In a recent newsletter item discussing the security vulnerabilities of Microsoft IIS, Timothy Dyck asked readers to relate their experiences with the server. The responses were as impassioned as they were many. IT managers are clearly fed up, but do they have to take it anymore? Following is a sampling of the e-mails Dyck received. For eWEEK Labs' in-depth analysis on the realities of switching from IIS and, conversely, the means of hardening the system, go to www.eweek.com/article/0,3658,s%253D1884%2526a%253D17362,00.asp.
I think it's time for a change. I inherited a small network running BackOffice, and even though I've managed to minimize the disruptions to our IIS and Exchange servers, I do have other things to do during the day. There are two Linux test boxes on my desk as I write this, but, contrary to what the Microsoft haters say, it may not be worth the effort. Two boxes, three NICs, two different distributions, no network yet. But I have to do something, so I'm waiting for UPS to bring a box of goodies for my next assault on an Apache test box.
I have to say I've been on IIS and ASP for years, and I'm currently looking into PHP solutions in an attempt to migrate toward Apache and eventually Linux.
Right now, I barely cope. I get the IIS security patch e-mails and install the patches ASAP. Somehow, I still managed to get infected with Code Red II. Thankfully, I spotted and fixed it one day before Nimda hit, and I've avoided Nimda. What I'd really like to do is get Apache and IIS running side by side, and gradually migrate my websites to Apache.
The problem, of course, is rewriting ASP pages. I don't want to do that, so they'll stay in ASP for now. Choosing Microsoft four years ago sure seemed to make sense ;-(
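One way to run the two servers side by side during the kind of gradual migration this reader describes, as an added example that is not from the letter writer or from eWEEK: Apache 2.4 (the Win32 port, with mod_proxy) takes port 80, serves the pages that have already been moved from its own document root, and forwards the paths that are still ASP to IIS. IIS is assumed to have been rebound in its site properties to 127.0.0.1 port 8080 so that it is no longer reachable from the Internet directly; the host name, directory paths, the /legacy/ prefix and the port are placeholders.

```apache
# Added example: Apache 2.4 front end on port 80; IIS assumed rebound to 127.0.0.1:8080.
# Host name, paths, the /legacy/ prefix and the port are placeholders for this illustration.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Listen 80
ServerName www.example.com

# Never act as an open forward proxy; only the explicit ProxyPass rules below apply.
ProxyRequests Off
# Pass the original Host header through so ASP pages build the right absolute URLs.
ProxyPreserveHost On

# Pages already migrated (static HTML, PHP) are served from Apache's own tree.
DocumentRoot "C:/Apache24/htdocs"
<Directory "C:/Apache24/htdocs">
    Options -Indexes -Includes
    AllowOverride None
    Require all granted
</Directory>

# Sections still in ASP are handed to IIS on the loopback interface only.
# Move a section out of this list once it has been rewritten and placed under htdocs.
ProxyPass        /legacy/ http://127.0.0.1:8080/legacy/
ProxyPassReverse /legacy/ http://127.0.0.1:8080/legacy/
```

With this arrangement the only listener exposed on port 80 is Apache; worm traffic aimed at IIS over the public interface never reaches it, while the ASP sites keep working until each one is rewritten and its ProxyPass line removed.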
I, too, am severely disappointed with IIS and the constant vigil we are faced with to make and keep it secure. So we have taken steps to remove IIS servers from direct contact with the Internet. What we do is implement firewalls between the servers and the Internet in an attempt to keep them free of direct attacks. We also use e-mail clients like Eudora instead of Outlook, and third-party calendars to take the place of most Exchange features. A great firewall we have found is made by Astaro (www.astaro.org). It is a Linux-based firewall (well, it uses a Linux kernel), but is hardened and very secure if properly configured. It's something we looked into for a while, and this is one of the nicer firewall products out.
I just thought it might be a good idea for you to run an article or something on researching firewall products to help protect IIS servers from direct contact to the Internet. Also, user education programs might be a good idea for large companies, since most internal threats come from uneducated users e-mail and surfing habits.
I am still a firm believer in using other, more secure methods to protect IIS. And, I'll point out, not one of my clients got hit with Nimda! :)
I am both an Apache user and, more in-depth, a very frustrated IIS 4/5 user. One need only look in the mirror and realize the TCO of IIS is much higher than need be due to the crazy security issues.
I'm surprised it's taken this long for someone in the tech media to make the case for dropping IIS. I stopped using IIS two years ago because I saw the writing on the wall. The core problem is that Microsoft's philosophy (and not technology) is at the root of the problem. And that philosophy has time and time again been defended by Redmond rather than altered to reflect the reality of the failure of Microsoft's philosophy toward IIS security.
I decommissioned my IIS web server and went to a Web appliance (Cobalt RaQs) and haven't looked back. I haven't spent sleepless nights worrying about the security of my servers, or exposed my customers to unnecessary risks. This includes the discontinuation of Exchange server, as well; we're just using regular SMTP/POP3/IMAP, firewalled, and virus-checking incoming and outgoing mailbox activity.
The added benefit to this is a significantly reduced technical support bill at the end of the year and a significant "simplification" of our computing environment. Our board of directors is very happy with our use of Outlook Express (free) rather than full Outlook ($$$), so there have been additional savings, as well. And, frankly, Microsoft's holy grail of productivity has been surprisingly maintained as a result.
Perhaps our result isn't as feature-rich as an Exchange/IIS/Outlook solution, but our users aren't mired in downtime due to client-level or server-level patches, security investigations and virus cleanouts. And my technical staff are moving forward with our customers rather than re-fighting the same brush fires that appear to pop up every week with IIS.
I think Microsoft has to see a wholesale shift away from IIS before it will do anything about it, but, by that time, it will be too late. I think IIS has been fatally wounded by this lack of attention to out-of-the-box security, and we may very well see an entirely new Web server product in .NET before too long, unless Microsoft is willing to risk their entire .NET strategy by defending a security philosophy that is impotent and leaves customers helpless.
Here is where Microsoft may be vulnerable to a plug-in replacement of IIS. Perhaps the new ports of Apache for Win32 can be tidied up, and, with an installer that could root out IIS completely and replace it, Apache could make some company out there very rich.
Incidentally, I am not a tilt-at-windmills/anti-Microsoft personality; I just got “tired,” as you put it, and looked for and found an alternative to the Redmond game.
Great article. I am the administrator at a small community college, but I have responsibility for 250 PCs and four servers. IIS [servers], even with the patches installed, were hit by Nimda. Not as bad as some, but enough to keep me at work overtime for three straight days. The most difficult part was that it took NAV 3 days to finish scanning the hard drives of two of our servers and quarantining the infected files.
At this point, I am actively researching an alternative to IIS. I'm not a seasoned veteran on IIS or Web servers, but I know a very poorly designed product when I see one.
Thanks for the article and tips. I need all I can get.
I have just recently become an IIS administrator, and the city that I work for is committed to working with IIS. I am aghast at the number of patches that Microsoft has already put out for IIS 5.0. How am I supposed to keep up? It's a full-time job, and, like others securing IIS against intrusions, it is not my only task.
We were hit hard by the Nimda virus, even on some machines that had the IIS patch installed. According to the Microsoft site, you must reinstall the patch every time you change your system configuration. Shades of service packs. It took us 160 man-hours to clean up the mess. I have nightmares about what would have happened if Nimda had actually been harmful to our data instead of just a nuisance.
Since the city is committed to working with IIS and since security is my top priority, we are looking at Secure IIS as a solution. We will continue to do everything in our power to harden machines that are available to the outside world and to apply all the patches, but since we can't depend on that method, we're going to have to spend money on other solutions.
Web site administrator
I'm the CTO of a small technical analyst firm, without any IT staff. I do what needs to be done, or have one of my analysts do the work. I don't have the time to deal with many of the issues that come up, beyond backing up the servers and adding users. Other IT challenges have to wait. The good thing is, I don't have to explain the need to update anti-virus definitions, etc.
We use IIS for two reasons: It comes with our choice of OS, so the price and integration worked for us. Now we're committed to it, especially for features like ASP, which have been incorporated in our web site. Thus, it becomes a major project to move platforms.
We also use some of the integration features of IIS and W2K for special purposes, such as printing and remote file access and mail (Outlook Web Access).
The security concerns and, more importantly, the need to address the security concerns with patches, etc., are having an influence on my perspective on staying with IIS and, for that matter, W2K as a server OS. We've been looking at alternatives, especially NetWare 6. I don't have the expertise to use Linux or the expertise or time to learn and use Linux alternatives to Exchange and IIS. I do have enough NetWare background to work with it, but don't know whether I can work with the Apache and Netscape servers included with that product. That will be an area of investigation in the future.
We have moved our public Web site to a service provider. Let them deal with the security issues for me. Then I only have to deal with our intranet/extranet servers, which are less exposed and thus easier to protect.
Of course, if NetWare were to regain its prominence as a NOS, it would be as subject to attacks as W2K is now. Can't win this battle; just have to keep on truckin'.
IIS stands in the spotlight because people have chosen to write viruses that specifically target IIS. To label IIS as more insecure than other Web servers, when other products are susceptible to the same problems, is truly a disservice.
Microsoft is worthy of criticism in many instances, but this (I think) is not one of them. Please do not cloud the issue by claiming that all of our virus and security woes would be solved by replacing one Web server with another. Our security practices must change first.