I post this because I remember being in a meeting with several managers and other techies regarding a requirement to host an IIS-based web application. For 5 years the corporate standards have dictated no use of IIS for external-facing web services.
However, this particular application is specifically coded to run on IIS, and it’s meant to be publicly available over the Internet.
I started the meeting by saying that, contrary to popular belief, IIS can now actually be hardened enough to be served safely on the Internet. I could see the rather shocked faces of the people in the room, hearing this statement from an Apache “specialist” and open source advocate.
But that’s the truth as I know it, and I think nobody would benefit by hiding it.
However, the problem with IIS nowadays lies somewhere else:
- Cost: Another popular belief is that IIS, being bundled with Windows Server, is free. This can be very untrue. So far I’ve found 2 scenarios where using IIS may cost you dearly: commercial web hosting, and using it to authenticate Internet users against Active Directory. And this may change (God knows whether for better or worse) in the future if Microsoft feels like it. Apache doesn’t and won’t cause you to suffer from these things.
- Dependencies: I must admit that Microsoft does an excellent job of keeping their developers happy and making most of them use Microsoft products. This is because Microsoft has made it easy to do so, and hard to do otherwise. However, this means that an IIS application will, most of the time, depend on other Microsoft products: Active Directory for authentication, MS-SQL for the database server, Exchange for email, and so on. So if one day you’re offered an IIS application at a bargain price, look again: it may require you to deploy a plethora of other products, which may cost you an arm and a leg.
- Support: The dependency issue (see above) brings another issue: support. When you buy IIS and get Active Directory/MS-SQL/Exchange/etc. as well, you need to ask yourself: do you have the staff to support those products when a problem arises? If you don’t, then when a problem occurs it will be you under fire from the users, not Microsoft. (Technical support? Obviously, you still think that paying thousands of dollars for silver-level support will enable you to solve all problems in your mission-critical apps in minutes. Sorry, that’s not the case. Not even in hours, in many cases. Yes, I’m being grim, or should I say realistic instead.)
- Security: Hey, didn’t I say that IIS6 is secure now? OK, so IIS6 isn’t as full of holes as IIS4/5. However, when a hole is found, can you expect Microsoft to patch it promptly? Unfortunately, this is not always the case. It’s already known that it can sometimes take years for Microsoft to close a severe security hole. That doesn’t give you much peace of mind, especially when you know there are tools available in the underground communities that exploit such holes. Apache and other open source software, on the other hand, have been known to patch their security holes very quickly, sometimes within hours.
- Lock-in: Miguel de Icaza and his Mono team do a stellar job making sure .NET is available on platforms other than Windows. However, the Windows lock-in is still there: a few months ago I was evaluating a .NET application and found that it won’t run on Mono because it depends on an ActiveX component. So do be careful.
- Security: Hey, again?! Yes, I’ve seen cases where the security administrator wants to significantly harden the IT infrastructure by replacing the browser with an alternative (such as Firefox) but can’t, because some critical IIS applications require, guess what, Internet Explorer.
I think there are a few more problems with IIS, but I’m very tired at the moment so that’s it for now. Hope it helps enlighten someone else out there.
Put your IIS server behind something like Linux Virtual Server or Squid cache. Then you only need to worry about IIS specific security problems. Exposing a Windows server directly to the Internet is insane.
With most attacks nowadays being done via malicious URLs / XSS / SQL injection / etc., actually (I think) doing this doesn’t do too much good anymore.
Our corporate standards used to dictate this (if you really need to use IIS, then put it behind a Linux box); however, things have changed dramatically in the past few years.
Nowadays, having a firewall and a secure web server just doesn’t cut it anymore. You need to secure your web application as well, and/or install an application firewall (such as mod_security).
Even then I’m still not sure that my server is secure enough now. Such is the life of a sysadmin, I guess 🙂