Apache vs. IIS - Myths

deuceincurableSecurity

Jun 13, 2012 (5 years and 5 days ago)

665 views

IIS vs. Apache

Myths and Reality

Apache
-

Overview

Free web server.

Often combined with Linux,
MySQL
, and PHP to
make the LAMP stack.

First released in 1995.

Modular architecture.

Built using an open source development model.

Commercial friendly open
-
source license.

Current Version is 2.2.9 which was released in
June of 2008


IIS 6 Overview

IIS 6.0


A Solid Foundation

Shipped with Windows Server 2003

Proven Security

Significant reduction in attack surface compared to previous
releases

No security vulnerabilities since it’s release five years ago.

Proven Scalability and Stability

Used by many major sites and companies such as
MySpace.com, Match.com, US Bank, USA Today, Allstate,
Continental Airlines and others.

Significant increase in reliability of hosted web sites compared to
IIS 5.0.

A solid trusted foundation for IIS 7.0


IIS7 Overview

Benefits

Features

Modular and Extensible

Integrated with .NET

Improved Security

Agile Administration

Built in Request



Tracing

Reduced Attack

Surface

Easier to Manage

Fast Diagnostics

Extend/Modify

IIS Features

Create
Streamlined
Servers

Questions

“Which of the two platforms (IIS and
Apache) is more secure?”

“Which is easier to manage?”

“Is Apache or IIS easier to manage?”

“Which web server is more reliable?”

“Which is more modular, IIS or
Apache?”







“Is IIS or Apache more innovative?”

“Is IIS or Apache easier to
troubleshoot?”

“Does Apache support more
applications?”

“Does IIS or Apache have the lower
TCO?”

“Is Apache the best platform for PHP
Applications?”

Security

“Which of the two platforms, IIS and Apache, is more secure?”

IIS 7.0 Security

Minimal Surface Area

Automatic Site / Application Sandboxing

Anonymous User Account Changes

URL Authorization

Built in Request Filtering

Integrated Active Directory Authorization

IIS / Security Development Lifecycle

Automatic Update Patching

Security Tracking


Secunia

IIS 6 by comparison has only 5 advisories released to date.

http://secunia.com/product/1438/?task=advisories

Apache 2.0.x on the other hand has over 35, several of which are
critical rated.

http://secunia.com/product/73/?task=advisories



Security

Independent Commentary

Ad Host


“While files are being transferred to a Web server, it’s essentially in clear text, which
can pose security issues.” “Now our clients can download FTP software and create a
secure FTP connection to our IIS 7.0 FTP server. Secure FTP is something our
customers really want, and now we can offer it to them.”

UC
Berkely


“With Server Core, we saw a way to reduce a server’s vulnerability to attack, but also
its need for patches and our administrative overhead associated with patch
monitoring and installation.”

Management

“Is IIS or Apache easier to manage?”

IIS 7.0 Manageability

Centralized Web Farm Configuration

Streamlined and Focused Administration Tool

Remote Administration Tool

Command Line Administration

Rapid Troubleshooting and Limited
Downtime



AdHost

-

Able to Reduce Site Setup Time to a Quarter of the Previous Time with IIS 7.0

Management

Independent Commentary

Dell


“Windows Server 2008 and IIS 7.0 are absolutely cornerstone to how all this would work.” “We will no
longer have to touch individual machines; we’ll have a cloud of servers that we can direct in an automated
way.”

Vanderbuilt


“With IIS 7.0 we have one centralized hosting environment so we can do single
-
point deployment and
manage the services much more effectively. This is something we simply couldn’t do before.”

MaximumASP


“Before, we had to have a programmer to create batch files and automate processes.” “But with IIS 7.0,
anyone can do it, which makes management faster and easier.”

Ad Host


“With Windows Server 2008 and the Shared Configuration feature of IIS 7.0, we can go from a bare
bones box to a running Web server in about one hour

a four
-
hour savings over Windows Server 2003.”
“Site setup can be done in about a quarter of the time

10 minutes to activate a site via script versus 40
minutes. And we’re expecting to cut our webmaster and administration time in half as well.”

DiscountASP.NET


“Most large
hosters

are trying hard to lock down their systems.” “That makes it easier for them to manage
their systems, but it also makes them much less flexible. Our customers want to explore
all

the features of
a Web server. They want security, but flexibility too. With IIS 7.0 we can deliver exactly that.”

Performance / Scalability

“Does Apache have better performance /scalability than IIS?”

IIS 7.0 Performance/Scalability

Leaner Web Servers

Server Core

Static and Dynamic Compression

Output Caching Improvements

Enterprise Level Performance

“Match.com runs IIS 7.0 with 30 million page views daily.”

“PlentyOffFish.com gets 1.2 billion page views a month.”

“WS2008 and IIS 7.0 allow
www.microsoft.com

to process 122 million
more requests at the same CPU level


compared to IIS 6.0”

“MySpace.com runs IIS 7.0 with 23 billion page views a month.”


HostMySite

-

Now hosting 1,100 web sites per server / Up from 500 shared applications.

Performance / Scalability

Independent Commentary

Parking.Ru


“Based on our tests, by running Windows Server 2008 and Internet Information Services 7.0 on modern
multicore

Intel
-
based servers, we’ll be able to increase our system performance several fold.”

TeamZoneSports


“We’ve been able to significantly reduce our bandwidth and have seen a cost savings of 50 percent over
our previous video delivery method.”

Dell


“Our Windows Server 2008 machine scaled quite well while it handled as many as 1,800 connections
versus the 1,000 connections handled by our Windows Server 2003 systems and provided equal or better
performance.”

MaximumASP


“Using Windows Server 2008 instantly sped up my sites by more than 40 percent. It’s like getting a code
rewrite with no work.” “Everything that we create requires on
-
site editing, and the fact that pages load so
much more quickly results in significant
timesavings

for us every day.”

Barginland


“Our peak period is when auctions close, which is typically between 7:00 P.M. and 11:00 P.M. central time.
During that period, we may get 6,500 unique users and 200,000 page views. Bidtopia.com is our only
source of revenue now, so the more auctions we can support, the better. Based on the performance and
reliability we’ve seen since migrating to Windows Server 2008, we’ve just decided to accelerate the
schedule for allowing new sellers onto the site.”

Reliability

“Which web server is more reliable?”

IIS 7.0 Reliability

Proven and Trusted Platform

54% of the Fortune 1000 rely on IIS 7.0

Rapid diagnostics tools to troubleshoot any
concerns quickly

Failed Request Tracing

Runtime State and Control API.


HiChina

-

Reduced Application downtime by 99% for applications that were moved to


Windows Server 2008 and IIS.

Reliability

Independent Commentary

Hostbasket


“There hasn’t been any downtime for customers since [our migration to IIS in] August 2007

and that’s
rare.” “That’s one of the biggest benefits we can offer to our customers.”

Parking.Ru


“Even though our test hosting environment was based on a beta version of Windows Server 2008, we
experienced no failures of critical services for six months

no system restarts, not even a single
emergency situation.”

Ad Host


“We create a smaller footprint with IIS 7.0, which is important from both a memory point of view and a
security point of view.” “In terms of stability, we’ve been running Windows Server 2008 for two months
now and have been monitoring it every three minutes from five different Web servers. So far we haven’t
seen even a flicker of downtime.”

Modularity

“Which is more modular, IIS or Apache?”

IIS 7.0 Modularity

Server functionality is split into 40 modules

Only 10 modules installed by default

Modules and a Generic Pipeline

Extensibility

Modularity

Independent Commentary

ServiceU


The modular architecture of IIS7 and its integration with the newest version of the Microsoft .NET
Framework contribute to increased Web server performance.” “These same characteristics provide a
customizable platform where specialized server components such as authentication and logging can be
extended or replaced.”

TeaLeaf


"IIS7’s modularity is a good thing for us, particularly because we are writing system
-
intensive applications,
especially so when you start replaying sessions through a browser. On the capture side, the modularity
makes it much easier for us to add our parts into our customers’ application servers. Also, it’s exciting to
not have to work within the confines of an ISAPI filter.

WeatherBug


“We really like the ability to pick which components of IIS 7.0 we need

whether it’s using the integrated
mode to run ASP.NET applications, using the classic pipeline to run ASP.NET through the ISAPI filter, or
just running a streamlined HTTP Web server.”

MaximumASP


“We can install Windows Server 2008 at a more granular level than previous operating systems.” “By
specifying the function of a particular server, we can install only what we need, which means that the
servers are more stable and less open to vulnerabilities.”

Innovation

“Is IIS or Apache a more innovative platform?”

IIS 7.0 Innovation

IIS 7.0 Admin Pack

URL Rewrite Module (Technical Preview)

PowerShell

Provider for IIS

Remote Manager


IIS 7 UI for Down
-
level
Clients

Web Playlists


Innovation

Independent Commentary

Elima


“Microsoft really listened to the hosting community when it developed Windows Server 2008. The changes
in Internet Information Services 7.0 mean that we can tailor the system to do exactly what we want.”

SpotRunner


“IIS 7.0 is a more feature
-
rich platform than previous Web servers. IIS 7.0 reduces the amount of
foundational technology, such as logging and auditing, that we need to develop on our own and thereby
simplifies our services and, ultimately, our systems.”

TeamZoneSports


“We’re able to add functionality every month because we use integrated development technologies from
Microsoft.” “It doesn’t take much time or effort to include new features, so there’s little risk in
experimenting to see how innovative we can be to add value.”

Cason


“What we've learned from the experience is that the technology platform from Microsoft is the strongest
foundation on which to build our offerings"

Continental Airlines


“With IIS 7.0 we can provide rich infrastructure right out of the box.” “That’s less code we have to write for
infrastructure and more code we can write about the business of Continental Airlines.”

Troubleshooting

“Is IIS or Apache an easier platform to troubleshoot?”

IIS 7.0 Troubleshooting

Detailed Error Messages

Verbose Error Messages

Suggests Causes and Solutions

Details include configuration sections in question,
modules in use, page, etc.

Failed Request Tracing

Allows for custom failure criteria per URL

Persist Failure Log Files beyond process lifetime

Common Usages

Request take too long

Request Error (completes but with error code)


Troubleshooting

Independent Commentary

Parking.Ru


"Before, a script could cause problems for any number of sites, and tracking it down was difficult and
consumed a lot of IT resources. Now, with IIS 7.0, we see how the clients' scripts are running in real time.
Although third
-
party vendors provide solutions for resolving script
-
related problems, now this functionality
is built
-
in and operates at a core level. For us, as a host service provider, this feature turned out to be very
important.”

Continental Airlines


“The troubleshooting features in IIS 7.0 have been enhanced by leaps and bounds, at the end of the day,
what matters to us and our users is not just how well our IIS applications run, but also how fast we can
troubleshoot them if they go down.”

Combell


“Before, when a client’s Web site wasn’t performing well, the old debugging tools provided a lot of output.”
“With 500 Web sites running, it was nearly impossible to find the relevant error information. Failed request
tracing in Internet Information Services 7.0 makes it a lot easier to see just the requests that we’re
interested in, with the status codes and other details that we need to debug the site or the application.”

CrystalTech




IIS 7.0 allows us to pinpoint which particular script is causing which particular problem.” “It helps us
quickly resolve problems we deal with on a day to day basis.”

HostBasket


“There’s nothing cryptic about it. If something goes wrong, we track it, repair it, and quickly finish the
configuration.”

Application Support

“Does Apache support more Applications?”

IIS 7.0 Application Support

Extensible, modular architecture


add, remove or replace any built
-
in module

Enhanced ASP.NET integration including unified configuration, HTTP runtime
and administration tools

Caching support (kernel and user) for all types of dynamic content

Built
-
in
FastCGI

support for Open Source frameworks such as PHP and Ruby.

Strong integration with other Enterprise Products such as SharePoint

Extensive Support for Streaming Media


Application Support

Independent Commentary

TeamZoneSports


“By adopting Microsoft technologies and services, we’ve been able to create a flexible way for people to
quickly communicate, whether it’s through the main site or through a mobile application.”

CrystalTech


“We can work with whatever our customers want to write,” says Thompson. “They have access to ASP,
ASP.NET, PHP, and Perl as well.”

TCO

“Does IIS or Apache have the lower TCO?”

IIS 7.0
-

Cost of Ownership

Rapid Troubleshooting and Minimized Downtime

Minimized Surface Area

Isolation and Sandboxing

Scalable Multi
-
Tenant Hosting

Less Expensive Administrator Resources to Maintain

Delegated Control to Site Owners

Strong Microsoft Support Resources



HiChina

-

Reduced System Management costs by 10%

-

Saved nearly 20% in overall maintenance and operating costs.

TCO

Independent Commentary

Aruba.IT


“At
aruba.it
, Italy’s largest hosting service provider, Microsoft found that the TCO of its existing
Windows®

based shared hosted services was 16 percent lower than the TCO of its Linux

based
offerings. Moreover, the contribution margin from the Windows

based services was 14 percent higher
than the contribution margin from the analogous Linux

based services. Finally, the profit margin for
Windows was 81 percent compared to 77 percent for Linux”.

Pipex


“From what we’ve seen so far, we think it will be possible to significantly reduce the amount of ‘tin’ in the
data center. IIS7 appears to offer a great TCO benefit.”

Mosso


“We’ve reduced our hardware requirements by 16 to 25 percent,” says Odom. “We used to have to
dedicate servers to replication. With IIS 7.0, we were able to take those servers and dedicate them to
serving Web traffic.”

PHP Applications

“Is Apache the best platform for PHP?”

IIS 7.0 and PHP Support

Consolidate .NET and PHP applications on a
single server

Consolidate Web and Other Server
Management Frameworks to a single
platform

Better Web Platform Management

Host on Minimal / Headless Server with
Server Core

Powerful Media Serving

Microsoft Supported Solution


PHP Applications

Independent Commentary

Ad Host


“Being able to support peripheral components like PHP is going to be a big selling factor for us.”

Combell


“In the past, if a customer asked for PHP hosting, we offered them Linux; if they asked for ASP or
ASP.NET hosting, we offered Windows Server.”


“Now we have a bunch of test customers running PHP on Internet Information Services 7.0 and it is
working very well for them. The more customer requirements we can support with one operating system,
the more experts we can have developing new solutions on that operating system.”

Summary

IIS 7.0 has:

A Modular and Extensible Architecture

Deep integration with .NET Applications

Improved Security

Agile Administration


Built in Troubleshooting Tools such as Request
Tracing

This leads to a Web Platform that is:

Streamlined

Easy to extend

To Manage

Quick to Troubleshoot

Highly Secure







IIS Resources

Technical Communities, Webcasts, Blogs, Chats & User Groups

http://www.microsoft.com/communities/default.mspx


Microsoft Learning and Certification

http://www.microsoft.com/learning/default.mspx


Microsoft Developer Network (MSDN) & TechNet

http://microsoft.com/msdn


http://microsoft.com/technet


Trial Software and Virtual Labs

http://www.microsoft.com/technet/downloads/trials/default.mspx


IIS.Net

http://www.iis.net


http://forums.iis.net


http://blogs.iis.net


http://www.iis.net/downloads

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be re
gis
tered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the
dat
e of this presentation. Because Microsoft must respond to changing market conditions,

it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
inf
ormation provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.