Should companies heed Gartner's advice on IIS?
Gartner's recent recommendation that its clients abandon Microsoft's Internet Information Server because of ongoing security problems makes a great deal of sense. At least to some people. After all, IIS has been chronically plagued by hackers, with last week's attack by the Nimda virus/worm just the latest example.
Yes, Microsoft does put out fixes, and if you stay current with them, you can avoid many troubles. But this takes time and energy. Some corporate IS types say they have better things to do than worry about who's hacking their Web servers. And Gartner, a research and advisory firm, agrees with them.
I see three ways of looking at this, and I will warn you up front that each may be equally valid. Some solutions are more viable to apply, depending on the circumstances.
Just do it. There are good reasons to dump IIS. Suppose you get the most current patches and miss the bullet this time? You can be certain that if you let your guard down the next time--and there will be a next time--you could be in trouble. So if people want to heed Gartner's advice, it's certainly understandable. Of course, switching to a different solution is expensive, and there may be things that are important to you that just don't move easily (or at all).
Want to open your Exchange mailbox and calendar from the Web? Like those Active Server Web pages you've created? Want to run SharePoint as a collaboration server? All these and a number of other Microsoft technologies are IIS-dependent. That speaks well for opening these standards, but it won't help right now.
One fairly open IIS technology is the extensions for FrontPage-based Web sites. For example, I have an Apache server running atop Linux that works with FrontPage quite nicely.
My mail server is on a similar machine, and while I miss the shared calendar that Exchange provides, I have learned to live without it.
But there is a downside, at least in the broad view: Dumping IIS makes the people who created these worms very happy. This is what they want you to do. Then they can go on to another Microsoft product and try to make you dump that, too.
Stop whining: The real problem is sloppy sysadmins. This is the school of thought that says keeping up with patches is just part of the job. And if you stay current, your potential losses are limited. Most of the people who think this are, presumably, not sloppy system administrators. But they make the point that you can protect yourself and go about life fairly normally without letting the cyber terrorists decide your strategy for you.
There are people who say the real problem is Microsoft's code. They say Microsoft could solve these problems if it wanted to.
I am not really qualified to judge the quality of Microsoft's code, so I don't know how much of this Microsoft brings upon itself through sloppy coding, vs. how much is simply a reflection of the number of enemies Microsoft has and how much their combined effort is directed at the company.
Some analysts say MS code isn't worse that anyone else's and I tend to agree, but I can't comment from experience. If the bad guys wanted to kill Apache as much as they want to do in Microsoft, I suspect Gartner would be telling people to abandon it, too.
My, what a great day to be outsourcing! Let someone else worry about security for all of us. This is actually my favorite of the three options, because it leaves the problems, presumably, to the experts and lets the rest of us get on with life. This doesn't mean Web service providers won't have trouble, but it means they are the ones who get fired for them and not you, dear reader.
Seriously, this isn't a panacea. There isn't one here. A mass migration off IIS is more than many companies can bear--even if they want to do it.
Microsoft is working to plug the leaks in IIS, but a determined assailant can still find more. Microsoft does, however, react quite quickly.
Hackers seem to be a permanent issue, especially for Microsoft customers. So the ultimate questions may be: How much protection is reasonable? And how do we keep the bad guys from winning?
If only the answers were easy.