From Netcraft’s latest web survey: “Microsoft adds 2.4 million sites this month, pushing the total number of sites running on Windows servers past 40 million, and helping Microsoft improve its market share by 1.01% to 32.8%. The open source Apache server has an increase of 556k, and slips back 1.11% to 52.65%. Google gains 592k sites this month, and now has 4.35% share. In active sites, Apache is now at 49.98% share, less than 14.5% ahead of Microsoft. While that’s still a considerable lead, Apache had a 33.4% advantage at this time last July, meaning MS has cut its deficit in half in the past 12 months.”
Apache is one of the best servers with lighttpd. I don’t understand why people still pay for an insecure beast like IIS.
I don’t understand why people still pay for an insecure beast like IIS.
IIS is insecure? How is that?
Please check your facts.. IIS did not have any security problems for years now. I don’t think there was a single critical hole found on it in last 4 years or so.
Not to say that it is perfect or that there won’t be something found eventually, but to call it “insecure” is simply out of touch with reality.
To be more specific, it’s IIS6. IIS4 and 5 were buggy and terrible. IIS6 is much more secure and has had very few security holes. Less than apache.
To be more specific, it’s IIS6. IIS4 and 5 were buggy and terrible. IIS6 is much more secure and has had very few security holes. Less than apache.
Well, I don’t remember any major security holes in IIS 5 in the last 4 (or so) years. It’s not like MS didn’t fix IIS 5 too.
Uh…what? That’s because IIS6 was released 4 years ago. IIS5 was released somewhere around 7 years ago.
Secunia lists 14 vulnerabilities for IIS5, but their list only dates back to 2002. Some of those are highly and extremely critical. 1 remains unpatched.
IIS4 and 5’s security was poor. 6’s is good. What point are you trying to make?
What point are you trying to make?
What point am I trying to make? That IIS5 is quite secure today, so it is not only IIS6 as you said it. Who cares if IIS5 was insecure in 2001? Today is 2007. Software products get fixed by updates, you know.
But IIS5 has a bad history.
IIS6’s track record shows there was a true commitment to improving security and is more reliable and worth trusting.
Maybe because IIS 6.0 is secure:
http://secunia.com/product/1438/?task=statistics
in comparison to Apache
http://secunia.com/product/73/?task=statistics
and easy to manage (the latter is my personal opinion and might be wrong).
From secunia site:
“PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.”
Apache is equivalent of IIS in security. You just need to read the ENTIRE report to understand why.
Uh. Ok. 3 vulnerabilities in over 4 years for IIS6. 1 rated not critical, 2 rated Moderately Critical. 1 of the latter 2 only worked if the admin enabled remote administration (probably not a great idea).
33 vulnerabilities for apache 2.0 in over 5 years. 3 still unpatched. 2 of the 33 which were rated highly critical.
How exactly is apache equivalent?
No security advisory in all of 2007 so far and all critical holes are patched.
The ones unpatched for such a length of time are clearly dismissed by the apache dev team, and even secunia agrees to them being non critical.
And secunia only lists vendor supplied or publicly listed vulnerabilities, MS stopped making that information available and now silently patches vulnerabilities they detect in-house.
And secunia only lists vendor supplied or publicly listed vulnerabilities, MS stopped making that information available and now silently patches vulnerabilities they detect in-house.
That makes zero sense. It isn’t necessary for MS to provide reports of vulnerabilities because THE FLAWS WILL BE FOUND AND REPORTED BY THIRD PARTIES, ANYWAY. Security through obscurity isn’t effective at containing vulnerabilities. This has been proven time and time again. So, really, you’re completely speculating when you suggest that MS is hiding vulnerabilities in IIS6, when Apache compares so poorly.
That makes zero sense. It isn’t necessary for MS to provide reports of vulnerabilities because THE FLAWS WILL BE FOUND AND REPORTED BY THIRD PARTIES, ANYWAY.
In a perfect world maybe, but in reality not everyone who finds a flaw will report it. Case in point, someone else already provided a link to symantec’s website which describes a professional kit called MPack which is sold by a Russian gang. They would obviously have no interest in reporting vulnerabilities they find.
The same can be applied to Apache as well, so the point is moot since it is too much of an unknown factor.
Ah, no it can’t. My point was in reality not everyone who finds a flaw will report it, and I can assure you it is neither moot nor unknown.
What you are missing here is that Apache 2.0 is timeline equivalent of IIS3/4, IIS 5/6 are much closer time-wise to Apache 2.1/2.2, which are supposedly much more secure rewrites.
I must admit IIS 6 is getting strong recommendations from my Wintel colleagues, personally I’d stick with what I know as a Unix admin, but given the people telling me things have changed drastically I’d give IIS 6 a go.
The crux of it is, either will be swiss-cheeseware if misconfigured.
Apache 2.0 was released to the public in 2002 and IIS6 in 2003. Not that far off.
IIS is not insecure. At least since v6 which has had a near perfect track record.
What annoys me about IIS is how crippled it is (no ModRewrite / htaccess equivalent) and that you have to buy the Pro/Business versions of XP/Vista to get it, when you can download Apache for free and use on any system.
I’ve seen people who had to buy a £160 WinXP Pro licence just days after buying a new laptop because it came with XP Home and they didn’t realise XP Home is crippleware and didn’t know any better about servers/software.
There are a few ISAPI modules out there that bring the ModRewrite functionality to IIS, although I don’t recall seeing any high profile web sites using it for search engine friendly URLs.
As for htaccess, doesn’t web.config cover some of that functionality?
“although I don’t recall seeing any high profile web sites using it for search engine friendly URLs.”
A lot of asp.net sites use homegrown solutions for URL rewriting. I’m still surprised that ISAPI_Rewrite (which is functionally equivalent to mod_rewrite) hasn’t gained more traction, but then again URL rewriting didn’t really even become an asp.net buzzword until just a couple of years ago, which is something else I find a bit odd given other frameworks have had it for ages now.
IIS does appear to have support for .htaccess files, but it’s quite limited. E.g., only works for simple username/password protection of specific folders – doesn’t support customizing mimetypes, specifying default documents (or allowing/disallowing directory listings) for an individual folder, etc.
I think that today security, stability and performance are not enough. IIS is closing the gap. Apache needs new features for web authors and developers.
I am quite sure that some variant of ASP-like vbscript and server side javascript would help. Microsoft oriented developers would love vbscript, and almost everybody would like javascript.
It does not have to be 100% ASP compatible, just close enough. I think that there are ASP developers that have not embraced ASP.net, just like VB programmers still use old VB 6. I am sure that those folks would appreciate that a lot.
I am quite sure that some variant of ASP-like vbscript and server side javascript would help. Microsoft oriented developers would love vbscript, and almost everybody would like javascript.
I had often contemplated the same thing, however the problem is that ASP coders use a lot of COM objects. Most are third party (since ASP had such a poor library). For example, if you wanted to do an http GET, you needed a third party component.
In reality PHP is close enough to ASP for those old skool ASP coders, and it works well on windows servers as well.
I am aware of COM problem. On Windows, developers are still going to be able to use COM for some time. I’ve heard that ASP.NET is radically different from old ASP, and supposed “Apache ASP” might be more compatible even on non Windows platforms.
ASP interface to COM objects are nothing else but wrapper classes and methods which could be rewritten to point to something else by the community of developers who might be interested to use them.
Old school ASP and ASP.net 2.0 are completely and totally different critters, sort of like VB6 and VB.net.
It’s interesting to see those major changes have happened to the market shares, while there was not any major change over either platform.
That’s what happens when hosting services become pawns in a battle for Netcraft superiority.
As lighttpd found some popularity, it’s time to give some attention to nginx http server which is even lighter and faster than lighttpd.
I’m a bit surprised by the number of Google-sites that suddenly pop up in the market share graph… they don’t really mention Google as being special, but it’s an enormous amount of servers they have there… And it seems a large increase, judging from the graph… perhaps it wasn’t counted before this survey?
In regard to nginx (pronounced “engine x”): I must add that I really like it too! It’s a good server, nice code and features, just the documentation could be a bit better (primary is in Russian). But the author is very helpful, fortunately, on the list, and there is a wiki you can contribute to.
Netcraft isn’t counting the number of servers (something that would be near impossible for them to do.) They’re counting the number of web sites. Google is hosting web sites now with their Google Apps service. This is what Netcraft is counting.
IIS I know, Apache I know, Lighttpd I know, what the heck is the Google web server? What is it based on?
After googling for GWS, it appears to be a customized Apache, which would explain some of the apparent Apache loss. To me, it should be a subset of Apache. Am I correct?
[EDIT: results of googling added]
Edited 2007-07-17 15:49
First, most companies have large windows support teams, and very small *nix teams (or no *nix team at all). So when they need to put up a web server they of course install windows.
Second, most windows people believe without a doubt that IIS is secure. Whether IIS is secure or not doesn’t really matter because they think it is secure, so they install and use it.
I don’t suspect this to be the norm, but I’ve been told by a few other IT guys that they switched from apache to IIS because of something to do with SharePoint.
I know IIS has gotten safer and better over the years, but I personally would rather support apache or some other open source web server.
At the end of the day though statistics don’t really mean a lot to me. You see numbers fluctuate all the time. So many factors and details aren’t accounted for or simply left out. Of course the worst part is some people base their buying options on those flawed statistics.
Six months ago I was having a job interview for a small-ish size company that provides networking & service plans for businesses (the local credit unions, etc), along with a bit of in house webhosting & webdesign.
I remember touting my almost 10 years of experience with unix/linux/bsd & opensource stuff (as I was hoping to get in on their hosting side of things)… wow, that was a big mistake. The reaction I got was basically “none of that is important to business”…
And even worse, they seemed to have it in their minds that OSS was mutually exclusive with all microsoft & windows stuff — and if I knew OSS stuff that meant I didn’t know anything about MS stuff.
This is the kind of strange mentality that many business-type people have — they create their own self-fulfilling prophecies by making decisions based upon what they think everyone else is doing.
This phenomenon is how A LOT of IIS sites get online.
Funny story about that. Years ago I worked for a company that prided itself on its Microsoft Partner status. Everything was Microsoft. Well, there were two of us Linux dudes at the company. We were considered oddballs. However, in order to be Microsoft Certified Solution Providers, they had to get some people with Microsoft certifications. Well, most of the Microsoft people had trouble passing the tests. So us Linux dudes went off and passed the tests and got certified so the company could meet its goal.
The point is, just because you like Linux, or are an OSS enthusiast, does NOT mean you are ignorant of Microsoft technologies. I am a .NET developer, and am very familiar with setting up Winders boxes. I just prefer Free Software for ethical and personal reasons.
iis is really hard to maintain. the settings are spread over multiple pages. with iis6 these are exportable to xml but not really human readable. ever tried to find quickly to which site a hostheader belongs? good luck. the apache way of having a file with all the settings for that site in it is really a bliss. i have a perl script which generates a config file for me, i tried the same using vbs for iis but the lack of transparency held me back.
iis can handle the same load as apache and is just as secure, claiming otherwise means most likely the administrator is incompetent. the rise of iis is likely due to many people switching to .net 2.0. so, i expect to see a drop again in about 1 year
IIS7 is pretty much the same thing, only it uses .config files buried in system32/inetsrv instead of an exportable xml. I am not an admin, but I find at least for development purposes the config tool is very straightforward and easy to use.
I do agree with the rise being due to .net, but I don’t agree with it dropping again. I was a diehard Oracle/Java/JSP zealot for years, but now that I am doing freelance work for smaller companies, that stack isn’t exactly time efficient for development. Been using ASP.net 2.0 for awhile now, and it is really a dream to code in. I find that they are doing the best job of bringing OO concepts to front end web development, and I am consistently surprised by how quick I can bang out a small webapp. It is far from perfect, and when the nifty tools fall short on something, it often takes some rather inelegant hacks to get things the way you want them. But overall, ASP.net is IMHO one of the best platforms MS has ever put out.
100% agreed. And its speed and flexibility are quickly filling the gap with Oracle/Java/JSP stack, though I believe the latter still has some advantage.
Oracle/Java/JSP still has a lot of advantages. I have yet to be involved in a major asp project, but I can say from experience that J2EE scales up pretty much as far as you need it. The problem is that it doesn’t scale down that well. If you are going to be doing big enterprise software, that isn’t a problem as you are going to be writing colossal amounts of foundation code anyways. But if you are just banging out a database front end with some real basic business logic for some small business, the differences are pretty big. On the other hand, J2EE is an industry standard for a reason. The platform is stable, robust, secure, and very rich. So far, I have yet to see anything like EJBs in .net.
A lot of ignorant comments on this thread – most of it from people who have no experience with IIS or ASP.NET and speculating about it. If you don’t know the platform, don’t criticize it.
IIS is extremely easy to admin, even for 100’s of sites – I’ve done plenty of this – just learn how to use adsutil.vbs. If you are smart enough to work with httpd.conf/.htaccess, etc then you can learn the metabase.
.htaccess/mod_rewrite – .htaccess is handled by the metabase and there are tons of 3rd party/open source projects in ISAPI or ASP.NET where you can do the same thing
security – as mentioned by many posters, saying IIS 6.0 is unsecure is just plain wrong
J2EE vs .NET – don’t want to get into a religious debate here, but from a capability perspective they’re equivalent. From a developer/ease of use/productivity perspective, it’s not even close – the .NET platform is the way to go – it’s had the advantage of learning from Java/J2EE’s mistakes. This by the way is the reason why Microsoft’s web server share is increasing. Many J2EE shops are migrating.
IIS is secure enough. You don’t need to choose between it and other webservers for that reason.
Apache is free and there are cheap GUI apps that make Apache every bit as friendly to configure as IIS. Some *nix distros include free GUI programs to configure it as well.
Lighttpd and GWS are gaining marketshare, so they must be an enticing offering. Either way, they run on *nix systems as well.
that make Apache every bit as friendly to configure as IIS
Friendly? I hope you’re kidding.
While IIS may seem friendly at first, you are in for a world of hurt when trying to: a) manage a large number of sites or b) want to migrate those sites to another box.
Sure, MS brought in an “xml” format, but that doesn’t mean that configuration migration is as easy as copying an xml file between machines. Those config files have *machine specific data* which makes them unportable. While there are scripts out there that can ease the pain, beware if your configuration includes ssl sites … I’ve had bad results which resulted in a long night of entering IIS configurations manually. Try adding 100+ sites manually and you’ll see how poor the IIS UI really is.
— former MS network admin
iis 7 in Windows 2008 server has one config file (much like httpd.conf) which you can copy to the other 100 sites to duplicate webservers
fyi
cheers
anyweb
I’ve worked with both quite a bit, and have never seen any recent evidence that IIS is less secure than Apache.
Apache is much more flexible than IIS, and its configuration is accordingly more complex, at least in theory. Of course, most people don’t use all of the myriad advanced features Apache offers, so its complexity never enters into it.
I don’t have a preference. I do both Rails development and ASP.NET development. With Rails I use Apache and with ASP.NET I use IIS. Both work very well.
Does Netcraft count all the parked web sites that don’t belong to anyone? I remember when parking first appeared, it counted for a huge rise in IIS numbers because a large hosting service (godaddy maybe) moved everything to IIS. I don’t think those pages should be counted because even a perl script can serve out a static page like that.
From TFA:
“In active sites, Apache is now at 49.98% share, less than 14.5% ahead of Microsoft. While that’s still a considerable lead, Apache had a 33.4% advantage at this time last July, meaning MS has cut its deficit in half in the past 12 months.”
NetCraft’s definition of an ‘active’ site:
http://survey.netcraft.com/index-200007.html#active
So in a nutshell, if you only count active sites, MS is actually gaining even more ground than if you count all sites (parked and otherwise).
Everyone concentrating on the percentages and share when fact is…
Everyone had growth in actual numbers. MS didn’t ‘lose any installations’ and neither did Apache. Yes IIS saw more growth, but nobody actually ‘LOST’ anything.
If you treat Google as Apache (since it is just a fork) adding their numbers for ‘active sites’ together, Apache had a 2.1% growth in installs and IIS gained a 4.1% growth in installs (at least for active sites).
Bottom line there’s room for both and both are growing.. but of course that’s not sensationalistic enough so we have to use ‘share’ to make somebody look like the loser… The article using share makes it sound like there’s a great egress from Apache, which is the farthest thing from the truth. More people are using Apache today than a year ago, AND more people are using IIS than a year ago.
Ah, card stacking… Stating some facts while omitting others – at least netcraft lists their actual numbers so you can make the real determination, instead of just throwing out meaningless percentages only like another recent article.
Edited 2007-07-18 03:52
Uh. Actually Apache did lose market share. Market share is percentage of the total market, and that percentage went down.
It’s a pretty simple concept.
Everyone concentrating on the percentages and share when fact is…
Absolute numbers mean nothing if not compared to other players. And the only sane way to compare is % share, not absolute value.
Yes, Apache increased its number of websites hosted but, as article correctly states, IIS gap is less than half it was 1 year ago. That’s a huge gain.
When numbers are too big to be analyzed as units, % becomes the notable value. That’s normal not only for websites but in every field of society.
The analysis here on the ‘trend’ is pretty thoughtful:
http://searchenterpriselinux.techtarget.com/originalContent/0,28914…
The numbers are a lot more complex than they appear to be at a glance.