Apache or IIS?
Finally an analyst is willing to stick his neck out and tell it like it is.
by James Mathewson
ReleVents, 01/09/26
Last week I pointed to the Nimda worm as an example of how our security attitudes must change, pointing out that those who were hit could have avoided trouble if they had downloaded available patches. That much is true, but some might think to look deeper in defending their Web sites. Some might ask, should I need to download a dozen patches per month to keep my systems safe from worms and other hacks?
The prevailing view is that Microsoft’s Web server–Internet Information Server, or IIS–is not inherently more or less secure than its competitors–Apache and iPlanet (formerly Netscape). It’s just that more hackers target Microsoft’s products because they hate the company and want to do something to affect the choke hold it has on the market. The same reasoning is behind the view that hackers don’t target Apache or iPlanet. Microsoft blames its users for not patching its software. Microsoft spokespeople spout the prevailing view. “It’s not our fault, it’s these vicious kids who hate us. Why do they hate us? Why do Islamic extremists hate Americans?” I have to say I contributed to this finger pointing in the aforementioned column.
After reading a news item on our site today, I’ve had a change of heart. While I agree that there’s no excuse to not download patches in order to secure Internet servers, I can understand why some small companies have a hard time keeping up with all the patches. With that understanding in mind, it might be better for companies to realize that they don’t have the resources to keep their servers safe and instead switch to software that does not require as much security maintenance. This is essentially what John Pescatore, research director for Internet security at Gartner Group, recommends for small businesses. The argument is very simple: Who’s to blame is not the issue. For whatever reason, IIS is less secure than Apache. Use Apache.
According to an infographic in the October edition of Wired magazine, IIS is now the most popular Web server. While Apache still leads in the number of domains, IIS has a slight lead in the number of Internet servers running the software and a large lead in the number of Web servers running Secure Sockets Layer technology (i.e. e-commerce sites). These latter servers are the ones that need the most security. The graphic is disturbing because, as far as I can tell, most small enterprises use IIS for transactions simply because all the tools are bundled into the server, whereas Apache requires several components found in various places through the Net. Microsoft’s sales effort is that it’s easier to make e-commerce work on IIS because all the tools are readily at hand, and it’s working.
My question is, why do webmasters buy Microsoft’s argument? Though it may be easier to get e-commerce up and running, keeping it up and running is a lot harder than it is under Apache. As the old saying goes, you can pay me now or you can pay me later. I would much rather spend a little more initial effort to have a secure site than do it the easy way and have an insecure one. Again, our attitudes about security need to change, but so do our choices.
James Mathewson is editor of ComputerUser magazine and ComputerUser.com.