The Cost of Free IIS

I know it has been weeks, but I'm still reeling from the news. Earlier this month, Gartner Inc. strongly recommended "that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS [Internet Information Server], including moving Web applications to Web server software from other vendors, such as iPlanet and Apache," (

Gartner has some fine people and produces some excellent data, but the outfit always struck me as one that looked at the world through Microsoft-colored glasses. Perhaps Gartner has finally seen the light. Or maybe this was payback for having bought into the success of Windows CE, Zero Administration Windows and the Net PC. Regardless, I was shocked.

Microsoft's official response could be paraphrased as "we're no worse than any of the alternatives." Normally, I would say this was an atypically anemic example of spin for Microsoft, but the quality of PR coming from the Redmond damage control squad has deteriorated dramatically over the past couple of years. I'm betting it's sleep deprivation from having their pagers beep nearly around the clock.

"They stink, too" is no excuse for providing a shoddy product, even if it were true. But it happens to be blatantly false. I don't know about iPlanet, but Apache has had an excellent record compared with Microsoft IIS.

See for yourself. If you visit SecurityFocus and look up Apache Group in the security alerts, you'll get a list of the last 20 known vulnerabilities. You can cross off eight of these entries because the problems stem from the server-side scripting languages that you add to Apache, not Apache itself. These add-ons are also available for Windows and IIS, so one has to either add these to the list of IIS vulnerabilities or place the blame where it belongs - on the add-on package.

Of the remaining 12 vulnerabilities, one problem is specific to running Apache on Windows, and two more are confined to Apache on the Macintosh. Barring pure stupidity on the part of an administrator, only the Windows-specific vulnerability was particularly dangerous.

If you look at the list of Microsoft alerts on the same site, only seven of the last 20 alerts are IIS-related. IIS has to compete for space with the security holes in other Microsoft products, such as Exchange, Proxy server and Windows itself.

The vulnerabilities in this list are more likely to lead to grave consequences, but it's not just the differences in severity that I find striking. It's the time it took to fill up 20 entries. The two bottom entries in the Apache list are dated September 1999. The two bottom entries in the Microsoft list are dated August 2001. Two months. Two years. You do the math.

If that isn't enough to get you to switch, then consider Microsoft's own reasoning. It claims that there are so many Windows-specific viruses, worms and Trojan horses not because Windows is so insecure, but because Windows has the largest market share.

According to the Netcraft Web survey (, Apache runs about 60% of Internet Web sites. About 28% are running a flavor of Microsoft IIS, which includes every Joe Blow with a cable modem running Windows 9x and the Microsoft Personal Web server. So, if the problem is market share and not bad software, then why over a five-day period did my Web servers log 35,000 Nimda and Code Red probes that exploit IIS- specific weaknesses, but not a single probe related to Apache?

Microsoft fans will no doubt point out that although the Netcraft survey says that Linux is growing faster than Windows, it also says that in terms of actual machines running Web sites, 50% of them run Windows. Linux takes second place, with 30%. Malicious software probes IP addresses, not machines, so it's a stretch to say that this proves Microsoft's point.

But even if one could win that argument, I'm not sure I'd trot out these figures in defense of IIS. Sooner or later, someone's going to wonder why it takes 50% of the machines on the Internet to run 28% of the Web sites. On the other hand, it does prove that Microsoft was right about one thing: the hidden costs of free software. Getting IIS free with Windows obviously doesn't mean it won't cost you in the long run.

Nicholas Petreley is a computer consultant and author in Hayward, Calif. He can be reached at


Copyright © 2001 IDG Communications, Inc.

Shop Tech Products at Amazon