Slashdot Mirror


Gartner Group Suggests Dumping IIS For Now

sachmet is one of the many readers who contributed news that "Gartner Group is now recommending that IIS be replaced in corporate environments. This is based on the fact that TCO for IIS is rising due to the almost-weekly patches sent out by MS, and even then, it's nearly impossible to get patched quickly enough. Best part: 'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year." Gartner hasn't always said favorable things about Linux systems in the workplace, but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting. Update: 09/24 22:04 GMT by T: As several people have pointed out, the 80% figure appears to be Gartner's odds that IIS won't be rewritten that soon, rather than the other way around (.673334 probability).

9 of 502 comments

  1. Great but... by drodver · · Score: 2, Insightful

    This is great, but many companies can't switch easily because they have web apps based on ASP/ActiveX. Unless it's something small they are stuck, since rewriting it probably isn't an option.

  2. Regular patching only a small part of TCO by Pinball+Wizard · · Score: 4, Insightful
    From the article...


    using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out -- almost weekly.


    I imagine you would need to patch Apache fairly regularly as well. It's not like it's immune to worms or security holes. In fact, apache.org was compromised this year due to a security hole.


    I am in the process of converting from a Windows based web server to Debian/Apache, and the process is not without its problems. On the first try, Debian did not pick up both processors on my machine. Also, using mySQL, I can consistently crash my machine by trying to index a 5 million row table.


    So, I have some problems. As you might when converting from Windows to Linux. Where do I go? I can't just call my Debian rep and ask him to help me fix my problems. I have to hunt for the answers and spend a lot of time figuring out just what the heck is wrong with my system.


    So keep this in mind if you are switching because of TCO costs. Yes, you will need to patch once a week sticking with Windows. However, I don't think this report fully explains everything that may be involved when figuring out the TCO for a Linux system.


    That said, I expect to be able to solve my problems and end up with a very nice server.

    --

    No, Thursday's out. How about never - is never good for you?

  3. Why you shouldn't just depend on one OS... by nairnr · · Score: 2, Insightful

    I think this is a good indication of why you shouldn't just go with a single platform for all of your services. It may look good on paper, but the fact of the matter is that the Microsoft environment right now is so vulnerable with regard to exploits that it doesn't make sense any more.

    This kind of attack can be seen in the ecosystem as well. If everything is homogeneous, then a single form of attack can do a great deal of devastation.

    I guess the powers that be think that learning a new OS is bad, but it just proves "The Right tool, for the right job". Right now, IIS, is not it!

  4. Foot in the door... by Zergwyn · · Score: 4, Insightful
    "...but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting."


    One of the biggest problems with getting Linux, OpenBSD, or any new OS widely adopted is that it costs a great deal to switch to a new system once a business has standardized on a different solution. So many corporations decided to use WinNT, and having made the investment need a great deal to sway them to something better. It has to be something very big, and these virii may do it. This could be good news for OS's competing with M$, because the investment thing works both ways. Once Linux is installed, companies are less likely to go back to Windows NT...

  5. Ummm... by Kevinb · · Score: 3, Insightful
    'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,'

    Am I the only one who thinks this is the absolute wrong thing to do? As vulnerable as IIS has proved as of late, completely rewriting any piece of software runs the risk of not only reintroducing old exploits but possibly generating new ones. IIS is a very complex piece of software with years of thorough public testing (in the form of live deployments) already in place. By completely rewriting it, you throw out that experience and start from zero.

  6. You can't visit Windows Update? by throx · · Score: 5, Insightful

    the overhead on keeping the win machines patched (5 on the network) is crazy, I spend too much of my valuable time hunting down patches for machines

    Install Windows Critical Update Notification.

    If it honestly takes you too long to visit the Windows Update web site once every week for the 5 machines, or get the users to visit the site and install the critical updates then there's a problem somewhere.

    My Win2k machines WERE running IIS and had all critical updates installed. No Code Red. No Nimda. WTF is everyone else's problem? Even my web host which is running IIS didn't get hit.

    As for rewriting IIS, it is a rather stupid idea. First of all the Code Red problem wasn't IIS at all, but the Index Server ISAPI DLL. Rewriting IIS will have zero effect on any of these extensions, much as rewriting Apache would have little effect on a bug in mod_php.

    Honestly I don't get Gartner's points here - if you have a significant site with a large investment in .asp pages and custom server ActiveX objects then migrating from IIS is a fairly large expense. Even if you don't, the hassle of securely setting up a whole new web server is just asking for more holes to turn up. I'd be recommending companies don't switch at all, but pay attention to Microsoft's security bulletins (you ARE signed up, aren't you?)

    --

    Fear: When you see B8 00 4C CD 21 and know what it means

  7. Configure, don't patch by Ratbert42 · · Score: 5, Insightful

    Do what I do. I'm too f-ing lazy to keep up with the weekly patches. So I spent a couple hours a year ago and properly configured my IIS servers, following the published checklists. Now I review bug after bug and say "ok, that one can't impact me so I'll patch it later."

    There is no reason a properly configured but completely unpatched IIS 4 or IIS 5 server could not have survived both the Nimda and Code Red worms.

    Nimda made use of the Unicode directory traversal bug, which only lets you move around on the drive where the web documents are stored. Move the wwwroot to another drive, set file permissions as tight as possible, remove the sample applications, and you would have been safe. Every one of those is on any decent IIS admin's checklist.

    Code Red made use of a bug in the Index Server. Removing unused mappings is near the top of every decent IIS admin's list. In fact, one IIS server I have didn't have the patch applied when Code Red hit. I didn't bother to apply it until almost a month later.
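    The two comments above describe, between them, the two request shapes these worms sent: a Unicode directory-traversal path (overlong UTF-8 such as %c0%af for "/", which the vulnerable IIS decoded only after it had already checked the path for "..") and a hit on the Index Server ISAPI DLL, which served the .ida/.idq script mappings. The following is an added example, not code from the thread or from Microsoft: a small Python scanner for IIS W3C extended log lines that canonicalises each request the way the server should have (decode first, then resolve ".."), and flags requests that climb above the web root or target a mapping the hardening checklist says to remove. The log lines are constructed for the example and modelled on the worms' request patterns; the %c1%9c sequence (an overlong "\") is another encoding Nimda used. Field names follow the W3C extended format, so the "#Fields:" header drives the parsing rather than hard-coded column positions.

```python
"""
Added example (not part of the original thread): canonicalise IIS request
paths the way IIS 4/5 did not, then scan W3C extended log lines for
Unicode directory traversal and Index Server (.ida/.idq) ISAPI requests.
"""
import posixpath
from urllib.parse import unquote_to_bytes

# Script mappings a hardened server has removed. .ida and .idq were served
# by the Index Server ISAPI DLL that Code Red exploited, so any request for
# them on a server that still maps them is worth an alert.
REMOVED_ISAPI_EXTENSIONS = {".ida", ".idq"}


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode UTF-8 while *accepting* overlong two-byte forms.

    A strict decoder rejects %c0%af; the vulnerable IIS code path accepted
    it and turned it into '/' after the '..' check had already run.
    Mimicking that decoding lets the scanner see the path the server saw.
    """
    out = []
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= x <= 0xBF for x in raw[i + 1:i + 3])):
            out.append(chr(((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6)
                           | (raw[i + 2] & 0x3F)))
            i += 3
        else:
            # Stray byte: keep it as Latin-1 so nothing is silently dropped.
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonicalize(uri_stem: str):
    """Return (segments, escaped): the canonical path below the web root and
    whether '..' ever climbed above it. Decoding happens *before* the '..'
    check, which is the order IIS got wrong."""
    text = lenient_utf8_decode(unquote_to_bytes(uri_stem)).replace("\\", "/")
    segments, escaped = [], False
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True  # climbed above the web root
            continue
        segments.append(seg)
    return segments, escaped


def scan_log(lines):
    """Scan IIS W3C extended log lines; return one finding per suspicious
    request as (line_no, client_ip, reason, canonical_or_raw_path)."""
    fields, findings = None, []
    for lineno, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the header
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "")
        segments, escaped = canonicalize(stem)
        if escaped:
            findings.append((lineno, rec.get("c-ip"), "traversal-above-webroot",
                             "/" + "/".join(segments)))
            continue
        ext = posixpath.splitext(segments[-1])[1].lower() if segments else ""
        if ext in REMOVED_ISAPI_EXTENSIONS:
            findings.append((lineno, rec.get("c-ip"), "isapi-mapping" + ext, stem))
    return findings


# Constructed sample log, modelled on the request shapes the two worms sent.
# Line 4 is a Code Red style .ida request, lines 5 and 7 are Nimda style
# overlong-UTF-8 traversals, line 8 is a benign '..' that stays in the root.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:02:11 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNN 200
2001-09-18 14:02:12 192.0.2.11 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:13 192.0.2.12 GET /index.html - 200
2001-09-18 14:02:14 192.0.2.13 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:15 192.0.2.14 GET /images/../index.html - 200
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

    Two things the output makes concrete. The benign `/images/../index.html` is not flagged, because the check is on where the canonical path ends up rather than on the presence of "..", so a naive grep for ".." would both miss the encoded attack and false-positive on ordinary requests. And the traversal line whose status was 404 is still reported: on a server with wwwroot on a separate drive, as comment 7 recommends, the request fails, but the attempt is still worth seeing in the log.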

  8. Gartner's crystal ball is broken by Tony+Shepps · · Score: 4, Insightful

    If there's anyone reading this who's in charge of "decision-making" at the "enterprise level" --

    The question you should be asking yourself is not "Should I be replacing my IIS systems with Linux+Apache?" but, rather, "If I am relying on Gartner for recommendations on conditions in the future, why didn't they see this coming a year ago?"

    Well more than a year ago, the security benefits of open source were explored not only by /. but by almost every pundit on the web. Where was Gartner? Wouldn't it have saved you a ton of money if they had pointed out the probability of problems with security and patching in 1999 instead of late 2001? Isn't it amazing that they were near last to the table with this finding?

    Why does Gartner put probabilities on their expectations without showing their work? Does anyone go back in history and look at these probabilities?

    Doesn't Gartner have an interest in pressing the solutions that people expect them to press? And here's a HUGE question... if you're using the exact same solutions as every one of your competitors, are you prepared to give up the idea that IT could give your company a competitive advantage? Do your bosses agree with this?

  9. Duh!? by --daz-- · · Score: 2, Insightful

    Fact: All OSes and web servers have remotely exploitable vulnerabilities

    Fact: The scum that write these worms will target the most popular platform to get maximum impact.

    Fact: IIS holds a lion's share of the web server market for corporate installations and business

    Fact: There are a bunch of incompetent sysadmins out there who can't take the five minutes to follow MS' IIS Security Checklist (which would've foiled Code Red) or apply SP2 (which would've foiled Code Red II and Nimda)

    So, if we all dump IIS and go with, for example, Solaris+IPlanet, or Linux+Apache, the same lousy SA's will still not apply their patches and the Scum will not be writing worms for Linux+Apache or Solaris or whatever.

    The _REAL_ solution is to get people to be smart about installing Internet servers and make it dirt simple on all platforms to apply patches (MS has made great strides in this with the Network Hotfix Checker and the soon-to-be-released HF auto downloader).

    Blaming MS for lazy sysadmins isn't going to help anyone.