Gartner to IS managers: Drop IIS

On the heels of the Code Red and Nimda worms that plagued the Internet – and especially Microsoft Corp.’s IIS (Internet Information Server) systems – over the last few months, research firm Gartner Inc. released a report last week suggesting that users and companies “immediately investigate alternatives to IIS” because other Web server applications have better security records.

Although a good deal of frustration and anger has been vented at Microsoft as worms and viruses have proliferated through its products, analysts and many IIS users sharply disagree with Gartner.

IIS is used by an estimated 6 million Web sites worldwide. Because of the frequent discovery of security vulnerabilities in the software, those Web sites are constantly open to new attacks. About a dozen security flaws affecting IIS or various additional components of the software have been discovered in 2001. Microsoft offers frequent patches for these flaws on its Web site and has a large network of support personnel who work with customers to communicate needed information about patches. Nevertheless, most of the major worms that have caused trouble in 2001 have exploited problems in IIS.

Gartner’s recommendation was released in the same week as the Nimda worm, which used months-old vulnerabilities in IIS, Microsoft’s Internet Explorer Web browser and other software to spread to tens of thousands of computers in a matter of hours and degraded Internet performance for a time. The Code Red worm, which infected hundreds of thousands of IIS systems in July and August, also crept into servers that didn’t possess a patch released in June.

IIS’ central role in these incidents, and the need for constant patching of other Microsoft products, led Gartner to its recommendation, which was written by Information Security Strategies analyst John Pescatore. (Pescatore did not return calls requesting comment for this story.) Because of these worms and the need for patches to combat them, using IIS is both labor-intensive and resource-intensive, as well as risky, Pescatore wrote. In addition, the high visibility of IIS as a Microsoft product makes the software a bigger target for attack, he wrote. So, until a new version of IIS has been written from the ground up and publicly tested (an event Pescatore doesn’t expect to see before the end of 2002), companies should seek out alternatives to IIS, he wrote.

Not surprisingly, Microsoft disagrees with Pescatore’s recommendation, but many users and analysts have also come to the Redmond, Washington-based company’s defense.

“The Gartner recommendation ignores the fact that security is an industrywide issue and that serious security vulnerabilities have been found in all Web server products and platforms,” including IIS, said Jim Desler, a spokesman for Microsoft. IIS is “as secure as our competitor’s products,” he added.

Some users questioned Gartner’s conclusions as well as the security procedures used by companies that were infected by Nimda, Code Red and other worms despite patches being available.

“If my IS director failed to keep patches up to date, then we, to put it mildly, would have ‘a little chat’ about his/her future,” wrote Joe Everett, a senior software engineer in the Extended Care Solutions Group at McKesson Corp., a health care services company, in an e-mail to the IDG News Service.

“(Gartner’s) logic is completely flawed. Since the patches that protect against both Code Red and Nimda were publicly available well before either of these worms struck, it seems that enterprises that were struck by these viruses might do better to first consider an alternative to their server administrators,” wrote John Kenyon, president of e-commerce and Web services company FreshSpark Inc., in an e-mail.

Some of Pescatore’s colleagues in the analyst community agree with Everett and Kenyon.

“If security is ever going to really be an enabler (of new products, services, etc.), we can’t say ‘stop using software solutions,’ ” said Pete Lindstrom, an analyst with Hurwitz Group Inc.

“We have to figure out a new paradigm” to allow users to get the features they need from their software while still being secure, he said. The cycle of patches and human administration may not be the answer. The future may lie with managed security services and software add-ons to IIS offered by companies such as eEye Digital Security Inc., Sanctum Inc. and Entercept Security Technologies Inc.

Another analyst who doubts all the blame ought to be laid at Microsoft’s feet is Forrester Research Inc.’s Frank Prince.

“People attack systems that are broadly deployed,” Prince said. A comparison between Web server packages that doesn’t attempt to take into account how their security would hold up with equal installation is misleading, Prince said, though he noted he has not seen Gartner’s report. Switching from one platform to another may not improve security, since whichever platform is the most widely used will be the most often attacked, he said.

“Firms have risk with the high-profile platforms no matter who built them,” he said.

Not all users are convinced, though. In an e-mail, Dave Knake, an employee of Apex Software Inc., decried what he said is a confusing system for identifying what patches are to be used for which versions of Microsoft software. In addition, applying the patches is time-consuming, he said. Knake added that some Microsoft utilities for tracking patches give incorrect information and that patching servers requires a reboot, which means downtime for a server and possibly any Web sites it hosts.

“In my opinion, Microsoft should begin to feel the pain from bad press, complaints from business, complaints from home users and refusal to buy additional products until Microsoft proves they care by taking real action to stop malicious code,” he wrote.

Phil Frisbie, Jr., who runs what he describes as a hobby site using IIS, is planning to switch to Linux when he buys a second server for his site.

“I look forward to not patching NT/IIS every month (or more),” he wrote in an e-mail message.

Hurwitz’s Lindstrom doesn’t believe that the Gartner report will necessarily lead to many IIS users switching platforms.

Companies have substantial investments in their software and applications and it is “completely unreasonable to believe that you could just do that” easily, he said.

Microsoft wasn’t surprised by the criticism, as it comes in for its fair share, said company spokesman Desler.

“We’re an industry leader. We’re held to a higher standard. We understand that and accept that responsibility,” he said, adding that the company is constantly working to upgrade security in all its products.

And it better.

“We’ve got many more problems looming on the horizon if we don’t change the paradigm (of how we think about and administer security),” he said.

Gartner, in Stamford, Connecticut, is at

Microsoft is at