Servers

Is Apache inherently more secure than IIS?


Richard Stiennon at ZDNet argues that Apache is inherently less vulnerable to attacks than IIS, because it makes less system calls over the course of serving an HTML page, and is therefore less vulnerable to things like buffer overflow attacks. The argument, while have some prima facie appeal, is specious. Let us examine in depth the truth about what he says:

Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture.

It is odd, but I cannot remember the last time a Web server was exploited on basic static HTML serving functionality. Why? Because there is nothing to attack! The serving of static HTML pages simply does not leave room for a buffer overflow, because the server is not running any arbitrary code; all it is doing is mapping the URI request to a local file, and streaming the file to the client with the appropriate HTTP headers at the top. That is it. How are you going to attack that, except for attacking the method that the server uses to process the headers, or maybe getting it to serve a file it should not?

The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.

I can agree with this. Except there is one little problem: Apache cannot be compared to IIS! Take a close look at what Apache does, out of the box: it serves static web pages. CGI is disabled by default. Even if CGI were to be enabled any vulnerabilities at that point are not in Apache, but with whatever is fulfilling the CGI request. IIS, on the other hand, has all sorts of functionality built into it, such as running ASP scripts, .Net applications, and so on and so on that Apache cannot do without the aid of third party (or non-default) extensions. What does the system call tree look like for the entire LAMP stack compared to the Windows/IIS/ASP.Net/SQL Server stack? I bet they look much more similar. Sorry pal, but you are using an apples-to-oranges comparison when comparing IIS’s system calls to Apache’s.

Furthermore, how often does the Web server itself get attacked? Not nearly as often as the applications running on the Web server. Poor programming habits (such as not properly validating data, misuse of routines line printf() on input that was not validated, and so on and so on) are the cause of Web application vulnerabilities. There are not many Web server vulnerabilities out there now, or ever.

Poor systems administration is another source of common attacks. I don’t care what OS you are running, when you have your Web server running as root or Administrator because that is easier than properly setting up permissions, you have a problem. A Perl script that is running as root outside of a chroot jail is much more of a problem that even the naughtiest ASP.Net application running on IIS as a restricted user. Period.

Ignorance and laziness are the root cause of the vast majority of security breaches, not the server’s OS or application stack. PERIOD. No OS or Web server in the world will protect you if a programmer sticks the input from a Web form into the WHERE clause of a SELECT statement against a SQL injection. No amount of anti-virus or anti-whatever will help you if you have a sys admin who lets the user upload a file to an area outside the acceptable area and then execute that file while the Web server runs as root. No firewall will save you if the programmer uses a function with a known vulnerability on data that has not been scrubbed.

Those are the facts. Mr. Stiennon, I suggest that you learn the facts. You may not be a journalist and just a blogger (I am assuming by that, you mean “I write subjectively, not objectively” which equates to “this is my opinion, not fact”), but you still have a responsibility as a representative (employed or not employed) of a publication that is well regarded.

J.Ja

About

Justin James is the Lead Architect for Conigent.

29 comments
thexder1
thexder1

There are some flaws in your argument about IIS vs Apache. The major flaw in your argument is that you said that there are more system calls because IIS has so many other capabilities that are active. As has been proven time and again when there are more capabilities turned on there are more possible security holes. Just like in Windows you want to keep all services turned off that you aren't using because they can provide ways of hackers getting into the computer as well as use extra resources. You are correct in that the biggest problem is with the administrators not knowing their job well enough to close security holes. I believe that most Linux administrators do keep the security holes closed up because Linux does generally take more technical knowledge to run than Windows. I believe that Microsoft does have a bad design in their operating system and pretty much all of their other products. The only thing that Windows really has going for it is that it is easy enough that almost anyone can get it running. Linux takes a lot more to get running but if you know what you are doing it will normally be much more secure. I am not going to get into all of my problems with Microsoft but this at least gives you an idea of where I stand in this argument.

Jaqui
Jaqui

Apache is more secure than IIS, because the http server project team has made a concious decision that security is a primary concern. They purposely decided to limit default configuration to basic static html and to disallow many features built into a base apache installation for security reasons. Apache, without adding any more modules, can serve far more than static html, and allow far more activity than it seems, if you remove the rstictions put on it for security in the configuration file. shtml files are available in the default install, if you enable server side includes. conditional files, such as language specific versions of a website can be served with a basic install of apache, if you enable that functionality. Apache is also a local network file server and application server, with only the default install, if you want. Not recomended, adding authentication module(s) before enabling that is recommended.

jdawgnoonan
jdawgnoonan

IIS is not more reliable than Apache. I currently manage quite a few web servers for the Army and have been in this business for a long time. IIS 6 is only superior to the previous versions of IIS (they were terrible, IIS 6 is not terrible), however Apache is far superior.

aawolfe
aawolfe

Some of your arguments about "Apache has a simpler function map because it's less functional out of the box" do make sense, however I think you are missing something rather fundamental: Not all attacks on a web server come via HTTP from a remote host over port 80! In the simplest example, a static HTML page, either Apache or IIS *can* have an exploitable flaw triggered simply by serving up my specially crafted HTML page that contains the stack smashing, buffer overflowing, system owning code. It really doesn't matter at all what remote client requests it because the remote client has nothing to do with the attack. Rather its the HTML that I loaded onto the server via some other exploit, some insecured file share, some long forgotten FTP site still lurking on the network. Now, in this very real world situation, would you rather have to worry about thousands of interactions between system calls that are almost impossibly complex to trace, or a simple modular design with predictable and logical layout? I hope I've been clear, I am not always the most eloquent guy but I think its an important point to make.

baboval-com-com
baboval-com-com

I'm sure you had a hard time concentrating when you wrote this since you must have jerked your knee pretty hard into the underside of your desk, but that's no excuse! You say "Richard Stiennon at ZDNet argues that Apache is inherently less vulnerable to attacks than IIS, because it makes less system calls over the course of serving an HTML page, and is therefore less vulnerable to things like buffer overflow attacks." He says: "Windows is inherently harder to secure than Linux." Congratulations, you debunked an argument he wasn't making.

TINS
TINS

I am so tired of listening to idiot Windows users like yourself discussing things which you have no true understanding of.

cartrev
cartrev

I think you are missing the point by attacking the example. I believe that Richard presented the fact that Windows is implemented in a less modular, more complex way, with a lot of interdependencies (sometimes no so obvious). This is a fact accepted even by Windows development teams who are working in documenting the interdependencies and streaming the code to make it more modular. In Richard's opinion (and I agree) that complex code opens more opportunities for hackers to try for vulnerabilities, and make it more difficult for the developers to test against possible attacks. The complex code can be a result of more capabilities supported or caused by the historic evolution of Windows, it does not matter, the fact is that Windows is implemented in a more complex way.

Shaun.G
Shaun.G

The age old arguments... pc v mac windows v linux and others iis v apache Its all the same argument... it boils down to simple arguments and some are ones of policy: 1/. Economic reasons 2/. Logistical reasons 3/. Use of use 4/. Knowledge 5/. Preferences (the most important) 6/. security (not eery one understands how things work, and are not able to get or obtain or afford to get the right expertise to set up various items of software 7/. lack of awareness of security and how vulnerable they are or not And I am sure that there are many other valid reasons besides the ones focused on here. As I said, I do not profess to know the products, I use IIS - its available, its user friendly, and I have tried to use apache but I am not able to get past the idea of running the "welcome to apache" web page. I do not have the expertise available to me to do it... And before you think I know nothing I worked in computer for 6 years, and so I think I know how to turn them on and off... and I am now studying law. My priorities changed from which os, which web server and what anti-virus to use... Where there is will, there is ALWAYS a way to bypass ANY security. If man made it, man can break it... it requires time and effort, and perseverance and it can be done. So arguments about security are genuinely futile, and we can only endeavour to try our best to be secure against attack and have good service management, problem management, change management, and back up strategies in place.

Justin James
Justin James

Jaqui, I missed this thread's revival, when TR switch to WP, I lost any subscriptions to threads on already posted blogs, so please forgive the tardy response... I agree that the Apache team has put forth a lot more effort (with overall better results) than the IIS team. I also agree than Apache is beats the pants off of IIS for static HTML serving. Indeed, although for more complex configurations, httpd.conf is more effort to work with than IIS's click-n-point GUI, for a static HTML site, it is just as easy (if not easier). That being said... To judge the security of a piece of code on the number of system calls it makes is just silly. If a program makes a lot of system calls, it is simply pushing responsibility to the OS. Of course, skill of sys admins being equal, a *NIX server will be more secure than a Windows server. Therefore, Apache's call stack could be twice as nasty as IIS's without necessarily hurting the security. If anything, those system calls are hurting performance more than anything else. Viewed another way, what if IIS only made half as many system calls as Apache did, but all of those calls were with root permissions and using printf() with no validation of anything? It would certainly be a wet napkin, security wise. I do not debate the idea of IIS being less secure than Apache; I debate the idea of it being *inherently* less secure, based on the number of system calls that the code makes. J.Ja

Shaun.G
Shaun.G

I wont begin to pretend I understand either, however I do know that it is easier for me to use IIS than Apache. Also, a few things that are all unrelated to the essential gist of this topic... As far as my knowledge goes... 1/. IIS can access or give access to a number of 'web sites' on different drives and different computers, and Apache cannot 2/. IIS can set up FTP to run on the c: drive but the actual directory structure can be on various other computers, but apache is locked to one area 3/. Setting up Apache is inherently not user friendly at all, and IIS is. Now, like I said, I do not know either especially well, and I do know IIS has its flaws too... as does any product on the market... and essentially we use what we are comfortable with, what we know, and what we like... so just because one or more people do not like it, does not mean that its not good or in fact that it is good. Simply, does it meet the required need at the time? Yes, then no problem. We can fall into the trap of over analysis of products. They do similar jobs but are different. EDIT: just bringing it up again :)

Jaqui
Jaqui

since Apache doesn't execute any code in a static html file your example doesn't hold water. unless the exploit is in the network interface card's driver, there is zero interaction with the system for your example to work with. Apache reads the file into it's own ram stack, then pushes it through the network interface without involving the system at all. a shtml file, yes, your system would work, but then, that isn't a static html file.

Shaun.G
Shaun.G

My reply "idiot window users..." Your great lack of understanding of the word idiot is clearly demonstrated!

seanferd
seanferd

Right down to the box into which you seek to stuff Justin: "Windows user". How illustrative and precise you are! edit: And why am I replying to a thread from 2007? I don't know! Why is it the active Discussions list? Oh, wait. I see who pulled it up.

my-hi5
my-hi5

I have to agree with Shuan here 100%. To make such a generalization is outright obnoxious and you should be ashamed of yourself. It seems that everywhere I go there is always a comment like yours, very rarely do I see a comment going the other way. Think before you post

Justin James
Justin James

... I just replaced my FreeBSD 5.3 server at home(running Apache, thank you kindly) with a FreeBSD 6.2 server (also running Apache). I spent a lot more time with my head inside Apache and writing CGI/Perl code than I have with IIS or .Net. So to call me a "Windows user" is really far off the mark! J.Ja

Shaun.G
Shaun.G

To make such grand sweeping statement demonstrates an entire lack on intelligence on your part, TINS. You do not know ALL the window users in the world. There are about 6.5 billion people in the world, and you do not have enough time in your life to meet or ever meet or ever will have met, all the window users in the world. So, please, be sure of what you write before you write it. Its people like you that cause problems. If you dont like to use windows, fine, dont use it, but I bet that you do use windows, as many software developers develop for windows as it is so popular. And as for discussing, please go and re-read the article which, quite obviously, you have failed to comprehend...as the author quite clearly states, its his opinion. Furthermore, since you have not met (I am 98% certain of it) the author of the original article, you cannot determine his intelligence...however you display yours quite blatantly. Please ensure you read an article before passing unsubstantiated unvalidated comments.

crysis35
crysis35

Linux and UNIX are not magically more secure than Windows. It is up to the Administrator of all three to make sure his sever is setup correctly and secure.

crysis35
crysis35

"We can fall into the trap of over analysis of products. They do similar jobs but are different." I have that problem myself. You really just have to pick the best product for what you need and/or want. Over analysis ---> time wasted ---> frustration

aawolfe
aawolfe

And how exactly does apache read a file into it's ram? how does it request that ram be allocated by the system? how does it establish a socket, how does it pass data to the ip stack and ultimately to the network interface? The answer to ALL of these questions is calls to the OS. To say Apache "pushes it through the network interface without involving the system at all." really shows a lack of understanding, I mean do you think apache ships with an IP stack or NIC drivers??? Of course it does not. I think that upon closer inspection (or more careful thought), you might want to rethink your evaluation of my example.

crysis35
crysis35

By the way, no disrespect intended with my replies. ----- The only two things that I can say with Windows is that there are more viruses that target Windows (not to say that Windows will get a virus quickly, just that there are several viruses for Windows compared to Linux and Unix) and that you need to install an anti-virus on Windows (which it would be wise to put one on Linux and Unix as well, since they have the potential to catch a virus as well...if someone does not run an anti-virus on their Linux or Unix box, how can have some way of potentially knowing that they do not have a virus on their Linux or Unix box?). Other than those two cons for Windows, Windows is secure out of the box. On Vista - 8 you run as Administrator by default, but you are running as a limited user via UAC. This is similar to Ubuntu. You install as a limited user with sudo access to root. Windows XP is a different story (you run as the Administrator with full rights by default), however the user had the ability to setup themselves up a limited account. ---- "As for your friend if they where getting their Nix and Sun systems constantly hacked I would very much suggest unless there where Honey Pots and deliberately left open for abuse they need to get a job in a position that they could handle." Just because Linux and Unix got hacked all the time, is no proof that they could not handle their jobs. People are just people. They cannot be superman or something and permanently stop hackers from getting in. This was at a large university. Goodness knows who and how many people who were working on hacking the Linux and Sun servers at the university. "Sun Servers tend to be used in other places where Security Is Important and don't get Hacked all that often but Windows Servers do and they are the ones who are responsible for the bulk of the Cyber Espionage that the West suffers from and looses money over." Proof? ---- http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/ Quote from link : "For more than two years, the Linux operating system has contained a high-severity vulnerability that gives untrusted users with restricted accounts nearly unfettered "root" access over machines, including servers running in shared Web hosting facilities and other sensitive environments. Surprisingly, most users remain wide open even now, more than a month after maintainers of the open-source OS quietly released an update that patched the gaping hole." Quote from link : "The flaw affects versions of the Linux kernel from 2.6.37 to 3.8.8 that have been compiled with the CONFIG_PERF_EVENTS kernel configuration option." "Now that a fix is available in the kernel, it will be folded into all of the affected stable kernel releases offered by kernel.org, which maintains the Linux core code. Individual distributions are expected to apply the fix to their kernels and publish security updates in the coming days." What if a company can't apply the fix due to a technical reason (software may break due to changes, possible downtime)? How many people running custom kernels (that are vulnerable to this exploit) will still be affected a year from now? Will all distributions, using kernels that are vulnerable to this exploit, take charge and add the fix, or will they expect the users to do it themselves? ---- I could not get this vulnerability to work on CentOS (I think) 6.4. The kernel I was using was older than 2.6.37 (the lowest kernel version that the hack supposedly works on). I don't know if CentOS uses the option CONFIG_PERF_EVENTS in the kernels it uses. The idea that Linux (and Unix) being more secure out-of-the-box then Windows is no longer true. It was true before Win2000 or possibly before WinXP, but no longer is true now.

HAL 9000
HAL 9000

And open it for the first time which Account Type are you in? When you install Linux for the first time are you the Root User or do you have limited access until you enter the necessary password to give you Root Access? I didn't say one was better than the other I did say [b]Out of the Box[/b] one was more secure. As for your friend if they where getting their Nix and Sun systems constantly hacked I would very much suggest unless there where Honey Pots and deliberately left open for abuse they need to get a job in a position that they could handle. Nix servers are High Use and High Value Targets as they tend to run Important Things like Banks and other places where you have access to lots of other peoples money. If these where getting hacked so often then I very much doubt that Banks would be anywhere near as Profitable and you would be unlikely to be able to withdraw much of the money you deposit into them. Not to mention the fact that Nix runs the Net and it seems to be working most of the time. :^0 Sun Servers tend to be used in other places where Security Is Important and don't get Hacked all that often but Windows Servers do and they are the ones who are responsible for the bulk of the Cyber Espionage that the West suffers from and looses money over. Just the Blargingly Obvious though, if you do not work in that part of the industry and rely on Gossip for your information you at best will be being feed 1 persons personal preferences and dislikes not Fact. ;) Col

crysis35
crysis35

Windows, Linux, and UNIX all have security problems (hence why there are patches and updates). I know someone who helped manage Windows, Linux, and Sun computers at a university several years ago. Windows was hacked about one or so times. Linux and Sun were getting hacked all the time. Linux and Unix are not superior to Windows, nor is Windows superior to those. People have different needs, and each OS fulfills those needs. If the user is silly and runs as "root" all the time, then no amount of Linux will help you there. Same with Windows...If you run with an account that has Administrator privileges (with no UAC when using Vista-8), you pay the price. Both Windows and Linux can run users without Administrator (or "root" in Linux) privileges. If someone never runs an anti-virus on their Linux box, how can someone have the potential to know if they get a virus on their Linux box? Linux and UNIX are not magically more secure than Windows. There is a possibility of a virus gaining access to "root" in Linux via a security hole in the operating system (when the account is "non-root" and cannot "sudo" to "root". Even a virus in Windows running under a limited account still has the potential to gaining Administrator privileges. Of course everyone has the right to choose what operating system they want to use. I use Linux (on my router/firewall), but I prefer to use Windows for web, DNS, e-mail, etc.

HAL 9000
HAL 9000

There is no argument that Out of the Box Linux or Unix are More Secure than Windows could ever hope to be. That doesn't mean that they are unbreakable or even Locked Down but the basic design of Unix/Linux makes them More Secure than Windows in it's current form can ever be and that Includes Windows 8 which wasn't in development when this article was written. So 6 years after it was written it's still true which is something quite odd in the Tech World as the technology changes so fast. ;) Col

crysis35
crysis35

My comment above still applies today just as it would have six years ago.

CharlieSpencer
CharlieSpencer

Apparently both operating systems are vulnerable to zombies.

Tony Hopkinson
Tony Hopkinson

WEB functionality in apache's design is in configurable modules loaded into apache itself. In IIS that functionality is part of the monolithic OS, so programs other than IIS can call it. The code is common, therefore any changes to it can impact more than one program. Therefore IIS makes more operating system calls than apache. It's not the overall number of calls that is the issue, but what is being called.

aawolfe
aawolfe

"The error would have to be in the kernel or in an add on such as encryption." and... stop me if I'm wrong here.. but wasn't the article about the number of *system calls* made by the web server? not how the web server itself works, but how (and how often) it interacts with various parts of the os? Your argument, although seemingly in rebuttal of my comments, is essentially the same point I am trying to make! Even when serving up static html that the web server does little if any processing on, there are tons of calls to the underlying OS and therefore opportunity for exploit if these calls are not done safely.

Tony Hopkinson
Tony Hopkinson

Static HTML. The sort's of error you describe could only be affected by content if an other program was processing the file. All a web server does with static HTML is paste it into http response and fire it down socket. Not even IIS messes that part of it up. The error would have to be in the kernel or in an add on such as encryption.