Microsoft Pushes Critical IIS Patch

By Nate Mook | Published April 15, 2002, 9:59 PM

Microsoft late last week issued a critical cumulative patch that fixes 10 vulnerabilities in the company's IIS Web server software, which runs on Windows XP, Windows 2000 and NT 4.0. In the security bulletin Microsoft recommends all Web site operators running IIS immediately install the patch to avoid having their computer taken over by an attacker.

However, Microsoft managers sent an internal e-mail last week demanding that all staff install the patch by Tuesday or be blocked from the Internet, even if IIS is not enabled, demonstrating the potential severity of the flaws involved.

Windows XP users can receive the patch automatically via AutoUpdate, or visit Windows Update as Windows 2000 and NT 4.0 users must do. Alternatively, a direct download of the patch is available for each version of IIS. Windows .NET Server beta users running build 3605 or later are not affected by these vulnerabilities.

In order to help promote better security practices, Microsoft released an update to its IIS Lockdown Tool, which can automatically turn off unused features in IIS and ensure that a server is protected against known attacks.

Comments


find me a worm capable of spreading through an apache setup please. i read every post on this board and with as many patches (more than IIS is the argument) there must be at least one exploit that would absolutely dominate the server it was on like a worm would. Surely there could be no argument about "well if apache had as much exposure as iis" because clearly we know that apache has the majority in the past and will for some time in the future.

Score: 0

|

(This will be meant as a joke, but is also true)

The USER exploit is the worst one to hit ;) (or just say humans in general, hehe)

Seriously, I don't think anyone can give a 100% accurate statement on who is more insecure and why, for the simple statement of "look at all the IIS exploits!" just means more people look for ways to exploit it over Apache. That doesn't make it more insecure to me, just like someone using a baseball bat to kill people doesn't make the bat any more of a weapon than when first made.
Some humans will ALWAYS try to find ways to cause harm, using software or hardware. I am just glad MS puts out the patches, and lets people know they are out.

James Wheat
http://belprecomputerwizard.com

Score: 0

|

That was a garbage dodgy comment and you know it. i specifically asked not to get "well if apache had as much exposure as iis" lame remarks and that’s the first thing i got. you didn’t need to say it word for word. the fact is that apache runs on Windows 2000 just as well as linux and therefore would be subject to just as much exposure as IIS. Here is what I requested to be produced. Find me a worm that exploits apache and kills windows. One worm. With all the "fixes" and such you are touting apache has there must be one that exploits it in such a way.

Please find it for me. If you can't your arguments have very very little relevance to this post. If it's still running under windows it still falls under the vulnerabilities of a Windows system.

Score: 0

|

I personally can't wait for IIS 6, the security-focused rewrite of IIS due to ship in Win.NET, to end all this insecurity bs. The one big advantage of closed source over open source is that when a company really wants to write code right, it doesn't need to go through hordes of stubborn independent developers who prefer doing things their own way.

Of course IIS 6 won't end security issues, but the intense auditing and careful programming that a determined company is able to force its programmers to do should greatly reduce the number of security problems.

Of course we really can't know how well MS will be able to succeed in this until Win.NET actually ships (which'll be in a year), but i am hopeful that ms really has learned its lesson. After all, its security initiative has already postponed its OS releases by years, possibly cutting MS's profit margins by quite a bit, in effect showing MS's determination and willingness to make sacrifices.

Score: 0

|

How do you figure that it has postponed its OS releases? I have yet to see any meat out of Bill's initiative, though I was hopeful that he may actually be sincere for once. It's been what two months, and we've seen how many fixes? The same number as we had seen before. Nothing has changed, MS continues to blindly move forward.. It's unfortunate. I suspect IIS 6 will be no more secure than IIS 4 or 5, but only time will tell.

Score: 0

|

Come on fewt, give MS the benefit of the doubt just ONCE. I believe in IIS 6.0 everything will be closed by default and will have to be opened as needed. This is the exact opposite of IIS 4 and 5 where you had everything open by default and had to be closed as exploited or infected.

Score: 0

|

I am giving them the benefit of doubt, I am also stating up front that Apache 2.0 should also not be trusted until it's proven itself.

Score: 0

|

I also agree. The only reason I had mentioned 2.0 in my original post was a little tongue-in-cheek comment since a review recently tested it with IIS and their results showed that 2.0 "beat IIS at its own game." Even though it's actually up to 2.0.35, I would still leave it off of production machines for more reasons than the fact that it will break some compatibility with pre 2.x.x modules.

Score: 0

|

Hmm. I wonder if Microsoft is releasing stuff like this and delaying service pack 3 for Windows 2000. The filename for me was Q319733_W2k_SP3_x86_en.exe and I know it isn't service pack 3 yet.... maybe it's getting close to being done.

Score: 0

|

SP3 is pretty close to release, but that isn't what the SP3 in the name means.

The SP3 in the name indicates which service pack the hotfix will be included in later on.

So, for example, a hotfix released the day after SP3 is finalized would already have SP4 in the filename.

The purpose of this is to help identify which hotfixes are unnecessary for your system. If you have SP2 installed properly (for example), then you do not need any hotfixes with "pre-SP2" or "SP2" in the name, but any fixes with "post-SP2", "SP3", or "pre-SP3" (or later) would be needed.

Score: 0

|

Yeah I just figured that out :) Thx for the insight.

Score: 0

|

Or you can just install Apache 2.0 and be done with it. I don't care how many benefits or ease of use IIS may offer. How on Earth does it justify running a server that has more holes in it than Bonnie and Clyde? Any admin who ranks that higher than security deserves what he/she has coming.

Score: 0

|

'admins' don't make those kinds of decisions, mostly because they're incapable of weighing pros and cons - they just say "oh no a hole I'd have to get off my lazy a** and put a patch! We must use a different software!"

We've been using IIS for over 3 years and have never had a security compromise. IIS adds significant value, but yes it requires the 'admins' do their job.

I don't mind earning my money.

Score: 0

|

Do not fool yourself. I did a search in three different locations on Apache security and exploits. I averaged 1500 documents on holes that have been or are being patched.
Yes we all hate M$, but it would be nice to have some educated comments here.

The only secure system is an OFF system..

Score: 0

|

That is a company's management issues coming to head, then. And if they are hiring incompetent admins, then they deserve the results. The company I work for trusts that they hired a professional, knowledgeable individual to fill a position. As such, they are treated as the expert and their input is weighted heavier than anyone else's.

I personally know several instances where servers were compromised (at large universities no less) using IIS. Some that were unknowingly hijacked and used to serve porn. Some sites lost all of their information and the back-ups. Most ditched the server because it was too much to keep up with.

Score: 0

|

ack, I almost never reply to threads like this, but using a university web server as an example of anything just doesn't seem right. I've been to a college or two and web servers there are always free game for the comp sci and engineering students. Most are "run" by students and I'd guess that 90% of the reported hacks are done either by the people managing them or other students on campus... Not that it really matters, but the environment in a university is *much* different than a corporate setup.

Score: 0

|

I used it as one example because it was one of the more sever instances.

It was not run by students. Nor the comp sci department.

Score: 0

|

severe even

Score: 0

|

I think you better worry more about fooling yourself than others.

I never claimed that Apache had no security holes. Nor any exploits. However, when you compare it to IIS, there are far fewer and they are less severe, in general.

I don't remember Microsoft ever coming into the discussion. At least not by me. I appreciate words being put in my mouth. When I first made the post, I was actually referring to running Apache instead of IIS on the server. And using the same platform, if you must. Apache runs quite well as a service on a Windows server.

Perhaps you should worry about your own "educated" opinions.

> "The only secure system is an OFF system.."
Brilliant. Such insight. You must be one of the infamous admins mentioned below by another reader.

Score: 0

|

Bulls***, IIS sucks. It's the worst product ever let loose on the internet. It takes a dedicated admin just to patch it 40 hours a week. Quit talking out your ass, you obviously haven't ever assumed a sysadmin role.

Score: 0

|

Actually, you are the one who suggested installing Apache as a more secure alternative to IIS.

He pointed out (quite correctly) that Apache has had just as many (if not more) security holes, exploits, and subsequent patches as IIS.

I'm not advocating one over the other, just pointing out that your statement of "Or you can just install Apache 2.0 and be done with it." is quite foolish since Apache is by no means any more secure as an alternative.

Score: 0

|

An odd comment considering the number of Apache patches that have been released.

Especially considering that it takes quite a bit less time and effort to install IIS patches than it does Apache patches.

Score: 0

|

And I personally know several instances of corporations that pulled their Linux/Apache servers because it became too much of a hassle to keep up with the security patches.

Not sure what point you were trying to make.

Does running an Internet connected server (in any capacity) require time and effort to keep up with patches. Yes.

Will some people choose to give up on the server as a result. Yes.

Does this address at all your comments that installing Apache will allow you to "...be done with it." NO.

You have the exact same effort and issues with Apache. If you don't keep up to date with the patches, you will have problems sooner or later.

Score: 0

|

Apache 2.0 only became the recommended version a couple of weeks ago, and you're already claiming it's more secure than IIS? Right... For all we know, it could have more holes than IIS.

Best stick with Apache 1.3 if you want some sense of 'security'.

Score: 0

|

Sure, Apache may have more over time but the "exploitable time" which is really what counts is next to null. ;-) Though 2.0 is a new release and has yet to prove itself.

Score: 0

|

It takes less time?

download, untar, "./configure && make || (echo COMPILE FAILED | mail admin@pager);make install;/sbin/service httpd stop;/sbin/service httpd start" (5 minutes)

and walk away, or
click click reboot login click click click click wait reboot login click click click click reboot login OH s*** APP DOESN'T WORK ANYMORE!!! backout, reboot, pray. (1 hour)

I manage both, don't tell me Apache is difficult to manage, holes aren't found that often, and when they are they are usually fixed the same day. Tell me, if you are in a realtime transactional environment, and you have to reboot your servers to patch, how does that possibly make your bottom line look better? When you need to dollars lost per second of downtime, there is no room for error.

Score: 0

|

They must not have done critical business on those systems then, Apache is 100x easier to manage than IIS, even on the same platform.

Score: 0

|

Wow. You really need to brush up on your Windows admin skills there.

All it should have taken on the Windows side (and all it took here) was windowsupdate.microsoft.com, (click), (click), (OK), (OK), and wait for reboot to finish (average time across 34 servers here, including reboot, was 3 minutes 22 seconds)

As for Apache being difficult to manage, I never said that. You said that "It takes a dedicated admin just to patch it 40 hours a week." about IIS. I simply pointed out that it takes LESS time to patch IIS than it does to patch Apache. I never said that patching Apache was difficult, just slower than IIS.

As for downtime due to reboots, if your web availability time is that critical and expensive, you shouldn't be dealing with a single point of failure web server.

While all 34 web servers here required reboots after the patch, we had exactly 0 seconds of unavailability or downtime as a result.

As for holes being found and fixed in the same day for Apache....I certainly hope that you aren't using it in that "realtime transactional environment" you talked about, since that allowed absolutely NO time for testing the patch. If the patch is released less than 24 hours after the vulnerability is first detected, then you are running seriously untested code.

Score: 0

|

"easier to manage" is an entirely subjective choice.

And, quite frankly, not one that I would trust your opinion on after seeing your Windows admin skills described in your previous post.

"click click reboot login click click click click wait reboot login click click click click reboot login OH s*** APP DOESN'T WORK ANYMORE!!! backout, reboot, pray. (1 hour)" implies admin incompetence, not product or OS usability issues.

Score: 0

|

So if Apache has more over time (your words, not mine) then it would follow that keeping up with Apache patches would be MORE of a full time job than keeping up with IIS patches.

So if you feel that "It takes a dedicated admin just to patch it 40 hours a week" for IIS, then it must take 60 or 80 hours a week for Apache.

Score: 0

|

no, had you used Apache you would realize that is the farthest thing from the truth.

Score: 0

|

Oh yeah? hmm when I went to Windows Update this morning, I was facing 14MB in critical patches (fresh build) I install them, and move on to IE 6, after installing those I revisit windows update again to discover another 4MB worth of patches. Running Microsoft's systems management tools, I find that I am still 4 patches short of a fully patched IIS box. If you are relying only on Windows Update to secure your servers, I would fire you.

End of story.

Score: 0

|

FYI, testing patches also accounts for a significant amount of an IIS patch manager's work week. Apache patches on the other hand are simple, they are usually 5 lines of code that any good admin can eyeball and know exactly what it may break.

Score: 0

|

I beg to differ, my Admin skills aren't on trial here. They have been proven and continue to be proven to the persons that matter. I maintain 5 9's and would put any one of my systems up in a honey pot next to any of yours. I'm 100% confident that my servers would stand their ground no matter what OS/WWW server combo I threw up, as is my employer which is all that really matters. As for 5 9's yes, I can maintain them even with patch installation, however you must factor the time your farm is at risk having even one server out of the loop. To not do so is incompetence at its best.

Score: 0

|

Not quite... What does IE 6 and most of the other 14MB of updates have to do with IIS? Nothing whatsoever.

Score: 0

|

"I maintain 5 9's and would put any one of my systems up in a honey pot next to any of yours. I'm 100% confident that my servers would stand their ground no matter what OS/WWW server combo I threw up".. Since you agree the combo doesn't matter, there's no security advantage in switching to Apache over IIS, then.

Score: 0

|

Tell me why I can't install IIS without having IE installed, and you will have your answer. ;-)

Score: 0

|

I suppose I could agree with that, exception being the amount of time that it takes to manage patches. MS's recent patch rollup initiative helps though.

Score: 0

|

"....4 patches short of a fully patched IIS box...."

Is that something like 2 cards short of a full deck?

Heh

Score: 0

|

If you say so. :)

Score: 0

|

I'm not exactly sure of the point you're trying to make either. Perhaps you had none?

As far as the "...and be done with it." comment - it was never implied that you could install it and never touch it again. If you drew your own conclusions about that, that's your own shortcoming. My reference was that you could install Apache and be done with all of the headaches of having IIS on your server and managing it. The statement was made because, yet again, a "holy Christ you need to patch this!" release was made.

Score: 0

|

You're very correct. See my post above (also quoted below):

I also agree. The only reason I had mentioned 2.0 in my original post was a little tongue-in-cheek comment since a review recently tested it with IIS and their results showed that 2.0 "beat IIS at its own game." Even though it's actually up to 2.0.35, I would still leave it off of production machines for more reasons than the fact that it will break some compatibility with pre 2.x.x modules.

Score: 0

|

I have and do still use Apache as well as IIS.

You are the one who said "Sure, Apache may have more over time..." and "It takes a dedicated admin just to patch it 40 hours a week" for IIS.

I'm just throwing your EXACT words back at you to show just how badly you contradicted yourself.

So if this is "the farthest thing from the truth" then it's your own words and posts that are untrue.

Score: 0

|

Any admin that trusts "eyeballing" a patch without testing it is an irresponsible fool.

What I am saying is that "based on YOUR posts" Apache patches are getting no compatibility testing before release, whereas Microsoft is taking the time to actually do that testing before releasing them to the general public.

Score: 0

|

Ah, see the flaw in his logic here.

He installs all of the critical updates....THEN he installs IE6....then he is surprised that there are now more updates.

Gee, I bet on your Apache/Linux box if you were to install all of the Apache 1.3 patches....THEN install Apache 2.0, you'd have more patches to install then as well.

You can play word games all you want, the truth is that had you not CHOSEN to upgrade to IE6, you would not have suddenly had additional patches to install and that the additional patches were all for IE6 and had nothing to do with IIS.

If you had the slightest clue what you were doing (and I know that you do, so stop pretending) you would also have upgraded to IE6 BEFORE installing the patches since you knew that you would have to download the IE6 patches AFTER the IE6 install.

Score: 0

|

The answer is still "Nothing".

The fact that you had 4MB of additional patches for IE6 has nothing to do with IIS being fully patched.

It's no different than if you patched Apache fully, then installed some other software on your box (Netscape, an ftp server, etc.) and then had to install patches for that new software.

Score: 0

|

Since Apache (including 2.0) has just as many "holy Christ you need to patch this!" releases, your statement is still wrong.

Score: 0

|

fewt says ".however you must factor the time your farm is at risk having even one server out of the loop."

I beg your pardon? How exactly is (for example) a 10 server farm "at risk" with one server out of the loop. I'm not sure you understand what you are talking about here.

As for your Admin skills being on trial.....YOU are the one who posted that you were unable to install a simple Microsoft security patch. (see your own post for your "1 hour" process that included backing out and praying)

Score: 0

|

Since it takes me less time to patch IIS than it took you to patch Apache, and you specifically said that Apache has more patches over time than IIS, how exactly do you come up with IIS taking more time to manage patches?

Seems to me that (takes more time to patch Apache)*(more patches to apply to Apache) would equal (takes more time to manage patches for Apache than IIS)

Score: 0

|

Since your previous "point" [no comment warranted for the current one, since there wasn't one] was undeniably inaccurate (and hopefully facetious), it still remains just as ripe and smelly as the moment it came out.

I am glad to see that you are apparently the (self-appointed?) expert on all matters. And here I thought we would never find the definitive answer. Bravo!

Score: 0

|

Windows comes with IE preinstalled.

And you certainly don't need IE version *6* to run IIS.

Score: 0

|

Inaccurate? No.
Facetious? No.

Go out right now and compare the number of new builds and patches for IIS in the past year, and the number of new builds and patches for Apache for the same time frame.

I stand 100% by my statement that Apache has had MORE problems and patches than IIS has.

YOU are the one who suggested Apache 2.0 as the answer because IIS had (to quote you) "more holes in it than Bonnie and Clyde" (you then tried to save face later by attempting to claim that it was only a "tongue in cheek" suggestion).

Since you apparently know little to nothing about either of them nor do you seem to have any experience with either of them (all you have is vague second hand references to servers at a university being compromised) I am even willing to walk you through this little educational experience.

You can find the Apache builds and patches at http://www.apache.org/dist/httpd/
and the IIS builds and patches at
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/

Go count them both.

Now which one has more problems/issues/holes/patches/fixes?

Heck, even fewt admitted that Apache has had more.

Score: 0

|

Actually you are twisting my words around in a pathetic attempt to make them suit your needs. It's not working.

Score: 0

|

Up until the SRP was introduced (which still is not comprehensive, and tends to break applications where patching Apache does not) it has been much more difficult to maintain IIS. Apache may have more bugs, there's no arguing that because there is no real way to tell just how many non published bug fixes IIS has had. Apache while having bugs here and there went for TWO YEARS without a critical exploit, and when configured properly can not be used to gain "root". IIS on the other hand hasn't even gone 4 months without a "root" sploit. I have not contradicted myself in any way shape or form.

Score: 0

|

How is it a flaw? Who defines application installation order, you? Application installation order is critical not only to application performance, but to stability as well as feature installation. ;-)

Score: 0

|

Really? hmmmm....

Score: 0

|

As long as there is application integration, it will be an issue.

Score: 0

|

There you go twisting my words again.. I said it *MAY* have had more, there is no way to prove that as fact without auditing IIS's source code. It'll be a cold day in hell before that happens.

Score: 0

|

If it took you less time than it took me, then you didn't spend enough time with your server. What's the name of your business so I'll know where not to put my credit card number.

Score: 0

|

I am fully able to install patches, you are yet again attempting poorly to twist my comments to suit yourself. If it took you 3 minutes to down/patch/reboot then you must run your farm on desktops. It takes more than 3 minutes just for my arrays to initialize.

Score: 0

|

I'm not 'talking out of my ass' you arrogant prick. I am responsible for keeping our IIS servers up to date. I spend about 10 mins a day just going through any new NTBugTraq alerts which could be related to IIS. Wow, 10 mins.

I can do anything on IIS you can do on apache but I guarantee you much faster. IIS is much more of a time saver than apache, apache is for bored college kids - not serious web hosting.

Come join the big dogs out on the block. Stop hiding behind a command line.

Score: 0

|

If you haven't contradicted yourself, then please explain how you reconcile your statement that Apache has had MORE patches than IIS with your claim that it takes more time to administer patches on IIS than it does on Apache.

The only way both could be true would be if it took vastly longer to apply each IIS patch than it does each Apache patch....and I've already shown that to not be true.

Score: 0

|

Really? Twisting your words?

You said that many Apache patches are released the same day that the problem is found.

Where is there any time for compatibility testing in there?

You then tried to answer that by saying that "Apache patches on the other hand are simple, they are usually 5 lines of code that any good admin can eyeball and know exactly what it may break."

So clarify that statement.....is the admin in your statement accepting and applying the patch or not? If it was released the same day as the problem was found, then it has had NO compatibility testing. Did you or did you not mean to imply by "know exactly what it will break" that compatibility testing is not necessary?

You claim to run Apache servers in real-time mission critical 5 9's uptime applications. So when an Apache patch comes out the same day as the problem....do you install it or not? It obviously had no compatibility testing before being released (not enough time). Are you "eyeballing" it and trusting that you know what it will break? (very bad choice in the environment you describe) Do you choose to wait a few days before installing it? (thereby eliminating any benefit over IIS regarding how quickly the patch was released)

Score: 0

|

Nobody said anything about application installation order.

I was talking about the order of "application" versus "patches"

You're more than smart enough to know that patches (particularly application patches) need to be applied AFTER the application is installed/upgraded/etc.

You said that you installed all needed patches to your system.....then installed a new application....then acted surprised that you now needed more patches.

Might have made for good theatrics, but we all know that you're smarter than that. You knew good and well (in advance) that if you had installed IE6 and THEN downloaded the patches that the IE6 patches would have been included and you would have only needed one set. (Not to mention that you just wasted time patching IE5.x before you replaced it with a different version)

It's no different than if I spent time patching Apache 1.3, then replaced it with Apache 2.0, and then acted surprised that I now need more patches for Apache 2.0.

Score: 0

|

Oh really?

Go ahead, name ONE Internet Explorer patch that, if not applied, causes problems in IIS.

Score: 0

|

It's pretty easy to count the number of IIS releases and patches, and the number of Apache releases and patches.

Apache has more. (Not *may* have more.....*does* have more)

Score: 0

|

Wow, what Mickey Mouse disk arrays are you using? EMC Symmetrix disk arrays do not have to re-initialize when servers on the SAN are rebooted.

Score: 0

|

"spent enough time with my server"????

What is this? Day care?

Download patch, apply patch, reboot server. What more time would you suggest is necessary?

Score: 0

|

Yes. Really.

IIS (up to and including IIS5) does not require IE6.

IIS6 could be said to, simply because the only platform that it runs on right now has IE6 already installed.

Score: 0

|

Much faster huh? That's a laugh. Big dogs huh? That's even better. 60% of the market runs Apache, maybe it's time you woke up.

Score: 0

|

Here's a good one, mix this with unpatched IIS, and what do you get? Oh yeah, NIMDA..

http://www.microsoft.com...y/bulletin/ms00-079.asp

Score: 0

|

"So clarify that statement.....is the admin in your statement accepting and applying the patch or not? If it was released the same day as the probelm was found, then it has had NO compatibility testing. Did you or did you not mean to imply by "know exactly what it will break" that compatibility testing is not necessary? "

No, I meant that it takes 1 day + the number of testing days to certify the patch (Which can be as easy as looking at the patch source itself, then testing it.) instead of 1 month + however long it takes to test the new binaries.

Score: 0

|

IE 6, I'll give you however IE 5 is a requirement if you want a secure server. (What a joke, IE on a server..)

Score: 0

|

It's not easy to count all of the IIS patches because the documentation isn't 100% public. Sure, Apache has had lots of bug fixes, how many of those bugs are capable of getting root? Oh how the scale tips when we stop talking bug fixes and start talking exploited holes that have been fixed.

Score: 0

|

So you've never used internal RAID huh? Sure, my XP-512 doesn't need to spin disks either, however when you have 4 channel raid cards using direct attached storage one needs to wait for the disks to be accounted for before one can boot the O/S.

Score: 0

|

Yes, IIS admin == Daycare. :-P

Score: 0

|

*MAY HAVE HAD* IIS also *MAY HAVE HAD* ..

Score: 0

|

I have found boxes to be more stable if I patch/install/patch/install/patch. It's unfortunate, however you should already be familiar with the process yourself.

Score: 0

|

s/spin disks/re-initialize/i

Score: 0

|

Count them yourself.

Apache has had far more patches and upgrades than IIS has.

So it's not "*may* have had"....it's "*does* have"

Score: 0

|

60%? not anymore. and the number is falling.

Quoted from http://story.news.yahoo....tc_cmp/iwk20020403s0008

>U.K. research firm Netcraft measured Web-server software
>use on more than 38 million Internet-connected computers
>in March. Linux-based Apache lost 4.67% market share,
>ending up with a total of 53.76%. Meanwhile, Microsoft's
>Windows gained 4.89%, for a share of 34.02%.

The cooked numbers still have Apache over 60%....but still losing ground to IIS.

>Separating active sites, Windows made only marginal gains,
>increasing 0.67%, to 26.81%. Apache lost 0.81%, dropping
>to 64.37%.

Score: 0

|

Ah, ok.

Looks like it just comes down to a matter of personal preference then.

I'd prefer that the vendor have done compatibility testing before releasing the patch, while you prefer to get the patch ASAP and possibly have to get a replacement if something shows up during testing (this has happened a few times with Apache patches)

Basically six of one, half dozen of the other. I can see the value to both.

Score: 0

|

Odd. Though if it works for you....go for it.

As a general practice, I find that my boxes have better stability if I don't install anything unnecessary on them (which would include the patches for the stuff that's being removed/replaced)

But, as always, the golden rule is "Do whatever works best in your particular environment"

Score: 0

|

Now that I'll agree with. (Which is why I thought it odd that you installed IE6 on your IIS box)

I consider IE to be an application and, like you, I dislike having to even have it on a server.

I understand Microsoft's reasoning and applaud their use of shared code.....but I dislike their choice to make the vehicle for all of the shared code be IE.

Though this thread has gotten me thinking. I may try deleting just the IEXPLORE.EXE component from an IIS test box and see what functionality it loses/retains. It'll still leave a lot of crap that isn't necessary, but eliminates the possibility of a night s*** server operator firing up IE and browsing possibly dangerous sites etc. from the server. (We already have OS security policies etc. that prevent this kind of thing, but I wonder if this might be a viable generic option as well)

Score: 0

|

Ah, but you're saying *unpatched* IIS.

I'm saying a fully patched IIS. If you have fully patched IIS, then choosing not to apply IE and other application patches will not affect IIS in any way.

jr and I were commenting that you said you needed the additional 4MB of IE6 patches in order to have a fully patched IIS box. We were both saying that whether or not you installed the additional IE6 patches would have no effect on IIS (which you had already fully patched)

Score: 0

|

Tell me, are you including the patches rolled into service packs? I doubt it. Are you counting undocumented fixes? Again, I doubt it.

Score: 0

|

So it seems that talking out of your a** is indeed an art form you excel in. I knew there had to be some redeeming quality about you.

Fewt is entirely right. You don't pay any attention to what others are actually saying. Instead you not only mis-represent what they stated, but then you pick and choose and take them out of context.

You can go ahead and stand 100% behind your statements. It doesn't make them any more accurate and true.

And indeed, IIS does have "more holes in it than Bonnie and Clyde." This is a stand-alone statement. How on Earth you tried to reason out an argument with that is beyond me. I never tried to save any face with the "tongue in cheek" comment. Apparently some people just need to have things dumbed down for them. I'm sure you realize that, since you are quite obviously an intelligent person.

I have had first-hand experience with installing and maintaining both servers as well as others. But, again, thank you for putting words in my mouth. A vague second-hand reference to servers at a university? It was given as a brief example. I didn't realize that submitting a 10 page report was necessary. And it was given as *one* example. Perhaps you should read everything everyone has to say before you begin enjoying your little ruse. It might help your arguments.

Thank you for holding my hand for that little educational experience. Can we learn how to wipe next? Please? Please?

Score: 0

|

Only due to the fact that Network Solutions moved their domain parking business from Apache to IIS.

Score: 0

|

Agreed.

Score: 0

|

Agreed.

Score: 0

|

Sure I've used internal RAID and direct attached storage. Just not on any of our high end or mission critical servers.

You were accusing me of running my farm on desktops because of the fast boot time. You just overlooked the fact that high end servers with fibre channel SAN etc. will have much faster boot times than internal RAID direct attached storage.

Score: 0

|

You can delete it, though I don't expect it will buy you anything. It's only 89KB so the exe itself couldn't offer that much functionality. haha

Score: 0

|

LOL

Ok, but I'll stick to uptime and productivity. I'll leave "spending quality time" with the servers to you.

Though our HP K-class and V-class boxes could probably use some "quality time"......or an exorcist.

Score: 0

|

It still proves my point that one must patch IE.. It can even harm a patched IIS box..

Score: 0

|

Hey, I'm qualified to fix those for you. :-P

Score: 0

|

Agreed. I'm sure you chuckled though when I claimed you ran your farm on desktops haha!

Score: 0

|

Yeah, I like and hate Windows; it has a lot of improvements from 95 to XP, but it still has problems. They release many patches, or Service Packs. But Linux does the same, only the name changes: a new kernel version, download it and then compile the kernel.

Remember, software is not a static thing; it is like people. Software has to be improved every day.
No software is free of bugs or security holes; that's the truth, even for Linux, Apache and of course MS products, but we mention MS bugs more because of the monopoly.

Score: 0

|

Yes. I am counting patches that were later rolled into service packs (got the stack of CD's in the closet)

Undocumented fixes? Not sure what you mean by that. I'm counting patches, fixes, and upgrades that were released to the public (i.e. that an admin would have needed to load if he kept up to date along the way)

Score: 0

|

The first set of numbers was, indeed, mainly due to that.

The second set, however, still indicates a decline in market share for Apache. (The second set, the "active" sites, excludes "parked" and unused domains)

Score: 0

|

True. The key is to prevent users and/or apps that launch it (intentionally or accidentally) from doing so.

Score: 0

|

Yep.

Though sometimes I wish I were running them on desktops.

Usually whenever I look at the price quotes when I have to add new servers to the farm.

When you get into six, seven, and even eight digits to the left of the decimal point it gets so surreal. I love the look on my people's faces when they're lifting one into a rack and suddenly realize that if they drop it, it will cost more than their salary for the year, and their car, and their house, and their life insurance, to replace it. So if it starts to slip they're better off getting their body under it. :P
Never had it happen yet, but we did have a truck driver put one of the tines on a forklift through an $800,000 box. I would have LOVED to see the person's face at the insurance company when the claim came in.

Accident: Vehicle collision
Speed: Under 1 MPH
Injuries: None
Damage: $800,000

LOL

Score: 0

|

If you were in the area, I'd have you try.

Even HP has come around to agreeing that they're possessed.

They've had hardware failure that HP has NEVER seen in the field ever. One of the V class boxes that had been running fine for months, suddenly died one day. Turned out (eventually) to be a failure of a backplane in an EMPTY and UNUSED cardcage in the box.

Got so bad that HP gave us a brand new V-class box at no charge and hauled our old one away. We ran them in parallel for 3 months with no errors at all. Two days after they hauled the old one away we had 2 CPU failures, a power supply failure and a memory module failure on the box. (not all at the same time either)

Score: 0

|

We had an N fall off of a lift before it was delivered. $400K mistake haha!

Score: 0

|

Do you have the unit on the same set of PDU's that the old unit was on?

Score: 0

|

Nope. Completely isolated (and VERY heavily conditioned) circuits.

Score: 0

|

I would have figured so, but I thought I'd throw it out there..

Score: 0

|

>Remember Software is not a static thing is like people

What makes you think people are static? We have to patch and update fewt all the time. There was the "Linux is god" update, the "vitriolic insults" patch, The "open minded about Microsoft" patch (which was very buggy and had to be backed out).......

:P :P :P

Score: 0

|

s/Linux/Fewt/i :-P HAHAHAHAHAHA

Score: 0

|

undocumented patches are "silent" fixes. if you install a hotfix for IIS, 99% of the time it also fixes something else that was a problem but not publicly known (yet), or that became a problem because of the way that the hotfix worked, therefore requiring a hotfix on that (sorry if you got confused)

Score: 0

|

thank god for that! i was getting a little worried then, was gonna go find myself a rock to hide under before the bombs start falling

:-P

Score: 0

|

technically fewt that would not happen with IE6, or pretty much any MS product, as MS use "smart" updates which replace EVERY file, therefore replacing the file you just patched, making it a waste of time. As you said, you install all IE5.x patches then IE6, meaning all your IE5.x files were replaced or removed as they are not needed in IE6, and then you needed to apply the IE6 patches. You did waste your time updating IE5.x if you were not going to use it. It is like saying you apply SP1 then SP2 in Windows 2000; it is pointless as SP2 includes SP1 fixes. as wendor said you are more than smart enough to know this. Looks like you are just making it look like patching windows apps is a lot more work than it actually is.

Score: 0

|

come on, patches differ in time from patch to patch! from the size of the download, actually patching (a 500K patch will be a lot quicker than a 10MB patch) and the time taken to reboot, as it is different for every machine even if they are identical. Unless you record the exact amount of time for every patch you did on either server and worked out a total time, you cannot argue about which is quicker to patch!

Score: 0

|

cat ms fewt

Score: 0

|

http://www.whatthedilly....bs/still%20retarded.jpg

ehem. *bows*

if you like pulling your hair out, you have windows as your primary server platform, and check windowsupdate for funzies use IIS.

if you like the convenience of installing apache, the open source nature of quick fixes, the "logical" use of one configuration file in plain text and documented by default that lets you configure 90% of the document server options, and the smell of burning window panes from the neighboring win9x users beating their keyboards against their monitors then go with apache.

thats why we like alternatives. thats why we have options. when you have a microsoft budget and your whole staff is MCSE's and INET and CNE and all that other nonsense then sure. MS is an option. But when you want things cheap and you want things quick and you want all the options with none of the OS limitations go with apache.

Score: 0

|

http://www.whatthedilly....os/still%20retarded.jpg

sorry. that other link was a thumbnail.

Score: 0

|

"error too many connections"

personally, i love that one. haven't ever gotten it on apache though. maybe i'm *lucky* like that. IIS ran so fast the browser never caught the document

Score: 0

|

and yet, to fix Apache i've never had to upgrade to IE6.

once again. I am sooo so lucky.

Score: 0

|

like code red or nimda which deliberately targeted IE security related issues as well as Outlook express which is from my understanding also installed by default. and if you rely on windows update to update your server try visiting it sometime with a non MS browser and see what happens. I think it would be cute for you to destroy the browser microsoft deemed "vital" to the OS simply to disable its use for wrong over right. Since IIS is part of the microsoft world it bows to all the flaws of both the operating system and its uninstallable default components.

Dare I start the browser debate discussion once again? I dare not. I see no point in teaching monkeys to fly, or MS admins to pay for a new degree.

Score: 0

|

i know first hand through no fault of my own. watching nimda rip through the windows network at my old job was like watching backdraft and the slowmo footage of the flames roaring through the hallways engulfing all they encountered.

very very entertaining, and very very costly to whoever just lost their real estate.

Score: 0

|

I actually agree with that (the picture)!

James Wheat
http://belprecomputerwizard.com

Score: 0

|

cat NullEdge >/dev/null

:-P

Score: 0

|

No one has ever had to upgrade to IE6 to fix IIS either.

Score: 0

|

make sure you read the caveat in the fine print towards the bottom. If you install this rollup without also installing Microsoft's fix for this fix, you will have authentication problems in Site Server.

Score: 0

|

It appears Microsoft has also changed the way IIS works with the AUTH_USER, LOGON_USER variables. If you have a page set to allow anonymous users, it will leave the AUTH_USER, LOGON_USER variables empty. Prior to the patch, it would load the authenticated user name even if the page was set to allow anonymous users. Needless to say, I had code that broke because of this change.

Score: 0
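
The behaviour change described in the comment above, as an added example that is not part of the original thread: code that assumed AUTH_USER always held a name can fail open once the variable arrives empty on pages that allow anonymous access. All function names are hypothetical, and the dicts are constructed stand-ins for the server-variable collection.

```python
# Added example; every name here is hypothetical. The dicts stand in for the
# server-variable collection an IIS-hosted page would read.

# Constructed sample inputs for one page that permits anonymous access.
PRE_PATCH = {"AUTH_USER": "CORP\\alice", "LOGON_USER": "CORP\\alice"}
POST_PATCH = {"AUTH_USER": "", "LOGON_USER": ""}


class AuthenticationRequired(Exception):
    """The hosting application should answer this with HTTP 401."""


def legacy_is_allowed(server_vars, blocked):
    """Pre-patch style: assumes a name is always present, uses a deny-list."""
    user = server_vars["AUTH_USER"].split("\\")[-1].lower()
    return user not in blocked  # an empty name is "not blocked": fails open


def authenticated_user(server_vars):
    """Return the account name, or None when the server supplied none."""
    for key in ("AUTH_USER", "LOGON_USER"):
        value = (server_vars.get(key) or "").strip()
        if value:
            return value
    return None


def require_user(server_vars):
    """Fail closed: no identity means no access to a protected action."""
    user = authenticated_user(server_vars)
    if user is None:
        raise AuthenticationRequired("request carries no authenticated identity")
    return user


def is_allowed(server_vars, allowed):
    """Hardened check: explicit allow-list, case-insensitive account match."""
    try:
        user = require_user(server_vars)
    except AuthenticationRequired:
        return False
    return user.split("\\")[-1].lower() in {name.lower() for name in allowed}


def greeting(server_vars):
    """Pages that really are public treat a missing name as a guest."""
    user = authenticated_user(server_vars)
    return "Welcome, guest" if user is None else "Welcome, " + user.split("\\")[-1]


if __name__ == "__main__":
    for label, sv in (("pre-patch", PRE_PATCH), ("post-patch", POST_PATCH)):
        print(label, legacy_is_allowed(sv, {"mallory"}), is_allowed(sv, {"Alice"}),
              greeting(sv))
```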

|

Uh....wow....blocked from the internet even if IIS not running? ....

Score: 0

|

uh hu. sounds a bit odd doesn't it - like MS isn't telling the whole truth again. It's either microsoft bundling gone barmy again, or this issue is nowhere near as major as they are making it out to be in the hope that they can then say "look how serious we are about security!"

Score: 0

|

This, once again, demonstrates Microsoft's flaws in not allowing their software to be open source. Hopefully now with the latest decisions to open up some of their source code (Internet Explorer, .NET and so on), they'll follow suit with Windows and IIS, allowing people in the open source community to catch their mistakes.

Score: 0

|

if you push it on non-iis machines - it probably becomes a non-issue ONCE they enable iis. whats the point of an admin going around a dev house weekly to tell the "new" guy to run it...

this was an interesting (for lack of a better word :) webcast of the scenario:
http://support.microsoft...s/wc040902/WC040902.asp

Score: 0

|

Exactly what flaws does this demonstrate?

IIS (which is not open source) has security issues which get found, and patches are issued to fix them.

Apache (which is open source) has security issues which get found, and patches are issued to fix them.

Score: 0

|

IIS (which is not open source) has security issues which get found, and patches are issued a month later to fix them.

Apache (which is open source) has security issues which get found, and patches are issued usually the same day to fix them.

Score: 0

|

Since this implies that Microsoft takes the time to test patches before releasing them (average time to release security patch for IIS has been under 7 days - a far cry from "a month"), while you seem to indicate that Apache is releasing them WITHOUT any time allowed for testing (no serious real world compatibility testing can be done in under 24 hours).....this would tend to support IIS as the better and more stable of the two platforms.

Score: 0

|

You don't understand the open source movement.

If Microsoft had made the IIS source code open source, then instead of waiting through triage of the different bugs that are found with IIS, someone (possibly a system administrator) could find the hole, plug it and release the patch in a faster time span than it would take Microsoft to fix it.

The same thing goes for Apache. Apache is probably just as bug-prone and insecure as IIS when it's released, but it's the open source community that helps speed up the patching process.

Score: 0

|

Uhh, did you just say what I think you said? *I* don't understand the open source movement? ROTFLMFAO, I'm sure 100% of the other folks here would disagree with you. :-P

Score: 0

|

How much testing does it take when you change a non checked buffer to a checked buffer? 9/10th of the testing is required simply because the source is closed requiring a new binary, and potentially updated libraries. Before you go spouting that which you do not understand, do your homework.

Score: 0

|

No, Fewt. I was referring to Wendor. Your comments didn't warrant that kind of response from me. I'm surprised you didn't figure that out ;)

I should do a better job of making sure I respond to specific users instead of replying to the last person's post.

Score: 0

|

oh sorry, I didn't realize it. haha ;-)

Score: 0

|

And,

How much wood could a woodchuck chuck if a woodchuck could chuck wood?

Score: 0

|

How much testing?

You claim to be running a real-time transaction 5 9's availability web server farm.

If you make ANY changes (no matter how trivial they seem) without redoing your compatibility testing then you should NOT be the one administering that setup.

Score: 0

|

What's so unusual about this?

All it is is that Microsoft made an internal decision that Internet access would be taken away from anyone who does not keep their machine up to date on ALL security patches (IIS or not)

Microsoft isn't the only company out there with a similar policy. If anything Microsoft has deserved criticism for going so long without a policy requiring people to keep their systems up to date on security patches.

Score: 0

|

sano says "...someone (possibly a system administrator) could find the hole, plug it and release the patch..."

Good grief! I certainly hope you aren't doing anything business critical in this scenario. No vendor testing of the patch at all? No vendor to take responsibility if the patch causes data loss and irreparable business harm?

Sorry, for business critical stuff, I'll stick with something that is actually SUPPORTED and BACKED by a vendor who takes responsibility. (And before you ask, yes, Microsoft has taken responsibility for these kind of things and has reimbursed us for downtime caused by problems with patches they gave us. Specifically, they were custom hotfixes for SQL Server)

Score: 0

|

Fewt, no one who has read any of your posts would ever post you don't know anything about the open source movement. you know more about computers in general than i have ever known, as much as it pains me to say it :-P

Score: 0

|

Wow, thx. :-)

Score: 0

|

"If you make ANY changes (no matter how trivial they seem) without redoing your compatibility testing then you should NOT be the one administering that setup. "

Wow, I learn something new every day! :-P hahahaha

Score: 0

|

How does it work with open source software then? When someone finds a hole, they write a patch. Who approves it?

Score: 0

|

My point exactly.

Open Source software has its place. But it does have the drawback of no vendor to take responsibility or support it.

Score: 0

|
