Thoughts on IIS Security vs Apache, Part 2

I got some interesting comments on my prior blog post, and since I started typing out a big essay in response, I figured I should just blog and link it instead. πŸ™‚


Hello, i have subscription of Redmond magainze and wow i can't believe i still remeber the artcle about Apache and IIS since the issue is dated back April 2005. anywho...

that's how some comapnies run Apache, they run it like MS ISA like the photo said a way to protect an IIS web server farm from the Internet.

It look like Apache in front and IIS at back of more secure network is very common.

forgot to add, if you like to read the article about using Apache as front use . here is the link


Thanks for the URL.

At the risk of starting a flame war (I have never met the author nor know anything about him), I have to say that in my opinion, the URL that you posted is unfortunately trivially non-substantive. It simply selectively rehashes a lot of the same words and rhetoric that has already been said the past five years, spinning the selected information in favor of the author's "point" of "there may be 6 good reasons to consider introducing/switching to Apache".

I don't know about you, but I am a simple techie, so I have no secret agenda nor care about Media/Spin. I believe in "improving technology to improve people's lives", so I believe in elucidating and explaining facts and letting them speak for themselves. Of course, I am aware of the political process and how it tends to slander and destroy voices like mine, but hey, that is why I am in Technology and not Politics; the political process mostly turns me off, but that is a whole other topic for another time... πŸ™‚

Thus, I am going to voice and add my own commentary based on the points from that aforementioned URL, against my better judgement (I really rather focus on the facts and not this commentary/opinion stuff)...

So, here goes my first big attempt at this...

40 Million Websites cannot be Wrong

Actually, the author admits that many Apache websites are held in the hands of a small number of mass web Hosters.

I think that reality is probably closer to 1000 mass web Hosters vs Fortune 1000 companies, except that each Hoster puts thousands of sites per server while Fortune 1000 companies just put up their corporate site - so it looks like millions of websites "vote" for Apache vs far fewer sites voting for IIS. These are the votes that Netcraft counts, so you can see their concern at Port80's methodology.

In other words, I do not look at the raw numbers and think "40 million websites cannot be wrong." It is like a couple thousand people which controls millions of "votes" - are those millions of votes really meaningful? Instead, I look at the number of entities that are pulling the strings BEHIND the numbers... and the competition there is a lot closer between Apache and IIS than what the numbers and media portrays.

And with efforts like Shared Hosting Accelerator for IIS6, I think that the mass web Hosting landscape is finally under contention... so stay tuned.

I run Apache because it is Secure

If you have read my earlier blog entry, you should quickly realize that this sort of statement is vacuous. Security is not just about the Software; it also involves Configuration and Policy. With IIS6, the IIS team, in conjunction with the predecessor of the Microsoft Security Business Unit, went all-out on security to analyze, understand, and quantify security, and the IIS team methodically improved and applied all aspects of the learning.

I think the proof is in the pudding, and the numbers and results have proven the approach for IIS6. Now, the author acknowledges this with numbers from Secunia, but he seems to ignore the order of MAGNITUDE less vulnerabilities in IIS6 vs Apache 2.0.x in the same comparable period of time and calls it a "mixed bag." Huh? Isn't the latest and greatest supposed to represent the current state-of-the-art? Then why is Apache 2.x regressing against Apache 1.x?

Meanwhile, he neglects to mention that Apache is the most defaced and hacked web server platform in the world in recent years... mostly due to software running on top of Apache... which definitely does not prove his point. See how Spin works? Did my statement just support or detract Apache security? Or did I do both? πŸ˜‰

Anyways, enough Spinning exercises... I think that all of the arguments simply reinforce the notion that secure Configuration is just as important as Software or Policy when it comes to overall "security." Thus, I would never heed statements such as "I run X because it is secure" or "X is more secure than Y" because those statements neglect the whole picture. Your system is as secure as the weakest link in the combination of Software, Configuration, and Policy.

More flamboyant readers may want to head over to Michael Howard's blog and read some of his past entries examining IIS/Apache security...

Customers run Apache in front of IIS to add a layer of Security

Once again, if you read my earlier blog entry, you should realize that this statement is also sketchy.

Running more code per request CANNOT make it more secure. Reducing the Attack Surface by introducing "layers" in your defenses, closing off ports and reducing exposed functionality CAN make it more secure.

Thus, putting web servers into a DMZ isolated from direct Internet access and then forwarding requests to it is a reasonable approach to improve security by layering and reducing Attack Surface, but these are general security concepts non-specific to Apache. Apache is simply one way to implement it. Simple Firewall plus URLScan can accomplish comparable goals with no extra hardware/system required. And with IIS6 on Windows Server 2003 SP1, it is all "built-in" with no extra cost.

Personally, I find this very amusing... because I don't know about you, but I find information and rationale more useful than Spin or anecdotes. I rather enlighten you with the raw facts, digested rationale, and let you make your own decisions; not spoon-feed you things that tell you how to think. πŸ™‚

Open Source "Costs" Less

Ok, this is standard rhetoric that has already been hashed over and over so I will not belabor the point. The general conclusions run something like:

  • Cost of acquisition is only part of the Total Cost of Ownership (TCO).
  • If you are already on *nix then moving to Linux on x86 is a viable cost-cutting move to take advantage of commodity hardware.
  • If you are on Windows then the migration really depends on your situation (though most of the time, TCO would favor Windows when you factor in things like training, support, migration, maintenance).

My instinct is to evaluate ALL your costs and stick with doing whatever you are most comfortable.

For example, some people say that IIS5 and Windows 2000 security is too costly to maintain, so Apache/Linux has to be cheaper. Well, what is commonly forgotten is that both are systems that need to be securely configured and maintained... and if you did not know to do this for Windows 2000, you certainly will not magically start doing so on Linux. At this point, I am willing to bet that your new system will be similarly attacked and compromised (remember, security is more than just the Software)... so is your migration worth it? Or is it cheaper to identify and quantify HOW you are insecure and address that deficiency?

Long-time readers should know that I believe the best way to address an issue is to identify the root problem and address that; then, the instance problems usually take care of themselves. Addressing the root problem is usually the most direct, fastest, and cost-effective way to resolve an issue. Thus, if your issue is that you do not know how to securely maintain an OS/Platform, then the best solution is to learn how to do it - you can then repeat that success on any platform and truly free yourself from lock-in.

I know, I know, I am not appealing to your inner penguin to bash evil Microsoft, but bear with me. πŸ™‚

Heterogenous Infrastructure is a Good Thing

This rhetoric sounds good on paper (i.e. homogenous systems are fertile grounds for catestrophic attacks, so heterogeneity must be better), but say this to any IT Administrator for networks, applications, or databases that is worth his/her salt, and s/he will probably laugh hysterically at your suggestion. Heterogenous infrastructure increases support costs, not to mention double/triple the amount of education/learning involved in maintaining and CONFIGURING multiple systems (recall that secure Configuration is an aspect of overall system security). So, the end result is really muddled: your network may not fall to one attack, but are you really safer with multiple systems, each with their own seams and incompatibilities that give attackers more Attack Surface to penetrate and more headache to you?

In my mind, it is better to stay with a homogenous but COMPARTMENTALIZED infrastructure so that you keep the best benefits of homogenous and heterogeneous systems at the same time. This way, you only have one system to learn, apply, and protect, and knowledge/skills easily scales across the entire infrastructure, but when it comes to deal with intrusions, damage is limited to compartment(s). Gee... Governments have been using this concept to protect Top Secret information for a long time; maybe the Public should consider adopting this approach when implementing security...

For example, a couple of IIS team members had a lively debate at TechEd 2005 with one customer who tenaciously defended his position of running his Web Services on multiple OS platforms, network stacks, and hardware switches simply because he did not want one single exploit to take down his entire system. Of course, the counterpoint revolved around the doubling of management, security, and configuration costs, not to mention twice the number of potential bugs in the combined system and the resulting LOWER reliability... but the notion of compartmentalized infrastructure really did not hit home. Sigh.

Another example: people nowadays like building security egg-shells - Single firewall separating the Internet from Intranet and completely unprotected machines in the Intranet because security can get in the way of productivity applications. Once you compromise the outer firewall, your internal, homogenous environment is child's play.

Now, the solution should not be to introduce Solaris, Windows, Linux, and BSD machines to make the internal environment heterogenous because that just gives the Intranet administrator MORE and DIFFERENT things to learn and secure. In my mind, it is easier to stay with a homogenous environment but make each internal machine more secure with a firewall, appropriate port/access policies, and maybe user policies that force users to login and run as non-admin... so that even if the outer egg-shell is penetrated, attackers simply find more egg-shells underneath. In other words, you get more bang-for-the-buck by focusing on introducing security layers to compartmentalize the issue of homogeneity INSTEAD of the reflexive "heterogenous infrastructure is a good thing."

Using Microsoft is lock-in and excludes other Platforms and Opportunities

Now, this is just BS... Java runs well on Windows and is supported by IIS. Microsoft is actually banned by Sun from providing such a plugin for you (remember, there was a certain lawsuit on this...), so you have to use third party plugins to do it. Java is supposed to be "Write Once, Run Anywhere" assuming you have a stable Java Virtual Machine, and Sun does provide a reference JVM for Windows, so it seems that the only exclusion going on is the Law preventing Microsoft from improving the situation, and other vendors do not seem to want Java to succeed on Windows/IIS for whatever reason. And the Customer suffers in the middle.

For example, IBM WebSphere runs on both Apache/IIS and Linux/Windows, though it definitely favors Apache since that is a platform they can control. Their ISAPI Filter plugin for IIS is really, really badly written and has not improved for years despite constant customer complaint - I had to debug it a few times and found that it does not follow basic quality coding guidelines like initializing variable values or checking for NULL pointers, etc. So, I always question their disparaging remarks/bias against Windows/IIS "crashing" WebSphere.

Why? Because I believe that Code cannot lie. Computers do exactly what program Code tells it to do, and Programmers of Organizations write the Code. The actions of the WebSphere ISAPI Filter plugin Code does not match their stated intentions... so you either fix the Code or you change your stated intentions...


Ok, that is about enough ranting from me. I will have to see how people respond. πŸ™‚

Really, I have no problems with criticisms of IIS and Security. You just have to back it up with proper support and acknowledgement of all sides of the argument, and focus on the facts!


Comments (12)

  1. Matt says:

    I think another thing favouring Apache in the Netcraft numbers are the bizarre restrictions on IIS in Windows XP. It’s next to impossible to set up a personal website at home using IIS because of them. I don’t want anyone with my IP address to know personal information so I need virtual hosts. The 10 user limit’s also a bit low. Why not make it 50 or 100? You’d satisfy your home users without seriously affecting server sales.

    I notice Vista’s a step in the right direction, but why can’t you fix the problem in XP today? People would be happier and your Netcraft figures would move a little if people didn’t have to resort to Apache hosters or Linux boxes for personal websites.

  2. David Wang says:

    Matt – Actually, IIS 5.1 in Windows XP Pro allows virtual hosts so you can use host headers to name websites. The restriction is that only one "website" can be running at any time, which should be all you need if you are running a "personal website."

    It is not certain to me what "personal information" you are trying to hide nor how Virtual Host help mask them – you MUST expose your public IP address in order for DNS to route and allow users to connect to your website.

    As for the connection limit, it is not clear why 50 or 100 is desirable. Personal websites probably do not reach the scope of needing 50 simultaneous connections (unless you are running a business, etc)… which is when we are hoping that you would switch to a business SKU like Small Business Server 2003 that gives a whole lot more for very little incremental cost.

    So, I am not certain how exactly the restrictions are causing problems for you.


  3. Matt says:

    The "personal information" is easy. My personal website contains my name. I don’t want any web admin to be able to look up that sort of information just because he’s found my IP address in his logs. (I do know there are other ways to get the same information, but it shouldn’t be that easy)

    The 10 connection limit is woefully inadequate with keep alives and possibly two connections per browser. It means you can’t reliably serve more than about 5 clients.

    I’ll half concede your point on virtual hosts. But in reality XP supports one virtual host, not virtual hosts. That means you can’t serve a personal website for more than one family member, or a personal website and a community web site, or a personal website and a test website.

    I have bought Small Business Server to solve my problems, though I think Exchange more than IIS was the reason I went that way instead of open source.

    I use IIS professionally and believe it to be superior to Apache. I just think it’s a shame the version (5.1) that most people have access to at home is so limited that it drives people away from hosting a website on it.

    If I didn’t like Exchange and didn’t have the professional exposure I do to IIS I’m pretty sure I’d switch to open source before I bought SBS.

    As an example, I work in a school where students host their own special interest forums for a couple of dozen of their peers. They’d easily reach the IIS 5.1 limits at certain times so they’re forced to use open source. A group of students using forums as a social place are not going to shell out for the Small Business SKUs. They’ll get comfortable with Apache and MySQL and possible move into the workplace promoting them.

    I think your losing mind share and market share by setting the IIS 5.1 limits so low. From what I’ve heard there is some recognition of that and Vista will be more generous, but you’re already losing people on XP today and that could be undone with a hotfix.

  4. David Wang says:

    Matt – I still do not see how Virtual Hosts help. It sounds like you both browse and serve websites from the same machine/IP, which makes that lookup easy. The only solution is to make those two IP different at the networking layer and then bind the website to one IP and browse with the other IP… but what does that have to do with Virtual Hosts, which is a IP:HostHeader to physical directory mapping?

    RE: the limits – thanks for giving me scenarios and a name to lend weight to my arguments. I actually think the limits in the Pro SKUs are silly because they hamper the Professional developer and the Hobbyist who buy it from using it effectively.

    – Consultants cannot work on >1 website for Clients without a whole bunch of contortions.

    – Students can only develop their own single website and cannot host/test for others.

    – Families can only run one website and not for each family member.

    Though some of the scenarios have work-arounds now. Consultants carry around Virtual PC on their XP Pro laptops and run server SKU inside the Virtual PC to demo/develop. But the Student/Family/Hobbyist audience is still neglected.

    I think that Mind-share is more dictated by technologies like ASP.Net and PHP and less by servers like IIS/Apache, and they drive the adoption/sales. Unfortunately, there is a bunch of business people to convince about these things – we in the product group are unfortunately not in control of these decisions, especially in IIS where people just expect us to be there and "work."


  5. exportgoldman says:

    People use Apache because it’s free, very easy to use, configure and migrate to different networks (copy the ini file and content.) Yes, I know if you buy the latest version of Windows/IIS you get the XML config – but you still have to BUY it on the old and new server to easily migrate, otherwise it’s the metadata binary config file, and registry settings.

    Why not get Apache, hit next 5 times, and have UNLIMITED connections? for free?

    Oh, and the whole security bulletin thing, it’s very hard to track now Microsoft does not release a single bulletin for a single security hole, take bulletin MS04-011 it’s got 14 different holes which are patched.

    For those which have been in the industry long enough to remember back to 1999, Microsoft nearly tipped 100 bulletins, freaked out and started ‘bundling’ as many security holes into one bulletin, the press looked at the raw bulletin numbers and noticed microsoft has been getting more secure.

    my own trials with apache (and I’m a Microsoft man through and through) begin about 18 months ago, after I wanted to run a web site on my laptop (sharing files at client sites without the pain of SMB) I gave apache a go, and remember 4-5 bulletins for IIS came out in the time apache released NONE. I had to go recheck my subscription to Apache’s security list to make sure I was ON IT, thats how little security traffic there was.

    Question, if Apache is more insecure than IIS, where’s it’s Code Red? proof is in the pudding my friend.

    Oh, and when are you going to fix the 20 UNPATCHED security holes in IE?


    I guess IE is MORE SECURE because there are LESS security bulletins for IE than firefox?

    It’s simply not a case of you FAILING TO PATCH YOUR PRODUCTS?

    Some of the 20 security holes in IE have been unpatched for MORE THAN A YEAR!

  6. David Wang says:

    exportgoldman – I have no idea why you are:

    – digressing back to the past

    – digressing to IE when the context is IIS

    – digressing into an "X is more/less secure than Y" argument

    I am only pointing out that security of Software is only part of what people perceive as security, so one should never accept an argument of "X is more secure than Y" as sufficient.

    You may want to post your IE-comments to the IE Team blog ( ) so that positive actions may take place.

    You may want to post the Security Bulletin counting question and Apache security list traffic comparison to Michael Howard’s blog ( ) so that positive actions may take place.


  7. Jack says:

    David, good stuff but as you can see from others comment. the "image" of Microsoft software being secure is a long way to go.

    i’ve two dedicated windows servers for sharehosting and i know a lot of sharehost providers will not touch IIS because they all have this "image" of insecure windows/iis

    i think Microsoft have a long way to go if they try to shake it off this "image". Opensource on the other hand have no problem. people alway think opensource is secure because the source code is free for anyone to check.

    p.s. let’s not forget Gartner Group telling people not to touch IIS. that was quite damaging to Microsoft.

  8. David Wang says:

    Jack – yeah, I understand the image and perception issues suffered by IIS4/IIS5 and how it will take IIS6 a long time to repair.

    But, I come from a technical background, so I look past all the marketing/media Spin, emotional knee-jerk rants, image/perception issue, etc , and I look directly at the issue of what makes a system Secure… because at the end of the day, most of the arguments, perceptions, and emotional choices are just feel-goods that do not tell you anything about sound Security practices and decisions and cannot consistently produce results. However, understanding and practicing sound Security decisions will consistently produce results.

    So, regarding Security, I have no interest in a tit-for-tat battle of history (IIS5 vs Apache 1.x), numbers (patch counts, security bulletins), or image (Gartner) because they are just sideshow distractions. People can go elsewhere to vent their opinions.

    I am simply pointing out that the Security of a system is more than just Software. It involves Configuration as well as Policy, and the effective Security of a system is the weakest link amongst all those facets.

    So, I pity the people that choose X simply because they heard it was more secure – and forget to Configure X securely and still get hacked. It is only through those painful lessons that they will hopefully come back around and heed suggestions like mine. And I really do not care whether they choose Apache, IIS, or any other web server – I just want to make sure they choose wisely and know how to build their system securely, and I am glad to help in whatever way I can.


  9. exportgoldman says:

    I point out the IE unpatched holes, because it begs the question that if Microsoft is UNABLE to patch holes in IE AFTER A WHOLE YEAR of it being discovered, what David, do you think the chances are that the same company is brushing under the rug security holes in their other products like IIS

    You failed to understand my point of Apache security bulletins.

    THERE WERE NONE in the time IIS had FOUR. There were SO LITTLE I thought my email was broken. Get it?

    You say you pity the people that choose X simply because they heard it was more secure – and forget to Configure X securely and still get hacked.

    What you don’t realise is that apache has BEEN secure BY DEFAULT, by DESIGN since since version 1.

    ONLY NOW has Microsoft ‘innovated’ this idea that OH MY GOD a web server should be SECURE BY DEFAULT.

    So, really you are only paying pitty on the fools which purchased IIS3, IIS4 and IIS5 right?

    OK Lets compare your CURRENT Web Server SKU "Windows Server2003, Web Edition" How MANY holes have been found and have to be patched on the product you purchase from Microsoft to stick on the net and dish out web pages.

    Theres 73 Security Bulletins. Yes, thats right, 73. Sure some are Minor, but thats still a HUGE number in your current web server solution.

    And Remember, thats not security holes, on no people, because Microsoft role and whole bunch of security fixes into one bulletin.

    Try this at home kids. Go to

    and select "Windows Server 2003, Web Edition"

    Look David, Microsoft makes some good software, I sell their products every day. But Apache has the edge over you.

    Why would I use a product that LIMITS me, unless I pay 10x more for the server version, and then have to manage these security bulletins, when I can put apache on a server, it’s secure by default and even blocks known exploits in Windows, yes David, you heard that right, Apache actually write blocks to guard against known security holes in Windows.

    Now thats secure by default.

  10. David Wang says:

    exportgoldman – You make good points, but unfortunately, you seem to misunderstand me. You seem to assume that since I was not pro-Apache that I must be attacking it, but that is far from reality.

    I simply want to point out that Security consists of three facets and that "Security" is the weakest link amongst those three facets.

    Thus, when an author gives numbers that say one thing but refuse to acknowledge it, that is Spin. When I bring out the fact that Apache is the most hacked platform… because of what runs on top of it, I acknowledge that Apache core is secure but the layers on top of it foul things up. I still have no idea why you jump into a tirade which only focus on Apache++ and MS– .

    – I now see why we are misunderstanding over IE/IIS. Unknown to you, IE and IIS have separate security teams and engagement models (there is a third team responsible to be public-facing and coordinates traffic to/from the right teams). So honestly, I know nothing about IE’s model nor how they decide to patch/not-patch, but I can say that IIS does NOT brush anything under the rug.

    – Unfortunately, the Security Bulletin numbers say nothing other than that no platform is 100% secure. I hope you agree that the "numbers" can vary depending on the time-period that you sample for Apache 1.x, Apache 2.x, IIS4/5, and IIS6. For example, by looking at 1999 and 2004 we can draw two different conclusions if we are just fascinated by the numbers.

    I only treat the numbers as a sign that improvements are still needed. By everyone.

    – Please keep the discussion to just IIS/Apache. If you want to bring in Web Server SKU, then you must bring in comparable *nix distro. I believe the numbers will still be quite comparable, so your point is purely sensationalism.


  11. exportgoldman says:

    I did some more research and have found your right, IIS6 has a very good record on security. Well done.

    I’ll tell you why I still run Apache:

    Don’t need a Windows Server license for more than 10 connections

    Easy to migrate between machines (config is a ini file) How do you export ALL the IIS Settings which hide in the registry and config files for IIS?

    You still have a horrific record for security in your other products, and so the Microsoft brands products get tarnished with the same brush.

    I look at IE/XP etc and see bulletins coming out each month for those, and the record levels of spyware – and assume Microsoft can’t code secure products.

    To make people realise IIS is secure is a hard sell – I didn’t realise theres only 2 bulletins out for it.

    But I think the main reason people run Apache is because it’s cool.

  12. David Wang says:

    exportgoldman – Thanks for the acknowledgement for IIS6.

    Regarding IIS settings – some history:

    – Since IIS6, IIS settings are no longer obeyed from the Registry. For legacy reasons, there are various Registry Keys specific to hotfixes or corner-case that are still read from the Registry but not necessary for core functionality (unless you required them before – but you’d know about them already), but IIS6 basically has no configuration hiding in the Registry.

    – IIS configuration used to all be in the Registry, then IIS4 introduced the Metabase (which is basically IIS-specific Binary Registry File that is encrypted with the machine’s private key, one of the reasons why the file is machine-specific and resistant to copying between machines so you cannot extract username/passwords).

    – In IIS6, we moved configuration into an XML file to help with human/machine manipulation, but the machine-specific encryption still remained, though you can run commandline tools to backup/restore to move configuration between servers

    – In IIS7, we have a configuration file that has no machine-specific information nor encryption. Basically adopting the ASP.Net .config system and using built-in "nobody" accounts, etc, so that you can copy/deploy configuration as a file alongside your application (of course, with a richer delegation/locking/extensibility model than .htaccess delegation).

    So, no, I do not expect you to switch, but if you ever decide that you want to run ASP.Net pages or extend the web server behavior by writing a module, I believe you will find the IIS7 experience superior to Apache. πŸ™‚

    Fair competition is always a good thing. It makes the products tune toward what the customer base wants.

    RE: Security

    I tend to think that Security is a hard concept for most developers to understand in the software industry, Open Source included (I’m not talking about security record/numbers; I’m talking about understanding of what it means to write secure code).

    As for the security record, I only see it as an opportunity for the entire software industry to improve. Microsoft gets the spotlight due to marketshare, but there is no way you can convince me that Microsoft is the only one with security issues (it may be the only one the Media focuses on), or that Open Source produces vulnerability-free products (even Apache and Firefox has bad ones, you have to admit). Thus, there are definitely improvements to be made everywhere by everyone, so what is interesting to me is what software security will look like in five, ten, fifteen years.

    And the sort of things happening in IE7, Windows Vista, etc make it clear that your current and future security complaints will be a thing of the past within a short time. Running IE as untrusted and not having users run as Administrator should single handedly fix most of the issues. Actually, you do not even need to wait, you can run in that mode right now on WXP/WS03 – I already do and I know it works well – so I look forward to seeing the general public experiencing the same.


Skip to main content