Working as a Network Administrator I, sadly, also have to deal with Windows servers. While this is bad enough in itself, this article is not written as a way to rant about my general dislike of Windows, or even the lack of security often attributed to the Windows operating system.

This article, as the title states, tries to explain why I think that using Windows as a web server is an outrageously stupid idea.

Websites nowadays are not only tools where individuals and organizations present themselves, they are not pure advertising anymore, but often enough part of the product. But even when they are purely informational, no matter of what kind this information may be, they play a valuable part in corporate strategy. For this reason a website has to be available 25 hours a day, 8 days a week.

In order to ensure service availability a server has to work securely and reliably. Security and reliability are closely related and together ensure availability. For the website to stay available it is important to have a secure server, because an insecure server might be compromised, which in turn would likely affect availability. To keep this article simple, the security of the hosted web application(s) is left aside.

Server security, leaving aside the aspect of physical security, depends on the security of the software running on this server. Software has security problems. This is not limited to Windows, but can be seen on all platforms, including Linux or mobile platforms like iOS or Android. In order to mitigate these security problems updates are released.

If just some random program is updated, for example Firefox (to pick something completely unrelated to server operation), you simply restart the application and you’re good to go.
Updates closer to the system are different. If, for example, the web service is updated, it is necessary to restart this service. The downtime involved in this is usually insignificant enough to not cause any complaints, especially if the updates are installed at night when nobody’s watching.
The problem, and the whole reason for the previous ~300 words, is that in Windows everything is somehow glued together into one massive chunk of bytes. More often than not installing an update requires not only a quick service restart, but the restart of the whole operating system. This, of course, means rebooting the server.

On a fast home PC that takes let’s say 30 to 60 seconds. Even in the middle of the night this is not an insignificant amount of time.
Considering that usually nobody sets up a regular PC to host their website, or any other service for that matter, but a proper server, this time usually is extended by several initialization steps which usually take a while by themselves. In this case we probably get closer to a downtime of 2 minutes, or maybe even 3.

So, while on Linux or BSD I would simply restart Apache, for example, in order to get the latest security fixes loaded, on Windows I would need to restart the whole system for the same effect, not only wasting my time (quite probably late at night, which is what the responsible admin does), but also risking damage to the client’s (and often enough it’s not only one client per server) reputation by bringing down their website for a couple of minutes, instead of only a couple of seconds (which, by the way, can much more easily be blamed on other problems).

For this reason alone, aside from anything else which may or may not make Windows a bad choice for (web) servers, I think it is a stupid idea to use Windows to host web sites.

Thank you!
Dennis Wronka
