Gartner recommends dropping IIS
On the heels of the Code Red and Nimda worms that plagued the Internet -- and especially Microsoft Corp.'s IIS (Internet Information Server) systems -- over the last few months, research firm Gartner Inc. released a report last week suggesting that users and companies "immediately investigate alternatives to IIS" because other Web server applications have better security records.
Although a good deal of frustration and anger has been vented at Microsoft as worms and viruses have proliferated through its products, analysts and many IIS users sharply disagree with Gartner.
IIS is used by an estimated 6 million Web sites worldwide. Because of the frequent discovery of security vulnerabilities in the software, those Web sites are constantly open to new attacks. About a dozen security flaws affecting IIS or various additional components of the software have been discovered in 2001. Microsoft offers frequent patches for these flaws on its Web site and has a large network of support personnel who work with customers to communicate needed information about patches. Nevertheless, most of the major worms that have caused trouble in 2001 have exploited problems in IIS.
Gartner's recommendation was released in the same week as the Nimda worm, which used months-old vulnerabilities in IIS, Microsoft's Internet Explorer Web browser and other software to spread to tens of thousands of computers in a matter of hours and degraded Internet performance for a time. The Code Red worm, which infected hundreds of thousands of IIS systems in July and August, also crept into servers that didn't possess a patch released in June.
IIS' central role in these incidents, and the need for constant patching of other Microsoft products, led Gartner to its recommendation, which was written by Information Security Strategies analyst John Pescatore. (Pescatore did not return calls requesting comment for this story.) Because of these worms and the need for patches to combat them, using IIS is both labor-intensive and resource-intensive, as well as risky, Pescatore wrote. In addition, the high visibility of IIS as a Microsoft product makes the software a bigger target for attack, he wrote. So, until a new version of IIS has been written from the ground up and publicly tested (an event Pescatore doesn't expect to see before the end of 2002), companies should seek out alternatives to IIS, he wrote.
Not surprisingly, Microsoft disagrees with Pescatore's recommendation, but many users and analysts have also come to the Redmond, Washington-based company's defense.
"The Gartner recommendation ignores the fact that security is an industrywide issue and that serious security vulnerabilities have been found in all Web server products and platforms," including IIS, said Jim Desler, a spokesman for Microsoft. IIS is "as secure as our competitor's products," he added.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
