Comparing Microsoft IIS and Apache HTTP Server
by Dave Murphy
ISSN 1535-3613
Users of Microsoft's Internet Information Server (IIS) find that keeping up with the near-weekly security patches is just about a full-time job. Some compare their efforts at securing Microsoft's webserver to plugging the holes in a vegetable colander. "We stay on top of what we do, but you never know," said Martin, CEO of isObject Inc., an independent software developer in Brentwood, Tenn. "Maintaining IIS servers is a cumbersome, tedious process. Any time you bring a new server online, you have to apply 40 or 50 patches."

IIS webmasters frequently resort to purchasing and installing after-market devices that harden IIS boxes. Keeping up with the security holes is just too costly. The manpower costs of dealing with the flood of security problems that have plagued Microsoft's webserver can cripple an IS department or an entire small business. Microsoft has issued 21 security bulletins for IIS 5.0 alone, a number that is increasing at the rate of about one every three weeks. It's estimated that IIS holds 25 percent of the market for enterprise web servers; however, more than half of all defaced websites listed on attrition.org run IIS.

Webmasters are often forced to use Microsoft's IIS software because it's the default webserver for both Windows NT and Windows 2000. Since it's already available, IS managers are hesitant to authorize the purchase and installation of other software, regardless of the announced security warnings.

Many IIS security holes are routine flaws that grant unauthorized access to crackers who crash the server. However, an increasing number of flaws grant more general access to the webserver system. Crackers can breach the network security and gain access to file systems, and even permission to execute commands. Microsoft recognizes the risks to customers who use IIS. "There is a problem with IIS," said Scott Culp, security program manager at Microsoft, in Redmond, Wash.
"We've just had too many vulnerabilities affecting IIS, especially this year. We recognize the need to do a better job of making it secure."
Alternative to Microsoft IIS

Although IS managers may not have a budget item for replacement webserver software, there's still an alternative. The Apache HTTP Server has earned an enviable security and reliability reputation. The Apache Software Foundation offers their webserver for free, even for commercial use. So arguing that new software costs too much doesn't hold water. Installing Apache is a snap, and it can be done by any competent webmaster in a few minutes.

The last serious security hole in the Apache webserver was reported and fixed in January 1997. Since then the only Apache security holes have been related to denial of service (DoS) and unauthorized listing of filenames.
Comparing Apache and IIS

Why do most experienced webmasters agree that Apache is a secure alternative to IIS? First, Apache doesn't install a lot of extra programs. A default Apache build doesn't install any Apache modules (extensions) at all -- just a basic webserver. By default, Windows 2000 and IIS install seven external Dynamic Link Library (DLL) files plus FrontPage server extensions. Every one of these eight components has had security updates since Windows 2000 was shipped.

Second, Apache components, if they're installed, run as a nonprivileged user, so if a buffer overflow occurs, damage is minimal. Conversely, Microsoft IIS allows system-level access, thereby potentially granting root (superuser) permission. Any user, even a remote one, who has root permission can access, change, and delete any file anywhere on the system.

Third, Apache gets all of its configurations from a single file, httpd.conf. Microsoft IIS gathers configuration data from several files.
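The three properties just listed (few loaded modules, an unprivileged worker identity, one configuration file) are all visible in httpd.conf, so they can be audited mechanically. The script below is an added example, not from the article or from the Apache project: it parses two constructed httpd.conf fragments, reports the User and Group the worker processes drop to, flags superuser identities, and lists every LoadModule directive so the reviewer can see how many extensions are exposed. The directive names (User, Group, LoadModule) are real Apache directives; the sample configurations and the privileged-identity list are assumptions made for the example.

```python
import re

# Constructed httpd.conf fragments for the example (not real server configs).
# Only top-level directives matter here; container blocks are skipped.
HARDENED_CONF = """
ServerRoot "/usr/local/apache"
User nobody
Group nogroup
LoadModule log_config_module modules/mod_log_config.so
LoadModule dir_module modules/mod_dir.so
DocumentRoot "/var/www/html"
"""

WEAK_CONF = """
ServerRoot "/usr/local/apache"
User root
Group root
LoadModule cgi_module modules/mod_cgi.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule autoindex_module modules/mod_autoindex.so
DocumentRoot "/var/www/html"
"""

# Apache accepts "User #0" as well as "User root"; both are listed here.
# The Windows names are included only so the same check works on a
# hypothetical Win32 httpd.conf (assumption for the example).
PRIVILEGED_IDENTITIES = {"root", "#0", "SYSTEM", "Administrator"}

DIRECTIVE_RE = re.compile(r"^(\w+)\s+(.*?)$")


def parse_directives(conf_text):
    """Return (name, arguments) pairs for each plain directive line.

    Blank lines, comments and <Container> lines are ignored; the goal is a
    readable audit, not a full httpd.conf grammar.
    """
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            directives.append((match.group(1), match.group(2)))
    return directives


def audit(conf_text):
    """Summarise worker identity and loaded modules, with findings."""
    directives = parse_directives(conf_text)
    lookup = {name.lower(): args for name, args in directives}
    user = lookup.get("user")
    group = lookup.get("group")
    # Only the first argument of LoadModule is the module name.
    modules = [args.split()[0] for name, args in directives
               if name.lower() == "loadmodule"]

    findings = []
    # The parent process binds port 80 as root; the User/Group directives
    # decide what the request-handling children drop to.
    if user is None:
        findings.append("no User directive: workers keep the build default")
    elif user in PRIVILEGED_IDENTITIES:
        findings.append(f"User {user}: workers handle requests as superuser")
    if group is None:
        findings.append("no Group directive: workers keep the build default")
    elif group in PRIVILEGED_IDENTITIES:
        findings.append(f"Group {group}: workers run in the superuser group")

    return {"user": user, "group": group, "modules": modules,
            "findings": findings}


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        report = audit(conf)
        print(f"{label}: User={report['user']} Group={report['group']} "
              f"modules={len(report['modules'])}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against a real httpd.conf, the module list is the part worth reading: each entry is attack surface that a default Apache build would not have had, which is the point the article makes about the eight IIS components.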
Dave's Opinion

Although I maintain a Windows 2000 and IIS system, it's specifically to host Microsoft Access databases through Active Server Pages (ASP). All of my principal websites are hosted on Red Hat Linux with the Apache HTTP Server. I've found IIS insecure and way too buggy.

During my research I read that eWeek Labs discovered that when they manually removed all extensions from IIS, three (including the ones allowing the Index Server attacks) were silently restored by the Windows installer when they later removed the FrontPage components. This is unacceptable. It's a software program that reinstalls its security holes after they've already been patched.
Call for Comments

What do you think? Leave your comments on the message center.
References

Microsoft
Apache
Message Center
Related Articles

Windows NT/2000 Users Assessed Insurance Surcharge
ICQ Servers Cracked Through Hole In Microsoft IIS
Microsoft Reports Serious IIS Vulnerability
Worm Infects Microsoft IIS and Solaris Servers
Microsoft IIS 5.0 Opens Security Hole in Windows 2000
Microsoft Webservers Laid Open For All To See
Linux Under The Weather
Cross-Site Scripting Security Bug Hits the Web
Previous issues are on our website at http://itrain.org/itinfo/.
International Association of Information Technology Trainers
410.567.5366 Copyright © 2001 International Association of Information Technology Trainers, Ltd., All Rights Reserved
http://itrain.org/itinfo/2001/it010723.html