Microsoft IIS vs. Apache

[ThePreacher]

I was reading a more recent issue of PC magazine, and they had a comparison article on five different sets of web server software. Anyway the article gave IIS 5.0 a higher score and a better review than Apache. Some things in the article suggested that IIS was more secure than Apache since it included SSL. It was also stated that a much higher server load could be handled by IIS than Apache. Finally they believe that Apache was too difficult to use with its editing of text files. I was wondering for those of you with experience on these servers, which one is better. Is there truth in this article? Is one of the open source community's greatest successes a second rate product?

[Stronzo]

IIS is much easier to set up for newbies since it's all point and click. I had to feel my way through setting up my Apache server. But I personally like apache much better. One particular reason not needing to reboot for anything! (yah!)

[TheCorinthian]

Well... the servers we use for production at our website www.borsen.dk are 95% apache servers on debain systems. We had to set up a single IIS server because some partners of ours only had software for windows and one required us to use som IIS objects.

All that aside, let me try and compare the two systems.

Speed: both are excellent in terms of speed. Neither of the two software dists have ever been a bottleneck in themselves.

Stability: both are good. Apache takes the crown here, mainly because it runs on linux and thus doesn't have to be restarted every time microsoft releases a patch for a security flaw (every second week ). Also, a webserver that rund independet of a graphical interface is much more diserable in my book, since it's much more efficient and always reachable despite various your (X)windos fscking up.

Security: Oh please. IIS go home. Even though microsoft has dedicated patch making staff, it's still a shame they release a system that is already broken security wise. I have crashed _a lot_ of microsoft products via security exploits... all legal... of course :P I haven't found any way to bring down an apache server; of course there are ways, there always is. I'm just not that much of a geek that I would would spend my evenings finding them.
And oh yeah, there is a ssl enabled apache server (well, actually there are several). We use one called apache-ssl for our online payment solution (which we made our selves... well, which I made actually - thank you, thank you, no more applause ). No problem with apache there.

Anyways, I'm not a microsoft basher in any way. It is worth considering though, that your entire website can be free, FREE!, linux-php-mysql-apache <-- the magic combo. Stable software, made to be a server, for free... in constrast to MS products that will cost you your left arm and your dog. Think about it.

[Vorlin]

Ok, I'm gonna be a unix/linux/apache bigot real quick...

<BIGOT MODE>

IIS has got to be the worst "server" package I've ever seen in my life. There's a new bug every week that allows for remote/local "root" access with CodeRed and various others. It's easy to configure no doubt because hey, point and click is all NT admins know (for the most part) but security-wise, that's a joke.
Add in the over 5000 attempts to install/abuse the CR exploit on my own personal linux box on my RoadRunner account and you have a whole slew of internet traffic being held up because of all this extra garbage. Not to mention it slows me down too, as well as others.

Apache, while not very easy to configure, has been modified as of 1.3.19 so that everything is in one file, httpd.conf. It's got an internal documentation that's installed off the main index.html page that's phenomenal in getting you going and pointing you in the direction of online help.

You want a good package that'll do what you want and you can configure it anytime with a restart of the httpd daemon without rebooting the box and has very good security right out of the box? Go with apache. You want to join the misguided masses that think MS is the best? Go with IIS 5. You'll be one of the infected hosts no doubt trying to break my box, hehe. But that's ok because ipchains will deny your address.

</BIGOT MODE>

[chsh]

I'll respond point by point.

Originally posted by ThePreacher
I was reading a more recent issue of PC magazine, and they had a comparison article on five different sets of web server software. Anyway the article gave IIS 5.0 a higher score and a better review than Apache.

I think I heard about this review from a colleague. If it's the one he's talking about, I have a feeling that it's a funny joke.

Some things in the article suggested that IIS was more secure than Apache since it included SSL.

1) There's this thing called mod_ssl which is designed to allow Apache to interface with OpenSSL. There's also this other lovely project called Apache-ssl.
They are correct (IIRC) when they state that it comes with, but it's trivial to download the ssl component.

2) Whomever suggested that IIS is more secure than Apache needs their head examined. There have been a few flaws in Apache, but those are usually patched immediately, and rarely lead to root exploits. IIS is a completely different story. Something like 50 of the 58 security bulletins so far in 2001 have been related to IIS. IIRC around 30-35 of them have been of the MUST PATCH variety.

It was also stated that a much higher server load could be handled by IIS than Apache.

In my experience this is completely untrue.

Finally they believe that Apache was too difficult to use with its editing of text files.

1) I don't know why people have this phobia with editing text files. I mean, GUI isn't everything you know. There's no need to have a GUI taking up processor cycles when you don't need one.

2) I have to question who it's too difficult for. A journalist, or a Network Admin? The documentation is great, and it's dead simple to configure if you've read the documentation.

I was wondering for those of you with experience on these servers, which one is better. Is there truth in this article? Is one of the open source community's greatest successes a second rate product?

Apache, Not much, and No.

[deadpaperplate]

As everyone else pointed out the article is false in its statments of IIS being superior in stability and security, I could go into the details but I think thats already been covered. My main beef is the fact that PC mag tends to be very intel/MS biased. Here is an example:
In one issue they were comparing the Athlon 1+ GHz with P3 1+GHz, and they concluded that the P3 out performed the athlon.
Here is what they used to do the test.
computer using p3 1+GHz, running win2k pro.
computer using athlon 1+GHz running winME!!!!!!!

can you see the obvious reason the P3 machine beat the athlon? And they had the gall to call this a valid test.

[ThePreacher]

For those who didnt read the article here are some stats.

Setup and config. ease: Apache 3 of 5, IIS 5of 5
Administration power: Apache 3 of 5, IIS 3 of 5
Programming interfaces: Apache 3 of 5, IIS 3 of 5
Security Standards: Apache 2 of 5, IIS 5 of 5
Performance: Apache 2 of 5, IIS 5 of 5
Overall: Apache 3 of 5, IIS 4 of 5

Other things the article stated were:

"Limited support, base version lacks SSL, requires expertise, mediocre performance"

[Vorlin]

If that isn't a Microsoft-funded 'test', I don't know what is. The *only* thing I can see IIS having over Apache is 'ease of installation' because everything else, Apache stomps a mudhole in IIS all the way around. Add in the fact that the NT admins I worked with openly admitted that ISS was holier than 20 pounds of aged swiss cheese, that tells me something.

[linuxcomando]

All i have to say is that i would much rather have an apache server then a damn windows server.Now most script kiddies only know microsoft and not unix and if your running apache your most likly running *inx. So my feeing is that IIS is more liky to get hacked/cracked etc...

[Vorlin]

Add in the inherent bad "programming" in IIS and yeah, you have a much easily hacked server. And the thing is, IIS is a lot of bloated code, whereas Apache 1.3.22 (version I use) was about 13 megs total uncompressed. I cannot see how anyone can even try to step up to apache as far as security and stability are concerned. As TheCorinthian said "Oh please. Go home.", hehe...