A Chinese proverb warns against removing a fly from your friend's forehead with a hatchet. Users of Microsoft's Internet Information Server (IIS) should exercise similar caution when deciding the fate of their Web servers.
The last couple of weeks haven't been kind to IIS. Two high-profile virus attacks prompted many folks to question the security of the server. Analyst firm Gartner Group recommended certain users move to another Web server environment because of security concerns.
So should IIS users scrap the product? Not necessarily, experts say. But the recent security issues surrounding IIS underscore why users should evaluate their own security skills and needs.
For example, one of the strengths of IIS is its ease of use. However, this can cause security problems as users "underestimate the responsibility of running a Web server," said Tony Northrup, a Web administration expert and author of "Introducing Windows 2000 Server and NT Network Plumbing."
IIS' popularity is another reason why it's a target for virus writers, many of whom hate Microsoft, Northrup said. By contrast, other Web server platforms also need patches but not as many. Plus missing one isn't as bad given the chances of a vulnerability being exploited is much lower, he said.
Some companies are taking advantage of Microsoft's woes. Sun has a program where users can migrate to its iPlanet Web server for $940 per CPU, a discount of 37%. The company is throwing in (at no extra charge) Sun Chili!Soft ASP for Windows Software, which allows Active Server Pages (ASP) Web sites and Web applications to run on iPlanet.
Yet Northrup doesn't think mass migrations to other Web servers is the answer to IIS' problems. Such a radical approach may work for less sophisticated sites but not for robust e-commerce sites that leverage IIS with other Microsoft technology such as Active Server Pages and Microsoft Commerce Server 2000.
"It's not likely that many companies will be willing to commit to such a major development effort simply to offset the need to install patches on a regular basis," he said.
Northrup suggests a managed hosting provider "is much less labor-intensive than migrating a site to a new Web server platform."
Moreover, changing platforms may cause more problems for a company than it solves, according to Tom Mullen, CIO and chief software architect for AnchorIS.com, a developer of secure, enterprise-based accounting software. "Let's suppose the government saw that semi-trucks got into less accidents than passenger cars and said everybody had to buy a semi." Such a scenario is similar to a lot of IIS users trying a more complicated server product, he said.
For example, OpenVMS may be "virtually unhackable," but the skill required to run it is significant, Mullen said. "If a company can't keep a Windows server secure, then they would have a hell of a time keeping a Unix or Linux box secure."
Mullen cited the known IIS vulnerability that Code Red and Nimda exploited as something astute users should have patched years ago. Users should be up on the latest security discoveries. But on the other hand, Mullen said Microsoft probably has done as much as it should to get the word out about patches.
Earlier this month, however, Microsoft announced a new initiative focused on securing IIS servers. Mullen thinks Microsoft has embraced security more than it ever has before.
FOR MORE INFORMATION:
What's your take on IIS? Tell us in our searchWin2000 poll.