recommendation that its clients abandon Microsoft's Internet
Information Server because of ongoing security problems makes
a great deal of sense. At least to some people. After all, IIS
has been chronically plagued by hackers, with last week's attack
by the Nimda virus/worm just the latest example.
Yes, Microsoft does put out fixes, and if you stay current
with them, you can avoid many troubles. But this takes time
and energy. Some corporate IS types say they have better things
to do than worry about who's hacking their Web servers. And
Gartner, a research and advisory firm, agrees with them.
I see three ways of looking at this, and I will warn you up
front that each may be equally valid. Some solutions are more
viable to apply, depending on the circumstances.
Just do it. There are good reasons to dump IIS. Suppose
you get the most current patches and miss the bullet this time?
You can be certain that if you let your guard down the next
time--and there will be a next time--you could be in trouble.
So if people want to heed Gartner's advice, it's certainly understandable.
Of course, switching to a different solution is expensive, and
there may be things that are important to you that just don't
move easily (or at all).
Want to open your Exchange mailbox and calendar from the Web?
Like those Active Server Web pages you've created? Want to run
SharePoint as a collaboration server? All these and a number
of other Microsoft technologies are IIS-dependent. That speaks
well for opening these standards, but it won't help right now.
One fairly open IIS technology is the extensions for FrontPage-based
Web sites. For example, I have an Apache server running atop
Linux that works with FrontPage quite nicely.
My mail server is on a similar machine, and while I miss the
shared calendar that Exchange provides, I have learned to live
But there is a downside, at least in the broad view: Dumping
IIS makes the people who created these worms very happy. This
is what they want you to do. Then they can go on to another
Microsoft product and try to make you dump that, too.
Stop whining: The real problem is sloppy sysadmins.
This is the school of thought that says keeping up with patches
is just part of the job. And if you stay current, your potential
losses are limited. Most of the people who think this are, presumably,
not sloppy system administrators. But they make the point that
you can protect yourself and go about life fairly normally without
letting the cyber terrorists decide your strategy for you.
There are people who say the real problem is Microsoft's code.
They say Microsoft could solve these problems if it wanted to.
I am not really qualified to judge the quality of Microsoft's
code, so I don't know how much of this Microsoft brings upon
itself through sloppy coding, vs. how much is simply a reflection
of the number of enemies Microsoft has and how much their combined
effort is directed at the company.
Some analysts say MS code isn't worse than anyone else's, and
I tend to agree, but I can't comment from experience. If the
bad guys wanted to kill Apache as much as they want to do in
Microsoft, I suspect Gartner would be telling people to abandon
My, what a great day to be outsourcing! Let someone
else worry about security for all of us. This is actually my
favorite of the three options, because it leaves the problems,
presumably, to the experts and lets the rest of us get on with
life. This doesn't mean Web service providers won't have trouble,
but it means they are the ones who get fired for them and not
you, dear reader.
Seriously, this isn't a panacea. There isn't one here. A mass
migration off IIS is more than many companies can bear--even
if they want to do it.
Microsoft is working to plug the leaks in IIS, but a determined
assailant can still find more. Microsoft does, however, react
Hackers seem to be a permanent issue, especially for Microsoft
customers. So the ultimate questions may be: How much protection
is reasonable? And how do we keep the bad guys from winning?
If only the answers were easy.