Gartner group: "don't use IIS"
-
"Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache." http://www3.gartner.com/DisplayDocument?doc_cd=101034 -c ------------------------------ Smaller Animals Software, Inc. http://www.smalleranimals.com
-
Which of course is totally stupid. 1. All operating systems have to be patched often for security problems. 2. All operating systems have easy to exploit bugs when left unpatched. Tim Smith Descartes Systems Sciences, Inc.
And what about the cost involved in moving to a different system? Or the time spent in rewriting all your ASP pages, ISAPI filters and extensions, and COM objects, and the cost (and downtime) involved in training to use a new OS. My respect for Gartner just went down a notch. cheers, Chris Maunder (CodeProject)
-
Gartner group seems to always recommend expensive solutions which generally require corporations to contract out the work to expensive third parties. Recently, Gartner group recommends that "Customer Intimacy" is more important than "Product Quality" which is plain stupid. The concept being that corporations should invest in customer service or help desk services rather than fund quality product development and testing. The customers I deal with expect the product to work the first time and the fewer reasons they have to call customer support the happier they are.
-
Well, I'm no expert on alternate systems, but it does seem to me that IIS needs to be hardened much further than it has been. I think it would have been much more appropriate for Gartner to reprimand MS for failing to take IIS security seriously enough than to generate a report telling people not to use IIS (and by extension .Net). Why exactly is it possible for an attack on IIS, which runs in a defined security account, to gain _system_ level access? What kind of a hole is that, geez. Administration of these boxes, although much better than their competitors, is still way too complicated to ever feel like you've done it right. The number of times I've been in a group of really smart people, _completely_ dumbfounded over a W2K/IIS box cannot even be counted. David
-
My big question, which can't be answered, is how many people are trying to write W32 worms compared to linux/bsd/i386/alpha/sun/etc worms. Is MS really more buggy (which I actually think is true), or is it that more people are gunning for MS? Tim Smith Descartes Systems Sciences, Inc.
-
See the following URL: http://www.netcraft.com/survey/ Apache is far and away the more prevalent web server out there. IIS' domain is mainly corporate Intranets. Jim
-
Yup, but that wasn't my question. It isn't the number of installations, it is the number of people actively trying to write worms for them. With IIS, you have 1 OS you have to worry about. With Apache, you have not only multiple OSes, but multiple processor types. Thus, it makes it MUCH less attractive for hackers. Then, you also have to take into account the MS haters. Tim Smith Descartes Systems Sciences, Inc.
-
i doubt there's any kind of concerted group of virus/worm authors "gunning" for MS. if MS has 80-90% of the desktop market, they probably have the same percentage of virus/worm authors, too. but really, it's simple: these people want their code to get around, and they stand a better chance of that happening if they write for the OS with the most number of boxes. it's probably nothing to do with MS per se, and all about giving their code the best environment to live/breed in. and like you mention in your other post, the *nixes are all spread across different hardware, which makes writing binary distributions (which of course, worms and viruses are) difficult. -c ------------------------------ Smaller Animals Software, Inc. http://www.smalleranimals.com
-
.. and by extension, is it the duty of responsible Windows programmers to write (benign) Linux viruses, so we can level the playing field vis-a-vis FUD?
-
> My respect for Gartner just went down a notch.
Sounds like you have a biased way of giving respect :-( Have you also thought about the cost of demand caused by virus? Gartner is also a business entity and they most probably know what they are talking about - maybe they have made the shift themselves. Best regards, Paul. Paul Selormey, Bsc (Elect Eng), MSc (Mobile Communication) is currently Windows open source developer in Japan, and open for programming contract anywhere!
-
"Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS"
Why should it matter whether enterprises have been hit by both worms? The only possible answer is that this advice is meant for companies that don't apply patches at all. Perhaps the wiser (and more cost effective) advice would be "Gartner recommends that enterprises hit by both Code Red and Nimda get their act together and start applying patches on a regular basis."
Mike Sax
http://Sax.NET
Rock Solid Components™
-
> Sounds like you have a biased way of giving respect
Why? To me it seems they are presenting a knee-jerk simplistic solution.
> Have you also thought about the cost of demand caused by virus?
Applying a patch is a lot cheaper and easier than rewriting an entire site. MS have a security bulletin mail list, hotfix checking software and the Windows Update tool. Between these three there should be little excuse for not keeping on top of patches. Is moving to Apache going to make keeping up with patches any easier or less necessary? Yes - Apache or iPlanet or whatever may have a lower risk of attack or infection, but this does not mean they are safer. There may be gaping holes in any server - it's up to the virus writers which servers they decide to target.
> Gartner is also a business entity and they most probably know what they are talking about - maybe they have made the shift themselves.
Just because they are a business doesn't give them divine knowledge. They make the statement: "Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS" This to me seems a tad ludicrous. Completely rewriting a product does not ensure it will be bug free or secure (in fact we all know what first release software is like). It's like Gartner are saying MS is doing nothing worthwhile to fix up the holes and that MS should finally just write a proper web server. Simple as that. I wonder why no one at MS has thought of writing a web server with no security holes before? I also think that the Gartner group should be more specific about the risk. It only affects IE 5.1/5.5 and IIS installs that haven't been patched properly, or IIS installs that have not been configured using best practices.
cheers, Chris Maunder (CodeProject)
-
Hello Chris, First of all, I do not receive notifications of response to my messages from the forum or lounge. Any reason (the check of Notify...is on)? Now, let me just take this...
> "Gartner remains concerned that viruses and worms will continue to
> attack IIS until Microsoft has released a completely rewritten,
> thoroughly and publicly tested, new release of IIS"
Your view of this statement still makes the "claim" of bias standing. Did you realize that you look at only one-REWRITTEN, forgetting about the other parts of testing? Of course everyone could just release a product with the mind that they will fix the bugs through patches. But where someone's business is concerned, you can play XBox with it. Word and IIS are definitely not in the same category :-) And downloading a fix each month is not something most IT of big companies can easily do. Remember these products do not come with any insurance policy - so the less vulnerable the better. Best regards, Paul. Paul Selormey, Bsc (Elect Eng), MSc (Mobile Communication) is currently Windows open source developer in Japan, and open for programming contract anywhere!
-
And what happens when they find security flaws in the other products? Will they advise to switch back to IIS? (2b || !2b)
-
The huge flaw in that line of thinking is the other solutions are inherently more secure. If anybody thinks that Apache/Linux/FreeBSD/OpenBSD/OpenVMS/etc is more secure, you need to rethink your position. HOWEVER, it is TOTALLY valid to switch to those platforms because they are not as likely to be targeted. BUT, if one OS/Server/CPU becomes predominant, then it will also start becoming a target. Tim Smith Descartes Systems Sciences, Inc.
-
When I mention the MS haters, I really think that is a very small group. Somewhere around 1% of the total virus population. Tim Smith Descartes Systems Sciences, Inc.
It's true. Most virus guys love MS since their products are most widely used on desktop markets (home user), which makes it easy to spread their viruses. (2b || !2b)
-
I seem to be the only person here who has experience of both IIS and Apache. I started with IIS and then our company moved to Apache. Here's my experience:
* Apache is easier to use
* Apache is more flexible
* Apache is more transparent; IIS hides "complexity" behind its GUI; people at this level shouldn't need a GUI. Try writing MFC/C++ type software with a GUI only.
* Apache viruses/holes etc. are reported very quickly and patches are distributed quickly. To the guy who says big companies can't afford updating once a month, they should be looking at once a week or less to be in any sense secure.
* Apache's performance is much better than IIS.
* Apache is virtually FREE :).
* Apache is better in every way I have seen (and I'm NOT a Linux freak !)
In short, I know it's a pain to switch, but it's worth it.
I wonder why, I wonder why, I wonder why I wonder ...