Thoughts on IIS Security vs Apache, Part 2
I got some interesting comments on my prior blog post, and since I started typing out a big essay in response, I figured I should just blog and link it instead. :-)
Question:
Hello, i have subscription of Redmond magainze and wow i can't believe i still remeber the artcle about Apache and IIS since the issue is dated back April 2005. anywho...
https://mcpmag.com/images/0405red_F2Apache_chart1.jpg
that's how some comapnies run Apache, they run it like MS ISA like the photo said a way to protect an IIS web server farm from the Internet.
It look like Apache in front and IIS at back of more secure network is very common.
forgot to add, if you like to read the article about using Apache as front use . here is the link https://redmondmag.com/features/article.asp?EditorialsID=471&a=#findit
Answer:
Thanks for the URL.
At the risk of starting a flame war (I have never met the author nor know anything about him), I have to say that in my opinion, the RedmondMag.com URL that you posted is unfortunately trivially non-substantive. It simply selectively rehashes a lot of the same words and rhetoric that has already been said the past five years, spinning the selected information in favor of the author's "point" of "there may be 6 good reasons to consider introducing/switching to Apache".
I don't know about you, but I am a simple techie, so I have no secret agenda nor care about Media/Spin. I believe in "improving technology to improve people's lives", so I believe in elucidating and explaining facts and letting them speak for themselves. Of course, I am aware of the political process and how it tends to slander and destroy voices like mine, but hey, that is why I am in Technology and not Politics; the political process mostly turns me off, but that is a whole other topic for another time... :-)
Thus, I am going to voice and add my own commentary based on the points from that aforementioned URL, against my better judgement (I really rather focus on the facts and not this commentary/opinion stuff)...
So, here goes my first big attempt at this...
40 Million Websites cannot be Wrong
Actually, the author admits that many Apache websites are held in the hands of a small number of mass web Hosters.
I think that reality is probably closer to 1000 mass web Hosters vs Fortune 1000 companies, except that each Hoster puts thousands of sites per server while Fortune 1000 companies just put up their corporate site - so it looks like millions of websites "vote" for Apache vs far fewer sites voting for IIS. These are the votes that Netcraft counts, so you can see their concern at Port80's methodology.
In other words, I do not look at the raw numbers and think "40 million websites cannot be wrong." It is like a couple thousand people which controls millions of "votes" - are those millions of votes really meaningful? Instead, I look at the number of entities that are pulling the strings BEHIND the numbers... and the competition there is a lot closer between Apache and IIS than what the numbers and media portrays.
And with efforts like Shared Hosting Accelerator for IIS6, I think that the mass web Hosting landscape is finally under contention... so stay tuned.
I run Apache because it is Secure
If you have read my earlier blog entry, you should quickly realize that this sort of statement is vacuous. Security is not just about the Software; it also involves Configuration and Policy. With IIS6, the IIS team, in conjunction with the predecessor of the Microsoft Security Business Unit, went all-out on security to analyze, understand, and quantify security, and the IIS team methodically improved and applied all aspects of the learning.
I think the proof is in the pudding, and the numbers and results have proven the approach for IIS6. Now, the author acknowledges this with numbers from Secunia, but he seems to ignore the order of MAGNITUDE less vulnerabilities in IIS6 vs Apache 2.0.x in the same comparable period of time and calls it a "mixed bag." Huh? Isn't the latest and greatest supposed to represent the current state-of-the-art? Then why is Apache 2.x regressing against Apache 1.x?
Meanwhile, he neglects to mention that Apache is the most defaced and hacked web server platform in the world in recent years... mostly due to software running on top of Apache... which definitely does not prove his point. See how Spin works? Did my statement just support or detract Apache security? Or did I do both? ;-)
Anyways, enough Spinning exercises... I think that all of the arguments simply reinforce the notion that secure Configuration is just as important as Software or Policy when it comes to overall "security." Thus, I would never heed statements such as "I run X because it is secure" or "X is more secure than Y" because those statements neglect the whole picture. Your system is as secure as the weakest link in the combination of Software, Configuration, and Policy.
More flamboyant readers may want to head over to Michael Howard's blog and read some of his past entries examining IIS/Apache security...
Customers run Apache in front of IIS to add a layer of Security
Once again, if you read my earlier blog entry, you should realize that this statement is also sketchy.
Running more code per request CANNOT make it more secure. Reducing the Attack Surface by introducing "layers" in your defenses, closing off ports and reducing exposed functionality CAN make it more secure.
Thus, putting web servers into a DMZ isolated from direct Internet access and then forwarding requests to it is a reasonable approach to improve security by layering and reducing Attack Surface, but these are general security concepts non-specific to Apache. Apache is simply one way to implement it. Simple Firewall plus URLScan can accomplish comparable goals with no extra hardware/system required. And with IIS6 on Windows Server 2003 SP1, it is all "built-in" with no extra cost.
Personally, I find this very amusing... because I don't know about you, but I find information and rationale more useful than Spin or anecdotes. I rather enlighten you with the raw facts, digested rationale, and let you make your own decisions; not spoon-feed you things that tell you how to think. :-)
Open Source "Costs" Less
Ok, this is standard rhetoric that has already been hashed over and over so I will not belabor the point. The general conclusions run something like:
- Cost of acquisition is only part of the Total Cost of Ownership (TCO).
- If you are already on *nix then moving to Linux on x86 is a viable cost-cutting move to take advantage of commodity hardware.
- If you are on Windows then the migration really depends on your situation (though most of the time, TCO would favor Windows when you factor in things like training, support, migration, maintenance).
My instinct is to evaluate ALL your costs and stick with doing whatever you are most comfortable.
For example, some people say that IIS5 and Windows 2000 security is too costly to maintain, so Apache/Linux has to be cheaper. Well, what is commonly forgotten is that both are systems that need to be securely configured and maintained... and if you did not know to do this for Windows 2000, you certainly will not magically start doing so on Linux. At this point, I am willing to bet that your new system will be similarly attacked and compromised (remember, security is more than just the Software)... so is your migration worth it? Or is it cheaper to identify and quantify HOW you are insecure and address that deficiency?
Long-time readers should know that I believe the best way to address an issue is to identify the root problem and address that; then, the instance problems usually take care of themselves. Addressing the root problem is usually the most direct, fastest, and cost-effective way to resolve an issue. Thus, if your issue is that you do not know how to securely maintain an OS/Platform, then the best solution is to learn how to do it - you can then repeat that success on any platform and truly free yourself from lock-in.
I know, I know, I am not appealing to your inner penguin to bash evil Microsoft, but bear with me. :-)
Heterogenous Infrastructure is a Good Thing
This rhetoric sounds good on paper (i.e. homogenous systems are fertile grounds for catestrophic attacks, so heterogeneity must be better), but say this to any IT Administrator for networks, applications, or databases that is worth his/her salt, and s/he will probably laugh hysterically at your suggestion. Heterogenous infrastructure increases support costs, not to mention double/triple the amount of education/learning involved in maintaining and CONFIGURING multiple systems (recall that secure Configuration is an aspect of overall system security). So, the end result is really muddled: your network may not fall to one attack, but are you really safer with multiple systems, each with their own seams and incompatibilities that give attackers more Attack Surface to penetrate and more headache to you?
In my mind, it is better to stay with a homogenous but COMPARTMENTALIZED infrastructure so that you keep the best benefits of homogenous and heterogeneous systems at the same time. This way, you only have one system to learn, apply, and protect, and knowledge/skills easily scales across the entire infrastructure, but when it comes to deal with intrusions, damage is limited to compartment(s). Gee... Governments have been using this concept to protect Top Secret information for a long time; maybe the Public should consider adopting this approach when implementing security...
For example, a couple of IIS team members had a lively debate at TechEd 2005 with one customer who tenaciously defended his position of running his Web Services on multiple OS platforms, network stacks, and hardware switches simply because he did not want one single exploit to take down his entire system. Of course, the counterpoint revolved around the doubling of management, security, and configuration costs, not to mention twice the number of potential bugs in the combined system and the resulting LOWER reliability... but the notion of compartmentalized infrastructure really did not hit home. Sigh.
Another example: people nowadays like building security egg-shells - Single firewall separating the Internet from Intranet and completely unprotected machines in the Intranet because security can get in the way of productivity applications. Once you compromise the outer firewall, your internal, homogenous environment is child's play.
Now, the solution should not be to introduce Solaris, Windows, Linux, and BSD machines to make the internal environment heterogenous because that just gives the Intranet administrator MORE and DIFFERENT things to learn and secure. In my mind, it is easier to stay with a homogenous environment but make each internal machine more secure with a firewall, appropriate port/access policies, and maybe user policies that force users to login and run as non-admin... so that even if the outer egg-shell is penetrated, attackers simply find more egg-shells underneath. In other words, you get more bang-for-the-buck by focusing on introducing security layers to compartmentalize the issue of homogeneity INSTEAD of the reflexive "heterogenous infrastructure is a good thing."
Using Microsoft is lock-in and excludes other Platforms and Opportunities
Now, this is just BS... Java runs well on Windows and is supported by IIS. Microsoft is actually banned by Sun from providing such a plugin for you (remember, there was a certain lawsuit on this...), so you have to use third party plugins to do it. Java is supposed to be "Write Once, Run Anywhere" assuming you have a stable Java Virtual Machine, and Sun does provide a reference JVM for Windows, so it seems that the only exclusion going on is the Law preventing Microsoft from improving the situation, and other vendors do not seem to want Java to succeed on Windows/IIS for whatever reason. And the Customer suffers in the middle.
For example, IBM WebSphere runs on both Apache/IIS and Linux/Windows, though it definitely favors Apache since that is a platform they can control. Their ISAPI Filter plugin for IIS is really, really badly written and has not improved for years despite constant customer complaint - I had to debug it a few times and found that it does not follow basic quality coding guidelines like initializing variable values or checking for NULL pointers, etc. So, I always question their disparaging remarks/bias against Windows/IIS "crashing" WebSphere.
Why? Because I believe that Code cannot lie. Computers do exactly what program Code tells it to do, and Programmers of Organizations write the Code. The actions of the WebSphere ISAPI Filter plugin Code does not match their stated intentions... so you either fix the Code or you change your stated intentions...
Anyways...
Ok, that is about enough ranting from me. I will have to see how people respond. :-)
Really, I have no problems with criticisms of IIS and Security. You just have to back it up with proper support and acknowledgement of all sides of the argument, and focus on the facts!
//David
Comments
- Anonymous
October 01, 2005
I think another thing favouring Apache in the Netcraft numbers are the bizarre restrictions on IIS in Windows XP. It's next to impossible to set up a personal website at home using IIS because of them. I don't want anyone with my IP address to know personal information so I need virtual hosts. The 10 user limit's also a bit low. Why not make it 50 or 100? You'd satisfy your home users without seriously affecting server sales.
I notice Vista's a step in the right direction, but why can't you fix the problem in XP today? People would be happier and your Netcraft figures would move a little if people didn't have to resort to Apache hosters or Linux boxes for personal websites. - Anonymous
October 01, 2005
The comment has been removed - Anonymous
October 01, 2005
The "personal information" is easy. My personal website contains my name. I don't want any web admin to be able to look up that sort of information just because he's found my IP address in his logs. (I do know there are other ways to get the same information, but it shouldn't be that easy)
The 10 connection limit is woefully inadequate with keep alives and possibly two connections per browser. It means you can't reliably serve more than about 5 clients.
I'll half concede your point on virtual hosts. But in reality XP supports one virtual host, not virtual hosts. That means you can't serve a personal website for more than one family member, or a personal website and a community web site, or a personal website and a test website.
I have bought Small Business Server to solve my problems, though I think Exchange more than IIS was the reason I went that way instead of open source.
I use IIS professionally and believe it to be superior to Apache. I just think it's a shame the version (5.1) that most people have access to at home is so limited that it drives people away from hosting a website on it.
If I didn't like Exchange and didn't have the professional exposure I do to IIS I'm pretty sure I'd switch to open source before I bought SBS.
As an example, I work in a school where students host their own special interest forums for a couple of dozen of their peers. They'd easily reach the IIS 5.1 limits at certain times so they're forced to use open source. A group of students using forums as a social place are not going to shell out for the Small Business SKUs. They'll get comfortable with Apache and MySQL and possible move into the workplace promoting them.
I think your losing mind share and market share by setting the IIS 5.1 limits so low. From what I've heard there is some recognition of that and Vista will be more generous, but you're already losing people on XP today and that could be undone with a hotfix. - Anonymous
October 01, 2005
Matt - I still do not see how Virtual Hosts help. It sounds like you both browse and serve websites from the same machine/IP, which makes that lookup easy. The only solution is to make those two IP different at the networking layer and then bind the website to one IP and browse with the other IP... but what does that have to do with Virtual Hosts, which is a IP:HostHeader to physical directory mapping?
RE: the limits - thanks for giving me scenarios and a name to lend weight to my arguments. I actually think the limits in the Pro SKUs are silly because they hamper the Professional developer and the Hobbyist who buy it from using it effectively.
- Consultants cannot work on >1 website for Clients without a whole bunch of contortions.
- Students can only develop their own single website and cannot host/test for others.
- Families can only run one website and not for each family member.
Though some of the scenarios have work-arounds now. Consultants carry around Virtual PC on their XP Pro laptops and run server SKU inside the Virtual PC to demo/develop. But the Student/Family/Hobbyist audience is still neglected.
I think that Mind-share is more dictated by technologies like ASP.Net and PHP and less by servers like IIS/Apache, and they drive the adoption/sales. Unfortunately, there is a bunch of business people to convince about these things - we in the product group are unfortunately not in control of these decisions, especially in IIS where people just expect us to be there and "work."
//David - Anonymous
October 02, 2005
The comment has been removed - Anonymous
October 02, 2005
exportgoldman - I have no idea why you are:
- digressing back to the past
- digressing to IE when the context is IIS
- digressing into an "X is more/less secure than Y" argument
I am only pointing out that security of Software is only part of what people perceive as security, so one should never accept an argument of "X is more secure than Y" as sufficient.
You may want to post your IE-comments to the IE Team blog ( http://blogs.msdn.com/ie/ ) so that positive actions may take place.
You may want to post the Security Bulletin counting question and Apache security list traffic comparison to Michael Howard's blog ( http://blogs.msdn.com/michael_howard/ ) so that positive actions may take place.
//David - Anonymous
October 02, 2005
David, good stuff but as you can see from others comment. the "image" of Microsoft software being secure is a long way to go.
i've two dedicated windows servers for sharehosting and i know a lot of sharehost providers will not touch IIS because they all have this "image" of insecure windows/iis
i think Microsoft have a long way to go if they try to shake it off this "image". Opensource on the other hand have no problem. people alway think opensource is secure because the source code is free for anyone to check.
p.s. let's not forget Gartner Group telling people not to touch IIS. that was quite damaging to Microsoft. - Anonymous
October 02, 2005
The comment has been removed - Anonymous
October 02, 2005
The comment has been removed - Anonymous
October 04, 2005
exportgoldman - You make good points, but unfortunately, you seem to misunderstand me. You seem to assume that since I was not pro-Apache that I must be attacking it, but that is far from reality.
I simply want to point out that Security consists of three facets and that "Security" is the weakest link amongst those three facets.
Thus, when an author gives numbers that say one thing but refuse to acknowledge it, that is Spin. When I bring out the fact that Apache is the most hacked platform... because of what runs on top of it, I acknowledge that Apache core is secure but the layers on top of it foul things up. I still have no idea why you jump into a tirade which only focus on Apache++ and MS-- .
- I now see why we are misunderstanding over IE/IIS. Unknown to you, IE and IIS have separate security teams and engagement models (there is a third team responsible to be public-facing and coordinates traffic to/from the right teams). So honestly, I know nothing about IE's model nor how they decide to patch/not-patch, but I can say that IIS does NOT brush anything under the rug.
- Unfortunately, the Security Bulletin numbers say nothing other than that no platform is 100% secure. I hope you agree that the "numbers" can vary depending on the time-period that you sample for Apache 1.x, Apache 2.x, IIS4/5, and IIS6. For example, by looking at 1999 and 2004 we can draw two different conclusions if we are just fascinated by the numbers.
I only treat the numbers as a sign that improvements are still needed. By everyone.
- Please keep the discussion to just IIS/Apache. If you want to bring in Web Server SKU, then you must bring in comparable *nix distro. I believe the numbers will still be quite comparable, so your point is purely sensationalism.
//David - Anonymous
October 04, 2005
I did some more research and have found your right, IIS6 has a very good record on security. Well done.
I'll tell you why I still run Apache:
Don't need a Windows Server license for more than 10 connections
Easy to migrate between machines (config is a ini file) How do you export ALL the IIS Settings which hide in the registry and config files for IIS?
You still have a horrific record for security in your other products, and so the Microsoft brands products get tarnished with the same brush.
I look at IE/XP etc and see bulletins coming out each month for those, and the record levels of spyware - and assume Microsoft can't code secure products.
To make people realise IIS is secure is a hard sell - I didn't realise theres only 2 bulletins out for it.
But I think the main reason people run Apache is because it's cool. - Anonymous
October 05, 2005
exportgoldman - Thanks for the acknowledgement for IIS6.
Regarding IIS settings - some history:
- Since IIS6, IIS settings are no longer obeyed from the Registry. For legacy reasons, there are various Registry Keys specific to hotfixes or corner-case that are still read from the Registry but not necessary for core functionality (unless you required them before - but you'd know about them already), but IIS6 basically has no configuration hiding in the Registry.
- IIS configuration used to all be in the Registry, then IIS4 introduced the Metabase (which is basically IIS-specific Binary Registry File that is encrypted with the machine's private key, one of the reasons why the file is machine-specific and resistant to copying between machines so you cannot extract username/passwords).
- In IIS6, we moved configuration into an XML file to help with human/machine manipulation, but the machine-specific encryption still remained, though you can run commandline tools to backup/restore to move configuration between servers
- In IIS7, we have a configuration file that has no machine-specific information nor encryption. Basically adopting the ASP.Net .config system and using built-in "nobody" accounts, etc, so that you can copy/deploy configuration as a file alongside your application (of course, with a richer delegation/locking/extensibility model than .htaccess delegation).
So, no, I do not expect you to switch, but if you ever decide that you want to run ASP.Net pages or extend the web server behavior by writing a module, I believe you will find the IIS7 experience superior to Apache. :-)
Fair competition is always a good thing. It makes the products tune toward what the customer base wants.
RE: Security
I tend to think that Security is a hard concept for most developers to understand in the software industry, Open Source included (I'm not talking about security record/numbers; I'm talking about understanding of what it means to write secure code).
As for the security record, I only see it as an opportunity for the entire software industry to improve. Microsoft gets the spotlight due to marketshare, but there is no way you can convince me that Microsoft is the only one with security issues (it may be the only one the Media focuses on), or that Open Source produces vulnerability-free products (even Apache and Firefox has bad ones, you have to admit). Thus, there are definitely improvements to be made everywhere by everyone, so what is interesting to me is what software security will look like in five, ten, fifteen years.
And the sort of things happening in IE7, Windows Vista, etc make it clear that your current and future security complaints will be a thing of the past within a short time. Running IE as untrusted and not having users run as Administrator should single handedly fix most of the issues. Actually, you do not even need to wait, you can run in that mode right now on WXP/WS03 - I already do and I know it works well - so I look forward to seeing the general public experiencing the same.
//David