News Item: Earlier this month, Microsoft announced a new initiative to help customers improve the security of their networks after a string of high-profile viruses targeted Microsoft software used to run Web sites.
Situation Analysis: Microsoft Internet Information Server (IIS), along with Windows NT and Windows 2000, suffers from more security vulnerabilities than its rivals, as witnessed by the high rate at which Microsoft issues security patches. Although this reflects some sloppiness in IIS coding, the main reason is simply that IIS is less mature - it has not been around as long as Apache and iPlanet, its Unix-based competitors.
Because of the high frequency of patches for Windows and IIS, maintaining their security is more expensive compared to Unix-based alternatives. However, Windows/IIS systems typically cost much less than any of those alternatives, and we estimate that, in most cases, these competing cost factors roughly balance, making IIS about as expensive as its competition (exclusive of installation and development costs). We do not see the higher cost of Windows and IIS security as a reason for companies to go through the expense and pain of migrating their Web sites away from Windows and IIS onto an alternative server.
"Organizations choose application servers based first on functionality, second on total cost - the purchase price plus installation costs and the cost of building the site around it, and third on security," says Byrnes.
IT groups should recognize that IIS security is often compromised by Microsoft's policy of making its software as easy as possible to install - part of its legacy as a desktop system vendor. As a result, in the past Microsoft has shipped Windows and IIS with most security turned off and most services turned on. Unfortunately, this increases the risk exposure of standard installations. IT organizations then must customize the installation to obtain a reasonable base level of security.
For example, Department of Defense instructions on achieving military security levels with NT include a list, several pages long, of NT services that must be turned off. Many IT shops have never gone through these services in NT and IIS to turn off those they do not need. This process greatly increases security by closing potential security holes. By contrast, most Unix versions and software ship with most services turned off for security reasons - but this makes installations more difficult.
IT departments must establish security processes that include limiting enterprise exposure to viruses by installing patches as soon as they become available. Some of the worms that have caused great damage and made headlines recently exploited old, well-known holes in IIS security for which patches have been available for some time. Their success was a measure of how careless many IT groups have been concerning security.
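The two processes recommended above (turning off services that are not needed, and checking that patches are installed) can be audited with a short script. The following is an added illustration, not code from the META report or from Microsoft; the service allowlist and the KB identifiers are constructed placeholders that an administrator would replace with their own baseline.

```powershell
# Added example: audit a Windows/IIS host against a hardening baseline.
# The allowlist below is a constructed illustration, not an official baseline.
$AllowedServices = @(
    'W3SVC',              # World Wide Web Publishing (IIS itself)
    'EventLog',
    'RpcSs',
    'Dnscache',
    'LanmanWorkstation'
)

# Placeholder KB identifiers; substitute the patches required for your build.
$RequiredHotfixes = @('KB0000001', 'KB0000002')

function Get-UnexpectedServices {
    param([string[]]$Baseline = $AllowedServices)
    # Report running services that are not on the baseline. Nothing is
    # changed here; the administrator reviews the list before disabling.
    Get-Service | Where-Object {
        $_.Status -eq 'Running' -and $Baseline -notcontains $_.Name
    } | Select-Object Name, DisplayName, StartType
}

function Get-MissingHotfixes {
    param([string[]]$Required = $RequiredHotfixes)
    # Compare installed updates (Get-HotFix) against the required list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $Required | Where-Object { $installed -notcontains $_ }
}

function Disable-ReviewedServices {
    param([Parameter(Mandatory)][string[]]$Name)
    # Stop and disable only the services an administrator has reviewed.
    foreach ($svc in $Name) {
        Stop-Service -Name $svc -Force -ErrorAction Stop
        Set-Service -Name $svc -StartupType Disabled
    }
}

Write-Host '== Running services not on the baseline =='
Get-UnexpectedServices | Format-Table -AutoSize
Write-Host '== Required hotfixes not installed =='
Get-MissingHotfixes
```

Run the audit first and feed only the reviewed names to Disable-ReviewedServices; disabling a service that IIS or remote administration depends on can lock you out of the box.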