Gartner analyst John Pescatore's research note "Nimda Worm Shows You Can't Always Patch Fast Enough" (FT-14-5524, dated September 19, 2001), which recommends enterprises investigate alternatives to Microsoft IIS, certainly has caused a lot of discussion. Embattled Windows administrators, probably still coping with the effects of various virus attacks, now must deal with senior management asking whether the enterprise can replace IIS with an alternative Web infrastructure.
The simple answer is that moving away from IIS is difficult and will become even more difficult as more companies migrate to Windows 2000. IIS is part of the basic Win2K infrastructure and probably will be an increasingly important component in Windows .NET Server (formerly code-named Whistler). Microsoft Exchange 2000 Server is the first application to depend on IIS; you can't install or operate Exchange 2000 without running IIS on every Exchange 2000 server in the enterprise. In fact, Exchange is a pretty good pointer to a future .NET world in which more and more applications will depend on Web services and, implicitly, IIS. The question, therefore, isn't whether to move away from IIS, but whether to move away from Windows to another infrastructure that comes with its own set of problems. I fear that Gartner might have lost sight of this important point in its rush to condemn IIS. (For further details about why turning away from IIS might not be a realistic solution and for steps to tighten your Web server's security, visit the Windows 2000 Magazine Web site for the rest of this article.)