Microsoft IIS really not the villain

Guest columnist Jack Danahy says Microsoft's vulnerabilities are caused, at least in part, by the richness of features that are offered.
Written by Jack Danahy, Contributor

COMMENTARY-- In a recent report delivered by the Gartner Group, Vice President and Research Director John Pescatore advised that enterprises seek alternatives to the Microsoft IIS platform. After analyzing the recent Code Red and NIMDA attacks, Gartner believes that their clients should reconsider their investments in the Microsoft infrastructure. They are not the first to say so. While concern over these events is clearly merited, following this advice would prove extremely costly, and would do little to address the underlying problems that resulted in the spread of these attacks.

Let's take a look at an analogy for this situation. I live just outside of Boston, Mass. Each winter we have fairly significant snowfall, and each winter I invariably slip and fall on the ice. I have chosen to live here for a variety of reasons, but falling on the ground is not one of them. Based on Gartner's rationale for avoiding the Microsoft IIS platform, I think that they would recommend that I move to San Francisco, where there is little snow, instead of simply telling me to use some salt and be more careful. The problem with this advice is that I like living in Boston, I am comfortable here, and living in San Francisco has its own issues, like earthquakes. This lack of a broad perspective also describes the problem with Gartner's advice, which ignores users' comfort, familiarity and investment in the Microsoft IIS platform, and does not take into account the fact that the alternatives can prove to be just as slippery.

The recommendations indicate a limited understanding of the real reasons why so many systems have inadequate security. This issue has little to do with the Microsoft IIS server, or any platform, but is a consequence of the lack of security awareness, training, and resources in these organizations. Blaming the platform for the NIMDA and Code Red attacks is itself inaccurate. The vulnerabilities exploited by NIMDA and Code Red were addressed by patches made available by Microsoft long before the attacks. As a result, we know that the vulnerable machines were administered by people who either did not understand the risk sufficiently to apply proper urgency in updating their systems, did not have the resources to apply new server protection technologies or who assumed this risk knowingly. The vulnerability that was truly exploited in these attacks was not a Microsoft coding error, but rather a lack of understanding or implementation of strong security practices.

Similar vulnerabilities have been exposed in all platforms at one point or another, so switching platforms does not eliminate this problem. Administrators working in an IIS environment who have not yet learned how to secure it are extremely unlikely to have the time or wherewithal to learn the security of an entirely new platform. As a result of this learning curve, operational security will clearly decrease as a practical matter. Add to this the fact that the recommended platforms are known to require more skilled administrative practices, and the overall result is the opposite of what one would expect from the recommendations provided.

If one still adopts the position that switching platforms will improve security, there are many new costs to consider. This type of migration will require that applications be ported and rewritten. These applications will then require full interoperability and coexistence testing, as well as new licenses for many platform-specific products. The existing systems management staff will require training in the new platforms, and in the management of content on the new infrastructure. We must also acknowledge that Microsoft's vulnerabilities are caused, at least in part, by the richness of features that are offered. Mapping those capabilities onto the recommended products is a complex and possibly unachievable task.

As a result of all of these factors, and even more, I believe that the Gartner recommendations, while understandable, are too drastic to be practical. Their focus on the platform as the genesis of security issues will distract enterprises from the actual problem: the lack of attention to security that is the real root cause of most successful attacks and system compromises. Instead of trading one platform for another, organizations must focus their efforts and investments on better management of existing systems, on applying new technologies to protect existing investments, and on empowering administrators to protect systems more actively. In so doing, security will be drastically improved at a level of expense that a majority of businesses can bear.

Jack Danahy is senior vice-president and general manager of Server Security at WatchGuard Technologies, a leading provider of Internet security solutions.