...20 companies have yet to see the light. The less I have to do with IIS, the happier I am.

Can there be any possible legitimate reason for this? Please investigate and report back, ASAP.

So, if half (49%) were positively identified as Apache, then I would guess that at least half of the unidentified 11 are also Apache.

Which means Apache probably account for about 55% of the total.

And why anyone would want to use IIS is beyond me.

I bet those 11 unidentified were IIS - just down at the time.

What do we care about the US sites when they have UK and even Global lists? Is El Reg no longer a UK site?

Who was the other one? Presumably one of them is Sun.......

<Leaves in a hail of Sun-branded merchandising tat.>

As the article points out, some people change the headers for security, in fact, netcraft up www.ebuyer.com and you'll see that one of their servers is reported as:

"Apache 2.0.59 ZX Spectrum 48k Rubber Keys"

"Apache 2.0.59 MSX Toshiba HX-10"

"Apache 2.0.59 CBM PET"

There used to be others (like a Cray II), but they must have been replaced as they are all now reporting as

"A Webserver running on A Machine"

It's powerful, fast, and WorksForMe™

Those who are bashing it probably never actually had to run hundreds of dynamic driven sites per server.

In fact, those who are bashing it probably aren't IT professionals, and so understand that software is just to be used for the task in hand and not some kind of holy object that must be worshipped.

...through obscurity.

I've heard that before somewhere...

Perhaps the Apache guys should start a new marketing campaign that says:

Be a man and show evil MS your headers.

If Apache was so bad then Micrsoft wouldn't be cloning it.

Have a look at the new Apache and open source style features featured in the Server 2008 platform:

http://port25.technet.com/archive/2008/02/27/opening-windows-server-2008.aspx

There's nothing wrong with "security through obscurity". The problem is with "security only through obscurity".

I'm not a security expert, but surely defence in depth should include measures to hide your vulnerabilities, if it costs next to nothing.

John

I run both Apache and IIS, IIS for most things and apache for a web application written in python. Both web servers have their advantages and disadvantages, although I would say the half-xml, half-ini file approach of Apache's configuration files is dreadful and seems to me to indicate that two developers didn't agree.

IIS7 is getting more and more similar to Apache: I like to be able to administer my server editing text file rather than clicking in a GUI (one could do it in IIS6, by editing the metabase, but that was risky), which is a pain to document. FastCGI support is also a huge bonus if you want PHP to perform decently.

Did I say there was anything wrong with Apache? Use the right tool for the right job. If you want .net hosting, Apache is not your friend.

If you want PHP hosting, Apache is your friend, however rapidly IIS is becoming just as friendly, and if you need asp.net *and* PHP, who you gonna call?

I like the new development model for IIS7 - modularised features, released out of step with the main OS. The model is not exclusive to linux, and it's been picked up because it fits the requirements of the internet, which is rapid change.

You could always configure IIS5 and 6 with command line tools if you wanted... or quickly write a tool that did the job you wanted. I've bashed out hundreds of quick scripts.

However, it's harder to get IIS into a state where it just won't start or serve webpages than with the flat arcane configuration of apache2.

"In fact, those who are bashing it probably aren't IT professionals, and so understand that software is just to be used for the task in hand and not some kind of holy object that must be worshipped."

Apart from the fact that IIS has traditionally been derided as a festering turd by anybody with half a brain, does being an "IT professional" (whatever that means) exclude you from allowing ethics to guide your decision-making?

I chose not to shop at Tescos, drive an American 4x4 or eat at McDonalds. I also don't use software produced by Microsoft.

It's probably www.onet.pl and their domain-parking service. It's unlikely to mean any growth, just the low base effect at work.

"If you want PHP hosting, Apache is your friend, however rapidly IIS is becoming just as friendly, and if you need asp.net *and* PHP, who you gonna call?"

Because using yesterdays technology in hopes the Lord Master(MS) will someday make it better is just what you want to bet your business on.

FYI, Microsoft will most always be catching up since their policy is first to react to threats and secondly to re-react to threats. So what developers get from MS is typically attempts to catch up to what the current market leaders are doing. Is there risk going with Microsoft's late-to-the-table solutions? YES because it is often constantly changing and the goal typically is designed around developer and platform lockin.

And why would someone attempt to justify the Microsoft product or platform? Are they being forced to use only Microsoft solutions so they must try to justify their caged existence? Very interesting indeed.

.net Who in their right mind would expose that to the Internet?

Is It Serving

It Isn't Secure

It Isn't Safe

Internet Infected Server

If GoDaddy and owner Bob Parsons didn't sell out rights to their domain parking system to Microsoft for millions of dollars and licensing breaks for hosting, Apache would still have the numbers (at least per netcraft). Unfortunately, management greed there succumbed to Microsoft's underhanded (but smart) tactics of waving money under their nose to migrate a web parking system that hosted millions of random domains on apache system to a (much larger and inefficient) IIS cluster. Overnight the landscape of webserver usage swung from Apache to IIS, hence giving the beast huge marketing rights to being the #1 webserver used across the Internet. Way to go Bob.

Hi mum - look at me, I'm on the interweb!!!!

As I know fuck all about Apache or IIS so I'm not going to comment.

You can tell an ASP site at a glance. It looks clunky and runs slowly.

MSFT reminds me of a type of programmer that you probably all have met. This person is clever, too clever, and in fact is so clever that they want to do the whole project themselves because they're the only ones who know how to make things work. We all know what we usually end up -- a pile of idiosyncratic, invariably undocumented and always not quite working crap. I've taken to describing MSFT's technology as "oddball" and "non-standard" (they definitely seem to go out of their way to make it "incompatible"!).

Software may be a tool to complete the task at hand, but when one has to move a tonne of gravel 15km, do you choose a wheelbarrow, or a truck?

IIS is like the wheelbarrow. It's easily operated by one person with extremely little training. Doesn't crash if it's configured incorrectly, and the controls are all obvious.

A bit slow going though, and plenty of opportunity for someone to steal the wheelbarrow when you're resting from all the work.

Apache is like the truck. More powerful, but if someone without some guidance tries to use it for the task, they could end up hurting things. But it's also more secure, because the doors lock.

...To say the same about ethics.

But I'm using an XP machine here.

In mitigation, M'lord, please take into account that my browser is Firefox.

I'm afraid that a major UK banking institution uses .net and IIS to run their online bank. From where I sit I can see the state of the web server farm and there is almost always at least one of them down...

An Apache box was configured to return IIS style headers and an IIS box was configured to return Apache style headers? Which one would get pwned first?

Heck, do IIS admins reconfigure server headers to return Apache strings just to reduce hack attempts?

You can always tell when you're dealing with an IIS box under load because it simply doesn't respond or returns something along the lines of 'too many users'.