Security Strengths and
Weaknesses of Two Popular Web Servers
August 19, 2001
As the mediator between your business and the world the Web Server that you choose must be completely sound in regards to security. You do have many options when choosing which Web Server package you will use to transmit your company's on-line presence to the rest of the world. There are two Web Server packages in particular that dominate the market for Web Servers. These two Web Server packages are Microsoft's Internet Information Server, and Apache.
What is a Web Server?
The definition and purpose of a web server is a software package that serves either static content to a Web browser at a basic level, or dynamic content that require end-user interaction. For example, a web server may receive a request for a Web page such as www.amazon.com/index.html. The Web Server would then map the Uniform Resource Locator (URL) to a local file on the host server. In this case the file, index.html is somewhere on the host file system. The server then loads this file from disk and serves it out across the network to the user's Web browser. The browser and the server are talking to each other using Hypertext Transfer Protocol (HTTP) which controls this entire exchange.
How does a Web Server transmit dynamic content?
Web Servers don't just send static
documents and files across the network they also transmit dynamic content.
This could be done through web pages created in response to a user input,
which is done directly or indirectly by the user. An example of the user
directly influencing the output of a web page could be through the use of
on-page forms backed by some sort of executable program or code. Also, an
example of a user indirectly influencing the results of a web page may be
through the use of "cookies." Cookies are short pieces of data
used by Web Servers to help identify web users.
following results on your web browser:
Serving data and information to people all over the world is a grand task. However when coupled with the related security issues and needs this task becomes monumental. Serving information over the internet securely was brought about with the introduction of Hypertext Transmission Protocol, Secure (HTTPS). This protocol allows for secure communication to go on between the browser and Web server. Basically this means that it is safe for a user and a server to transmit sensitive data to each other over what might be considered an insecure network. What either of the counterparts in this transmission does with the data is another story however.
More about HTTPS
The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to transfer encrypted information between computers over the Internet. HTTPS is just HTTP using a Secure Socket Layer (SSL). A secure socket layer is an encryption protocol invoked on a Web Server that uses HTTPS. The main reasons for using HTTPS are online purchasing and the exchange of private information over the internet. An example of online purchasing would be something like purchasing a best-selling novel on amazon.com. Also, an example of exchanging private information might be the transmission of the credit card number used to purchase the novel off amazon.com.
IIS vs. Apache
Given the current environment of the Internet and how Web Servers interact with end-users we can begin to compare how two popular Web Servers, Microsoft Internet Information Server and Apache, perform. Specifically we can compare these two Web Servers in regards to the security they provide, and the problems and incidents that have occurred with these Web Servers since they have been in production.
Microsoft's flagship Internet product, Internet Information Server, is useful as both a first time Web Server for those comfortable and familiar with Microsoft products and as a high-end Web Server for hosting a large e-commerce web site. Since the vast majority of computer users are accustomed to using Microsoft based products and the similar interfaces that exist on these applications it is not a surprise that many people choose to use Microsoft's IIS for their Web Server. This alone is not an adequate reason to choose IIS as your web server, but it definitely accounts for some of Microsoft's market share of Web Server sales.
The Wrong Reason to choose IIS
When asked why a company is using IIS as it's web server application many times the appropriate IT employee will answer one of the following responses:
These are all reasons or excuses you would expect to hear in any standard organization for choosing IIS. However, none of the reason listed above are strong enough to justify choosing the software that will run your Web Server. For a decision of this magnitude more research is necessary.
Weaknesses of IIS
One of the major weaknesses of using IIS as your web server is that being a Microsoft product IIS automatically becomes a target for the software hacking community. There are many hackers around the world who would love to terrorize any piece of software produced by Microsoft. The notoriety of the company basically puts a target on any of its products for hackers. The level of testing of the software is also questionable when you consider the number of patches and updates that have been released by Microsoft for IIS. This brings into doubt the quality of the product that was developed in the first place. With all of the money available to Microsoft for Research and Development it is very surprising that so many patches have been released for IIS. This makes one wonder if IIS was a rushed product quickly put out by Microsoft with the sole intention of fixing any problem they encountered later on down the road. In fact, if you take this view point it is easy to see IIS as more of a money making scheme rather than a polished piece of software developed with pride.
IIS Code Red Virus
One example of an incident involving Microsoft's IIS web server was the Code Red virus that infiltrated systems all over the world in July and August of 2001. This virus worked by taking advantage of a ubiquitous software bug within IIS. The reason the Code Red virus worked was a buffer-overflow vulnerability in Microsoft's IIS web servers. This allowed system-level execution of code and thus presented a major security weakness. The virus ignored all physical and political boundaries and quickly spread all over the world. Luckily there was no real harm done from the virus. Its main purpose was to perform a denial of service attack on www.whitehouse.gov. The virus attacked based upon the IP address of the White House serve so the Denial of Service attack was easily fixed. This is just one example of how a web server can be vulnerable without the proper configurations or updates installed. Had the hacker's decided to they could have created much more havoc with this virus.
Reasons why companies are using IIS
When making a decision of this nature the person responsible should choose IIS as their Web Server package for the appropriate reasons. Many organizations and businesses do in fact choose IIS as their Web Server, and are very satisfied with the results that they have seen. A reason for this is the fact that many people are familiar with the Microsoft style graphical user interface, and can easily apply this to using and learning IIS. In fact, this interface can even remove the need for companies to hire expert help thus saving them money. Another reason why IIS would be a good choice is the fact that Microsoft offers downloadable tools to ensure that all of the latest software updates and patches are installed on your Web Server. Microsoft has also made available an IIS Security Configuration tool that will ease the process of securing any Web Server running off IIS. Additionally, with all of the security patches that Microsoft has released recently should cause more relief than concern. This is because with each additional security patch IIS becomes that much more "secure" as a product. In theory as these patches and updates are released the number of vulnerabilities should decrease.
Apache is a powerful, flexible web server that implements the latest protocols, including HTTP/1.1. Apache is highly configurable and extensible with third-party modules, and the custom modules that can be created using the Apache module API. Apache also functions on every major computer platform in existence including Windows NT/9x, Netware 5.x, OS/2, and most versions of Unix, as well as several other operating systems.
How did Apache come about?
Apache was first developed as a result of the National Center for Supercomputing Applications httpd project. Today Apache is one of the most functional and efficient web servers in existence. The name Apache is not a tribute to the native people of North America, but rather a direct representation of how the software was developed. The software was first known as "A PatCHy server" because it was based on some existing code and a series of patch files. There are some developers out there however who prefer to believe that the software was named Apache because of the superior skills in warfare strategy and inexhaustible endurance of the Apache Indian tribe of North America.
Weaknesses of Apache
Even with all of the strengths of Apache it is not the web server for all users. Setup of the server is performed through a command-line interface. Typical Microsoft users will have trouble navigating this interface. Apache does not have the user-friendly tools you would expect to see in a Microsoft product like Wizards, or other visuals. For some developers this is advantageous, but for others it can translate into expensive deployment and maintenance costs. Also, the technical support given through newsgroups may not be adequate for many users. You could imagine the scenario of an inexperienced user who is accustomed to graphical user interfaces trying to setup Apache as their web server with a command-line interface and hardly any technical help. It would be nearly impossible for this user to get the server up and running, and even if they did it definitely would not be configured correctly.
Strengths of Apache
One of the primary reasons people begin using Apache in the first place is the fact that it is a free and open-source product. All of the source code for Apache is freely distributed to any person or organization that wants it along with an unrestrictive license. The Apache Group also strongly encourages user feedback through new ideas, bug reports and patches. Apache's overall security performance is unquestionable. This is obvious when you consider the fact that many of the most accessed web sites in the world run Apache or Apache variants. The public distribution of the source code results in quick distribution of patches and updates for the software. This public scrutiny also ensures that any security hole is truly fixed according to the differing viewpoints of anyone investigating the software's security issue. As a result of this Apache's large base of users have ensured that its developers have created a package that is extremely stable and secure. Apache users also have the benefit of accessing technical support via Usenet newsgroups from anywhere in the world.
When it comes to deciding on which web server is right for your organization there is no clear-cut answer. Your basis for making this decision could be based upon many different sets of criteria. For instance you may choose Apache because it's free, or you may choose Microsoft's IIS because you have a large amount of faith in Microsoft products and their technical support. These are both good reason to choose a web server. No matter which web server you choose you must do several things in order to ensure that you have the security your organization needs. Any web server software package must be setup properly for the needs of your business. You must also continuously make certain that you have all of the most current updates and patches installed to defend against any security weakness that has been discovered within your web server of choice. Also, as incidents occur around the world you must have a designated employee or set of employees who stays in tune with all of this to make sure that your business will be safe and unaffected by any newly found security weakness. Both Microsoft's IIS and Apache can be secure if the proper configuration is done. Many of the weaknesses in IIS and Apache are from features in the software that are useful for one reason or another but they may present a security weakness if not configured properly. You would be well served by both of these web servers, but you must educate yourself and take the necessary precautions with either web server to ensure that your organization is safe and secure.
Honeycutt, Jerry. "Microsoft IIS: safe
or sorry?." 29 Jan. 2001.
Meloni, Julie. " Apache 1.3.14 - CNET
Linux Center - CNET.com." 18 Jan. 2001.
|NSF-Grant-01-11:Cybersecurity Education and Research Center for
Western Pennsylvania/Ohio/WV-Federal CyberService Training and
Education. P.I. Dr.
William Oblitey. Co-PI's: Dr. Dennis Giever firstname.lastname@example.org
; Dr. Mary Micco email@example.com.