To fix that problem, the CIO must make the tracking and installation of security patches the primary responsibility of someone in the IT organization. This person will need to monitor the sites of all the organization’s operating system vendors, but pay particular attention to Microsoft. Patches must be installed as soon as they become available on all systems, particularly those facing the Internet (using strong change management and production testing processes). This person should also pay close attention to PCs that employees – including senior management – use to work from home and laptops that employees carry so they can work on the road. These can become infected and carry such an infection through the corporate firewall.
Another particular danger of IIS is that because it is part of Win2000, it is present on all Win2000 desktops. To protect those desktops from worms or viruses that get past the enterprise firewall, IT should deactivate IIS on desktops and lock it so users cannot reactivate it.
Microsoft is now belatedly moving to lower the cost of IIS security, immediately by reorganizing parts of its Web site to make IIS security patches more accessible, and by shipping future versions of IIS with most services turned off. This will complicate installations by requiring that administrators identify and turn on the services they need, but it will ensure that unused services are not left on to create security holes. Longer term, Microsoft is promising a complete rewrite of IIS to eliminate many of the potential security breaches.
We expect that Microsoft will eliminate most of the security holes in IIS in the next 18-24 months. The more mature IIS that emerges in that time frame should have many fewer security problems, fewer patches, and, therefore, a lower cost of ownership. The IIS rewrite should hasten such maturation.
User Action: We do not recommend that Windows/IIS users migrate their Web sites to alternative technologies, such as Unix with Apache or iPlanet. Rather, we recommend that they concentrate on increasing security of their sites by turning off IIS (and Windows NT or Win2000) services that they do not need and instituting an active program to install all security patches as soon as they are released.
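The desktop deactivation recommended above and the "turn off what you do not need" advice here amount to one audit-and-disable task. The following PowerShell script is an added example, not part of the META Group article; it assumes the standard IIS service names (W3SVC, IISADMIN, MSFTPSVC, SMTPSVC) and treats any of them found on a workstation-class host (Win32_OperatingSystem.ProductType 1) as something to stop and set to Disabled, while only reporting on servers.

```powershell
# Added example (not from the article): audit IIS-related services and, on
# workstations, stop them and set their startup type to Disabled.
# Service list is an assumption about which IIS components matter on a host.
$IisServices = @('W3SVC', 'IISADMIN', 'MSFTPSVC', 'SMTPSVC')

function Test-IsWorkstation {
    # ProductType: 1 = Workstation, 2 = Domain Controller, 3 = Server
    return (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1
}

function Get-IisServiceState {
    # One object per IIS service present on this host, with run state and start mode.
    foreach ($name in $IisServices) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if ($null -ne $svc) {
            [pscustomobject]@{
                Name      = $svc.Name
                State     = $svc.State       # Running / Stopped
                StartMode = $svc.StartMode   # Auto / Manual / Disabled
                Finding   = ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')
            }
        }
    }
}

function Disable-IisServices {
    # Stops and disables IIS services on a workstation. Returns the post-change
    # state so the caller can confirm nothing is still running or re-enableable.
    param([switch]$WhatIf)
    if (-not (Test-IsWorkstation)) {
        Write-Warning 'Server-class host: reporting only, no services changed.'
        return Get-IisServiceState
    }
    foreach ($s in Get-IisServiceState) {
        if ($s.State -eq 'Running') {
            Stop-Service -Name $s.Name -Force -WhatIf:$WhatIf
        }
        if ($s.StartMode -ne 'Disabled') {
            # Disabled startup type cannot be changed by a non-administrator,
            # which is what "lock it so users cannot reactivate it" requires.
            Set-Service -Name $s.Name -StartupType Disabled -WhatIf:$WhatIf
        }
    }
    return Get-IisServiceState
}

# Run with -WhatIf first to see what would change, then without it.
Disable-IisServices -WhatIf | Format-Table -AutoSize
```

Any row whose Finding column is True after the real run is a desktop still exposing an IIS service and should be checked by hand (for example, a component the script does not know about that depends on it).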
Although new site developers should consider the added security problems of IIS when choosing the base technologies on which to develop their sites, we do not believe that should be the only – or even the top – criterion in such a choice. IIS does suffer from immaturity at present, but it will mature and its maintenance costs will fall within the next 18-24 months.
META Group analysts Chris Byrnes, David Cearley, William Zachmann, Val Sribar, David Folger, Herb VanHook, and Dale Kutnick contributed to this article.