IIS Rounds the Security Corner

Opinion: There are only two Web servers that matter. While two-thirds of domains run Apache, Web server share numbers show that Microsoft's IIS is also a respectable choice.

It used to be exciting to read the new Web server share numbers from Netcraft every month. For a while there, Apache and Microsofts IIS (Internet Information Services) were really duking it out. But these days, the survey has a look of obsolescence.

It looks like the market has hit an equilibrium, with Apache at about 67 percent, IIS at about 20 percent and the rest fighting over small niches. The basic numbers have been unchanged for about a year.

The way I see it, both Apache and IIS have won, and for IIS, this means that the security issue has been dealt with on IIS. While some of the great attacks in computing history were targeted at IIS, good standard practices and a default lockdown state for IIS 6 in Windows Server 2003 mean that the low-hanging fruit is all picked.

Its worth clarifying some of the frequently misrepresented Apache numbers. The public survey that receives so much attention is a survey of domains and the server software on which they run. It is not a measure of the number of copies of each program running or the number of servers on which they run.

A large percentage of the 55.4 million domains measured by Netcraft are parked on a comparatively small number of servers and arent really running at all. Every now and then, the survey is skewed when a large provider, such as Register.com, moves its very large number of parked domains from a Windows to a Linux server, or vice-versa. These sites are just dead weight in the survey because nobody has really made a decision to run the site on any particular software; its not running.

But lots of actual, running sites are run by hosting services where they share a single server with potentially thousands of other sites. This shared hosting market is dominated by Apache, where the cost benefits are overwhelming. In more complex, dedicated hosted servers—and in internal servers that dont show up on the Netcraft survey—IISs share is much higher.

SecurityFocuss vulnerabilities database shows no vulnerabilities reported for IIS 6.0 in the past year and a single one overall.

That one report, from July 2003, was based on a single, third-party assertion of problems in the Web administration interface for IIS6, and there was no follow-up to the initial report. I suspect the report wasnt confirmed. IIS6 has a pretty good security record.

This is in marked contrast to the default installations of IIS4 and IIS5, the Windows NT 4.0 and Windows 2000 versions. These had some vulnerabilities for the ages, but their real problems were that they installed turned on by default as part of a Windows server installation. This is why Code Red and Nimda were so successful, because they attacked many IIS servers that users didnt even know they had running.

But this hasnt been a problem with IIS6 which, like Apache always has, installs in a "locked-down" configuration. No doubt this has created extra work for some admins. Boo hoo hoo. And through the aggressive application of security patches and the use of third-party products for intrusion detection and other features, its possible to run very secure IIS servers.


Note that Netcrafts survey of the most-reliable hosting providers during September shows six of the top 10 running Windows, with three on Windows 2000 and three on Windows 2003. This shows the servers resistance to DDoS (distributed denial of service) attacks as well, although many of these providers surely use external protections against such attacks.

Its probably going too far to say that IIS is now as secure as Apache. In a sense, its an apples-and-oranges comparison. Out of the box, IIS6 still comes with far more complex and ambitious facilities than Apache—along with the accompanying risks. More importantly, an IIS server can become compromised through holes in other services running on the same box.

But there was a time where IIS could have lost out badly due to a poor security reputation, and Microsoft stopped the bleeding mostly through a technique it needs to use more aggressively elsewhere: defaulting services off.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.


Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.


Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page

More from Larry Seltzer