• silicon.com
• Technology
• Hardware

By editorial@silicon.com, 12 October 2001 12:25

NEWS In a silicon.com exclusive, a senior security chief at Microsoft claimed that the company's much-maligned IIS web server software is not as unreliable as many claim. Instead he insisted that if system administrators took more care to update patches, there would be far fewer security problems. Click here for the whole story: http://www.silicon.com/a48169 The assertion has incensed silicon.com readers. Here's just some of the feedback we've received since we published the story. Good Choice
From Graham Rowe
Hmmm, of all the people involved in the food chain - blame the people who are responsible for making your software run securely in the business. Smacks of shooting self in foot Blaming the sys admins
No name supplied
Without wishing to get into an argument of which OS is best, I can't help but think that a lot of the problems is caused by:
1. The belief that because Windows NT/2000 looks like a desktop OS, it must be easy to manage, so skill levels aren't as high as they could be (this is unrelated to the certification level, which I believe is quite high).
2. High workloads for sys admins, so many of them are in a position that they don't have the opportunity to be proactive in keeping patched (whatever the OS). In a production web server environment with availability KPIs, patching can be a major logistical challenge. From my perspective, these are real reasons for companies to consider outsourcing web facilities, and allowing hosting companies to start getting some economies of scale in server management. Hellen is right
From: Andrew North
And that's precisely the culture that Microsoft cashed in on - all in one - cheap and cheerful. Now MS wants to be a grown-up. How much for a Sun or IBM server? Big difference. But that's the cost of reliability and security (with patches on a CD that are issued rather often more than once a year). We're learning. We'll get there in the end - and pay a lot more. Why MS is far more insecure than Apache
From Adam L. Gibson
I hate to burst his bubble, but Apache itself has not had a root compromise vulnerability in years. If someone manually installs some insecure CGI and causes Apache to get hacked, that is much different that how vulnerable IIS is with its built in vulnerable components. IIS should not install anything but static html ability by default, That is where MS is failing...
Let us know what you think. Are system administrators failing to perform essential upgrades to web server software or is Microsoft just offloading the blame? Add a reader comment by clicking on the button below.