Dump IIS, says Gartner

US research firm Gartner has issued a stinging denunciation of vulnerabilities in Microsoft's IIS web server software, encouraging users to "immediately investigate" alternative products.

By Jon Tullett. Published September 25, 2001

After the recent discovery of the Nimda worm (following on the heels of Code Red, Code Red II, Code Blue and numerous other vulnerabilities), research firm Gartner has come out and said it: users should consider dumping Microsoft's IIS web server platform until the vendor can come out with a more robust offering.

Nimda does nothing new - it combines several existing vulnerabilities into a single package, spreading through file-sharing, email, and direct attacks on unpatched IIS servers.

Gartner's John Pescatore says "Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out - almost weekly. However, Nimda (and to a lesser degree Code Blue) has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft's frequent security patches."

While maintaining security is not impossible, Pescatore concludes "using Internet-exposed IIS Web servers securely has a high cost of ownership."

Gartner recommends that companies who have been exposed to attack "immediately investigate alternatives to IIS", such as iPlanet or the open source Apache. Pescatore acknowledges that these systems have a less than perfect security record, but notes that they have "much better security records than IIS and are not under active attack by the vast number of virus and worm writers."

Pescatore's hard-hitting judgement is not limited to IIS: he also targets Microsoft's .NET web services, saying that companies should not consider using IIS or .NET until the code has had a complete rewrite, with "thorough and public" testing. He suggests that Microsoft would not be able to accomplish this rewrite until the end of next year.

This is a damning indictment from a research company regarded highly at the board level of many powerful firms. Network managers pushing for more secure offerings will now have the ammunition of a respected research company behind them, a factor that has been lacking until now.

In the most recent (August) Netcraft survey, Microsoft's IIS had gained just over half a percent of market share, to hold 26.47% of the market. IIS is in second position behind Apache, which dropped 0.65% to 58.08% market share. Those numbers could change to the drastic detriment of Microsoft should Gartner's influence be felt by companies who have lost revenue and services to any of the numerous worms in the field.
