Slashdot Mirror


Gartner Group Suggests Dumping IIS For Now

sachmet is one of the many readers who contributed news that "Gartner Group is now recommending that IIS be replaced in corporate environments. This is based on the fact that TCO for IIS is rising due to the almost-weekly patches sent out by MS, and even then, it's nearly impossible to get patched quickly enough. Best part: 'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year." Gartner hasn't always said favorable things about Linux systems in the workplace, but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting. Update: 09/24 22:04 GMT by T: As several people have pointed out, the 80% figure appears to be Gartner's odds that IIS won't be rewritten that soon, rather than the other way around (.673334 probability).

8 of 502 comments

  1. Actually... by base2op · · Score: 5, Informative
    There is an 80% chance of it not happening by the end of 2002:

    Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability).

  2. It seems like people are already doing it by jsveiga · · Score: 4, Informative

    Take a look at the data at:
    http://www.securityspace.com/s_survey/data/200108/index.html

    Since July IIS market share has been falling.

    Check the .mil, and .br graphs!

    The share is flowing to Apache and Netscape servers.

    Joao

  3. Re:Regular patching only a small part of TCO by baptiste · · Score: 5, Informative
    In fact, apache.org was compromised this year due to a security hole

    Well yes Apache.org did get compromised but NOT due to an Apache server problem. It was a complicated hack and took advantage of a configuration problem (mainly Apache had their incoming FTP tree viewable in their web space among others). Or perhaps you're referring to another event.

    Yes, Apache is not all nice point and click, but there ARE tools out there (Webmin's Apache module is NICE) to make administration easier. Yes Apache has had vulnerabilities in the past, but considering its widespread use and installed base, I'm extremely impressed with how secure it's been - upgrades to Apache are rare which reduces TCO.

    Yes, all systems and software have problems. But overall, I'll stick with OSS where appropriate and regarding your issues with MySQL and Apache, a few simple posts to mailing lists or news groups related to the software will often get your problem fixed faster than most 3rd party setups.

  4. Re:You can't visit Windows Update? by WNight · · Score: 4, Informative

    The problem is that you can't trust MS's patches.

    One of the early NT service packs was called the SP-of-Death. Even recently... Remember SP6? Nope. It was pulled rather quickly and replaced with 6a (which is often referred to as 6) because it caused a ton of problems for Notes users.

    Direct-X 7.0 was buggy and toasted a few systems, but couldn't be uninstalled.

    MS has a long history of playing games with patches. Often they don't release patches, forcing an "upgrade" to a later version, other times they release a "patch" that (intentionally?) breaks other companies' software.

    Decent admins don't install MS patches until they've seen them in action and could evaluate them. The proper action with CRed and Nimda isn't to rush to patch the server, but to change the firewall to prevent malicious requests. To do otherwise is to risk having to reinstall the OS (without the patch) to get your servers working again.

  5. Microsoft Tool to check Windows 2000 Adv Servers by Sierpinski · · Score: 5, Informative

    In recent dealings with the latest worms, I found a tool from Microsoft called Hfnetchk that will, with a valid connection to the internet, tell you exactly what patches you do or do not have installed. They cross list them by article (eg Q123455) and also by another form (eg MS01-077).

    We're running Windows 2000 Adv Server (yeah yeah, I know, but we don't have the Cold Fusion package for Linux) with IIS 5, and were having an average of 30-45 minutes uptime before getting blasted by the worm(s).

    After using the hfnetchk and downloading quite a few patches (burn them to a CD, having to reload the system isn't out of the question, even if it is working now), we have had about 5 days uptime, and *knocks on wood* no infections, although the log says there have been attempts.

    Even though I'm spoiled to the ease at which I can find Linux updates, I found that the tool was very useful, especially since Microsoft's site is so unorganized when it comes to downloading patches and updates (I want a list, not having to search for something, especially when it never works right) that this tool was a big time saver for me.

  6. Gimme a break! by JediTrainer · · Score: 5, Informative

    Rewriting is always an option. It's not a pretty one, but it CAN be done if you're dedicated enough.

    Case in point - last year I saw the dead-end coming for my company's Enterprise solution, which was written in ASP/COM. The argument (er... *ahem*, discussion) I had with the higher-ups concluded that we HAD to continue moving forward. We couldn't wait 6 months for a rewrite (ambitious at best).

    Fine, I said. Then let me do everything concurrently. Here's how it works:

    Install Tomcat onto your Windows NT Server running IIS, along with JRE 1.3 and the HotSpot Server.

    Link Tomcat in with IIS using the mod_isapi.dll you can get from the Tomcat site. Also install Tomcat as a service using jk_nt_service.exe.

    Keep your Java session abstracted. The main session remains as-is within your ASP application. Write a bit of java.net code to hook in through a custom ASP page (note: security - ordinary clients can't access this page) to retrieve and update any session variables. This can be done by reading the ASPSESSION cookie, and spoofing it in your requests to IIS.

    Any NEW components, write in Java. Remember - session variables get retrieved and saved from the ASP side still.

    As you're working on new components, when you can arrange it, convert old components to Java one by one. Session still remains on ASP.

    Wash, rinse, repeat until all components have been written in Java. Once this is done, convert your login into Java, and change your abstracted Session to be a Java session instead of hooking into IIS for the ASP one.

    Voila. You are now 100% Java. Now get rid of IIS and switch to something else. This is the approach that my team took to rid ourselves of the VB horror that someone left me when I joined. It took about 8 months of solid effort, but it worked. We are now rid of all reliance on MS technologies from our site. We also managed to do it quickly because of good code layout, and the use of the most wonderful Velocity templates also available from the Jakarta site. This helped a lot.

    The point is, you CAN do a rewrite. What you usually are NOT allowed to do is a code freeze. So... work around it! The beauty of this solution is that you are running two separate applications (technically) for a time. Keep a consistent look, and the users can't tell the difference between the ASP and the Java side. Change one function at a time, slowly, and eventually you'll reach the Utopia you're looking for.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
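
The session hand-off described in the comment above, sketched as an added example (not the commenter's code): the Java side forwards only the visitor's ASP session cookie to a bridge page and reads one variable back. The class name, the `/bridge.asp` path, the `name` parameter, the cookie pattern and the loopback-only rule are assumptions for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.regex.*;

public class AspSessionBridge {
    // Assumed cookie shape: name "ASPSESSIONID" + letters, value of letters only.
    private static final Pattern ASP_COOKIE = Pattern.compile("ASPSESSIONID[A-Z]{1,16}=[A-Z]{1,64}");

    /** Returns only the ASP session pair from a Cookie header, or null if absent. */
    static String aspCookie(String cookieHeader) {
        if (cookieHeader == null) return null;
        for (String part : cookieHeader.split(";")) {
            Matcher m = ASP_COOKIE.matcher(part.trim());
            if (m.matches()) return m.group();
        }
        return null;
    }

    /** Reads one session variable through the hypothetical bridge page on the ASP side. */
    static String readVar(URL bridge, String cookieHeader, String name) throws IOException {
        String cookie = aspCookie(cookieHeader);
        if (cookie == null) throw new IOException("no ASP session cookie");
        if (!InetAddress.getByName(bridge.getHost()).isLoopbackAddress())
            throw new IOException("bridge page must be reached over loopback only");
        URL u = new URL(bridge, bridge.getPath() + "?name=" + URLEncoder.encode(name, "UTF-8"));
        HttpURLConnection c = (HttpURLConnection) u.openConnection();
        c.setRequestProperty("Cookie", cookie); // forward the session cookie, nothing else
        c.setConnectTimeout(2000);
        c.setReadTimeout(2000);
        if (c.getResponseCode() != 200) throw new IOException("bridge refused: " + c.getResponseCode());
        try (InputStream in = c.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        String sid = "ASPSESSIONIDQQGGGNCG=ABCDEFGHIJKLMNOPQRSTUVWX"; // constructed sample
        // Constructed stand-in for the ASP bridge page so the example runs offline.
        HttpServer asp = HttpServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
        asp.createContext("/bridge.asp", ex -> {
            boolean ok = sid.equals(ex.getRequestHeaders().getFirst("Cookie"));
            byte[] body = "alice".getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(ok ? 200 : 403, ok ? body.length : -1);
            if (ok) ex.getResponseBody().write(body);
            ex.close();
        });
        asp.start();
        URL bridge = new URL("http://127.0.0.1:" + asp.getAddress().getPort() + "/bridge.asp");
        System.out.println(readVar(bridge, "theme=dark; " + sid, "user")); // other cookies are dropped
        asp.stop(0);
    }
}
```

The bridge page should also refuse non-local callers on the IIS side, since the client-side loopback check here does nothing to stop an outside request reaching it directly.
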
  7. M$ license restrictions on IIS alternatives by MillionthMonkey · · Score: 4, Informative
    Tim O'Reilly wrote a Salon article back in November 1999 about the obstacles M$ places in the path of people who want to run alternative web servers on NT:

    In fact, the rise of Microsoft's Internet Information Server (IIS) as the dominant Web server on NT shows much the same pattern as the rise of IE as the dominant browser: Microsoft got pole position by exercising its unique leverage as an operating system vendor.
    Originally IIS, Web server software that runs only on the NT operating system, was bundled "free" with a version of NT called NT Server. Web server vendors such as Netscape and O'Reilly responded by pointing out in our advertising and PR that if customers ran our third-party Web server software on NT Workstation (a less expensive version of NT, which came without the IIS Web server software), they would end up with a more powerful server than Microsoft's IIS running on NT Server -- and it would cost less too.
    Much as it had done by bundling the browser with Windows 98, Microsoft was bundling an application -- the IIS Web server -- as part of an operating system, (NT Server). But in this case, the company offered another version of the same operating system without the bundle, (NT Workstation). It seemed natural to competitors to offer our products on top of the version of the operating system that came without IIS.
    It did not, however, please Microsoft that we did so. In June 1996 Microsoft responded by changing the license to NT Workstation to prohibit its use as a server platform. (At first, the company went further, and actually crippled the version of TCP/IP provided in NT Workstation, but the outcry from users forced it to backtrack.)
    Microsoft argued, quite rightly, that it had the right to create two different versions of NT, with different price points, and different functionality. But the company went a step further, and used its operating system license (and more specifically the license to the parts of the operating system that implemented TCP/IP, an industry standard protocol) to prohibit the use of third-party applications that duplicated the functionality of Microsoft's more expensive platform.
    Microsoft's public rationale for the policy -- that it was protecting its customers because NT Workstation was not suitable for use as a server operating system -- was proven false by my colleague, former O'Reilly editor Andrew Schulman (working with Mark Russinovich). Schulman and Russinovich demonstrated that it was possible to convert NT Workstation to NT Server by changing only a few registry entries. NT Workstation contained all of the same program code as NT Server; the code was simply disabled, and some additional applications bundled.

    This is admittedly an old story; I don't know if M$ is still legally implementing this particular "innovative" license restriction nowadays. Does anybody know?

  8. Administering Two Owesses. A True Story. By Me. by ballpoint · · Score: 4, Informative

    System 1: IIS on Windows NT:

    • monthly: download patch (click), execute it (click, click, click) and reboot (click, click, click)
    • quarterly: reboot crashed system
    • infected: never (yet)

    System 2: standard Mandrake-Linux distro with manual install of current versions of Apache, PHP, mySQL, OpenSSL and mod_ssl.

    • daily: Mandrake distro stuff:
      • Read email sent by Mandrake Security Announce.
      • Determine if the Security Announce concerns your installation. It does.
      • MandrakeUpdate the rpms as needed. Skip rpms that are wrongly marked as dependent on something you don't want to update. (Why is xyz dependent on emacs of all things ?)
      • Download the skipped rpms manually, and rpm -U.
    • fortnightly: other stuff:
      • Check apache.org, mysql.com, php.net, modssl.org and openssl.org for updates as your attention gets caught by security bulletins.
      • download source code, tar gxf; ./configure --with-abc=def .......; make; su; make install; exit. Repeat, repeat, repeat, repeat due to interdependencies and changed config options. su; apachectl stop; sleep 5; apachectl startssl; enter passphrase; exit; gedit broken .conf files and repeat, repeat, repeat.
    • yearly: reboot the system (uptime: 305 days and counting)
    • infected: never (yet)

    Now which system do you want to administer today ?

    --
    Flourescent (adj): smelling like ground wheat.