Q

Comparing Microsoft IIS and Apache Web servers

Would you please give me a comparison of Microsoft IIS and open source Apache Web servers for the following security

issues?

  • Number of security breaches
  • Time to provide a fix or patch for problems
  • Targeting by the hacker community
    The best compilation of such materials that I've seen is the work by Ron Ritchey. Hiswork is about two years old, but it still holds some valuable lessons. To summarize his findings, both Web servers have had major flaws. The number of IIS breaches has been higher in the past, and the time to release fixes was longer.

    More recently, Microsoft has worked to close this gap. I haven't seen a detailed survey of the issue since Ritchey's survey, but in my experience, Microsoft is meeting some success in IIS itself. (However, major problems, such as WebDAV from May 2003, continue to be discovered.)

    The hacker community has taken a keen interest in exploiting IIS, given its widespread use, history of flaws and Microsoft origin. While both Apache and IIS exploit research is ongoing, it appears that the number of people attacking IIS is higher.

    So, how should you decide whether to go with Apache or IIS? I advise that you focus on the one where your team has the most system administration expertise. Sure, Apache may be theoretically less vulnerable than IIS. But, if your team cannot administer an Apache box, you are hosed. A well-maintained IIS box is certainly more secure than a poorly maintained Apache box. Likewise, if your team has solid Apache expertise, go with that.


    For more info on this topic, visit these SearchSecurity.com resources:
  • Best Web Links: Web servers
  • Web Security Tip: Keep Apache patched
  • The Information Architect: Microsoft pushes security in IIS 6.0
  • This was first published in October 2003

    Dig deeper on Web Server Threats and Countermeasures

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close