After the Nimda attack, Gartner's report argued, "Using Internet-exposed IIS Web servers securely has a high cost of ownership." Well, yes, that's right. You need to keep patching it constantly and all too many network administrators have fallen short on this job. And IIS, as the report points out, has a far poorer security history than such alternatives as iPlanet and Apache.
Microsoft and some analysts argue that IIS's bad security record isn't a problem with the program itself. Instead, the real problem is the crackers who like to attack IIS because of the Microsoft name and its market share. Though the crackers are the real problem, that argument doesn't hold as much water as Microsoft would like.
According to the latest Netcraft numbers, Apache--not IIS--is the number one Web server in terms of actual number of sites served, garnering 59.51 percent of active Web sites compared to Microsoft's 27.46 percent. Though Apache has had its share of security problems, they pale compared to the number of successful attacks made against IIS.
Still, in a way, Microsoft's argument is a red herring. Whether IIS is as tough as an Apache or Zeus isn't the point. The point is that if you use IIS today, you're much more likely to be successfully attacked.
So why not switch? Especially given that the estimated damages from Code Red and Nimda ran into the billions? Easy--you probably can't afford to make a change.
If all you're doing with your IIS Web site is running static pages of HTML and images, you could switch over to Apache or another Web server in a New York minute. But let's say you're running an advanced site with Active Server Pages (ASP), SQL Server 2000 links supplying real-time data, and you're starting to use .NET XML Web Services. With all that infrastructure behind IIS, can you afford to switch? Frankly, I doubt it.
There are tools available that will make a switch from IIS to, say, Apache easier. Apache::ASP provides an ASP port to Apache, regardless of the underlying operating system, but it only supports Perl scripting. Though it includes such goodies as session management and Extensible Markup Language (XML) and Extensible Stylesheet Language Transformations (XSLT) support, it is itself an adaptation and extension of ASP. You simply couldn't take complex ASP code from IIS and move it to Apache::ASP without massive rewriting.
Sun's Chilli!Soft comes closer to enabling you to just take your existing ASP code and switch it over to the Apache, Domino, iPlanet, or Zeus Web servers on AIX, HP-UX, Linux, and W2K and NT. It also supports the very common--in Windows--VBScript language. But close counts more in horseshoes than it does in programming. For example, if you're using ASP in the first place, chances are you're pulling in data from a DBMS. Chilli!Soft supports many DBMSs, but it doesn't have Open Database Connectivity (ODBC) drivers for SQL Server 2000 on the Unix platforms.
My point: It's not that you can't switch an advanced Web site from IIS to another system. You can. And maybe you should, but don't kid yourself that it will be easy. IIS is simply the most visible part of an entire family of Microsoft servers and technologies. Sure, you can replace IIS in a second. Replacing the functionality that the entire IIS family gives you--that's another matter.
Steven has written about technology for more than 15 years. He was previously a programmer and network administrator for NASA and the Department of Defense. Steven is also currently chairman of the Internet Press Guild.

Who can't afford to? MS or...?
Let me see,
if I continue to ignore all warning signs could I be sued for negligence?
How safe would my job be and what would my future job prospects be?
Well, I am not a mercenary.
I have to use the best tools for the job, my loyalty is with my employer and I will continue to act in the best interest of my employer.
I have no intention to get sacked for using insecure software!