Bashing IIS: Bad For Security, Bad For Business

After two self-propagating worms - Code Red in August and Nimda in September - afflicted thousands of Microsoft Web servers, a well-connected IT analyst recommended that companies switch from Internet Information Server (IIS) to alternatives, notably Sun's iPlanet Web server. In this article, Gordon Benett explains why he thinks the analyst's opinion is unfounded and flat out wrong.
One of the debates to spring up in the wake of September 11's terrorist attack on the World Trade Center is how, and indeed whether, to rebuild the destroyed symbols. Should they be replaced on the same massive scale as the originals or with a renewed design? Should the center of world capitalism be reconstituted at all, or should lower Manhattan be transformed into a memorial park, human-scale and without commercial purpose?

For the most part these questions are healthy, but if there is a paranoia to guard against, it's an echo of "the bigger they are, the harder they fall" heard in some pundits' musings about whether the towers' collapse heralds the end of the Age of Skyscrapers. Implicit in this argument is the sense that ostentatious success deserves to be punished, so the successful had better keep a low profile.

This is called blaming the victim, and it's a dangerous capitulation to the real bad guys, who after all are the people who knock down buildings and not those who build them. It doesn't matter that in the case of the twin towers the victim happens to be rich beyond the dreams of Croesus. Leveling the playing field is one thing, and vigorous debate about urban architecture and economics is a perquisite of freedom. But laying low to appease terror is something else again.

Asking for it?

Which brings us to Microsoft-bashing in the wake of recent cyber-terrorist attacks on the Internet. After two self-propagating worms - Code Red in August and Nimda in September - afflicted thousands of Microsoft Web servers, a well-connected IT analyst issued an advisory criticizing Internet Information Server (IIS) and recommending that companies running it switch to alternatives, notably Sun Microsystems' iPlanet Web server. Shortly afterward, Sun began citing this recommendation on its iPlanet Web site and discounting its Web server to take advantage of anti-Microsoft sentiment.

What's wrong with an analyst asserting his opinion and a vendor leveraging it to gain competitive advantage? Two things, in this case. First, the analyst opinion is unfounded and, as it happens, flat-out wrong. We'll get to that in a moment. But even if it had a modicum of merit, steering the market away from Microsoft in the wake of cyber-terrorist actions would be grossly wrong-headed, as the following sequence should make clear:

"You got hit by Code Red? Guess you shouldn't have been running IIS."

"You got mugged? Guess you shouldn't have been walking through Central Park."

"You got raped? Guess you shouldn't have been wearing that dress."

The appropriate response when a crime has been committed is to support the victim and punish the perpetrator. In the case of cyber-attacks, the crime is against the Internet and free communications generally, with the potential to erode confidence in e-Business and depress the economy long-term. Scapegoating and opportunism are outrageous responses to such a threat. The right response to Code Red, Nimda and other computer crimes is for the community of good-willed professionals to close ranks and work together to ensure network integrity. And integrity begins at home.

Lies, damned lies and statistics

As it turns out, besides being mean-spirited, the charge that Microsoft products are somehow to blame for the Internet's security problems is demonstrably false. Consider that the top 10 Internet security threats identified by the scrupulously vendor-neutral SANS Security Institute have for years been distributed between Unix and Windows systems. In fact, if there is any lean in the stats it's this: "Nine of the ten threats apply to a UNIX environment."

That's right. According to SANS, the lion's share of risk on the 'Net is due not to IIS but to Unix systems and the software layered on top of them. Not that Microsoft is anywhere near clean; SANS hosts plenty of articles detailing flaws in Windows software. But when they take the long view, Microsoft is not the bad guy.

Not familiar with SANS? Try another vendor-neutral source: the FBI. In December 1999, the FBI's National Infrastructure Protection Center (NIPC) issued an alert concerning massed attacks on networks by machines infected with a new class of Distributed Denial of Service (DDoS) software. The alert cites "known Sun RPC vulnerabilities" as the primary source of DDoS attacks. In May 2000 the NIPC identified additional DDoS exploits attributable to "Linux and Unix computers" generally. Yet any suggestion that users should abandon those operating systems and switch to Windows would rightly be met with derision.

How about worms such as Code Red and Nimda - are they uniquely at home in the digestive tracts of Microsoft systems? Far from it. According to a definitive report by Carnegie-Mellon's security clearinghouse, CERT, "Automated attacks have historically targeted and leveraged vulnerabilities in UNIX-based operating systems." Thus this August, while Code Red was munching on Windows PCs, a worm called "x.c" was exploiting a buffer overflow vulnerability in the telnet daemon of FreeBSD-derived Unix systems, including Sun Solaris, IBM AIX, and several versions of Linux.

Such tit-for-tat listings of the bugs in various software systems can go on forever, but ultimately it's a fruitless exercise. Every non-trivial program has bugs. Given the complexity of e-Business systems and the demonstrated presence of hostile forces hell-bent on damaging them, we can expect the number and sophistication of attempted cyber-attacks to continue growing.

As with the WTC disaster, fear and the urge to scapegoat are understandable reflex reactions. But we must not act on them. The necessary response, in the case of cyber-attacks, is to support the victims and to raise the level of security awareness and dialogue throughout the professional community. We all have a stake in curing this problem, analysts by telling the truth and offering constructive criticism, customers by diligently applying patches, and suppliers by resisting the exploitative impulse and recognizing that in some areas a rising tide raises all boats.

Scapegoating by self-interested parties who know better is especially ugly. Don't buy into the shameful opportunism of hucksters who stand to profit by telling you Microsoft products are to blame for the Internet's security problems.

Gordon Benett is a technology strategist with more than 16 years' experience analyzing, architecting and developing information systems. He is currently with Aberdeen Group in Boston, where as a senior research analyst he follows the Enterprise Java and middleware markets. Gordon founded Intranet Journal in 1996 and remains a reader and contributing author. He welcomes your comments at
