> But now, after several years of wrestling with web servers, I'm firmly
> with the "IIS is rubbish" crowd, from my own painful personal
> experience.
>
> I've had no end of trouble with IIS over the years, from the constant
> security holes and exploits making it almost a full-time job just to
> keep the damn thing reasonably safe, to configuration being dropped and
> sites disappearing for no apparent reason, to the inability to have any
> confidence in backups, to the fact that it's totally insecure by default
> and you have to sit down and work at a vanilla install for several hours
> before anyone with an ounce of knowledge would dare make it public......
> etc etc, you get the idea

It doesn't take several hours to securely configure IIS. I've never had a
problem restoring from an IIS metabase backup in minutes. I deal with a lot
of IIS servers, and I don't usually have to deal with security problems, as
I've configured them securely before deploying them. The vast majority of
IIS exploits take advantage of functionality that practically no one uses,
and that can be safely disabled or removed.

IIS can be managed through a scripting interface, as well as through the IIS
management console, so it's pretty easy to build scripts that do repetitive
tasks and reuse those scripts.

> With Apache, all config is done with text files, which means that it
> can be easily backed-up, altered and re-applied by an automated release
> process (e.g. an ANT script) or even by a CF script, or rolled back to
> a previous version if you've made a mistake

You can do this with metabase backups in IIS as well, although it's a little
harder to alter an offline metabase backup.

> and when it goes wrong (which, in my experience, it virtually never
> has) you can easily look at it and see EXACTLY what the software itself
> is seeing, in a human-readable format. After a little practice, it's
> actually pretty easy to debug.

While you can't read the IIS metabase directly very easily, IIS isn't prone
to having people screw up the httpd.conf file with typos, either. In
addition, it's very easy to see what's going on in the IIS management
console.

> Admittedly, I haven't used IIS for a couple of years, so
> it may have improved a little...

IIS 6 uses XML for its metabase, and you can directly edit it if you like.
You can even have edits take effect without cycling the server, I think.

> Also, if you develop and test on Apache for Windows, you can very
> easily deploy a site on a UNIX or Windows platform without having to
> worry about the web server config side of things.

I suspect the most common web server configuration issue is the creation of
virtual directories, in which case paths would be different between Unix and
Windows.

> Apache is by far the most commonly-used web server out there ... and
> yet how many security alerts do you hear about worms / viruses / DDOS
> attacks targeting vulnerabilities in Apache? Now how many for IIS?

Who cares? What I care about is how many attacks target vulnerabilities on
my servers. I'm really not all that concerned about all the poor folks who
don't know how to configure their servers (or in the case of many desktop
users, don't even know they're running them!)

> The prosecution rests, m'lud.... (or "your honour", for you Americans
> ;P)

Case dismissed due to lack of evidence. The defendant is free to go.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444