Slashdot Mirror
Gartner Group Suggests Dumping IIS For Now
sachmet is one of the many readers who contributed news that "Gartner Group is now recommending that
IIS be replaced in corporate environments. This is based on the fact that TCO for IIS is rising due to the almost-weekly patches sent out by MS, and even then, it's nearly impossible to get patched quickly enough. Best part: 'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year." Gartner hasn't always said favorable things about Linux systems in the workplace, but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting. Update: 09/24 22:04 GMT by T :As several people have pointed out, the 80% figure appears to be Gartner's odds that IIS won't be rewritten that soon, rather than the other way around (.673334 probability).
Isn't it one of the greatest P2P app out there for automatic file sharing?
My PHB just saw this, screamed "MY PARADIGMS ARE MELTING!" and collapsed into a pile of goo. Many thanks to the Gartner Group!
More and more of these IIS "syadmins" (using the term loosely) will install Unix/Linux boxes, and forget about them, just like they installed the IIS boxes and forgot about them.
Then someone somewhere will find some little bug in some pre-installed convenience, some PHP shopping cart, some admin tool, some default password, something that comes on each machine. Then we'll have the same problem with some crazy Linux worm. And this time I bet the clueless M$-0wn3d media won't call it an "Internet worm", they'll be sure to call it a "Linux worm"!
Of course I could be wrong. Maybe Microsoft really can't code a proper webserver. But I think having sysadmins awake and at the wheel will help too.
Hmm, how about a web server that emails the admin saying "This web server will shut down in 15 days unless you run the up2date tool" or something similar? To force people to check for upgrades.
There are other web servers out there that run perfectly well under Windows.
Very true. I know some folks running Apache/Tomcat-Jakarta on a W2K box and are pretty happy about it. I think in the short term (or mid term at least since some porting will be needed even if you only switch the web server) if the advice is followed they may stick with Apache, et al on Windows. But, since you save little to no $$ by purchasing NT/W2K/XP Server and not using IIS I would suspect those that did move off IIS would eventually lose NT/W2K/XP as the OS as well. I would imagine that the porting effort to move code the likes of PHP/JSP/servelets from Apache/MS to Apache/*BSD or Apache/Linux would be minimal.
Of course, I suspect that very few will switch. We got our asses handed to us last week, and the brass are sticking with MS anyway. Go figure.
the overhead on keeping the win machines patched (5 on the network) is crazy, I spend too much of my valuable time hunting down patches for machines
.asp pages and custom server ActiveX objects then migrating from IIS is a fairly large expense. Even if you don't, the hassle of securely setting up a whole new web server is just asking for more holes to turn up. I'd be recommending companies don't ship at all, but pay attention to Microsoft's security bullitens (you ARE signed up, aren't you?)
Install Windows Critical Update Notification.
If it honestly takes you too long to visit the Windows Update web site once every week for the 5 machines, or get the users to visit the site and install the critical updates then there's a problem somewhere.
My Win2k machines WERE running IIS and had all critical updates installed. No Code Red. No Nimda. WTF is everyone else's problem? Even my web host which is running IIS didn't get hit.
As for rewriting IIS, it is a rather stupid idea. First of all the Code Red problem wasn't IIS at all, but the Index Server ISAPI DLL. Rewriting IIS will have zero effect on any of these extensions, much as rewriting Apache would have little effect on a bug in mod_php.
Honestly I don't get Gartner's points here - if you have a significant site with a large investment in
Fear: When you see B8 00 4C CD 21 and know what it means
(who DIDN'T get hit by Nimda?)
I didn't. IIS can be secured -- many things that MS releases patches for are not exploitable if you follow sane security practices. Stuff like deleting all the ISAPI crap that comes in the default setup, and putting your web root in a nonstandard location (preferably on a different partition), deleting all sample files, enforcing proper filesystem permissions, and running any applications in an isolated process.
Of course, one of the advantages of Apache is that it ships in a relatively secure configuration by default, it's better for dummys who install stuff and plug it into the network without bothering to check the configuration. It's a whole lot better by default than IIS, that's for sure. Most of the MS patches are for various add-ons like index service that most people don't use anyway and should be shut off.
DISCLAIMER: I use Apache for the primary web server for the business I work at. We run IIS as the secondary server for load-balancing and have yet to be compromised by anything, even though patches don't always get applied immediately (usually pretty soon after release though). I think Apache is great, but want to point out that anything can be secured if you put some effort into it.
Well yes Apache.org did get compromised but NOT due to an Apache server problem. It was a complicated hack and took advantage of a configuration problem (mainly Apache had their incoming FTP tree viewable in their web space among others) Or perhaps you're referring to another event.
Yes, Apache is not all nice point and click, but there ARE tools out there (Webmin's Apache module is NICE) to make administration easier. Yes Apache has had vulnerabilities in teh past, but considering its widespread use and installed base, I'm extremely impressed with how secure its been - upgrades to Apache are rare which reduces TCO.
Yes, all systems and software have problems. But overall, I'll stick with OSS where appropriate and regarding your issues with MySQL and Apache, a few simple posts to mailing lists or news groups related to the software will often get your problem fixed faster than most 3rd party setups.
Top Most Bizarre/Disturbing Error Messages
Love,
Bill
In recent dealings with the latest worms, I found a tool from Microsoft called Hfnetchk that will, with a valid connection to the internet, tell you exactly what patches you do or do not have installed. They cross list them by article (eg Q123455) and also by another form (eg MS01-077).
We're running Windows 2000 Adv Server (yeah yeah, I know, but we don't have the Cold Fusion package for Linux) with IIS 5, and were having an average of 30-45 minutes uptime before getting blasted by the worm(s).
After using the hfnetchk and downloading quite a few patches (burn them to a CD, having to reload the system isn't out of the question, even if it is working now), we have had about 5 days uptime, and *knocks on wood* no infections, although the log says there have been attempts.
Even though I'm spoiled to the ease at which I can find Linux updates, I found that the tool was very useful, especially since Microsoft's site is so unorganized when it comes to downloading patches and updates (I want a list, not having to search for something, especially when it never works right) that this tool was a big time saver for me.
And they said zombies weren't real!
Rewriting is always an option. It's not a pretty one, but it CAN be done if you're dedicated enough.
Case in point - last year I saw the dead-end coming for my company's Enterprise solution, which was written in ASP/COM. The argument (er... *ahem*, discussion) I had with the higher-ups concluded that we HAD to continue moving forward. We couldn't wait 6 months for a rewrite (ambitious at best).
Fine, I said. Then let me do everything concurrently. Here's how it works:
Install Tomcat onto your Windows NT Server running IIS, along with JRE 1.3 and the HotSpot Server.
Link Tomcat in with IIS using the mod_isapi.dll you can get from the Tomcat site. Also install Tomcat as a service using jk_nt_service.exe.
Keep your Java session abstracted. The main session remains as-is within your ASP application. Write a bit of java.net code to hook in through a custom ASP page (note: security - ordinary clients can't access this page) to retrieve and update any session variables. This can be done by reading the ASPSESSION cookie, and spoofing it in your requests to IIS.
Any NEW components, write in Java. Remember - session variables get retrieved and saved from the ASP side still.
As you're working on new components, when you can arrange it, convert old components to Java one by one. Session still remains on ASP.
Wash, rinse, repeat until all components have been written in Java. Once this is done, convert your login into Java, and change your abstracted Session to be a Java session instead of hooking into IIS for the ASP one.
Voila. You are now 100% Java. Now get rid of IIS and switch to something else. This is the approach that my team took to rid ourselves of the VB horror that someone left me when I joined. It took about 8 months of solid effort, but it worked. We are now rid of all reliance on MS technologies from our site. We also managed to do it quickly because of good code layout, and the use of the most wonderful Velocity templates also available from the Jakarta site. This helped a lot.
The point is, you CAN do a rewrite. What you usually are NOT allowed to do is a code freeze. So... work around it! The beauty of this solution is that you are running two separate applications (technically) for a time. Keep a consistent look, and the users can't tell the difference between the ASP and the Java side. Change one function at a time, slowly, and eventually you'll reach the Utopia you're looking for.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
By completely rewriting it, you throw out that experience and start from zero.
I'd have to disagree with you on that one. They won't throw away the old experiences, in fact they will prove quite valuable. Most programmers encounter parts of a project that they would change if there were not the possibility of breaking things or hurting backwords compatability. When they start from the ground up, they can look at what worked well and what did not work well. Features that were added to later releases had to be designed to use the existing code base, which is often suboptimal. When they have a good idea of the types of features they will use (and even trends for adding features) they can make those features more optimal. It also makes it easier to understand the code in the short term. It is hard to understand code written years ago by yourself, and it is especially hard to understand code written by someone who left the company years ago. I'm sure bugs will be introduced, but it is much easier to prevent security problems if you start from the scratch (hint: check for buffer/stack overflows everywhere). When you rewrite, you draw heavily on previous experience, and get the chance to write things with more knowledge than you had when you wrote them a long time ago the first time around.
Secondly, the timing couldn't be worse for Microsoft. With XP only just hitting the shelves, this has the potential to seriously cripple the uptake of the new OS. (Note: I'm saying "potential" as you're bound to get plenty of execs who argue that nobody ever got fired for buying Microsoft. Even when it puts the entire company's public profile at risk.)
Thirdly, this also comes at a critical point in time, with respect to the European Union anti-trust investigation, the British fair trading investigation, and the US' very own anti-trust Lawsuit Revisited. Should the market-share of IIS continue to grow at the current rate, competitors may be able to argue the case that companies aren't heeding the report because they can't. That could seriously jeapordise Microsoft's arguments that they are not a monopoly, and that "future threats" could affect their market-share.
(Let's face it - if this isn't a "future threat", I don't know what is.)
Fourthly, this comes at a time when the economy is seriously wounded, and yet Microsoft's pricing continues to rise. As other posters have noted, this might persuade some accounts departments to start pushing the alternatives.
Lastly, homeless shelters are still pretty full, from the collapse of the dot-coms. This makes computer expertise very cheap. ("Will Code For Food" no longer sounds such a joke.) Thus, there is really little need to hold onto "old hands", who command high fees. You could probably pick up a webmaster and a couple of ASP/PHP/Perl gurus by going to the local K-Marts and asking the people collecting the carts. They'd cost a fraction of what most companies are paying for their IIS expert, and they'd probably worship the ground the management walk on.
HOWEVER, this is purely speculative. Although what I've written is a plausable scenario, companies could equally well ignore the report, the anti-trust lawyers might deem it too tenuous to be usable in court (if they notice it at all), and Microsoft might remain King Of The Hill by sheer default.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Do what I do. I'm too f-ing lazy to keep up with the weekly patches. So I spent a couple hours a year ago and properly configured my IIS servers, following the published checklists. Now I review bug after bug and say "ok, that one can't impact me so I'll patch it later."
There is no reason a properly configured but completely unpatched IIS 4 or IIS 5 server could not have survived both the Nimda and Code Red worms.
Nimda made use of the Unicode directory traversal bug, which only lets you move around on the drive where the web documents are stored. Move the wwwroot to another drive, set file permissions as tight as possible, remove the sample applications, and you would have been safe. Every one of those is on any decent IIS admin's checklist.
Code Red made use of a bug in the Index Server. Removing unused mappings is near the top of every decent IIS admin's list. In fact, one IIS server I have didn't have the patch applied when Code Red hit. I didn't bother to apply it until almost a month later.