> > We're not a hosting house, and from my perspective, free beats cheap. The
> > thing is, WebSite doesn't really offer any features that IIS doesn't, and I
> > don't think it's any better than IIS, really. IIS has to be set up
> > correctly, but that's pretty trivial to do. In that sense, I'm a satisfied
> > IIS user.
> >
> > Dave Watts, CTO, Fig Leaf Software
>
>Even if it means having to apply a patch every other day?  Just curious.
>Ever since IIS started getting hacked left and right, I started leaning
>towards Apache.  Not starting a fight here, just having a discussion.

Sorry if this is a double-post, but I didn't see my first post come through 
before.

I'm just curious, is a product like Apache or other non-IIS products 
*proven* to be more secure, assuming you disable the IIS features you don't 
need and apply the appropriate patches? That's not a rhetorical question, 
I'm really asking for people's opinions.

See, I've been of the school of thought lately that, while IIS does have its 
security flaws, I think that they get magnified 1000% because it's a 
Microsoft product, and hackers and the press will do anything they can to 
rip Microsoft. For example, Oracle touted Oracle9i as being "unbreakable." 
However, if you go and look at the security patches they've released for it 
(a veritable library, not just one or two little things), it was 
"breakable!" However, because Oracle isn't as disliked by hackers or the 
press as Microsoft is, you don't read about it everywhere. As far as Apache 
and even Linux go, are they truly more secure? It seems to me that those 
willing to try are more focused on hacking MS products just because it's 
Microsoft, and therefore Apache and Linux are not as heavily scrutinized.

I will concede that MS has had some pretty glaring security holes in the 
past with not just IIS. As a side note for those who haven't read or heard 
about it, MS has shifted raises and bonuses from being release-based (i.e., 
did your team release a product this year) to security-based (i.e., the 
fewer security flaws found, the higher your raise/bonus).

But anyway, we use Apache here at work. While I have no complaints about it, 
could one argue that it's "more secure" (inherently, not after 
re-programming modules and such) because you have to be willing to open tons 
of code to really get into the meat of the product and mess around? You 
can't just go into a GUI interface and click a few buttons to disable it.

Thoughts?

Regards,
Dave.

