Thoughts on IIS Security vs Apache, Part 3


Ok… I’m sure the zealots will eventually come tar and feather me and distort the conversation I started in this blog entry, but I will risk it anyway… I dislike biased and incomplete rationales.


Comment:


I’ve worked with both and while I haven’t had many security scares with either, I’d lean towards employing Apache as my server of choice. The White House uses it, ESPN, CNN, and E-Trade use it. That should answer those that just follow what big entities do. The second reason would be that it’s free, why pay for a Windows license (unless you already have one). Third, the bulk of the web server related worms out there are written to exploit IIS vulnerabilities. Don’t expose yourself to that potential risk.


Response:


True, some people are leaders, others are followers…


I think that both platforms, IIS6 and Apache, are viable to depend on. However, the reasons you give – “everyone is doing it”, OS license cost, and Security Worms – are not really reasons one should base decisions on.


I think that the web applications which you deploy should dictate the platform choice between IIS6 and Apache.


“Everyone is doing it”


For example, it makes no sense to deploy Apache if you want to use Sharepoint and Office integration or workgroup collaboration… regardless of whether the White House or ESPN uses Apache.


Besides, plenty of big names run on IIS6 – NASDAQ and BankOne, for example. So, I do not buy the high-school-esque argument of “everyone is doing it”. 😉 I hope you are not interested in having others make decisions for you?


It’s “Free”


Regarding price – I do not focus on cost of acquisition as a determining factor since it is only one component of overall cost of ownership.


For example, which mortgage is “better” overall – one that has zero down but $2K/month payment, or one that requires 20% down but $1K/month payment? It depends on how long you intend to pay the mortgage… and NOT whether one is zero down.


Zero down is a deciding factor only when you have no money on hand… but of course it also restricts your choices and opportunities. So, one cannot say that “lack of Windows license acquisition cost” is a reason to choose a platform. Maybe you get a better long-term deal if you pay some money down – would you still go with zero-down or try to scrounge together some money? Depends on the individual circumstances…


In other words:



  • If you already have Windows sysadmins, why would you deploy Apache on Linux and require either re-training or hiring additional Linux sysadmin?
  • Where would you get guaranteed on-going support and how much does it cost? No business should run on an unsupported platform – you either pay to have support in-house or external contract, but it is a definite recurring cost.
  • What about application development costs? System maintenance/upgrade/patching costs (no software system is perfect or 100% secure)?

Frankly, one cannot make a comprehensive cost argument by merely focusing on one component of cost. It’s like saying “two nickels are worth more than one quarter because two is bigger than one”. You focused on quantity and forgot about the “denomination” component of monetary worth.


All I am saying is that cost of acquisition is not a determining factor… lots of other things are involved when it comes to cost of ownership, and organizations have different ability to cope with each.


IIS is an Insecure Target


Ok, this statement is just sound-bite rhetoric and boils down to: “IIS is insecure and there are worms targeting it, so don’t expose yourself to potential risk and use Apache”. Plausible statement… but let’s look at its various facets objectively…


First, you need to come to the modern era and look at IIS6 vs Apache when it comes to security. I will let the numbers and the discussion thread do the talking:



As for “there are worms targeting it”… the “IIS worms” you talk about are all 5+ years old and basically irrelevant for IIS6, and I am not aware of any worms effective against IIS6… so what worms and risks are we talking about? The hypothetical ones from hackers, you say?


Well, I guess there is an implicit assumption that hackers write worms to primarily target IIS and not Apache, but is that really true? Hackers go for low-hanging fruit and attack whatever is easiest to achieve their objectives, and IIS4/5 are easy. IIS6 raised the bar significantly and likely led to a direct drop in attack interest, worms, etc… as hackers moved to other low-hanging fruit.


At the end of the day, the more interesting determinant is probably the “security” of the platform and not the “risk”… because risk is simply a component in the calculation of security. Risk always exists, but without a vulnerability, the risk cannot turn into an exploit and cause damage that affects the security of the platform. In other words, suppose that a platform has very low risk but a huge set of vulnerabilities… then even a tiny amount of risk results in a large number of exploits and decreases the security of the platform. At the same time, if the risks are high, your vulnerabilities had better be low to control exploitation and damage to platform security.


Thus, I would not focus on simply decreasing risk but rather increasing security. As mentioned earlier, Security is a combination of Software, Configuration, and Policy, and I believe that the numbers support a statement like “from the Software perspective, IIS6 is comparable to Apache”… and assuming equal competence at configuration and policy, Security is really not a determining factor between IIS6 and Apache. Go read Gartner Group on IIS6 if you’d like…


Conclusion


I do not believe any of the three “reasons” are determinants in making a platform choice. IIS6 and Apache are both fine platform choices.


Instead, I believe that the web application should determine the platform. I am not going to make my web server decision affect how my web applications are written because ultimately, customers use web applications, not web servers.


I would rather concentrate on writing the web application in the most productive, efficient, and maintainable framework possible, and then coordinate on locating a web server platform to efficiently run and service the web application.


For example, if your web applications are using ASP.Net 2.0, I probably would not choose Apache+Mono to run it just because you run everything else on Apache. I would run it on IIS6+ASP.Net 2.0… and if you find that you are running more ASP.Net 2.0 applications, you need to evaluate your platform strategy… and not insist that application developers write less ASP.Net 2.0. The platform supports the application… not the other way around.


//David

Comments (13)

  1. John Ingres says:

    You forget one factor: bad reputation

    Previous versions of IIS were unstable, often had leaks, and servers had to be rebooted periodically. It was not patch-tuesday, but patch everyday. With lots of servers, that hurts. Maintenance cost was high too; think tens of servers, lots of patches:-(

    Patches also brought other problems and there were a LOT of IIS threats at the time.

    Sure, that was a few years ago, but people still feel the pain. Some clients just HATE IIS. I know some large clients that have enterprise policies to prevent them to install IIS for ANY reason. We lose those clients if we can’t use apache. I do prefer IIS (6), but I can’t blame them.

    If at least the name had been changed. MS changes product names so often, it is sometimes irritating. But "IIS" still lives and everybody must now forget its past sins. If you had worked with software that got you up at 3AM twice a week or worse for months, you would now use something else too.

  2. Trucker says:

    Your arguments are weak. Looks like you are arguing just for the heck of it.

    *EveryOne is doing it.

    Agreed, this should not be the deciding factor.

    *Free.

       * If you already have Windows sysadmins, why would you deploy Apache on Linux and require either re-training or hiring additional Linux sysadmin?

    This is weak; if I wish to deploy Apache, I would look for a Linux admin in the first place.

       * Where would you get guaranteed on-going support and how much does it cost? No business should run on an unsupported platform – you either pay to have support in-house or external contract, but it is a definite recurring cost.

    Apache has a vast community; apart from that, I can get support at a much lesser cost than with IIS.

       * What about application development costs? System maintenance/upgrade/patching costs (no software system is perfect or 100% secure)

    Linux upgrading hardly requires frequent reboots; this is just in contrast to Windows. Every time I have a critical vulnerability in Windows, I need to update and reboot, which adds to my downtime, which is business loss. Development cost is almost the same for Windows/Linux (mind giving me an example where development on Linux will cost more?).

    Agreed on your third point:

    Instead, I believe that the web application should determine the platform. I am not going to make my web server decision affect how my web applications are written because ultimately, customers use web applications, not web servers.

    However, if I have a linux+apache combination already installed, I would look for an app natively supported by this framework, wouldn’t I? Like if I have linux+apache installed, wouldn’t I use PHP/mod_python etc instead of ASP.NET?

    just my $0.02

  3. David.Wang says:

    Trucker –

    On Cost, I’m merely pointing out that:

    1. the cost of a sysadmin is often ignored, mostly by power-user shops who can do this stuff themselves. But most users (90+%) are not power users, so trivializing/ignoring its cost is not realistic

    2. the cost of support is often neglected or minimized in non-realistic ways. All Apache users I have encountered say that Apache Community is great if you know roughly what you are doing (i.e. power user), and I am certain for these folks support costs are small. But most users (90+%) are not power users, and they get little sympathy, spend lots of time chasing down possibilities… basically supporting themselves at their own time, which has an unaccounted cost. I’m sure that more savvy Apache users can minimize their support costs through the Community (I see the same savvy IIS users minimize their support costs through the IIS newsgroups as well), but you cannot discount its cost in general – it doesn’t work for most people. At best, I consider them equal; try the IIS newsgroups sometime and find me.

    3. Show me something comparable to VS.Net 2005 Express Editions (free), Visual Web Developer 2005 (free), and ASP.Net (free) targeting Apache/Linux. I’m not aware of any study that shows a development environment for Cold Fusion, Java, PHP, etc to be cheaper, faster, more functional, richer control, etc than Visual Studio. I’m sure you can come up with various ad hoc free environments that lower your costs, but none to the degree of cohesiveness and distribution of the various free offerings of Visual Studio 2005.

    > However, if I have a linux+apache combination already installed, I would look for an app natively supported by this framework, wouldn’t I? Like if I have linux+apache installed, wouldn’t I use PHP/mod_python etc instead of ASP.NET?

    This statement misses my point. You’re saying "if I select the platform, then it selects the technologies"… which is exactly what I am NOT saying… because you are letting the platform control the user’s web application experience.

    I’m saying "select the solution and technology, then the platform", which means you focus on satisfying your customers first, and then select the platform that satisfies those needs.

    I don’t know about you, but focusing on satisfying customers makes a lot of business sense. Selecting a platform and letting it control/influence customer experience does not make sense to me.

    For example, I contrast chase.com (uses JSP) and bankone.com (uses ASP.Net) – both under the same company now. It doesn’t take a rocket scientist to notice that the ASP.Net on IIS web application is far better than the JSP based solution. If I was Chase and thinking for the customer, I would focus on getting the ASP.Net solution more widely deployed (or at least fix the JSP solution). I would not let my backend consolidation affect the customer-facing solution.

    //David

  4. David.Wang says:

    John – I won’t say that previous IIS versions were perfect, but I’m pretty certain that bad user code caused a lot of those crashes and instabilities as well.

    PSS numbers show that 90+% of user claims of "IIS is unstable" end up being caused by 3rd party code (including user’s own code) causing issues. Of course, it is easy to blame on "IIS instability" – just like everyone blames every BSOD or application crash as "Windows is not stable" when it is usually a bad 3rd party driver causing the BSOD or just plain bad programming of 3rd party applications running on Windows.

    It is hard for me to change this perception, especially when users never believe their code is at fault… until I debug and show them proof… this is why we produce tools like DebugDiag to help users help themselves and fix their own issues…

    Microsoft Field teams know about those large customers with IIS-bans. Many are getting lifted as they re-engage with IIS6 on projects and see what they have been missing.

    While I can’t erase the past, it is always fun to talk about IIS6 because it literally sells itself… as long as the user keeps a rational, open mind.

    I know that you cannot do much about these aspects, but the situation is far from permanent…

    //David

  5. Chad Humphries says:

    Interesting discussion. In response to an earlier post I would say only that you can’t choose your OS, or development platform, based on the merits of the IDE.

    True, a great IDE helps, but many people in .NET, Java, Ruby, or a variety of other languages accomplish great things in notepad, vi, emacs, or TextMate.

    For IDEs though I’d recommend Eclipse, RadRails, TextMate, Xcode, or even WebSphere Studio depending on your language/destination in code land.

  6. Spinelli says:

    Chad (and others),

    It’s not just about the IDE, it’s about the Platform, and Platform is more than IDE or programming language.

    Developing software is much more than writing lines of code; it’s about managing requirements, versions, risks, people, budget, knowledge, extensibility, etc.

    You have to choose a platform that helps you effectively on these things, and do more with less.

    The focus is to make the customer happy.

    You can do small projects with notepad, but I don’t recommend this for the big ones.

    And first you have to know the problem to choose the correct tool to fix it.

  7. Nicholas says:

    David,

    Just wanted to say that I enjoy reading your blog, and that this is an excellent post. I have a lot of "anti-Microsoft" friends, and they refuse to touch or even look at IIS just because it is a Microsoft product.

    They think "Apache+MySql+PHP is free, what more could you need?"

    Sometimes I think they’re living in a different world, or maybe just have never worked for a corporation on a big web project.

  8. Jack says:

    Nicholas, "They think "Apache+MySql+PHP is free, what more could you need?"

    The funny part is maybe half of your friends use Windows, just like every Slashdotter posting on Slashdot and yelling Opensource; half of them are probably Windows users. LOL.

    "Linux upgrading hardly requires frequent reboots; this is just in contrast to Windows. Every time I have a critical vulnerability in Windows, I need to update and reboot, which adds to my downtime, which is business loss. Development cost is almost the same for Windows/Linux (mind giving me an example where development on Linux will cost more?)."

    really?

  9. Gareth Rowlands says:

    "I won’t say that previous IIS versions were perfect, but I’m pretty certain that bad user code caused a lot of those crashes and instabilities as well."

    I like IIS(6) but I can’t let you blame users for the bad reputation of IIS. Its reputation for instability was because it could not tolerate failures in the applications it hosted. Don’t blame the users for writing buggy code – the design of IIS was at fault. IIS3/4/5 competed with Apache and application servers that were much more stable (due to techniques that everybody knows about: process isolation and managed code). It wasn’t until IIS6 that you got this right.

  10. David.Wang says:

    Gareth – I believe both IIS and its users are to blame.

    Users are to blame for writing bad code and expecting it to magically run like good code. IIS is to blame for assuming users should write good code when in reality they write bad code.

    The net result of this is bad reputation for IIS because a lot more crashes get blamed on IIS than in reality. And since IIS is not fault tolerant enough, it deserves the reputation.

    I am simply pointing out a fact that most Customers never believe – Customers can be at fault. Yes, users are a part of the problem, and I am not afraid to say it. You simply cannot say “users are users; it’s IIS’s problem to deal with it”.

    It’s like if you drive and crash your car – is it the car’s fault for not preventing the crash, or is it the driver’s fault for not paying attention and being more careful? Yes, it’s the car’s fault if the brakes suddenly fail, but it is also the driver’s fault if they were inebriated. But the end result is an accident statistic that gets counted as “statistic” which affects the reputation of that car.

    //David

  11. Zac Bowling says:

    I should probably give a disclaimer that I’m a Mono developer here 🙂

    Support for Apache is nice though. IIS isn’t really nice for mass scale virtual hosting like Apache is. Partly because Apache can be configured via a bunch of simple text files. IIS 4 and 5 could only be administered dynamically from code with a weird COM object, and I have to give props to IIS 6 for using an easily modifiable XML metabase. Still there are some limits with security, and the complexity of setting up the security between each virtually hosted site is mind boggling and there are always issues. It seems like Microsoft’s solution is to run Virtual Server with instances of another OS to isolate security between sites, which seems to me like a last step. Also that Apache is free and runs on a free OS, with a simple configuration system, makes it easy to deploy on thousands of servers and maintain everything using a few scripts and file copies for nearly nothing more than the cost of the hardware and a few employees that know their way around a command shell. IIS is great for some John Smith out there hosting his own sites on 1 or 2 of his own servers that doesn’t want to learn a bunch and can manually change a few settings in a management GUI. However for many mass scale implementations, it starts to hurt itself with those "features" even though the server can handle the traffic. Also many old school l33t power house users can’t get over the fact that their servers are running a GUI in ring 0 and eating all their precious resources :-P. Then you are limited to 4000 virtual domains. I’ve got a server that is virtual hosting personal sites and it currently hosts over 20,000 virtual domains! Microsoft’s strategy to combat that is to support products like Community Server (Telligent was my former employer :-P) and DotNetNuke that do their own virtualized virtual hosting by inspecting the hostname in the header and loading different content internally. One site in IIS but many domains can be hosted because the asp.net does the real switching and security. GoDaddy now even hosts IIS with one of these apps because they can finally do mass scale hosting on IIS without pulling teeth or hiring tons of engineering staff to track down all the possible security issues. The problem is you’re restricted to what the app does and not to hosting your own code.

    Mono on Apache functions as an alternative. I myself work on our implementation of XSP and mod_mono (the Apache support). I can safely say that our version of ASP.NET is nearly as fast as IIS6+ASP.NET, simply because we are trying to support more and we are doing almost EVERYTHING fully managed. The one major exception is that we are using an unmanaged stream to buffer html file uploads instead of using a basic stream reader before passing to the managed backend like we used to, because we noticed that it was just too slow to even say it was usable.

    Really, all that mod_mono is, is nothing more than a glorified proxy over an internal unix or tcp socket to an instance of our fully managed asp.net runtime (aka XSP, which is also a standalone http server itself if you launch it manually) running in the background for that specific application domain/pool. It’s almost identical to tomcat and many other J2EE connectors.

    What we are trying to do is offer an alternative. The class libraries themselves are complete for 1.x (minus Passport authentication support), and 2.0 is nearly ready (we are still working on System.Configuration additions for some of the features).  However, almost all of our class libraries (with the exception of our corelib and a few of the "Mono" namespace libraries like Mono.Unix.dll and Mono.Posix.dll) will work on MS.NET, giving people an Open Source alternative to run on MS.NET.

    I know of one company that is using a modified version of our System.Web libraries on MS’s ASP.NET in IIS on Win32 simply because they wanted to change some built in "features" of the Page class and a few built in controls that were driving them nuts.

    Another company offers an implementation of ASP.NET that runs on any J2EE server. They use our ASP.NET class libraries, compiling them with a C# to Java bytecode compiler that they wrote (http://www.mainsoft.com/products/vmw_j2ee.aspx).

    Now if IIS could rip out its core, and run it on Unix/Linux (even if it wasn’t free) OR come out with a new Windows OS that lacked a GUI and changed its configuration setup and command line (Monad maybe?), it would get a massive number of supporters and raise up a few points on netcraft from being on only 20% of the web. Maybe even modifying WMI to support the computer management console across multiple machines that are running non-GUI versions of Windows at the same time? Maybe site templating with a root implementation that all sites must inherit? Maybe modifying AD to support sub-site security?

    Many thoughts…

  12. David.Wang says:

    Zac – one word – IIS7.

    IIS7 in a nutshell:

    1. A very simple and clean core (like Apache Core and APR)

    2. Loads modules for functionality (like Apache mod_*)

    3. Rehostable (i.e. if SQL or Word wanted a webserver, just pick up iiscore.dll, a config file, add your own custom modules, and go)

    4. Distributed configuration system (like .htaccess) that can be simultaneously configured via text-editor, commandline tool, Scriptable interface, and UI. Remotes over HTTP or remote process invocation.

    5. UI to support common admin scenario, including remote delegated scenario (imagine mass hosting scenario where user uses the UI to admin just their virtual site, while server admin can use the same UI to admin all virtual sites).

    In short, IIS7 takes all the parts you like about Apache, all the Windows know-how of IIS6 reliability/performance/scalability, and rolls them into one.

    For example, IIS7 makes .htaccess actually work performantly, so we turn it on by default. FileChangeNotification is wonderful and only on Windows.

    Re: Scalability

    IIS6 is actually really nice for mass scale virtual hosting. The difference between Apache and IIS on that front? People have written the modules, configuration, and cookbooks necessary for Apache to handle it, but no one has done so for IIS. So no duh, it seems hard for IIS, but it does not mean it is impossible. It’s just that hosting was never a problem that anyone wanted to solve on IIS, including Microsoft.

    But now we are paying attention and showing how to solve that problem easily with IIS6. Expect to see definite improvements and trends in the coming months. Prepare to see massive numbers of sites switching from Apache to IIS6…

    IIS6 is not limited to 4000 virtual domains. It is not limited, like Apache. You just have to configure it with similar implementation and you get the same scalability. We’ve got the ISAPI modules to show you how… just like mod_vhosting.

    It always helps to compare apples to apples.

    //David
