"In a recent report delivered by the Gartner Group,
Vice President and Research Director John Pescatore advised that
enterprises seek alternatives to the Microsoft IIS platform. After
analyzing the recent Code Red and NIMDA attacks, Gartner believes
that their clients should reconsider their investments in the
Microsoft infrastructure . They are not the first to say so. While
concern over these events is clearly merited, following this advice
would prove extremely costly, and would do little to address the
underlying problems that resulted in the spread of these attacks.
Let's take a look at an analogy for this situation. I live just
outside of Boston, Mass. Each winter we have fairly significant
snowfall, and each winter I invariably slip and fall on the ice. I
have chosen to live here for a variety of reasons, but falling on
the ground is not one of them. Based on Gartner's rationale for
avoiding the Microsoft IIS platform, I think that they would
recommend that I move to San Francisco, where there is little snow,
instead of simply telling me to use some salt and be more careful.
The problem with this advice is that I like living in Boston, I am
comfortable here, and the fact that living in San Francisco has its
own issues, like earthquakes. This lack of a broad perspective also
describes the problem with Gartner's advice, which ignores users'
comfort, familiarity and investment in the Microsoft IIS platform,
and does not take into account the fact that the alternatives can
prove to be just as slippery.
The recommendations indicate a limited understanding of the real
reasons why so many systems have inadequate security. This issue
has little to do with the Microsoft IIS server, or any platform,
but is a consequence of the lack of security awareness, training,
and resources in these organizations. Blaming the platform for the
NIMDA and Code Red attacks is itself inaccurate. The
vulnerabilities exploited by NIMDA and Code Red were addressed by
patches made available by Microsoft long before the attacks. As a
result, we know that the vulnerable machines were administered by
people who either did not understand the risk sufficiently to apply
proper urgency in updating their systems, did not have the
resources to apply new server protection technologies or who
assumed this risk knowingly. The vulnerability that was truly
exploited in these attacks was not a Microsoft coding error, but
rather a lack of understanding or implementation of strong security
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.