25 Sep 2001
Analysts are advising against using Microsoft's Internet Information Server (IIS) because of its multitude of vulnerabilities that viruses like Nimda and Code Red exploit.
The Gartner Group has advised enterprises that had not yet made web server decisions to "weigh security heavily and to evaluate other web server software offerings" rather than opting straight out for IIS.
And for those which have already opted for IIS and have been hit by Code Red or Nimda, Gartner suggests "immediately investigating alternatives to IIS, including moving web applications to web server software from other vendors, such as iPlanet and Apache".
John Pescatore, information security strategies analyst at Gartner, said the track record of IIS should prompt enterprises with web applications to rethink their choices and "start investigating less vulnerable web server products".
He explained that, while platforms such as Apache or iPlanet have also required security patches in the past, they "have much better security records than IIS and are not under active attack by the vast number of virus and worm writers".
Pescatore said that IIS, and most likely Microsoft's .Net service too, would continue to be under attack until its code base is completely rewritten - something he doesn't envisage happening until 2003.
"For Microsoft's vision of .Net and web services to succeed, Windows XP will have to be significantly more secure than Windows 2000 has proven to be; otherwise, Microsoft risks losing some enterprise business to more secure implementations of web services," he said.
Pescatore maintained that the same old buffer overflow problems appearing in beta Windows XP code raise doubts over the effectiveness of Microsoft's security assurance tools.
Gartner's research also concluded that, based on how easy it is to attack IIS web servers, "using internet-exposed IIS web servers securely has a high cost of ownership".
For users already on the IIS path, Gartner emphasises that all enterprises should, as a minimum, go through the security checklist and install all patches.
But the analyst also warned that "the constant need to deploy these patches continues to increase the total cost of ownership of IIS web servers and always leaves periods of vulnerability", suggesting that users will always be on their toes, and never quite watertight.