Wednesday, June 29, 2005

If you want a look at the future, hang out at Microsoft for a while.  You are quickly inundated with programs, projects, and products under development – some of which won’t be used by people for years.

What’s interesting is the effect this has on people here. Imagine for a moment that everyone you worked with was working on a project all year, for a product that has another year to go before people see it. All you think about, all your time, all your creative work is going into unreleased, improved technology. By the time this gets to the public it is wholly new to the world, but to the authors it seems to have been around for years. Uptake rates kick in, and by the time the product is widely adopted, the authors are 4-5 years ahead of that curve.

That’s a pretty serious discontinuity and I see it all the time. I edited a PowerPoint deck last week on Longhorn installation processes that referred to current technology as the “old” way. Another example: this week a presenter asked the audience how many were running IIS 6, and about a quarter of the room raised their hands, much to the surprise of the presenter (and this was an IIS 7 presentation!).

The risk here is that new technologies, and the organizations that create them, become over time more and more distanced from the current experience of their customers. Eventually, technologies are released that improve on technologies that haven’t yet been widely adopted. At this point, the companies that create these technologies run the risk of simply running too far ahead of the customer and eventually leaving the realm of their significant day-to-day realities. Yes, the new stuff is way cool and really does have a lot to offer, but adoption rates do not keep pace with the torrent of new technologies, and this gap has to have a larger and larger impact over time.

Wednesday, June 29, 2005 8:20:02 PM (GMT Standard Time, UTC+00:00)
Friday, June 03, 2005

The HackIIS6.com contest has ended. Penton Publishing, the sponsor of the event (as in NOT MICROSOFT), heard the many posts and comments, public and private, that contests like this don't actually prove anything.

So Penton decided to end the contest early, and I think rightly so. They simply turned the site off for a few days while they crafted a message about the change. It would have been best if they hadn't done things quite in that order, but that's what happened. The site was not hacked, nor did it suffer a DoS attack.

I agree with Penton on this. This contest and others like it don't prove anything. If you want to show that IIS 6 is secure (or vice versa), do it with a record based on real-world implementations, not unrealistic short-term "hack me" events.

IIS 6 has already passed the most rigorous testing on the planet. The results are in, and they come from the best lab in the world: live servers running mission-critical applications with billions of dollars at stake on public networks. You cannot contrive a more severe environment. How did it go?

1. IIS runs 53% of the Fortune 1000, as shown at http://www.port80software.com/surveys/top1000webservers/.
Yes, I know that the Netcraft surveys show a big dominance by Apache, but those numbers include all domains known to man. The problem with that strategy is that it overvalues the impact of web hosters. If a web hoster puts up 10,000 websites on an OS, that's counted as 10,000 Apache servers, but in fact it is only a couple of machines. If they move that machine to another platform, there are big shifts in the numbers for "domains hosted by X", but in reality only one web hoster made a decision to change the platform on a few servers. Why should this count 10,000 times, when another company changing from one platform to another counts as 1? This is not at all to devalue Netcraft’s work, just to point out that Netcraft has its own unique scope and biases (and I mean biases in the scientific sense here, not a sinister one).

Now maybe you don't believe the 53% number because the survey was done by Port80, which writes components for IIS. So, do it yourself! A friend of mine created a tool to do just that, and it validates these results. We're going to use it for some further study. You could too.

If 53% of the US's largest corporations are running on IIS, that has some meaning, because they have choices.

2. Show me any reputable list of Apache vs. IIS 6 hotfixes. What do you see? Try this one as an example: http://secunia.com/product/1438/ (3 for IIS 6) vs. http://secunia.com/product/73/ (24 for Apache 2.0.x). Be sure to compare apples to apples. In other words, if you count every Windows 2003 problem as an IIS problem, you also have to count any other OS's problems against its web server. Raw advisory counts also say nothing about severity, so look at each advisory's rating as well as the total. No matter what list you use here, IIS 6's record is impressive.

3. Remember the Gartner report years ago that said you should remove IIS? Of course you do. Everyone remembers that. But how about this Gartner report from 2004, “IIS No Longer the Problem in Web Server Security”? Why is it that most people I meet have not heard about Gartner coming out with a paper saying that IIS security is not an issue? I can't post the paper here as it's copyrighted by Gartner, but the title says it all.

4. Security Innovations made this report, http://www.microsoft.com/windowsserversystem/facts/analyses/secinnovation.mspx, which shows that Windows Server 2003 has a lower "days of risk" figure (the time between public disclosure of a vulnerability and availability of a vendor fix) than Red Hat/Apache.

5. Five of the top 10 most available hosters in May 2005 run Windows, according to Netcraft.

There is far more, but that should serve to make my point.
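Point 1 above rests on two steps: identifying the web server behind each site (what the tool mentioned there does) and deciding what counts as one vote. The Python below is an added illustration for this post, not that tool and not anything from Port80 or Netcraft. It reads the Server header out of constructed, offline HTTP responses, buckets them by family, and tallies once per domain and once per IP address, so the hoster counting bias described in point 1 is visible in the numbers. The host names and addresses are made up.

```python
"""Added example: tally web-server families from HTTP response headers.

Illustrative code only, not the survey tool mentioned in the post.  It runs
on constructed responses so it works offline; a real survey would issue a
HEAD request to each host and feed the raw response text in here.
"""
from collections import Counter

# Constructed sample data: (site, ip, raw HTTP response).  The three sites on
# 192.0.2.10 stand in for one hoster's box serving many domains.
SAMPLE_RESPONSES = [
    ("example-corp.com", "192.0.2.1",
     "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n\r\n"),
    ("example-bank.com", "192.0.2.2",
     "HTTP/1.1 200 OK\r\nServer: Apache/2.0.54 (Unix)\r\n\r\n"),
    ("hosted-a.example", "192.0.2.10",
     "HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Debian GNU/Linux)\r\n\r\n"),
    ("hosted-b.example", "192.0.2.10",
     "HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Debian GNU/Linux)\r\n\r\n"),
    ("hosted-c.example", "192.0.2.10",
     "HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Debian GNU/Linux)\r\n\r\n"),
    ("example-retail.com", "192.0.2.3",
     "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"),
    # Header deliberately stripped by the administrator: must not be guessed.
    ("stealth.example", "192.0.2.4",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]


def server_header(raw):
    """Return the Server header value from a raw HTTP response, or None.

    Header names are case-insensitive; only the head section (before the
    blank line) is inspected, so a 'Server:' string in the body is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify(server):
    """Map a Server header to a coarse family.

    'unknown' covers a missing or masked header; a survey should report it
    separately instead of folding it into some vendor's bucket.
    """
    if not server:
        return "unknown"
    s = server.lower()
    if s.startswith("microsoft-iis"):
        return "IIS"
    if s.startswith("apache"):
        return "Apache"
    return "other"


def tally(responses):
    """Return (by_site, by_host) Counters.

    by_site counts every domain once (the Netcraft-style view); by_host
    collapses domains sharing an IP to a single vote (the per-server view
    the post argues for).  The first family seen for an IP is kept.
    """
    by_site = Counter()
    first_family_for_ip = {}
    for site, ip, raw in responses:
        family = classify(server_header(raw))
        by_site[family] += 1
        first_family_for_ip.setdefault(ip, family)
    return by_site, Counter(first_family_for_ip.values())


def share(counter, family):
    """Percentage share of `family` among identified servers.

    'unknown' is left out of the denominator so masked servers do not
    depress every vendor's number at once.
    """
    known = sum(v for k, v in counter.items() if k != "unknown")
    return round(100.0 * counter[family] / known, 1) if known else 0.0


if __name__ == "__main__":
    by_site, by_host = tally(SAMPLE_RESPONSES)
    print("per domain:", dict(by_site), "IIS share", share(by_site, "IIS"))
    print("per server:", dict(by_host), "IIS share", share(by_host, "IIS"))
```

On the constructed data the per-domain count gives IIS a 33.3% share and the per-server count gives it 50%, which is the whole of the argument in point 1 in miniature. The caveat that goes with any such survey: the Server header is self-reported, and administrators routinely remove or rewrite it, so a header survey measures what servers claim to be, not what they run. Keep the unknown bucket visible in the results rather than dropping it.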

If I sound like an evangelist for IIS, that's a good thing. I came to be one not because Microsoft offered me the job, but because simply reporting the facts about IIS 6 creates a compelling story that is persuasive based on technical merits.

I have personally talked to many IIS administrators (hundreds) responsible for tens of thousands of IIS servers in the largest companies in the world. Not to mention the many hundreds of people managing small businesses with their own servers who have contacted me via email or at presentations. Billions of dollars flow through these servers. Unthinkable quantities of data per minute collectively pass through all the IIS servers in the world every moment. What do the managers of these servers tell me? It sounds like this: "We love IIS 6", "It's so much better than what we were doing", "Our uptime doubled!" Here's what I was told recently by a server administrator for one of the undisputed largest .coms on the planet (not Microsoft): "We have virtually no problems with our IIS servers". Are there problems? Of course, but security is not at the top of the list. (BTW, the list is operational in nature: "How do I troubleshoot x?" "How do I manage y?")

My point is simple. If you want to implement a web server other than IIS, fine with me, but do so for good reasons. If you choose to avoid IIS because you're concerned about IIS security, check out the above links and information. I'll be posting some more on this later.

- brett

Friday, June 03, 2005 12:22:29 AM (GMT Standard Time, UTC+00:00)
