IIS vs. Apache?

Now, from time to time you will see similar questions in newsgroups or discussion forums. One would ask 'Is IIS better or Apache?', 'Can you tell me whether I should pick IIS or Apache?' ... Well, again, no one will be able to answer you unless you provide more detail, including the detailed requirements, operating environment, integration planning, etc. If it's just a pure web server, both are decent and you can pick either one you like. Of course, there are cost, support, maintenance and other considerations. Hence, only after all these facts are known can you begin to evaluate each product and see which one best fits your needs.

Next, just read this from Michael Howard's blog, where he is doing a study on the latest IIS 6 vs. Apache 2.x security. Part one was posted a few days ago, so there were two bugs filed against IIS 6 since launch :) I did talk about this too... but I wouldn't categorize it as a 'real BUG' if you had locked down the server properly. Anyway, there were some comments on why compare with 2.x, because according to study 1.x covers the majority of the Apache share in the web server market. Hence, today Michael posted an analysis comparing IIS 6 and Apache 1.x, details in part two. Still not convinced? Hmm... wait till IIS 7.0 then :)

Published Tue, Oct 19 2004 17:47 by bernard

Comments

# bernard said on 24 October, 2004 07:54 AM
IIS vs Apache security http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/10/05/27720.aspx
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/03/30/10388.aspx

# bernard said on 14 November, 2004 04:55 PM
Hi,

I wouldn't count much on such "studies". There are multiple reasons, e.g. some of which you also pointed out (the "more detail" part).

In addition, one could argue about locking down the server _properly_, in which case the majority of the bugs are not exploitable - I can do such with IIS, as well as Apache.

And even more: the study is based on public information. Not all bugs are public, from either side (open or closed source).

And last: I am slightly disappointed that such a great person as Michael starts a "pissing" contest where objective information would do much better. By objective I mean telling what you're doing regarding security, etc.

# bernard said on 14 November, 2004 07:34 PM
Hi Ted,
Thanks for the comment. Those details, as you mentioned, are more towards 'FYI'; I wouldn't count on them either. Security is complex and messy; it's not about product at all, there is a need to 'integrate' with people and processes. I believe everyone would agree with this.

And lastly :) I can't comment on behalf of Michael, but I'm sure he is not 'pissing' around.

Cheers.

# bernard said on 24 November, 2004 05:39 PM
Under a third of web servers are running IIS [netcraft], which comprise a consistently higher proportion of compromised systems.
How can you swallow the creamy disinformation spread by Microsoft, smile and say it tastes good?

# bernard said on 24 November, 2004 05:56 PM
A few points to take note of.

a) This report is not about usage or market share. It's a study on security bugs filed between IIS 6 and Apache 1.x / 2.x.

b) Again, we are not talking about exploited host counts here. Do you have the figures?

c) IIS 4/5 was not a quality web server, with many vulnerabilities and bugs. IIS 6.0, on the other hand, has been improved. I have yet to receive any report of compromised IIS 6 boxes that were due to IIS flaws. However, there are incidents which are related to OS-level exploits, but that's not IIS if it's based on component level.

d) All products are subject to bugs! And this post is FYI, not asking that you MUST use IIS 6. I have talked about choosing the right product for the right requirement and solution in the first paragraph.

e) I'm not 'pissing' around either.
