IIS vs. Apache: Which is the right security choice?

From vulnerabilities to administrator and developer skills, this tip analyzes the risks and benefits to weigh when selecting the right Web server for your organization.

Not long ago, Web administrators didn't have a great deal of input into their organization's Web server platform. If they worked in a Windows shop, they ran Microsoft's Internet Information Server (IIS), while those in Linux/Unix shops were tied to Apache, and never the twain did meet. However, times have changed and the Apache HTTP Server Project has broken down the walls by releasing a Windows distribution of the Web server that traces its historic roots to the original NCSA httpd server. There are now two "big kids on the block" and Windows administrators, at least, have some flexibility. (Don't expect Microsoft to release IIS for Linux anytime soon!)

From a security perspective, the choice is debatable. Here are four factors that might sway your decision on the most secure platform for your organization:

  • Inherent server vulnerabilities. Despite the bad press Microsoft receives, the platforms are almost equally vulnerable to attacks. A recent search in the CERT Vulnerability Database yielded 28 hits for IIS vulnerabilities and 25 separate announcements of Apache vulnerabilities. That's as close as you get to a horse race in the information security world.
  • Existing Web administration knowledge. If your Web administrators are already using one of the platforms and are comfortable with its security settings, that's an extremely important factor. A large number of security breaches are due to misconfigurations by administrators whose skills aren't quite up to snuff. It's easier to make a mistake when you're working with a new platform!
  • Comfort of OS administrators. A Web server's security is only as good as the underlying operating system. If an attacker is able to gain administrative rights to the OS, compromising the Web server is a trivial undertaking. Therefore, consider the skills of your system administrators in this decision. If you're a Windows shop, this isn't a major factor, as both IIS and Apache will run on Windows. However, if you're a Unix shop, you should give Apache extra bonus points in your analysis, as switching to IIS will require retraining administrators to work in a Windows environment.
  • Developer skills. If you're creating dynamic Web pages (ASP, PHP, CGI, etc.), consider the security skills of your developers. Just like OS administrators, developers are less likely to make security mistakes in a familiar environment. If your developers prefer to work in a specific environment, take that into account. However, you should also be aware that many common Web development systems have been ported to platforms other than the ones they were designed for, and those ports are available on the Internet. For example, Sun Java System ASP (formerly Chilisoft ASP) and Apache::ASP both allow the use of Active Server Pages on Red Hat servers. Similarly, it's possible to install and configure PHP on IIS servers.

It's important to keep in mind that we've approached this question from an information security standpoint. Although IIS and Apache are similar in features, if one has a bell or whistle that interests your organization, that's certainly something to weigh while performing the risk/benefit analysis. Happy Web serving!

About the author
Mike Chapple, CISSP, is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

This was last published in August 2005
