By Pia Heikkila, 12 October 2001 07:45
A Microsoft security expert claims system administrators do not do enough to shore up IIS web servers against security threats, with the result that the software looks more vulnerable than it actually is.
Ian Hellen, principal security consultant at Microsoft UK, said that a large percentage of system administrators take too laid-back an approach to updating patches on server software, with the result that the company's reputation for server security has been distorted.
Analyst house Gartner issued a controversial warning two weeks ago to companies using Microsoft's web server software, recommending that they seek alternatives to Internet Information Server (IIS) because of the serious security risks. However, Microsoft has defended its corner and said its software is as secure as its competitors', if not more so.
Hellen said the vulnerabilities of IIS are distorted because of a large user base, and because the easy installation option does not invoke the highest security settings available in the software.
He said: "When IIS gets hit by viruses the figures look a lot worse than they are because 50 per cent of the world's servers have IIS... Also there is always a risk of human error as a lot of people just get the software up and running quickly and then just forget all about it."
Hellen added: "There is a certain sys admin culture which might make the patches issued ignored."
Gartner recommended that users consider products from vendors such as iPlanet, and the open source Apache server software, instead. However, Hellen insisted that competing products are no better than IIS. "There were more patches issued for Apache servers last year than for IIS," he claimed.
Gartner asserted that one reason the security risks in using IIS are so high is that Microsoft doesn't react fast enough to vulnerabilities and supply security patches in time.
Microsoft has responded by changing the default security settings on the latest versions of IIS, and by making it easier for sys admins to find patches on its website.