> > Database access is available for both platforms. IIS can talk to any
> > database that can be accessed via ADO and/or ODBC. This includes SQL Server,
> > MySQL, and many others. Apache can do the same thing, although you may have
> > to do some tweaking to get a Unix boxen to talk with an MS-based database.
>
> I'm not sure where you heard that it's hard to connect to MS-based databases
> from Unix. It's a completely false statement. First off, Apache doesn't
> control DB connections. Languages like PHP or Perl, that's their domain.
> On the other hand, DB connections for Windows are handled by the operating
> system, which is bad design because if you have one rogue connection or one
> bad driver Windows crashes or IIS freezes.
I didn't say it was hard, I just said you might have to do some tweaking. Many Windows-based RDBMS solutions don't come with drivers for Unix, or for every flavor of it, and a lot of sysadmins are going to end up using free stuff like unixODBC, iODBC, and/or FreeTDS to get their data from an MS-based database. And you can't tell me this doesn't constitute "tweaking". Having done it (successfully), I wouldn't say it was hard, but it wasn't a slam-dunk, either.

> > There are generally going to be more security vulnerabilities found in IIS
> > than in Apache- there are a number of reasons for this, but the main one, I
> > believe, is that IIS is the big fat wet target that people are going to
> > shoot for. Apache is popular, but you're not going to get the same bang for
> > your buck if you're a blackhat by writing exploits for Apache. Also, since
> > it's open-source, the code for Apache has been seen by many eyes, none of
> > whom have any particular reason to want to hide flaws in the code, which
> > could be argued to be the case for MS types working on the source for IIS.
> > HOWEVER, it should be noted that a properly maintained system can be secured
> > regardless of your platform.
>
> Wouldn't a big fat wet target be Apache, because it's on the majority of
> web servers (http://www.netcraft.com)?

Well, Apache has had an exploit or two released for it (not as many as IIS, to be sure, by a long shot). I also noted that one reason IIS/Windows machines get targeted so often is because they are closed source and Microsoft has had little incentive to code securely until relatively recently. But my point wasn't that IIS was the big target (although it is), but Windows. Windows networks are ubiquitous, and the web server is simply one point of entry to them. Compromising an IIS machine is usually easier because the software is by default configured poorly.
Unless a blackhat is just into defacing websites, their real interest in a web server is as a point of entry to the rest of the network. That's where an MS-based server is going to be more interesting as a compromised system, and one (of many) of the reasons that I think IIS systems are a more attractive target.

> > As an example, my IIS web servers were not vulnerable to Code Red or Nimda
> > before the original MS patch came out, because I configured them properly,
> > securing them at every possible point, removing unnecessary handlers,
> > changing settings, etc- all the things a good sysadmin is supposed to do and
> > so often doesn't. Of course I test and apply the patches as soon as they are
> > available, but I don't rely on them to secure my system- that's my
> > responsibility. Both Apache and IIS can be properly secured, given the
> > appropriate effort.
>
> I admit security is really based on the sysadmin, not the webserver. I blame
> Microsoft for horrible out-of-box security with their products. Some Linux
> distributions are also not so secure out of the box, but you have a greater
> field of choice than with Microsoft.

As I said, they can both be properly secured, given the appropriate effort. Don't blame software for stupid sysadmins, and, while it's a laudable goal, don't expect better default configurations to fix security flaws. Work instead on educating people charged with maintaining these systems.

> > Support- Don't get me wrong, Apache support is great from what I can tell.
> > There's a ton of info out there on it, from FAQs and HOWTOs to book-length
> > PDFs on installing, configuring and running Apache. But you generally gotta
> > find it, which can mean a lot of googling or emails to people who don't get
> > paid and therefore may not be as responsive to you as you'd like.
> > With IIS, however, you have a single point of contact and have access to a
> > lot of support resources which are all easy to find and in a central
> > location. If you want to pay some dinero (usually not a major problem if
> > you're working for a company and not yerself), you can get an MS support
> > tech on the horn and help resolve your issues with the software. Apache
> > doesn't really have a similar facility. I'm guessing that some of the *nix
> > VAR resellers (like Red Hat, for example) provide a similar service, so you
> > could probably go that route with a Unix-based system. A lot depends on
> > whether you paid for your platform or not.
>
> I hate when people bash open source projects because of their lack of
> support. Apache has excellent support from many companies, including many
> different distributions. If money is an issue there are many Apache
> volunteer mailing lists giving Apache support. Support used to be an issue
> with Linux and open source products; now it rarely is.

Now, how can anything I said in that above paragraph be construed as "bashing" open-source? In fact, I praised the open-source methodology as a way of improving security, and I pointed out that Apache support really is great- IF you know where to look OR are willing to pay money. BUT, as just about anyone on a volunteer mailing list will tell you when someone gets too demanding with their requests for help, they're not getting paid. It's a fair and accurate response, but it is still not what someone on a deadline or under the gun needs to hear. If I'm working on my own, great. I can afford to be patient, because from experience, I know that eventually I'll get the answer, whether from experimentation or by googling my ass off or getting an answer from a mailing list. But if I'm on the clock and I need an answer because my manager expects the system up or something done by a deadline, I'm not going to rely on people who don't owe me anything.
That's where paid support comes in, and you can get that on both the IIS and Apache side of things- as I pointed out. I only pointed out that with Apache, you can find paid support if you buy your distribution and/or support. But if you're looking at Apache to save money, then you had better be prepared to take the risk of getting what you pay for. Apache is great, but it has risks associated with implementing it. So does IIS. I think I offered a pretty balanced view of what the two have as far as pros and cons.

As an aside, I use, advocate, and support the use of open-source software wherever I think it's appropriate to do so. I also participate in mailing lists devoted to specific pieces of open-source software on my own time. I don't think that I have ever done anything that could be accurately construed as "bashing" open-source. It's not the be-all and end-all of software or security, and isn't always the answer to a problem.

Regards,

Corey Snow
