<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:series="http://unfoldingneurons.com/"
		>
<channel>
	<title>Comments on: IIS websites are 1.4 times more secure than Apache sites</title>
	<atom:link href="http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/feed/" rel="self" type="application/rss+xml" />
	<link>http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/</link>
	<description>For Windows Administrators</description>
	<lastBuildDate>Fri, 06 Nov 2009 09:37:59 -0500</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Michael</title>
		<link>http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/comment-page-1/#comment-60128</link>
		<dc:creator>Michael</dc:creator>
		<pubDate>Wed, 09 Apr 2008 19:44:05 +0000</pubDate>
		<guid isPermaLink="false">http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/#comment-60128</guid>
		<description>James, I am not trying to show that Microsoft has the better product. Actually, I prefer Open Source when it comes to web apps. There are so many great content management systems for LAMP environments. I absolutely agree that comparable systems are often too expensive for the Microsoft platform. My article was just about security. It seems that at least in this field, MS was able to catch up in the last years.</description>
		<content:encoded><![CDATA[<p>James, I am not trying to show that Microsoft has the better product. Actually, I prefer Open Source when it comes to web apps. There are so many great content management systems for LAMP environments. I absolutely agree that comparable systems are often too expensive for the Microsoft platform. My article was just about security. It seems that at least in this field, MS was able to catch up in the last years.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: James</title>
		<link>http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/comment-page-1/#comment-59271</link>
		<dc:creator>James</dc:creator>
		<pubDate>Thu, 03 Apr 2008 15:21:25 +0000</pubDate>
		<guid isPermaLink="false">http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/#comment-59271</guid>
		<description>Interesting. With my experience I would still say that some of this is due to improper patching. I run both, both run fine for me. I have a tendency to shy away from these simple comparisons. The numbers are too close imo to show one product is better than the other, which frankly you are trying to show. With Microsoft being the top dog shouldn&#039;t this number be higher? You can show people all day that an Acura, BMW, etc. is a better car but if I can&#039;t afford it - what&#039;s the point?</description>
		<content:encoded><![CDATA[<p>Interesting. With my experience I would still say that some of this is due to improper patching. I run both, both run fine for me. I have a tendency to shy away from these simple comparisons. The numbers are too close imo to show one product is better than the other, which frankly you are trying to show. With Microsoft being the top dog shouldn&#8217;t this number be higher? You can show people all day that an Acura, BMW, etc. is a better car but if I can&#8217;t afford it &#8211; what&#8217;s the point?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Michael</title>
		<link>http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/comment-page-1/#comment-58768</link>
		<dc:creator>Michael</dc:creator>
		<pubDate>Mon, 31 Mar 2008 20:07:23 +0000</pubDate>
		<guid isPermaLink="false">http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/#comment-58768</guid>
		<description>Lukas, you’re absolutely right. I didn’t think about this. It is probably not so much of an Apache issue, but more about the whole LAMP platform. I think these environments suffer from the same problem as Windows on the desktop. Their popularity makes them attractive targets for the bad guys.

Lars, such personal experiences can be deceiving when it comes to security. I don’t remember ever having a virus on my Windows desktop. Yet, I know that Windows is the biggest virus hotbed in the universe.</description>
		<content:encoded><![CDATA[<p>Lukas, you’re absolutely right. I didn’t think about this. It is probably not so much of an Apache issue, but more about the whole LAMP platform. I think these environments suffer from the same problem as Windows on the desktop. Their popularity makes them attractive targets for the bad guys.</p>
<p>Lars, such personal experiences can be deceiving when it comes to security. I don’t remember ever having a virus on my Windows desktop. Yet, I know that Windows is the biggest virus hotbed in the universe.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: lars</title>
		<link>http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/comment-page-1/#comment-58249</link>
		<dc:creator>lars</dc:creator>
		<pubDate>Fri, 28 Mar 2008 13:54:35 +0000</pubDate>
		<guid isPermaLink="false">http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/#comment-58249</guid>
		<description>hi,


I can just add the average on a very small base ;-)

running both IIS and Apache in a corporate environment for nearly six years now, we got here:

- three servers with apache on debian
- four servers with IIS on NT / windows 2000 server, windows server 2003

three of the four webservers running IIS have been hacked at least once, the three apaches remaining unhacked for over five years now ...

very funny: we placed all the IIS-servers behind firewalls (though no application level gateways, I have to admit), whilst two of the apache-boxes are placed direct in the www. 

and I like to add: running apache on debian is quite straightforward, there is plenty of documentation on the web and a reliable community. running apt-get upgrade once a week, change the passwords now and then (and using really secure passwords!), deny root-access, use tools like chkrootkit, rkhunter - these are our experiences.</description>
		<content:encoded><![CDATA[<p>hi,</p>
<p>I can just add the average on a very small base ;-)</p>
<p>running both IIS and Apache in a corporate environment for nearly six years now, we got here:</p>
<p>- three servers with apache on debian<br />
- four servers with IIS on NT / windows 2000 server, windows server 2003</p>
<p>three of the four webservers running IIS have been hacked at least once, the three apaches remaining unhacked for over five years now &#8230;</p>
<p>very funny: we placed all the IIS-servers behind firewalls (though no application level gateways, I have to admit), whilst two of the apache-boxes are placed direct in the www. </p>
<p>and I like to add: running apache on debian is quite straightforward, there is plenty of documentation on the web and a reliable community. running apt-get upgrade once a week, change the passwords now and then (and using really secure passwords!), deny root-access, use tools like chkrootkit, rkhunter &#8211; these are our experiences.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Lukas Beeler</title>
		<link>http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/comment-page-1/#comment-58185</link>
		<dc:creator>Lukas Beeler</dc:creator>
		<pubDate>Thu, 27 Mar 2008 21:16:32 +0000</pubDate>
		<guid isPermaLink="false">http://4sysops.com/archives/iis-websites-are-14-times-more-secure-than-apache-sites/#comment-58185</guid>
		<description>I agree with you and add another point.

Very few website defacements happen because of the webserver used, much more because of the actual applications used.

Most community and private sites use widely deployed open source software, some of which is very poor when it comes to security (phpbb comes to mind).

In corporate environments, websites are also less likely to use plain off the shelf software, usually with heavy modifications, thus making completely automated exploits as they happened with phpbb completely impossible.

Nevertheless, I&#039;ve seen some very poorly implemented ASP.NET projects but also some very poorly implemented PHP/Apache projects. They just weren&#039;t hacked because nobody cared to.

Nevertheless, IIS6 had a better security track than Apache. Let&#039;s see how IIS7 will fare.</description>
		<content:encoded><![CDATA[<p>I agree with you and add another point.</p>
<p>Very few website defacements happen because of the webserver used, much more because of the actual applications used.</p>
<p>Most community and private sites use widely deployed open source software, some of which is very poor when it comes to security (phpbb comes to mind).</p>
<p>In corporate environments, websites are also less likely to use plain off the shelf software, usually with heavy modifications, thus making completely automated exploits as they happened with phpbb completely impossible.</p>
<p>Nevertheless, I&#8217;ve seen some very poorly implemented ASP.NET projects but also some very poorly implemented PHP/Apache projects. They just weren&#8217;t hacked because nobody cared to.</p>
<p>Nevertheless, IIS6 had a better security track than Apache. Let&#8217;s see how IIS7 will fare.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
