Slashdot Mirror


Gartner Group Suggests Dumping IIS For Now

sachmet is one of the many readers who contributed news that "Gartner Group is now recommending that IIS be replaced in corporate environments. This is based on the fact that TCO for IIS is rising due to the almost-weekly patches sent out by MS, and even then, it's nearly impossible to get patched quickly enough. Best part: 'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year." Gartner hasn't always said favorable things about Linux systems in the workplace, but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting. Update: 09/24 22:04 GMT by T: As several people have pointed out, the 80% figure appears to be Gartner's odds that IIS won't be rewritten that soon, rather than the other way around (.673334 probability).

24 of 502 comments

  1. wow... by Wakko Warner · · Score: 4, Interesting

    Gartner Group is usually not this anti-Microsoft, but given the events of the past week (who DIDN'T get hit by Nimda?), I can see why they're advocating switching, at least for the time being.

    At work, we've been on-and-off contemplating switching a lot of our servers from IIS to something else. Our Linux and OpenBSD and Solaris boxes are all fine, but our unpatched IIS servers (the ones I don't admin, go fig) all got trashed. If you're gonna lose a day or two of work every month and you're paying the "cleanup people" $50 an hour or more, you can damn well bet you'll either start looking for new employees or new software.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:wow... by Anonymous Coward · · Score: 2, Interesting

      Wow! A lot of the problem must lie with Microsoft. A number of Microsoft's own servers were hit, with loud complaints from clients.

      If Microsoft can't keep up with their own patches, why would you expect that ANYBODY could keep up.

      Windows is known for its need to be re-installed when simple things go wrong. This, of course, means a re-application of all those patches, all in the right order, all with the recommended number of reboots. If you are going to rely on Windows update, you will be downloading for hours, punctuated only by all the reboots. Then you will re-install your applications, all with their patches applied in the correct order, all with the appropriate number of reboots.

      To complicate things, lately Microsoft has been getting a reputation for patches that don't work.

      To top it all off, if you use Microsoft's system file checker after a system freeze, and if you find and replace a corrupted system file, it had better not be one that has been updated by one of those patches, or your security hole may have come back. But which of those 77 security hole patches would that be? I guess that you have all those dll file names memorized as to which was fixed in which patch!

      Happy guessing!!!

    2. Re:wow... by sheldon · · Score: 3, Interesting

      We got hit by Nimda, but only on our development machines. The production machines had been kept up to date with security patches.

      In the specific case of Nimda, the patch was available in April of 2000. That gave everybody plenty of time to do something about it, however many didn't. i.e. most of our development machines.

      What's more expensive? Spending an hour once a month patching your production web servers, or shutting down the company for half a day?

  2. Linux firms: replace IIS as a service? by Rev.LoveJoy · · Score: 3, Interesting
    Are any of the Linux companies actively promoting reviews such as this by offering to replace the *functionality* of IIS in corporate environs?

    Just curious,
    - RLJ

    1. Re:Linux firms: replace IIS as a service? by FatRatBastard · · Score: 5, Interesting

      There are other web servers out there that run perfectly well under Windows.

      Very true. I know some folks running Apache/Tomcat-Jakarta on a W2K box and are pretty happy about it. I think in the short term (or mid term at least since some porting will be needed even if you only switch the web server) if the advice is followed they may stick with Apache, et al on Windows. But, since you save little to no $$ by purchasing NT/W2K/XP Server and not using IIS I would suspect those that did move off IIS would eventually lose NT/W2K/XP as the OS as well. I would imagine that the porting effort to move code the likes of PHP/JSP/servlets from Apache/MS to Apache/*BSD or Apache/Linux would be minimal.

      Of course, I suspect that very few will switch. We got our asses handed to us last week, and the brass are sticking with MS anyway. Go figure.

  3. Gartner Leads Way by gus goose · · Score: 3, Interesting

    At least they appear to not be using IIS themselves, although their web-server has no indication of what server is behind it. This in itself indicates that it is not IIS.

    Gartner wields a lot of influence, and this will raise heads. Congratulations.

    gus

    --
    .. if only.
  4. There's TCO on Apache, too. by iturbide · · Score: 4, Interesting

    The problem is not just that IIS is a vulnerable piece of crap. The problem is the point and click admins who can only run setup and never ever will check for patches.

    So you ditch IIS and install Apache. Do you honestly think that the guy who couldn't be bothered to update it will be bothered to check for Apache vulnerabilities and fixes?

    Yes, because you will have to ditch that guy! And your new unix-savvy admin will be more expensive.

    Oh well, only a matter of time before they think of that. The product is only as good as its admin, and certainly not better.

  5. you know what'll happen by Dr. Awktagon · · Score: 5, Interesting

    More and more of these IIS "sysadmins" (using the term loosely) will install Unix/Linux boxes, and forget about them, just like they installed the IIS boxes and forgot about them.

    Then someone somewhere will find some little bug in some pre-installed convenience, some PHP shopping cart, some admin tool, some default password, something that comes on each machine. Then we'll have the same problem with some crazy Linux worm. And this time I bet the clueless M$-0wn3d media won't call it an "Internet worm", they'll be sure to call it a "Linux worm"!

    Of course I could be wrong. Maybe Microsoft really can't code a proper webserver. But I think having sysadmins awake and at the wheel will help too.

    Hmm, how about a web server that emails the admin saying "This web server will shut down in 15 days unless you run the up2date tool" or something similar? To force people to check for upgrades.

  6. Any step-by-step manuals out there? by jdgreen7 · · Score: 2, Interesting

    Does anyone have a step-by-step manual for how to implement an IIS replacement? I have been riding the MS bandwagon for about 12 years now, and I'm finally starting to open my eyes to the alternatives now that they've proven themselves (this is my first /. post, by the way). My company uses IIS, but we don't use many of the features. We use the VPN, Web server (basic ASP queries against Access databases), and that's about it. I've installed Linux a couple of times, but only for testing purposes and to satisfy my growing curiosity. To really get something out of the operating system, I need to be able to install and implement those features easily. The nice thing about IIS is that it's easy to install and administer for basic tasks for people used to the MS interface (most people that use computers). If I can be shown how easy it is to change to a Linux solution, I'd probably make the switch in a heartbeat. If nothing else, it'd cut back drastically on the number of patches/virii. Any and all links are welcome!

  7. The problem by Rick the Red · · Score: 3, Interesting
    The problem is that the crackers and script kiddies attack the lowest common denominator. In this case it's IIS and other Microsoft wares. But what if Gartner succeeds and the Fortune 500 dump IIS and switch to Apache? When that happens the safe thing to do will be to use the less-common and thus less-attacked IIS, because the crackers will make Apache too expensive to use. In other words, once again the best course of action is to do exactly the opposite of what Gartner recommends.

    --
    If all this should have a reason, we would be the last to know.
    1. Re:The problem by KC7GR · · Score: 2, Interesting

      You're missing some critical points: First, Apache is open-source. Yes, the crackers have access to it, but so does every single end user and Apache developer. How long do you think any Apache security hole would go unfixed?

      Next point: Psychology. The Redmond Empire is greatly despised, often with good reason, by Lord only knows how many programmers and would-be crackers. Also, M$ is a Very Large Corporation, while the Apache foundation is microscopic in comparison. Large corporations have become something of a symbol of uncontrolled greed and (in many cases) environmental destruction.

      Crackers, in many cases, crave some sort of recognition for their work. Given that, plus all the above, you tell ME which package you think will be a more likely target no matter how many sites adopt Apache.

      In any case, Apache would, I think, still turn up with far fewer holes per version than anything the Redmond Empire has cranked out to date, web server wise.

      --

      Bruce Lane, KC7GR,

      Blue Feather Technologies

  8. Security by quantum bit · · Score: 5, Interesting

    (who DIDN'T get hit by Nimda?)

    I didn't. IIS can be secured -- many things that MS releases patches for are not exploitable if you follow sane security practices. Stuff like deleting all the ISAPI crap that comes in the default setup, and putting your web root in a nonstandard location (preferably on a different partition), deleting all sample files, enforcing proper filesystem permissions, and running any applications in an isolated process.

    Of course, one of the advantages of Apache is that it ships in a relatively secure configuration by default; it's better for dummies who install stuff and plug it into the network without bothering to check the configuration. It's a whole lot better by default than IIS, that's for sure. Most of the MS patches are for various add-ons like index service that most people don't use anyway and should be shut off.

    DISCLAIMER: I use Apache for the primary web server for the business I work at. We run IIS as the secondary server for load-balancing and have yet to be compromised by anything, even though patches don't always get applied immediately (usually pretty soon after release though). I think Apache is great, but want to point out that anything can be secured if you put some effort into it.

    1. Re:Security by plover · · Score: 4, Interesting
      That's all well and good, but you solved .001% of the problem.

      Like everyone else, I found myself getting hammered by Code Red infested servers when this whole thing came down last month. So I went and did a few directories on several of those machines using the newly installed back doors just to see what was going on. Know what I found? They were ALL default installations of Win2K, and most were installed sometime early in August (based on the dates of some of the directories I found. Many of those machines still served up the IIS default page when I checked.) It was evident that someone simply dropped in the CD, clicked on some install button, and called it done. And *I* suffered for it.

      You cured ONE machine, and for that I thank you. As you say that a smart admin will prevent these problems, but that's not true enough. These machines are owned by cable-modem morons that don't understand that they've just become an admin. They dropped in a CD and checked a box that said "Make this computer a web server." Then they probably invited their friends over to see their awesome Quake playing machine.

      That's why IIS is not a winning recommendation, but the people who need to know this wouldn't know the Gartner group from a garter snake.

      --
      John
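
    quantum bit's point that most IIS patches concern add-ons like index service that should be switched off, and plover's account of being hammered by Code Red infested machines, both come down to recognising what such requests look like in the server's own logs. The script below is an added example, not code from either poster: it parses constructed IIS W3C extended log lines and flags requests for ISAPI-mapped extensions a hardened server should no longer serve, and URL-encoded directory traversal aimed at a command interpreter, distinguishing attempts from requests the server actually answered with 200. The field order, the extension list and the sample lines are assumptions chosen for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Field order of the constructed sample below (an assumption; real logs declare it in #Fields).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# ISAPI script mappings a hardened IIS 4/5 box should not serve (a short illustrative list).
RISKY_EXTENSIONS = (".ida", ".idq", ".printer", ".htr")

# Command interpreters that have no business appearing in a web request path.
INTERPRETERS = ("cmd.exe", "command.com")

# A decoded path segment consisting of exactly ".." (after backslashes are normalised to "/").
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample log (not real traffic). Lines 2, 3, 5 and 6 are the suspicious ones.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:01:02 192.0.2.10 GET /index.html - 200
2001-09-18 10:01:05 192.0.2.11 GET /default.ida XXXXXXXXXXXXXXXX 200
2001-09-18 10:01:09 192.0.2.12 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-09-18 10:01:12 192.0.2.13 GET /images/logo.gif - 304
2001-09-18 10:01:15 192.0.2.14 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
2001-09-18 10:01:16 192.0.2.14 GET /default.ida XXXXXXXXXXXXXXXX 404
"""


def parse_line(line):
    """Split one W3C log line into a dict; return None for blank, comment and malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry):
    """Return the reasons a request looks like worm traffic, or an empty list if it looks clean."""
    reasons = []
    # Decode twice: double-encoded traversal (%255c -> %5c -> \) slips past a single decode.
    decoded = unquote(unquote(entry["cs-uri-stem"])).replace("\\", "/").lower()
    if decoded.endswith(RISKY_EXTENSIONS):
        reasons.append("isapi-extension")
    if TRAVERSAL.search(decoded):
        reasons.append("encoded-traversal")
    if decoded.endswith(INTERPRETERS):
        reasons.append("command-interpreter")
    # A 200 on such a request is the finding to act on: the server honoured it, not just logged it.
    if reasons and entry["sc-status"] == "200":
        reasons.append("served-200")
    return reasons


def scan_log(text):
    """Return (client ip, uri stem, reasons) for every suspicious entry, in log order."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], reasons))
    return hits


def summarize(hits):
    """Count suspicious requests per client address, to see who is hammering the server."""
    return dict(Counter(ip for ip, _, _ in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, stem, reasons in found:
        print(ip, stem, ",".join(reasons))
    print(summarize(found))
```

On a real server the same functions can be fed the contents of the daily log file instead of SAMPLE_LOG; the constructed sample only needs the field order in FIELDS to match the #Fields header.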
  9. Re:Great but... by Mr. Slippery · · Score: 3, Interesting
    This is great but many companies can't switch easily because they have web apps based on ASP/ActiveX.

    Gee. So companies that based critical systems on proprietary technology now find that they have limited options and are basically screwed? Who'd have thought?

    Make a deal with the devil, you're gonna get burned.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  10. brain-damaged sysadmins by maxpublic · · Score: 4, Interesting

    Imagine if business did dump all of its IIS servers and replaced them with Apache - how many 'point and click' admins would suddenly be unemployed?

    I mean christ, I hear people complaining about how complicated Apache is in comparison to IIS and I think to myself "if you can't figure this shit out, you have no business being a network admin because YOU'RE TOO STUPID TO DO THE JOB!".

    Seriously, any network admin that bitches about Apache (which is bloody easy to use, in comparison to most previous tools) is too fucking braindead to be let anywhere near a server. Switching to Apache would at least show an organization where some of its dead weight is in the IS department.

    Max

    --
    My god carries a hammer. Your god died nailed to a tree. Any questions?
  11. Re:Ummm... by stilwebm · · Score: 5, Interesting

    By completely rewriting it, you throw out that experience and start from zero.

    I'd have to disagree with you on that one. They won't throw away the old experiences, in fact they will prove quite valuable. Most programmers encounter parts of a project that they would change if there were not the possibility of breaking things or hurting backwards compatibility. When they start from the ground up, they can look at what worked well and what did not work well. Features that were added to later releases had to be designed to use the existing code base, which is often suboptimal. When they have a good idea of the types of features they will use (and even trends for adding features) they can make those features more optimal. It also makes it easier to understand the code in the short term. It is hard to understand code written years ago by yourself, and it is especially hard to understand code written by someone who left the company years ago. I'm sure bugs will be introduced, but it is much easier to prevent security problems if you start from scratch (hint: check for buffer/stack overflows everywhere). When you rewrite, you draw heavily on previous experience, and get the chance to write things with more knowledge than you had when you wrote them a long time ago the first time around.

  12. This is interesting, in a number of respects. by jd · · Score: 5, Interesting
    Firstly, this is one of the few times the Gartner Group has openly criticised a Microsoft product. Given that they -are- a major group, this has to be taken seriously, whether you trust them to tie their own shoelaces or not.

    Secondly, the timing couldn't be worse for Microsoft. With XP only just hitting the shelves, this has the potential to seriously cripple the uptake of the new OS. (Note: I'm saying "potential" as you're bound to get plenty of execs who argue that nobody ever got fired for buying Microsoft. Even when it puts the entire company's public profile at risk.)

    Thirdly, this also comes at a critical point in time, with respect to the European Union anti-trust investigation, the British fair trading investigation, and the US' very own anti-trust Lawsuit Revisited. Should the market-share of IIS continue to grow at the current rate, competitors may be able to argue the case that companies aren't heeding the report because they can't. That could seriously jeopardise Microsoft's arguments that they are not a monopoly, and that "future threats" could affect their market-share.

    (Let's face it - if this isn't a "future threat", I don't know what is.)

    Fourthly, this comes at a time when the economy is seriously wounded, and yet Microsoft's pricing continues to rise. As other posters have noted, this might persuade some accounts departments to start pushing the alternatives.

    Lastly, homeless shelters are still pretty full, from the collapse of the dot-coms. This makes computer expertise very cheap. ("Will Code For Food" no longer sounds such a joke.) Thus, there is really little need to hold onto "old hands", who command high fees. You could probably pick up a webmaster and a couple of ASP/PHP/Perl gurus by going to the local K-Marts and asking the people collecting the carts. They'd cost a fraction of what most companies are paying for their IIS expert, and they'd probably worship the ground the management walk on.

    HOWEVER, this is purely speculative. Although what I've written is a plausible scenario, companies could equally well ignore the report, the anti-trust lawyers might deem it too tenuous to be usable in court (if they notice it at all), and Microsoft might remain King Of The Hill by sheer default.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  13. Confused on this; help me by ellem · · Score: 4, Interesting

    --Say you're a good MS admin and you have dutifully patched up your IIS machine and never got hit with Code Red or Nimda on your servers BUT your Win9x users who don't run Outlook (Express either) go to an infected webpage: How will not using IIS help?

    --Yes the patch was there for months; but SARC (et al) was caught off guard, .DAT files weren't ready until the next day and the "Fix" is so-so at best.

    --I'm not blaming anti-virus companies but I am confused how IIS is the sole badguy.

    --You can get hit with this thing from many directions (assuming WinXX.)

    --Gartner even says you "Can't Patch Fast Enough"

    --
    This .sig is fake but accurate.
  14. Re:credibility by Anonymous Coward · · Score: 1, Interesting
    I agree 100%. The Gartner Group has their head so far up their ass, that any prediction they make is sheer luck.

    Two years ago, my (ex-)company paid the Gartner Group a ton of money to forecast the future of our (hastily purchased, not thought out, piece of crap) B2B system. Gartner delivered a stack of papers with a lot of vague market-speak. Each prediction ended with a statement that said the probability of occurrence was 70%. One year later, the company had hemorrhaged 26 million dollars in one quarter. The only thing left of the B2B system is a lot of cool hats and T-shirts.

    Don't get me wrong. I think this particular recommendation is spot-on, but it was sheer luck that the Gartner Group stumbled on it.

    Anonyomous Kev
    proudly posting as AC since 1997

  15. Re:You point at MSFT's biggest problem by denshi · · Score: 3, Interesting
    Gartner is one of these "the sky is falling; change everything" analysts. They spent the last 3 years telling everyone to switch from Apache to IIS; now their only possible retraction is to switch everyone back. Moderation and smarter business practices aren't a part of their target market -- the ever fickle C*Os. I quote Greenspun:
    a CTO is someone who can't or doesn't want to write code. After all, if Joe CTO writes a program he incurs the risk of a user sitting down in front of it and saying "this program doesn't work the way it needs to." So a CTO goes from meeting to meeting thinking profound thoughts about different brands of RDBMS server, operating systems, Web servers, etc.
    So telling these people that the massive upheaval of switching platforms is the only thing that they understand.

    On a different point, I have to disagree with this:

    The main problem with IIS isn't that there are exploits for it, after all there are exploits for every major piece of server software from BIND to Apache to Sendmail. The problem is that there is no decent pathway to funnel patches to users of IIS.
    No, I think the problem is that there are exploits for IIS, or at least, that there are so many. When was the last time Apache had a remote exploit? Okay, what year did Apache last have a remote exploit? BIND has had a huge number of exploits in its time, but it's been quite stable for a while now; still, I use djbdns rather than BIND, qmail rather than sendmail. That's another major difference -- in the Unix world there are several tools that perform similar functions like DNS, FTP, and HTTP; any competent administrator will switch the default daemons over to the packages released by scary paranoid crypto motherfuckers. On Windows, you have the MS daemons and nothing else! That has always been the problem in MS paradise -- it's their way or no way.

    Obviously, administration skill matters. Certainly, with a raft of technicians you can keep anything afloat. But that doesn't change the absolute fact that there are differences in software quality afoot, readiness to admit vulnerabilities, and ability for the community to contribute fixes and peer review. MS is absolutely failing in those respects, so much in fact that even their biggest sycophants are deserting them.

  16. Re:Gimme a break! by drodver · · Score: 2, Interesting

    I never claimed it is impossible to rewrite everything. There are at least three common situations in which your view on redoing the application fails:

    1. The most common would be an application written and then barely maintained or maintained by someone who knows just enough to keep it working. This would be the case with a lot of web applications in non-IT-centered companies. Most companies aren't willing to rebuild an application that none of the programmers know much about and isn't broken, even if it may be annoying to maintain the server. Remember server people and programmers are often in different departments, so it becomes "their" problem.
    2. IT companies that sell their ActiveX/ASP product basically can't do what you did. My company, for example, could not do a rewrite without a code freeze because you can't expect the customer to install a hybrid system, it goes beyond what the customers expect to have to do to install our product. A rewrite isn't feasible because in that time the industry would have passed us by as we rewrite 3 years of code.
    3. For a large application you would need multiple people with the proper skill set to convert a large application in the way you propose. Finding and paying for these people would be expensive. What you did cost the company money because the time you spent rewriting little chunks at a time was time you could have been doing new production. Your company still paid the cost of a rewrite, you just spoon fed it to management a little at a time. That doesn't work as well for a large development team.

    I don't see a problem with your solution but just because it's possible doesn't mean it's in the best interest of a lot of companies. Unless the TCO of IIS is costing them more than the solution they are going to keep what they have. My argument is one of economics and management behavior, not programming ability.

  17. This is funny but sadly the truth sometimes! by compugeek007 · · Score: 2, Interesting

    I am a NT 4 and Win2k MCSE (can't believe I am admitting it on /.; I should post this as Anonymous Coward.) I take every chance to remind the high-ups that blindly choosing one platform for all network functions is a BAD IDEA. Let's face it - if there is one thing *nix platforms and Open Source apps can do, it is provide a QUALITY piece of infrastructure software.

    Conversely, large applications (ERP's, N-tier web interfaces blah blah) work better on NT (generally) because the API is friendlier to your clients (which are naturally running MS.) If you don't believe me, try installing Sybase Enterprise Application Server on Unix and get clients to save files and print locally.

    Being a Business major, I understand what MS brings to the table in TCO - mainly that they will always have the lights on, but so will Sun, HP-UX, and possibly Red Hat. The truth of the matter is that the OS level is going to be of smaller concern than the applications that run on them. I think that any PHB that decides on a platform across the board is managing from the advertisements in CIO magazine. I say you define your network logically and wisely pick your physical model utilizing the best solutions for each problem (infrastructure = Linux, Database = Sun / HP-UX etc., App servers, desktops, misc servers = NT/2K.)

    They can find personnel who know both well, and command a higher salary - or have redundant admins because you hire unix admins who have such a disdain for MS they won't touch it and the MS admins who have no clue about Unix. It may cost more, but tough luck - cost of doing business.

    --cgeek--

    --
    Jesse Wolfe Sr. Manager Systems Integration
  18. Re:If It Weren't For Microsoft.... by Anonymous Coward · · Score: 1, Interesting

    Perhaps there would be more interesting non-Microsoft-related things going on -- and thus more non-Microsoft-related things to write stories on and discuss -- if Microsoft had not stifled 1/2 of the interesting new movement in the software industry in the last 10-15 years..

    Just a thought.. when a company has as much money and political influence as MS, it's hard to avoid talking about them. Also, since MS is the biggest competitor of nine out of ten significant software packages it does not make, MS has at least SOME influence on the news connected to every single software package that could conceivably be a) important enough to be talked about for any length of time on slashdot b) important enough someone's job could be based on it.

  19. Migration tool: ASP2PHP by Walles · · Score: 2, Interesting
    I haven't seen any posts about it, but I think that ASP2PHP deserves some attention. A migration could (theoretically) be done like this:
    • Download and install PHP for IIS on Windows.
    • Convert your ASP pages to PHP (using ASP2PHP).
    • Get it running on IIS.
    • Replace IIS with Apache (still on Windows).
    • Replace Windows with some secure Unix lookalike or other.
    I haven't used ASP2PHP myself so I can't say whether it works or not. It's GPL though, so try it out if you're interested.

    Cheers //Johan

    --
    Installed the Bubblemon yet?