agree with Everett and Kenyon.

"If security is ever going to really be an enabler (of new products, services, etc.), we can't say 'stop using software solutions,'" said Pete Lindstrom, an analyst with Hurwitz Group Inc.

"We have to figure out a new paradigm" to allow users to get the features they need from their software while still being secure, he said. The cycle of patches and human administration may not be the answer. The future may lie with managed security services and software add-ons to IIS offered by companies such as eEye Digital Security Inc., Sanctum Inc. and Entercept Security Technologies Inc.

Another analyst who doubts all the blame ought to be laid at Microsoft's feet is Forrester Research Inc.'s Frank Prince.
