Microsoft stands by IIS despite Gartner recommendation
Computerworld -
Microsoft Corp.'s Internet Information Server (IIS) is as secure as comparable products from other vendors, the company said after a Gartner Inc. recommendation that enterprises hit by both the Nimda and Code Red worms look at alternative products.
According to the advisory from Stamford, Conn.-based Gartner, the success of the Nimda worm and of Code Red before that "highlights the risk of using IIS and the effort involved in keeping up with Microsoft's frequent security patches."
Gartner's advisory was issued in the wake of last week's attack by the mass-mailing Nimda worm that infected systems running Microsoft Windows 95, 98, Me, NT and 2000. Unlike other worms and viruses, Nimda spread via network-based e-mail, as well as by Web browsers, and exploited back doors left behind by previous viruses such as Code Red and Sadmind.
As it had with Code Red, Microsoft recommended installing patches and service packs on virtually every PC and server running the Internet Explorer Web browser, IIS Web servers or the Outlook Express e-mail client, said John Pescatore, a Gartner analyst and author of the advisory.
Such constant patching and maintaining has resulted in a high cost of ownership for IIS, he said. For that reason, Pescatore recommended that enterprises hit by both Nimda and Code Red look at alternatives such as Sun Microsystems Inc.'s iPlanet and the Apache Web server software.
"The Gartner recommendation overlooks the fact that security is an industrywide challenge and that serious vulnerabilities have been found in all Web server products and platforms," a Microsoft spokesman said. "It is a folly to believe that if you switch from one product to another, you are protected."
Instead, the emphasis should be on ensuring safe security practices and making sure that all recommended patches are installed, he added. "Those customers that installed all the [recommended] patches were protected from Nimda," the Microsoft spokesman said.
But Gartner's recommendation seems to be resonating with at least some users.
Palo Alto, Calif.-based law firm Fenwick & West LLP is planning on migrating off of its IIS servers to a Linux operating environment running Apache's Web server software.
The decision was prompted by the continuing security concerns related to IIS, said Matt Kesner, the firm's chief technology officer. Also driving the move is cost: It's cheaper to run Apache on Linux than it is to run IIS, Kesner said.
The law firm escaped being hit by last week's Nimda virus because it had all the appropriate patches in place. But the experience of