Gartner Group Suggests Dumping IIS For Now

sachmet is one of the many readers who contributed news that "Gartner Group is now recommending that IIS be replaced in corporate environments. This is based on the fact that TCO for IIS is rising due to the almost-weekly patches sent out by MS, and even then, it's nearly impossible to get patched quickly enough. Best part: 'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year." Gartner hasn't always said favorable things about Linux systems in the workplace, but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting. Update: 09/24 22:04 GMT by T :As several people have pointed out, the 80% figure appears to be Gartner's odds that IIS won't be rewritten that soon, rather than the other way around (.673334 probability).

you know what'll happen

[Dr.+Awktagon]

More and more of these IIS "syadmins" (using the term loosely) will install Unix/Linux boxes, and forget about them, just like they installed the IIS boxes and forgot about them.

Then someone somewhere will find some little bug in some pre-installed convenience, some PHP shopping cart, some admin tool, some default password, something that comes on each machine. Then we'll have the same problem with some crazy Linux worm. And this time I bet the clueless M$-0wn3d media won't call it an "Internet worm", they'll be sure to call it a "Linux worm"!

Of course I could be wrong. Maybe Microsoft really can't code a proper webserver. But I think having sysadmins awake and at the wheel will help too.

Hmm, how about a web server that emails the admin saying "This web server will shut down in 15 days unless you run the up2date tool" or something similar? To force people to check for upgrades.

Re:Linux firms: replace IIS as a service?

[FatRatBastard]

There are other web servers out there that run perfectly well under Windows.

Very true. I know some folks running Apache/Tomcat-Jakarta on a W2K box and are pretty happy about it. I think in the short term (or mid term at least since some porting will be needed even if you only switch the web server) if the advice is followed they may stick with Apache, et al on Windows. But, since you save little to no $$ by purchasing NT/W2K/XP Server and not using IIS I would suspect those that did move off IIS would eventually lose NT/W2K/XP as the OS as well. I would imagine that the porting effort to move code the likes of PHP/JSP/servelets from Apache/MS to Apache/*BSD or Apache/Linux would be minimal.

Of course, I suspect that very few will switch. We got our asses handed to us last week, and the brass are sticking with MS anyway. Go figure.

Security

[quantum+bit]

(who DIDN'T get hit by Nimda?)

I didn't. IIS can be secured -- many things that MS releases patches for are not exploitable if you follow sane security practices. Stuff like deleting all the ISAPI crap that comes in the default setup, and putting your web root in a nonstandard location (preferably on a different partition), deleting all sample files, enforcing proper filesystem permissions, and running any applications in an isolated process.

Of course, one of the advantages of Apache is that it ships in a relatively secure configuration by default, it's better for dummys who install stuff and plug it into the network without bothering to check the configuration. It's a whole lot better by default than IIS, that's for sure. Most of the MS patches are for various add-ons like index service that most people don't use anyway and should be shut off.

DISCLAIMER: I use Apache for the primary web server for the business I work at. We run IIS as the secondary server for load-balancing and have yet to be compromised by anything, even though patches don't always get applied immediately (usually pretty soon after release though). I think Apache is great, but want to point out that anything can be secured if you put some effort into it.

Re:Ummm...

[stilwebm]

By completely rewriting it, you throw out that experience and start from zero.

I'd have to disagree with you on that one. They won't throw away the old experiences, in fact they will prove quite valuable. Most programmers encounter parts of a project that they would change if there were not the possibility of breaking things or hurting backwords compatability. When they start from the ground up, they can look at what worked well and what did not work well. Features that were added to later releases had to be designed to use the existing code base, which is often suboptimal. When they have a good idea of the types of features they will use (and even trends for adding features) they can make those features more optimal. It also makes it easier to understand the code in the short term. It is hard to understand code written years ago by yourself, and it is especially hard to understand code written by someone who left the company years ago. I'm sure bugs will be introduced, but it is much easier to prevent security problems if you start from the scratch (hint: check for buffer/stack overflows everywhere). When you rewrite, you draw heavily on previous experience, and get the chance to write things with more knowledge than you had when you wrote them a long time ago the first time around.

This is interesting, in a number of respects.

[jd]

Firstly, this is one of the few times the Garner Group has openly critisised a Microsoft product. Given that they -are- a major group, this has to be taken seriously, whether you trust them to tie their own shoelaces or not.

Secondly, the timing couldn't be worse for Microsoft. With XP only just hitting the shelves, this has the potential to seriously cripple the uptake of the new OS. (Note: I'm saying "potential" as you're bound to get plenty of execs who argue that nobody ever got fired for buying Microsoft. Even when it puts the entire company's public profile at risk.)

Thirdly, this also comes at a critical point in time, with respect to the European Union anti-trust investigation, the British fair trading investigation, and the US' very own anti-trust Lawsuit Revisited. Should the market-share of IIS continue to grow at the current rate, competitors may be able to argue the case that companies aren't heeding the report because they can't. That could seriously jeapordise Microsoft's arguments that they are not a monopoly, and that "future threats" could affect their market-share.

(Let's face it - if this isn't a "future threat", I don't know what is.)

Fourthly, this comes at a time when the economy is seriously wounded, and yet Microsoft's pricing continues to rise. As other posters have noted, this might persuade some accounts departments to start pushing the alternatives.

Lastly, homeless shelters are still pretty full, from the collapse of the dot-coms. This makes computer expertise very cheap. ("Will Code For Food" no longer sounds such a joke.) Thus, there is really little need to hold onto "old hands", who command high fees. You could probably pick up a webmaster and a couple of ASP/PHP/Perl gurus by going to the local K-Marts and asking the people collecting the carts. They'd cost a fraction of what most companies are paying for their IIS expert, and they'd probably worship the ground the management walk on.

HOWEVER, this is purely speculative. Although what I've written is a plausable scenario, companies could equally well ignore the report, the anti-trust lawyers might deem it too tenuous to be usable in court (if they notice it at all), and Microsoft might remain King Of The Hill by sheer default.