Recently, a few choice diagrams from the past of the mapped system calls that Apache and IIS perform have been making another round on the internet. So I thought I would add my 2 cents worth on the matter…
Why Windows is less secure than Linux
“Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture.”
Diagram of Apache’s internal system calls…
Diagram of IIS’s internal system calls…
I’ll let the images speak for them selfs, and comment on not the above, or the interpretation, but rather on the following…
“Apache cannot be compared to IIS. Apples and oranges!”
What… Why not? They have the same function, right?
“Apache, out-of-the-box, only serves static pages! It needs modules to add functionality. IIS, on the other hand, has all sorts of functionality built into it, such as running .NET applications and ASP.NET scripts. IIS is tied into Active Directory and many other Windows Server-specific technologies. It integrates with the OS!”
You say that like it’s a good thing.
“When you add enough extensions to Apache to provide it with abilities equivalent to IIS’s base functionality, it will make just as many system calls and be just as complex.”
We only have the baseline of what happens on one static HTML page and one image request. Anything else is a guess.
“Apache has 33 reported vulnerabilities. IIS has only 3 advisories!”
Apache? Meant to say “Apache modules”, didn’t you? As far as I know, having someone actually looking at the source, working out the bugs, *is* a good thing. The matter of people being sued and/or having their carriers ruined by reporting vulnerabilities of proprietary products also plays into this, don’t you think so?
“IIS has come quite a long way since the days of Windows NT/2000. IIS6 is a major improvement and IIS7 is a thing of beauty. When I show people how IIS 6 works, they become impressed.”
Just to be fair, I will say this in defense of IIS…
Apache is written in C, while IIS is more of an OO C++ product — which can translate into more calls.
Taking another page from Apache’s playbook [good things get copied, right?]:
- Microsoft has switched to a completely modular setup design with IIS7.
- IIS 7 can now be configured from a text file (web.config).
- IIS 7 can be administered from the command line with the Windows PowerShell administration environment.
“First they ignore you, then they laugh at you, then they fight you, then you win.” – Mahatma Gandhi.