The HackIIS6.com contest has ended. Penton publishing, the sponsors of the event - [as in NOT MICROSOFT], heard the many posts and comments publicly and privately that contests like this don't actually prove anything.
So Penton decided to end the contest early, and I think rightly so. They simply turned the site off for a few days while they crafted a message about the change. It would have been best if they hadn't done things quite in that order, but that's what happened. The site was not hacked, nor did it suffer a DoS attack.
I agree with Penton on this. This contest and others like it don't prove anything. If you want to show that IIS 6 is secure (or vice versa), do it with a record based on real-world implementations, not unrealistic short-term "hack me" events.
IIS 6 has already passed the most rigorous testing on the planet. The results are in, and they come from the best lab in the world: live servers running mission-critical applications with billions of dollars at stake on public networks. You cannot contrive a more severe environment. How did it go?
1. IIS runs 53% of the Fortune 1000, as shown at http://www.port80software.com/surveys/top1000webservers/. Yes, I know that the Netcraft surveys show a big dominance by Apache, but those numbers include all domains known to man. The problem with that strategy is that it overvalues the impact of web hosters. If a web hoster puts up 10,000 websites on an OS, that counts as 10,000 Apache servers when in fact it is only a couple of servers. If they move that machine to another platform, there are big shifts in the numbers for "domains hosted by X", but in reality only one web hoster made a decision to change platforms on a few servers. Why should this count 10,000 times, when another company changing from one platform to another counts as 1? This is not at all to devalue Netcraft's work, just to point out that Netcraft has its own unique scope and biases (and I mean biases in the scientific sense here, not a sinister one). Now maybe you don't believe the 53% number because the survey was done by Port80, who write components for IIS. So, do it yourself! A friend of mine created a tool to do just that, and it validates these results. We're going to use it for some further study. You could too.
If 53% of the US's largest corporations are running on IIS, that has some meaning, because they have choices.
2. Show me any reputable list of Apache vs. IIS 6 hotfixes. What do you see? Try this one as an example: http://secunia.com/product/1438/ (3 for IIS 6) vs. http://secunia.com/product/73/ (24 for Apache 2.0.x). Be sure to compare apples to apples. In other words, if you count every Windows 2003 problem as an IIS problem, you also have to count every other OS's problems against its web server. No matter what list you use here, IIS 6's record is impressive.
3. Remember, years ago, the Gartner report that said you should remove IIS? Of course you do. Everyone remembers that. But how about this Gartner report from 2004, "IIS No Longer the Problem in Web Server Security"? Why is it that most people I meet seem not to have heard about Gartner coming out with a paper saying that IIS security is not an issue? I can't post the paper here as it's copyright Gartner, but the title says it all.
4. Security Innovations made this report http://www.microsoft.com/windowsserversystem/facts/analyses/secinnovation.mspx that shows Windows Server 2003 has a lower "days of risk" factor than Red Hat/Apache.
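Points 2 and 4 both rest on how you count: whether OS-level advisories are charged to the web server, and how long each flaw stayed open before a fix shipped ("days of risk"). The script below, which is my own added example and not something from the post, Secunia, or Security Innovations, makes both choices explicit. The advisory records in it are constructed sample data, not real advisories, and the product names are only labels; the point is that the same data set gives different numbers depending on the comparison rules, so any IIS-vs-Apache figure should state its rules.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Advisory:
    """One published advisory (constructed record for this example).

    `component` says whether the flaw is in the web server itself or in the
    underlying OS, so that both products can be compared by the same rule
    (the "apples to apples" point above).
    """
    product: str             # label such as "IIS 6.0" or "Apache 2.0.x"
    component: str           # "webserver" or "os"
    disclosed: date          # date the flaw became public
    patched: Optional[date]  # vendor fix date, None if still unpatched


# Constructed sample data: dates and counts are invented for illustration and
# do not describe any real advisory for either product.
SAMPLE: List[Advisory] = [
    Advisory("IIS 6.0", "webserver", date(2004, 6, 1), date(2004, 6, 15)),
    Advisory("IIS 6.0", "webserver", date(2005, 1, 10), date(2005, 1, 12)),
    Advisory("IIS 6.0", "os", date(2005, 3, 1), date(2005, 3, 31)),
    Advisory("Apache 2.0.x", "webserver", date(2004, 9, 1), date(2004, 9, 3)),
    Advisory("Apache 2.0.x", "webserver", date(2005, 2, 1), None),
    Advisory("Apache 2.0.x", "os", date(2005, 4, 1), date(2005, 4, 11)),
]


def select(advisories: Iterable[Advisory], include_os: bool = False) -> List[Advisory]:
    """Apply one counting rule to every product: web-server flaws only, or
    web-server plus OS flaws. Mixing rules between products is the error the
    post warns about."""
    return [a for a in advisories if include_os or a.component == "webserver"]


def days_at_risk(a: Advisory, as_of: date) -> int:
    """Days between public disclosure and the fix. An unpatched flaw is still
    open, so it accrues risk up to the report date; a fix that shipped before
    disclosure (a silent fix) contributes 0, not a negative number."""
    end = a.patched if a.patched is not None else as_of
    return max((end - a.disclosed).days, 0)


def summarize(advisories: Iterable[Advisory], as_of: date,
              include_os: bool = False) -> Dict[str, Dict[str, float]]:
    """Per-product advisory count, number still unpatched, total and average
    days of risk, all computed under a single stated rule."""
    out: Dict[str, Dict[str, float]] = {}
    for a in select(advisories, include_os):
        s = out.setdefault(a.product, {"count": 0, "unpatched": 0, "days_of_risk": 0})
        s["count"] += 1
        s["days_of_risk"] += days_at_risk(a, as_of)
        if a.patched is None:
            s["unpatched"] += 1
    for s in out.values():
        s["avg_days"] = s["days_of_risk"] / s["count"]
    return out


if __name__ == "__main__":
    report_date = date(2005, 6, 1)
    for rule in (False, True):
        label = "web server + OS" if rule else "web server only"
        print(f"Rule: {label}, as of {report_date}")
        for product, s in sorted(summarize(SAMPLE, report_date, rule).items()):
            print(f"  {product:12s} advisories={s['count']} unpatched={s['unpatched']} "
                  f"days_of_risk={s['days_of_risk']} avg={s['avg_days']:.1f}")
```

Run it and the two rules produce different rankings from the same records, which is exactly why a count quoted without its rule is not a comparison. To apply it to a real tracker you would replace SAMPLE with records exported from that tracker, keeping the `component` tag honest for both products.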
5. Five of the top 10 most available hosters in May 2005 run Windows, according to Netcraft.
There is far more, but that should serve to make my point.
If I sound like an evangelist for IIS, that's a good thing. I came to be one not because Microsoft offered me the job, but because simply reporting the facts about IIS 6 creates a compelling story that is persuasive on technical merits.
I have personally talked to many IIS administrators (hundreds) responsible for tens of thousands of IIS servers in the largest companies in the world. Not to mention the many hundreds of people managing small businesses with their own servers who have contacted me via email or at presentations. Billions of dollars flow through these servers. Unthinkable quantities of data per minute collectively pass through all the IIS servers in the world every moment. What do the managers of these servers tell me? It sounds like this: "We love IIS 6", "It's so much better than what we were doing", "Our uptime doubled!" Here's what I was told recently by a server administrator for one of the undisputed largest .coms on the planet (not Microsoft): "We have virtually no problems with our IIS servers". Are there problems? Of course, but security is not at the top of the list. (BTW, the list is operational in nature: "How do I troubleshoot x?", "How do I manage y?")
My point is simple. If you want to implement a web server other than IIS, fine with me, but do so for good reasons. If you choose to avoid IIS because you're concerned about IIS security, check out the above links and information. I'll be posting some more on this later.
- brett
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
© Copyright 2008, Brett Hill