Now more than ever before in your career as a Windows systems administrator, you may find yourself partially or fully responsible for the availability of your company’s Web applications. “But I’m not a Web admin!” you might exclaim. Like it or not, the migration of applications from the desktop to the Web browser means that we systems admins must take ownership of application uptime, regardless of form factor.

Here are some thought questions for you to consider: Does your organization do business over the Web? If so, how can you verify that your e-commerce engine is functional at any particular point in time? How can you diagnose bottlenecks and latencies in your Web application from the user’s’ perspective?

Many organizations rely upon internal line-of-business (LOB) Web applications. Again, we administrators are often faced with service-level agreements (SLAs) or organizational mandates that guarantee application availability for our users.

SolarWinds offers the free tool Web Transaction Watcher that enables you to run live transaction tests against your Web applications in a completely no-code, graphical environment.

The typical workflow for running Web application transaction tests is to author and run often complicated shell scripts or programming language scripts. By contrast, Web Transaction Watcher includes an intuitive recorder with which we step through a typical Web transaction and store those steps for analysis and future reuse.

Recording a Web transaction

To download Web Transaction Watcher, simply provide SolarWinds with a contact e-mail address. Once you have the software installed (the disk footprint is tiny; the installation .MSI weighs in at under 5 MB), fire up Web Transaction Watcher; the application view defaults to the Recording tab. Next, use the tool’s integrated Web browser to navigate to your desired Web application. The Web Transaction Watcher main interface is shown in the following screen capture.

Web Transaction Watcher main interface

Let’s use the previous screen capture as our reference as we walk you through the process of recording a Web transaction. After you have the integrated browser pointed at the proper page within your Web application, press the Record button (A) and begin your desired transaction. For our purposes, a Web transaction is simply a series of steps that an end-user might take in your app; these could include:

• Adding an item to an online shopping cart
• Completing an online purchase
• Posting a message to an online forum
• Downloading a file

You’ll notice that the Time Line (C) records each step in the transaction process in much the same way the macro recorder traces your steps in Microsoft Office applications. However, what sets Web Transaction Watcher apart from its competition is that you can actually edit and delete any step in your Web transaction during recording.

The process of editing a task sequence is easy; simply right-click the appropriate transaction step and select Edit or Delete from the shortcut menu. This is shown in the following screen capture.

Editing a Web transaction step

When your Web transaction is complete, press the Stop button (B). Make sure to save your recorded transaction for future playback. Web Transaction Watcher recording files use the intuitive .recording file extension.

Analyzing and replaying Web transactions

To analyze your recorded Web transaction, navigate to the Monitoring Console tab in the main interface. Web Transaction Watcher stores the last five runs of your recorded transaction and displays the status of each with a color-coded bubble icon (shown at A in the following screen capture).

Monitoring a Web transaction

In the Steps area of this interface (B in the above screen capture) you can check the status of individual steps in the captured transaction. Again, the feedback is color-coded: errors are shown with a gray callout bubble. Clicking the status indicator bubble calls up a dialog with timing information to help you diagnose and troubleshoot latency.

Examining latency

Do you see the hyperlink that says Try the SEUM evaluation for configurable thresholds? This is a reminder that the SolarWinds Web Transaction Watcher is the free “little sibling” to their enterprise product Synthetic End User Monitor (SEUM).

SEUM is cool because it greatly broadens and deepens the Web transaction monitoring functionality contained in the Web Transaction Monitor. For instance, SEUM has robust scheduling capability (Web Transaction Watcher includes limited functionality for automatically replaying your stored Web transaction sequences).

Moreover, SEUM makes it easy to run your Web application tests from multiple hosts. For example, you may want to simulate your Web app user experience from multiple locations around the world using various Internet connection speeds.

Conclusion

You should know that Web Transaction Monitor is only one of over 20 completely free utilities that are offered by SolarWinds. I’ve been a fan of these tools for many years; their Advanced Subnet Calculator has historically been one of my favorite free utilities from any vendor.

Web Transaction Watcher

• IEAK Boot Camp – Part 4: Maintaining Internet Explorer 9 (0)
• IEAK Boot Camp – Part 3: Deploying a custom build of Internet Explorer 9 (0)
• IEAK Boot Camp – Part 2: Creating a custom build of Internet Explorer 9 (0)
• IEAK Boot Camp – Part 1: Whys and Initial Configuration (0)
• Chromebooks – Eight disadvantages – Part 5: Costs and conclusion (2)

System Requirements and Preparations

Both Versions of SharePoint, SharePoint Foundation (the previous WSS) and SharePoint Server (the previous MOSS), require Windows Server 2008 SP2 or Windows Server 2008 R2. Besides that, you need Microsoft SQL Server for versions 2005 SP3, 2008 SP1, or 2008 R2. All of them have to be 64-bit installations—32-bit is not supported by SharePoint 2010.

Besides these prerequisites, your current SharePoint installation must have a version number not less than 12.0.0.6421. This number equals MOSS 2007 SP2. You can find the version number in the Central Administration, Operations tab, under the link “Servers in Farm.” With SP2, Microsoft added a new function to the stsadm command. It is called pre-upgrade-checker, and it reviews your SharePoint installation for possible compatibility issues with SharePoint 2010. It will not make any changes to your current SharePoint installation, so it is safe to run in a productive environment. Be aware that it is quite resource intensive, so I would recommend running it during the off times. To run it, just execute the following command:

Stsadm -o preupgradecheck

It will display a short summary of the results in the shell:

However, more helpful is the comprehensive HTML report generated when the command finishes. You will need some time to read and fully understand it. If some “potential upgrade blocking issues” are listed, you should solve them before you start upgrading to SharePoint 2010. Thankfully, most issues are linked to online resources, which help in finding the problem’s solution. If everything looks fine in the report, you are still not ready to upgrade…but almost. You have to review your customizations. For example, have you changed any files in the SharePoint Hive under %PROGRAMFILES%\Common Files\Microsoft Shared\web server extensions\12? Have you deployed any custom- or third-party solutions? If you have kept a detailed change log, it will be a great advantage now. If not, make one now. You will need it once the upgrade process has finished.

If everything is done, you have to consider which kind of migration you want to do. Microsoft provides two different approaches: In-place upgrade and database-attach upgrade.

In-place upgrade

An in-place upgrade is surely the more comfortable method, because it is fully automated and you upgrade all of your servers at the same time. This requires that the server fulfill the installation prerequisites. If you select the option “install software prerequisites” in the installation tool, this is checked automatically and all the missing software parts will be copied to the hard disk. Once the migration process has started, there is no way to interrupt it, or do a rollback. This sounds risky, but Microsoft did well with the implementation of the in-place upgrade and the upgrade will run without interruptions most of the time. Performing a full farm backup is obligatory, though. Before you initialize the upgrade process, you should stop the World Wide Web Publishing service to prevent http traffic. You can do this in the IIS Manager by right clicking on the server and selecting “stop” from the context menu. To start the upgrade process, you must run the SharePoint 2010 installation routine. Once started, the installer will recognize that an older version of SharePoint is running on the server. It will you guide you through the whole migration process. This has to be done on all servers of the SharePoint farm.

When the installation routine is finished, you have to go to the “SharePoint 2010 Product Configuration Wizard” and run it. It will take some time to run, but after it is complete and if no errors occurred, the migration process will have finished successfully. All content has been converted to SharePoint 2010, and you can start exploring the new possibilities that SharePoint 2010 offers you. But before the fun part of the migration can start, you should check out the error log file. It can be found in %PROGRAMFILES%\Common Files\Microsoft Shared\ web server extensions\14\LOGS. If any errors are listed in the log file, you should fix them before considering adding new features to your web applications.

Database-attach upgrade

This is the safer approach because it does not interfere with your running system. However, it is more complicated and more work intense because you have to reapply all farm settings and customizations manually. If you are running a 32-bit Server or Windows 2003 Server environment, it is your only option, though. First, you have to create a new SharePoint 2010 server farm and mirror the web applications settings of your running farm on the new servers. To avoid DNS problems, you have to add the web application’s host names to the server’s local hosts file. It can be found under %WINDIR%\system32\drivers\etc.

Now it is time to reproduce the customizations of your old SharePoint installation’s file system. SharePoint’s 2010 hive is located under %PROGRAMFILES%\Common Files\Microsoft Shared\ web server extensions\14. You have to mirror exactly all the changes you have done to the old SharePoint installation, because missing customizations can have serious side effects. If important files are missing, a whole web application could fail to run.

Once the customizations are finished, you have to attach the old content databases. For that purpose, I recommend deleting the default content databases that were initialized when you created the new web applications. To add a content database to your fresh installation you have to use stsadm:

stsadm -o addcontentdb -url <url>-databasename <databsename> -databaseserver <mssqlserver>

When the command is executed, the old database will be upgraded to a SharePoint 2010 compatible version. Depending on the size of the database, this process can consume quite some time. If the performance of your SQL servers allows it, you can run a few of these upgrades parallel. Stsadm creates detailed log files in the LOGS folder in your SharePoint hive. One of them (called Update-*-error.log) will only show the warnings and errors. You will definitely want to check this log file to figure out if everything ran smoothly.

The Shared Service Provider no longer exists in SharePoint 2010, so if you import the SSP database it will only add the user profiles to the new database and all other settings will be lost. You will have to create them from scratch.

Finalizing the migration

Once everything is done and you want to check out the new SharePoint 2010 interface, you might be disappointed because it looks exactly like your SharePoint 2007 websites. Before you start to worry that something has gone tremendously wrong in the migration process, I can assure you that this is intended. It makes the migration process more transparent. Because if you were to see a messy website with the new SharePoint 2010 UI, you would have to figure out if something on the backend migration failed or if the new UI is incompatible with your customizations. When you see the old UI and if everything looks fine, you can be sure that the migration process has been correct up to now. If the SharePoint 2010 UI gets messy after you switch to it, you know for certain that the only cause can be incompatible visual customizations. But how do you switch to the new UI?

There is nothing easier than that. You just have to go to the Site Actions menu and choose Visual Upgrade. You have three options: display the previous UI, preview the new UI, and use the new UI. Before using the new UI, you should use the preview option to test whether everything looks right. If you are content with the results, you will notice that the changes to the UI are quite significant. However, not only has the UI changed, but also many management tools have been tweaked.

Although I will end the post now, your work is not done yet. You have to get used to the new functions and the new UI. Besides that, you have to prepare training sessions for the users to help them understand the new interface and features. I am sure, though, that they will be very happy with the new opportunities that SharePoint 2010 offers.

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Scan your website for malware with free tools (11)
• Is the Web replacing Windows as the primary malware playground? (4)
• Free website monitoring services (9)
• Microsoft Azure Services Platform – a short introduction and its significance for Windows admins (0)

I already mentioned Google Safe Browsing and Bing’s malware detection in my last article. Today, I will introduce free third-party website malware detection tools.

Unmask Parasites

Unmask Parasites is a free service that allows you to scan a particular web page for malware. Thus, this service is only useful if you already suspect that something strange is going on your website. Unmask Parasites scans the entered page for malware and suspicious code. Because the tool uses heuristics to detect suspicious code, there is the danger that it will detect false positives.

The result page also lists all external references. If you find a URL in this list that you don’t know, you should have a closer look. By the way, Unmask Parasites classifies microsoft.com as suspicious. Not that we didn’t know that before.

Unmask Parasites also offers a good practical guide to deal with Google’s malware warnings.

StopBadware

The Badware Website Clearinghouse is a database of sites that contain what StopBadware calls “badware.” “Badware” is a general term that includes malware and software that behaves badly. Such bad software is doing things that visitors don’t expect and might not be approved by them. This could be code that violates the user’s privacy or installs additional software.

Unlike Unmask Parasites, StopBadware doesn’t scan your site. StopBadware uses data from Google, Sunbelt Software, and web users who reported badware URLs.

You can search for sites in the Badware database. Let’s hope that your site is not a badware site.

McAfee SiteAdvisor

SiteAdvisor was acquired by McAfee in 2006. The service crawls websites to search for spyware, spam, and scams and then assigns one of these ratings: Safe, Caution, or Warning. Sites that have not been scanned are marked as Unknown. McAfee also uses heuristics and in the past some websites have been flagged incorrectly.

McAfee offers free plugins for Firefox and Internet Explorer that warn users about flagged sites. There is also the third-party Chrome extension for SiteAdvisor.

You’d better ensure that SiteAdvisor judged your site correctly. You can search for the rating of your site in the sidebar on the SiteAdvisor homepage.

QualysGuard

Qualys is the only the free service I know of that allows you to scan your whole website for malware and suspicious code. You can manually start scans or schedule them. Qualys will send you an email informing you if malware has been found on your site. You can view a report online that includes all scanned pages.

QualysGuard scans quite thoroughly. It even executes JavaScript code. A Qualys representative told me that their scanner pretends to be a real browser on a real machine. Thus, hits from QualysGuard will look like true user visits.

This can be a problem in some environments. For example, QualysGuard’s scans could appear in your Web analytics statistics. If your site has many pages this can have a significant impact on your statistics if you let QualysGuard scan your site regularly. Hence, you have ensure that your analytics software filters QualysGuard visits.

Do you know of another malware scan service for websites? There are also commercial website scan services. If you can recommend one of these, please post a comment below.

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• IEAK Boot Camp – Part 4: Maintaining Internet Explorer 9 (0)
• IEAK Boot Camp – Part 3: Deploying a custom build of Internet Explorer 9 (0)
• IEAK Boot Camp – Part 2: Creating a custom build of Internet Explorer 9 (0)
• IEAK Boot Camp – Part 1: Whys and Initial Configuration (0)

One point that advocates of Web applications argue is that Web apps are safer than desktop apps because they are not prone to infection from viruses and computer worms. In my view, this claim is no longer valid. The Web has become a dangerous place.

I think, there are two reasons for this development. Firstly, the bad guys have found out that the Web, not Windows, is the best place to spread their malware simply because the distribution options are more powerful. Popular sites have thousands of visitors who are not aware of the risks especially if the site owner is trustworthy.

Secondly, the growing complexity of content management systems and Web apps increases the likelihood of vulnerabilities that can be exploited by crackers, computer worms, and other vermin. The same applies to Web browsers that are supposed to replace full-blown operating systems. These new capabilities come at a price. More code always increases the risks for security holes. There is no such thing as a secure Web browser, just like there is no secure operating system.

In particular, popular content management systems are attractive for hackers because they can reach a large number of websites this way. In my view, Open Source CMS solutions are the most endangered systems because it is relatively easy for hackers to find vulnerabilities in the source code. The more complex these systems become the more difficult it gets for the corresponding Open Source community to detect the vulnerabilities before the hackers do.

Thus, even if you always update your CMS immediately and scan your site with vulnerability scanners regularly, you can’t be certain that a vulnerability in your CMS hasn’t been exploited already to upload malware to your site. The patch to close the security hole will come too late then because this won’t remove the malware from your site.

To find out if Google already detected malware on your site, you can use the Webmaster Tools. You’ll find the Malware menu point in the Diagnostics section. Bing’s Webmaster Center offers a similar service under the Crawl Issues tab.

If you don’t use the Webmaster Tools you can check your site with this URL: http://www.google.com/safebrowsing/diagnostic?site=4sysops.com. Replace 4sysops.com with the site you want to examine. You can also enter the form at GrapeThinking. Yet another option is the Google Safe Browsing plug-in for Firefox. As far as I know there is no such add-on for Internet Explorer or Chrome.

If Google or Bing identified your site as suspicious, it is already too late. I don’t have to tell you what it means if Google displays a warning page whenever a user clicks on a link to your site or removes your site from the index. Essentially, your website will cease to exist, not to mention the consequences for the reputation of your organization.

Hence, it makes sense to check your website regularly for malware with third-party tools. In my next article, I will discuss a couple of free website malware detection tools.

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• IEAK Boot Camp – Part 4: Maintaining Internet Explorer 9 (0)
• IEAK Boot Camp – Part 3: Deploying a custom build of Internet Explorer 9 (0)
• IEAK Boot Camp – Part 2: Creating a custom build of Internet Explorer 9 (0)
• IEAK Boot Camp – Part 1: Whys and Initial Configuration (0)

To make sure that your website is available not only on the intranet but also on the Internet, your monitoring solution has to be outside your organization’s network. This is where web monitoring services come in. They are not expensive, and some of them even have free plans. In this post I compare three free website monitoring services: SiteUptime, HostTracker, and BasicState.

Of course, a free service has its price. The check period is usually longer than for the paid plans. SiteUptime and HostTracker check your site every 30 minutes and BasicState every 15 minutes. If you also have an internal monitoring solution, this time interval might be sufficient. However, the paid plans start at $5 per month. I’d say this is almost free.

To configure BasicState costs you only a few seconds. You just have to specify the address of your website and the alert destination. BasicState supports email and SMS. SMS messages have to be paid. In theory BasicState supports numbers outside the US, but in my test this didn’t work with a German cell phone number. You can configure multiple alert addresses and also multiple websites. BasicState only support hostnames as URLs, i.e., you can only specify addresses like http://www.domain.com.

However, the biggest problem with BasicState is that it doesn’t analyze http error codes. My test site was a WordPress installation where the MySQL database wasn’t accessible. That is, the web server was working, but the CMS wasn’t able to create the web page, and produced a 302 http error code. BasicState didn’t notify me that the website was down.

SiteUptime was a bit smarter. It had no problem recognizing that my test site wasn’t accessible. It also offers more options (see screenshot) than BasicState, although the free plan allows you to monitor only one website. Aside from http, SiteUptime also supports smtp, ftp, and pop3 monitoring. I found it useful that one can configure the number of failures after an alert is sent. Perhaps the web server was just a bit busy when it was checked, but it will be back in a few minutes. In such a case you wouldn’t like to receive a text message in the middle of the night. The free plan doesn’t support SMS messages, and you can only configure one mail address for the alerts.

HostTracker offers fewer options than SiteUptime, but it has one feature that I consider important. It allows you to specify a keyword that has to be present in the web page. This goes beyond the evaluation of http error codes, and might be useful in situations where a CMS has problems at times with generating a certain part of the web page. Unfortunately, this feature is not free. The free plan allows you to monitor up to two domains. It doesn’t support SMS alerting. After you sign up, you have 30 days to decide which plan suits you best.

All three web monitoring solutions have additional features such as reporting or multiple check locations which I didn’t discuss. My main intention was to find a free monitoring service that informs me whenever my web site is down. For my purposes, both SiteUptime and HostTracker are possible solutions. I can’t recommend BasicState because of the lack of http error code evaluation.

If the 30 minutes check period is too long for your purposes, you might consider using multiple different services. Statistically, this would also reduce the time interval. You might also want to check out the review by Aseem Kishore. He discusses two additional services, Pingdom and justUptime. I didn’t include them in my review because they don’t offer free plans.

Do you know of another free web monitoring service?

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)
• Is the Web replacing Windows as the primary malware playground? (4)
• Microsoft Azure Services Platform – a short introduction and its significance for Windows admins (0)

The four services of the Azure Services Platform are: Windows Azure, .NET Services, SQL Services, and Live Services.

Windows Azure

As I outlined yesterday, the term “Windows Azure” is a bit misleading. Essentially, Windows Azure is a cloud-based Web platform. Even though it is running on Windows Server 2008, it is not a cloud-based Windows edition. Perhaps this might change though. David Chappell mentioned that Microsoft might support unmanaged code on Windows Azure in the future. Perhaps this is a hint that non- web-related applications will one day run on Windows Azure. Then it could be possible that we can move our complete Windows backend to Microsoft’s datacenters.

.NET Services

.NET Services is not really a new service. Microsoft just renamed the BizTalk Services, which were introduced a year ago. Perhaps they renamed it because many confused it with the BizTalk Server. I guess that many will confuse it now with Windows Azure because they are both related to .NET. The main difference is that Windows Azure is for hosting .NET applications whereas the .NET Services offer cloud-based infrastructure that helps integrate external applications. These applications can be cloud-based, i.e. they could run on Windows Azure, but they could also be on-premise applications, that is, apps running on your own servers. The .NET Services consist of three components: Access Control, Service Bus, and Workflow. Access Control is for identity federation (facilitates single sign-on), the Service Bus exposes application’s services on the Internet (makes them accessible via an URI), and Workflow implements the logic that coordinates the interaction of the applications. These components can be used by software vendors for their own applications.

SQL Services

The SQL Services were formerly called SQL Server Data Service (SSDS). Basically, it is a cloud-based service offering data storage capabilities. It is based on Microsoft SQL Server, but it only offers a subset of its data types and it is exposed as a web service, which means that it can be accessed over HTTP using the SOAP and REST protocols. “Cloud-based” means that Microsoft doesn’t just offer SQL Servers in its datacenters for rent. Users of this service would rather rent data storage. That is, you don’t have to manage the DBMS yourself. Therefore, you don’t have to worry about things like storage capacity, scalability, availability etc. Like .NET services, SQL Services can be used by software vendors for their own applications.

Live Services

The Live Services encompass Microsoft’s Internet applications such as Hotmail, Live Messenger, or Live Search. These services, or more specifically the data behind these services, can be accessed by applications via the so-called Live Operating Environment. For example, a software vendor could offer a VOIP application, which accesses the user’s Live contacts to retrieve their phone number. As with all the other services of the Azure platform, HTTP is the only protocol supported.

Thus, one can say that the Azure Services Platform is Web-based. However, contrary to some other cloud service providers, it is not solely browser-based. Furthermore, Microsoft is not trying to replace on-premise computing like Google. Microsoft mostly targets ISVs (independent software vendors) with Azure, who will provide new kinds of applications that will run partly in the cloud and partly on conventional servers and desktops. Microsoft’s marketing dubbed this approach, already for quite some time as S+S (Software + Service) as opposed to SaaS (Software as a Service). With Azure, it becomes clearer what S+S really is. It is not just that they want to continue selling software licenses. Microsoft brings to bear its huge Windows ecosystem. Microsoft alone might not be able to stop the Googles and Amazons, but together with an armada of ISVs who will develop for Azure and for Windows, it is quite likely that Microsoft will extend its dominance to the cloud.

For Windows admins, this means that the complexity of their environments will grow significantly within the next few years. You will have to manage software that runs on computers within your organization and also software that runs in third-party datacenters. In addition, you have to make sure that they interact properly. Contrary to many others, I believe that cloud computing will require more IT staff in most organizations, not less. Cloud computing certainly will rationalize IT tremendously. However, IT became more effective since Konrad Zuse invented the first computer almost 70 years ago. Ever since, the number of IT pros has been growing. The reason for this is that more effective computer technology always made new kinds of applications possible. This extended the complexity of IT, which increased the need for IT pros. I believe that this also applies to cloud computing. Within the next few years, we will move some of ours apps to the cloud, some will stay in our server rooms and completely new kinds of applications will be invented.

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)
• Is the Web replacing Windows as the primary malware playground? (4)
• Free website monitoring services (9)

There are quite a few fundamental concepts related to Microsoft’s cloud initiative: Azure Services Platform, Windows Azure, .NET services, Live Services and SQL Services. The most interesting question is how these relate to each other. Some journalists seem to believe that Windows Azure is the fundamental platform and all the other services run on top of it. This picture is supported by the following diagram, which can be found in many articles.

However, there is a different diagram, which contradicts this view.

According to this diagram, Windows Azure is not some kind of cloud OS that hosts the other Azure services, but is just one of the four Azure services. The cloud itself probably represents the Azure Services Platform. So which is the true picture? I am not really sure, but David Chappell’s white paper (.docx), which outlines the technical details, indicates that the latter view is correct. The diagram below makes this clearer.

The VMs are virtual machines that run a 64-bit Windows Server 2008 with .NET 3.5. By the way, the hypervisor used is not Hyper-V. It is called Windows Azure hypervisor.

The Windows Azure applications are basically .NET 3.5 apps that run inside the VMs. An application consists of one or multiple instances. Each instance has its own VM. There are two kinds of Windows Azure instances: Web role instances and Worker role instances. A Web role instance is just a.NET program that works with IIS, for example ASP.NET or WCF (Web services). A Worker role instance is also a .NET app, but it doesn’t require IIS. What is important is that a Worker role instance isn’t allowed to have any incoming network connections. It receives its input only from a Web role instance. Instances communicate via the Windows Azure Fabric or the Windows Azure Storage. Web role instances communicate via HTTP with external entities, like a Web browser, for instance.

I think it becomes clearer now what Windows Azure really is. Basically, Windows Azure is just a virtualized Web server with runtime plus cloud technology. The latter just means that applications are sliced into smaller junks (the instances) which are running in a distributed infrastructure. Or even more simplified, Windows Azure is just a Web server running on multiple machines.

This (over)simplification removes a little of Windows Azure’s shine. I don’t want to downplay what Microsoft has accomplished; however, I think that some writers have exaggerated the significance of this new technology. From a user’s point of view, there won’t be much change in the near future. Windows Azure apps are simply Web apps. You won’t realize the difference if your Web mailer runs on Windows Azure or any other Web platform. Cloud computing is mostly about scalability. Therefore, we have a new platform now for the Facebooks and My Spaces out there. I don’t think that it will really offer new possibilities for small and mid-sized companies. If you don’t want to run your Web apps on your own servers, you can do that already now by renting Web space. The good news is that Web space might get even cheaper now.

I think it is also clear what Windows Azure is not. First of all, it is not a cloud-based Windows edition. You can’t run Office 2007 or Active Directory on it and most significantly, Windows Azure has no windows. Windows Azure is used and managed via a web browser. Perhaps IIS Azure would have been a more proper naming. As things stand now, Windows Azure is not really a competitor to Windows Server or the Windows Client. Windows Azure and the other components of the Azure Services Platform are just new technologies that extend the Web-based capabilities of Windows.

Even though I downplayed the significance of Windows Azure, I find it very interesting from a technical point of view. I also think that, in the long run (5 to 10 years), cloud technology will change IT notably. Rest assured that I will write more about it soon.

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)
• Is the Web replacing Windows as the primary malware playground? (4)
• Free website monitoring services (9)

According to Netcraft 76,591,442 sites were running on Apache in December 2007 and IIS hosted 55,502,886 which corresponds to a ratio of 1.38. In January 2007 the ratio was 1.95. Despite the fact that IIS is catching up continuously, it also seems that IIS sites are more secure than those running on Apache.

The average Apache/IIS ratio should be about 1.66. I only used January and December to calculate this number because I was too lazy to add all months. But since Apache is continually losing ground against IIS I think that this number should be the mean value for 2007.

So in 2007, there were 1.66 more Apache sites than IIS sites and there were 2.32 times more Apache sites defaced than IIS sites. The Apache/IIS security ratio is just 2.32/1.66=1.40.

This number tells us that the probability of a certain website getting hacked is 1.4 times higher if it is running on Apache. It does not necessarily mean that Apache is more secure than IIS, though. The number one reason why websites get defaced is because of weak passwords. Shares misconfiguration is second.

So one might be tempted to conclude that Apache admins are just sloppier or don’t care that much about security. This might be due to the fact that Apache hosts mostly private sites where IIS is stronger in corporate environments. It could also be that configuring Apache is more complicated, therefore more prone to errors. I personally find password configuration a bit cumbersome with Apache. So my guess is that Apache admins change their passwords less often. Hmm, this reminds me that I didn’t change my Apache passwords for quite a while.

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)
• Is the Web replacing Windows as the primary malware playground? (4)
• Free website monitoring services (9)

I rounded the numbers and compared different months. Considering the huge differences between those statistics, this doesn’t matter anyway.

Of course, the different results are due to different counting. However, all organizations claim that their numbers represent the Web server market shares. Netcraft seems to count every domain, Google excluded domains without root URL, Security Space only counts domains with backlinks, and Port80 only includes Fortune 1000 companies.

The Netcraft data includes tons of parked domains. Security Space tries to avoid this fallacy by including only domains that someone found interesting enough to link to. They claim that they exclude personal web sites this way which certainly is doubtful. I suppose their data contains mostly personal blogs. Google’s method probably excludes many professional sites, because only they work with redirects.

In my view, the data of Port80 is the only one where the word “market share” really makes sense, since they only count corporate sites where someone deliberately chose the Web server software. If you just count domains you inevitably include myriads of bloggers who don’t even know what Web server they are using.

However, it is also obvious that very big companies (IBM and Google excluded) tend to prefer commercial software over Open Source. I suppose that the market share of Apache is much bigger among mid-sized and smaller companies. Yet, most interesting is that Apache gained ground among Fortune 1000 companies. Last year Apache only had a market share of 20% in this field. This corresponds to an increase of 5% compared to 2007. I think this is due to the fact that Open Source content management systems are getting more and more powerful.

The recent rise of IIS in the Netcraft survey shows that Microsoft’s strategy to add more features for hosting companies is quite successful. Presumably, this didn’t increase their market share significantly, but it is quite helpful for marketing since the Netcraft study is the one most often cited. In the future, Microsoft will certainly try to convince developers of Open Source content management systems to move to the Windows platform. The better support of PHP in IIS7 is already one step in this direction.

Anyway, what is your favorite IIS-Apache market share statistics? I guess there are countless ways to interpret the differing numbers.

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)
• Is the Web replacing Windows as the primary malware playground? (4)
• Free website monitoring services (9)

I always find it strange that even IT journalists speak about market shares when they refer to Netcraft’s survey. I blogged about this issue before. It is quite obvious that Netcraft can’t provide any interesting information about the market shares of web server software. I have just read now in the Infoweek article that the web hosting company Go Daddy moved to IIS in April 2006. In May 2006, the Netcraft curve shows a steep rise of the IIS share. This is no wonder considering that Go Daddy hosts 3.5 million domains. However, this rise has nothing to do with a change in market shares.

I have no doubt that Microsoft has been the market leader in web server software for a long time already. When it comes to market shares of web server software the only relevant figure is the number of installations and not the number of internet domains. However, it is interesting that Microsoft is even catching up now in this field. This is certainly due to the fact that more and more web hosting companies like Go Daddy are moving to IIS now.

I think that this trend will continue when Windows Server 2008 with IIS7 comes out. It is has a couple of new features which are interesting for web hosting companies: centralized web farm configuration, delegated remote administration, FastCGI, FTP/SSL, PowerShell support, Server Core support etc.

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)
• Is the Web replacing Windows as the primary malware playground? (4)
• Free website monitoring services (9)

Seriously, I think that IIS is the better option on a Windows box. However, I would always go for a LAMP solution when it comes to Web technology. The only reason, I can think of for running Apache on Windows is that you have some apps that work better with the Open Source web server and you don’t want Linux in your network.

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Uninstall Windows 32-bit on Windows 64-bit (WoW64) on Windows Server 2008 R2 Server Core (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)
• Is the Web replacing Windows as the primary malware playground? (4)

Like most web hosting companies IPOWER works with Apache. Roger A. Grimes, the author of the InfoWorld article, calculated that an average every IPOWER server hosts about 910 virtual web servers.

Therefore, statistics like the one from Google or more prominently the ones from Netcraft, can’t tell you anything interesting about the market shares of IIS and Apache. They only provide information about internet domains, but not web server software. All those private homepage users didn’t choose Apache as their web server software. Most of them think of an Indian tribe when they hear “Apache”, not the software. So these statistics only show that web hosting companies prefer Apache.

Furthermore, you can’t get any other relevant information from the data provided by Google. In particular, you can’t draw any conclusion about the distribution of malware on IIS and Apache web servers. And, of course, it doesn’t tell you what web server software is more secure.

The fact that 66% of all internet domains (not web servers as the Google guys purport) run on Apache, but only 49% of all malicious domains (not web servers) use the Open Source Web server only reflects the differences in their user base, in my view. The typical “Apache user” only has a picture of himself and of his cat kitty on his “web site”. IIS most likely is used more often in corporate environments. Hence, you will find often more complex web applications on IIS systems thereby increasing their attack surface.

I think it is possible to gain more interesting information from the raw data of the Google log files, for example, if you take the IP addresses of the web servers into account. However, it seems that nobody at Google is really interested in this. If you give the same raw data to someone from Microsoft, you would most likely get exactly the opposite results. That’s why I only believe in such statistics if I was the one who forged them

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)
• Is the Web replacing Windows as the primary malware playground? (4)
• Free website monitoring services (9)

My first thought was that it is really a great idea to run IIS7 on Server Core. The Web server is certainly the most endangered system. So if you run it on a server system with a reduced attack surface it should significantly decrease the risk of getting hacked.

However, a commentator on my blog post remarked that you can’t use ASP.NET on Server Core since .NET is not supported at all on this special edition of Windows Server 2008. The question now is, what is the use of a Web server without a web application framework?

The strange thing is that Microsoft made this move due to customer demand. Does this mean that there are many companies using a Web server without an application framework? Or does it just mean that those people who wanted IIS7 support in Server Core were just not aware of the fact that Server Core doesn’t support .NET?

I would go for the latter. I think someone who contacts Microsoft in the hope that they change something in a future product, doesn’t have static HTML pages on his Web server, right? Maybe I am just missing something here. However, I think it is quite probable that Microsoft will offer .NET support for Server Core soon. It seems the .NET team is already working on it.

I am quite sure, though, that we won’t use IIS7 on Server Core, anyway. Actually, we have just one IIS6 left where we host a self-developed ASP.NET application. We moved with the rest of our Web applications to Apache under Linux some years ago. I can’t imagine changing this in the near future.

In my view, Microsoft made web application development too complicated with ASP.NET. Even though, I worked through a whole C# book, it would cost me quite some time to change something in our own ASP.NET application. However, I always find it quite easy to make changes in PHP apps, although I have never learned this language. The fact that programming in PHP is so easy is one of the reasons why there are so many great Open Source content management systems available. Why should I spend thousands of Euros for a commercial CMS running on a Windows box if I can have a better system for free under Linux?

So reduced attack surface or not, Microsoft’s Web server probably won’t have a future in my department, even though we are mostly a Windows shop.

• Microsoft Exam 70-640 – DNS Zones – Overview (2)
• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Uninstall Windows 32-bit on Windows 64-bit (WoW64) on Windows Server 2008 R2 Server Core (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)
• Is the Web replacing Windows as the primary malware playground? (4)
• Free website monitoring services (9)

I raised doubts before that many sysops will embrace Server Core just for security reasons. Since the roles that were originally planned are not really security sensitive, it is not clear how much Server Core can improve security. The roles supported in Beta 3 are usually only accessed from the company network. Why should you give up the comfort of GUI administration on a system that isn’t really endangered because it is behind your firewall, anyway?

I believe this announcement changes everything. It makes Server Core a very interesting product. The web server is certainly the most endangered system. It usually can be accessed from the Internet and it is the most visible server. You probably remember the countless security issues of IIS5. The security of IIS6 was greatly improved, and IIS7 will most likely be even more secure.

However, secure web server software isn’t enough. The underlying OS is certainly important, too. I think that many prefer Apache over IIS just because they can run it on a Linux box where they can remove all unnecessary services. That’s why, I think, this move might indeed increase the market share for IIS.

• Microsoft Exam 70-640 – DNS Zones – Overview (2)
• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Uninstall Windows 32-bit on Windows 64-bit (WoW64) on Windows Server 2008 R2 Server Core (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)

First of all, Port80 only surveyed Fortune 1000 companies. It is interesting that very big companies prefer IIS over Apache, but this data doesn’t say anything about the overall market share of both systems. Netcraft, for example, has different data. According to them, Apache holds a market share of 61.28%, whereas IIS only has 32.13%.

Second, the fact that the number of IIS 6.0 installation increased recently is not surprising since more and more companies upgrade from IIS 5.0 now. If you compare the data of this press release with the data that Port80 published a year ago, you’ll realize that there is no big change in respect to the market shares of Apache and IIS among Fortune 1000 companies. According to their last survey, 54.9% use IIS, and Apache has a market share of 23.3%. In June 2005 IIS had 53.7% and Apache 22.7%. So both web servers gained ground.

In my view, though, neither the data of Port80 nor the data of Netcraft is convincing. Of course, Fortune 1000 companies are not representative. Commercial web applications running on IIS are often quite expensive and therefore not affordable for small and mid-sized companies.

What about Netcraft? They only count domains. Innumerable owners of private homepages and weblogs have their own domain nowadays. Often they don’t know the difference between Apache and IIS. They just rented some web space without even knowing which web server they use. Thus the Netcraft data doesn’t say anything interesting about the market shares of Apache and IIS. It only shows that Apache is a better choice if you want to host thousands of domains with very low costs for each of it.

So which web server has a greater overall market share? I don’t know of any reliable statistics about this. However, from my point of view, Apache is the better choice for mid-sized companies. We are mostly a Windows shop, but when it comes to web applications Microsoft’s solutions are not convincing. There are countless great Open Source tools for LAMP environments out there. Why should I spend thousands of Euros for a CMS, for example, if I can get the same thing for free? Plus, it is so much easier to find PHP or Java developers than for ASP.NET. I don’t see how this could change in the near future.

• FREE: SolarWinds Web Transaction Watcher – Record and monitor a Web transaction (0)
• Migrating to SharePoint 2010 (1)
• Scan your website for malware with free tools (11)
• Is the Web replacing Windows as the primary malware playground? (4)
• Free website monitoring services (9)