> > We're not a hosting house, and from my perspective, free beats cheap. The
> > thing is, WebSite doesn't really offer any features that IIS doesn't, and I
> > don't think it's any better than IIS, really. IIS has to be set up
> > correctly, but that's pretty trivial to do. In that sense, I'm a satisfied
> > IIS user.
> >
> > Dave Watts, CTO, Fig Leaf Software
>
>Even if it means having to apply a patch every other day?  Just curious.
>Ever since IIS started getting hacked left and right, I started leaning
>towards Apache.  Not starting a fight here, just having a discussion.

I'm just curious (since this thread is still active), is a product like 
Apache or other non-IIS products *proven* to be more secure, assuming you 
disable the IIS features you don't need and apply the appropriate patches? 
That's not a rhetorical question, I'm really asking for people's opinions.

See, I've been of the school of thought lately that, while IIS does have its 
security flaws, I think that they get magnified 1000% because it's a 
Microsoft product, and hackers and the press will do anything they can to 
rip Microsoft. For example, Oracle touted Oracle9i as being "unbreakable." 
However, if you go and look at the security patches they've released for it 
(a veritable library, not just one or two little things), it clearly was 
"breakable!" However, because Oracle isn't as disliked by hackers or the 
press as Microsoft is, you don't read about it on the front page of 
technical web sites. As far as Apache and even Linux go, are they truly more 
secure? It seems to me that those willing to try are more focused on hacking 
MS products, and therefore Apache and Linux are as heavily scrutinized. 
Again, I'm not claiming that as fact, it's just my impression.

I will concede that MS has had some pretty glaring security holes in the 
past with not just IIS, but other products as well. As a side note for those 
who haven't read or heard about it, criticism has gotten so bad that MS 
has shifted raises and bonuses from being release-based (i.e., did your team 
release a product this year) to security-based (i.e., the fewer security 
flaws found, the higher your raise/bonus). To me, that's a step in the right 
direction.

But anyway, we use Apache here at my job. While I have no complaints about 
it, I would argue that it's "more secure" (inherently, not after 
re-programming modules and such) because you have to be a true programmer to 
really get into the meat of the product and mess around. You can't just go 
into a GUI interface and click a few buttons to disable it.

Thoughts?

Regards,
Dave.

