IT managers whose companies use Microsoft's Internet Information Services (IIS) Web server have experienced a tough year. Code Red, Code Red II, Nimda and other viruses, worms and their variants have been gradually multiplying over the Internet, and have caused major problems for businesses using IIS.
Given these difficulties, analyst group Gartner recently recommended that companies running IIS should replace it. Some IT managers are ready to follow this advice, though others prefer to put patches and processes in place to improve the security of their IIS systems.
According to figures from Netcraft, a firm which specialises in monitoring the number and type of Web servers on the Internet, at least 150,000 sites worldwide across 80,000 IP addresses running IIS have been taken down since the Code Red II worm was released. The scale of disruption caused by Code Red prompted many sites to patch for the first time, but now the number of vulnerable IIS sites is starting to rise again.
High-maintenance system
It is a common complaint among IT managers that keeping patches and security up to date for IIS can be very time consuming. 'Right now, I barely cope,' says one IT administrator contacted by IT Week. 'I get the IIS security-patch emails and install them as soon as possible. Somehow, I still managed to get infected with Code Red II.' Another adds, 'I am aghast at the number of patches that Microsoft has already put out for IIS 5.0. How am I supposed to keep up? It's a full-time job and, like others, securing IIS against intrusions is not my only task.'
IT Week Labs recommends that systems with IIS must be very carefully configured, and vigilance is crucial. The level of IIS-hostile traffic currently present on the open Internet is so high that connecting a fresh default install of Windows NT Server or Windows 2000 Server to the outside world will result in infiltration in a matter of minutes.
Microsoft's IIS has certainly not been the only target of hacker attacks. In May, the Sadmind worm targeted IIS and Sun Microsystems' Solstice AdminSuite package, and February's Lion, or 1i0n, worm attacked Domain Name System servers on Linux-based servers. However, the attacks on IIS have been unique both in terms of severity and risk.
IIS is significantly more vulnerable than other Web servers because it ships with so many features enabled by default, and because a large number of these features pass user input to services with system-level access. An attack on IIS is often significantly more damaging than an attack on other Web servers.
The IIS bugs being exploited by these attacks are often fairly recent, many affecting IIS 4.0, which shipped with Windows NT Server, and the current IIS 5.0. IT administrators who have not kept up with patches released by Microsoft are guaranteed to be in trouble.
Because of these issues, the number of infected IIS servers on the Internet is large. And each infected server can generate many further attacks.
To see for ourselves how long a default installation of IIS would last in the wild, IT Week Labs connected a fresh install of Windows 2000 Server to the Internet. We immediately started downloading the network install of Windows 2000 Service Pack 2, and disconnected when this had been carried out.
The 110MB download took 25 minutes to complete. For the first 15 minutes, we saw no HTTP traffic at all. In the last 10 minutes of the download, we were infected with Nimda twice, once each from two different servers, and several times by our own server reinfecting itself.
Although steps can be taken to improve the security of IIS, many firms are considering a move to other Web servers which have fewer weaknesses, or are less targeted by viruses and worms. Deciding whether to stay with IIS or switch is a decision each firm will have to make based on their IT needs, in-house skills and experience with IIS.
At its heart, a Web server is a relatively simple system, so organisations carrying out straightforward tasks such as serving static pages and images will find it easy to switch to another option. The real costs and problems lie in trying to move Web sites with dynamic content, such as applications based on scripting languages; in moving installed application servers and platform-specific components, such as Isapi extensions or Component Object Model (COM) components; and in the use of packaged applications such as search engines or e-commerce storefronts.
However, moving applications based on scripting languages and installed application servers may be easier than some think. All major scripting languages and application servers (with the notable exception of Windows itself) run on multiple Web servers and multiple operating systems, providing very good source-code compatibility.
Especially useful in this regard is Sun Microsystems' Sun ChiliSoft ASP (see Web address below), which provides an Active Server Pages (ASP) engine that works on several Unix operating systems, Linux, Windows, and servers including the Apache Software Foundation's Apache Web server, the Sun-Netscape iPlanet Web server and the Zeus Web server from Zeus Technology.
Sun's ChiliSoft ASP software costs US$495 (£340) per server, and is included free with iPlanet Web Server Enterprise Edition.
Code compatibility
ChiliSoft ASP provides source-code compatibility with ASP 2.0 (the version that ships with IIS 4.0 and Windows NT Server 4.0) and with Microsoft's ActiveX Data Objects data access libraries.
In IT Week Labs, we set up ChiliSoft ASP on a Windows 2000 server with iPlanet Web Server Enterprise Edition 6.0. We then ran the Nile Bookstore, our standard ASP test application, on it. We experienced only one problem: there was a ChiliSoft error when we called Response.Redirect after outputting an HTTP header, because ChiliSoft ASP has buffering turned off by default.
We fixed the problem by turning buffering on for that page by adding a line, 'Response.Buffer = True', at the top of the file. We also could have edited a ChiliSoft ASP registry setting to turn on buffering for all pages. Otherwise, every page in the site worked as it did on IIS.
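An added illustration of the buffering-before-redirect pattern described above; this is not code from the article or from ChiliSoft, and the session check and the login.asp target are assumed for the example:

```asp
<%@ Language=VBScript %>
<%
' Constructed example. Buffering must be switched on before any output
' is written; with buffering off (the ChiliSoft ASP default) the headers
' go to the client as soon as Response.Write runs, and a later
' Response.Redirect fails because a 302 header can no longer be sent.
Response.Buffer = True

' Hypothetical session check, assumed for illustration only.
Dim loggedIn
loggedIn = (Session("user") <> "")

Response.Write "<html><body>"
Response.Write "<p>Checking your session...</p>"

If Not loggedIn Then
    ' With buffering on, the body written above is still in the buffer,
    ' so it can be discarded and replaced by a redirect to the login page.
    Response.Clear
    Response.Redirect "login.asp"
End If

Response.Write "<p>Welcome back.</p></body></html>"
%>
```

The same ordering rule applies to any header-setting call (cookies, content type, status) made after the first Response.Write.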
However, if a company relies on Isapi applications for its Web site, porting can be a lot more problematic.
iPlanet Web Server has no support for Isapi applications. By default, Apache loads a module called mod_isapi, which gives the open-source Web server basic support for Isapi. Using this, we were able to run several simple Isapi applications, including a page counter and a visitor guest book, on our Apache servers.
But a potentially large problem is that Apache's mod_isapi provides support only for Isapi extensions, not for Isapi filters, which are typically found in more advanced e-commerce Isapi applications.
Support for both extensions and filters is found in the Zeus Web server, which runs on many server operating systems but not Windows. Although Zeus costs $1,700 (£1,175), unlike the free Apache and IIS products, it provides excellent performance and supports many other Web application languages.
Although ChiliSoft ASP and the Isapi support in these products can ease the pain of transferring applications from an IIS platform, companies that are serious about moving should consider recoding their applications in languages such as Java Server Pages (JSP) and PHP.
Although porting an application to a new language may sound daunting, the degree of difficulty depends on the application involved. Last year, when testing the benefits of dynamic Web development languages, we ported our Nile Bookstore application from ASP to JSP, PHP and Cold Fusion.
Any Web developer familiar with ASP should have little trouble moving to JSP. Also, a number of tools, such as Macromedia's UltraDev, make it possible to use the same development environment for coding in both languages. PHP can be a little more difficult for ASP developers, although any developer who is familiar with Perl should have little trouble using the open-source language.
Another option for IT managers is to move from in-house to hosted Web support. 'We have now moved our public Web site to a service provider. I can let them deal with the security issues for me,' says one administrator.
By Timothy Dyck, Jim Rapoza and Mary Stevens
How safe is your job?
If you run Microsoft's Internet Information Services then don't be surprised if your boss asks you to leave after the next break-in.