META Report: IIS Users Should Invest in Security, Not Migration

By CIO Update Staff

By Meta Group Staff

News Item: Earlier this month, Microsoft announced a new initiative to help customers improve the security of their networks after a string of high-profile viruses targeted Microsoft software used to run Web sites.

Situation Analysis: Microsoft Internet Information Server (IIS - along with Windows NT and Win2000) suffers from more security vulnerabilities than its rivals, as evidenced by the high rate at which Microsoft issues security patches. Although this reflects some sloppiness in IIS coding, the main reason is simply that IIS is less mature - it has not been around as long as Apache and iPlanet, its Unix-based competitors.

IIS is also subject to more attention from hackers, in part because it is so widely used. All operating systems and Web servers have vulnerabilities, and all users need to track and implement security patches regularly. However, as a result of the code flaws and higher profile of Microsoft's software, IIS users must assign more resources simply to tracking and installing new patches as they come out.

"None of this should be a surprise," says META Group analyst Chris Byrnes. "All operating systems have needed several years to mature, and all of them - MVS, VMS, Unix, Linux, etc. - have had security problems in their early years. To expect that Microsoft has somehow 'done it right' and produced a new operating system and related services, such as IIS, with no security problems is totally unrealistic."

Because of the high frequency of patches for Windows and IIS, maintaining their security is more expensive compared to Unix-based alternatives. However, Windows/IIS systems typically cost much less than any of those alternatives, and we estimate that, in most cases, these competing cost factors roughly balance, making IIS about as expensive as its competition (exclusive of installation and development costs). We do not see the higher cost of Windows and IIS security as a reason for companies to go through the expense and pain of migrating their Web sites away from Windows and IIS onto an alternative server.

Companies with large, transactional Web sites running over a large number of IIS servers face the greatest expense in maintaining security. However, we do not think even these organizations should automatically migrate their sites off Windows/IIS. Nor do we see the security issue as a reason, by itself, for an organization creating a new site to choose an alternative instead of IIS, though the security issue is something new site developers should take into account. Rather than acting as a litmus test, the issues surrounding Windows/IIS security must be factored into the overall selection process.

"Organizations choose application servers based first on functionality, second on total cost - the purchase price plus installation costs and the cost of building the site around it, and third on security," says Byrnes.

IT groups should recognize that IIS security is often compromised by Microsoft's policy of making its software as easy as possible to install - part of its legacy as a desktop system vendor. As a result, in the past Microsoft has shipped Windows and IIS with most security turned off and most services turned on. Unfortunately, this increases the risk exposure of standard installations. IT organizations then must customize the installation to obtain a reasonable base level of security.

For example, Department of Defense instructions on achieving military security levels with NT include a list, several pages long, of NT services that must be turned off. Many IT shops have never gone through these services in NT and IIS to turn off those they do not need. This process greatly increases security by shutting off potential security holes. By contrast, most Unix versions and software ship with most services turned off for security reasons - but this makes installations more difficult.

IT departments must establish security processes that include limiting enterprise exposure to viruses by installing patches as soon as they become available. Some of the worms that have caused great damage and made headlines recently exploited old, well-known holes in IIS security for which patches have been available for some time. Their success was a measure of how careless many IT groups have been concerning security.

To fix that problem, the CIO must make the tracking and installation of security patches the primary responsibility of someone in the IT organization. This person will need to monitor the sites of all the organization's operating system vendors, but pay particular attention to Microsoft. Patches must be installed as soon as they become available on all systems, particularly those facing the Internet (using strong change management and production testing processes). This person should also pay close attention to PCs that employees - including senior management - use to work from home and laptops that employees carry so they can work on the road. These can become infected and carry such an infection through the corporate firewall.

Another particular danger of IIS is that because it is part of Win2000, it is present on all Win2000 desktops. To protect desktops from worms or viruses that get past the enterprise firewall, IT should deactivate IIS on desktops and lock it so users cannot reactivate it.
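As an added illustration of that lockdown (not part of the META report), the following PowerShell audits the IIS services on a workstation and stops and disables any that are still enabled. It assumes it runs elevated and that W3SVC (World Wide Web Publishing) and IISADMIN are the service names present on the build; the list is an assumption to adjust to the services your organization does not need.

```powershell
# Added example: audit and lock down IIS services on a Windows workstation.
# Assumed service names; extend the list with other services you do not need.
$UnneededServices = @('W3SVC', 'IISADMIN')

function Get-ServiceExposure {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }   # service not installed: nothing to do
        [pscustomobject]@{
            Name        = $svc.Name
            Status      = $svc.Status
            StartType   = $svc.StartType
            # Anything not both stopped and disabled can still be (re)started
            NeedsAction = ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled')
        }
    }
}

function Disable-UnneededService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Names)
    foreach ($item in Get-ServiceExposure -Names $Names) {
        if (-not $item.NeedsAction) { continue }
        if ($PSCmdlet.ShouldProcess($item.Name, 'Stop and disable')) {
            Stop-Service -Name $item.Name -Force -ErrorAction Stop
            # 'Disabled' start type means a non-admin user cannot start it again
            Set-Service -Name $item.Name -StartupType Disabled
        }
    }
}

# Report first, then apply; drop -WhatIf to make the change
Get-ServiceExposure -Names $UnneededServices | Format-Table -AutoSize
Disable-UnneededService -Names $UnneededServices -WhatIf
```

Run the report across the desktop estate before applying the change so that any machine legitimately serving a local Web application can be excluded.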

Microsoft is now belatedly moving to lower the cost of IIS security, immediately by reorganizing parts of its Web site to make IIS security patches more accessible, and by shipping future versions of IIS with most services turned off. This will complicate installations by requiring that administrators identify and turn on the services they need, but it will ensure that unused services are not left on to create security holes. Longer term, Microsoft is promising a complete rewrite of IIS to eliminate many of the potential security breaches.

We expect that Microsoft will eliminate most of the security holes in IIS in the next 18-24 months. The more mature IIS that emerges in that time frame should have many fewer security problems, fewer patches, and, therefore, a lower cost of ownership. The IIS rewrite should hasten such maturation.

User Action: We do not recommend that Windows/IIS users migrate their Web sites to alternative technologies, such as Unix with Apache or iPlanet. Rather, we recommend that they concentrate on increasing the security of their sites by turning off IIS (and Windows NT or Win2000) services that they do not need and instituting an active program to install all security patches as soon as they are released.

Although new site developers should consider the added security problems of IIS when choosing the base technologies on which to develop their sites, we do not believe that should be the only - or even the top - criterion in such a choice. IIS does suffer from immaturity at present, but it will mature and its maintenance costs will fall within the next 18-24 months.

META Group analysts Chris Byrnes, David Cearley, William Zachmann, Val Sribar, David Folger, Herb VanHook, and Dale Kutnick contributed to this article.