- Microsoft's Internet Information Server (IIS) is as secure as comparable products from other vendors, the company says after a Gartner recommendation that enterprises hit by both the Nimda and Code Red worms look at alternatives (see Gartner to IS managers: Drop IIS).
According to the advisory from Stamford, Connecticut-based Gartner, the success of the Nimda worm and of Code Red before that "highlights the risk of using IIS and the effort involved in keeping up with Microsoft's frequent security patches."
Gartner's advisory was issued in the wake of last week's attack by the mass-mailing Nimda worm that infected systems running Microsoft Windows 95, 98, Me, NT and 2000. Unlike other worms and viruses, Nimda spread via network-based email, as well as by web browsers, and exploited back doors left behind by previous viruses such as Code Red and Sadmind.
As it had with Code Red, Microsoft recommended installing patches and service packs on virtually every PC and server running the Internet Explorer web browser, IIS web servers or the Outlook Express email client, says John Pescatore, a Gartner analyst and author of the advisory.
Such constant patching and maintaining has resulted in a high cost of ownership for IIS, he says. For that reason, Pescatore recommended that enterprises hit by both Nimda and Code Red look at alternatives such as Sun Microsystems' iPlanet and the Apache web server software
"The Gartner recommendation overlooks the fact that security is an industrywide challenge and that serious vulnerabilities have been found in all web server products and platforms," a Microsoft spokesman says. "It is a folly to believe that if you switch from one product to another, you are protected."
Instead, the emphasis should be on ensuring safe security practices and making sure that all recommended patches are installed, he adds. "Those customers that installed all the [recommended] patches were protected from Nimda," the Microsoft spokesman says.
But Gartner's recommendation seems to be resonating with at least some users.
Palo Alto, California-based law firm Fenwick & West is planning on migrating off of its IIS servers to a Linux operating environment running Apache's web server software.
The decision was prompted by the continuing security concerns related to IIS, says Matt Kesner, the firm's chief technology officer. Also driving the move is cost: It's cheaper to run Apache on Linux than it is it to run IIS, Kesner says.
The law firm escaped being hit by last week's Nimda virus because it had all the appropriate patches in place. But the experience of dealing with a previous IIS-related vulnerability and the continuous effort needed to keep it secure aren't worth it, Kesner says.
Moving to Apache is going to be difficult, and it will offer less functionality than IIS, Kesner predicted. Even so, "we think it is a smaller target," he says. "For whatever reason, virus writers are not targeting Linux and Sun as much as they have been targeting Microsoft."
"Apache is a bit more difficult to set up, but it is much easier to maintain once the setup process has been completed," says Pat Quick, an information systems specialist at Planogramming Solutions Inc., a space management company in Jacksonville, Florida.
Because of security concerns, "we have considered trashing our MS BackOffice/ColdFusion development and are looking at a possible [Linux] setup," he says in an email to Computerworld.
"I know that Windows, Office and many other packages are very popular and have a wide reach that makes them the target to get to," Quick says. "But to be the biggest should carry some responsibility to be the best. This is, sadly, not the case."