Gartner Group Suggests Dumping IIS For Now

sachmet is one of the many readers who contributed news that "Gartner Group is now recommending that IIS be replaced in corporate environments. This is based on the fact that TCO for IIS is rising due to the almost-weekly patches sent out by MS, and even then, it's nearly impossible to get patched quickly enough. Best part: 'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year." Gartner hasn't always said favorable things about Linux systems in the workplace, but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting. Update: 09/24 22:04 GMT by T :As several people have pointed out, the 80% figure appears to be Gartner's odds that IIS won't be rewritten that soon, rather than the other way around (.673334 probability).

You can't visit Windows Update?

[throx]

the overhead on keeping the win machines patched (5 on the network) is crazy, I spend too much of my valuable time hunting down patches for machines

Install Windows Critical Update Notification.

If it honestly takes you too long to visit the Windows Update web site once every week for the 5 machines, or get the users to visit the site and install the critical updates then there's a problem somewhere.

My Win2k machines WERE running IIS and had all critical updates installed. No Code Red. No Nimda. WTF is everyone else's problem? Even my web host which is running IIS didn't get hit.

As for rewriting IIS, it is a rather stupid idea. First of all the Code Red problem wasn't IIS at all, but the Index Server ISAPI DLL. Rewriting IIS will have zero effect on any of these extensions, much as rewriting Apache would have little effect on a bug in mod_php.

Honestly I don't get Gartner's points here - if you have a significant site with a large investment in .asp pages and custom server ActiveX objects then migrating from IIS is a fairly large expense. Even if you don't, the hassle of securely setting up a whole new web server is just asking for more holes to turn up. I'd be recommending companies don't ship at all, but pay attention to Microsoft's security bullitens (you ARE signed up, aren't you?)

Configure, don't patch

[Ratbert42]

Do what I do. I'm too f-ing lazy to keep up with the weekly patches. So I spent a couple hours a year ago and properly configured my IIS servers, following the published checklists. Now I review bug after bug and say "ok, that one can't impact me so I'll patch it later."

There is no reason a properly configured but completely unpatched IIS 4 or IIS 5 server could not have survived both the Nimda and Code Red worms.

Nimda made use of the Unicode directory traversal bug, which only lets you move around on the drive where the web documents are stored. Move the wwwroot to another drive, set file permissions as tight as possible, remove the sample applications, and you would have been safe. Every one of those is on any decent IIS admin's checklist.

Code Red made use of a bug in the Index Server. Removing unused mappings is near the top of every decent IIS admin's list. In fact, one IIS server I have didn't have the patch applied when Code Red hit. I didn't bother to apply it until almost a month later.