Gartner: Dump Microsoft IIS - Now!

Prestigious advisor to corporate giants tells clients Microsoft Internet Information Server is unsafe and too costly.

Gartner Group has long been criticised for unwavering support of Microsoft no matter what, and they've picked up plenty of Microsoft dollars on the way by churning out studies that produced "the right numbers". It appears even Gartner has its limits.

With Code Red and Nimda worms still ravaging companies that use IIS (Internet Information Server), Gartner has recommended its clients "immediately investigate alternatives" like iPlanet (Netscape) and Apache (Open Source). Gartner advised that although alternatives require patches now and then, they have a far better security record than Microsoft's IIS.
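As an added illustration (my example, not code from the article, from Gartner or from any vendor): the two worms named above leave recognisable requests in a web server's access log, which is the quickest way to tell whether a box was probed and whether a probe actually ran a command. The script below scans a constructed sample of IIS W3C extended log lines for the published Code Red (`/default.ida` overflow) and Nimda (`root.exe`, `cmd.exe` and directory-traversal) request shapes. The sample log lines, the signature labels and the assumed field layout (date, time, client IP, method, URI stem, query, status) are my assumptions, not data from the article.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of IIS W3C extended log lines, not real traffic.
# Assumed fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# The request shapes follow the published Code Red (CERT CA-2001-19)
# and Nimda (CERT CA-2001-26) probe signatures.
SAMPLE_LOG = """\
2001-09-19 10:01:02 192.0.2.10 GET /index.html - 200
2001-09-19 10:01:05 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 200
2001-09-19 10:02:11 203.0.113.5 GET /scripts/root.exe /c+dir 404
2001-09-19 10:02:12 203.0.113.5 GET /MSADC/root.exe /c+dir 404
2001-09-19 10:02:13 203.0.113.5 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-19 10:02:14 203.0.113.5 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-19 10:02:15 203.0.113.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-19 10:03:00 192.0.2.11 GET /images/logo.gif - 200
"""

# Signatures keyed on the request path. The labels are descriptive names chosen here.
SIGNATURES = [
    ("Code Red: .ida buffer overflow probe", re.compile(r"^/default\.ida$", re.I)),
    ("Nimda: root.exe backdoor left by Code Red II", re.compile(r"/root\.exe$", re.I)),
    ("Nimda: cmd.exe via open share or traversal", re.compile(r"/winnt/system32/cmd\.exe$", re.I)),
]
# Traversal encodings Nimda used to escape the /scripts and /_vti_bin roots.
# Plain "../" and "..\" are included because some log formats store the decoded path.
TRAVERSAL = re.compile(r"\.\.(?:%5c|%c0%af|%c1%1c|%c1%9c|/|\\)", re.I)


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into the seven assumed fields (raises on malformed input)."""
    date, time, client, method, stem, query, status = line.split()
    return {"date": date, "time": time, "client": client, "method": method,
            "stem": stem, "query": query, "status": status}


def classify(rec: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a hit record if the request matches a worm signature, else None."""
    for name, pattern in SIGNATURES:
        if pattern.search(rec["stem"]):
            # A 200 on a root.exe/cmd.exe request means the command actually ran:
            # IIS returns the 'dir' output with status 200. A 404 is only a probe.
            executed = name.startswith("Nimda") and rec["status"] == "200"
            return {
                "client": rec["client"],
                "stem": rec["stem"],
                "status": rec["status"],
                "signature": name,
                "traversal": bool(TRAVERSAL.search(rec["stem"])),
                "command_executed": executed,
            }
    return None


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run every data line through classify() and collect the hits."""
    hits: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        if not raw or raw.startswith("#"):   # W3C logs carry #Fields/#Date header lines
            continue
        hit = classify(parse_line(raw))
        if hit:
            hits.append(hit)
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Per-client counts of probes and of requests that actually executed a command."""
    summary: Dict[str, Dict[str, int]] = {}
    for h in hits:
        entry = summary.setdefault(str(h["client"]), {"probes": 0, "executed": 0})
        entry["probes"] += 1
        if h["command_executed"]:
            entry["executed"] += 1
    return summary


if __name__ == "__main__":
    for client, counts in summarize(scan(SAMPLE_LOG)).items():
        print(f"{client}: {counts['probes']} probe(s), {counts['executed']} executed")
```

Two caveats when reading the output. These probes were sprayed at every public web server regardless of platform, so a match on its own proves only that you were scanned; Apache and iPlanet logs from the same period are full of them. On an IIS host, the line that matters is a `root.exe` or `cmd.exe` request answered with a 200, because that is the worm's command actually running, and it is the reason the script flags `command_executed` separately from the raw probe count.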

Gartner also recommended putting on hold any .NET projects that have any dependence on IIS until IIS is completely rewritten and passes thorough public testing. Gartner does not expect such a rewrite until at least the end of 2002.

Amusingly, we have inside information that one of the companies hard hit by Nimda was Microsoft itself. "Any company that applies good security practices has nothing to fear" - Microsoft.

[Update: 25-Sep-01 - Microsoft has announced they will indeed produce a rewritten release of IIS, version 6.0, expected by the end of 2002 ("80% probability", so don't expect it until 2003) - but it's only a partial rewrite.

Disturbing to many is that in 6.0, Microsoft is moving some Web server functionality into the Windows kernel to improve performance. Kernel-mode code has no process boundary to fail inside: a flaw that would have crashed a single user-mode worker process instead faults the whole operating system. This means script kiddies will now be able to produce BSODs (Blue Screen of Death), bringing down the entire server. Once again, stability is being sacrificed for benchmark results. ]


What corporations are so brainless they have to wait for Gartner Group to tell them to abandon a product that is costing them countless millions? How many need a research firm to tell them to move to easily available and far safer alternatives? Most of them, I'm afraid.

So how many will heed Gartner's advice? Probably few. Moving to a non-Microsoft product is so scary for many business IS people, they'd rather risk destruction of their data systems than contemplate it. Most know only Microsoft, and have never known anything but Microsoft. That is the power of monopoly.

Virus and worm vulnerability is far from the end of IIS problems. Most big credit card heists are also from IIS servers. It's so easy to deface an IIS hosted Web site even the script kiddies are embarrassed (the crew that defaced the Girl Scouts Web site apologized to their peers for hitting such an easy target).

I'm sure Gartner has already received a screaming phone call from Microsoft President Steve Ballmer but I hope they stick to their guns and issue similar advice about Internet Explorer and Microsoft Outlook. Any company that continues to standardize on these three products risks far worse than what we have seen so far. There are excellent alternatives that do not have these costly weaknesses.

- Andrew Grygus