Slashdot Mirror


Gartner Group Suggests Dumping IIS For Now

sachmet is one of the many readers who contributed news that "Gartner Group is now recommending that IIS be replaced in corporate environments. This is based on the fact that TCO for IIS is rising due to the almost-weekly patches sent out by MS, and even then, it's nearly impossible to get patched quickly enough. Best part: 'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year." Gartner hasn't always said favorable things about Linux systems in the workplace, but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting. Update: 09/24 22:04 GMT by T: As several people have pointed out, the 80% figure appears to be Gartner's odds that IIS won't be rewritten that soon, rather than the other way around (.673334 probability).

17 of 502 comments

  1. Actually... by base2op · Score: 5, Informative
    There is an 80% chance of it not happening by the end of 2002:

    Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability).

  2. It seems like people are already doing it by jsveiga · Score: 4, Informative

    Take a look at the data at:
    http://www.securityspace.com/s_survey/data/200108/index.html

    Since July IIS market share has been falling.

    Check the .mil, and .br graphs!

    The share is flowing to Apache and Netscape servers.

    Joao

  3. Apache.org by Srin+Tuar · Score: 2, Informative

    Apache.org was compromised due to a misconfiguration, not an exploit. Totally different. You could *not* write a Nimda to take advantage of that.

  4. Re:Kind of ridiculous... by jsveiga · Score: 2, Informative

    Not quite.

    Nimda uses more ways to spread than the ones used by Code Red. Code Red used a buffer overflow, Nimda uses directory traversal to get the IIS.

    Nimda does look for possible backdoors left by Code Red or other worms.

    From CERT:

    The "Code Red" worm is malicious self-propagating code that exploits Microsoft Internet Information Server (IIS)-enabled systems susceptible to the vulnerability described in CA-2001-13 Buffer Overflow In IIS Indexing Service DLL.

    and:

    The CERT/CC has received reports of new malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears to spread by multiple mechanisms:
    from client to client via email
    from client to client via open network shares
    from web server to client via browsing of compromised web sites
    from client to web server via active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities (VU#111677 and CA-2001-12)
    from client to web server via scanning for the back doors left behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS" (CA-2001-11) worms
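
    The CERT text quoted in this comment is enough to recognise both worms in an ordinary access log. As an added example (not code from the thread, CERT or Microsoft), the Python script below walks common-log-format lines, decodes each request path the way a lenient IIS 4/5 did (collapsing the double-encoded %255c and the overlong %c0%af / %c1%1c sequences Nimda used) and tags requests for /default.ida (Code Red), for ".." traversal that only appears after decoding, and for the cmd.exe / root.exe targets. The log lines are constructed; the function and tag names are the example's own.

```python
"""Tag Code Red and Nimda-style requests in a web server access log.

Added example; not code from the thread, CERT or Microsoft.  The request
shapes come from the CERT advisories quoted above: Code Red's GET to
/default.ida (the Indexing Service ISAPI overflow, CA-2001-13) and Nimda's
directory traversal to cmd.exe (VU#111677, CA-2001-12) plus probes for the
root.exe back door left by Code Red II and sadmind/IIS.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log in common log format; not captured traffic.  The
# default.ida argument is shortened (the real worm sent a much longer run of N's).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:13:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:13:02:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:13:02:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:13:02:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:13:02:13 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:13:02:13 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.168.1.7 - - [19/Jul/2001:10:15:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 -
192.168.1.9 - - [19/Jul/2001:10:16:44 -0400] "GET /index.html HTTP/1.1" 200 1234
192.168.1.9 - - [19/Jul/2001:10:16:45 -0400] "GET /images/logo.gif HTTP/1.1" 200 5678
"""

# host ident user [time] "METHOD TARGET HTTP/x.y" ...
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) HTTP/[\d.]+"')


def iis_decode(path: str, max_rounds: int = 4) -> str:
    """Decode a request path the way a lenient IIS 4/5 did.

    Percent-decoding is repeated until stable, so %255c -> %5c -> '\\'.
    A two-byte UTF-8 sequence led by 0xC0/0xC1 is never valid (overlong);
    IIS folded it to the ASCII byte it aliases, so %c0%af -> '/' and
    %c1%1c -> '\\'.  Backslashes are then normalised to '/'.
    """
    cur = path.encode("utf-8")
    for _ in range(max_rounds):
        raw = unquote_to_bytes(cur)
        out = bytearray()
        i = 0
        while i < len(raw):
            b = raw[i]
            if b in (0xC0, 0xC1) and i + 1 < len(raw):
                # Fold the overlong pair to the 7-bit byte it encodes.
                out.append((((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)) & 0x7F)
                i += 2
            else:
                out.append(b)
                i += 1
        nxt = bytes(out)
        if nxt == cur:
            break
        cur = nxt
    return cur.decode("latin-1").replace("\\", "/")


def classify(target: str) -> frozenset:
    """Return the worm indicators found in one request target (path?query)."""
    path, _, _query = target.partition("?")
    segments = iis_decode(path).lower().split("/")
    tags = set()
    if segments[-1] == "default.ida":
        tags.add("default.ida")   # Code Red: overflow in the Indexing Service ISAPI extension
    if ".." in segments:
        tags.add("traversal")     # Nimda: '..' that IIS only saw after its path check
    if segments[-1] in ("cmd.exe", "root.exe"):
        tags.add(segments[-1])    # shell via traversal, or the Code Red II copy of cmd.exe
    return frozenset(tags)


def scan_log(text: str) -> list:
    """Return (client, target, tags) for every flagged request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target = m.groups()
        tags = classify(target)
        if tags:
            hits.append((client, target, tags))
    return hits


if __name__ == "__main__":
    for client, target, tags in scan_log(SAMPLE_LOG):
        print(f"{client:15} {','.join(sorted(tags)):22} {target}")
```

    The decode step is the point: the two IIS bugs CERT cites here (VU#111677 and CA-2001-12) are precisely that IIS resolved these sequences to a backslash after its path check had already passed, so a filter that looks for a literal ".." or "%5c" in the raw request line misses %255c and %c1%1c while IIS does not. Running the script on the constructed log flags the seven worm requests and leaves the two ordinary GETs alone.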

  5. Re:Regular patching only a small part of TCO by baptiste · Score: 5, Informative
    In fact, apache.org [apache.org] was compromised this year due to a security hole

    Well yes Apache.org did get compromised but NOT due to an Apache server problem. It was a complicated hack and took advantage of a configuration problem (mainly Apache had their incoming FTP tree viewable in their web space among others) Or perhaps you're referring to another event.

    Yes, Apache is not all nice point and click, but there ARE tools out there (Webmin's Apache module is NICE) to make administration easier. Yes Apache has had vulnerabilities in the past, but considering its widespread use and installed base, I'm extremely impressed with how secure it's been - upgrades to Apache are rare which reduces TCO.

    Yes, all systems and software have problems. But overall, I'll stick with OSS where appropriate and regarding your issues with MySQL and Apache, a few simple posts to mailing lists or news groups related to the software will often get your problem fixed faster than most 3rd party setups.

  6. Re:You can't visit Windows Update? by humanasset · Score: 2, Informative

    There is actually a better way to do this. Use the Windows 2000 IIS 5.0 Hotfix Checking Tool. It works pretty well and you can customize it to your needs. It can write to the event log, send an email, etc.

    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168

  7. Re:You can't visit Windows Update? by WNight · Score: 4, Informative

    The problem is that you can't trust MS's patches.

    One of the early NT service packs was called the SP-of-Death. Even recently... Remember SP6? Nope. It was pulled rather quickly and replaced with 6a (which is often referred to as 6) because it caused a ton of problems for Notes users.

    Direct-X 7.0 was buggy and toasted a few systems, but couldn't be uninstalled.

    MS has a long history of playing games with patches. Often they don't release patches, forcing an "upgrade" to a later version, other times they release a "patch" that (intentionally?) breaks other companies software.

    Decent admins don't install MS patches until they've seen them in action and could evaluate them. The proper action with CRed and Nimda isn't to rush to patch the server, but to change the firewall to prevent malicious requests. To do otherwise is to risk having to reinstall the OS (without the patch) to get your servers working again.

  8. Re:You can't visit Windows Update? by AugstWest · Score: 3, Informative

    Index Server is part of IIS. The problem is that IIS encompasses a large number of services that are enabled by default, and 90% of the people using it will never use them.

    Also, if you're running NT4, there is no windows update for IIS.

  9. Microsoft Tool to check Windows 2000 Adv Servers by Sierpinski · Score: 5, Informative

    In recent dealings with the latest worms, I found a tool from Microsoft called Hfnetchk that will, with a valid connection to the internet, tell you exactly what patches you do or do not have installed. They cross list them by article (eg Q123455) and also by another form (eg MS01-077).

    We're running Windows 2000 Adv Server (yeah yeah, I know, but we don't have the Cold Fusion package for Linux) with IIS 5, and were having an average of 30-45 minutes uptime before getting blasted by the worm(s).

    After using the hfnetchk and downloading quite a few patches (burn them to a CD, having to reload the system isn't out of the question, even if it is working now), we have had about 5 days uptime, and *knocks on wood* no infections, although the log says there have been attempts.

    Even though I'm spoiled by the ease with which I can find Linux updates, I found that the tool was very useful, especially since Microsoft's site is so unorganized when it comes to downloading patches and updates (I want a list, not having to search for something, especially when it never works right) that this tool was a big time saver for me.

  10. Gimme a break! by JediTrainer · Score: 5, Informative

    Rewriting is always an option. It's not a pretty one, but it CAN be done if you're dedicated enough.

    Case in point - last year I saw the dead-end coming for my company's Enterprise solution, which was written in ASP/COM. The argument (er... *ahem*, discussion) I had with the higher-ups concluded that we HAD to continue moving forward. We couldn't wait 6 months for a rewrite (ambitious at best).

    Fine, I said. Then let me do everything concurrently. Here's how it works:

    Install Tomcat onto your Windows NT Server running IIS, along with JRE 1.3 and the HotSpot Server.

    Link Tomcat in with IIS using the mod_isapi.dll you can get from the Tomcat site. Also install Tomcat as a service using jk_nt_service.exe.

    Keep your Java session abstracted. The main session remains as-is within your ASP application. Write a bit of java.net code to hook in through a custom ASP page (note: security - ordinary clients can't access this page) to retrieve and update any session variables. This can be done by reading the ASPSESSION cookie, and spoofing it in your requests to IIS.

    Any NEW components, write in Java. Remember - session variables get retrieved and saved from the ASP side still.

    As you're working on new components, when you can arrange it, convert old components to Java one by one. Session still remains on ASP.

    Wash, rinse, repeat until all components have been written in Java. Once this is done, convert your login into Java, and change your abstracted Session to be a Java session instead of hooking into IIS for the ASP one.

    Voila. You are now 100% Java. Now get rid of IIS and switch to something else. This is the approach that my team took to rid ourselves of the VB horror that someone left me when I joined. It took about 8 months of solid effort, but it worked. We are now rid of all reliance on MS technologies from our site. We also managed to do it quickly because of good code layout, and the use of the most wonderful Velocity templates also available from the Jakarta site. This helped a lot.

    The point is, you CAN do a rewrite. What you usually are NOT allowed to do is a code freeze. So... work around it! The beauty of this solution is that you are running two separate applications (technically) for a time. Keep a consistent look, and the users can't tell the difference between the ASP and the Java side. Change one function at a time, slowly, and eventually you'll reach the Utopia you're looking for.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  11. Incorrect statement on IIS rewrite timeline. by mikej · Score: 3, Informative

    The submitter says that IIS needs to be rewritten, something that "[Gartner says] has an 80% chance of happening by the end of next year." This is incorrect.

    The actual quote is: "Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability)." That means there's an 80% probability that the preceding statement is true, and that statement is that MS will _not_ have completed a rewrite in that timeframe.

    So instead of MS being 80% likely to fix the problem, they're 80% UNlikely to do so in the timeframe specified.

    --
    Ideology breeds Hypocrisy. Just how much is up to you.
  12. M$ license restrictions on IIS alternatives by MillionthMonkey · Score: 4, Informative
    Tim O'Reilly wrote a Salon article back in November 1999 about the obstacles M$ places in the path of people who want to run alternative web servers on NT:

    In fact, the rise of Microsoft's Internet Information Server (IIS) as the dominant Web server on NT shows much the same pattern as the rise of IE as the dominant browser: Microsoft got pole position by exercising its unique leverage as an operating system vendor.
    Originally IIS, Web server software that runs only on the NT operating system, was bundled "free" with a version of NT called NT Server. Web server vendors such as Netscape and O'Reilly responded by pointing out in our advertising and PR that if customers ran our third-party Web server software on NT Workstation (a less expensive version of NT, which came without the IIS Web server software), they would end up with a more powerful server than Microsoft's IIS running on NT Server -- and it would cost less too.
    Much as it had done by bundling the browser with Windows 98, Microsoft was bundling an application -- the IIS Web server -- as part of an operating system, (NT Server). But in this case, the company offered another version of the same operating system without the bundle, (NT Workstation). It seemed natural to competitors to offer our products on top of the version of the operating system that came without IIS.
    It did not, however, please Microsoft that we did so. In June 1996 Microsoft responded by changing the license to NT Workstation to prohibit its use as a server platform. (At first, the company went further, and actually crippled the version of TCP/IP provided in NT Workstation, but the outcry from users forced it to backtrack.)
    Microsoft argued, quite rightly, that it had the right to create two different versions of NT, with different price points, and different functionality. But the company went a step further, and used its operating system license (and more specifically the license to the parts of the operating system that implemented TCP/IP, an industry standard protocol) to prohibit the use of third-party applications that duplicated the functionality of Microsoft's more expensive platform.
    Microsoft's public rationale for the policy -- that it was protecting its customers because NT Workstation was not suitable for use as a server operating system -- was proven false by my colleague, former O'Reilly editor Andrew Schulman (working with Mark Russinovich). Schulman and Russinovich demonstrated that it was possible to convert NT Workstation to NT Server by changing only a few registry entries. NT Workstation contained all of the same program code as NT Server; the code was simply disabled, and some additional applications bundled.

    This is admittedly an old story; I don't know if M$ is still legally implementing this particular "innovative" license restriction nowadays. Does anybody know?
  13. Administering Two Owesses. A True Story. By Me. by ballpoint · Score: 4, Informative

    System 1: IIS on Windows NT:

    • monthly: download patch (click), execute it (click, click, click) and reboot (click, click, click)
    • quarterly: reboot crashed system
    • infected: never (yet)

    System 2: standard Mandrake-Linux distro with manual install of current versions of Apache, PHP, mySQL, OpenSSL and mod_ssl.

    • daily: Mandrake distro stuff:
      • Read email sent by Mandrake Security Announce.
      • Determine if the Security Announce concerns your installation. It does.
      • MandrakeUpdate the rpms as needed. Skip rpms that are wrongly marked as dependent on something you don't want to update. (Why is xyz dependent on emacs of all things?)
      • Download the skipped rpms manually, and rpm -U.
    • fortnightly: other stuff:
      • Check apache.org, mysql.com, php.net, modssl.org and openssl.org for updates as your attention gets caught by security bulletins.
      • download source code, tar xzf; ./configure --with-abc=def .......; make; su; make install; exit. Repeat, repeat, repeat, repeat due to interdependencies and changed config options. su; apachectl stop; sleep 5; apachectl startssl; enter passphrase; exit; gedit broken .conf files and repeat, repeat, repeat.
    • yearly: reboot the system (uptime: 305 days and counting)
    • infected: never (yet)

    Now which system do you want to administer today?

    --
    Flourescent (adj): smelling like ground wheat.
  14. It's not that difficult... sheesh by sheldon · Score: 3, Informative

    I must have posted this at least a dozen times to /. alone over the past few months. It's been posted to ntbugtraq and every other support mailing list.

    Here it is, one more time. Live it, learn it, love it.

    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168

    Besides, as of right now there haven't been any major patches for about a month and you just need to do Win2k SP2 plus the August hotfix rollup. Or WinNT4 SP6a plus a similar rollup hotfix.

  15. A solution! by plover · Score: 3, Informative
    I just realized how these attacks could all have been prevented: fair market forces. If Microsoft had to sell IIS competitively, they'd have about a 2% market share. Code Red, Nimda, all the other worms would have much less of a foothold in an environment that IIS had to fairly compete in.

    First, if it were a "pay per play" I'd be far more interested in seeing it work properly than I would be if I were just clicking a box that said "Install web server?"

    Second, attacks would make it much less likely that anyone would pay for their product until it was far more secure.

    The same would be true for the other virus-prone applications bundled with the Windows operating systems: I wouldn't consider Outlook Express if I had to pay for an e-mail client, especially with all the viruses that it retransmits. Internet explorer? There's not a chance I would purchase an ActiveX container for surfing the web, but since that big blue "e" is already sitting on the screen and doesn't take me a half hour to download, sure, I'll use it.

    And now the D.O.J. has dropped their only chance to prevent the tragedy from repeating itself on XP.

    --
    John
  16. Re:You can't visit Windows Update? by plover · Score: 3, Informative
    Please, you are continually blaming the owners of these machines for not being "competent". The machines are owned by a wide range of people, most of whom are your brother-in-law's cousin's co-worker who thinks that if Windows ME costs $100 then Win 2K must be three times better because it costs $299.

    So I suffer the effects of his Code Red attacks because he's too busy playing Quake to read Microsoft's fix-of-the-week? Next time you see a random person who happens to own Win2K, ask him or her if he even knows what the phrase "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" means?

    And your solution to us is to blame him, rather than solve the problem? I think the company that delivers the insecure system out-of-the-box is at fault. Don't blame the guy who just bought a Win2K CD at Best Buy and stuck it in his PC. He simply trusted Microsoft to provide him with an OS for his computer, and I think he's within reason to expect the software he paid for NOT to be full of holes.

    As a matter of fact, one is attacking me as I write. Let me go see, yes, http://tsi-196.tsi-comm.com/ has the default IIS page up. This is a NOBODY, just some guy with a cable modem, money, and not enough brains to know what he's done. His box is so tied up I can't even NET SEND him a friendly "You've got worms!" message. And he's just one of many thousands. Even if every professional IIS admin were completely competent, Microsoft is shipping the same leaky IIS to every dot-com, Dick and Harry.

    Quit attacking the victims.

    --
    John
  17. read this by Otis_INF · Score: 3, Informative
    Bookmark this site:
    http://www.microsoft.com/technet/. Go there, subscribe to the mailing lists on security and other useful things. Read the how-to's, walkthroughs and useful documents about administering a Win2k/NT4 server.

    Now when you go to http://www.microsoft.com/downloads/search.asp?, you will see a form. Select the product, win2k server, select Date to sort on, and hit 'find it'. All patches you need to have are there, plus other useful downloads.

    Other USEFUL information about how to secure your box: http://www.securityfocus.com/cgi-bin/microsoft_topics.pl

    Windows NT kernel based systems have excellent memory management. You should start/stop services (net start/stop w3svc) once in a while. Or use 'kill'. Reboot not needed. Honestly.

    --
    Never underestimate the relief of true separation of Religion and State.