From a security perspective, the choice is debatable. Here are four factors that might sway your decision on the most secure platform for your organization:
- Inherent server vulnerabilities. Despite the bad press Microsoft receives, the platforms are almost equally vulnerable to attacks. A recent search in the CERT Vulnerability Database yielded 28 hits for IIS vulnerabilities and 25 separate announcements of Apache vulnerabilities. That's as close as you get to a horse race in the information security world.
- Existing Web administration knowledge. If your Web administrators are already using one of the platforms and are comfortable with its security settings, that's an extremely important factor. A large number of security breaches are due to misconfigurations by administrators whose skills aren't quite up to snuff. It's easier to make a mistake when you're working with a new platform!
Go to Web Security School and learn how to secure your Web server.
Secure your IIS server with this hardening checklist.
Secure your Web server from known vulnerabilities.
- Comfort of OS administrators. A Web server's security is only as good as the underlying operating system. If an attacker is able to gain administrative rights to the OS, compromising the Web server is a trivial undertaking. Therefore, consider the skills of your system administrators in this decision. If you're a Windows shop, this isn't a major factor, as both IIS and Apache will run on Windows. However, if you're a Unix shop, you should give Apache extra bonus points in your analysis, as switching to IIS will require retraining administrators to work in a Windows environment.
- Developer skills. If you're creating dynamic Web pages (ASP, PHP, CGI, etc.) consider the security skills of your developers. Just like OS administrators, developers are less likely to make security mistakes in a familiar environment. If your developers prefer to work in a specific environment, take that into account. However, you should also be aware that ports of many common Web development systems to platforms other than those they were designed for are available on the Internet. For example, Sun Java System ASP (formerly Chilisoft ASP) and Apache::ASP both allow the use of Active Server Pages on RedHat servers. Similarly, it's possible to install and configure PHP on IIS servers.
About the author
Mike Chapple, CISSP, is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.
This was first published in August 2005