Microsoft IIS: Fight or Switch?

Microsoft's Internet Information Server was hit by worms, but everything's OK now. Oh, really?

Last year's Code Red and Nimda worms hurt Microsoft's prestige and raised questions about the company's ability to conquer the security flaws plaguing its Web server and e-mail software.

The worms caused servers to crash or to be taken out of service for purging at thousands of companies. But Microsoft sailed through the ordeal materially unscathed. Mass defections from Microsoft's Internet Information Server (IIS) to rivals such as market leader Apache did not materialize.

Users shunned expert advice urging them to stop using the Internet server software. John Pescatore, research director for Internet security at IT research consultancy Gartner Inc., was among IIS's most vocal critics. His advice to jump ship was tantamount to a public flogging for Microsoft.

IIS suffered a dip in actively used servers from July through September 2001, when the worms took their toll, but came back strong in the last two months of the year. According to server-tracking firm Netcraft, IIS picked up a full point of Web server share in November and December, ringing out the year with 30.75% of the market, while leader Apache dipped a slight 0.31% to 56.5%.

Pescatore now says he advised companies to switch to a more secure server only if the ongoing risk and post-breach cleanup of IIS justified the transition costs.

"For 90% of organizations, the cost of switching was way too high," he says.

There is no average cost of switching, but when an IIS server is running complex Active Server Pages (ASP), the application is tied to the IIS runtime, and the porting work can be counted in man-years. "That can be $200,000 per application and is very difficult," Pescatore says. But the problem of switching server platforms isn't just cost.

"It's functionality. IIS is part of the package along with SQL Server for our course selection, registration and alumni systems," says Kevin Baradet, network systems director at Cornell University's S.C. Johnson School of Management. "When we buy the package, it comes designed to use those products, and we're not going to mess with them. You can't switch."

Why? Disruption, risk, technical incongruities and cost generally preclude such a move. Most Microsoft customers feel—rightly or wrongly—locked into IIS.

Microsoft's competitors tried to exploit IIS's black eye, claiming corporate defections were substantial. But its three main rivals, Zeus, Apache and iPlanet, could produce but one name of an IIS defector who'd speak on the record. They talked the talk but couldn't walk the walk.

Fear itself
Peter Carter, enterprise service manager at systems integrator Nova Networks in Ottawa, says fears about switching are unfounded, if proper analysis is applied.

"There are two problems: ignorance and inertia. Once you have a certain path, it's really tough to change everything, but if you truly know your boundaries, switching is pretty academic. I don't know too many installations that can't be switched."

Nova's company Web site and some complex development servers were changed from IIS to iPlanet in 2000, long before Code Red and Nimda appeared. IIS, Carter says, went down four to five times a day from hack attempts. Besides two to three days of work, the switchover cost was $1,500 for a Netra server from Sun.

Even if you buy Carter's view, his point may be moot. With little or no appreciable Code Red/Nimda fallout, Microsoft dodged yet another bullet. The company freely admits IIS 5.0 and older had more holes than Swiss cheese; the current cumulative IIS patch rolls about a dozen fixes into one.

In one of his famous e-mail memoranda, the "Trustworthy Computing" memo of mid-January 2002, chairman Bill Gates called on all Microsoft employees to make the security of the company's software a top priority. The clearest test of Microsoft's emphasis on security will come later this year with the sixth release of its Internet server software, IIS 6.0.

If 6.0's security is faulty, or if it's not on par with that of its rivals, Microsoft might not be so lucky the next time around.