British punk rockers The Clash pretty much nailed the recent IIS hoopla/dilemma with the title of a cut from the classic album Combat Rock (1982)entitled "Should I Stay or Should I Go?" With analysts from the Gartner Group apparently encouraging those unwilling to assume the workload involved in constant monitoring and patching of the IIS environment, and committed developers touting the benefits of the IIS environment for all kinds of applications from e-commerce to Web services, it's hard to know which way to flop on this particular issue. For some fascinating reading on this subject, check out SearchWebManagement's November 11 article entitled
Your two cents on IIS
Basically, the issue boils down to a realistic assessment of your organization's special needs versus the costs of keeping up with the weekly (sometimes daily) need to patch and maintain your IIS environment. Personally, I work in a small company with less than 10 employees and no full-time Webmaster, and we somehow manage to stay on top of the "patch du jour" phenomenon without too much muss or fuss. We subscribe to the
Microsoft Security Notification Service
and keep an eye on numerous other Windows-oriented security alert services as well. When IIS-related items pop up, we analyze them to figure out if we should apply related patches, implement recommended workarounds or take other appropriate actions. For example, an alert related to a Visual Basic runtime module need not be handled unless you?re using that runtime module on your IIS server.
For organizations with deeper pockets and less time to spend on such maintenance activities, other options for handling IIS include outsourcing coverage to a managed security service provider, or licensing special IIS lockdown and upkeep software (David Strom covered an excellent but pricey product called Entercept's Web Server Edition software in the November 7 edition of
Strom's Security Tool Shed
. If you're not willing to tackle this job, you can find somebody else to tackle it for you.
To me, the real issue behind sticking with or leaving IIS depends on the kinds of applications and services an organization has built around this platform. Those with heavy investments in ISAPI, ASP, Visual Basic, Visual Studio or other Microsoft APIs, development tools and development environments will suffer most should they decide to migrate to other servers. Sure, you can emulate or add equivalent tools inside other environments, but it's important to weigh the costs and exposures involved in moving against the costs and exposures involved in staying put and dealing with the IIS situation as it is.
In fact, some expert IIS observers have accused other IIS experts of working from a "hidden agenda" when they raise the issue that sites that have developed large amounts of custom code, interactivity and so forth, will experience more difficulty in migrating away from IIS. Although the implication may be that blind defense of the IIS environment isn't warranted, it's completely legitimate to perform a cost-benefit analysis. That is, to balance the costs of continued exposures and security issues from IIS against the costs involved in migrating (and in some cases, re-implementing) key Web server functionality. I tend to look at this as a rather less emotional issue (Is IIS safe? Can we afford continued security risks with IIS?) than a technical and investment issue (Is it cheaper to stay put, or to move to another Web server? How much can a security breach cost us, versus the cost of migrating to Apache? iPlanet? WebSphere?...).
Ultimately, this decision comes down to application of well-understood security models and principles: performing a risk analysis and estimating the costs of migration. If the costs of migration outweigh the financial risks of staying put, don't migrate. If the risks of staying put outweigh the costs of migrating, migrate. Either way, be prepared to soothe ruffled feathers and deal with partisan politics as you try to get to the root of the matter!
About the author
Ed Tittel is a principal at a small content development company based in Austin, Texas and the creator of the Exam Cram series. He has worked on over 30 certification-related books on Microsoft, Novell and Sun related topics.
To read a spirited debate between a Gartner reps, IIS reps and searchWebManagement users, visit our IIS Discussion Forum.
For more information on IIS, visit our Best Web Links section on Microsoft IIS Management.