Gartner Group Suggests Dumping IIS For Now

sachmet is one of the many readers who contributed news that "Gartner Group is now recommending that IIS be replaced in corporate environments. This is based on the fact that TCO for IIS is rising due to the almost-weekly patches sent out by MS, and even then, it's nearly impossible to get patched quickly enough. Best part: 'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year." Gartner hasn't always said favorable things about Linux systems in the workplace, but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting. Update: 09/24 22:04 GMT by T :As several people have pointed out, the 80% figure appears to be Gartner's odds that IIS won't be rewritten that soon, rather than the other way around (.673334 probability).

wow...

[Wakko+Warner]

Gartner Group is usually not this anti-Microsoft, but given the events of the past week (who DIDN'T get hit by Nimda?), I can see why they're advocating switching, at least for the time being.

At work, we've been on-and-off contemplating switching a lot of our servers from IIS to something else. Our Linux and OpenBSD and Solaris boxes are all fine, but our unpatched IIS servers (the ones I don't admin, go fig) all got trashed. If you're gonna lose a day or two of work every month and you're paying the "cleanup people" $50 an hour or more, you can damn well bet you'll either start looking for new employees or new software.

- A.P.

Re:wow...

The company I work for didn't get hit, and we run IIS. HOWEVER, we spend WAY TOO MUCH TIME AND ENERGY to making sure this sort of thing doesn't happen. And, like the GG things points out, this is costly, so we are getting off of IIS at our earliest possible convenience.

This doesn't mean we can be any less diligent in our security efforts, it just means that being diligent will take a lot less effort.

Re:wow...

[Non-Newtonian+Fluid]

Duh, he was speaking for himself, and there wasn't a problem. Read the post again dumbass.

Re:wow...

[jiheison]

our unpatched IIS servers (the ones I don't admin, go fig) all got trashed.

He was talking about someone else.
There was a problem.

Maybe you should follow your own advice before you get testy.

Re:wow...

Wow! A lot of the problem must lie with Microsoft. A number of Microsoft's own servers were hit, with loud complaints from clients.

If Microsoft can't keep up with their own patches, why would you expect that ANYBODY could keep up.

Windows is known for its need to be re-installed when simple things go wrong. This, of course, means a re-application of all those patches, all in the right order, all with the recommended number of reboots. If you are going to rely on Windows update, you will be downloading for hours, punctuated only by all the reboots. Then you will re-install your applications, all with their patches applied in the correct order, all with the appropriate number of reboots.

T complicate things, lately Microsoft has been getting a reputation for patches that don't work.

To top it all off, if you use Microsoft's system file checker after a system freeze, and if you find and replace a corrupted system file, it had better not be one that has been updated by one of those patches, or your security hole may have come back. But which of those 77 security hole patches would that be? I guess that you have all those dll file names memorized as to which was fixed in which patch!

Happy guessing!!!

Re:wow...

[sheldon]

We got hit by Nimda, but only on our development machines. The production machines had been kept up to date with security patches.

In the specific case of Nimda, the patch was available in April of 2000. That gave everybody plenty of time to do something about it, however many didn't. i.e. most of our development machines.

What's more expensive? Spending an hour once a month patching your production web servers, or shutting down the company for half a day?

Re:wow...

[onki]

Well, suppose it had to come this way. People have been taking the MS troubles for far to long now. Been running a small app, server-side, myself and I decided I will not support ISS anymore (b.t.w, this was before I saw the Gartner announcemnt). I still wonder what would happen if people would bill Bill for all the time they have wasted fixing their servers. I know, their license won't allow us to bill them .... Onki -- :wq

Re:wow...

[SilentChris]

That's funny, too, because the company I recently went to work for has a majority of Windows-based solutions on the client and server (we're moving most of the machines to Windows 2000 right now, which I recommend). However, the only two machines we run outside our firewall is the mail and www server, which are FreeBSD.

Asking my boss why we didn't use IIS, he smiled and was like "What are you crazy?" :) Having Windows 2000 do the domain controlling and file serving is one thing (it actually does a reasonable job) but we've removed IIS (by default, installed) from every server that runs Windows. Too many chances for breaking and entering.

Re:wow...

[Paul+Komarek]

What's less expensive than both? Tackling the "learning curve" and running Apache. This is oversimplified, but I think the answer comes out the same in the complicated version.

-Paul Komarek

Re:wow...

[n-baxley]

I think the reason they suggested this is important. It's not just that there are viruses that attack it, it's that it takes so much work to continuously apply the patches that are coming from MS.

Re:wow...

[sheldon]

Apache is not a direct one for one replacement for IIS, and no amount of learning curve is going to change that.

Dumping IIS?

[Guillaume+Ross]

Isn't it one of the greatest P2P app out there for automatic file sharing?

Re:Dumping IIS?

[sharkey]

Maybe this should be pointed out to the RIAA, then sit back and watch the vultures attack the Borg.

credibility

I used to work for the Gartner Group. I wouldn't use their analysis to anything but ass wiping, as they are about as inaccurate as /. polls.

It is true though: companies relies on these reports to make decisions, so it's still relevant.

Re:credibility

[stilwebm]

Interesting... I've participated in several of their surveys and focus groups, and I always find that their surveys are some of the best written out there. Unlike USA Today polls, there were no questions designed to steer you in a certain direction and all of the questions were well designed. No survey or analysis is going to be perfect, but theirs always seem to be better than most.

Re:credibility

[Tiny+Elvis]

Had to have posted AC then used his own mod points to mod it up..

Re:credibility

I agree 100%. The Gartner Group has their head so far up their ass, that any prediction they make is sheer luck.

Two years ago, my (ex-)company paid the Gartner Group a ton of money to forcast the future of our (hastily purchased, not thought out, piece of crap) B2B system. Gartner delievered a stack of papers with a lot of vague market-speak. Each prediction ended with a statement that said the probability of occurance was 70%. One year later, the company had hemmoraged 26 million dollars in one quarter. The only think left of the B2B system is a lot of cool hats and T-shirts.

Don't get me wrong. I think this particular recommendation is spot-on, but it was sheer luck that the Gartner Group stumbled on it.

Anonyomous Kev
proudly posting as AC since 1997

Re:credibility

[abulafia]

Hm, are you talking money?

Or effort?

What exactly was it you thought? Please, share with the group.

-j

Re:credibility

[Dolly_Llama]

True. If you go back and re-read the article, Gartner recommends replacing IIS with CowboyNeal.

Re:credibility

[blazerw11]

I used to work for the Gartner Group.

I don't think you did, at least not in any important capacity. You can't write.

Re:credibility

[t]

Congratulations, you just said that MacOS X is the greates O/S in the world. Why? Because the Mach Kernel has the most R+D in CS oriented colleges.

Speaking of R+D, has everyone forgotten the recent /. article on MS and all the dough they spent? And for what? Jack shit.

Research and Development does not guarantee results.

t.

Re:credibility

[sheldon]

My experience with reading Gartner group reports over the past six years indicates they typically correct maybe 50% of the time.

The cool thing is that they'll recommend you replace IIS in one report, and then recommend in another report you replace everything else and move to IIS.

This allows them to always be right on any given issue, regardless of their overall batting average.

Re:credibility

[whereiswaldo]

I don't know how accurate GG's studies are, but I do find it interesting that they held off on saying "toss IIS" until a virus actually attacked a large number of the IIS installed base.
Prior to that, everyone _knew_ how insecure IIS was, and that means of course it was only a matter of time before someone really wreaked havoc. Too bad they didn't publish a prediction - until it happened.

Re:credibility

[Tiny+Elvis]

Yeah I was thinking more along the lines of using a friend's PC to post AC, then his regular station to mod up.

Re:credibility

[blazerw11]

There is not knowing English, and then there is writing like a 13 year old. "Ass-wiping" and 3 sentences crammed into one run-on are signs of bad writing in almost any language. These are not just examples of bad English.

Linux firms: replace IIS as a service?

[Rev.LoveJoy]

Are any of the linux companies activly promoting reviews such as this by offering to replace the *functionality* of IIS in corporate environs?

Just curious,
- RLJ

Re:Linux firms: replace IIS as a service?

[quartz]

Um, what's that got to do with Linux? They are not saying "ditch Windows", they are saying "ditch IIS". IIS != Windows. There are other web servers out there that run perfectly well under Windows.

Re:Linux firms: replace IIS as a service?

[Khazunga]

No. IIS is integrated into the system in such a way that it cannot be uninstalled, and it cannot be disabled.

Bottom line: you can't ditch it. It'll always be there, and since it is there it must be patched to prevent security risks.

Re:Linux firms: replace IIS as a service?

[KjetilK]

It is relevant to linux advocacy: If there were a few Linux firms out there who could say: "You know what Gartner said, and we can transfer your web services tonight, no downtime, to a Linux+Apache system", it could actually make an impression on those making the decisions.

Re:Linux firms: replace IIS as a service?

[FatRatBastard]

There are other web servers out there that run perfectly well under Windows.

Very true. I know some folks running Apache/Tomcat-Jakarta on a W2K box and are pretty happy about it. I think in the short term (or mid term at least since some porting will be needed even if you only switch the web server) if the advice is followed they may stick with Apache, et al on Windows. But, since you save little to no $$ by purchasing NT/W2K/XP Server and not using IIS I would suspect those that did move off IIS would eventually lose NT/W2K/XP as the OS as well. I would imagine that the porting effort to move code the likes of PHP/JSP/servelets from Apache/MS to Apache/*BSD or Apache/Linux would be minimal.

Of course, I suspect that very few will switch. We got our asses handed to us last week, and the brass are sticking with MS anyway. Go figure.

Re:Linux firms: replace IIS as a service?

[Rev.LoveJoy]

Good point, I should have elaborated:

The arguement I read most is: IIS v. Apache / PHP. I have a small shop whose servers host HTTP, IMAP, SMTP, FTP and windows file sharing. More and more I come to the conclusion that there is very little reason to run a non-OSS server. I'm sure I'm not alone here. The problem being, most small shops (mine included) do not have the deapth in expertise to rehost everything to a non-windows server environment.

So, are there $YOUR_FAVORITE_OSS -related companies playing off this sentiment?

Most of the advertising I see from Red Hat and the like is "screw licensing" and not "we can help you replace costly windows servers." I think that's an important distinction to any business.

- Cheers,
- RLJ

Re:Linux firms: replace IIS as a service?

[Havokmon]

You mean write an Apache Module that will run your existing FoxPro apps without any special modifications?

Whoever came up with that IIS bastard hack needs to be flogged, or worshiped.
I'm still not sure which..

Re:Linux firms: replace IIS as a service?

[dj_flux]

Err, this is incorrect. Stop and disable the WWW publishing service (IIS), install Apache as a service, start it, viola.

Re:Linux firms: replace IIS as a service?

[RedX]

You don't use Windows much, eh? Not only can the IIS services be stopped and/or disabled from starting, they can be uninstalled and are an optional service that you can choose to not even install when building the server. Perhaps you're thinking of IE, which Microsoft claims is "integrated".

Re:Linux firms: replace IIS as a service?

[Jburkholder]

I think you are thinking of Internet Explorer. Here at work we have a Windows 2000 server running IBM's http server (basically Apache) with WebSphere. IIS was never installed on this box (this is an option in the custom/advanced install).

Re:Linux firms: replace IIS as a service?

[WasterDave]

the porting effort to move code the likes of PHP/JSP/servelets

...is all well and good, but most people using IIS are doing so because they are using ASP. Now, while you can get a relatively inexpensive ASP engine from Sun (via Chilisoft) it won't allow you to use any custom ActiveX's ... and I've not heard any news on ADO compatibility or similar japes.

Anyone got any experience with Chilisoft ASP? I'm considering using it for a project here and would like to know how transparent it is for the ASP weenies...

Dave

Re:Linux firms: replace IIS as a service?

[FatRatBastard]

...is all well and good, but most people using IIS are doing so because they are using ASP.

Yup. Which is why I said *only* if they heed Gartner and switch to another webserver. My gut feeling is Win/IIS -> Win/Apache (et al) would be much harder than Win/Apache -> Un*x/Apache. *If* (and I agree, its a big if) they do step one, then there's little insentive not to do step two.

Re:Linux firms: replace IIS as a service?

[FatRatBastard]

Do you really need to purchase both NT *and* IIS per-seat licenses? (really, I don't know.. I always assumed they were one and the same). The only reason I ask was I was dickering around with shares and crap at work today which required a gander at the Licensing control panel. There were options for NT 4 and SQL 6.5 (yes, someone still runs that crap in a production environment) but none for IIS.

Re:Linux firms: replace IIS as a service?

[Howie]

IIRC, Halcyon InstantASP does do ADO. It's a Java Servlet implementation of ASP and VBScript.
With native JDBC drivers (several vendors do them) for MS SQL, you could even keep your MS database, should you prefer to. It also has a Java-COM bridge to allow you to talk to your custom COM objects.

Gartner Leads Way

[gus+goose]

At least they appear to not be using IIS themselves, although their web-server has no indication of what server is behind it. This in itself indicates that it is not IIS.

Gartner wields a lot of influence, and this will raise heads. Congratulations.

gus

Re:Gartner Leads Way

[elgee]

From Netcraft

The site www3.gartner.com is running Netscape-Enterprise/4.1 on Solaris.

Re:Gartner Leads Way

[4of12]

Gartner Leads Way

Heh.

Well, I suppose that Gartner wields a lot of influence among the consumers of IT evaluations that have more money than time in which to acquire the expertise.

But - and especially in this forum - this is not exactly a rocket science revelation.

The hassles of IIS administration have been widely known among IT worker bees for sometime. I guess it just takes a while for the information to trickle up.

Now if those Gartner reports were only released about 1 year earlier than they are, then they might be a little more timely and useful!

Re:Gartner Leads Way

[St.+Vitus]

winter:~$ lynx -head -dump http://www3.gartner.com/
HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Mon, 24 Sep 2001 23:51:09 GMT
Content-type: text/html
Content-length: 0
Connection: close

Replace it with what tho?

[purduephotog]

Of course it's easy to say 'replace' - just don't give any details and do some hand waving ...

Although I am definately taking it down to the clusters' group and adding some more fuel for their fires :)

Only had to be a matter a time (and my 0.02$)

[davidfsmith]

To be honest i'm surprised it took this long for a report like this to appear, I maintain a small network in a small company, we have mainly win machines except for one server and my laptop... the overhead on keeping the win machines patched (5 on the network) is crazy, I spend too much of my valuable time hunting down patches for machines.... luckily at the moment IIS is shutdown as all of the dev work is being completed on linux. however I have to keep the patches up to date otherwise I'll be spending a week or 2 updating the server in a month or so time.

Will MS really write a new IIS from scratch I doubt it, and if they did would it really improve on where things are now.... it would take n months to write, beta and then lauch IIS+ 1.0 then people would want to know it was ok, some would try it, but most people would want to see IIS+ 2.0 before moving their web applications to it..... timescale ? how long is a piece of string.... and would it be any better, would MS allow external code reviews (or opensource) to ensure that IIS+ was better / secure. I doubt it....

Regards
Dave
----
"Iceberg dead ahead..... oh sorry, only joking !"

Re:Only had to be a matter a time (and my 0.02$)

[aulendil]

.... it would take n months to write, beta and then lauch IIS+ 1.0

Of course you meant IIS XP, didn't you?

Now THATS Funny...

[FatHogByTheAss]

I've quit jobs due to PHB reliance on the morons over at Gartner.

"Unix will be a dead OS in three years." Quoth one, on his reasoning behind implemening MS solutions for the enterprise. (~ 1995)

An expensive Gartner "analyst" told him so.

Shoulda gave me that budget...

HooHa!

Re:Now THATS Funny...

[Dexx]

I've heard the comment in our office that 'if you ever need to prove anything, there's a gartner report out there to back it up'

Great but...

[drodver]

This is great but many companys can't switch easily because they have web apps based on ASP/ActiveX. Unless it's something small they are stuck since rewriting it isn't probably an option.

Re:Great but...

[dreamquick]

They could easily switch if there was a 100% compatible extension for apache (or your w3 server of choice) that allowed it to process the latest ASP specification without the need for any rewrites to the source.

Active X should still work assuming that *heaven forbid* you kept to the same win32 platform as in theory the scripting language should still work the same way but on a different "brand" of server.

Re:Great but...

[Mr.+Slippery]

This is great but many companys can't switch easily because they have web apps based on ASP/ActiveX.

Gee. So companies that based critical systems on proprietary technology now find that they have limited options and are basically screwed? Who'd have thought?

Make a deal with the devil, you're gonna get burned.

Re:Great but...

[daviddennis]

I don't remember the name of the product, but at least one ASP emulator for Linux is available. I don't think it was open source, but it was definitely there.

D

Re:Great but...

[KC7GR]

My take: There are WAY too many web sites on the air today that are so crammed with graphics, Java applets, ActiveX crap, and whizzy animations that the useful information (if any in many cases) is lost to the visual and audible noise. When I'm looking for product information, I want a clear photo of the product, a clear and concise list of features AND SPECIFICATIONS, and perhaps some comparisons on how it stacks up against its competition.

I neither want nor need animated fonts, flashing colors, or crappy electronic "music." If you can't say what you need to say with plain ASCII text, and maybe a photo or two, then no amount of Shockwave animations or fancy electronic noise is going to help you get your message across. In fact, it may have the opposite effect: It may well drive people AWAY from your site.

The bottom line: Maybe switching away from IIS would be of benefit in the area of cleaning up a great deal of electronic noise, as it would give the web developer(s) in question reason to re-write the site in question.

Re:Great but...

[drodver]

ActiveX isn't just for running things in a browser. It's common to have ActiveX components generating the page dynamically on the server. Also many large windows applications use ActiveX.

Re:Great but...

[jiheison]

I don't remember the name of the product, but at least one ASP emulator for Linux is available.

Might be Chilisoft.

Re:Great but...

[Teferi]

Chilliware sells software that lets you run ASP on Linux.

Re:Great but...

[daviddennis]

Yes, that sounds right - Thanks.

D

OH MY GOD!

My PHB just saw this, screamed "MY PARADIGMS ARE MELTING!" and collapsed into a pile of goo. Many thanks to the Gartner Group!

Actually...

[base2op]

There is an 80% chance of it not happening by the end of 2002:

Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability).

Re:Actually...

[sulli]

Wow, a 2002 prediction without a $2B market size attached to it? I didn't think Gartner could do that!

There's TCO on Apache, too.

[iturbide]

The problem is not just that IIS is a vulnerable piece of crap. The problem is the point and click admins who can only run setup and never ever will check for patches.

So you ditch IIS and install Apache. Do you honestly think that the guy who couldn't be bothered to update it will be bothered to check for Apache vulnerabilities and fixes?

Yes, because you will have to ditch that guy! And your new unix-savvy admin will be more expensive.

Oh well, only a matter of time before they think of that. The product is only as good as it's admin, and certainly not better.

Re:There's TCO on Apache, too.

[jslag]

Do you honestly think that the guy who couldn't be bothered to update it will be bothered to check for Apache vulnerabilities and fixes?

No, but compare the number of IIS patches needed over the last couple years to the number of apache patches over the same time period.

Re:There's TCO on Apache, too.

[DrXym]

The difference is that apache *requires* the installer to do some manual work to get it working properly. Perhaps the point and click admin would learn something during this process of learning.

Re:There's TCO on Apache, too.

[stilwebm]

Honestly, in most metro areas Microsoft admins get paid more or similar amounts as the Unix admins. Sure, the Microsoft admins need less knowledge to get by. But a HUGE number of businesses have Windows web servers because all of their workstations are using Windows. The demand drives up the price, which is employee compensation in this case. Why else would there be so many MCSE courses advertised at $1,500+?

Re:There's TCO on Apache, too.

[jiheison]

The difference is that apache *requires* the installer to do some manual work to get it working properly.

If by working properly you mean w/o security holes, I son't see the difference. Bottom line, you have to pay attention to what you are doing.

Re:There's TCO on Apache, too.

[sporty]

But now its a matter of updating a few binaries. Simply recompile, and use a system such as rdist to through the new binaries out there.

Just a matter of hupping all your servers.

Note, rdisting/hupping systemtically to make sure you don't down a cluster of servers is required. Once the little bit of programming is in place, it's really not that hard to update all the time.

With IIS, there are DLL's and binaries to update, which we don't have a list of. Well, the list isn't the one time I installed IIS. Apache has a bit more obvious since you set a single prefix directory to install to, so just a "find . -type f" will give you a straight list. To boot, the number of files is small. Even better, it compresses well to send across a network.

-s

Re:There's TCO on Apache, too.

[sporty]

Wll, there wasn't a list the one time I installed IIS. Ug

Re:There's TCO on Apache, too.

[Phexro]

"The difference is that apache *requires* the installer to do some manual work"

$ su -
Password:
# apt-get install clue

read the article

[SuperQ]

read the article, it says use apache or iPlanet. sheesh.. the article was out last week.. read first, then post.

Regular patching only a small part of TCO

[Pinball+Wizard]

From the article...

using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out -- almost weekly.

I imagine you would need to patch Apache fairly regularly as well. Its not like its immune to worms or security holes. In fact, apache.org was compromised this year due to a security hole.

I am in the process of converting from a Windows based web server to Debian/Apache, and the process is not without its problems. On the first try, Debian did not pick up both processors on my machine. Also, using mySQL, I can consistently crash my machine by trying to index a 5 million row table.

So, I have some problems. As you might when converting from Windows to Linux. Where do I go? I can't just call my Debian rep and ask him to help me fix my problems. I have to hunt for the answers and spend a lot of time figuring out just what the heck is wrong with my system.

So keep this in mind if you are switching because of TCO costs. Yes, you will need to patch once a week sticking with Windows. However, I don't think this report fully explains everything that may be involved when figuring out the TCO for a Linux system.

That said, I expect to be able to solve my problems and end up with a very nice server.

Re:Regular patching only a small part of TCO

[ethereal]

Of course, if you went with RedHat, you could call up your rep and ask for a solution. Not that I'm anti-Debian, I'm just saying that you could get support if you really wanted to pay for it. Is it cheaper and/or better than Microsoft support? I don't know, you'll have to decide that.

Re:Regular patching only a small part of TCO

[planet_hoth]

I imagine you would need to patch Apache fairly regularly as well. No, you do not. In fact, apache.org [apache.org] was compromised this year due to a security hole. ...which had nothing to do with Apache's security. The intruder grabbed an admin password by exploiting an unpatched copy of OpenSSH (IIRC). Apache was not in any way at fault. Where do I go? I can't just call my Debian rep and ask him to help me fix my problems. Um, you could cough up some money and buy a commercially supported distribution from, for example, Red Hat?

Re:Regular patching only a small part of TCO

[baptiste]

In fact, apache.org [apache.org] was compromised this year due to a security hole

Well yes Apache.org did get compromised but NOT due to an Apache server problem. It was a complicated hack and took advantage of a configuration problem (mainly Apache had their incoming FTP tree viewable in their web space among others) Or perhaps you're referring to another event.

Yes, Apache is not all nice point and click, but there ARE tools out there (Webmin's Apache module is NICE) to make administration easier. Yes Apache has had vulnerabilities in teh past, but considering its widespread use and installed base, I'm extremely impressed with how secure its been - upgrades to Apache are rare which reduces TCO.

Yes, all systems and software have problems. But overall, I'll stick with OSS where appropriate and regarding your issues with MySQL and Apache, a few simple posts to mailing lists or news groups related to the software will often get your problem fixed faster than most 3rd party setups.

Re:Regular patching only a small part of TCO

[Mr.+Slippery]

Where do I go? I can't just call my Debian rep and ask him to help me fix my problems.

You could buy a distribution that offers support (RedHat leaps to mind). You could purchase after-market support (search Google for leads). If you want outside support, it's out there for you to purchase.

Re:Regular patching only a small part of TCO

[duffbeer703]

Maybe you should stop consistently indexing 5 million row tables with MySQL.

Then buy a real DB.

Re:Regular patching only a small part of TCO

[dan_bethe]

On the first try, Debian did not pick up both processors on my machine. Also, using mySQL, I can consistently crash my machine by trying to index a 5 million row table.

I don't mean to sound like a jerk, but choosing Debian for guaranteed specific commercial support and choosing MySQL for stability sound like about the opposite of what you should do. Debian has an excellent product and I'm sure the Debian community has top notch aggregate support but perhaps a commercial contract would be better for very specific needs, and perhaps you'd get that with Redhat, Mandrake, TerraSoft, etc. MySQL wasn't originally designed for high reliability either; for example, PostgreSQL and Oracle were.

Sounds like you're in for some nontrivial work due to your arbitrary choices, especially with trying to scale MySQL.

Re:Regular patching only a small part of TCO

[Omega]

I imagine you would need to patch Apache fairly regularly as well.

On CERT, I can find SIX exploits in IIS in this year alone.

http://www.cert.org/advisories/CA-2001-26.html

http://www.cert.org/advisories/CA-2001-19.html

http://www.cert.org/advisories/CA-2001-13.html

http://www.cert.org/advisories/CA-2001-12.html

http://www.cert.org/advisories/CA-2001-11.html

http://www.cert.org/advisories/CA-2001-10.html

The last Apache exploit mentioned on CERT happened in 1996.

And remember, IIS only accounts for 26% of all web servers on the net (and Apache accounts for 59%) -- so it's NOT just a matter of there being more IIS servers out there to hit.

By in large, Apache will run just fine OOTB. Can you say the same for IIS?

Re:Regular patching only a small part of TCO

[ckaminski]

Why does the replacement have to be Linux/Apache? Why not Solaris/Apache?

Apache is a fine product, I'm proud to run it!! Linux on the other hand, I have to really talk myself into running Mission critical applications on it (I'm usually forced to use Windows because of COM Objects I have no control over).

I have zero issues with deploying Mission Critical Apps on Solaris.

Granted, patch-wise all these options need work, but Linux is by far the worst offender in this regard. Don't get me started on RedHat 6.2. :-)

-Chris Kaminski

Re:Regular patching only a small part of TCO

[Master+Bait]

Support for your learning how to use your Debian system is definitely available. A quick search on Google brought me 302,000 results, including Progeny Linux Systems which offers paid tech support. There are free IRC channels for instant help, there is the debian site, there is usenet and Dejanews, etc. etc.

You are lucky you get to be paid to learn how to use Linux, and if that is part of the TCO, then be glad!

Re:Regular patching only a small part of TCO

[Tom7]

One thing you could do is to run a web server not written in C (highly susceptible to buffer overflows). Like maybe one written in Java or SML.

Anyway, I actually think apache is pretty secure. It was not hacked because of holes in apache, but in Bugzilla, I believe. I haven't patched my apache in ages, nor seen any (non-alarmist) bugtraq tickets...

Re:Regular patching only a small part of TCO

[lewiscr]

I can consistently crash my machine by trying to index a 5 million row table.

If you're using a threaded MySQL server, try creating the file /etc/my.cnf and insert the lines:
[mysqld]
set-variable = thread_stack=128k

And restart MySQL.

If MySQL keeps crashing, try doubling it. I'm up to thread_stack=1M on my development servers, and thread_stack=2M on my production servers. Igenerally need to double the thread stack size every time we add a 1 million rows to the table.

Since my problem is related to thread stack, its a coding issue, not a "My Database is better that yours" issue.

Here's a development /etc/my.cnf for a Sun Solaris 2.7 machine with 2 Gigs of RAM. Several tables are above 6 million rows. Large updates to keyed fields cause MySQL to hang.

Re:Regular patching only a small part of TCO

[Pinball+Wizard]

That was very helpful. Thanks. After implementing your suggestion I was able to create the indexes. However, its still weird that mySQL was able to take down the whole machine. I appreciate you pointing me in the right direction.

Re:Regular patching only a small part of TCO

[lewiscr]

When I have that problem, MySQL just hangs, using a lot of memory. At a guess, I'm thinking that MySQL sucks up all available RAM and swap, then hangs.

If you start reproducing the problem again, you might want to watch the output of vmstat (I use 'vmstat 5'), up until the machine hangs. That'll tell you if its a memory hog problem or not.

Re:Regular patching only a small part of TCO

[bero-rh]

I imagine you would need to patch Apache fairly regularly as well. Its not like its immune to worms or security holes.

It is not immune, but far less prone. In the approx. 5 years I've been using Apache on Linux, I've had to upgrade Apache for security reasons exactly 3 times.

Also, using mySQL, I can consistently crash my machine by trying to index a 5 million row table

If MySQL is causing problems, use Postgres (and vice versa).

As you might when converting from Windows to Linux. Where do I go? I can't just call my Debian rep and ask him to help me fix my problems.

If you need someone to blame, pick one of the commercially supported distributions.

Re:TCO?

[rossz]

How much crack have you smoked today?

It's obvious you took a document about Windows and used a find/replace to change it to Linux.

The most obvious is the "crashes constantly" statement. What utter crap. Windows crashes constantly, usually for no apparent reason. The only times I've crashed my Linux box (SuSE 7.1) is when I am playing around with low level system configurations. I'm still learning Linux, so sometimes I do stupid things and don't know the proper way to recover (I'm getting better, though!).

Seek help. Your drug usage is destroying your brain cells.

Why you shouldn't just depend on one OS...

[nairnr]

I think this is a good indication of why you shouldn't just go with a single platform for all of your services. It may look good on paper, but the fact of the matter is that the Microsoft environment right now is so vunerable with regard to exploits, that it doesn't make sense any more.

This kind of attack can be seen in the ecosystem as well. If everything is homogeneous, then a single form of attack can do a great deal of devastation.

I guess the powers that be think that learning a new OS is bad, but it just proves "The Right tool, for the right job". Right now, IIS, is not it!

80% chance of brand new IIS next year???

[Khazunga]

Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year.

Hey! Even the Mozilla team took way over one year to get a good browser out of the door. I don't see MS being 4x faster.

Not to mention "thoroughly and publicly tested". Hah! It's M$ for Christ's sake! Testing hurts the bottom line!

Re:80% chance of brand new IIS next year???

[CaptSwifty]

The quote:

Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability).

That's an 80% chance of NOT happening by year-end 2002.

Re:80% chance of brand new IIS next year???

[DavidRavenMoon]

Hey! Even the Mozilla team took way over one year to get a good browser out of the door.

Mozilla got a good browser out the door? Must have missed that one! ;-)

you know what'll happen

[Dr.+Awktagon]

More and more of these IIS "syadmins" (using the term loosely) will install Unix/Linux boxes, and forget about them, just like they installed the IIS boxes and forgot about them.

Then someone somewhere will find some little bug in some pre-installed convenience, some PHP shopping cart, some admin tool, some default password, something that comes on each machine. Then we'll have the same problem with some crazy Linux worm. And this time I bet the clueless M$-0wn3d media won't call it an "Internet worm", they'll be sure to call it a "Linux worm"!

Of course I could be wrong. Maybe Microsoft really can't code a proper webserver. But I think having sysadmins awake and at the wheel will help too.

Hmm, how about a web server that emails the admin saying "This web server will shut down in 15 days unless you run the up2date tool" or something similar? To force people to check for upgrades.

Re:you know what'll happen

[iturbide]

Looks like a probable scenario. What I predict will happen is that the PHB's won't want to pay more for knowledge and hire more expensive admins. They'll cover their asses and move to .NET. You sell your soul, but at least you'll get the updates stuffed down your throat. Did you really think all those infected boxes in china and turkey and poland have payed for their license? Well, I don't.

Re:you know what'll happen

[nicku]

I think the Redhat Network is a great idea when it comes to stuff like this...It will deliever patches to your machine for you...and you can monitor and schedules updates from a web interface...havent really used it yet, but it looks sweet.

.n.

Re:you know what'll happen

[sys$manager]

There are already a lot of 'sploitz in PHP carts and forums and so on, as well as perl based ones, asp based, etc. etc. There are even CGI scanners for the kiddiez to find them. If someone used the functionality of those CGI scanners for a worm, what you're proposing would be simple. I'm suprised it hasn't happened yet. There is the sadmind worm on Sun though.

Re:you know what'll happen

[RandomPeon]

You get the frickin security advisory email, you run up2date. RedHat, unlike MS, is not afraid to email customers running servers and say, "You got a hole. Go fix it!" I've never had one Linux patch regress another.

Re:you know what'll happen

[Bastian]

hmm, how about a web server that emails the admin saying "This web server will shut down in 15 days unless you run the up2date tool" or something similar? To force people to check for upgrades.

I doubt it.

At my school, we made a script that watches for students with computers infected by nimda and sends them an e-mail threatening to shut them off the network unless they either clear the virus off their computer or call the helpdesk so we can clear it off. . . kids would still not phone in until they were shut off long enough to figure out that all the pr0n went away. . .

I admit, I have my prejudices, but I still don't think much more highly of point-and-click admins than I do the average student computer user.

Will anyone listen though

[bryan1945]

They are a fairly respected organization, but will it be enough to sway IT department heads? Assuming it does, I don't think thousands of IIS servers are going to be swapped out tomorrow. So Microsoft has time to release a new version before everyone jumps ship.

Of course, releasing a new version opens up a whole new set of possible security flaws. Security quality assurance has never been Microsoft's strong point.

Re:Will anyone listen though

[FatHogByTheAss]

They are a fairly respected organization, but will it be enough to sway IT department heads?

It used to be "Nobody ever got fired for buying IBM." Then it became "Nobody ever got fired for buying Microsoft."

Hopefully, this will change things.

will never happen

[iguana]

Companies relying on IIS will most likely never dump it. I just started at a shop using ASPs, VB, and IIS with SQL Server. Top to bottom, a Microsoft shop. To convert all that VB to PHP/Perl/Python (yes, there are tools) is scarier for them than just staying with IIS and riding out the crashes, the viruses, and the constant reboot-to-make-it-go-away problems.

Better the devil you know than the devil you don't.

Most end-user business types aren't interested in what's technically superior. They're just interested in what's easiest. It's a time versus money thing; Microsoft gets them up and running faster in the short run. Once you start using MS software, it's a tarpit. It's easier and easier to continue to use MS once you have MS. And harder and harder to move to something better when all the problems start to appear.

Will that make PHBs switch?

[lightspawn]

A friend lost 3 work days last week (as did everybody in his company) when their systems got hit. He's been telling the boss for, what, three years now that IIS is a time bomb. Last week's events didn't convince the boss, of course - everybody knows windows is the only OS and IIS is the only web server so we have no choice etc.

I don't know whether to hope this report makes them reconsider - how is my friend supposed to feel if they run over and make Gartner-induced changes after his similar recommendations were repeatedly ignored just because he's a geek and we all know geeks hate microsoft but we smart business types know microsoft is rich so their products must be the best and I'm ranting and raving and need to stop now.

Re:Will that make PHBs switch?

[tyoud1]

I know what you mean; sometimes you have to see these problems as opportunities though. Like, let's say you know Apache is better - why not go make a consulting company, use Apache in house, and stop worrying? Your competition is out there, using IIS, getting clobbered, while you rake in the dough. Who cares what the other guy's doing?

Probably NOT

[consumer]

Um, no, the article says that a re-write is 80% likely to NOT occur before the end of 2002, i.e. only 20% like to occur.

Any step-by-step manuals out there?

[jdgreen7]

Does anyone have a step-by-step manual for how to implement an IIS replacement? I have been riding the MS bandwagon for about 12 years now, and I'm finally starting to open my eyes to the alternatives now that they've proven themselves (this is my first /. post, by the way). My company uses IIS, but we don't use many of the features. We use the VPN, Web server (basic ASP queries against Access databases), and that's about it. I've installed Linux a couple of times, but only for testing purposes and to satisfy my growing curiousity. To really get something out of the operating system, I need to be able to install and implement those features easily. The nice thing about IIS is that it's easy to install and administer for basic tasks for people used to the MS interface (most people that use computers). If I can be shown how easy it is to change to a Linux solution, I'd probably make the switch in a heartbeat. If nothing else, it'd cut back drastically on the number of patches/virii. Any and all links are welcome!

Re:Any step-by-step manuals out there?

[pdqlamb]

>>Does anyone have a step-by-step manual for how to implement an IIS replacement? ... My company uses IIS, but we don't use many of the features. We use the VPN, Web server (basic ASP queries against Access databases), and that's about it. ... To really get something out of the operating system, I need to be able to install and implement those features easily. The nice thing about IIS is that it's easy to install and administer for basic tasks for people used to the MS interface (most people that use computers). If I can be shown how easy it is to change to a Linux solution, I'd probably make the switch in a heartbeat.

It looks like you're going to let yourself be driven by ease of use. I sense you're planning to sit down one afternoon, try to learn a whole new set of tools, and then throw in the towel because it's too difficult.

Let me make a counter-suggestion. Instead of trying to learn Linux, Apache, and one of the Linux-based databases, why don't you try to learn how to harden Windows/IIS? NIST put out a document this summer on how to do that. Follow all the steps. Install all the updates. Start logging, and monitoring the logs.

Point is, it isn't a one-time operation to harden either Windows or Linux. It isn't all as easy as clicking your way through pop-up windows. If you make an honest attempt to harden Windows, that may suffice. If it doesn't, you'll know just how hard the process is; you'll be able to support a proposal to switch to something more secure; you'll have a clue what you're up against, and hopefully you'll be willing to invest the time and effort, on a continuous basis, to secure your operation.

Re:Any step-by-step manuals out there?

[gergi]

I've found Webmin to be about the coolest configuration tool I've seen. Check it out.

Re:Any step-by-step manuals out there?

[Arondylos]

Hello,
for a VPN solution try IPSec, it's powerful and secure though a little complex. There's also a PPTP solution out there for Linux that's interoperable with the MS one (If I recall correctly). For a web server with an ASP/Access replacement, try Apache with PHP and MySQL. However, MySQL is "just" the database itself, not a frontend (Access is both). If you need a frontend, there are some, StarOffice might even fit the bill.

If you need easy administration, try Webmin, it allows you to configure your system via a web interface. If you want rapid and easy deployment, you might want to use Redhat as a base distro, if you want a powerful Linux with a learning curve, try Debian (administration after the initial installation and configuration gets very easy with Debian, though install and config take a while). But I'll not get into distro wars further, SuSE and Mandrake also earn their points :)

Hope this helps. Oh, and as to where to find information on those applications, just type them into google and they're bound to be among the first few hits.

Hope this helps
Yours Malte #8-)

Re:Any step-by-step manuals out there?

[NotoriousQ]

Hi, and welcome to the club. I am glad that you are now considering the transition. Just to give some of my credentials: I am ungraduate at a fairly well known university, taking computer science. I also have about 3 years of summertime employment in ASP, VB, and minimal web server management.

Well now to the point. I have made the transition to linux environment about a year ago -- and I now consider myself an average user/admin. The main question in performing the transition is to ask yourself, how much unix/linux/BSD you already know. If the answer is none -- I recommend to not do an immediate transition, but instead get a separate computer, install a distro of linux, and just play with it, to get stuff figured out and working. This step will take a few weeks of devoted time. The main thing is DO NOT GIVE UP. Linux has all the features, but if you do not know where they are, stuff won't work. In which cases post questions to those who know. Or even better yet get a book. $50 will give you up front useful info on networking, and may tell you how to get the webserver running. I am using the book Using Linux, Sixth Edition SE. It has been a lifesaver, although it is oriented towards redhat, debian, and caldera versions.

Some usefel links:

RedHat Linux

Mandrake Linux

Debian

Linux Documantation Project

I recommend downloading (or purchasing) one of the distros above. The first two try to be really user friendly, and do a decent job at it. The third one is a bit more cryptic, but you will probably want that version for your real server, since it does not have a ton of annoying unnecessary flashy things, like graphical bootup. Besides the install the real diference is update management, which both redhat and mandrake do using rpm system. It is easy to figure graphical rpm. Once you get comfortable with that, consider using that book that yau bought, along with linuxdoc (the fourth link) to figure out how to get all that networking, like VPN, DNS, etc, using the configuration files -- the only good way of setting up the network.

After you figure out basic administartion, Try getting some simple pages to learn apache.

Apache web server
Perhaps a book on apache Perl and PHP programming might help. Do not actually know any specific titles. Basic idea is the same as in IIS. There is a public directory, similar to inetpub\wwwroot. where you can put the files. I believe that PHP is most similar to ASP. And since you did not use SQL server for database access, but Access, I assume that you do not need the speed of a full blown server. In this case MYSQL will do the trick. For something more significant you should check out Postgres db, or a commercial product such as db2. Learning these will take some time, but remember, these things have been written with an simplicity in mind. It just takes a little bit, to see where this simplicity is.

Well this msg is already too long. To sum it up, do not throw away your old system yet. Take time to learn linux, and in a little time you will possess the necessary skills to do transition. As for the tools that will make the transition for you, I have not heard of them, however they probably do exist. And starting somewhat anew is not always a bad thing. A lot of us hope that some version of windows will be written anew, but I doubt it will happen.

Well, good luck! The switch is not easy, but there are plenty of benefits in the long run. Do not give up, and you will see them soon.

80% chance?

[spagiola]

'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year."

As I read their article, what they're saying is that there's an 80% of this NOT happening before the end of the year. That's a pretty significant difference.

Favoring Linux?

[NitsujTPU]

No offense... but they didn't say anything favoring Linux this time either. They said to dump IIS, they didn't suggest moving to Linux. There ARE other webservers for Windows.

The problem

[Rick+the+Red]

The problem is that the crackers and script kiddies attack the lowest common denominator. In this case it's IIS and other Microsoft wares. But what if Gardner suceeds and the Fortune 500 dump IIS and switch to Apache? When that happens the safe thing to do will be to use the less-common and thus less-attacked IIS, because the crackers will make Apache too expensive to use. In other words, once again the best course of action is to do exactly the opposite of what Gardner recommends.

Re:The problem

[Enzondio]

IIS is already the less-common web server.

http://www.netcraft.com/survey

Re:The problem

[KC7GR]

You're missing some critical points: First, Apache is open-source. Yes, the crackers have access to it, but so does every single end user and Apache developer. How long do you think any Apache security hole would go unfixed?

Next point: Psychology. The Redmond Empire is greatly despised, often with good reason, by Lord only knows how many programmers and would-be crackers. Also, M$ is a Very Large Corporation, while the Apache foundation is microscopic in comparison. Large corporations have become something of a symbol of uncontrolled greed and (in many cases) environmental destruction.

Crackers, in many case, crave some sort of recognition for their work. Given that, plus all the above, you tell ME which package you think will be a more likely target no matter how many sites adopt Apache.

In any case, Apache would, I think, still turn up with far fewer holes per version than anything the Redmond Empire has cranked out to date, web server wise.

Re:The problem

[jiheison]

I think both of your points show that Apache is becoming a more attractive target.

First, exploiting IIS is old news. Anyone looking for recognition should be looking at Apache.

Second, on the point of psychology, people despise M$ inlarge part because of their arrogance. Unfortunately, arrogance is yet another area where Open Source seems to be rivaling M$. How much more of this "our software is invulnerable" bluster will it take before people set out to prove you wrong?

Remeber, many large scale exploits take advantage of holes for which patches have already been released. Releasing a patch does not mean that the problem is fixed. As more of the same people who don't patch IIS migrate to Apache, Apache will increasingly be the target of exploits.

Re:The problem

[fidros]

IIS isn't the lowest common denominator. Apache has around 59% installed user base and it IS still "safer".

IIS is attacked because:
1. Problematic design decisions.
2. No code peer review.
3. "Admins" who think running a public service (web server) in a hostile enviorment (the internet) should be something easy done through a GUI...

Re:The problem

[_typo]

You're missing the obvious point, Apache is already the most used webserver. So if a script kiddie wants to release a worm, if he could do it with a Apache hole he'd hit alot more servers (roughly twice as more).

This just goes to prove that Apache is a much better alternative, since even with a much broader use in the field it's alot less vulnerable.

C|Net article

[VP]

C|Net ran the story here last Thursday (my submission to /. was rejected). The part I think is most important (emphasis mine):
Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten release of ISS that is thoroughly and publicly tested. Sufficient operational testing should follow to ensure that the initial wave of security vulnerabilities every software product experiences has been uncovered and fixed. This move should include any Microsoft .Net Web service that requires the use of IIS.

Maybe this is the chance for Mono Miguel has already seen?

It seems like people are already doing it

[jsveiga]

Take a look at the data at:
http://www.securityspace.com/s_survey/data/20010 8/ index.html

Since July IIS market share has been falling.

Check the .mil, and .br graphs!

The share is flowing to Apache and Netscape servers.

Joao

Re:It seems like people are already doing it

[shibut]

The actual site is this . I think it's interesting to note that the .us domains have a very different distribution from the .com, .edu, .org, etc.

Re:It seems like people are already doing it

[n-baxley]

It's One stinking percent. I think you're over reacting a bit. You wouldn't even metion it if it were the other way around. Let's have some consistency.

Apache.org

[Srin+Tuar]

Apache.org was comprimised due to a misconfiguration- not an exploit. Totally different. You could *not* write a nimda to take advantage of that.

Re:Apache.org

[jiheison]

Many IIS exploits take advantage of previously known but widely unpatched exploits. The same could be done for known/likely misconfigurations. As long as lazy and/or inept administration (or simple human error) is platform independant, dumping IIS won't prevent exploits.

Kind of ridiculous...

[cowboy+junkie]

"Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS..."

I think Gartner should be recommending an investment in competent IT staff if any enterprise was hit by both Code Red and Nimda, since the IIS exploits used in Nimda were the same as those in Code Red.

Re:Kind of ridiculous...

[jsveiga]

Not quite.

Nimda uses more ways to spread than the ones used by Code Red. Code Red used a buffer overflow, Nimda uses directory traversal to get the IIS.

Nimda does look for possible backdoors left by Code Red or other worm.

From CERT:

The "Code Red" worm is malicious self-propagating code that exploits Microsoft Internet Information Server (IIS)-enabled systems susceptible to the vulnerability described in CA-2001-13 Buffer Overflow In IIS Indexing Service DLL.

and:

The CERT/CC has received reports of new malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears to spread by multiple mechanisms:
from client to client via email
from client to client via open network shares
from web server to client via browsing of compromised web sites
from client to web server via active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities (VU#111677 and CA-2001-12)
from client to web server via scanning for the back doors left behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS" (CA-2001-11) worms

Re:Kind of ridiculous...

[cowboy+junkie]

I dunno - can you honestly tell me that a competent IT person who patched IIS after Code Red wouldn't have either gotten the 'all-in-one' MS fix that fixed all of the post SP6A-issues or at least checked for other possible IIS problems?

Granted, there are plenty of ways a system and/or network could get infected despite the best efforts of a great IT staff, but it shouldn't have been through IIS, which was the easiest thing to fix. I don't see Gartner recommending people switch from Outlook to Pine or IE to Mozilla despite their roles in this.

Re:Kind of ridiculous...

[jsveiga]

I totally agree with you about the importance of a competent IT staff. Any OS or web server (or browser, or email client) is only as secure as its admin (or user) can be.

I just wanted to comment on the "...IIS exploits used in Nimda were the same as those in Code Red." part.

Besides, at least here in Brazil, Windows/IIS(/Outlook/IE) skilled people are much easier to find than Linux/Apache(/Pine/Mozilla) skilled people, so TCO could be actually higher for non-MS solutions.

(never mind lots of so-called Win/IIS "skilled" people think they are web admins because they've dropped a Win2k installation CD on their PC and after some days found out the thing was serving web pages!)

Re:Kind of ridiculous...

[Hanno]

since the IIS exploits used in Nimda were the same as those in Code Red.

Nope. Nimda uses *more* and *different* exploits. Just compare a typical scan of Nimda in your logs with those of the two Code Red variations.

We had a IIS NT machine that had all the patches installed recommended by Microsoft against Code Red. Still, it was infected with Nimda.

Partly, we are to blame, as we are more familiar with Unix than with NT. Partly, I blame Microsoft because it does not offer a single "patch clearinghouse" that lists all currently necessairy patches for NT on one single page. You have to hunt down each patch on its own at MS.

Foot in the door...

[Zergwyn]

"...but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting."

One of the biggest problems with getting Linux, OpenBSD, or any new OS widely adopted is that it costs a great deal to switch to a new system once a business has standardized on a different solution. So many corporations decided to use WinNT, and having made the investment need a great deal to sway them to something better. It has to be something very big, and these virii may do it. This could be good news for OS's competing with M$, because the investment thing works both ways. Once Linux is installed, companies are less likely to go back to Windows NT...

80% chance

[pete-classic]

The article says that there is an 80% chance that there WON'T be a total re-write by year end 2002.

-Peter

Ummm...

[Kevinb]

'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,'

Am I the only one who thinks this is the absolute wrong thing to do? As vulnerable as IIS has proved as of late, completely rewriting any piece of software runs the risk of not only reintroducing old exploits but possibly generating new ones. IIS is a very complex piece of software with years of thorough public testing (in the form of live deployments) already in place. By completely rewriting it, you throw out that experience and start from zero.

Re:Ummm...

[pkesel]

Probably. You think they're going to throw out all their software engineers and systems analysts and go to zero? I think the idea is to USE all that experience and start at 1.5 rather than circling around 0.9 and never reaching a solid 1. A good design and a year of solid, well thought, methodical testing is likely to be far better than years of frustrated mouse clickers reporting often unsubstantiated and non-recreatable errors.

Re:Ummm...

[johnnyb]

Am I the only one who thinks this is the absolute wrong thing to do? As vulnerable as IIS has proved as of late, completely rewriting any piece of software runs the risk of not only reintroducing old exploits but possibly generating new ones.

**********

Normally I would agree with you. However, if you write a program without much concern for security, it's hard to go back through and find security breaches. However, if you start from the beginning with a strong, well-defined set of security policies, it's fairly easy to do the right thing. Obviously, after a rewrite, it won't be as featureful and will probably have some rough edges, but I think it really is needed to have security designed in from the outset.

Re:Ummm...

[stilwebm]

By completely rewriting it, you throw out that experience and start from zero.

I'd have to disagree with you on that one. They won't throw away the old experiences, in fact they will prove quite valuable. Most programmers encounter parts of a project that they would change if there were not the possibility of breaking things or hurting backwords compatability. When they start from the ground up, they can look at what worked well and what did not work well. Features that were added to later releases had to be designed to use the existing code base, which is often suboptimal. When they have a good idea of the types of features they will use (and even trends for adding features) they can make those features more optimal. It also makes it easier to understand the code in the short term. It is hard to understand code written years ago by yourself, and it is especially hard to understand code written by someone who left the company years ago. I'm sure bugs will be introduced, but it is much easier to prevent security problems if you start from the scratch (hint: check for buffer/stack overflows everywhere). When you rewrite, you draw heavily on previous experience, and get the chance to write things with more knowledge than you had when you wrote them a long time ago the first time around.

Re:Ummm...

[tshak]

Doesn't matter. As a previous poster mentioned, the problem is not in IIS, it's the ISAPI.dll filter (which handles all dynamic and index queries). This would be relatively easy to rewrite if it doesn't have to be compatible with ASP (boo hoo). As long as it's a ".NET" only filter, people can then disable ISAPI.DLL and run NETAPI.DLL - I'd be happy, for one.

You can't visit Windows Update?

[throx]

the overhead on keeping the win machines patched (5 on the network) is crazy, I spend too much of my valuable time hunting down patches for machines

Install Windows Critical Update Notification.

If it honestly takes you too long to visit the Windows Update web site once every week for the 5 machines, or get the users to visit the site and install the critical updates then there's a problem somewhere.

My Win2k machines WERE running IIS and had all critical updates installed. No Code Red. No Nimda. WTF is everyone else's problem? Even my web host which is running IIS didn't get hit.

As for rewriting IIS, it is a rather stupid idea. First of all the Code Red problem wasn't IIS at all, but the Index Server ISAPI DLL. Rewriting IIS will have zero effect on any of these extensions, much as rewriting Apache would have little effect on a bug in mod_php.

Honestly I don't get Gartner's points here - if you have a significant site with a large investment in .asp pages and custom server ActiveX objects then migrating from IIS is a fairly large expense. Even if you don't, the hassle of securely setting up a whole new web server is just asking for more holes to turn up. I'd be recommending companies don't ship at all, but pay attention to Microsoft's security bullitens (you ARE signed up, aren't you?)

Re:You can't visit Windows Update?

[sys$manager]

What I can't believe is how many people didn't apply the patch that protected against Code Red. It was out for SIX MONTHS before Code Red hit!

Re:You can't visit Windows Update?

[RocketScientist]

Yeah, I have a great idea. Let's all surf over to Windows Update from our web servers.

Sorry, all of my servers are blocked for outbound HTTP. Can't surf from them. Why? To prevent people (or a worm) from installing unauthorized patches from outside our network. I mean, if you're going to allow surfing, why don't you just pull up Outlook and check your email while you're at it?

I agree, however, that I don't get Gartner's points either, but for a different reason. Attention managers: If you hire bad Sys Admin folks, you're going ot have problems. It doesn't matter if it's a Windows shop or a UNIX shop or whatever. Good admins take care of things, bad admins don't. Pretty cut and dried. This isn't a Windows problem directly, it's an admin problem.

Re:You can't visit Windows Update?

[humanasset]

There is actually a better way to do this. Use the Windows 2000 IIS 5.0 Hotfix Checking Tool. It works pretty well and you can customize it to your needs. It can write to the event log, send an email, etc.

http://www.microsoft.com/Downloads/Release.asp?R el easeID=24168

Re:You can't visit Windows Update?

[jnik]

What I can't believe is how many people didn't apply the patch that protected against Code Red.

Microsoft claimed it was included in SP2. It wasn't. Yes, there's a bit of a complacent sysadmin problem here, but do you check to make sure that every single patch wrapped up in a service pack actually installed?

Re:You can't visit Windows Update?

[WNight]

The problem is that you can't trust MS's patches.

One of the early NT service packs was called the SP-of-Death. Even recently... Remeber SP6? Nope. It was pulled rather quickly and replaced with 6a (which is often referred to as 6) because it caused a ton of problem for Notes users.

Direct-X 7.0 was buggy and toasted a few systems, but couldn't be uninstalled.

MS has a long history of playing games with patches. Often they don't release patches, forcing an "upgrade" to a later version, other times they release a "patch" that (intentionally?) breaks other companies software.

Decent admins don't install MS patches until they've seen them in action and could evaluate them. The proper action with CRed and Nimda isn't to rush to patch the server, but to change the firewall to prevent malicious requests. To do otherwise is to risk having to reinstall the OS (without the patch) to get your servers working again.

Re:You can't visit Windows Update?

[AugstWest]

Index Server is part of IIS. The problem is that IIS encompasses a large number of seervices that are enabled by default, and 90% of the people using it will never use them.

Also, if you're running NT4, there is no windows update for IIS.

Re:You can't visit Windows Update?

[jiheison]

Sorry, all of my servers are blocked for outbound HTTP. Can't surf from them. Why? To prevent people (or a worm) from installing unauthorized patches from outside our network.

If your security is lax enough to allow a worm or rogue user to attempt to install an unauthorized patch, what is to stop these same agents from unblocking outbound HTTP or simply installing the patch directly?

Re:You can't visit Windows Update?

[Alan]

This brings up a big bitch of mine... And I realize I'm being a linux bigot here, and that my dis-like of MS will be evident, but...

Why do you need a web browser on a server????

I've been in computers for 10+ years now, and using linux in part of exclusively for 5 or more (pre kernel 1.0 young 'uns), and I've never understood why a machine that does NOTHING but server mail/news/http/whatever needs all the shit that MS forces you to install, such as a web browser. I realize that these days it's "built in" to the OS, but back in the '95 days it was the same way IIRC, when you installed IIS (or MS Dev Studio) you were asked/required to install a web browser...

That's part of the reason I like *nix, is that if I want to server webpages from a server with nothing running in it but a user account and httpd, I can. Yes, I need libc, libraries, and various support binaries, but if I want to delete df, du, cut, tr, and the rest of the 2 and 3 letter utils, I can!

</rant>

Re:You can't visit Windows Update?

[Maserati]

Use hfnetchk.exe to scan you network for machines needing hotfixes. Then use SMS to push them out. Terminal Services will come in handy for rebooting servers that need it. Can't reboot a machine ? Why do you only have one of a mission-critical server ? At least maintain some scheduled downtime for maintenance if you can't put up a backup machine.

hfnetchk is available here

Funny thing is, the search engine returns broken links to the KB article. I submitted feedback to get 'em fixed.

Re:You can't visit Windows Update?

[throx]

Index Server is not part of IIS. You install and uninstall it independantly and it runs as a separate service with isapi hooks into IIS.

If you are a competent admin, I'd expect you to be on the mailing lists for security flaws in all systems you administer - if not then you aren't doing your job properly. There's no excuse for not having a patch for "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" installed on a web server.

Re:You can't visit Windows Update?

[throx]

Actually the patches for the flaws that Code Red and Nimda exploit were pretty well buried on Microsoft's site.

If you can call http://www.microsoft.com/security "buried". Personally I get the bullitens emailed to me - that way I don't have to surf over there. Had you done that you would have been patched three whole months before the worm came out.

Re:You can't visit Windows Update?

[GunFodder]

If you have a significant investment in .asp and ActiveX objects then you get what you deserve for deciding to trust Microsoft. Next time try using an open architecture with multiple vendors so you will have choices when you realize that your platform sucks.

Re:You can't visit Windows Update?

[sheldon]

It's weird. I usually don't install service packs right away, but wait a few weeks. Even if I do, I install it to a test machine first to see what it does.

There are sometimes reports of problems, and I'm smart enough to know that some applications that do low level bit tweaking may not work. (Firewalls come to mind)

And strangely enough, I've never had any problems with any Microsoft service patches.

As far as your proper action. That's incorrect. You should do both.

You may also want to look at the new URLCheck utility from microsoft which also tries to prevent malicious requests.

Re:You can't visit Windows Update?

[sheldon]

That's incorrect. The patch that fixed the problem Code Red exploited was only released a month previous.

However in the case of Nimda, you had 16 months to patch your IIS server.

Re:You can't visit Windows Update?

[sheldon]

Microsoft never claimed it was in SP2.

Re:You can't visit Windows Update?

[budcub]

One of the early NT service packs was called the SP-of-Death.

That was Service Pack 2. It was very buggy, and broke things (RAS for instance). From then on no real problems with the service packs for NT4. Except your right about Service Pack 6. It introduced a problem for Lotus Domino, so they released Service Pack 6a instead. That took care of that.

I used to be leary of applying patches myself. From what I was taught and from what I'd heard, "if it ain't broke, don't fix it". Well not anymore. Shortly after a patch comes out, we apply it. Its insurance against getting hit with the next code red that comes around.

Re:You can't visit Windows Update?

[esper_child]

Where do you get that you can't uninstall direct-X (any version) I have done it here several times. some how i wound up with a beta directx with a expired time limit and had to uninstall it so i could put on an older version. and no despite what microsoft says, it comes out cleanly if you do it right.

As far as installing MS patches, i highly suggest putting them on a mini-network to test them away from the primary network. It is always wise to do a tape back up before you actually install any service pack incase something bad happens with it.

Also, I don't suggest using NT for a server (win2k isn't too hateful as a client though, but anything earlier should be scrapped and XP is not on my list of things that are useful), instead use a *nix operating system. There is, to the best of my knowlage, no real reason to ever use NT of a *nix anyways (unless you are lazy and don't have the knowlage of how it works, in which case I probly wouldn't allow you near my computer room)

Also, don't use IIS for a webserver, in my experience it is a little on the sad side, personally I would be using apache for a web server (if i even had one up right now, which i don't as I don't need it). I don't think I have tried other webservers out there, so I can't really comment on them.

Re:You can't visit Windows Update?

[Hanno]

However in the case of Nimda, you had 16 months to patch your IIS server.

Funny. We installed a brand new edition of German Windows 2k (fresh CD from the store) and then the recommended patches from Microsoft's site, only three weeks before Nimda hit. Still, it appears we didn't catch all those necessairy. Our server got infected.

Embarassing for me, yes. But I also wonder why their update site does not list the patches for this problem in a concise manner and why a current, brand-new OS install CD is still affected by problems that are 16 months old (as you claim).

Re:You can't visit Windows Update?

[plover]

Please, you are continually blaming the owners of these machines for not being "competent". The machines are owned by a wide range of people, most of whom are your brother-in-law's cousin's co-worker who thinks that if Windows ME costs $100 then Win 2K must be three times better because it costs $299.

So I suffer the effects of his Code Red attacks because he's too busy playing Quake to read Microsoft's fix-of-the-week? Next time you see a random person who happens to own Win2K, ask him or her if he even knows what the phrase "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" means?

And your solution to us is to blame him, rather than solve the problem? I think the company that delivers the insecure system out-of-the-box is at fault. Don't blame the guy who just bought a Win2K CD at Best Buy and stuck it in his PC. He simply trusted Microsoft to provide him with an OS for his computer, and I think he's within reason to expect the software he paid for NOT to be full of holes.

As a matter of fact, one is attacking me as I write. Let me go see, yes, http://tsi-196.tsi-comm.com/ has the default IIS page up. This is a NOBODY, just some guy with a cable modem, money, and not enough brains to know what he's done. His box is so tied up I can't even NET SEND him a friendly "You've got worms!" messsage. And he's just one of many thousands. Even if every professional IIS admin were completely competent, Microsoft is shipping the same leaky IIS to every dot-com, Dick and Harry.

Quit attacking the victims.

Re:You can't visit Windows Update?

[linuxelf]

Our company maintains its own firewall, but we are on a corporate WAN, so we are basically forced to trust the firewalls of all the other sites back here with us. Even if our firewall is 100% imune to these things, we can still get hit.

Obviously I wouldn't advocate moving away from IIS if your whole company is built on it, with ASPs and Indexing etc etc, but if you're using it for bringing up intranet reports, or other tasks that don't require ASP, switch. You'll save a lot of headache.

The last round of Microsoft Updates designed to prevent Nimda caused one of our IIS servers to Dr. Watson whenever you tried to start it up. That was the last straw for me.

Re:You can't visit Windows Update?

[throx]

Perhaps if you bothered to read the parent to my original post you would have noticed it was a network admin whining about how much time it took him to keep 5 (yes, only five) Windows machines patched.

Of course, you are probably much happier flaming me than actually reading the context of my posts so, whatever...

I hope you spare some time in your rightoeus indignation to give Microsoft some kudos for making the critical updates part of XP. Oh, wait! You are probably going to flip to the other side of the fence and scream privacy issues?

Re:You can't visit Windows Update?

[sheldon]

Service Pack 2 included the patch for the exploit Nimda used.

However if you had not patched for Code Red in June and were infected by that, Nimda utilized one of the backdoors left behind. That's been the primary reason behind every claim of "we were patched and still got infected", and you should investigate that possibility.

Of course that just covers the IIS exploit. There were other ways of Nimda spreading, and if you were web browsing or running random executables on the machine that may also be a concern.

Security

[quantum+bit]

(who DIDN'T get hit by Nimda?)

I didn't. IIS can be secured -- many things that MS releases patches for are not exploitable if you follow sane security practices. Stuff like deleting all the ISAPI crap that comes in the default setup, and putting your web root in a nonstandard location (preferably on a different partition), deleting all sample files, enforcing proper filesystem permissions, and running any applications in an isolated process.

Of course, one of the advantages of Apache is that it ships in a relatively secure configuration by default, it's better for dummys who install stuff and plug it into the network without bothering to check the configuration. It's a whole lot better by default than IIS, that's for sure. Most of the MS patches are for various add-ons like index service that most people don't use anyway and should be shut off.

DISCLAIMER: I use Apache for the primary web server for the business I work at. We run IIS as the secondary server for load-balancing and have yet to be compromised by anything, even though patches don't always get applied immediately (usually pretty soon after release though). I think Apache is great, but want to point out that anything can be secured if you put some effort into it.

Re:Security

[AugstWest]

If you have to set up a new NT4/IIS web server and make sure that every patch has been installed, how long do you think it would take?

There are answers here:

http://wired.com/news/infostructure/0,1377,45763 ,0 0.html

Quote (from Russ Cooper of NTBugTraq):

"Another site, for Windows NT 4.0 users, offers a Security Rollup Package. An SRP has all the patches needed for the NT wrapped up into one nifty download --including the Code Red patch -- except for the two most recent ones. To get those, you have to find the latest update to the SRP, posted July 26. But none of this will do much good without Service Pack 6a.

Confused yet? So was Cooper. Rather than taking any chances, he went to every site and downloaded the bulletin lists, then read each bulletin -- 78 in all -- just to be sure he had them all. He eliminated the ones that were redundant or outdated (some patches negate earlier patches)."

Re:Security

[wcb4]

There is a muich simpler way......

start ---> windows update ---> product updates

select the ones under critical and hit download. They install automagically. been running 2k since it came out... Had IIS running on it since day 1....never been hit. Takes 5 minutes per week to run windows update.

Re:Security

[jallen02]

5 minutes per week * 300 machines in a big corporation....

1500 minutes a week. Or roughly 3 days out of an admins day running windows updates. There is a more effecient solution for it actually :)

Jeremy

Re:Security

[AugstWest]

Again, there isn't a windows update for IIS on NT4. There are a massive number of NT4 machines out there still, and there will be for years to come.

5 Minutes to run Windows Update, plus reboot time, which must be done outside of business hours, which is the big thing.

There's no "Stop Service, Patch, Restart Service" with IIS, everything requires a reboot. You can't just do that very often on a mission-critical server.

Re:Security

[sharkey]

You'd be better off signing up to the MS security lists. Their security bulletins are posted, updated with patch info, and patches posted in the security sections LONG before they show up on Windows Update. IIRC, last year, one of the IE 5.0 buffer overflows, which was posted to MS Security bulletins, and passed around the electronic news sites, took over 3 weeks to appear on Windows Update after the fix was made available through the MS Security bulletins.

Windows Update is nice and convient when you set up a new PC, and need to get a bunch of patches on it quick and easy, but you should be conservative and assume that it is out-of-date, and double check.

Re:Security

[ncc74656]

There is a muich simpler way......

start ---> windows update ---> product updates

Try doing that on a fresh NT4 install...it doesn't work so well with IE2 (which is what's in a fresh NT4 install). www.microsoft.com won't even come up in IE2, so you have to download a newer browser on another box (preferably another NT box or Win9x; you can't use Win2K as it won't let you download all the files to a directory for a later installation) and somehow transfer it to the new server (CD-R or FTP will work). Before that, you have to install SP3, though...and again, you'll need to download that on another machine.

I'll agree that once you get IE4+ going, Windows Update makes keeping a server up-to-date ridiculously easy. Getting the server to the point where it will work with Windows Update can be a minor pain, though.

Re:Security

[KingAdrock]

I'm sorry, but I have to argue this point. Everyone on the 'net got hit by Nimda. Maybe you wern't directly compromised, but you certainly were affected to some degree by the insane amount of network traffic generated by this thing.

He may have been affected by the virus, but ditching IIS would not have solved this. That is unless everyone in the entire world stopped using IIS. And as long as Microsoft is in business -- that won't happen. So his point was that his server wasn't comprimised, and therefore his operation ran as smoothly as any other server would have been under the same circumstances.

Re:Security

[DavidJA]

If you had 300 machines & you had 1/2 a clue you would either:
1. Run Windows Update in a Network logon script or run it using the schedular.
2. Use Systems Managment Server.

Re:Security

[jallen02]

Right :P

I have automated all five of our systems updates at work and it saves me a lot of time not having to track which machine has which patch.

Then image one well setup secured lock downed system :)

Code Red and Nimda never touched our machines because they were patched weeks before the worms hit.

Im not crazy about windows or anything but my machines have had zero penetrations in over a year with high visibility and many attempts :)

Jeremy

Re:Security

[larzgold]

Actually talking to microsoft the security patches are NOT included in the windows update. Larzgold

Re:Security

[biohazard99]

Thank god for apache.
Saturday morning I installed Apache 1.3.20, PHP 4.0.6, and MySQL 3.23.42 to test some PHP code on my home (WinME machine). 2 minutes after startup of httpd, the first nimda attack came, so I spent the rest of the morning hunting down a suitable kill script for the attacking machines.
<div class="rant">
It pisses me off to no end that 1. MS has such a grip on the corporate world's mind that they couldn't consider trying a more secure platform (Apache win32 isn't up to its big brothers quality yet, but at least it has fewer attacks running against it). 2. That when the little bastards who write this shit get caught, they get comunity service and minimal restitution.
We don't need draconian laws regarding privacy, registering "Hackers" DNA samples, etc. What we do need is stiff punishment for those who do cost us millions of dollars in bandwidth and support time. Has anyone calculated how expensive the four biggest MS targeted attacks(ILOVEYOU, SirCAM, Sadmind/Code Red/Nimda, Anna Kournikova) were, I'd gamble it be enough to stuff a few pineapples up Bin Laden's ass.
</div>
Time for a beer

Re:Security

[sphealey]

"There is a muich simpler way......
start ---> windows update ---> product updates "

Followed by: ERP system crash. Custom-coded warehouse system crash. Intranet apps don't load. And that's just the normal course of business, not even taking into account that Microsoft might salt product updates to make competing products less stable (can you say Novell?).

In a production environment, you test before you deploy.

sPh

Re:Security

[ttfkam]

Unless you were connected to a different Internet than the rest of us, you did. We all did whether we run with Apache on Linux or IIS on Windows. You just kept that one particular (group of?) server from adding to the overall problem.

I and many of my coworkers run Linux at the office. Those that were running Windows machines (IIS for development purposes and not production) got hit and started saturating the local network.

Folks who aren't even running Windows are more than pissed. With old time bootsector viruses, those of us with sane virus protection and/or non-Windows systems could scold from afar. With the advent of (equivalent of) remote root exploits popping up on a regular basis, everyone is getting hit with a DoS attack.

I'm glad to hear that there is at least one more IIS administrator out there with half a brain and thinking about security. Unfortunately we need far greater numbers of IIS administrators than one more.

As the old adage goes, "If any idiot supposedly can administer a Windows box, any idiot will."

Re:Security

[shyster]

start ---> windows update ---> product updates select the ones under critical and hit download. They install automagically. been running 2k since it came out... Had IIS running on it since day 1....never been hit. Takes 5 minutes per week to run windows update.

Windows Update is not supported with the server OS's. While, true, you can get many updates there, server specific ones (such as IIS) will not show up there. Do yourself a favor, run HFNetChk on your servers....

Re:Security

[plover]

That's all well and good, but you solved .001% of the problem.

Like everyone else, I found myself gettting hammered by Code Red infested servers when this whole thing came down last month. So I went and did a few directories on several of those machines using the newly installed back doors just to see what was going on. Know what I found? They were ALL default installations of Win2K, and most were installed sometime early in August (based on the dates of some of the directories I found. Many of those machines still served up the IIS default page when I checked.) It was evident that someone simply dropped in the CD, clicked on some install button, and called it done. And *I* suffered for it.

You cured ONE machine, and for that I thank you. As you say that a smart admin will prevent these problems, but that's not true enough. These machines are owned by cable-modem morons that don't understand that they've just become an admin. They dropped in a CD and checked a box that said "Make this computer a web server." Then they probably invited their friends over to see their awesome Quake playing machine.

That's why IIS is not a winning recommendation, but the people who need to know this wouldn't know the Gartner group from a garter snake.

Re:Security

[quantum+bit]

That is unless everyone in the entire world stopped using IIS.

Maybe MS should put up a big red warning screen when you install IIS that it requires a dedeicated admin whose full-time job is installing patches and removing MS bloat-components and won't let you continue until you click that you have. Though for some reason I don't think even that would stop some PHBs...

Hehe, one of the (few) advantages of working for an accountant is that they know so little about the technical stuff they don't even try to mandate particular software or methods.

<RANT>A big part of the problem is that companies like MS cater to the lowest common denominator and happily let users install and activate potentially and probably dangerous services without fully understanding the responsibilities involved in it. Witness the number of Win2k boxes whose 'admins' installed with the "give me everything" option and didn't even know they had a web server running...</RANT>

Re:Security

[jallen02]

Awful boasting? Its the truth. And, FYI I was stating it to make a point. It took me about four hours of reading to get the details worked out and the systems locked down and updating themselves. Im not saying the systems are hack-proof, I am sure a determined soul with the actual desire to get in can. The actual point is with a minimal amount of work the systems don't take much to secure and make life easier so you don't have to worry about every new worm that uses exploits that have been patched for weeks.

Re:Security

[Blackneto]

1. Run Windows Update in a Network logon script or run it using the schedular

The only problem i see with approach #1 is the chance that one of the updates might break some app. happens all the time. If you have 300 machines hopefully you have a test enviroment to check these things out before pushing them out using sms or what have you..
Then you have the problem of testing these patches in a timely fashion before the exploit or problem they fix hits your enviroment.
Vicious evil circle.

Re:Security

[Paul+Komarek]

What happens when the Windows Update server is infected? Don't laugh, it's happened. Okay, laugh. I am.

-Paul Komarek

Re:Security

[webcrafter]

I completely agree. SP6a breaks MS Message Queue, for example. It's been a pain in the ass :/

Re:Security

[iMMersE]

I bet you're not as pissed as some innocent victims were two weeks ago.

Re:Security

[quantum+bit]

Bah, ./ sucks! Tried to post this last night by MySQL was being gimpy...

I'm sorry, but I have to argue this point. Everyone on the 'net got hit by Nimda.

I guess it depends on the semantics of what the original poster meant by "hit". Yeah, I got plenty of crap in my logfiles, but then again so did everyone else. At least my IIS box (I'd love to run Apache on the Exchange server, but stupid Outlook Web Access doesn't seem to like it for some funny reason :) wasn't contributing to the problem.

Slightly offtopic, I'd like to know which crack-smoking moderator modded the parent as Flamebait. It's a valid point worth exploring and no more flamebait than my original post :)

FBSD/Apache

FreeBSD rocks!

Verizon decided the proper response was to ingress filter port 80 traffic for all residential DSL customers (something they'd never done in almost three years of service).

Okay, now this is another rant entirely... I automatically hate any ISP who does port filtering/transparent proxying of any sort.

...or because other nimrods can't be bothered to do any kind of bounds checking.

The original CodeRed exploited a buffer overflow in the Index Server DLLs (the authors of which should be shot). Nimda, on the other hand, exploited a bug in the decoding of Unicode/UTF-8 character sets in URLs. To be fair, UTF-8 decoding is so complex and non-trivial, it's arguable that nobody has gotten it right yet. There may be one, two, or even zero correct implementations. Perhaps making the security check (rather naive filtering for ../) depend on correctly decoding the URL is inexcusable bad design, but it's certainly not as mind-numbingly stupid as not doing proper bounds checking...

Unix: Where /sbin/init is Job 1

Re:Security

[SimCash]

As a user, I have avoided all these by a combination of luck and choice. I use an old Netscape email client so I can control when attachments are opened. Sometimes I even snoop at the byte level before I open them.

About to respond

[NineNine]

I was about to respond to this article, but Slashdot broke and wouldn't accept any postings and wouldn't let me log in for several minutes. Then, it continually timed out. Apache? Ha!

Re:About to respond

[Midnight+Ryder]

I was about to respond to this article, but Slashdot broke and wouldn't accept any postings and wouldn't let me log in for several minutes. Then, it continually timed out. Apache? Ha!

Don't blame it on Apache - it's more likely that it's either the database server, or Slashcode throwing a fit again (probably the former, not the later.) Ever since thier last upgrade, the system seems to be a bit flakey at times - sometimes for hours, sometimes for a couple o' minutes.

And if it WAS Apache - well, why would it still be serving webpages? :-)

Dear Gartner

Sorry I was late with the usual monthly cheque. I assure you that this will never happen again.

Love,
Bill

If It Weren't For Microsoft....

[quakeaddict]

What would /. use for stories?

Think about it guys...1/2 of the discussion today involves MS.

If you guys hate MS so much why do you spend so much energy talking about it?

Re:If It Weren't For Microsoft....

[soup]

If you guys hate MS so much why do you spend so much energy talking about it?

It's like sex; If you talk about it, you ain't doing it...

Re:If It Weren't For Microsoft....

[Alakaboo]

Three reasons:

1) We spend so much time cleaning up after them.

2) We rely on each other for assistance; this open discussion can help a lot.

3) It's funny. (Read: Instead of firebombing Redmond, we're cracking jokes.)

Re:If It Weren't For Microsoft....

Perhaps there would be more interesting non-microsoft-related things going on-- and thus more non-microsoft-related things to write stories on and discuss -- if microsoft had not stifled 1/2 of the interesting new movement in the software industry in the last 10-15 years..

Just a thought.. when a company has as much money and political influence as MS, it's hard to avoid talking about them. Also, since MS is the biggest competitor of nine out of ten significant software packages it does not make, MS has at least SOME influence on the news connected to every single software package that could conceivably be a) important enough to be talked about for any length of time on slashdot b) important enough someone's job could be based on it.

Re:If It Weren't For Microsoft....

[ignavus]

If you guys hate MS so much why do you spend so much energy talking about it?

If you are so annoyed about guys hating MS and talking about it, why do *you* spend so much energy talking about it?

Warning: this thread is recursive.

Re:If It Weren't For Microsoft....

[izzertaq]

KDE vs. GNOME. Microsoft vs. Linux vs. FreeBSD. The nebulous "big-hairy-anti-civil-rights-entity" versus the "red-blooded-programmer." These are the pointless battles waged by the world's geeks. Our lives are so boring in front of our computers that we need to act like these things have thoughts and feelings and motives ... it's all a pretty daft soap opera, if you ask me, and we all really need to get out more. Who's with me?

Microsoft Revamping of Software

[huckda]

This is LOOOOONG past due...

I think MS OWES it to the millions of users to take the entirety of their products off the shelf, and to keep them off the shelf until they are fully fully fully tested and THEN release them...

I'm tired of buying software and having to update it the next day because of 40 new security issues and then having to do it again the next week...
DEVELOPMENT time and BETA release time is when you should be scouring these monoliths of megabytes for their faults...not after MS as a company has INFESTED millions of computers.

Re:Microsoft Revamping of Software

[johnnyb]

The problem with this idea is that most real testing must be done in production. There is no way to simulate production exactly in testing. What really needs to happen is for more clueful IT managers to come onboard.

woah great.

[garcia]

so after weeks of everyone telling you to shutdown IIS b/c it is vunerable to such-and-such you are only going to listen to the Group? Blah.

They have been told over and over to keep their software updated and patched yet they don't. What is going to start them doing it now?

I highly doubt that this is going to change anything. MS wrote a piece of shit software (go figure) and now the customers are paying the price (if they paid anything in the first place ;))

I am sick and tired of seeing my logs flooded w/that crap. Fuck stupid admins. Anyone w/a brain can fix the problem. Give me the god damn job. I will make sure it ain't broken.

New MS slogan..

[nickmdf]

"Where do you want your security hole today?"

Re:New MS slogan..

[SumDeusExMachina]

Or, an even better slogan for MS sysadmins:

"Which hole do you want plugged today?"

A Dose of Reality

[quakeaddict]

If you are serving static pages you could easily switch.

if you are serving up pages that are dynamic that depend on database connections and what not this might prove to be a bit more troublesome, particularly if you are addicted to ADO and VbScript, but doable

I think, however, you have no choice not to switch if you depend on COM components hosted in MTS and depend on MTS to handle transactions for you unless you wish to write your own transaction monitor for the next couple of months.

Re:TCO?

[np_geek]

You must not be doing anything with them. Just in my office I've got 2 Linux boxes with uptimes in the months and they're running all kinds of services. Meanwhile, the corporate Exchange 2000 / Windows 2000 servers are now on a 2-3 day reboot cycle to keep them from eating up a gigabyte of RAM.

Microsoft Tool to check Windows 2000 Adv Servers

[Sierpinski]

In recent dealings with the latest worms, I found a tool from Microsoft called Hfnetchk that will, with a valid connection to the internet, tell you exactly what patches you do or do not have installed. They cross list them by article (eg Q123455) and also by another form (eg MS01-077).

We're running Windows 2000 Adv Server (yeah yeah, I know, but we don't have the Cold Fusion package for Linux) with IIS 5, and were having an average of 30-45 minutes uptime before getting blasted by the worm(s).

After using the hfnetchk and downloading quite a few patches (burn them to a CD, having to reload the system isn't out of the question, even if it is working now), we have had about 5 days uptime, and *knocks on wood* no infections, although the log says there have been attempts.

Even though I'm spoiled to the ease at which I can find Linux updates, I found that the tool was very useful, especially since Microsoft's site is so unorganized when it comes to downloading patches and updates (I want a list, not having to search for something, especially when it never works right) that this tool was a big time saver for me.

You point at MSFT's biggest problem

[Carnage4Life]

Your post has shown a lot more insight than that Gartner report which is unsurprising given the typical quality of Gartner's work. The main problem with IIS isn't that there are exploits for it, after all there are exploits for every major piece of server software from BIND to Apache to Sendmail. The problem is that there is no decent pathway to funnel patches to users of IIS.

I foolishly used to go to the Windows Update site to download all the security patches thinking that I was being smart only to find out after being infected by Nimda that Windows Update Doesn't Have IIS patches. Now considering that this is Microsoft's most central and visible update site plus the fact that IIS worms have caused so much damage over the past year, one wonders why IIS patches aren't on the windows update site or at the very least there isn't a site similar to Windows Update just for IIS?

Gartner is wrong for telling people to switch webservers because admins haven't applied a patch that is almost a year old (that's right, the CodeRed/Nimda patch is that old) because it is tackling the symptoms and not the root cause. Gartner should be bitching Microsoft out for not having a sophisticated update system in place similar to apt-get & cron but with a GUI for the clueless admin instead of asking people to blindly switch web servers as if the Ramen worm and Sadmind didn't affect non-MSFT platforms.

The more people who use non-MSFT platforms, the more worms we'll see on non-MSFt platforms. Instead of looking for the web server silver bullet, we shoyld be encouraging admins to take responsibility and do thier freaking jobs.

Re:You point at MSFT's biggest problem

[denshi]

Gartner is one of these "the sky is falling; change everything" analysts. They spent the last 3 years telling everyone to switch from Apache to IIS; now their only possible retraction is to switch everyone back. Moderation and smarter business practices aren't a part of their target market -- the ever fickle C*Os. I quote Greenspun:

a CTO is someone who can't or doesn't want to write code. After all, if Joe CTO writes a program he incurs the risk of a user sitting down in front of it and saying "this program doesn't work the way it needs to." So a CTO goes from meeting to meeting thinking profound thoughts about different brands of RDBMS server, operating systems, Web servers, etc.

So telling these people that the massive upheaval of switching platforms is the only thing that they understand.

On a different point, I have to disagree with this:

The main problem with IIS isn't that there are exploits for it, after all there are exploits for every major piece of server software from BIND to Apache to Sendmail. The problem is that there is no decent pathway to funnel patches to users of IIS.

No, I think the problem is that there are exploits for IIS, or at least, that there are so many. When was the last time Apache had a remote exploit? Okay, what year did Apache last have a remote exploit? BIND has had a huge number of exploits in its time, but its been quite stable for a while now; still, I use djbdns rather than BIND, qmail rather than sendmail. That's another major difference -- in the Unix world there are several tools that perform similar functions like DNS, FTP, and HTTP; any competent administrator will switch the default daemons over to the packages released by scary paranoid crypto motherfuckers. On Windows, you have the MS daemons and nothing else! That has always been the problem in MS paradise -- it's their way or no way.

Obviously, administration skill matters. Certainly, with a raft of technicians you can keep anything afloat. But that doesn't change the absolute fact that there are differences in software quality afoot, readiness to admit vulnerabilities, and ability for the community to contribute fixes and peer review. MS is absolutely failing in those respects, so much in fact that even their biggest syncophants are deserting them.

Every week????

[tsmit]

Uh, actually, the 5 vulnerabilities that Nimda exploited have all been patched for more than 3 months (one dating back to August of 2000). Maybe IIS shouldn't be used by administrators who have no clue what they're doing, but for people with somewhat of an IQ and the ability to patch their systems, IIS is a fairly good alternative to running another webserver.

Gartner

[RandomFactor]

Hmmm, guess who won't be invited to TechED NEXT year...

80% or a rewrite by end of 2002

[Erore]

Actually, what it says is that there is an 80% chance that a rewrite will not occur before the end of 2002. That means that there is no chances given that there ever will be a rewrite.

TCO Stats?

[scott1853]

Does anybody have any stats on the time spent administrating Linux boxes vs. NT boxes, and how much time is spent learning the systems in order to administrate them at a competent level?

Re:TCO Stats?

[scott1853]

That's very interesting, thanks.

brain-damaged sysadmins

[maxpublic]

Imagine if business did dump all of it's IIS servers and replaced them with Apache - how many 'point and click' admins would suddenly be unemployed?

I mean christ, I hear people complaining about how complicated Apache is in comparison to IIS and I think to myself "if you can't figure this shit out, you have no business being a network admin because YOU'RE TOO STUPID TO DO THE JOB!".

Seriously, any network admin that bitches about Apache (which is bloody easy to use, in comparison to most previous tools) is too fucking braindead to be let anywhere near a server. Switching to Apache would at least show an organization where some of its dead weight is in the IS department.

Max

Re:brain-damaged sysadmins

[tshak]

Yes, but for the most part Apache is easier to administer then IIS. (DISCLAIMER: I'm pro IIS for a lot of projects, I just like Apache's httpd.conf better than the ADSI metabase API).

Re:brain-damaged sysadmins

[MegaFur]

While I'm sure you're right about Apache being fairly easy to administer, and I *know* you're right that anyone who bitches about it not being `point-and-click' has no business being a network admin, this got me thinking..

Perhaps, all of the point-and-click in IIS is a design flaw (that plus installing insecure by default--that's an obvious design flaw). I mean if the product *seems* really simple to use, then some (clueless) people will start to think that it really *is* simple and not pay attention to security at all.

I guess all I'm saying is complicated or dangerous things should look that way. They should not have nice big smiley faces or dopey `OK' buttons on them.

Good news for Linux/Apache consultants

[flatrock]

Right now the MS consultants are making a lot off money off on these worms. But if enough corporate sites go to Apache on Linux you'll likely see a lot more worms/viruses/trojans writen for Linux and Apache. Sure these systems are more secure, but there are plenty of skilled crackers that will find a way to screw up these systems if there get to be enough systems out there. An let's face it. If the people who currently run unpatched IIS servers switch to Apache, there will be a lot of unpatched Apache servers. Right now Microsoft is the Apache advocate's best friend, because they attract the largest number of lazy admins. If this changes, you'll likly see a lot more attacks going after Apache.

Re:Good news for Linux/Apache consultants

[SecurityGuy]

Of *course* Microsoft runs the net. IIS is the dominant webserver. IE is the dominant web browser. You don't read your advertising, do you? I still remember reading the ads for IE's debut on Solaris. Remember their slogan? "Bringing the web to Unix." It's not often I fall out of my chair laughing, but that merited it. :)

Outlook should be non-recommended too

[101010]

IIS isn't the only problem. Since outlook treats users like they are stupid (hey, let me open this attachment for you) it has become my biggest potential problem. Users are going to be stupid so they really need an email client that is just as stupid (hey let me display this text for you and nothing else). I have a hard time stopping people from turning the Autopreview and Preview Pane back on after I go around and shut them off. Why does your email client need to be able to execute scripts anyway? Oh and let's not forget Outlook's ugly step-sister, Outlook Haxpress.

Hacked?

[Pierre]

So does this mean that Gartner's website has been hacked?

Complete rewrite is exactly the wrong thing to do.

[PhipleTroenix]

Joel on software makes the case much better than I can.

href=http://www.joelonsoftware.com/stories/story Re ader$47

Riiight...

[Svartalf]

According to Mindcraft, Apache is the most widely used webserver- wanna try making that statement again?

Gimme a break!

[JediTrainer]

Rewriting is always an option. It's not a pretty one, but it CAN be done if you're dedicated enough.

Case in point - last year I saw the dead-end coming for my company's Enterprise solution, which was written in ASP/COM. The argument (er... *ahem*, discussion) I had with the higher-ups concluded that we HAD to continue moving forward. We couldn't wait 6 months for a rewrite (ambitious at best).

Fine, I said. Then let me do everything concurrently. Here's how it works:

Install Tomcat onto your Windows NT Server running IIS, along with JRE 1.3 and the HotSpot Server.

Link Tomcat in with IIS using the mod_isapi.dll you can get from the Tomcat site. Also install Tomcat as a service using jk_nt_service.exe.

Keep your Java session abstracted. The main session remains as-is within your ASP application. Write a bit of java.net code to hook in through a custom ASP page (note: security - ordinary clients can't access this page) to retrieve and update any session variables. This can be done by reading the ASPSESSION cookie, and spoofing it in your requests to IIS.

Any NEW components, write in Java. Remember - session variables get retrieved and saved from the ASP side still.

As you're working on new components, when you can arrange it, convert old components to Java one by one. Session still remains on ASP.

Wash, rinse, repeat until all components have been written in Java. Once this is done, convert your login into Java, and change your abstracted Session to be a Java session instead of hooking into IIS for the ASP one.

Voila. You are now 100% Java. Now get rid of IIS and switch to something else. This is the approach that my team took to rid ourselves of the VB horror that someone left me when I joined. It took about 8 months of solid effort, but it worked. We are now rid of all reliance on MS technologies from our site. We also managed to do it quickly because of good code layout, and the use of the most wonderful Velocity templates also available from the Jakarta site. This helped a lot.

The point is, you CAN do a rewrite. What you usually are NOT allowed to do is a code freeze. So... work around it! The beauty of this solution is that you are running two separate applications (technically) for a time. Keep a consistent look, and the users can't tell the difference between the ASP and the Java side. Change one function at a time, slowly, and eventually you'll reach the Utopia you're looking for.

Re:Gimme a break!

[drodver]

I never claimed it is impossible to rewrite everything. There are at least three common situations in which your view on redoing the application fails

1. The most common would be an application writen and then barely maintained or maintained by someone who knows just enough to keep it working. This would be the case with a lot of web applications in none IT centered companys. Most companys aren't willing to rebuild an application that none of the programmers know much about and isn't broken, even if it may be annoying to maintain the server. Remember server people and progammers are often in different departments, so it becomes "their" problem.
2. IT companys that sell their ActiveX/ASP product basically can't do what you did. My company, for example, could not do a rewrite without a code freeze because you can't expect the customer to install a hybrid system, it goes beyond what the customers expect to have to do to install our product. A rewrite isn't feasible because in that time the industry would have passed us by as we rewrite 3 years of code.
3. For a large application you would need multiple people with the proper skill set to convert a large application in the way you propose. Finding and paying these people for would be expensive. What you did cost the company money because the time you spent rewriting little chunks at a time was time you could have been doing new production. Your company still paid the cost of a rewrite you just spoon fed it to management a little at a time. That doesn't work as well for a large development team.

I don't see a problem with your solution but just because it's possible doesn't mean it's in the best interest of a lot of companys. Unless the TCO of IIS is costing them more than the solution they are going to keep what they have. My argument is one of economics and managment behavior, not programming ability.

This is interesting, in a number of respects.

[jd]

Firstly, this is one of the few times the Garner Group has openly critisised a Microsoft product. Given that they -are- a major group, this has to be taken seriously, whether you trust them to tie their own shoelaces or not.

Secondly, the timing couldn't be worse for Microsoft. With XP only just hitting the shelves, this has the potential to seriously cripple the uptake of the new OS. (Note: I'm saying "potential" as you're bound to get plenty of execs who argue that nobody ever got fired for buying Microsoft. Even when it puts the entire company's public profile at risk.)

Thirdly, this also comes at a critical point in time, with respect to the European Union anti-trust investigation, the British fair trading investigation, and the US' very own anti-trust Lawsuit Revisited. Should the market-share of IIS continue to grow at the current rate, competitors may be able to argue the case that companies aren't heeding the report because they can't. That could seriously jeapordise Microsoft's arguments that they are not a monopoly, and that "future threats" could affect their market-share.

(Let's face it - if this isn't a "future threat", I don't know what is.)

Fourthly, this comes at a time when the economy is seriously wounded, and yet Microsoft's pricing continues to rise. As other posters have noted, this might persuade some accounts departments to start pushing the alternatives.

Lastly, homeless shelters are still pretty full, from the collapse of the dot-coms. This makes computer expertise very cheap. ("Will Code For Food" no longer sounds such a joke.) Thus, there is really little need to hold onto "old hands", who command high fees. You could probably pick up a webmaster and a couple of ASP/PHP/Perl gurus by going to the local K-Marts and asking the people collecting the carts. They'd cost a fraction of what most companies are paying for their IIS expert, and they'd probably worship the ground the management walk on.

HOWEVER, this is purely speculative. Although what I've written is a plausable scenario, companies could equally well ignore the report, the anti-trust lawyers might deem it too tenuous to be usable in court (if they notice it at all), and Microsoft might remain King Of The Hill by sheer default.

Re:This is interesting, in a number of respects.

[ghostlibrary]

>Firstly, this is one of the few times the Garner Group has openly critisised a Microsoft product

I hope they weren't using Frontpage when they wrote it. "Garner found in license violation."

Re:WHAT BULL!!!

[hyperstation]

scuse me, but IIS is not the most widely used webserver, by any measure - apache is.

http://www.netcraft.com/survey/

New advert from M$ for servers shows sensitivity

[ackthpt]

Capitalising on disaster, the Redmond way.

Look, look. See, see

So what you're saying..

[OblongPlatypus]

Gartner hasn't always said favorable things about Linux systems in the workplace, but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting.

So what you're saying is they may find this one interesting since it puts down Microsoft, but they should disregard the others because they put down Linux? Just checking..

What did they say before?

[pkesel]

Does anyone know what Gartner has been saying about web servers in the last few years? Have they ever been pushing IIS?

Confused on this; help me

[ellem]

--Say you're a good MS admin and you ghave dutifully patched up your IIS machine and never got hit with Code Red or Nimda on your servers BUT your Win9x users who don't run Outlook (Express either) go to an infected webpage: How will not using IIS help?

--Yes the patch was there for months; but SARC (et al) was cuaght off guard, .DAT files were'nt ready until the next day and the "Fix" is so-so at best.

--I"m not blaming anti - virus companies but I am confused how IIS is the sole badguy.

--You can get hit with this thing from many directions (assuming WinXX.)

--Gartner even says you "Can't Patch Fast Enough"

Re:Confused on this; help me

[dasunt]

Well, if your IE users were running IE 6.0, the exploit doesn't work.

Just another reason to stay up to date.

Re:Confused on this; help me

[mrdisco99]

Who said IIS was the only bad guy?

Outlook and IE certainly contributed to the spread of this thing, as well. IIS just happens to be another contributor. Our networks got hit simply because IE users visited infected sites and dumped crap all over our file servers running Netware.

My take -

[Jeremiah+Cornelius]

This is from Gartner, and they have credibility - even when they are only half right. Dilbert's boss has probably already suffered a Nimda coronary, and this may hurt MS.

The problem is you will still have Admins and developers accepting un-reviewed default configurations for Apache or iPlanet - transferring the arena of vulnerability.

This article reinforces the notion that security can be achieved with the right purchases - rather that the right process and personnel.

jeremiah cornelius

Incorrect statement on IIS rewrite timeline.

[mikej]

The submitter says that IIS needs to be rewritten, something that "[Gartner says] has an 80% chance of happening by the end of next year." This is incorrect.

The actual quote is: "Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability)." That means there's an 80% probability that the preceeding statement is true, and that statement is that MS will _not_ have completed a rewrite in that timeframe.

So instead of MS being 80% likely to fix the problem, they're 80% UNlikely to do so in the timeframe specified.

Easy to rewrite IIS

[sterno]

Remember, Apache is released under a BSD style license. Therefor it would require little effort for them to re-write IIS since they could just use the code base from apache :)

Re:Easy to rewrite IIS

[cnelzie]

How do you know that IIS isn't already based on Apache codebase? Isn't Apache based on something slightly older than IIS? (I am unsure, but I feel that the answer is yes.)

--
.sig seperator
--

Configure, don't patch

[Ratbert42]

Do what I do. I'm too f-ing lazy to keep up with the weekly patches. So I spent a couple hours a year ago and properly configured my IIS servers, following the published checklists. Now I review bug after bug and say "ok, that one can't impact me so I'll patch it later."

There is no reason a properly configured but completely unpatched IIS 4 or IIS 5 server could not have survived both the Nimda and Code Red worms.

Nimda made use of the Unicode directory traversal bug, which only lets you move around on the drive where the web documents are stored. Move the wwwroot to another drive, set file permissions as tight as possible, remove the sample applications, and you would have been safe. Every one of those is on any decent IIS admin's checklist.

Code Red made use of a bug in the Index Server. Removing unused mappings is near the top of every decent IIS admin's list. In fact, one IIS server I have didn't have the patch applied when Code Red hit. I didn't bother to apply it until almost a month later.

Re:Configure, don't patch

[pheede]

Mod this *way* up there.

While you can blame Microsoft for enabling a lot of unnecesarry (in most cases) junk, there is no excuse for not using the *published checklists*. For God's sake, even if you're lazy, you can simply download the IIS lockdown tool that does a lot of the work for you.

Advocating switching away from IIS because of incompetent server admins is shortsighted at best.
You should switch away from IIS, if another platform gives you better performance, features or whatever it is you're going for. If your problem is, that you have selected a numbnut as the administrator of your IIS machines, you'll get no sympathy from me.

Re:Configure, don't patch

[mckyj57]

Yet Microsoft itself was hit with Code Red. How many "decent IIS admins" are there out there? More than a dozen?

Re:Configure, don't patch

[embo]

I agree to a point, but to another degree, this is bullshit. My point being that you shouldn't HAVE to go through that much work just to get security on a web server.

This would be similar to GM telling you that if you want to be safe from side impact hits in your new car, you should relocate the steering wheel and gas pedal to the back seat, and sit in the back seat buckled in as tightly as possible. "There is no reason a properly configured automobile driver could not have survived both a front and side impact."

The default configuration should be more secure.

M$ license restrictions on IIS alternatives

[MillionthMonkey]

Tim O'Reilly wrote a Salon article back in November 1999 about the obstacles M$ places in the path of people who want to run alternative web servers on NT:

In fact, the rise of Microsoft's Internet Information Server (IIS) as the dominant Web server on NT shows much the same pattern as the rise of IE as the dominant browser: Microsoft got pole position by exercising its unique leverage as an operating system vendor.
Originally IIS, Web server software that runs only on the NT operating system, was bundled "free" with a version of NT called NT Server. Web server vendors such as Netscape and O'Reilly responded by pointing out in our advertising and PR that if customers ran our third-party Web server software on NT Workstation (a less expensive version of NT, which came without the IIS Web server software), they would end up with a more powerful server than Microsoft's IIS running on NT Server -- and it would cost less too.
Much as it had done by bundling the browser with Windows 98, Microsoft was bundling an application -- the IIS Web server -- as part of an operating system, (NT Server). But in this case, the company offered another version of the same operating system without the bundle, (NT Workstation). It seemed natural to competitors to offer our products on top of the version of the operating system that came without IIS.
It did not, however, please Microsoft that we did so. In June 1996 Microsoft responded by changing the license to NT Workstation to prohibit its use as a server platform. (At first, the company went further, and actually crippled the version of TCP/IP provided in NT Workstation, but the outcry from users forced it to backtrack.)
Microsoft argued, quite rightly, that it had the right to create two different versions of NT, with different price points, and different functionality. But the company went a step further, and used its operating system license (and more specifically the license to the parts of the operating system that implemented TCP/IP, an industry standard protocol) to prohibit the use of third-party applications that duplicated the functionality of Microsoft's more expensive platform.
Microsoft's public rationale for the policy -- that it was protecting its customers because NT Workstation was not suitable for use as a server operating system -- was proven false by my colleague, former O'Reilly editor Andrew Schulman (working with Mark Russinovich). Shulman and Russinovich demonstrated that it was possible to convert NT Workstation to NT Server by changing only a few registry entries. NT Workstation contained all of the same program code as NT Server; the code was simply disabled, and some additional applications bundled.

This is admittedly an old story; I don't know if M$ is still legally implementing this particular "innovative" license restriction nowadays. Does anybody know?

Re:M$ license restrictions on IIS alternatives

[n-baxley]

I fail to understand your point. The article only talks about running a web server under NT Workstation. If you're going to run a web server, you'd want to do it under NT Server because it's tuned differently (Yes, these are just registry settings, but the fact remains that you're violating your license if you try to do this to NT WS).

So you're saying that we can't tune the software we buy for ourselves? Why shouldn't I be allowed to change the configuration of software that I paid good money for? Please, someone explain why people keep accepting this crap. The fact that you're thinking that way IS the point. Get a clue, have an independet thought and stop being complacent!

Re:Duh

[ellem]

Not true. Totally not true.

Despite my best efforts to NEVER have and IIS server we in the travel industry need to have a "turn key" (oh I love marketing) solution to put reports on the web. ALL of the solutions use IIS as the server, Apache, iPlanet, Domino are NOT options.

So if you want reports on the web and don't want to spend a fortune having someone reinvent the wheel who has NO RELATIONSHIP with SABRE/Apollo/WorldSpan you buy and IIS server and run their products on it.

Another Dose of Reality

[Svartalf]

There are other transaction server frameworks- many of them scale to larger loads than MTS could ever dream of being able to handle...

Products offered by:

IBM (CICS)
Sybase (EAServer, Jaguar CTS)
Unisys (WebTS)
Compaq (NonStop Java Transaction server)
SAP (ITS)

There's quite a few of them that work rather well- some of them, of course, require new hardware. In the long run, though, which is more crushing- the web site being down for a day or more or spending more than you initially planned fixing the problem?

OpenBSD

[atomray]

I installed the OS, and it's been running ever since. The product, in this case, is better then the admin. I knew my limitations and chose an OS that I knew would be secure and safe to place on the net, and over time, I've learned how to activate more and more of it's functionality.

With MS, I would have had to install, then hunt for patches, then disable services that I didn't need. In that case, yes, the product is only as good as the admin. But this doesn't have to be the case.

What does this mean for .Net?

[PineHall]

It means that businesses and people will not be using .Net until these security issues are taken care of. You can not have Internet security problems and then say "Trust us with your credit card numbers." People will not listen. They will go somewhere else. If Microsoft is betting the farm on .Net, they need to get these security problems taken care of. Otherwise they are toast.

Gartner blah

[drwho]

Gartner and its ilk are mercenaries. They don't care for anything but money and attention in the most immediate sense. There's always another sucker down the road, these guys think. Well, you screwball liars, you and your cohorts on Wall Street, pumped & dumped the entire Internet economy. Neither you nor the big six accounting firms have much credibility left in the tech industry.

Microsoft should release patches, as often is neccessary to patch security holes. Don't pick on them for this. Pick on them for not remembering the KISS rule (Keep it simple, stupid), which would have avoided most of the problems in the first place.

Administering Two Owesses. A True Story. By Me.

[ballpoint]

System 1: IIS on Windows NT:

• monthly: download patch (click), execute it (click, click, click) and reboot (click, click, click)
• quarterly: reboot crashed system
• infected: never (yet)

System 2: standard Mandrake-Linux distro with manual install of current versions of Apache, PHP, mySQL, OpenSSL and mod_ssl.

• daily: Mandrake distro stuff:
  • Read email sent by Mandrake Security Announce .
  • Determine if the Security Announce concerns your installation. It does.
  • MandrakeUpdate the rpms as needed. Skip rpms that are wrongly marked as dependent on something you don't want to update. (Why is xyz dependent on emacs of all things ?)
  • Download the skipped rpms manually, and rpm -U.
• fortnightly: other stuff:
  • Check apache.org, mysql.com, php.net, modssl.org and openssl.org for updates as your attention gets caught by security bulletins.
  • download source code, tar gxf; ./configure --with-abc=def .......; make; su; make install; exit. Repeat, repeat, repeat, repeat due to interdependencies and changed config options. su; apachectl stop; sleep 5; apachectl startssl; enter passphrase; exit; gedit broken .conf files and repeat, repeat, repeat.
• yearly: reboot the system (uptime: 305 days and counting)
• infected: never (yet)

Now which system do you want to administer today ?

Re:Administering Two Owesses. A True Story. By Me.

[Nerds]

Now which system do you want to administer today ?

My Debian server.

Re:Administering Two Owesses. A True Story. By Me.

[kindbud]

Not a fair comparison. Of course it is easier to administrate* a NT system with no apps or services installed, than it is to administrate a Linux box that is actually does something useful.

(* one administers an enema; one administrates a computer system, though sometimes, I know, it is hard to tell the difference)

Re:Administering Two Owesses. A True Story. By Me.

[dvdeug]

> System 1: IIS on Windows NT: * monthly: download patch (click)

> System 2: standard Mandrake-Linux distro * daily: Mandrake distro stuff:

How is it that one needs daily checks for new patches, and the other only needs to be checked monthly? How, BTW, do you check that the new NT patch doesn't upgrade parts you don't want to upgrade? And why do you use Mandrake (basically a desktop distribution) instead of a more server orientated distribution?

This doesn't seem like a very apple to apple comparison.

Re:Administering Two Owesses. A True Story. By Me.

[Error27]

Why do you download source code?

I'm only used to Debian, but in my experience downloading source code is a good way to screw up your system. Over time you forget which files each programs installs. Then three years later, you come back and you can't figure out what libraries you need for foo program and which ones you are supposed to delete. If install an official package, on the other hand, then the computer remembers all that stuff for you.

I would report a bug against the packages that upgraded stuff you didn't want upgraded. That sounds like a bug.

Debian stable is pretty good in this regard. You just put security.debian.org into your sources.list file. Then every morning you type "apt-get update && apt-get upgrade -u". One simple command updates all the security patches on your system. You don't need to type in each package individually. And there's no need to click anything. :)

My vote goes with Debian. It combines the ease of Debian with the high standards of Debian. Nobody else comes close.

Re:Administering Two Owesses. A True Story. By Me.

[ballpoint]

Thanks for catching the unintended pun. From now on, I'll be administering patches while administrating systems.

Re:Administering Two Owesses. A True Story. By Me.

[ballpoint]

Well, that's just because of the frequency these patches are coming out. Monthly for NT, daily for Mandrake. I just swallow what I'm being fed, and pray for a good aftertaste.

Same reason why I chose Mandrake. It just happened to be at the right place (my desktop) at the right time, and it did the job. NT is also a desktop OS btw.

Of course this is not an apple to apple comparison. It's an apple to pear comparison. They're both fruits, but they just taste and smell differently.

Re:Administering Two Owesses. A True Story. By Me.

[dvNull]

I admin 3 NT boxes, 3 Linux boxes and 2 FreeBSD boxes. I check for security updates and patches every day .

Have done this ever since I joined up as sysadmin. Never had a problem ;)

Re:Administering Two Owesses. A True Story. By Me.

[md17]

With all the time you spend doing that on the linux box, why don't you write some program that does it all for you automatically using some AI engine. That way you and the rest of the people using Mandrake as a server (for some strange reason), could all benefit. Or as a number of others have mentioned use Debian.

Also, I think you forgot a step... Shouldn't you run make -n install before you actually install?

Re:Administering Two Owesses. A True Story. By Me.

[stephend]

No, an apple to apple comparison is MacOS 9 to MacOS X. Sorry, bad joke.

Re:Administering Two Owesses. A True Story. By Me.

[jotaeleemeese]

May I ask why you choose to check emails daily for Mandrake but choose to patch only monthly IIS?

That would suggest a quite uneven approach to system administration depending on the OS, and thus any comparision you make seems unfair.

Re:Administering Two Owesses. A True Story. By Me.

[Random+Walk]

Also, I think you forgot a step... Shouldn't you run make -n install before you actually install?

Good idea, wrong step. You should check the PGP signature on the tarball. Or forget about the source code if no signature is provided. Or download from two locations and compare (this is the way I found a trojan in a tarball just recently.)

Re:Administering Two Owesses. A True Story. By Me.

[robinjo]

Sheesh... just read the security section of Linux Weekly News every thursday and you're more than safe.

Re:Administering Two Owesses. A True Story. By Me.

[jsse]

I'm a 30% NT admin and 70% UNIX admin. I see from the above comparison you've seldom admin an NT server at all.

I also found your lacking of business experience when you said administering NT is simply clicking jobs. The production server is NOT your personal server, it can't be updated without justifications and business cases. I found it extremely hard to justify as many updates are not well-documented.

Most important, I can never guarantee the next update will not screw up the NT.

PHB ...

[Midnight+Thunder]

For those of you, who like me have no idea what PHB means ( I do now ) :

PHB /P-H-B/

[Usenet; common; rarely spoken] Abbreviation, "Pointy-Haired Boss". From the Dilbert character, the archetypal halfwitted middle-management type. See also pointy-haired.

Thanks to The Jargon File

Re:PHB ...

[Lonath]

It's a cancer that eats up valuable IP like Pac-Man eats up those little dots. And not only that, using it makes you fat and unpopular with the ladies. Trust me, I know. :(

Excellent

[twitter]

The difference is that apache *requires* the installer to do some manual work to get it working properly. Perhaps the point and click admin would learn something during this process of learning.

There is no reason for those point and click admins to remain ignorant, except all that MS BS about "new mindsets" and "completely different" aproaches to programing. I can only imagine how knowledgable and valuable some of my frinds would be if they had not wasted a good portion of the last ten years chasing ever changing MS interfaces, specs and patches. Rise! and free yourselves.

Remember, it's not your ability to manipulate a product that makes you worth something. It's your ability to poduce results from given resources.

80% chance of it NOT happening by eoy 2002

[Baboshka]

Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability).

Big difference.

At least one line is a load of crap...

[Jayde+Stargunner]

I'm sure I will be be trounced by negitive moddings just for suggesting that a Microsoft product works...however...

"This is based on the fact that TCO for IIS is rising due to the almost-weekly patches sent out by MS"

Bull. Yeah, because it's so amazingly hard to open IE, Pull down "Tools", hit "Windows Update", select "Critical Updates Package", a hit "Download".

Ohhhhhhh yeah. I can see how that's raising the TCO incredibly. Heaven forbit you have to hire sysadmins that know how to use Windows Update. *whew*

Come on... That's such a load of crap. Keeping IIS patched is so amazingly simple. Heck, just install the "Critical Update Notification". When the little globe appears in the task-bar, click it (and it pops up little tooltip notifications until you pay attention--for those more dense sysadmins) and it will automatically take you to the WIndows Update page with Critical Updates selected. Double-click globe, hit "Download" button. Man... Hope I just didn't raise the TCO of IIS by explaining this super-complex process that will require everyone to get new certification and spend days perfecting their technique. *rolls eyes*

-Jayde

*Sigh*

[szcx]

Yeah, that's right kids... when it's pro-Microsoft, Gartner are paid shills. When it's critical of Microsoft, Gartner are an unbiased research agency deserving of our undivided attention.

Re:You have no clue.

[gorgon]

The analogy isn't that bad since the crack of apache.org had nothing to do with the security of the apache web server

windows update doesn't encompass IIS

[gruntvald]

Many of the critical patches for IIS are an entirely separate, often CLI versioned, process. Windows update does a great job of most patching, but it doesn't extend to IIS.

Re:windows update doesn't encompass IIS

[Jayde+Stargunner]

Actually, this is more of a past tense thing. Microsoft has decided to incorperate Server and IIS patches into Windows Update.

It may not have been the case in the past, but AFAIK, it is the case now.

-Jayde

Right... 20%?

[slashkitty]

I believe you are correct with that analysis. Should it have read:
"there is a 20% chance of MS rewriting IIS by the end of next year"

ummm... debian.

[dalutong]

I think it is obvious. debian, apt-get update/upgrade nightly. and you are set.

*poof*

Gartner's crystal ball is broken

[Tony+Shepps]

If there's anyone reading this who's in charge of "decision-making" at the "enterprise level" --

The question you should be asking yourself is not "Should I be replacing my IIS systems with Linux+Apache?" but, rather, "If I am relying on Gartner for recommendations on conditions in the future, why didn't they see this coming a year ago?"

Well more than a year ago, the security benefits of open source were explored not only by /. but by almost every pundit on the web. Where was Gartner? Wouldn't it have saved you a ton of money if they had pointed out the probability of problems with security and patching in 1999 instead of late 2001? Isn't it amazing that they were near last to the table with this finding?

Why does Gartner put probabilities on their expectations without showing their work? Does anyone go back in history and look at these probabilities?

Doesn't Gartner have an interest in pressing the solutions that people expect them to press? And here's a HUGE question... if you're using the exact same solutions as every one of your competitors, are you prepared to give up the idea that IT could give your company a competitive advantage? Do your bosses agree with this?

Re:Gartner's crystal ball is broken

[jafac]

I think that the greatest benefit that an analyst company like Gartner could provide would be a web page that tracks:

Product announcments, projected release dates, and every company's performance with regard to how accurate those release dates projections typically are.

Simple Answer?

[DavidJA]

It seems to me that IIS (and Win2k server) has two main problems.
1. It ships with everything enabled by default.
2. The number of security patches you need to apply to your servers on an ongoing basis.

Why can't Microsoft write a tool to make both of these tasks easy and painless?

When first run this app could list everything turned on by default, tell you what it does then give your the option to turn it off. This app should be able to drill right down to individual ISAPI extensions & sample code.

The app should also come with a service that acts like the HFNetChk tool, but works automaticly: At a specified time period it should connect to microsoft's update servers, D/L the patches, e-mail the administrator telling them that these patches are now available. The admin opens up their Microsoft Security Console, which shows all servers, what new patches are available the admin click a button to apply patches....

Yes: an admin can (and prob. should) do all of the above manually, but at the end of the day, a set of apps like this would go along way to improving IISs reputation)

Re:Simple Answer?

[bruns]

Well, you see, if they cared as much about security as the Apache guys do, you wouldn't have this problem in the first place.

Cant remember the last time I really had to rush to patch or upgrade apache... Hell, I still have old 1.2 apache systems up.

Re:Simple Answer?

[DavidJA]

I don't think its a matter of not caring about security, I think its more because Micosoft tries to package EVERYTHING into their software. Print Management via IIS, indexing services, etc, etc. The more features that you cram into software the greater the chance of bugs & security holes. I dare say that if Linux did as much as Windows 2000 does (with such a short development time) it would have just as many problems!

Even simpler

[dameatrius]

start--> run --> http://www.freebsd.org/doc/en_US.ISO8859-1/books/h andbook/install.html

Read, download, install. 1 simple patch.

At least where I work, it has been a complete joke recently, losing 1 or more days each time a new virus comes out because our sysadmin can lock the system down enough to not give any of us any sort of admin rights on our computers but not enough to stop the spread of all these virii. The fact that we don't have a good NA compounds the issue of MS products being rushed and barely usable at best. MS has written some good applications, but they have not QA'd them enough to release them. Maybe they will start looking into their release process.

Dumping IIS? Not very realistic

[Hooky1963]

First of all, I'd like to say that keeping IIS4/5 secure and patched takes effort. All those "net admins" being churned out by those tech schools are useless or don't care enough to do a good job. That in my experience sums up about 90% of the IIS webmasters out there.

Replacing IIS in the corporate environment? Not going to happen any time soon. Why? Here's why:

• organizations like ours have invested quite a bit of money in third-party solutions which want IIS. My manager is not going to get himself fired by saying "Let's drop that $250k document management system."
• staff, too easy to get MS monkeys nowadays, but UNIX folks tend to avoid large corporations and corporate management find them "strange"
• most corporations run a MS-only shop, it will be hard to convince them to use Apache or iPlanet

I try to keep an open mind and I have been actively working on getting most of my apps working under Apache/Red Hat Linux.
I hate the fact that my IIS boxes are such easy targets and I hate the fact MS doesn't give a shit (if they released SP7 for NT4, it would've helped a lot of people out there).
I don't have a choice, but I'm keeping my options by playing around with Apache. Who knows what tomorrow may bring?

I'm not a MS-flunkie and I'm not going to rely on a corporation who doesn't security seriously.

Why do you need a browser on a server?

[throx]

You don't need the browser on the server. You need some of the HTML related libraries on there that only get shipped with the browser.

Your question should really be "Why doesn't Microsoft ship a libhtml.rpm type of package instead of making us install IE(n+1)?".

The browser is no more "built-in" to the system than Konquerer is built into Linux (it's a user mode HTML renderer that the default GUI shell uses).

This is funny but sadly the truth sometimes!

[compugeek007]

I am a NT 4 and Win2k MCSE (can't believe I am admitting on /. I should post this Anonymous Coward.) I take every chance to remind the high-ups that blindly choosing one platform for all network functions is a BAD IDEA. Lets face it - if there is one thing *nix platforms and Open Source apps can do, is provide a QUALITY piece of infrastrucutre software.

Conversely, large applications (ERP's, N-tier web interfaces blah blah) work better on NT (generally) because the API is friendlier to your clients (which are naturally running MS.) If you don't believe me, try installing Sybase Enterprise Application Server on Unix and get clients to save files and print locally.

Being a Business major, I understand what MS brings to the table in TCO - mainly that they will always have the lights on, but so will Sun, HP-UX, and possibly Red Hat. The truth of the matter is that the OS level is going to be smaller of concern than the applications that run on them. I think that any PHB that decides on a platform across the board is managing from the advertisements in CIO magazine. I say you define your network logicaly and wisely pick your physical model utilizing the best solutions for each problem (infrasturucre = Linux, Database = Sun / HP-UX etc., App servers, desktops, misc servers = NT/2K.)

They can find personnel who know both well, and command a higher salary - or have redundant admins because you hire unix admins who have such a disdain for MS they won't touch it and the MS admins who have no clue about Unix. It may cost more, but tough luck - cost of doing business.

--cgeek--

Re:Right... 20%?

[sachmet]

Yeah, my bad, sorry. I read that as an 80% probability that somethhing will be done before the end of next year. Sometimes it's not so clear if you're not devoting 100% attention to it...

Duh!?

[--daz--]

Fact: All OSes and web servers have remotely exploitable vulnerabilities

Fact: The scum that write these worms will target the most popular platform to get maximum impact.

Fact: IIS holds a lion's share of the web server market for corporate installations and business

Fact: There are a bunch of incompetent sysadmins out there who can't take the five minutes to follow MS' IIS Security Checklist (which would've foiled Code Red) or apply SP2 (which would've foiled Code Red II and Nimda)

So, if we all dump IIS and go with, for example, Solaris+IPlanet, or Linux+Apache, the same lousy SA's will still not apply their patches and the Scum will not be writing worms for Linux+Apache or Solaris or whatever.

The _REAL_ solution is to get people to be smart about installing Internet servers and make it dirt simple on all platforms to apply patches (MS has made great strides in this with the Network Hotfix Checker and the soon-to-be-released HF auto downloader).

Blaming MS for lazy sysadmins isn't going to help anyone.

Patch games

[throx]

The problem is that you can't trust MS's patches.

Personally I trust script kiddies even less. If I see a published bug that allows root access from remote sites I close the damn thing straight away.

I remember SP6 very well. Downloaded the SP6a patch and had my eval boxes working before I deployed. There is NO excuse for waiting three months with an open root compromise though.

The proper action with CRed and Nimda isn't to rush to patch the server, but to change the firewall to prevent malicious requests.

No. By the time you've done this it is too late - the worm has already hit you. If you'd applied the patch (even taken a week, hell a month even, to evaluate it) then you wouldn't have to firewall things after the fact.

To do otherwise is to risk having to reinstall the OS (without the patch) to get your servers working again.

You don't reinstall after a root compromise? What sort of admin are you?

The risk of patching a single file or two with a hotfix (which saves backups anyhow for rollback) is significantly less than having your server root compromised.

Re:Patch games

[WNight]

"You don't reinstall after a root compromise? What sort of admin are you?"

Did I say that I wouldn't? That's a red herring.

"There is NO excuse for waiting three months with an open root compromise though."

Sure, but you could also firewall it as soon as details of the exploit got out. If, MS released details on what their fixes do. (They do to a degree, if you want to dig deep in MSDN, but often even then, it's only barely documented.)

Just today I had a case of a hotfix screwing things up.

I can't remember what it's called exactly, drive mapping fix, or something. One of our low-level techs was doing some routine upgrades on some 98SE machines, applying critical updates and such. They'd been in storage for a year, so there was a lot. He tested our drivers, then started updating. After every step he tested them again (it's a network card, simply connecting to download the next update is testing.) When he installed that last 'update' it hosed the computer. It wouldn't get to the login screen, in regular or safe-mode.

Essentially toast. Was quicker to re-install the OS than fight with it. Gotta love how that's always the answer with MS software. Reboot, if that doesn't work, reinstall.

He tested that hotfix by ghosting the drive after the reinstall and trying that update again, it hosed it in the same way. Even without any custom drivers (he reverted to a 3com NIC) in the way.

That's an all-to regular occurance in windows. Taking basic safety-precautions can reduce those problems (ghost the system before each round of changes, change one system, then do the rest later, etc) but they're still there, to be worked around.

Which is why a lot of admins go the firewall route. When friends of mine who work at an ISP saw that customers parked servers were getting probed by code-red (when code-red showed up on /. basically) they firewalled them all and ended up without having any customers infected, despite most of the boxes being unpatched NT/2k.

You can't firewall everything, but most IIS buffer exploits you can.

Re:Patch games

[throx]

Patch scenarios in Win9x have about as much relavance with IIS/NT patches as they do with Linux patches. They are different products, different teams and different focuses.

I wouldn't argue with anyone saying Win9x locks up, even if they weren't applying a patch at the time - it's fairly common knowledge what a complete mess the core is in.

Simply griping about Win9x problems and saying that NT is bad is just wrong though. May be the same company, but very different attitude to the two.

Re:New advert from M$ for servers shows sensitivit

[J4]

That ad also ran in DDJ a month or two ago. So what's your point?

Its not just the server

[gad_zuki!]

Its the Microsoft "all-in-one" solution as much as it is the server. Once you get into asp, activeX, etc you're entering a more patch intensive environment. Patch the IIS, patch the client, patch the OS, and so on.

Granted, a bad admin is a bad admin, but if you had to hedge your bets you'd also go with Apache. That's what the Gartner Group does, it tells you where to place your bets.

The most important factor is the estimate of future exploits. For IIS its pretty high, for Apache not so much.

In MS's defense their new securty tools are pretty nifty and there has to be some kind of boiling point where even the lowliest user knows the importance of patches after the 10th time their machine has been wiped due to a virus. That day may never come, or it may be next week, but no one is holding their breath.

Keep in mind that not using IIS is != Pro-Linux

[OS24Ever]

Apache runs just fine on NT, as do many other web servers such as Notes, Websphere, and others. They aren't telling everyone to dump Windows NT and IIS, just IIS.

Re: not a windows problem directly???

[CodeShark]

To quote you: "This isn't a Windows problem directly, it's an admin problem". 'Xcuse me, but that's utter bulls---. As other posters have noted, M$ install programs are notorious for mucking up previously stable machines in areas that may or may not have anything to do with the install because their cross-application quality control and error testing is absolute crap.

Service packs can be even worse -- by the time the OS is re-stabilized, the service packs are usually hopelessly out of date, the documentation for them fluctuates almost daily, and very few of their support sites or personnel seem to accept the idea that honesty is the best policy, instead relying on corporate supplied FUD and arrogance about market share to tell the unfortunate user(s) that "it must be their machine, because we don't see that kind of problem here in Redmond..." [insert obligatory ostrich photo here.

Gartner's point isn't that the WinXX OS's can't be kept stable, it is that the TCO (total cost of ownership) for the software and endless admin chores do not compare favorably with other choices any more.

I agree: my life is about ten times simpler since I dumped M$ products for everything except a few non-essential word processing, spreadsheet, and imaging apps on one M$ workstation so that I can exchange files with clients when they need M$ based softcopies of project data, etc.

It's not that difficult... sheesh

[sheldon]

I must have posted this at least a dozen times to /. alone over the past few months. It's been posted to ntbugtraq and every other support mailing list.

Here it is, one more time. Live it, learn it, love it.

http://www.microsoft.com/Downloads/Release.asp?R el easeID=24168

Besides as of right now there has been any major patches for about a month and you just need to do Win2k SP2 plus the August hotfix rollup. Over WinNT4 SP6a plus a similar rollup hotfix.

Re:It's not that difficult... sheesh

[Velox_SwiftFox]

Besides as of right now there has been any major patches for about a month and you just need to do Win2k SP2 plus the August hotfix rollup.

Tried that.

Nimda ate the server two weeks later.

Evidently someone had installed a new Microsoft software component and not run through the reinstall SP2+August Hotfix cycle again afterwards. They didn't have an extra hour or so to do it and couldn't get permission to take the site down that often when the site was being changed; a demo was scheduled! Oops! Better not let anyone but the Security Administrator install anything!

Typical MicroSoft Security gotchas:

Installing the preliminary version of any of the following Windows 2000 hotfixes on a computer that is running Windows 2000 Service Pack 2 (SP2) causes the loss of some of the fixes that are included in SP2. This occurs regardless of the order of installation.

Following this is a list of 91 hotfixes you had better not mix up with the "final" SP2 version of.

Keeping up with Patches is Hard in a Corp Evironme

[larzgold]

The issue I have is that we have many applications running on IIS/COM and everytime MSFT adds a new patch, then we have to retest every application. Assuming a 4-6 week testing/release cycle, I cound employ people permanently just releasing patches. The question is would it be different on any other environment (LAMP, SUN). Would the cost of converting all applications be worth it?

Say, 1/2 of the applications running on IIS/ASP be converted, will we suffer from the "toilet seat" theory. (For those who do no know what that is, it states, if you invent something invent the best toilet seat thus you can sell it to everyone since everyone has at least one toilet - yes there is a mercedes corollary) If LAMP becomes popular, and because of its open source nature, would people then attach it?

These are the questions I am supposed to give an answer to my managers by tommorrow morning, so the timing of this article and couldn't be anymore relevant.

Larzgold

btw - when my life theory site is up, I will let you know so you can learn about my stupid theories

Re:how you save with Apache on Windows

[Rinikusu]

No it doesn't.. I'm running Win2K PRO with IIS 5.0. you have to install from add/remove programs, windows stuff. IIS is in there. Just remember to patch.

I hear IIS will not be in the Pro version of XP, though.

Apache == A Patchy

[sterno]

Yes, Apache is based of the NCSA webserver and was derived primarily from a base of patches to that original server. It's name was derived from the original incarnation being referred to as a "patchy webserver". Or so the lore goes :).

So it's quite possible that IIS is based in some part on the original NCSA server but not certain.

You get wot you pay for Re:credibility

[Zeinfeld]

My company uses Gartner to produce PR material, oops completely impartial and unbiased explanations of why our products are good and our competition is rubbish.

I am amazed that people give Gartner, Giga and the rest any credibility at all. We don't hire them to make impartial analyses of the market. We hire them to push our product. If they concluded that the competition was better then they would never get another gig from us in the future.

What is amazing however is that the same people who purchase PR fluff then go and read other people's PR fluff and believe it.

People who really know about technology don't spend their time writing PR fluff for Gartner etc.

The idea that companies using IIS can switch to something else simply because security maintenance is lower cost is pretty idiotic. If you have an IIS site you are almost certainly doing so because you have a reason and will probably have a non-negligible switching cost. If you have developed ASP scripts you can't just switch to Apache overnight.

Re:You get wot you pay for Re:credibility

[ttfkam]

Apache (and others) runs on Windows. ASP can be served from non-IIS boxes.

http://www.chilisoft.com/chiliasp/windows.asp

That being said, why do people have to run IIS? Granted, ISAPI filters need IIS (to my knowledge). How many ASP shops are dependent upon ISAPI filters? 1 out of 100? 1 out of 1,000? The vast majority are simply VBScript talking to COM objects; hardly bleeding edge technology.

asp?

[wobblie]

This is hardly possible, since AFAIK, IIS is the only server which can parse asp scripts, which is why these morons are running IIS. There are thrid party options to run asp on Apache, but they are exorbitantly expensive.

Re:OH MY GOD!

[RubberDuckie]

Be aware, that 'goo' is considered a hazardous waste, and must be disposed of at an authorized facility.

DirectX (OT-ish)

[Cato]

I recently installed DirectX on my sister's PC so her kids could play a particular game that required it. After four hours of downloading, installing, re-installing, upgrading (of course you can't uninstall DirectX - amazing...), changing sound card, upgrading drivers, etc, the PC was left with no sound in ANY games at all. This is a classic - Microsoft makes it 'easy' to upgrade and your system is left in a mess that can't be undone without a Windows re-install.

With this sort of philosophy, it's easy to understand why IIS/NT patching is also a mess.

Re:DirectX (OT-ish)

[linzeal]

Ever heard of Directx Buster?

Killed many a alpha and beta release for me and allowed me to reinstall the older one that worked....

Slagging of IIS: Poor sysadmin problem

[HaggiZ]

I'm in the position at my place of employment that I have to ensure the uptime of all our IIS boxen. We've yet to be infected by one worm or have any security compromisations of any way, shape or form.

This isn't because I'm on top of security patches before they are released, it's just a basic principle I learnt before I even knew what a sysadmin was... dont run anything you dont have to. Admittedly out of the box IIS is a pig and full of holes, but remove the default website, the administration site, and all script mappings except .asp and .asa and you are pretty right. I mean who here has actually used a .idq file and couldn't survive without them?

Re:Microsoft Tool to check Windows 2000 Adv Server

[Sierpinski]

The uptimes that I listed were after fresh OS installs, meaning that the initial worm attack caught us off guard... (I'm a linux sysadmin who was told to manage a Win2k box)

Also, just because the server is running fine doesn't mean that you shouldn't reboot it once in a while. It frees up memory, clears bogus pointers, etc.

If your uptime is measured in months, maybe you should stop comparing uptimes like the jocks in the lockerrooms who compare the sizes of their 'equipment'. It makes sense to cycle any windows box (server or not) relatively frequently. Not doing so is just poor administration. (Only because Windows has poor memory management and garbage collecting.) My linux webserver has an uptime of going on 11 months, and that was only because I moved into a new office. Couldn't turn down the window.

Re:wow... slashdot has a apache prob?

[onki]

Hmm, weird, trying to change the password brings up the download popup, lol, maybe they should use IIS instead?

Onki -- :wq

IIS and Updates

[delus10n0]

The truth is, IIS isn't a bad web server. Why everyone makes it out to be is beyond me. Everything has exploits. Everything is going to have "patches" or "fixes". If you properly configure your IIS server (remove "internet printer" ISAPI driver, default directories, etc.) and make sure security measures are in place (Running OS on a different partition/security than the "inetpub" partition).. and keep up with the patches (by checking Shavlik's personal security advisor or by using Microsoft's HotFix checker) you'll be fine. It's amazingly stupid that the patches to protect against CodeRed came out almost a year ago, along with patches to protect against NIMDA. It's ridiculous if someone, who is knowingly running IIS on a server (NT4 or otherwise) does not keep up with such fixes. Now then again, there are a lot of people who install Win2k with default options.. and that includes IIS (I believe so anyhow?).. and in that case, the user most likely will not know to keep up with patches/hotfixes. Then again, Windows 2000 isn't a "consumer" OS, it's meant for a business environment where hotfixes/patches/systems should be managed by an IT staff.

I will say this much...it's an Admin issue

[mbpark]

Here's how I look at it (and with one IIS box on the Internet at a colo location, the rest being UNIX or Linux).

1. Most of IIS you don't need. My script mappings in IIS are .shtml, .asp, and .pl. Period. I have one DLL allowed, and that's SDIIS.DLL, for RSA AceServer authentication, and that's done in a virtual directory with its own mapping for just that dll. The rest of it that I deleted is a gaping large maw of security hell and buffer overflows like Index Server, .htr files, and .idc files.

2. My web root is not in the \inetpub directory.

3. ALL extraneous services are turned off.

4. ALL web directories except the site's are turned off.

IIS is an insecure piece of crap in its default install, but Apache and Netscape/iPlanet can be as well.

It's a matter of actually auditing your systems, whether they run Linux, NT, or some other OS, and making sure that you audit them properly and only allow what you need. Make sure the system serves its purpose. And make sure IUSR_ only has read access to \winnt, and only gets create/read/write access to \winnt\system32\logfiles. Period. You also want to make sure it has read access to its webroot directory, and no ability to write anything except to that one logging directory.

This was not an issue of the virus. This was an issue of poor adminstration.

I just went through 3 days of logfiles from that NT server (4.0, SP6A, with over 50 hotfixes ARGH!), and because we followed some basic configuration guidelines that come naturally with Apache admins apparently, we had 17,000 attempted break-ins, and 404's for all.

You can't point and click your way to good security. It's a matter of making sure that you only allow in what you want, and making sure the patches are THERE.

Apparently this isn't a problem with some Linux distributions, especially Debian and Slackware, because they actually care enough to not install many things you do not need. Red Hat is another issue :). If people install Red Hat with a default install instead of IIS and think switching to Linux solves their problems, someone will make another Ramen worm.

It's not just an IIS problem. It's an administration problem. People have to be educated to not turn on world+dog with their web server, and keep up with patches, or else this happens. I hope at the least it causes some admins to realize that ANY OS+Web Server must be configured properly before putting it out on the Internet for public view, because not even a PIX is going to protect you from bad configuration.

Re:I will say this much...it's an Admin issue

[izzertaq]

Well said, except for the RedHat bashing. It's fashionable to say such things on slashdot, but isn't it a little silly? Not really any better than bashing Microsoft, IMO ...

Re:TCO?

[delus10n0]

I have a Win2k Server sitting next to me that has been up (really fully up) for almost a year. If you know what you're doing, you can build a stable and reliable server/box in Windows. Fairly easy actually. It's running IIS, Exchange, and SQL server. Gigabyte of RAM, P3-800. ASUS P3B-F motherboard. The Intel i440BX chipset rocks.

Why download source ?

[ballpoint]

I would like to avoid installing source code. But sometimes you need to correct things immediately (PHP, mySQL) instead of waiting for the official updated packages to become available, or the distro simply does not offer what you need (the mod_ssl, OpenSSL and Apache combination).

You're not the only one in suggesting Debian over Mandrake, which, I agree, seems to be positioned more for desktop use.

But for now, I'll just try to keep the uptime going.

Re:Why download source ?

[Error27]

Apache-ssl is another great reason to use Debian.

But I've been enough of a Debian bigot already and so I'll stop.

It does seem like you have ended up investing more time into the Linux server than the Microsoft server. It could be that you do this because Linux is harder. Or it could be that you actually like tinkering around with the stuff more.

I'd almost swear that there are Microsoft email lists where you can read pretty much the same stuff as the Mandrake list does. Or if you wanted, you could update the Microsoft server more often.

My guess is that you'll move everything to Linux eventually. Not because it's cost effective but because you just get a kick out of compiling source code yourself and having high uptimes...

Re:OH MY GOD!

[coyul]

What was that sound?

That was a paradigm shifting without a clutch...

Second System Syndrome (was:Ummm...)

[cotu]

Do a google search on second system syndrome.

I work at a large silly valley employer who just
found out yet again that this is just as real an
effect today as it was 25 years ago.

For the time being?

[crucini]

Porting a web application from NT/IIS to Unix/Apache is a serious undertaking. Anyone who makes that investment isn't doing it "for the time being." Microsoft would have to offer some incredible value to lure you back.

Inertia is Microsoft's greatest advantage and selling point. At this stage in the game, I don't see them winning back any ground they lose.

How ya gonna keep 'em down on the farm After they've seen Paree?

Previous Advice

[ClosedSource]

Aren't these the same guys that said you could save a ton of money by switching from PCs to Sun's Java Network Computer.

not bleeding edge

[KyleCordes]

[VBScript talking to COM objects; hardly bleeding edge technology]

With the impending arrival of .NET, they are soon to be Legacy technology.

A solution!

[plover]

I just realized how these attacks could all have been prevented: fair market forces. If Microsoft had to sell IIS competetively, they'd have about a 2% market share. Code Red, Nimda, all the other worms would have much less of a foothold in an environment that IIS had to fairly compete in.

First, if it were a "pay per play" I'd be far more interested in seeing it work properly than I would be if I were just clicking a box that said "Install web server?"

Second, attacks would make it much less likely that anyone would pay for their product until it was far more secure.

The same would be true for the other virus-prone applications bundled with the Windows operating systems: I wouldn't consider Outlook Express if I had to pay for an e-mail client, especially with all the viruses that it retransmits. Internet explorer? There's not a chance I would purchase an ActiveX container for surfing the web, but since that big blue "e" is already sitting on the screen and doesn't take me a half hour to download, sure, I'll use it.

And now the D.O.J. has dropped their only chance to prevent the tragedy from repeating itself on XP.

Re:A solution!

[PhilHibbs]

I just realized how these attacks could all have been prevented: fair market forces. If Microsoft had to sell IIS competetively, they'd have about a 2% market share. Remind me, how much does Apache cost?

Re:A solution!

[Znork]

Remind me, how much does apache cost to produce, as opposed to IIS?

Re:A solution!

[Omnifarious]

There is cost to buy, and there is cost to install. IIS costs nothing to install because it comes with the stupid OS. Apache costs to install on an NT system because it doesn't.

Apache reverse proxy

[spectro]

I have a bunch of IIS servers behind a linux box running Apache as reverse proxy. It filters all malformed URL's and so far no hits by any worm.
This can be a pretty good solution to all these corps stuck with ASP sites while they migrate to JSP.

5 million rows + MySQL? Very Bad

[g8oz]

Your quest for a nice server will be a lot easier if you dump MySQL. With the amount of data you are handling you *need* PostgreSQL.

Don't want to start a db flame war, but come on, you've read about Tim Perdue's experiment at Sourceforge.

MySQL is convenient but thats about it. Otherwise its just a speedy SQL frontend to the filesystem.

PostgreSQL on the other hand is a real, bad-ass, ACID-compliant mother that is almost ready to go toe to toe with Oracle.

Oh yeah, just switch.....no prob....

[zerofoo]

What? The TCO for IIS is rising so just....spend alot of time and money to switch to another web server????? Does this make sense? Who pays for the migration to another platform? Who pays to rewrite all the ASP stuff in Perl? I love these "business consultants". Lower your TCO by spending a crap load of money. What happens if/when apache becomes insecure? Big corporations can't just deploy different web-servers every other weekend!

-ted

Re:Oh yeah, just switch.....no prob....

[ClosedSource]

When I visited the apache web site 2 weeks ago the documentation for the Win32 version said that it was "experimental" and that it might not run as described in the documentation "or at all".

I wasn't able to find that disclaimer tonight. In any case, it doesn't give me a lot of confidence in Apache on Windows if the implementors don't stand behind it.

Migration tool: ASP2PHP

[Walles]

I haven't seen any posts about it, but I think that ASP2PHP deserves some attention. A migration could (theoretically) be done like this:

• Download and install PHP for IIS on Windows.
• Convert your ASP pages to PHP (using ASP2PHP).
• Get it running on IIS.
• Replace IIS with Apache (still on Windows).
• Replace Windows with some secure Unix lookalike or other.

I haven't used ASP2PHP myself so I can't say whether it works or not. It's GPL though, so try it out if you're interested.

Cheers //Johan

This is finally a nice argument

[lightweave]

Finnaly this makes an argument that can be used to show it to managment. I already forwarded that article tou my boss. Maybe it helps. At least it is good to know that Linux now gets support from groups like Gartner, that are considered more than a "hackers" view.

Re:Microsoft Tool to check Windows 2000 Adv Server

[SmittyTheBold]

Anybody else realize that "hfnetchk" is just a bad-ass program name? It looks like it could be Russian, but it's just some bastardized English abbreviation.

Damn I love MS sometimes.

Though I really wonder about their dedication to user-friendliness. I don't even know what the "hf" stands for, but even "HF Network Check Tool" would be much simpler for the end-user.

And don't you dare say it's because of the 8.3 limitation. This is NT/2000 software here. Any filename restrictions that OS has is strictly ornamental. (Well, for backwards-compatibility, but for my purposes it might as well be vestigial organ #37)

Huh?

[r2ravens]

"But if enough corporate sites go to Apache on Linux you'll likely see a lot more worms/viruses/trojans writen for Linux and Apache."

I'm confused. Elsewhere on the front page of /. is a link to a site where the survey indicates that Apache is in use by roughly 60% of sites and IIS is less than 30%.

With Apache having a larger market share (by 2 to 1), wouldn't Apache be more likely to be attacked? Or is there some other reason why we don't see as many exploits on Apache? Perhaps because it's designed to be secure instead of to be everything to everybody and be incetuous with the Windows OS?

I guess you're differentiating between servers running corporate sites and private/non-profit/etc. sites, but since Apache has the larger share, why should a difference in the ratio of the *type* of site matter?

I do agree that Apache servers are more often administered by clueful admins that the average MCSE, but your logic that the product with the largest market share is most likely to be attacked is not borne out by the numbers.

If I'm missing something here, please let me know.

Microsoft 'not ready for prime time'

[holdp]

Says Gartner.

The .asp stuff can be migrated with ASP2PHP

[Walles]

ASP2PHP will convert the ASP code into PHP for you. Haven't used it myself so I don't know how well it works, but it's GPL so you can just download it yourself and try it out if you're interested. I agree that ActiveX stuff (aka "vendor lock in") is still a problem though, but ASP2PHP may be a good first step.

Cheers //Johan

Gartner use...

[PhilHibbs]

Netscape on Solaris. According to Netcraft.

(and this is to get past the lameness filter)

read this

[Otis_INF]

Bookmark this site:
http://www.microsoft.com/technet/. Go there, subscribe to the mailinglists on security and other useful things. Read the how-to's, walkthroughs and useful documents about administring a Win2k/NT4 server.

Now when you go to http://www.microsoft.com/downloads/search.asp?, you will see a form. Select the product, win2k server, select Date to sort on, and hit 'find it'. All patches you need to have are there, plus other useful downloads.

Other USEFUL information about how to secure your box: http://www.securityfocus.com/cgi-bin/microsoft_top ics.pl

Windows NT kernel based systems have excellent memory management. You should start/stop services (net start/stop w3svc) once in a while. Or use 'kill'. Reboot not needed. Honestly.

LINK!

[Howie]

Oops, forgot the link!
Halcyon Software

Another person misses the point

[Quila]

...being that because of constantly having to patch IIS, the TCO is starting to get too high.

Re:Microsoft Tool to check Windows 2000 Adv Server

[greenrd]

It almost makes you wonder whether there aren't still some 8.3 limitations in the OS or IIS that they haven't bothered to fix yet...

No, don't get out more

[eWulf]

I don't think it's necessary to do anything as extreme as getting out more. Just give Slashdot a break and change to a different site like www.adequacy.org.

Switching from IIS

[linuxelf]

Funny, seeing this article. We just did this. We switched all of our NT IIS servers to NT Apache for Web and CesarFTP for FTP services. No IIS, no IIS problem.

Apache drop in replacement for IIS

[criquet]

Just a thought. It'd be pretty cool if there was an installation for Apache that could stop IIS services and configure itself similar (but securely) to IIS (i.e. virtual directories, ports, modules, ...).

Tim makes an understatement

[Paul+Bain]

Timothy wrote:

Gartner hasn't always said favorable things about Linux systems in the workplace.

Ordinarily, the posters (and sometimes even the editors) at Slashdot are prone to overstatement, making this understatement somewhat refreshing. Of the companies in its industry, Gartner is perhaps one of the most extreme shills for Microsoft.

You have to wonder

[twitter]

With M$ spending $1,000,000 to promote XP, has Gartner done itself out of anything? Even if it's just M$ recomending another consulting firm in it's literature.

The damb has split wide open?

I like Gartner's solution better.

[twitter]

Apache.

I'd suggest running it on Debian. As you say, Go there, subscribe to the mailinglists on security and other useful things. Read the how-to's, walkthroughs and useful documents about administring. Well, the mailinglist is optional as setting up a cron job (type man at) to apt-get updgrade and apt-get update will do better.

Debian boxes can be remote administered through a secure shell (ssh), without loosing the connection. Try running dselect through one some time, it's really cool. Did that to install and then uninstall proftp.

I thought I was OK and got burned

[ab762]

...because I made a serious mistake and uninstalled some commercial software. Not naming names - I think the problem is common.

A certain package's uninstaller careless nuked HKLM ...\ODBC - all of it. To fix this up, I had to repair Win2K, reapply SP2, and reinstall my commerical ODBC software. And I blew it, I didn't repatch afterward! :-(

Therefore, Nimda ate my machine. Had to entirely format and reinstall. Puts me in the Dilbertian position "dealing with the loss of beloved data".

My experience is that the uninstallers of software are rarely well-tested.

Blackhole these hits in Apache

[babbage]

Granted that these hits are just a annoying to Apache, not a compromise, but still you can try to plug up attacking servers a bit:

RedirectMatch 301 ^/(_mem_bin.*) http://127.0.0.1/$1
RedirectMatch 301 ^/(_vti_bin.*) http://127.0.0.1/$1
RedirectMatch 301 ^/(msadc.*) http://127.0.0.1/$1
RedirectMatch 301 ^/(MSADC.*) http://127.0.0.1/$1
RedirectMatch 301 ^/(scripts.*) http://127.0.0.1/$1
RedirectMatch 301 ^/(default.ida.*) http://127.0.0.1/$1

Wash, rinse, repeat as needed. This doesn't make the hits go away, at least immediately, and it's probably only marginally more efficient than the 404 result that you'd ordinarily get, but at least it sends the traffic back where it came from. Since applying these rules the load on the servers I look over has fallen off nicely.

I would think that a properly patched & maintained copy of IIS should be able to do the same thing, or similar, but I don't know what the syntax would be.

Re:Blackhole these hits in Apache

[locofungus]

Or redirect them to www.microsoft.com. :-)

Re:Blackhole these hits in Apache

[babbage]

I was doing that for a while actually, but decided it didn't have much of a chance of helping anything. If a human was causing all that traffic, then redirecting them to a security bulletin might make sense, but of course that's not the case here. If a human was trying to get to that security bulletin, I wouldn't want all my redirected traffic (& anyone else's) to make it harder to reach that site. As much as I hold MS to blame for this mess, insult to injury won't help anything.

On the other hand, trying to swamp their Passport servers might not be such a bad idea... :)