IIS vs Apache, in pictures

This is a stupid wasted exercise, the drawing shows nothing.

You're an idiot. IIS is a very capable web server and has been gaining ground steadily over Apache of late. But then you would be the last to know.

Please do some research before blogging mindlessly. Those figures tell you absolutely nothing though. Is Apache serving an HTML file? Is IIS serving an ASP file? Are there database calls?

Also, your "poorly conceived and even more poorly executed web server platform" currently has 0 unpatched issues out of 3 advisories at Secunia. Apache? has 3 out of 33 unpatched advisories.

Apache is great and I use it on my server (mainly because it's free), but I just hate to see obvious FUD being spread about.

http://secunia.com/product/1438/
http://secunia.com/product/73/

Sigh, man DS has become such a MS-bashing fest as of late. You and Block are two of a kind. It's becoming increasingly tempting to just remove this sucker from my feed reader as it's turning into a soapbox forum. (Not to mention, Block loves to post MS-bashing articles in Engadget when it's usually software-specific articles, which is the wrong venue for that type of stuff).

That diagram is already being disputed on the actual post link, as many commenters are pointing out plenty of factual inaccuracies.

Of COURSE IIS has many more system calls, it integrates directly into AD and many other proprietary system functions. And as others have and will point out, their security is becoming increasingly strong, as evidenced by the noticeably reduced patches and advisories that are made.

If it weren't for the GUI and web "control panel" frontends from countless third parties, Apache would experience such a substantial loss in users with the casual hobbyists and developers. Remember kids, command line nonsense scares people.

Actually, no Brian. IIS is not a very good web server. As someone with over 9 years in the web hosting business, on both Apache and everything from IIS v4 and up, there are many, many things that IIS fails at. IIS has been gaining ground due to the steady and rapid increase in always-on internet connections, which means anyone with a spare PC and a pirate copy of Windows server can "put up their own website".

From past experience, IIS does have an edge over Apache in serving static content. Dynamic content however is far better served by Apache. Apache is also far superior in shared hosting environments, simply for it's flexibility.

- Apache supports a simple username/password authentication system via two text files.
- IIS only supports authentication versus the local system or domain. Utterly useless in a shared server.

- Anyone that can write a program, can write one that will generate an Apache configuration.
- Anyone with a computer science degree and an in-depth understanding of LDAP can write a program that will generate an IIS configuration. Otherwise you're buggered.

- The vast majority of Apache's configuration can be tweaked on the fly via said text files and a quick 'apache2ctl graceful'.
- The vast majority of IIS's configuration can only be changed either via the MMC console or registry editing, and requires a full restart of the service.

- If a configuration change doesn't work, Apache will warn you, and either ignore the erroneous command (providing you're using the "graceful" command above) or ignore the new configuration altogether.
- If a configuration change doesn't work, IIS will often quite happily take down the entire service and/or website with no warning and no human-interpretable error without trawling through MSDN.

- Uploading a new PHP/Perl/Python/Whatever website to a Apache server does not require Apache to be restarted.
- Uploading a new .Net based website to an IIS can require IIS to be restarted for absolutely no discernible reason other than bad programming either in the website or in IIS (see diagrams above).

That IIS's code is a mess of cross-references is of no suprise to anyone. That's why bizaire things happen in it that noone can explain, because changing one small setting can affect a dozen other components.

@ Brian
Wow...relax man. MS has released a lot of "very capable" software. IIS may or may not be included in that list. Just because software is capable doesn't mean that it's either stable or secure. Look at the system call diagrams - even a novice could tell you that apache is much more well designed. The more complicated the system calls are in a project, the more difficult it become to debug and secure. Period.

So - use IIS if you wish. I'll stick with my Apache2, secured with mod_security.

Sadly, DS has fallen into a mindless pool of FUD-driven MS-bashing soapbox speaches, care of Block and gang. (Noooo, we can't detect the bias at all - the little slips of hope won't throw us off, we've been reading this blog for far too long to be mislead.)

Nice catch, Khuffie! That chart is already being torn to shreads by commenters. Also, IIS is tied into Active Directory and many other Windows Server-specific technologies, so OF COURSE it'd have more calls to the system. Duh?

Questions for Khuffie,

How many versions of IIS exist?
Are these "3 advisories" just from the current IIS version? or are they for the year/month/week?
How many platforms does IIS run on?

Now ask yourself those same questions concerning Apache.


I've always used other security sites... never heard of yours. I'll add it to my list, although ill keep it last.

"Also, IIS is tied into Active Directory and many other Windows Server-specific technologies, so OF COURSE it'd have more calls to the system."

You say that like it's a good thing...

Most readers (including commenters here, and definitely the DS hack) lack the ability to make sense of the diagrams. "Rick" is FUDing like mad about IIS and clearly is not well acquainted with it despite his assertions. IIS has come a long way since the NT days and the version in 2003 is a thing of beauty to work with. It is rock solid, easily configurable through XML files, performs very well under large load, and .NET is a developer's dream. Adding "a .NET-based website" (...) requires restarting IIS? ROTFL! Let me guess, you've been a .NET dev for over 9 years!

It's not even funny how full of it you are.

I know a lot of anti-MS, *Nix/Apache users. Funny, because just about everything they believe in (or their complaints about IIS/Windows Server) is based off of facts that are dated pre-Server 2003.

When I showed them how IIS 6 works, most of my friends actually conceded their snide little remarks and were impressed. Funny how a whole version/new platform can turn things around.

IIS, and Windows Server even, has come quite a long way since NT/2000. IIS7 with native FastCGI looks even more promising.

It seems meaningless quarrels and battles are everywhere. One's food is another's poison, it's just that simple.

I have both for my applications. Something works better on Apache and something else works better on IIS. Or it seems to be..
;)

It's crazy how people will jump out to defend some of these open source projects out there... Apache cannot really be compared to IIS in today's environment. .NET doesn't run on Apache... Period... If you need to be able to develop in ALL the languages available you need IIS. You can run PHP, Perl, etc on IIS... you can't on Apache... maybe that is why the diagram gets a little more confusing for IIS? Just becuase this diagram looks so simple for Apache doesn't mean that the product is in any way better.

IIS is main stream in businesses... fact in point is that there are MANY more Microsoft oriented network admins out there and when you go to put in an applicaiton server at your business you put in what you know your staff can support. Usually that is a Microsoft server and why install Apache on it when it comes with IIS already? Then you have 2 companies to deal with for support.

People need to realize that it isn't always whats best that gets used in this world and being a "fan" of a certain company or product (or most likely cost FREE open source?) doesn't mean that the industry agrees with you. If there was a $$$ amount associated with Apache and Unix they wouldn't be popular products with anyone.

For this article to state: "I don't understand what makes someone choose Microsoft's IIS over the open source Apache and, after seeing this, I don't think I ever will." is just dumb... you use what you can support and what has the features you need (.NET) to run that applications you want to.

"You can run PHP, Perl, etc on IIS... you can't on Apache..."

You can't possibly believe this. And really, .Net? I guess you've not seen this..

http://www.mono-project.com/ASP.NET#ASP.NET_hosting_with_Apache

"You can run PHP, Perl, etc on IIS... you can't on Apache"

".NET doesn't run on Apache..."

Have you been drinking, or are you one of these peolple who spout off without actually knowing what it is they're talking about?

I use IIS every day to manage more than 50 websites and a number of very complex web applications. I use it to serve ASP, ASP.NET, and PHP websites that link up with MySQL, MSSQL, and Oracle databases. I also have integrated a number of other third party tools, mostly heavy duty mapping applications, into IIS without a problem at all. I have a server running both IIS and Apache simultaneously, sharing requests. Again, there have been no problems with either one. I like how easy it is to use IIS and its GUI, which in this post has been mentioned as being a bad thing. I've either never seen any of the issues that have been mentioned or the few that have come up are so extremely insignificant that they don't really even matter. I've never had any problems with security on IIS either.
Finally, unless we have a really good idea of what is happening under the hood with IIS and also Apache, we can't conclude that one is written better than the other. The diagrams on this post, with their unreadable labels, don't allow us to conclude anything of value.

For those of you familiar with IIS 6.0, could you tell me why I kept geting 401.1 error when setting up an easy website on Win 2003. I used anonymous account access with a default account named "IUSR-SOA-2K3" or sth like that. The server just couldn't get me through.