Market Analysis firm Gartner has issued a stunning recommendation regarding Microsoft's Internet Information Services (IIS) Web server: If you're currently deploying the software, the firm recommends, it's time to look for an alternative. And if you're not already running IIS, don't. Gartner blames the sheer number of recent hacker attacks on IIS for its recommendation, and it says that Microsoft simply doesn't respond quickly enough to the problems to keep its customers secure.
"The Code Red \[worm\] showed how easy it is to attack IIS Web servers," says John Pescatore, research director for Internet security at Gartner Group in a note condemning IIS. "Thus, using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out--almost weekly. Nimda (and to a lesser degree Code Blue) has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft's frequent security patches.
"Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache," the report continues. "Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers…This move should include any Microsoft .NET Web services, which requires the use of IIS."
Microsoft, of course, denies that IIS is inherently unsafe. "Gartner's extreme recommendation ignores the fact that serious security vulnerabilities have been found in all Web server products and platforms," a Microsoft spokesperson said Monday. "This is an industry-wide challenge."
