By John Pescatore, Gartner Analyst
With the emergence of the Nimda worm--the latest in a long series to attack
Microsoft's Internet Information Server (IIS) and other software--Gartner
believes it's time for businesses with Web applications to start
investigating less vulnerable Web server products.
The Nimda worm can spread through e-mail, file sharing and Web
As a "rollup worm," Nimda bundles several known exploits against Microsoft's
IIS, Internet Explorer browser and operating systems such as Windows
2000 and Windows XP, which have IIS and IE embedded in their code. To
protect against Nimda, Microsoft recommends installing numerous patches and
service packs on virtually every PC and server running IE, IIS Web servers
or the Outlook Express e-mail client. As the earlier Code Red worm showed,
many servers and PCs running IIS Web server processes may not be obvious
because they may be run as personal Web servers on the intranet but are still
exposed to the Internet.
Code Red also showed how easy it is to attack IIS Web servers. Thus, securely using
Internet-exposed IIS Web servers has a high cost of ownership.
Businesses using Microsoft's IIS Web server software have to update every
IIS server with every Microsoft security patch that comes out--almost
weekly. Nimda has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft's frequent security patches.
Gartner recommends that businesses hit by both Code Red and Nimda
immediately investigate alternatives to IIS, including moving Web
applications to Web server software from other vendors such as iPlanet and
Apache. Although those Web servers have required some security patches, they
have much better security records than IIS and are not under active attack
by the vast number of virus and worm writers.
Gartner remains concerned that viruses and worms will continue to attack IIS
until Microsoft has released a completely rewritten release of IIS that is thoroughly and publicly
tested. Sufficient operational testing should follow to
ensure that the initial wave of security vulnerabilities every software
product experiences has been uncovered and fixed. This move should include
any Microsoft .Net Web service that requires the use of IIS. Gartner
believes that this rewriting will probably not occur before the end of 2002.
(For related commentary on the Code Red worm, see Gartner.com.)
Entire contents, Copyright © 2001 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.