Gartner group : "don't use IIS"
-
Hello Chris, First of all, I do not receive notifications of response to my messages from the forum or lounge. Any reason (the check of Notify...is on)? Now, let me just take this... > "Gartner remains concerned that viruses and worms will continue to > attack IIS until Microsoft has released a completely rewritten, > thoroughly and publicly tested, new release of IIS" Your view of this statement still makes the "claim" of bias standing. Did you realize that you look at only one-REWRITTEN, forgetting about the other parts of testing. Of course everyone could just release a product with the mind that they will fix the bugs through patches. But where someone's business is concerned, you can play XBox with it. Word and IIS are definitely not in the same category :-) And downloading a fix each month is not something most IT of big companies can easily do. Remember these products do not come with any insurance policy-so the less vulnerable the better. Best regards, Paul. Paul Selormey, Bsc (Elect Eng), MSc (Mobile Communication) is currently Windows open source developer in Japan, and open for programming contract anywhere!
The huge flaw in that line of thinking is the other solutions are inherently more secure. If anybody thinks that Apache/Linux/FreeBSD/OpenBSD/OpenVMS/etc is more secure, you need to rethink your position. HOWEVER, it is TOTALLY valid to switch to those platforms because they are not as likely to be targeted. BUT, if one OS/Server/CPU becomes predominant, then it will also start becoming a target. Tim Smith Descartes Systems Sciences, Inc.
-
i doubt there's any kind of concerted group of virus/worm authors "gunning" for MS. if MS has 80-90% of the desktop market, they probably have the same percentage of virus/worm authors, too. but really, it's simple: these people want their code to get around, and they stand a better chance of that happening if they write for the OS with the most number of boxes. it's probably nothing to do with MS per se, and all about giving their code the best environment to live/breed in. and like you mention in your other post, the *nixes are all spread across different hardware, which makes writing binary distributions (which of course, worms and viruses are) difficult. -c ------------------------------ Smaller Animals Software, Inc. http://www.smalleranimals.com
-
When I mention the MS haters, I really think that is a very small group. Somewhere around 1% of the total virus population. Tim Smith Descartes Systems Sciences, Inc.
It's true. Most virus guys love MS since their products are most widely used on desktop markets (home user), which makes it easy to spread their viruses. (2b || !2b)
-
"Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache. " http://www3.gartner.com/DisplayDocument?doc_cd=101034 -c ------------------------------ Smaller Animals Software, Inc. http://www.smalleranimals.com
I seem to be the only person here who has experience of both IIS and Apache. I started with IIS and then our company moved to Apache. Here's my experience * Apache is easier to use * Apache is more flexible * Apache is more transparent; IIS hides "complexity" behind its GUI; people at this level shouldn't need a GUI. Try writing MFC/C++ type software with a GUI only. * Apache viruses/holes etc. are reported very quickly and patches are distributed quickly. To the guy who says big companies can't afford updating once a month, they should be looking at once a week or less to be in any sense secure. * Apache's performance is much better than IIS. * Apache is virtually FREE :). * Apache is better in every way I have seen (and I'm NOT a Linux freak !) In short, I know it's a pain to switch, but it's worth it. I wonder why, I wonder why, I wonder why I wonder I wonder why, I wonder why, I wonder why I wonder ...
-
First of all, I do not receive notifications of response to my messages from the forum or lounge. Any reason (the check of Notify...is on)? Yes - I just noticed that this afternoon. I'm working on it at the moment. Thanks for confirming my fears :) cheers, Chris Maunder (CodeProject)
-
http://cnnfn.cnn.com/2001/09/25/technology/wires/yahoo_hack_ap/ Tim Smith Descartes Systems Sciences, Inc.
-
I gotta disagree with this one: * Apache is more transparent; IIS hides "complexity" behind its GUI; people at this level shouldn't need a GUI. Try writing MFC/C++ type software with a GUI only. "People at this level" may be using hundreds of different applications each month. It shouldn't be necessary to call in an expert every time you want to change some setting on a server. The already overburdened IT-staff doesn't have time to read through manuals every time they wanted to accomplish something. The same one or two persons usually have responsibility for fileserver, printserver, webserver, databaseserver, firewall, mailserver... Without a GUI they wouldn't stand a chance. - Mort
-
> My respect for Gartner just went down a notch. Sounds like you have a biased way of giving respect :-( Have you also thought about the cost of demand caused by virus. Gartner is also a business entity and they most probably know what they are talking about-maybe they have made the shift themselves. Best regards, Paul. Paul Selormey, Bsc (Elect Eng), MSc (Mobile Communication) is currently Windows open source developer in Japan, and open for programming contract anywhere!
-
I spent a lot longer reading manuals to set virtual hosts and firewalling with IIS than with Apache; it's all in one .ini file there plainly labelled with examples. I wonder why, I wonder why, I wonder why I wonder I wonder why, I wonder why, I wonder why I wonder ...
-
Gartner is well known for taking money and writing whatever an entity wants them to say, which certainly may be the case considering the alternatives listed. I would like to know who paid for the "research" and how much was paid.
-
I doubt very much if the opensource community paid for it !! I wonder why, I wonder why, I wonder why I wonder I wonder why, I wonder why, I wonder why I wonder ...
This is a well-thought response. Best regards, Paul. Paul Selormey, Bsc (Elect Eng), MSc (Mobile Communication) is currently Windows open source developer in Japan, and open for programming contract anywhere!
-
Thanks Paul!;) By the way if this site was run on Apache + php with a MySQL back end instead of ASP on (I guess) NT/2000 + IIS it would be a hell of a lot faster. Try www.phpbuilder.net for a comparison. Bob I wonder why, I wonder why, I wonder why I wonder I wonder why, I wonder why, I wonder why I wonder ...
-
That is a very blanket statement with little to support it. It's true that PHP is a pretty nice and fast system, however none of the PHP based sites do what Code Project does (and remember that CP gets thousands and thousands of hits a day). Code Project is a little unique in that it provides a much more concise forum structure than systems like Slashcode or Scoop or whatever. Most of those use the technique of listing every message in a thread, or listing messages that appear at a certain level of a thread. Code Project displays only individual messages, which has a much higher CPU load, but is also easier to follow.
-
Well, I'm no expert on alternate systems, but it does seem to me that IIS needs to be hardened much further than it has been. I think it would have been much more appropriate for Gartner to reprimand MS for failing to take IIS security seriously enough than to generate a report telling people not to use IIS (and by extension .Net). Why exactly is it possible for an attack on IIS, which runs in a defined security account, to gain _system_ level access? What kind of a hole is that, geez. Administration of these boxes, although much better than their competitors, is still way too complicated to ever feel like you've done it right. The number of times I've been in a group of really smart people, _completely_ dumbfounded over a W2K/IIS box cannot even be counted. David
While I agree with you about Gartner, I disagree with you about MS. I think MS takes security VERY seriously, it's just that even ONE bug can create a hole that can be exploited. If you look at the list of bugs in IIS in the last few years, most of them are in subservices of IIS (index server, ASP, front page extensions, etc.) rather than IIS itself. If you take into account patches of Apache modules such as PHP, mod_perl, etc. you'll also find a large number of bugs. IIS is a pretty comprehensive piece of software, and considering the alternatives, I really don't think the number of bugs that have been found have been out of line with national bug averages. It's just that IIS is so high profile, and has so many more people beating on it.
-
Exactly right. We've talked a lot about different methods of presenting the forums and the full thread display we have here just feels more natural than the 'tag your post to the end of the list' methods. While making sites very fast, they tend to discourage thread branching (maybe this isn't a bad thing some days ;) For a site getting a couple hundred thousand hits a day that runs pure ASP and uses 1 machine as a server, and 1 machine as a DB backend, I'm happy. cheers, Chris Maunder (CodeProject)
-
Phpbuilder gets thousands and thousands of hits a day too ... I don't know the exact number but look at the number of posts to their forum on Coding Help alone for 2001: Week 4 (1637 msgs) August Week 1 (929 msgs) Week 2 (1060 msgs) Week 3 (1216 msgs) Week 4 (1629 msgs) September Week 1 (977 msgs) Week 2 (867 msgs) Week 3 (883 msgs) Week 4 (834 msgs) Try the link http://www.phpbuilder.net/forum/read.php3?num=2&id=151581&loc=0&thread=134714 for a forum layout similar to CodeProject. Don't get me wrong - I am not criticizing CodeProject, I think it's an excellent well-designed site, and I use it all the time when I'm windows programming, but phpbuilder.net is equally good, and I have to admit, faster. In fact I challenge you to find a site running on asp that is faster than php performing the same function with a similar number of hits (I know, too many variables, but still I make the challenge). I for one have yet to see it. :-D I wonder why, I wonder why, I wonder why I wonder I wonder why, I wonder why, I wonder why I wonder ...
-
I understand the "complicated software" argument, but I'm not sure that I buy it. I haven't spent a ton of time whiteboarding out a better way to do this, but it would seem to me that *all* requests to IIS should be funnelled to an iron-clad security system, which a dedicated group within MS would be responsible for, and held fully accountable. This subsystem should offer a 1st line of defense for out-of-bounds activity, such as mistakes in URL parsers, upload and download limits, DoS attacks etc. It's great that Microsoft created ISA, but 99% of the IIS sites out there aren't protected by it. Something like it needs to be integrated into IIS. Further, Microsoft's latest C++ compiler allows for active buffer overrun checking, a source of a great many holes in their products. I understand that there's a performance cost to using software compiled with this enabled, but I for one would *gladly* pay that price in extra hardware. Lastly, out of the box IIS installs like a piece of swiss cheese requiring the application of dozens of patches, running lock-down tools, and in our most recent efforts, disabling IIS's automatic handling of dozens of arcane file types. David
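
The front-line request screen described in the last post (URL parsing mistakes, upload limits, unwanted file types), sketched as an added example that is not part of the original thread and is not Microsoft or IIS code. The function name, the limits and the extension allowlist are assumptions chosen for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Policy values are assumptions for illustration; tune them per site.
MAX_URL_LEN = 1024
MAX_BODY_BYTES = 1_000_000
ALLOWED_EXTENSIONS = {"", ".html", ".css", ".js", ".png", ".asp"}


def screen_request(target, content_length=0):
    """Return (allowed, reason); runs before any handler sees the request."""
    if len(target) > MAX_URL_LEN:            # bound what later parsers must hold
        return False, "url too long"
    if content_length > MAX_BODY_BYTES:      # upload limit
        return False, "body too large"
    path = urlsplit(target).path
    if re.search(r"%(?![0-9A-Fa-f]{2})", path):
        return False, "malformed percent-encoding"
    decoded = unquote(path)
    if unquote(decoded) != decoded:          # a second decode must change nothing
        return False, "double-encoded path"
    if any(not (0x20 <= ord(c) <= 0x7E) for c in decoded):
        return False, "control or non-ASCII character in path"
    segments = re.split(r"[/\\]", decoded)   # treat both separators alike
    if ".." in segments:
        return False, "parent-directory segment"
    ext = posixpath.splitext(segments[-1])[1].lower()
    if ext not in ALLOWED_EXTENSIONS:        # only file types the site serves
        return False, "extension not served: " + ext
    return True, "ok"


SAMPLES = [  # constructed sample requests, not taken from any real log
    ("/index.html", 0),
    ("/scripts/..%2f..%2fsecret.html", 0),
    ("/a%252e%252e/b.html", 0),
    ("/search.xyz?" + "A" * 40, 0),
    ("/" + "A" * 2000, 0),
    ("/upload.asp", 5_000_000),
    ("/bad%zz.html", 0),
]


def run_samples():
    return [screen_request(*sample)[1] for sample in SAMPLES]


if __name__ == "__main__":
    print("\n".join(run_samples()))
```

Every check rejects before the path reaches a file-system or script handler, and the allowlist is the inverse of the "dozens of arcane file types" problem: a type is served only if someone chose to list it.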