Thoughts on IIS Security vs Apache, Part 3

Ok... I'm sure the zealots will eventually come tar and feather me and distort the conversation I started in this blog entry, but I will risk it anyway... I dislike biased and incomplete rationales.

Comment:

I've worked with both and while I haven't had many security scares with either, I'd lean towards employing Apache as my server of choice. The White House uses it; ESPN, CNN, and E-Trade use it. That should answer those that just follow what big entities do. The second reason would be that it's free: why pay for a Windows license (unless you already have one)? Third, the bulk of the web-server-related worms out there are written to exploit IIS vulnerabilities. Don't expose yourself to that potential risk.

Response:

True, some people are leaders, others are followers...

I think that both platforms, IIS6 and Apache, are viable to depend on. However, the reasons you give - "everyone is doing it", OS license cost, and Security Worms - are not really reasons one should base decisions on.

I think that the web applications which you deploy should dictate the platform choice between IIS6 and Apache.

"Everyone is doing it"

For example, it makes no sense to deploy Apache if you want to use Sharepoint and Office integration or workgroup collaboration... regardless of whether the White House or ESPN uses Apache.

Besides, plenty of big names run on IIS6 - NASDAQ and BankOne, for example. So, I do not buy the high-school-esque argument of "everyone is doing it". ;-) I hope you are not interested in having others make decisions for you?

It's "Free"

Regarding price - I do not focus on cost of acquisition as a determining factor since it is only one component of overall cost of ownership.

For example, which mortgage is "better" overall - one that has zero down but $2K/month payment, or one that requires 20% down but $1K/month payment? It depends on how long you intend to pay the mortgage... and NOT whether one is zero down.

Zero down is a deciding factor only when you have no money on hand... but of course it also restricts your choices and opportunities. So, one cannot say that "lack of Windows license acquisition cost" is a reason to choose a platform. Maybe you get a better long-term deal if you pay some money down - would you still go with zero-down or try to scrounge together some money? Depends on the individual circumstances...

In other words:

  • If you already have Windows sysadmins, why would you deploy Apache on Linux and require either re-training or hiring an additional Linux sysadmin?
  • Where would you get guaranteed on-going support, and how much does it cost? No business should run on an unsupported platform - you either pay for in-house support or an external contract, but it is a definite recurring cost.
  • What about application development costs? System maintenance/upgrade/patching costs (no software system is perfect or 100% secure)?

Frankly, one cannot make a comprehensive cost argument by merely focusing on one component of cost. It's like saying "two nickels are worth more than one quarter because two is bigger than one". You focused on quantity and forgot about the "denomination" component of monetary worth.

All I am saying is that cost of acquisition is not a determining factor... lots of other things are involved when it comes to cost of ownership, and organizations differ in their ability to cope with each.

IIS is an Insecure Target

Ok, this statement is just sound-bite rhetoric and boils down to: "IIS is insecure and there are worms targeting it, so don't expose yourself to potential risk and use Apache". Plausible statement... but let's look at its various facets objectively...

First, you need to come to the modern era and look at IIS6 vs Apache when it comes to security. I will let the numbers and the discussion thread do the talking:

As for "there are worms targeting it"... the "IIS worms" you talk about are all 5+ years old and basically irrelevant for IIS6, and I am not aware of any worms effective against IIS6... so what worms and risks are we talking about? The hypothetical ones from hackers, you say?

Well, I guess there is an implicit assumption that hackers write worms to primarily target IIS and not Apache, but is that really true? Hackers go for low-hanging fruit and attack whatever is easiest to achieve their objectives, and IIS4/5 are easy. IIS6 raised the bar significantly and likely led to a direct drop in attack interest, worms, etc... as hackers moved to other low-hanging fruit.

At the end of the day, the more interesting determinant is probably the "security" of the platform and not the "risk"... because risk is simply a component in the calculation of security. Risk always exists, but without a vulnerability, the risk cannot turn into an exploit and cause damage that affects the security of the platform. In other words, suppose that a platform has very low risk but a huge set of vulnerabilities... then even a tiny amount of risk results in a large number of exploits and decreases the security of the platform. At the same time, if the risks are high, your vulnerabilities had better be low to control exploitation and damage to platform security.

Thus, I would not focus on simply decreasing risk but rather increasing security. As mentioned earlier, Security is a combination of Software, Configuration, and Policy, and I believe that the numbers support a statement like "from the Software perspective, IIS6 is comparable to Apache"... and assuming equal competence at configuration and policy, Security is really not a determining factor between IIS6 and Apache. Go read Gartner Group on IIS6 if you'd like...

Conclusion

I do not believe any of the three "reasons" are determinants in making a platform choice. IIS6 and Apache are both fine platform choices.

Instead, I believe that the web application should determine the platform. I am not going to make my web server decision affect how my web applications are written because ultimately, customers use web applications, not web servers.

I would rather concentrate on writing the web application in the most productive, efficient, and maintainable framework possible, and then coordinate on locating a web server platform to efficiently run and service the web application.

For example, if your web applications are using ASP.Net 2.0, I probably would not choose Apache+Mono to run it just because you run everything else on Apache. I would run it on IIS6+ASP.Net 2.0... and if you find that you are running more ASP.Net 2.0 applications, you need to evaluate your platform strategy... and not insist that application developers write less ASP.Net 2.0. The platform supports the application... not the other way around.

//David