Comparing Microsoft IIS and Apache HTTP Server

by Dave Murphy
ISSN 1535-3613

Dave Murphy, DGL President & ITrain founder Dennis Fisher and Timothy Dyck of eWeek reviewed Microsoft Internet Information Server and Apache HTTP server last week. Here's a synopsis of their reviews.

Users of Microsoft's Internet Information Server (IIS) find that keeping up with the near-weekly security patches is just about a full time job. Some compare their efforts at securing Microsoft's webserver to plugging the holes in a vegetable colander.

"We stay on top of what we do, but you never know," said Martin, CEO of isObject Inc., an independent software developer in Brentwood, Tenn. "Maintaining IIS servers is a cumbersome, tedious process. Any time you bring a new server online, you have to apply 40 or 50 patches."

IIS webmasters frequently resort to purchasing and installing after-market devices that harden IIS boxes. Keeping up with the security holes is just too costly. The manpower costs of dealing with the flood of security problems that have plagued Microsoft's webserver can cripple an IS department or an entire small business. Microsoft has issued 21 security bulletins for IIS 5.0 alone, a number that is increasing at the rate of about one every three weeks.

It's estimated that IIS holds 25 percent of the market for enterprise web servers; however, more than half of all defaced websites listed on attrition.org run IIS.

Webmasters are often forced to use Microsoft's IIS software because it's the default webserver for both Windows NT and Windows 2000. Since it's already available, IS managers are hesitant to authorize the purchase and installation of other software, regardless of the announced security warnings.

Many IIS security holes are routine flaws that give crackers enough unauthorized access to crash the server. However, an increasing number of flaws grant more general access to the webserver system: crackers can breach network security, gain access to the file system, and obtain permission to execute commands.

Microsoft recognizes the risks to customers who use IIS. "There is a problem with IIS," said Scott Culp, security program manager at Microsoft, in Redmond, Wash. "We've just had too many vulnerabilities affecting IIS, especially this year. We recognize the need to do a better job of making it secure."

Alternative to Microsoft IIS

Although IS managers may not have a budget item for replacement webserver software, there's still an alternative. The Apache HTTP Server has earned an enviable security and reliability reputation. The Apache Software Foundation offers their webserver for free, even for commercial use. So arguing that new software costs too much doesn't hold water. Installing Apache is a snap, and it can be done by any competent webmaster in a few minutes.

The last serious security hole in the Apache webserver was reported and fixed in January 1997. Since then the only Apache security holes have been related to denial of service (DoS) and unauthorized listing of filenames.

Comparing Apache and IIS

Why do most experienced webmasters agree that Apache is a secure alternative to IIS? First, Apache doesn't install a lot of extra programs. A default Apache build doesn't install any Apache modules (extensions) at all -- just a basic webserver. By default, Windows 2000 and IIS install seven external Dynamic Link Library (DLL) files plus FrontPage server extensions. Every one of these eight components has had security updates since Windows 2000 was shipped.

Second, Apache components, if they are installed, run as a nonprivileged user, so if a buffer overflow occurs, the damage is minimal. Conversely, Microsoft IIS allows system-level access, thereby potentially granting root (superuser) permission. Any user, even a remote one, who has root permission can access, change, and delete any file anywhere on the system.

Third, Apache gets all of its configurations from a single file, httpd.conf. Microsoft IIS gathers configuration data from several files.
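The three points above (a minimal set of loaded modules, a nonprivileged worker identity, and one configuration file to inspect) can be checked in a few lines of shell. The script below is an added example, not part of the original article or of the Apache project; it audits a constructed sample httpd.conf using Apache's real `LoadModule`, `User` and `Group` directives, and the file path and contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit an Apache httpd.conf for the three properties discussed
# in the article. The config file below is constructed for this example only.

SAMPLE_CONF="${TMPDIR:-/tmp}/httpd-audit-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample httpd.conf, not a real server's configuration
ServerRoot "/usr/local/apache"
Listen 80
LoadModule dir_module modules/mod_dir.so
#LoadModule cgi_module modules/mod_cgi.so
LoadModule mime_module modules/mod_mime.so
User www
Group www
DocumentRoot "/usr/local/apache/htdocs"
EOF

# Print the value of a directive ($1) in a config file ($2): first
# uncommented match only, so a commented-out line does not count.
conf_value() {
    grep -v '^[[:space:]]*#' "$2" | awk -v d="$1" '$1 == d { print $2; exit }'
}

# Count active LoadModule lines: every module loaded is extra attack surface,
# so the number should match what the site actually needs.
loaded_modules() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '^[[:space:]]*LoadModule' || true
}

# Succeed (exit 0) only when both User and Group are set to something other
# than root. A missing directive fails the check as well.
worker_is_unprivileged() {
    u=$(conf_value User "$1")
    g=$(conf_value Group "$1")
    [ -n "$u" ] && [ -n "$g" ] && [ "$u" != root ] && [ "$g" != root ]
}

# Human-readable summary of the checks above for one config file.
audit_conf() {
    echo "config: $1"
    echo "modules loaded: $(loaded_modules "$1")"
    if worker_is_unprivileged "$1"; then
        echo "workers run as $(conf_value User "$1"):$(conf_value Group "$1") (nonprivileged)"
    else
        echo "WARNING: User/Group missing or set to root"
    fi
}

audit_conf "$SAMPLE_CONF"
```

Because Apache reads everything from httpd.conf, a review like this covers the whole server identity and module set in one pass; the same audit on IIS would have to collect settings from several places.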

Dave's Opinion

Although I maintain a Windows 2000 and IIS system, it's specifically to host Microsoft Access databases through Active Server Pages (ASP). All of my principal websites are hosted on Red Hat Linux with the Apache HTTP Server. I've found IIS insecure and way too buggy.

During my research I read that eWeek Labs discovered that when they manually removed all extensions from IIS, three (including the ones allowing the Index Server attacks) were silently restored by the Windows installer when they later removed the FrontPage components. This is unacceptable. It's a software program that reinstalls its security holes after they've already been patched.

Call for Comments

What do you think? Leave your comments on the message center.

References

Microsoft
Apache
Message Center

Related Articles

Windows NT/2000 Users Assessed Insurance Surcharge
ICQ Servers Cracked Through Hole In Microsoft IIS
Microsoft Reports Serious IIS Vulnerability
Worm Infects Microsoft IIS and Solaris Servers
Microsoft IIS 5.0 Opens Security Hole in Windows 2000
Microsoft Webservers Laid Open For All To See
Linux Under The Weather
Cross-Site Scripting Security Bug Hits the Web



ITINFO is an electronic publication of Damar Group, Ltd., publisher of Training Express computer learning guides. Comments and submissions to info@dgl.com.

Previous issues are on our website at http://dgl.com/itinfo/.

updated July 23, 2001
http://dgl.com/itinfo/2001/it010723.html

Copyright © 2001, Damar Group, Ltd., All Rights Reserved