Microsoft IIS: Fight or Switch?

Last year’s Code Red and Nimda worms hurt Microsoft’s prestige and raised questions about the company’s ability to conquer the security flaws plaguing its Web server and e-mail software.

Users shunned expert advice urging them to stop using the Internet server software. John Pescatore, research director for Internet Security at IT research consultancy Gartner Inc., was among IIS’ most vocal critics. His advice to jump ship was tantamount to a public flogging for Microsoft.

IIS suffered a dip in actively used servers from July through September when the worms took their toll, but came back strong in the last two months of 2001. According to server tracking firm Netcraft, IIS picked up a full point of Web server share in November and December, ringing out the year with 30.75% of the market, while leader Apache dipped a slight 0.31% to 56.5%.

Pescatore now says he advised companies to switch to a more secure server only if the ongoing risk and post-breach cleanup of IIS justified the transition costs.

“For 90% of organizations, the cost of switching was way too high,” he says.

There is no average cost of switching, but when an IIS server is running complex Active Server Pages, the work can be counted in man-years. “That can be $200,000 per application and is very difficult,” Pescatore says. But the problem of switching server platforms isn’t just cost.

“It’s functionality. IIS is part of the package along with SQL Server for our course selection, registration and alumni systems,” says Kevin Baradet, network systems director at Cornell University’s S.C. Johnson School of Management. “When we buy the package, it comes designed to use those products, and we’re not going to mess with them. You can’t switch.”

Why? Disruption, risk, technical incongruities and cost generally preclude such a move. Most Microsoft customers feel—rightly or wrongly—locked into IIS.

Microsoft’s competitors tried to exploit IIS’ black eye, claiming corporate defections were substantial. But its three main rivals—Zeus, Apache and iPlanet—could produce but one name of an IIS defector who’d speak on the record. They talked the talk but couldn’t walk the walk.

Fear itself
Peter Carter, enterprise service manager at systems integrator Nova Networks in Ottawa, says fears about switching are unfounded, if proper analysis is applied.

“There are two problems—ignorance and inertia. Once you have a certain path, it’s really tough to change everything, but if you truly know your boundaries, switching is pretty academic. I don’t know too many installations that can’t be switched.”

Nova’s company Web site and some complex development servers were changed from IIS to iPlanet in 2000, long before Code Red and Nimda appeared. IIS, Carter says, went down four to five times a day from hack attempts. Besides using two to three days of work, the switchover cost was $1,500 for a Netra server from Sun. Even if you buy Carter’s view, his point may be moot. With little or no appreciable Code Red/Nimda fallout, Microsoft dodged yet another bullet. The company freely admits IIS 5.0 and older had more holes than Swiss cheese. The current IIS patch rolls about a dozen fixes into one.

In one of his famous e-mail memoranda, chairman Bill Gates in mid-January called on all Microsoft employees to make the security of the company’s software a top priority. The clearest test of Microsoft’s emphasis on security will come later this year with the sixth release of its Internet server software.

If 6.0’s security is faulty—or if it’s not on par with that of its rivals—Microsoft might not be so lucky the next time around.