#1
Apache vs IIS (security)
Sorry about the cross post but I need some help fast (before my sys admin digs my grave).
We are currently hosting 3 sites with IIS on an NT4 box. For one of the sites, I want to install and run Apache 2.0 but our server admin got all emotional about me even suggesting such a thing. He says that I can't do it because running two web servers on one machine is too much to ask of our IT support (mainly because they are not familiar with it). Also, he says that he gets update e-mails for Apache because of bugs almost on a daily basis and that IIS is far more secure (which I find very hard to believe). Someone HELP!!! What I need is proof that IIS is more secure and that all of those bugs that he gets for Apache are minor and are usually fixed quickly or with a small configuration change. Any suggestions would be helpful... Thx
Last edited by apparition : August 28th, 2002 at 01:10 PM.

#2
it's a choice and ignorance thing!
I personally can't be doing with IIS. I'm required to use it sometimes but find the flexibility and openness of Apache far more welcoming. There seems to be a fear among M$ shops that anything that isn't available via the monthly MSDN bundle should be avoided at all costs. Never mind that for free and with shed loads of documentation I could deploy web services via PHP, XML and utilising a fully scalable relational database with, oh yeah, on a free OS of course. I've found in the past that ignorance of what is possible is almost impossible to overcome. IMHO of course.
__________________
Robert.

#3
That IIS should be more secure is indeed absurd and wrong. IIS is one of the most insecure servers around. Obviously Apache isn't bug free either, but when comparing the two it's no contest. Also, Apache has a history of fixing bugs quickly.

Microsoft on the other hand has a history of actually DENYING the existence of bugs that people have found exploits to. An example is the bug in Microsoft's SSL protocol which several security firms have pointed out to Microsoft to be really serious, and they demonstrated to Reuters (the news org) how the bug can be used to break into banks using MS IIS with MS SSL as their security solution. When Reuters asked Microsoft about the problem, they responded that the bug that the security firms had talked about didn't exist and that it wouldn't even work theoretically. This was after the security guys had shown that it was indeed possible. This is very sad, since MS has stated that they are shifting towards a more secure OS... With this attitude it will forever be impossible for them to produce a secure environment.

Anyway, the point behind all of this is that having a lot of bugs is not a bad thing at all. It means people are working hard at improving their software. There is no such thing as bug free software. However, it is only a good thing if the bugs are actually fixed, which they are in Apache while MS has chosen to deny their existence, or claim that it only affects other servers. Some bugs even MS fix, but they are often slower than their open source counterpart. That can be explained with them being a huge organisation though, and big organisations are usually slow moving because of their size. Lots of paperwork for everything and several tiers of bosses that need to comment on things. Oh, and MS have the added disadvantage of being every hacker's primary target.

All of this said however, there is no way of proving that any specific webserver is better than the other one other than to look at their track record. Apache has a better track record, but I'm not going to say that the next bug that comes out will be in IIS. There is just no way of knowing, but it is more LIKELY that it will be in IIS.

One valid point the sys admin has though is that it's just plain stupid to implement a system that people know little or nothing about. If the support and sysadmins know IIS intimately, they should indeed stick to IIS instead of jumping on Apache if they know nothing on how to administer it safely. (Many admins don't know how to administer IIS safely either, they just know how to turn it on, which is NOT the same thing.) So, my conclusion is that you are both right. You are right to say that Apache is most likely a safer webserver than IIS. But the sysadmin is right in saying they shouldn't use Apache since they are unfamiliar with it. My suggestion is that you try to get permission to set up an Apache webserver that is away from the internet and just host for your LAN, and try to teach the sysadmin how to use it. When he or she knows how to use it properly, they will hopefully see the benefits and maybe switch. It's sad that people get lulled into believing that MS is more secure/better/everybody-else-sucks just because MS say so when it simply isn't true.

#4
I posted something on the other thread along the same lines as Fjodor's post. This is why cross posting is a bad idea...
On another note, IIS is insecure out of the box, whereas Apache isn't. You actually have to make an effort to make Apache insecure. As long as you are running the latest version, which will be free from the recently discovered (and FIXED, I might add) chunk encoding exploit, you should be fine. If you want to run SSL, make sure you run the latest version, to avoid the Slapper worm which is cruising around the place causing massive amounts of trouble.
__________________
Alex (http://www.alex-greg.com)
Last edited by alexgreg : September 20th, 2002 at 07:30 AM.

#5
I am an IIS administrator - we run almost a thousand servers. I also have extensive experience with Apache and several other less popular web servers.
IIS has a better security model than Apache (by far). That being said, IIS comes out of the box with everything turned on, which inherently makes it insecure unless the administrator (a) spends time on it, (b) knows what he or she is doing and (c) follows the NSA security recommendations to the letter. In other words, you CAN make IIS more secure than Apache, but most people don't. IIS and Apache are very different in design and it's no small task for someone to come up to speed on either of them. It is asking a bit much for someone to manage both types of servers, especially "cold". That being said, it's also very easy for administrators to fail to do their job at maintaining IIS and then blame Microsoft. IIS is not THAT hard to secure. It just requires some knowledge and understanding.
Richard Lowe

#6
Quote:
The reason for this being...?

#7
Re: Apache vs IIS (security)
Quote:
By suggesting that it's too hard for the IT staff to have to worry about two http servers, your admin has pretty much admitted that he is a lazy bum. It's not AT ALL hard to administer a web server, especially one running only 3 websites. However, he may just be lying to you, which is probably the case. More than likely, he just doesn't want to run two http servers on one machine. I wouldn't either. It's best to stick with one product.

Here is a rundown of some info you might like to know (actually, these are just my opinions). Assuming we are talking about the latest version of IIS:
- Apache running on UNIX is FAR better than IIS running on NT4.
- Apache running on NT4 is only a little (if at all) better than IIS running on NT4.
- Apache 2.0 is not nearly as solid as Apache 1.3 (yet). Give it another 9 months.
- Both Apache and IIS have flaws. The difference is that Apache is much more open about them, while Microsoft will usually try to cover them up. Such are the natures of open source vs. commercial software. Corporations don't want anyone to know that their software is flawed.
- By installing Apache and IIS on the same machine, they aren't covering up each other's flaws. In fact, the security holes double up, giving hackers twice the amount of ways to get in.

All in all, your admin is right that it is NOT a good idea to install Apache 2.0 and IIS on the same NT4 box. If you want to run Apache, I'd urge you to install it on a separate machine.

#8
As SuperShaz,
Set up a computer to run Apache, on a FreeBSD or Linux box. See and feel the difference! :O)

#9
Apache can be installed on nearly any platform
If installed on a *nix, it can be stripped down to the bones, making it less likely for hackers to find flaws in the webserver. Linux has a lot of ways to help secure the server, such as SELinux (developed BY the NSA), IPtables which is considered the best firewall, and snort.

Most major webservers run *nixes with Apache for the security and stability; hell, even Microsoft has used Linux: http://www.google.com.au/search?hl=en&q=microsoft+%22uses+linux%22+webserver

Apache has more bugs reported than IIS simply because THEY REPORT THEM. Microsoft's rule is "If they never know, don't tell them"; why do you think a lot of the Windows patches don't tell you much other than the fact "it stops hackers compromising your system".

Conclusion: Apache is the best choice if you are looking for a strong and secure solution. If you don't want to go in cold, read up on their manual, it's all there. Windows is an easy and fast solution for people who don't want to read up on how to do things. "Knowledge is power, power is knowledge, use it"

NB: Sorry for the mainly one sided discussion, but I don't see much for IIS unless a company requests it. I personally don't like how Microsoft only cares about getting money any way possible, including lying, deceiving and foul play. Good software creators get screwed over by crappy companies such as Microsoft.
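A concrete illustration of the "stripped down to the bones" point in the post above, added here as an example and not code from the post or from the Apache project: a small POSIX shell audit that reads an httpd.conf and flags the settings a default install tends to leave loose (version banner, server signature, modules a static site does not need, directory listings). The two config files it checks are constructed for the demo; the directives are standard Apache ones, but the list of "unneeded" modules is an assumption for a static-content site and should be adjusted to what the site actually uses.

```shell
#!/bin/sh
# Added example (not from the thread): audit an Apache httpd.conf for the
# "stripped down" settings the post describes. The config files below are
# constructed for the demo. ServerTokens, ServerSignature, LoadModule and
# Options are standard Apache directives; which modules count as "unneeded"
# is an assumption made here for a static-content site.

# Modules this demo treats as unneeded on a static site (assumption).
UNNEEDED_MODULES="cgi_module status_module info_module autoindex_module userdir_module"

# audit_httpd_conf FILE
# Prints one FINDING line per issue; the return code is the number of findings
# (0 means the file passed every check). Does not follow Include directives.
audit_httpd_conf() {
    conf="$1"
    n=0
    # "Prod" keeps module and OS details out of the Server: response header.
    if ! grep -Eq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$conf"; then
        echo "FINDING: ServerTokens is not Prod (version banner leaks details)"
        n=$((n + 1))
    fi
    # Error pages should not append the server version either.
    if ! grep -Eq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$conf"; then
        echo "FINDING: ServerSignature is not Off"
        n=$((n + 1))
    fi
    # Every loaded module is attack surface; flag the ones the site does not need.
    for m in $UNNEEDED_MODULES; do
        if grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$m[[:space:]]" "$conf"; then
            echo "FINDING: unneeded module loaded: $m"
            n=$((n + 1))
        fi
    done
    # Directory listings expose file names that were never meant to be linked.
    # Matches "Indexes" or "+Indexes" as an Options argument, not "-Indexes".
    if grep -Eq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?Indexes([[:space:]]|$)' "$conf"; then
        echo "FINDING: directory listings enabled (Options Indexes)"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed "everything on" config, roughly what a default install looks like.
SAMPLE_LOOSE="${TMPDIR:-/tmp}/httpd-loose.conf"
cat > "$SAMPLE_LOOSE" <<'EOF'
ServerTokens Full
ServerSignature On
LoadModule cgi_module modules/mod_cgi.so
LoadModule status_module modules/mod_status.so
LoadModule dir_module modules/mod_dir.so
LoadModule log_config_module modules/mod_log_config.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF

# Constructed stripped-down config for the same static site.
SAMPLE_TIGHT="${TMPDIR:-/tmp}/httpd-tight.conf"
cat > "$SAMPLE_TIGHT" <<'EOF'
ServerTokens Prod
ServerSignature Off
LoadModule dir_module modules/mod_dir.so
LoadModule log_config_module modules/mod_log_config.so
<Directory "/var/www/html">
    Options None
</Directory>
EOF

# Run both samples through the audit when the script is executed directly.
for f in "$SAMPLE_LOOSE" "$SAMPLE_TIGHT"; do
    echo "== $f"
    if audit_httpd_conf "$f"; then
        echo "== clean"
    else
        echo "== $? finding(s)"
    fi
done
```

Run as-is it reports five findings for the loose config and none for the tight one; pointed at a real httpd.conf, `audit_httpd_conf` works as a pre-deployment check, with the caveat that it reads one file at a time, so each file pulled in by an Include directive has to be passed separately.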
#10
Also another note on IIS: Microsoft used FreeBSD for their Hotmail internet webserver for years, which proved that Microsoft didn't even trust their own f*cking webserver applications and OS.

#11
This thread is nearly three years old.
<closed>
__________________
-- Manuel Hirsch - Linux, FreeBSD, programming, administration articles, tutorials and more.
Viewing: Dev Shed Forums > System Administration > Security and Cryptography > Apache vs IIS (security)