IIS vs. Apache: Which is the right security choice?

Not long ago, Web administrators didn't have a great deal of input into their organization's Web server platform. If they worked in a Windows shop, they ran Microsoft's Internet

    Requires Free Membership to View

Information Server (IIS), while those in Linux/Unix shops were tied to Apache, and never the twain did meet. However, times have changed and the Apache HTTP Server Project has broken down the walls by releasing a Windows distribution of the Web server that traces its historic roots to the original NCSA httpd server. There are now two "big kids on the block" and Windows administrators, at least, have some flexibility. (Don't expect Microsoft to release IIS for Linux anytime soon!)

From a security perspective, the choice is debatable. Here are four factors that might sway your decision on the most secure platform for your organization:

  • Inherent server vulnerabilities. Despite the bad press Microsoft receives, the platforms are almost equally vulnerable to attacks. A recent search in the CERT Vulnerability Database yielded 28 hits for IIS vulnerabilities and 25 separate announcements of Apache vulnerabilities. That's as close as you get to a horse race in the information security world.

  • Existing Web administration knowledge. If your Web administrators are already using one of the platforms and are comfortable with its security settings, that's an extremely important factor. A large number of security breaches are due to misconfigurations by administrators whose skills aren't quite up to snuff. It's easier to make a mistake when you're working with a new platform!

    More on this topic

    Go to Web Security School and learn how to secure your Web server.

    Secure your IIS server with this hardening checklist.

    Secure your Web server from known vulnerabilities.

  • Comfort of OS administrators. A Web server's security is only as good as the underlying operating system. If an attacker is able to gain administrative rights to the OS, compromising the Web server is a trivial undertaking. Therefore, consider the skills of your system administrators in this decision. If you're a Windows shop, this isn't a major factor, as both IIS and Apache will run on Windows. However, if you're a Unix shop, you should give Apache extra bonus points in your analysis, as switching to IIS will require retraining administrators to work in a Windows environment.

  • Developer skills. If you're creating dynamic Web pages (ASP, PHP, CGI, etc.) consider the security skills of your developers. Just like OS administrators, developers are less likely to make security mistakes in a familiar environment. If your developers prefer to work in a specific environment, take that into account. However, you should also be aware that ports of many common Web development systems to platforms other than those they were designed for are available on the Internet. For example, Sun Java System ASP (formerly Chilisoft ASP) and Apache::ASP both allow the use of Active Server Pages on RedHat servers. Similarly, it's possible to install and configure PHP on IIS servers.
It's important to keep in mind that we've approached this question from an information security standpoint. Although both IIS and Apache are similar in features, if one has a bell or whistle that interests your organization, that's certainly something to weigh while performing the risk/benefit analysis. Happy Web serving!

About the author
Mike Chapple, CISSP, is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

This was first published in August 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.