The number of Web sites using Microsoft's Internet Information Services (IIS) software continued to climb in September, despite the effects of Code Red, the closure of a major Web hosting company using IIS, and an analyst's warning that IIS users should look for more secure alternatives, according to a report from Netcraft Ltd. released Monday.
The number of active Web sites surveyed by Netcraft using Microsoft Web server software rose to 3,905,978 in September, from 3,356,363 in August. The number of sites using the open-source Apache Web server rose from 7,156,849 to 7,924,169.
The closure of Webjump, a mass hosting company that used Microsoft IIS for static content alongside the Apache Web server and Perl programming language for dynamic content, cut into the total number of sites using Microsoft software. Webjump closed in August and its 280,000 hosted sites disappeared soon afterwards, said Netcraft, which conducts regular automated polls of Web sites to identify what software they are using.
Also in September, IT analyst John Pescatore of Gartner Inc. warned businesses to "immediately investigate alternatives to IIS" which have better security records. Around 150,000 Microsoft IIS sites on 80,000 IP (Internet Protocol) addresses have been taken down since Code Red II was released, said Netcraft.
While the absence of so many sites using Microsoft IIS could be seen as management taking necessary steps to get rid of the software, only 2,000 of these IP addresses have been re-established on a competing Web server, Netcraft said.
The sites could have been re-established on another IP address, but it is more likely that they have been taken down or port-filtered as part of a general tightening of security, rather than the Windows disks being formatted and replaced with Linux/Apache, said the survey.
The reluctance to switch is probably due to psychology rather than technology, said Netcraft spokesman Mike Prettejohn. Historically, Web site managers have been complacent about security, he said, and the switch to a Unix platform would involve a significant amount of effort for any site with dynamic content.
"It wasn't until Code Red that people started using patches at all," and they are obviously not keeping up because the number of insecure sites is still rising, said Prettejohn.
Gartner's advice to stop using IIS is not always practical, especially for companies with complex sites, said Prettejohn. They have often invested a lot of time and money in the site, and may have used Microsoft proprietary tools, which makes it difficult to change technology.
It is often better for companies to keep the sites they have, but improve their security procedures. Compared to the cost of setting up a site, the cost and effort involved in keeping it secure are minimal, said Prettejohn.