IIS security, personal web servers, and virtualisation
Posted Oct 28, 2007 7:03 UTC (Sun) by Cato (guest, #7643)
In reply to: Dell's Numbers, were not there by drag
Parent article: Is Linux really losing market share to Windows? (Linux-Watch)
Other people have addressed the reliability of these statistics given that Linux is frequently downloaded and installed for free, and not 'sold' with hardware.

On the issue of "IIS giving better security than Apache" - do you have any references for this statement at all? IIS7 sounds like a major rewrite which may be good for security and ease of admin, but could also introduce new holes - see http://blogs.iis.net/bills/archive/2007/05/07/iis-vs-apac... for a blog posting by an IIS developer who also professes some respect for Apache.

This Google survey from June 2007 shows that IIS is still responsible for far more malware hosting per 1000 servers than Apache: http://googleonlinesecurity.blogspot.com/2007/06/web-serv... . Of course, the hosting of malware can be due to web apps not just the web server, but this survey implies that either IIS administrators are less competent in finding and security-updating their web apps and web server, or that IIS itself makes it harder to run a secure web server and to write secure web apps.

On the desktop web server side - I have some experience of this from writing install guides etc. for TWiki (http://twiki.org/) on Windows. Largely because it's so hard to configure CGI apps under IIS (at least the versions I was helping with), some quite expert people simply gave up on TWiki on IIS and went with Apache instead (see http://twiki.org/cgi-bin/view/Support/TWikiWindowsIIS for some comments here). IIS 7 may have made it easier to configure IIS here, and includes FastCGI, which may help (although most CGI apps don't support FastCGI out of the box - SpeedyCGI might be easier to support). With non-IIS web servers, it's significantly easier to install TWiki - e.g. http://twiki.org/cgi-bin/view/Codev/TWikiForWindowsPersonal can run from a USB flash drive, or simply be unzipped onto the C: drive. Or if you need a server that can start personal and become a workgroup/corporate server without reinstallation, you can use the VMware route using a VM such as http://twiki.org/cgi-bin/view/Codev/TWikiVMDebianStable - just download a pre-installed Debian VM including TWiki, and run it with no configuration - this is consistently one of the most popular pages on the TWiki.org site. Of course, native IIS web apps may be easier to install than CGI apps, but Apache is still the dominant player.

For the personal server market, I would also look carefully at the role of virtualisation technology such as VMware (and Parallels on Mac) - it's far easier to simply install a preconfigured 'virtual appliance' including a web server and web app than it is to install and configure them by hand (well, unless you are on Debian or Ubuntu in which case a TWiki install is just an 'aptitude install apache2 twiki'). Microsoft supports virtualization on desktops through Virtual PC, which I believe is quite competitive - however, its restrictive licensing of what you can install in VMs means that you can't use it with Home editions of XP or Vista, not even with Vista Premium which is quite expensive: http://itmanagement.earthweb.com/entdev/article.php/ - and I don't think such home editions include IIS anyway.

So... if you want to rapidly install a desktop web server with web app, the quickest route is to unzip a server+app combination onto a USB drive or hard disk, not using a Microsoft web server. Or if you have more RAM/CPU and want a more functional installation, you simply download a virtual appliance and run that - but that can't include a Microsoft OS or web server for licensing reasons.

VMware has a huge library of freeware and open source appliances here: http://www.vmware.com/appliances/

I'm sure I have a somewhat biased view as TWiki is a CGI app that is developed on Linux/Unix, but I have written a lot of material on how to install it on Windows, and it does seem that Microsoft's proprietary software model leads to significant restrictions on what you can do, particularly if you don't work in a large company with a corporate software assurance agreement that ensures any version of Windows/IIS can be used without charge.
