Gartner Group has issued a remarkable advisory recommending - in the strongest terms - that enterprises abandon their investments in Microsoft's web server IIS (Internet Information Server). The key point of the advisory is that Gartner has lost faith in Microsoft's ability to patch and fix IIS. It recommends holding off from .NET products too, or at least those that are based on Microsoft's IIS, until the latter is "completely rewritten".
Read Ditch Microsoft IIS now, says Gartner
Read Nimda Worm Shows You Can't Always Patch Fast Enough
4 weeks ago Gartner insinuated that J2EE solutions were costly and overweight, and now it strongly recommends against Microsoft's IIS. What is Gartner recommending for serving web pages then, Cold Fusion???
I do agree Microsoft should be held accountable for their lack of effort in securing and patching IIS as well as Outlook clients. From Nimda we see that EVERYONE suffers, not just MS users. This is a black eye on the entire tech industry as a whole.
Nimda, Code Red, and Code Blue (to name some recent examples) were all ugly situations enabled by vulnerabilities in Outlook, IE, and/or IIS. Rightly Microsoft should be held accountable. But the other side of the story is that fixes to all of the exploits used in these worms were available PRIOR to the attacks. In the case of Nimda, the fix was available 1 month prior to the attack. In the case of Code Blue, it was available 1 year prior to the attack.
So the administrators of the compromised systems must bear some responsibility. I am not absolving the manufacturer from its share of blame, only pointing out that multiple factors are in play here, and the net result is that this is a problem that Microsoft cannot solve on its own.
When automobiles first came into use, there were few cars, few roads. Drivers were assumed to be responsible. But as roads became more crowded, and cars became more widely used, there came a time when licensing and approval of drivers was necessary, to ensure the common good and safety. In the US, the states take on the responsibility of certifying drivers.
This is a direct analogy to the internet. We depend on it, use it for conducting business and pleasure, but it is still unregulated territory. Anyone can set up a server on the net, without any qualifications whatever. That server can later become a target for exploits, which may have the effect of causing problems for many, many others. Should the sysadmin who owns that server be held responsible, just as the driver of a car is held responsible?
Currently the answer is "Nope, it's always the manufacturer's fault."
When sysadmins refuse to accept responsibility for maintaining their systems, producing a worm is as easy as monitoring Microsoft's public disclosure of fixed vulnerabilities, and then producing an exploit for them. Hackers and miscreants know they can count on the lack of responsibility of sysadmins of IIS.
(disclaimer: I work for Microsoft; these are my opinions.)
Whilst I agree with you that ultimately it is the responsibility of Sys Admins to apply patches...
I think that the Gartner report is making comment on *how often* this needs to be done. The main point I drew from that article is that the maintenance cost - just for the security of IIS - is very high. Whereas with other alternatives it is lower.
There is the cost of actually applying the patches (the time involved) - as well as then dealing with the obscure side-effect "bugs" that patches sometimes expose.
It is what the unix proponents have been saying for a long while about the M$ platform. Multiple inexpensive machines may be "inexpensive" to buy, but not to maintain.
Look at the TCO.
While it's true that the patches were available, applying a constant stream of patches is a challenging task. This is especially true when you have to verify for yourself that the patch doesn't break anything in your environment (as some service packs and patches from vendors, including Microsoft, have been known to do in the past).
This is a huge task. So huge, in fact, that Microsoft itself cannot keep all of its public servers up to the current level. Microsoft got hit by Code Red badly, and apparently even Nimda got through, _despite_ a big clean-up following Code Red.
If Microsoft can't keep its own servers up to the current patch level, how do they expect us to?
The whole issue of releasing patches needs to be seriously overhauled, and a better mechanism found. Using the car analogy, the current situation is like a manufacturer posting a note saying that your camshaft needs to be shortened, here's how much to cut off, and you can borrow our saw.
I do not want to tread down the Microsoft-bashing path, even if the title of this thread almost welcomes it. I do agree that administrators need to be accountable for applying the available patches that will circumvent these viri. HOWEVER, the current state of the IT industry, along with the rest of the economy, is in a state of unrest and disjointedness. Admins are hired and fired consecutively, so most are dealing with systems that they did not set up, and hence are unaware of the nuances and backdoors in these inherited systems.
Microsoft is NOT recognizing and taking proactive responsibility for the flaws in its products the way other companies do. The best example of corporate responsibility and customer-first policy is Johnson and Johnson's massive recall a few years back: a few people died from tainted Tylenol and J&J pulled every single bottle off the shelf, even though many suggested a limited recall would have sufficed. The same could be said of Ford's total recall of Firestone tires. Now Microsoft's flawed IIS/Outlook is not a life-and-death situation. However, it is SEVERELY affecting the entire Internet industry, compromising security and reliability for all. I am afraid that MS will go down in Internet history as not only being late to the game, but ironically first to bring down the whole industry!
Should I say it is great to watch the list of patches for fixing the Microsoft servers and others? Well, personally I tried to fix the Nimda virus using the available patch on the Microsoft site, which was not working properly. I also tried to download the worm, but it wouldn't let me download it, as the link said this page has been moved.
I think it is not a good example to have a hole in IIS, especially from the company that is leading IT technology; rather, it should be developed very carefully in order to provide maximum security, as a lot of businesses depend on these products.
If you compare NT with the UNIX OS, I have never heard that someone has gotten past UNIX security.
No wonder Microsoft has brought a revolution to the IT market and the PC world, but again it is a matter of thinking and taking it more seriously rather than blaming administrators or users.
Applying a patch is not just reading the readme.txt file and copying the required file onto the production server. You have to test it to make sure it doesn't break your running application. For that you have to go through resource scheduling. Resources are QA testers, machines, etc. PLEASE DON'T BLAME SYS ADMINS. You can't patch a *buggy* IIS server every week.
This is not pleasant news for Microsoft, especially at this time when it is trying to push XP & .Net in full swing. One thing that keeps on eating my brain is "Why are Microsoft products often vulnerable to security attacks?"
Is it because they are not built in the right way?
Or is every virus creator targeting only Microsoft products?
If the former is true then switching to other vendors' products will help, but if the latter is true... then????
I guess only time has to answer these.....
I'd have to say a bit of both: (1) the technology is not the greatest (e.g. it's basically a bunch of patches on top of patches, etc. from a product that is getting up in age) and (2) it may be easier for virus authors to have access to IIS, although I suppose since Apache is free, that argument doesn't make a whole lot of sense. Perhaps a 3rd reason could be because there are a lot of anti-Microsoft "terrorists" out there... Just my 2 cents. It certainly doesn't bode well for those developers and companies who are trying to work in these technologies if they need to constantly be defending against the Gartner Group's statements.
As I see it, Microsoft leaves itself vulnerable to virus writers primarily as a consequence of trying to make its products easy to use.
VBScripts in mails - elegant in a benign all-Microsoft world, not so elegant in the real world of malicious hackers.
And the same goes for at least some of the various holes in IIS.
> "Why are Microsoft products often vulnerable to security attacks?"
I used to work at Microsoft so I have a little bit of insight.
First, security is difficult. It is best implemented when it is a major part of the original architecture (as in Java). As a glued on afterthought, it always has holes that are difficult to find. In this case, Microsoft has the disadvantage of having built and shipped major systems that were not built from the ground up with security in mind.
So how did that happen? Microsoft has an obsession with being first to market, or at least close to it. They go so far as to calculate the amount of marketshare lost for each month that a non-OS product is late. With that kind of pressure to ship, security that was "good enough" was good enough.
Second, Microsoft has a corporate culture geared towards maximum profitability. Everything is triaged based on dev time and numbers of affected users. Therefore it is not maximally profitable to test and rearchitect major systems to defeat exploits that will never happen. Of course, this means that we suffer in order to maximize Redmond's profits, but that shouldn't surprise anyone.
I assure you, XP has some mind boggling security holes. Some of them are hard to find without the Windows source code, however, so why spend the major amounts of money to fix them if they'll probably never be found?
I'm not a disgruntled ex-employee. On the contrary, I enjoyed my time in Redmond. It is difficult for me to outright condemn MS for these practices because they occur virtually everywhere in the industry. In fact, most companies would argue that if they did NOT engage in them, they'd go out of business.
Still, as convicted monopolists (hehehe) and certainly as the brilliant marketers that they are, you'd think they'd have figured out a way to make money from tightening security a couple of revisions ago. In terms of the pure business case, I think they missed the boat.
== Ross ==
Thank you for your insight, Ross. Security bugs are just like other bugs: a company under time pressure, which is not open source, can never produce perfect software.
I think that at last, most of the industry watchdogs and/or pundits are finally catching on.
Code Red != The Internet.
Code Red == Microsoft IIS!
It is not an "Internet" virus, but a "Microsoft" virus!
They want to be known as the "The Internet Company".
Deal with it!
Apache Group does not ask for money. Microsoft does. The implications are outrageous and the feeling is anger. Now, this obviously goes beyond viruses.
Frankly, we are being cheated. On the other hand, the software agreement gives them the freedom to produce failing products. It's the law influenced by their (SV) lobbying.
So what do I do? Hate their product. Use their product. Ditch their product. Start all over. Basically, live with it.
But I certainly use all my skills, directly and indirectly, upfront or discreetly to steer my team away from Microsoft products. Should they improve I will reconsider.
Enterprises abandon IIS and move to Apache? Well, nothing in this Gartner Report seems reasonable. First, it is not overall even difficult to maintain security in a web server environment. We did not get hit by any of these worms, by applying well-known security recipes, and it costs almost nothing! It is all the same for whatever environment you choose. You can't just install Apache and forget it. Second, moving from IIS to J2EE can cause a company to go bankrupt. What about the enterprise applications targeting the pure Microsoft platform? What is the cost to replace them? Does Gartner have a clue on this? I don't think so.
Hell thanks, I have coded and administered lots of 24x7 IIS projects with high transaction rates. I, and my clients can keep up with it. Would you curse the clouds for the rain? Blame yourself if you can't get secure.
IIS is a webserver. To replace a webserver, you need a webserver, not a J2EE based application server. The Apache webserver is free & the company will save $$$$ in software licenses. Total Cost of Ownership is only 10% of IIS.
Move to Apache ..
Yes, IIS is a web server. But it is so tightly integrated into COM+ (formerly MTS) that it is also an application server. If you own IIS, you own COM+ (which enables you to develop component based applications that support built-in security, safe threading, transactions, etc.). If you own Windows 2000, you own both. That is why migrating from IIS to Apache also means migrating your applications to another platform (of course, if we are not talking about static web sites).
Done ditching Microsoft. Buggy technology, high price, and lack of open documents make developing a much more challenging process than it should be.