Microsoft IIS: Fight or Switch?
Microsoft's Internet Information Server was hit by worms, but everything's OK now. Oh, really?Last years Code Red and Nimda worms hurt Microsofts prestige and raised questions about the companys ability to conquer the security flaws plaguing its Web server and e-mail software. The worms caused servers to crash or to be taken out of service for purging at thousands of companies. But Microsoft sailed through the ordeal materially unscathed. Mass defections from Microsofts Internet Information Server (IIS) to rivals such as market leader Apache did not materialize.
Users shunned expert advice urging them to stop using the Internet server software. John Pescatore, research director for Internet Security at IT research consultancy Gartner Inc., was among IIS most vocal critics. His advice to jump ship was tantamount to a public flogging for Microsoft.
Peter Carter, enterprise service manager at systems integrator Nova Networks in Ottawa, says fears about switching are unfounded, if proper analysis is applied. "There are two problemsignorance and inertia. Once you have a certain path, its really tough to change everything, but if you truly know your boundaries, switching is pretty academic. I dont know too many installations that cant be switched." Novas company Web site and some complex development servers were changed from IIS to iPlanet in 2000, long before Code Red and Nimda appeared. IIS, Carter says, went down four to five times a day from hack attempts. Besides using two to three days of work, the switchover cost was $1,500 for a Netra server from Sun. Even if you buy Carters view, his point may be moot. With little or no appreciable Code Red/Nimda fallout, Microsoft dodged yet another bullet. The company freely admits IIS 5.0 and older had more holes than Swiss cheese. The current IIS patch rolls about a dozen fixes into one. In one of his famous e-mail memoranda, chairman Bill Gates in mid-January called on all Microsoft employees to make the security of the companys software a top priority. The clearest test of Microsofts emphasis on security will come later this year with the sixth release of its Internet server software. If 6.0s security is faultyor if its not on par with that of its rivalsMicrosoft might not be so lucky the next time around.