Microsoft: the system admins strike back (Part one)

In a silicon.com exclusive, a senior security chief at Microsoft claimed that the company's much-maligned IIS web server software is not as unreliable as many claim. Instead he insisted that if system administrators took more care to update patches, there would be far fewer security problems.

Click here for the whole story: http://www.silicon.com/a48169

The assertion has incensed silicon.com readers. Here's just some of the feedback we've received since we published the story.

Responsibilities
From Matt Jenkins
Surely it should be the responsibility of the application vendor to provide applications that work as they are supposed to? Microsoft's policy of making their products easy to use by the non-technically minded is all well and good, but the non-technically minded are not likely to be concerned with downloading patches and upgrading a product that was supposed to be secure in the first place.

A number of web providers run Microsoft IIS, and I know for a fact that they don't have much expertise in the field of the more technical aspects of server maintenance.

I feel that the main reason why IIS is seen as such a security nightmare is twofold:

1. The underlying operating system is inherently insecure - there should be no way that web server software would even know that the rest of the file system exists (i.e. like Unix's 'chroot()' function)

2. Apache and its brothers require considerably more knowledge about software, networks and security to be able to install and set up, and it is much more likely that the kind of people able to do this are also the kind of people that are likely to keep up to date with current software news.

By taking more and more control of the software out of the hands of the user and placing it in the unreliable hands of configuration 'Wizards' that try to be intelligent, Microsoft are opening the fragile world of internet service provision to less and less skilled people. And all in the name of increasing their already bloated profits.

More training required
No name supplied
Does Microsoft's comment say anything about the sys admins who choose to use their product?
Or the quality of the training they are given on approved MS courses?

It may be easy to install but perhaps it should carry a Microsoft Health warning on the packet&

I just got to....
By Andrew North
Hellen said the vulnerabilities of IIS are distorted because of a large user base, and because the easy installation option does not invoke the highest security settings available in the software.

IIS is not the most popular web server, Apache is. It does not command nearly 50 per cent of the server market. According to Netcraft, it manages a piffling 30 per cent, compared to Apache's 60 per cent.

To read more reader feedback, click here:
Microsoft: the system admins strike back (Part Two)
http://www.silicon.com/a48186

Let us know what you think. Are system administrators failing to perform essential upgrades to web server software or is Microsoft just offloading the blame?

Add a reader comment by clicking on the button below.