When will Redmond get it right?

If Microsoft ever divests itself of applications or operating systems and wants replacement products, some security pros suggest they sell Swiss cheese. Considering the number of holes in Microsoft's Net-centric applications, it's a natural extension of their existing product line.
Written by Howard Millman, Contributor

"Microsoft's NT product line, including Windows 2000 and IIS [Internet Information Server], has the worst security track record of any operating system in the world," says John Schweitzer, chief security officer at Ogilvy & Mather. "That's why most security professionals reject their products out of hand."

Does this condemnation seem too harsh? Just visit Microsoft's support Web site for service packs, its Bug Center, or SecurityFocus's BugTraq to see the dozens of security patches, warnings, and problem advisories for IIS, Outlook, Exchange, Word, and Windows OSs.

With fixes and advisories for these applications posted more than once per week, IT managers must spend some part of every day checking for updates and a larger chunk of time installing the patches to keep their networks secure. Is it any wonder, then, that IT managers end up fixing an endless stream of security flaws in Microsoft's enterprise software? Maybe that's why IT managers wryly suggest that the IIS acronym stands for It Isn't Secure.

Admittedly, perfect security is impossible, regardless of the operating system. However, you will come closer with Unix than with Windows. "With Microsoft products, you're starting much further behind the eight ball," says Schweitzer.

To its credit, Microsoft is usually quick to react to new threats. Usually, it posts fixes within days. On the other hand, the company seems oddly unable to anticipate and proactively prevent attacks. This is peculiar; many fixes are so simple that preventing the problem should be a no-brainer--for example, just turning off IIS's many default services, such as its Internet Database Connection and Internet Printing Services.

This strategy works for the Apache HTTP Web Server. The darling of the open source software movement, Apache deserves its enviable security reputation. The last time a major flaw occurred was nearly five years ago, in the form of a buffer overflow. The Web server's minimalist design, solid coding, openly available source, and fanatical attention to detail simplify administering the system.

Apache proves that prevention is practical. Microsoft, conversely, prefers pointing its finger at others, saying that up to 50 percent of IIS's problems are caused by misbehaving third-party drivers. That's buck-passing. The reality is that if Microsoft produced more secure software and stopped using its customers as a real-world test bed, administrators could spend more time on strategic goals and less on keeping the barbarians from the gates. A more proactive solution would be for Microsoft to open the source code of its applications and operating system, thereby spreading both opportunity and responsibility around so that other experts could help it close the holes.

In the meantime, companies continue to use NT instead of Solaris, and Microsoft IIS instead of Apache. They also spend hundreds of dollars for Word instead of using Sun's free StarOffice. Why? Because despite all of the vulnerabilities, high acquisition costs, and high maintenance costs of Microsoft products, the pain of fixing the problems is less than the pain of switching operating systems. What's more, many IT managers have little choice or say in whose software their company uses, because no individual or company can withstand Microsoft's coordinated juggernaut. As long as this thinking prevails, every IT manager will have to continue patching holes in the company's Internet security armor.

Howard Millman, a writer and computer technology consultant based in Croton, New York, contributes regularly to CNET Enterprise and helps make computers behave.