Gartner Group Suggests Dumping IIS For Now
sachmet is one of the many readers who contributed news that "Gartner Group is now recommending that IIS be replaced in corporate environments. This is based on the fact that TCO for IIS is rising due to the almost-weekly patches sent out by MS, and even then, it's nearly impossible to get patched quickly enough. Best part: 'Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS,' which they say has an 80% chance of happening by the end of next year." Gartner hasn't always said favorable things about Linux systems in the workplace, but the businesses that rely on this type of analysis to justify purchasing decisions may find this one interesting. Update: 09/24 22:04 GMT by T: As several people have pointed out, the 80% figure appears to be Gartner's odds that IIS won't be rewritten that soon, rather than the other way around (.673334 probability).
wow... (Score:4, Interesting)
At work, we've been on-and-off contemplating switching a lot of our servers from IIS to something else. Our Linux and OpenBSD and Solaris boxes are all fine, but our unpatched IIS servers (the ones I don't admin, go fig) all got trashed. If you're gonna lose a day or two of work every month and you're paying the "cleanup people" $50 an hour or more, you can damn well bet you'll either start looking for new employees or new software.
- A.P.
Security (Score:5, Interesting)
(who DIDN'T get hit by Nimda?)
I didn't. IIS can be secured -- many things that MS releases patches for are not exploitable if you follow sane security practices. Stuff like deleting all the ISAPI crap that comes in the default setup, and putting your web root in a nonstandard location (preferably on a different partition), deleting all sample files, enforcing proper filesystem permissions, and running any applications in an isolated process.
Of course, one of the advantages of Apache is that it ships in a relatively secure configuration by default, it's better for dummies who install stuff and plug it into the network without bothering to check the configuration. It's a whole lot better by default than IIS, that's for sure. Most of the MS patches are for various add-ons like index service that most people don't use anyway and should be shut off.
DISCLAIMER: I use Apache for the primary web server for the business I work at. We run IIS as the secondary server for load-balancing and have yet to be compromised by anything, even though patches don't always get applied immediately (usually pretty soon after release though). I think Apache is great, but want to point out that anything can be secured if you put some effort into it.
Re:Security (Score:4, Interesting)
Like everyone else, I found myself getting hammered by Code Red infested servers when this whole thing came down last month. So I went and did a few directories on several of those machines using the newly installed back doors just to see what was going on. Know what I found? They were ALL default installations of Win2K, and most were installed sometime early in August (based on the dates of some of the directories I found). Many of those machines still served up the IIS default page when I checked. It was evident that someone simply dropped in the CD, clicked on some install button, and called it done. And *I* suffered for it.
You cured ONE machine, and for that I thank you. As you say, a smart admin will prevent these problems, but that's not true enough. These machines are owned by cable-modem morons that don't understand that they've just become an admin. They dropped in a CD and checked a box that said "Make this computer a web server." Then they probably invited their friends over to see their awesome Quake playing machine.
That's why IIS is not a winning recommendation, but the people who need to know this wouldn't know the Gartner group from a garter snake.
A solution! (Score:3, Informative)
First, if it were a "pay per play" I'd be far more interested in seeing it work properly than I would be if I were just clicking a box that said "Install web server?"
Second, attacks would make it much less likely that anyone would pay for their product until it was far more secure.
The same would be true for the other virus-prone applications bundled with the Windows operating systems: I wouldn't consider Outlook Express if I had to pay for an e-mail client, especially with all the viruses that it retransmits. Internet Explorer? There's not a chance I would purchase an ActiveX container for surfing the web, but since that big blue "e" is already sitting on the screen and doesn't take me a half hour to download, sure, I'll use it.
And now the D.O.J. has dropped their only chance to prevent the tragedy from repeating itself on XP.
Re:Security (Score:2)
5 Minutes to run Windows Update, plus reboot time, which must be done outside of business hours, which is the big thing.
There's no "Stop Service, Patch, Restart Service" with IIS, everything requires a reboot. You can't just do that very often on a mission-critical server.
Re:Security (Score:2)
Windows Update is nice and convenient when you set up a new PC, and need to get a bunch of patches on it quick and easy, but you should be conservative and assume that it is out-of-date, and double check.
Re:Security (Score:2)
I'll agree that once you get IE4+ going, Windows Update makes keeping a server up-to-date ridiculously easy. Getting the server to the point where it will work with Windows Update can be a minor pain, though.
New MS slogan.. (Score:2, Funny)
Re:wow... (Score:3, Interesting)
In the specific case of Nimda, the patch was available in April of 2000. That gave everybody plenty of time to do something about it, however many didn't. i.e. most of our development machines.
What's more expensive? Spending an hour once a month patching your production web servers, or shutting down the company for half a day?
Re:wow... (Score:2)
Re:wow... (Score:2, Interesting)
If Microsoft can't keep up with their own patches, why would you expect that ANYBODY could keep up?
Windows is known for its need to be re-installed when simple things go wrong. This, of course, means a re-application of all those patches, all in the right order, all with the recommended number of reboots. If you are going to rely on Windows update, you will be downloading for hours, punctuated only by all the reboots. Then you will re-install your applications, all with their patches applied in the correct order, all with the appropriate number of reboots.
To complicate things, lately Microsoft has been getting a reputation for patches that don't work.
To top it all off, if you use Microsoft's system file checker after a system freeze, and if you find and replace a corrupted system file, it had better not be one that has been updated by one of those patches, or your security hole may have come back. But which of those 77 security hole patches would that be? I guess that you have all those dll file names memorized as to which was fixed in which patch!
Happy guessing!!!
Dumping IIS? (Score:5, Funny)
credibility (Score:2, Troll)
It is true though: companies rely on these reports to make decisions, so it's still relevant.
Re:credibility (Score:2)
Linux firms: replace IIS as a service? (Score:3, Interesting)
Just curious,
- RLJ
Re:Linux firms: replace IIS as a service? (Score:2)
Um, what's that got to do with Linux? They are not saying "ditch Windows", they are saying "ditch IIS". IIS != Windows. There are other web servers out there that run perfectly well under Windows.
Re:Linux firms: replace IIS as a service? (Score:2)
Re:Linux firms: replace IIS as a service? (Score:5, Interesting)
Very true. I know some folks running Apache/Tomcat-Jakarta on a W2K box and are pretty happy about it. I think in the short term (or mid term at least since some porting will be needed even if you only switch the web server) if the advice is followed they may stick with Apache, et al on Windows. But, since you save little to no $$ by purchasing NT/W2K/XP Server and not using IIS I would suspect those that did move off IIS would eventually lose NT/W2K/XP as the OS as well. I would imagine that the porting effort to move code the likes of PHP/JSP/servlets from Apache/MS to Apache/*BSD or Apache/Linux would be minimal.
Of course, I suspect that very few will switch. We got our asses handed to us last week, and the brass are sticking with MS anyway. Go figure.
Re:Linux firms: replace IIS as a service? (Score:2)
Gartner Leads Way (Score:3, Interesting)
Gartner wields a lot of influence, and this will raise heads. Congratulations.
gus
Re:Gartner Leads Way (Score:2)
Gartner Leads Way
Heh.
Well, I suppose that Gartner wields a lot of influence among the consumers of IT evaluations that have more money than time in which to acquire the expertise.
But - and especially in this forum - this is not exactly a rocket science revelation.
The hassles of IIS administration have been widely known among IT worker bees for some time. I guess it just takes a while for the information to trickle up.
Now if those Gartner reports were only released about 1 year earlier than they are, then they might be a little more timely and useful!
Only had to be a matter of time (and my 0.02$) (Score:3, Flamebait)
Will MS really write a new IIS from scratch? I doubt it, and if they did would it really improve on where things are now.... it would take n months to write, beta and then launch IIS+ 1.0 then people would want to know it was ok, some would try it, but most people would want to see IIS+ 2.0 before moving their web applications to it..... timescale ? how long is a piece of string.... and would it be any better, would MS allow external code reviews (or opensource) to ensure that IIS+ was better / secure. I doubt it....
Regards
Dave
----
"Iceberg dead ahead..... oh sorry, only joking !"
You can't visit Windows Update? (Score:5, Insightful)
Install Windows Critical Update Notification.
If it honestly takes you too long to visit the Windows Update web site once every week for the 5 machines, or get the users to visit the site and install the critical updates then there's a problem somewhere.
My Win2k machines WERE running IIS and had all critical updates installed. No Code Red. No Nimda. WTF is everyone else's problem? Even my web host which is running IIS didn't get hit.
As for rewriting IIS, it is a rather stupid idea. First of all the Code Red problem wasn't IIS at all, but the Index Server ISAPI DLL. Rewriting IIS will have zero effect on any of these extensions, much as rewriting Apache would have little effect on a bug in mod_php.
Honestly I don't get Gartner's points here - if you have a significant site with a large investment in
Re:You can't visit Windows Update? (Score:2, Informative)
http://www.microsoft.com/Downloads/Release.asp?
Re:You can't visit Windows Update? (Score:4, Informative)
One of the early NT service packs was called the SP-of-Death. Even recently... Remember SP6? Nope. It was pulled rather quickly and replaced with 6a (which is often referred to as 6) because it caused a ton of problems for Notes users.
Direct-X 7.0 was buggy and toasted a few systems, but couldn't be uninstalled.
MS has a long history of playing games with patches. Often they don't release patches, forcing an "upgrade" to a later version, other times they release a "patch" that (intentionally?) breaks other companies' software.
Decent admins don't install MS patches until they've seen them in action and could evaluate them. The proper action with CRed and Nimda isn't to rush to patch the server, but to change the firewall to prevent malicious requests. To do otherwise is to risk having to reinstall the OS (without the patch) to get your servers working again.
Patch games (Score:2)
Personally I trust script kiddies even less. If I see a published bug that allows root access from remote sites I close the damn thing straight away.
I remember SP6 very well. Downloaded the SP6a patch and had my eval boxes working before I deployed. There is NO excuse for waiting three months with an open root compromise though.
The proper action with CRed and Nimda isn't to rush to patch the server, but to change the firewall to prevent malicious requests.
No. By the time you've done this it is too late - the worm has already hit you. If you'd applied the patch (even taken a week, hell a month even, to evaluate it) then you wouldn't have to firewall things after the fact.
To do otherwise is to risk having to reinstall the OS (without the patch) to get your servers working again.
You don't reinstall after a root compromise? What sort of admin are you?
The risk of patching a single file or two with a hotfix (which saves backups anyhow for rollback) is significantly less than having your server root compromised.
Re:You can't visit Windows Update? (Score:3, Informative)
Also, if you're running NT4, there is no windows update for IIS.
Re:You can't visit Windows Update? (Score:2)
If you are a competent admin, I'd expect you to be on the mailing lists for security flaws in all systems you administer - if not then you aren't doing your job properly. There's no excuse for not having a patch for "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" [microsoft.com] installed on a web server.
Re:You can't visit Windows Update? (Score:3, Informative)
So I suffer the effects of his Code Red attacks because he's too busy playing Quake to read Microsoft's fix-of-the-week? Next time you see a random person who happens to own Win2K, ask him or her if he even knows what the phrase "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" means?
And your solution to us is to blame him, rather than solve the problem? I think the company that delivers the insecure system out-of-the-box is at fault. Don't blame the guy who just bought a Win2K CD at Best Buy and stuck it in his PC. He simply trusted Microsoft to provide him with an OS for his computer, and I think he's within reason to expect the software he paid for NOT to be full of holes.
As a matter of fact, one is attacking me as I write. Let me go see, yes, http://tsi-196.tsi-comm.com/ [tsi-comm.com] has the default IIS page up. This is a NOBODY, just some guy with a cable modem, money, and not enough brains to know what he's done. His box is so tied up I can't even NET SEND him a friendly "You've got worms!" message. And he's just one of many thousands. Even if every professional IIS admin were completely competent, Microsoft is shipping the same leaky IIS to every dot-com, Dick and Harry.
Quit attacking the victims.
Re:You can't visit Windows Update? (Score:2)
Microsoft claimed it was included in SP2. It wasn't. Yes, there's a bit of a complacent sysadmin problem here, but do you check to make sure that every single patch wrapped up in a service pack actually installed?
Re:You can't visit Windows Update? (Score:2)
Why do you need a web browser on a server????
I've been in computers for 10+ years now, and using linux in part or exclusively for 5 or more (pre kernel 1.0 young 'uns), and I've never understood why a machine that does NOTHING but serve mail/news/http/whatever needs all the shit that MS forces you to install, such as a web browser. I realize that these days it's "built in" to the OS, but back in the '95 days it was the same way IIRC, when you installed IIS (or MS Dev Studio) you were asked/required to install a web browser...
That's part of the reason I like *nix, is that if I want to serve webpages from a server with nothing running in it but a user account and httpd, I can. Yes, I need libc, libraries, and various support binaries, but if I want to delete df, du, cut, tr, and the rest of the 2 and 3 letter utils, I can!
</rant>
Why do you need a browser on a server? (Score:2)
Your question should really be "Why doesn't Microsoft ship a libhtml.rpm type of package instead of making us install IE(n+1)?".
The browser is no more "built-in" to the system than Konqueror is built into Linux (it's a user mode HTML renderer that the default GUI shell uses).
Re:You can't visit Windows Update? (Score:2)
If you can call http://www.microsoft.com/security "buried". Personally I get the bulletins emailed to me - that way I don't have to surf over there. Had you done that you would have been patched three whole months before the worm came out.
You point at MSFT's biggest problem (Score:2)
I foolishly used to go to the Windows Update site [microsft.com] to download all the security patches thinking that I was being smart only to find out after being infected by Nimda that Windows Update Doesn't Have IIS patches. Now considering that this is Microsoft's most central and visible update site plus the fact that IIS worms have caused so much damage over the past year, one wonders why IIS patches aren't on the windows update site or at the very least there isn't a site similar to Windows Update just for IIS?
Gartner is wrong for telling people to switch webservers because admins haven't applied a patch that is almost a year old (that's right, the CodeRed/Nimda patch is that old) because it is tackling the symptoms and not the root cause. Gartner should be bitching Microsoft out for not having a sophisticated update system in place similar to apt-get & cron but with a GUI for the clueless admin instead of asking people to blindly switch web servers as if the Ramen worm and Sadmind didn't affect non-MSFT platforms.
The more people who use non-MSFT platforms, the more worms we'll see on non-MSFT platforms. Instead of looking for the web server silver bullet, we should be encouraging admins to take responsibility and do their freaking jobs.
Re:You point at MSFT's biggest problem (Score:3, Interesting)
On a different point, I have to disagree with this:
No, I think the problem is that there are exploits for IIS, or at least, that there are so many. When was the last time Apache had a remote exploit? Okay, what year did Apache last have a remote exploit? BIND has had a huge number of exploits in its time, but it's been quite stable for a while now; still, I use djbdns rather than BIND, qmail rather than sendmail. That's another major difference -- in the Unix world there are several tools that perform similar functions like DNS, FTP, and HTTP; any competent administrator will switch the default daemons over to the packages released by scary paranoid crypto motherfuckers. On Windows, you have the MS daemons and nothing else! That has always been the problem in MS paradise -- it's their way or no way.
Obviously, administration skill matters. Certainly, with a raft of technicians you can keep anything afloat. But that doesn't change the absolute fact that there are differences in software quality afoot, readiness to admit vulnerabilities, and ability for the community to contribute fixes and peer review. MS is absolutely failing in those respects, so much in fact that even their biggest sycophants are deserting them.
It's not that difficult... sheesh (Score:3, Informative)
Here it is, one more time. Live it, learn it, love it.
http://www.microsoft.com/Downloads/Release.asp?
Besides as of right now there has been any major patches for about a month and you just need to do Win2k SP2 plus the August hotfix rollup. Over WinNT4 SP6a plus a similar rollup hotfix.
Now THATS Funny... (Score:4, Funny)
"Unix will be a dead OS in three years." Quoth one, on his reasoning behind implementing MS solutions for the enterprise. (~ 1995)
An expensive Gartner "analyst" told him so.
Shoulda gave me that budget...
HooHa!
Great but... (Score:2, Insightful)
Re:Great but... (Score:3, Interesting)
Gee. So companies that based critical systems on proprietary technology now find that they have limited options and are basically screwed? Who'd have thought?
Make a deal with the devil, you're gonna get burned.
Re:Great but... (Score:2)
D
Gimme a break! (Score:5, Informative)
Case in point - last year I saw the dead-end coming for my company's Enterprise solution, which was written in ASP/COM. The argument (er... *ahem*, discussion) I had with the higher-ups concluded that we HAD to continue moving forward. We couldn't wait 6 months for a rewrite (ambitious at best).
Fine, I said. Then let me do everything concurrently. Here's how it works:
Install Tomcat [apache.org] onto your Windows NT Server running IIS, along with JRE 1.3 and the HotSpot Server.
Link Tomcat in with IIS using the mod_isapi.dll you can get from the Tomcat site. Also install Tomcat as a service using jk_nt_service.exe.
Keep your Java session abstracted. The main session remains as-is within your ASP application. Write a bit of java.net code to hook in through a custom ASP page (note: security - ordinary clients can't access this page) to retrieve and update any session variables. This can be done by reading the ASPSESSION cookie, and spoofing it in your requests to IIS.
Any NEW components, write in Java. Remember - session variables get retrieved and saved from the ASP side still.
As you're working on new components, when you can arrange it, convert old components to Java one by one. Session still remains on ASP.
Wash, rinse, repeat until all components have been written in Java. Once this is done, convert your login into Java, and change your abstracted Session to be a Java session instead of hooking into IIS for the ASP one.
Voila. You are now 100% Java. Now get rid of IIS and switch to something else. This is the approach that my team took to rid ourselves of the VB horror that someone left me when I joined. It took about 8 months of solid effort, but it worked. We are now rid of all reliance on MS technologies from our site. We also managed to do it quickly because of good code layout, and the use of the most wonderful Velocity templates also available from the Jakarta site. This helped a lot.
The point is, you CAN do a rewrite. What you usually are NOT allowed to do is a code freeze. So... work around it! The beauty of this solution is that you are running two separate applications (technically) for a time. Keep a consistent look, and the users can't tell the difference between the ASP and the Java side. Change one function at a time, slowly, and eventually you'll reach the Utopia you're looking for.
Re:Gimme a break! (Score:2, Interesting)
1. The most common would be an application written and then barely maintained or maintained by someone who knows just enough to keep it working. This would be the case with a lot of web applications in non-IT-centered companies. Most companies aren't willing to rebuild an application that none of the programmers know much about and isn't broken, even if it may be annoying to maintain the server. Remember server people and programmers are often in different departments, so it becomes "their" problem.
2. IT companies that sell their ActiveX/ASP product basically can't do what you did. My company, for example, could not do a rewrite without a code freeze because you can't expect the customer to install a hybrid system, it goes beyond what the customers expect to have to do to install our product. A rewrite isn't feasible because in that time the industry would have passed us by as we rewrite 3 years of code.
3. For a large application you would need multiple people with the proper skill set to convert a large application in the way you propose. Finding and paying these people would be expensive. What you did cost the company money because the time you spent rewriting little chunks at a time was time you could have been doing new production. Your company still paid the cost of a rewrite you just spoon fed it to management a little at a time. That doesn't work as well for a large development team.
I don't see a problem with your solution but just because it's possible doesn't mean it's in the best interest of a lot of companies. Unless the TCO of IIS is costing them more than the solution they are going to keep what they have. My argument is one of economics and management behavior, not programming ability.
Re:Great but... (Score:2)
OH MY GOD! (Score:5, Funny)
This is funny but sadly the truth sometimes! (Score:2, Interesting)
Conversely, large applications (ERP's, N-tier web interfaces blah blah) work better on NT (generally) because the API is friendlier to your clients (which are naturally running MS.) If you don't believe me, try installing Sybase Enterprise Application Server on Unix and get clients to save files and print locally.
Being a Business major, I understand what MS brings to the table in TCO - mainly that they will always have the lights on, but so will Sun, HP-UX, and possibly Red Hat. The truth of the matter is that the OS level is going to be smaller of concern than the applications that run on them. I think that any PHB that decides on a platform across the board is managing from the advertisements in CIO magazine. I say you define your network logically and wisely pick your physical model utilizing the best solutions for each problem (infrastructure = Linux, Database = Sun / HP-UX etc., App servers, desktops, misc servers = NT/2K.)
They can find personnel who know both well, and command a higher salary - or have redundant admins because you hire unix admins who have such a disdain for MS they won't touch it and the MS admins who have no clue about Unix. It may cost more, but tough luck - cost of doing business.
--cgeek--
Actually... (Score:5, Informative)
There's TCO on Apache, too. (Score:4, Interesting)
So you ditch IIS and install Apache. Do you honestly think that the guy who couldn't be bothered to update it will be bothered to check for Apache vulnerabilities and fixes?
Yes, because you will have to ditch that guy! And your new unix-savvy admin will be more expensive.
Oh well, only a matter of time before they think of that. The product is only as good as its admin, and certainly not better.
Re:There's TCO on Apache, too. (Score:2)
Excellent (Score:2)
There is no reason for those point and click admins to remain ignorant, except all that MS BS about "new mindsets" and "completely different" approaches to programming. I can only imagine how knowledgeable and valuable some of my friends would be if they had not wasted a good portion of the last ten years chasing ever changing MS interfaces, specs and patches. Rise! and free yourselves.
Remember, it's not your ability to manipulate a product that makes you worth something. It's your ability to produce results from given resources.
Re:There's TCO on Apache, too. (Score:3, Funny)
$ su -
Password:
# apt-get install clue
It's not just the server (Score:2)
Granted, a bad admin is a bad admin, but if you had to hedge your bets you'd also go with Apache. That's what the Gartner Group does, it tells you where to place your bets.
The most important factor is the estimate of future exploits. For IIS it's pretty high, for Apache not so much.
In MS's defense their new security tools are pretty nifty and there has to be some kind of boiling point where even the lowliest user knows the importance of patches after the 10th time their machine has been wiped due to a virus. That day may never come, or it may be next week, but no one is holding their breath.
Regular patching only a small part of TCO (Score:4, Insightful)
using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out -- almost weekly.
I imagine you would need to patch Apache fairly regularly as well. It's not like it's immune to worms or security holes. In fact, apache.org [apache.org] was compromised this year due to a security hole.
I am in the process of converting from a Windows based web server to Debian/Apache, and the process is not without its problems. On the first try, Debian did not pick up both processors on my machine. Also, using mySQL, I can consistently crash my machine by trying to index a 5 million row table.
So, I have some problems. As you might when converting from Windows to Linux. Where do I go? I can't just call my Debian rep and ask him to help me fix my problems. I have to hunt for the answers and spend a lot of time figuring out just what the heck is wrong with my system.
So keep this in mind if you are switching because of TCO costs. Yes, you will need to patch once a week sticking with Windows. However, I don't think this report fully explains everything that may be involved when figuring out the TCO for a Linux system.
That said, I expect to be able to solve my problems and end up with a very nice server.
Apache.org (Score:2, Informative)
Re:Regular patching only a small part of TCO (Score:5, Informative)
Well yes Apache.org did get compromised but NOT due to an Apache server problem. It was a complicated hack [obsess.com] and took advantage of a configuration problem (mainly Apache had their incoming FTP tree viewable in their web space among others) Or perhaps you're referring to another event.
Yes, Apache is not all nice point and click, but there ARE tools out there (Webmin's [webmin.com] Apache module is NICE) to make administration easier. Yes Apache has had vulnerabilities in the past, but considering its widespread use and installed base, I'm extremely impressed with how secure it's been - upgrades to Apache are rare which reduces TCO.
Yes, all systems and software have problems. But overall, I'll stick with OSS where appropriate and regarding your issues with MySQL and Apache, a few simple posts to mailing lists or news groups related to the software will often get your problem fixed faster than most 3rd party setups.
Re:Regular patching only a small part of TCO (Score:2)
Then buy a real DB.
Why you shouldn't just depend on one OS... (Score:2, Insightful)
This kind of attack can be seen in the ecosystem as well. If everything is homogeneous, then a single form of attack can do a great deal of devastation.
I guess the powers that be think that learning a new OS is bad, but it just proves "The Right tool, for the right job". Right now, IIS, is not it!
you know what'll happen (Score:5, Interesting)
Then someone somewhere will find some little bug in some pre-installed convenience, some PHP shopping cart, some admin tool, some default password, something that comes on each machine. Then we'll have the same problem with some crazy Linux worm. And this time I bet the clueless M$-0wn3d media won't call it an "Internet worm", they'll be sure to call it a "Linux worm"!
Of course I could be wrong. Maybe Microsoft really can't code a proper webserver. But I think having sysadmins awake and at the wheel will help too.
Hmm, how about a web server that emails the admin saying "This web server will shut down in 15 days unless you run the up2date tool" or something similar? To force people to check for upgrades.
Any step-by-step manuals out there? (Score:2, Interesting)
Favoring Linux? (Score:2)
M$ license restrictions on IIS alternatives (Score:4, Informative)
This is admittedly an old story; I don't know if M$ is still legally implementing this particular "innovative" license restriction nowadays. Does anybody know?
The problem (Score:3, Interesting)
Re:The problem (Score:2, Interesting)
Next point: Psychology. The Redmond Empire is greatly despised, often with good reason, by Lord only knows how many programmers and would-be crackers. Also, M$ is a Very Large Corporation, while the Apache foundation is microscopic in comparison. Large corporations have become something of a symbol of uncontrolled greed and (in many cases) environmental destruction.
Crackers, in many cases, crave some sort of recognition for their work. Given that, plus all the above, you tell ME which package you think will be a more likely target no matter how many sites adopt Apache.
In any case, Apache would, I think, still turn up with far fewer holes per version than anything the Redmond Empire has cranked out to date, web server wise.
It seems like people are already doing it (Score:4, Informative)
http://www.securityspace.com/s_survey/data/2001
Since July IIS market share has been falling.
Check the
The share is flowing to Apache and Netscape servers.
Joao
Kind of ridiculous... (Score:2)
I think Gartner should be recommending an investment in competent IT staff if any enterprise was hit by both Code Red and Nimda, since the IIS exploits used in Nimda were the same as those in Code Red.
Re:Kind of ridiculous... (Score:2, Informative)
Nimda uses more ways to spread than the ones used by Code Red. Code Red used a buffer overflow, Nimda uses directory traversal to get the IIS.
Nimda does look for possible backdoors left by Code Red or other worms.
From CERT:
The "Code Red" worm is malicious self-propagating code that exploits Microsoft Internet Information Server (IIS)-enabled systems susceptible to the vulnerability described in CA-2001-13 Buffer Overflow In IIS Indexing Service DLL.
and:
The CERT/CC has received reports of new malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears to spread by multiple mechanisms:
from client to client via email
from client to client via open network shares
from web server to client via browsing of compromised web sites
from client to web server via active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities (VU#111677 and CA-2001-12)
from client to web server via scanning for the back doors left behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS" (CA-2001-11) worms
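An added example, not part of the original thread or of any poster's tooling: a Python log-triage sketch that sorts access-log requests into the server-side propagation categories the CERT text above lists (Indexing Service requests, directory traversal, back-door executables). The sample log lines, the 100-character query threshold, the category names and the placeholder file name are assumptions; `.ida` and `.idq` are the Indexing Service script-mapping extensions.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (illustrative only, not from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Sep/2001:10:01:02 +0000] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 205',
    '192.0.2.11 - - [24/Sep/2001:10:01:05 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 210',
    '192.0.2.11 - - [24/Sep/2001:10:01:06 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 404 210',
    '192.0.2.11 - - [24/Sep/2001:10:01:07 +0000] "GET /scripts/backdoor-placeholder.exe HTTP/1.0" 404 208',
    '198.51.100.7 - - [24/Sep/2001:10:02:00 +0000] "GET /docs/%7Euser/index.html HTTP/1.1" 200 1043',
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
MAX_QUERY = 100  # assumed threshold for an oversized query string


def canonicalize(path: str) -> str:
    """Decode the way a lenient server might, so checks see the final path."""
    raw = path.encode("latin-1", "replace")
    for _ in range(5):  # repeated decoding defeats %25-wrapped escapes
        nxt = unquote_to_bytes(raw)
        # Overlong UTF-8 forms of '/' and '\' that some decoders accept.
        nxt = nxt.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
        if nxt == raw:
            break
        raw = nxt
    return raw.decode("latin-1").replace("\\", "/").lower()


def classify(line: str) -> str:
    """Return the category of one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return "unparsed"
    path, _, query = m.group(1).partition("?")
    canon = canonicalize(path)
    if ".." in canon.split("/"):
        return "traversal"
    if canon.endswith((".ida", ".idq")) and len(query) > MAX_QUERY:
        return "index-mapping-overflow"
    if canon.endswith(".exe"):
        return "executable-request"
    return "benign"


def summarize(lines):
    """Count suspicious requests per (source address, category)."""
    hits = Counter()
    for line in lines:
        category = classify(line)
        if category not in ("benign", "unparsed"):
            hits[(line.split()[0], category)] += 1
    return hits


if __name__ == "__main__":
    for (source, category), count in sorted(summarize(SAMPLE_LOG).items()):
        print(source, category, count)
```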
Re:Kind of ridiculous... (Score:2)
Granted, there are plenty of ways a system and/or network could get infected despite the best efforts of a great IT staff, but it shouldn't have been through IIS, which was the easiest thing to fix. I don't see Gartner recommending people switch from Outlook to Pine or IE to Mozilla despite their roles in this.
Foot in the door... (Score:4, Insightful)
One of the biggest problems with getting Linux, OpenBSD, or any new OS widely adopted is that it costs a great deal to switch to a new system once a business has standardized on a different solution. So many corporations decided to use WinNT, and having made the investment need a great deal to sway them to something better. It has to be something very big, and these virii may do it. This could be good news for OS's competing with M$, because the investment thing works both ways. Once Linux is installed, companies are less likely to go back to Windows NT...
Ummm... (Score:3, Insightful)
Am I the only one who thinks this is the absolute wrong thing to do? As vulnerable as IIS has proved as of late, completely rewriting any piece of software runs the risk of not only reintroducing old exploits but possibly generating new ones. IIS is a very complex piece of software with years of thorough public testing (in the form of live deployments) already in place. By completely rewriting it, you throw out that experience and start from zero.
Re:Ummm... (Score:2)
Normally I would agree with you. However, if you write a program without much concern for security, it's hard to go back through and find security breaches. However, if you start from the beginning with a strong, well-defined set of security policies, it's fairly easy to do the right thing. Obviously, after a rewrite, it won't be as featureful and will probably have some rough edges, but I think it really is needed to have security designed in from the outset.
Re:Ummm... (Score:5, Interesting)
> By completely rewriting it, you throw out that experience and start from zero.
I'd have to disagree with you on that one. They won't throw away the old experiences, in fact they will prove quite valuable. Most programmers encounter parts of a project that they would change if there were not the possibility of breaking things or hurting backwards compatibility. When they start from the ground up, they can look at what worked well and what did not work well. Features that were added to later releases had to be designed to use the existing code base, which is often suboptimal. When they have a good idea of the types of features they will use (and even trends for adding features) they can make those features more optimal. It also makes it easier to understand the code in the short term. It is hard to understand code written years ago by yourself, and it is especially hard to understand code written by someone who left the company years ago. I'm sure bugs will be introduced, but it is much easier to prevent security problems if you start from scratch (hint: check for buffer/stack overflows everywhere). When you rewrite, you draw heavily on previous experience, and get the chance to write things with more knowledge than you had when you wrote them a long time ago the first time around.
Dear Gartner (Score:5, Funny)
Love,
Bill
If It Weren't For Microsoft.... (Score:3, Redundant)
Think about it guys...1/2 of the discussion today involves MS.
If you guys hate MS so much why do you spend so much energy talking about it?
woah great. (Score:2)
They have been told over and over to keep their software updated and patched yet they don't. What is going to start them doing it now?
I highly doubt that this is going to change anything. MS wrote a piece of shit software (go figure) and now the customers are paying the price (if they paid anything in the first place
I am sick and tired of seeing my logs flooded w/that crap. Fuck stupid admins. Anyone w/a brain can fix the problem. Give me the god damn job. I will make sure it ain't broken.
A Dose of Reality (Score:2)
if you are serving up pages that are dynamic that depend on database connections and what not this might prove to be a bit more troublesome, particularly if you are addicted to ADO and VbScript, but doable
I think, however, you have no choice not to switch if you depend on COM components hosted in MTS and depend on MTS to handle transactions for you unless you wish to write your own transaction monitor for the next couple of months.
Another Dose of Reality (Score:2)
Products offered by:
IBM (CICS)
Sybase (EAServer, Jaguar CTS)
Unisys (WebTS)
Compaq (NonStop Java Transaction server)
SAP (ITS)
There's quite a few of them that work rather well- some of them, of course, require new hardware. In the long run, though, which is more crushing- the web site being down for a day or more or spending more than you initially planned fixing the problem?
Microsoft Tool to check Windows 2000 Adv Servers (Score:5, Informative)
We're running Windows 2000 Adv Server (yeah yeah, I know, but we don't have the Cold Fusion package for Linux) with IIS 5, and were having an average of 30-45 minutes uptime before getting blasted by the worm(s).
After using the hfnetchk and downloading quite a few patches (burn them to a CD, having to reload the system isn't out of the question, even if it is working now), we have had about 5 days uptime, and *knocks on wood* no infections, although the log says there have been attempts.
Even though I'm spoiled to the ease at which I can find Linux updates, I found that the tool was very useful, especially since Microsoft's site is so unorganized when it comes to downloading patches and updates (I want a list, not having to search for something, especially when it never works right) that this tool was a big time saver for me.
read this (Score:3, Informative)
http://www.microsoft.com/technet/ [microsoft.com]. Go there, subscribe to the mailing lists on security and other useful things. Read the how-to's, walkthroughs and useful documents about administering a Win2k/NT4 server.
Now when you go to http://www.microsoft.com/downloads/search.asp? [microsoft.com], you will see a form. Select the product, win2k server, select Date to sort on, and hit 'find it'. All patches you need to have are there, plus other useful downloads.
Other USEFUL information about how to secure your box: http://www.securityfocus.com/cgi-bin/microsoft_topics.pl [securityfocus.com]
Windows NT kernel based systems have excellent memory management. You should start/stop services (net start/stop w3svc) once in a while. Or use 'kill'. Reboot not needed. Honestly.
TCO Stats? (Score:2)
brain-damaged sysadmins (Score:4, Interesting)
I mean christ, I hear people complaining about how complicated Apache is in comparison to IIS and I think to myself "if you can't figure this shit out, you have no business being a network admin because YOU'RE TOO STUPID TO DO THE JOB!".
Seriously, any network admin that bitches about Apache (which is bloody easy to use, in comparison to most previous tools) is too fucking braindead to be let anywhere near a server. Switching to Apache would at least show an organization where some of its dead weight is in the IS department.
Max
Good news for Linux/Apache consultants (Score:2)
This is interesting, in a number of respects. (Score:5, Interesting)
Secondly, the timing couldn't be worse for Microsoft. With XP only just hitting the shelves, this has the potential to seriously cripple the uptake of the new OS. (Note: I'm saying "potential" as you're bound to get plenty of execs who argue that nobody ever got fired for buying Microsoft. Even when it puts the entire company's public profile at risk.)
Thirdly, this also comes at a critical point in time, with respect to the European Union anti-trust investigation, the British fair trading investigation, and the US' very own anti-trust Lawsuit Revisited. Should the market-share of IIS continue to grow at the current rate, competitors may be able to argue the case that companies aren't heeding the report because they can't. That could seriously jeopardise Microsoft's arguments that they are not a monopoly, and that "future threats" could affect their market-share.
(Let's face it - if this isn't a "future threat", I don't know what is.)
Fourthly, this comes at a time when the economy is seriously wounded, and yet Microsoft's pricing continues to rise. As other posters have noted, this might persuade some accounts departments to start pushing the alternatives.
Lastly, homeless shelters are still pretty full, from the collapse of the dot-coms. This makes computer expertise very cheap. ("Will Code For Food" no longer sounds such a joke.) Thus, there is really little need to hold onto "old hands", who command high fees. You could probably pick up a webmaster and a couple of ASP/PHP/Perl gurus by going to the local K-Marts and asking the people collecting the carts. They'd cost a fraction of what most companies are paying for their IIS expert, and they'd probably worship the ground the management walk on.
HOWEVER, this is purely speculative. Although what I've written is a plausible scenario, companies could equally well ignore the report, the anti-trust lawyers might deem it too tenuous to be usable in court (if they notice it at all), and Microsoft might remain King Of The Hill by sheer default.
Re:This is interesting, in a number of respects. (Score:2, Funny)
I hope they weren't using Frontpage when they wrote it. "Gartner found in license violation."
New advert from M$ for servers shows sensitivity (Score:2)
Look, look. See, see [theregister.co.uk]
So what you're saying.. (Score:2)
So what you're saying is they may find this one interesting since it puts down Microsoft, but they should disregard the others because they put down Linux? Just checking..
Confused on this; help me (Score:4, Interesting)
--Yes the patch was there for months; but SARC (et al) was caught off guard,
--I'm not blaming anti-virus companies but I am confused how IIS is the sole badguy.
--You can get hit with this thing from many directions (assuming WinXX.)
--Gartner even says you "Can't Patch Fast Enough"
Incorrect statement on IIS rewrite timeline. (Score:3, Informative)
The actual quote is: "Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability)." That means there's an 80% probability that the preceding statement is true, and that statement is that MS will _not_ have completed a rewrite in that timeframe.
So instead of MS being 80% likely to fix the problem, they're 80% UNlikely to do so in the timeframe specified.
Right... 20%? (Score:2)
"there is a 20% chance of MS rewriting IIS by the end of next year"
Re:Right... 20%? (Score:2)
Configure, don't patch (Score:5, Insightful)
Do what I do. I'm too f-ing lazy to keep up with the weekly patches. So I spent a couple hours a year ago and properly configured my IIS servers, following the published checklists. Now I review bug after bug and say "ok, that one can't impact me so I'll patch it later."
There is no reason a properly configured but completely unpatched IIS 4 or IIS 5 server could not have survived both the Nimda and Code Red worms.
Nimda made use of the Unicode directory traversal bug, which only lets you move around on the drive where the web documents are stored. Move the wwwroot to another drive, set file permissions as tight as possible, remove the sample applications, and you would have been safe. Every one of those is on any decent IIS admin's checklist.
Code Red made use of a bug in the Index Server. Removing unused mappings is near the top of every decent IIS admin's list. In fact, one IIS server I have didn't have the patch applied when Code Red hit. I didn't bother to apply it until almost a month later.
Administering Two Owesses. A True Story. By Me. (Score:4, Informative)
System 1: IIS on Windows NT:
System 2: standard Mandrake-Linux distro with manual install of current versions of Apache, PHP, mySQL, OpenSSL and mod_ssl.
Now which system do you want to administer today ?
Re:Administering Two Owesses. A True Story. By Me. (Score:2)
My Debian server.
Re:Administering Two Owesses. A True Story. By Me. (Score:2)
(* one administers an enema; one administrates a computer system, though sometimes, I know, it is hard to tell the difference)
Re:Administering Two Owesses. A True Story. By Me. (Score:2)
> System 2: standard Mandrake-Linux distro * daily: Mandrake distro stuff:
How is it that one needs daily checks for new patches, and the other only needs to be checked monthly? How, BTW, do you check that the new NT patch doesn't upgrade parts you don't want to upgrade? And why do you use Mandrake (basically a desktop distribution) instead of a more server orientated distribution?
This doesn't seem like a very apple to apple comparison.
*Sigh* (Score:2)
Gartner's crystal ball is broken (Score:4, Insightful)
The question you should be asking yourself is not "Should I be replacing my IIS systems with Linux+Apache?" but, rather, "If I am relying on Gartner for recommendations on conditions in the future, why didn't they see this coming a year ago?"
Well more than a year ago, the security benefits of open source were explored not only by
Why does Gartner put probabilities on their expectations without showing their work? Does anyone go back in history and look at these probabilities?
Doesn't Gartner have an interest in pressing the solutions that people expect them to press? And here's a HUGE question... if you're using the exact same solutions as every one of your competitors, are you prepared to give up the idea that IT could give your company a competitive advantage? Do your bosses agree with this?
Duh!? (Score:2, Insightful)
Fact: The scum that write these worms will target the most popular platform to get maximum impact.
Fact: IIS holds a lion's share of the web server market for corporate installations and business
Fact: There are a bunch of incompetent sysadmins out there who can't take the five minutes to follow MS' IIS Security Checklist (which would've foiled Code Red) or apply SP2 (which would've foiled Code Red II and Nimda)
So, if we all dump IIS and go with, for example, Solaris+IPlanet, or Linux+Apache, the same lousy SA's will still not apply their patches and the Scum will not be writing worms for Linux+Apache or Solaris or whatever.
The _REAL_ solution is to get people to be smart about installing Internet servers and make it dirt simple on all platforms to apply patches (MS has made great strides in this with the Network Hotfix Checker and the soon-to-be-released HF auto downloader).
Blaming MS for lazy sysadmins isn't going to help anyone.
Re:Microsoft Revamping of Software (Score:2)
Riiight... (Score:2)
Re:About to respond (Score:2)
> I was about to respond to this article, but Slashdot broke and wouldn't accept any postings and wouldn't let me log in for several minutes. Then, it continually timed out. Apache? Ha!
Don't blame it on Apache - it's more likely that it's either the database server, or Slashcode throwing a fit again (probably the former, not the latter.) Ever since their last upgrade, the system seems to be a bit flaky at times - sometimes for hours, sometimes for a couple o' minutes.
And if it WAS Apache - well, why would it still be serving webpages? :-)
Re:Duh (Score:2)
Despite my best efforts to NEVER have an IIS server we in the travel industry need to have a "turn key" (oh I love marketing) solution to put reports on the web. ALL of the solutions use IIS as the server, Apache, iPlanet, Domino are NOT options.
So if you want reports on the web and don't want to spend a fortune having someone reinvent the wheel who has NO RELATIONSHIP with SABRE/Apollo/WorldSpan you buy an IIS server and run their products on it.