Gartner group : "don't use IIS"
-
> My respect for Gartner just went down a notch. Sounds like you have a bias way of giving respect :-( Have you also thought about the cost of demand caused by virus. Gartner is also a business entity and they most probably know what they are talking about-may be they have made the shift themselves. Best regards, Paul. Paul Selormey, Bsc (Elect Eng), MSc (Mobile Communication) is currently Windows open source developer in Japan, and open for programming contract anywhere!
-
I gotta disagree with this one: * Apache is more transparent; IIS hides "complexity" behind it's GUI; people at this level shouldn't need a GUI. Try writing MFC/C++ type software with a GUI only. "People at this level" may be using hundreds of different applications each month. It shouldn't be neccessary to call in an expert every time you want to change some setting on a server. The already overburdened IT-staff doesn't have time to read through manuals everytime they wanted to accomplish something. The same one or two persons usually have responsibility for fileserver, printserver, webserver, databaseserver, firewall, mailserver... Without a GUI they wouldn't stand a chance. - Mort
I spent a lot longer reading manuals to set virtual hosts and firewalling with IIS than with Apache; it's all in one .ini file there plainly labelled with examples. I wonder why, I wonder why, I wonder why I wonderI wonder why, I wonder why, I wonder why I wonder ...
-
Gartner is well known for taking money and writing whatever an entity wants them to say, which certainly may be the case considering the alternatives listed. I would like to know who paid for the "research" and how much was paid.
-
I doubt very much if the opensource community paid for it !! I wonder why, I wonder why, I wonder why I wonderI wonder why, I wonder why, I wonder why I wonder ...
This is well-thought response. Best regards, Paul. Paul Selormey, Bsc (Elect Eng), MSc (Mobile Communication) is currently Windows open source developer in Japan, and open for programming contract anywhere!
-
This is well-thought response. Best regards, Paul. Paul Selormey, Bsc (Elect Eng), MSc (Mobile Communication) is currently Windows open source developer in Japan, and open for programming contract anywhere!
Thanks Paul!;) By the way if this site was run on Apache + php with a MySQL back end instead of ASP on (I guess) NT/2000 + IIS it would be a hell of a lot faster. Try www.phpbuilder.net for a comparison. Bob I wonder why, I wonder why, I wonder why I wonderI wonder why, I wonder why, I wonder why I wonder ...
-
Thanks Paul!;) By the way if this site was run on Apache + php with a MySQL back end instead of ASP on (I guess) NT/2000 + IIS it would be a hell of a lot faster. Try www.phpbuilder.net for a comparison. Bob I wonder why, I wonder why, I wonder why I wonderI wonder why, I wonder why, I wonder why I wonder ...
That is a very blanket statement with little to support it. It's true that PHP is a pretty nice and fast system, however none of the PHP based sites do what Code Project does (and remember that CP gets thousands and thousands of hits a day). Code Project is a little unique in that it provides a much more concise forum structure than systems like Slashcode or Scoop or whatever. Most of those use the technique of of listing every message in a thread, or listing messages that appear at a certain level of a thread. Code Project displays only individual messages, which has a much higher CPU load, but is also easier to follow.
-
Well, I'm no expert on alternate systems, but it does seem to me that IIS needs to be hardened much further than it has been. I think it would have been much more appropriate for Gartner to reprimand MS for failing to take IIS security seriously enough than to generate a report telling people not to use IIS (and by extension .Net). Why exactly is it possible for an attack on IIS, which runs in a defined security account to gain _system_ level access? What kind of a whole is that, geez. Administration of these boxes, although much better than their competitors, is still way too complicated to ever feel like you've done it right. The number of times I've been in a group of really smart people, _completely_ dumbfounded over a W2K/IIS box cannot even be counted. David
While I agree with you about Gartner, I disagree with you about MS. I think MS takes security VERY seriously, it's just that even ONE bug can create a hole that can be exploited. If you look at the list of bugs in IIS in the last few years, most of them are in subservices of IIS (index server, ASP, front page extensions, etc..) rather than IIS itself. If you take into account patches of Apache modules such as PHP, mod_perl, etc.. you'll also find a large number of bugs. IIS is a pretty comprehensive piece of software, and considering the alternatives, I really don't think the number of bugs that have been found have been out of line with national bug averages. It's just that IIS is so high profile, and has so many more people beating on it.
-
That is a very blanket statement with little to support it. It's true that PHP is a pretty nice and fast system, however none of the PHP based sites do what Code Project does (and remember that CP gets thousands and thousands of hits a day). Code Project is a little unique in that it provides a much more concise forum structure than systems like Slashcode or Scoop or whatever. Most of those use the technique of of listing every message in a thread, or listing messages that appear at a certain level of a thread. Code Project displays only individual messages, which has a much higher CPU load, but is also easier to follow.
Exactly right. We've talked a lot about different methods of presenting the forums and the full thread display we have here just feels more natural than the 'tag your post to the end of the list' methods. While making sites very fast, they tend to discourage thread branching (maybe this isn't a bad thing some days ;) For a site getting a couple hundred thousand hits a day that runs pure ASP and uses 1 machine as a server, and 1 machine as a DB backend, I'm happy. cheers, Chris Maunder (CodeProject)
-
That is a very blanket statement with little to support it. It's true that PHP is a pretty nice and fast system, however none of the PHP based sites do what Code Project does (and remember that CP gets thousands and thousands of hits a day). Code Project is a little unique in that it provides a much more concise forum structure than systems like Slashcode or Scoop or whatever. Most of those use the technique of of listing every message in a thread, or listing messages that appear at a certain level of a thread. Code Project displays only individual messages, which has a much higher CPU load, but is also easier to follow.
Phpbuilder gets thousands and thousands of hits a day too ... I don't know the exact number but look at the number of posts to their forum on Coding Help alone for 2001: Week 4 (1637 msgs) August Week 1 (929 msgs) Week 2 (1060 msgs) Week 3 (1216 msgs) Week 4 (1629 msgs) September Week 1 (977 msgs) Week 2 (867 msgs) Week 3 (883 msgs) Week 4 (834 msgs) Try the link http://www.phpbuilder.net/forum/read.php3?num=2&id=151581&loc=0&thread=134714 for a forum layout similar to CodeProject. Don't get me wrong - I am not criticizing CodeProject, I think it's an excellent well-designed site, and I use it all the time when I'm windows programming, but phpbuilder.net is equally good, and I have to admit, faster. In fact I challenge you to find a site running on asp that is faster than php performing the same function with a similar number of hits (I know, too many variables, but still I make the challenge). I for one have yet to see it. :-D I wonder why, I wonder why, I wonder why I wonderI wonder why, I wonder why, I wonder why I wonder ...
-
While I agree with you about Gartner, I disagree with you about MS. I think MS takes security VERY seriously, it's just that even ONE bug can create a hole that can be exploited. If you look at the list of bugs in IIS in the last few years, most of them are in subservices of IIS (index server, ASP, front page extensions, etc..) rather than IIS itself. If you take into account patches of Apache modules such as PHP, mod_perl, etc.. you'll also find a large number of bugs. IIS is a pretty comprehensive piece of software, and considering the alternatives, I really don't think the number of bugs that have been found have been out of line with national bug averages. It's just that IIS is so high profile, and has so many more people beating on it.
I understand the "complicated software" argument, but I'm not sure that I buy it. I haven't spent a ton of time whiteboarding out a better way to do this, but it would seem to me that *all* requests to IIS should be funnelled to an iron-clad security system, which a dedicated group within MS would be responsible for, and held fully accountable. This subsystem should offer a 1st line of defense for out-of-bounds activity, such as mistakes in URL parsers, upload and download limits, DoS attacks etc. It's great that Microsoft created ISA, but 99% of the IIS sites out there aren't protected by it. Something like it needs to be integrated into IIS. Further, Microsoft's latest C++ compiler allows for active buffer overrun checking, a source of a great many holes in their products. I understand that there's a performance cost to using software compiled with this enabled, but I for one would *gladly* pay that price in extra hardware. Lastly, out of the box IIS installs like a piece of swiss cheese requiring the application of dozens of patches, running lock-down tools, and in our most recent efforts, disabling IIS's automatic handling of dozens of arcane file types. David