Jostling for Share in the Web Server Market

by Drew Robb

Although the Web server playing field has constricted, the technology continues to set the pulse for the Internet. We look at what the Big 3 players — Apache Software Foundation, Microsoft, and Sun Microsystems — are up to.

The world of Web servers has always moved at a clip, with the leading players sometimes changing faster than the technology itself.

In the beginning, Netscape Enterprise Server (NES) ruled the roost. Then, in 1995, the Apache Group released the open source Apache HTTP Server, which quickly took the top spot. Shortly after that, Microsoft released Personal Web Server and Internet Information Server. Personal Web Server has since been retired, and Internet Information Server (IIS) has been rechristened Internet Information Services (retaining the IIS acronym) and made part of Windows Server 2000 and, later, 2003.

Even with Microsoft's strong presence in the world of operating systems, however, Apache, by most accounting, has held fast to the No. 1 spot for Web server penetration.

The oft-cited survey from U.K.-based Netcraft, a self-described "Internet services company," shows Apache holding fast to being the Web server of choice for more than 67 percent of all Web sites and Microsoft's servers consistently hovering around 21 percent. Yet reading between the lines reveals a different story. A Port80 Software survey that focuses on Fortune 1000 companies' server deployments shows Microsoft's IIS with 53.9 percent share, followed by Apache with 20.3 percent, and NES with 14.6 percent.

It should be noted that Port80 Software has a horse in this race, however. The vendor's bread and butter comes from developing software that integrates with IIS to beef up the server's security and performance as well as enhance the IIS user experience.

Security Space, an online services portal published by Canada-based E-Soft, also publishes a monthly Web server survey measuring Web server penetration. Its requirements for site inclusion are much more stringent: The survey counts only those servers referenced on other sites. As a result, Security Space's numbers are much lower than those from Netcraft though the percentages and the key players are similar.

It's hard to discern which survey gives the fairest account. But whichever way the numbers are crunched, the same three Web servers come up on top.


The above numbers on Apache offer a clear picture of its basic use and function. With more than 3 million host names (compared to 1 million for IIS), Apache would win any "People's Choice Award" in the Web server category. The fact that it is not the choice of the Fortune 1000, though, indicates some of its shortcomings. While Apache is great for general usage, it does not have a broad enough feature set for the needs of many large enterprise customers.

"The success of Apache is another example of open source 'good enough'," Gordon Haff, an analyst with Illuminata, told ServerWatch. "There are more sophisticated solutions out there, but Apache is quite capable enough for many tasks."

Its "good enough" capabilities are demonstrated by its victory over other open source offerings, such as Sambar, Roxen, and Jigsaw, on its rise to the top.

Version 2.0 of Apache was deemed production ready in January 2002. It delivered a wealth of enhancements to features found in version 1.3: multiprotocol support, Unix threading (which improves scalability), improved support for non-Unix platforms (such as BeOS, OS/2, and Windows), a new native API, and a simplified configuration.

At press time, the latest version of "the world's most popular Web server" is Apache HTTP Server 2.0.50. This is principally a bug fix release aimed at two specific security vulnerabilities:

  • A remotely triggered memory leak that can allows a denial of service (DoS) attack due to excessive memory consumption
  • A buffer overflow bug for trusted client certificates

The biggest problem for Apache is the proliferation of outdated versions. Close examination of the ratings for Apache on Port80 Software's survey reveals an an interesting phenomenon: Many sites are still using older versions. More than 20 versions of Apache are in circulation, and Version 2.0 accounts for only about 1 in 40 Web servers. Users are almost universally advised to upgrade to take advantage of the new features, and to save themselves security headache, as hackers are increasingly targeting Apache boxes — yet they do not.

>> IIS and NES

Internet Information Services

Like Apache, IIS suffers from severe versioning lag. To its advantage, it has far fewer iterations than its open source counterpart. While 5.1 percent of Fortune 1000 sites remain on IIS 4, most (43.3 percent) are using IIS 5. That appears to be changing rapidly. During the past few months, IIS 6 has gone from having a negligible user base to being the Web server of choice for 5.5 percent of deployments. This is largely attributable to an increase in Windows Server 2003 adoption as enterprises migrate off of Windows NT and 2000. But IIS still has a long way to go to in Fortune 1000 updates. In the interim, organizations still on IIS 5 are vulnerable to password-stealing and other Trojans.

IIS 6, which ships with Windows Server 2003, has undergone architectural changes and improvements in performance, reliability, and security. In previous versions of IIS, for example, the failure of a single Web application could cause a failure of other Web sites and apps hosted on the same server. IIS 6 fixes this by separating the core logic from user apps, enabling a greater number of sites to be hosted on a single server. Essentially, IIS 6 separates Web sites into units called application pools. A failure in one unit does not affect other units. Predictably, it also provides SSL improvements, better ASP caching, and integration for .NET passports.

The IIS 6 and Windows Server 2003 combination is so appealing that some claim it is stealing business from Linux/Apache. Some 8,000 sites, according to Netcraft, have moved from Apache to IIS/Windows Server 2003. On the other side of the coin, it is equally likely that as many or more sites moved from older Microsoft versions to Linux-based Web servers. In addition, according to Port80, Apache has seen some gains at the expense of NES, which as of June had lost 4.0 percent for the year.

Netscape Enterprise Server

Once the undisputed heavyweight champion of Web servers with 66.8 percent of large enterprises running NES in 1998, it now has a presence in only 14.6 percent of large enterprises and is the power behind a mere 3 percent of total Web sites.

These days, Netcraft and others tend to lump NES with SunONE, iPlanet Enterprise, and Netsite as a general Web server grouping. At this time, NES and SunONE have the most activity.

NES is now up to Version 6.1 Service Pack (SP) 6. This version fixes backward compatibility issues in recent versions and SPs. It also offers improved SSL support. SunONE has gone through a series of name changes, the latest of which is the Java System Web Server 6.1. Its strengths lie with JavaServer Pages (JSP) and Java Servlet technologies. Apart from the name change, Sun's Web server underwent some security upgrades, including the addition of header masking, which hides Web server information from probes and scripts. Other improvements address bandwidth conservation and performance.

According to recent tests by KeyLabs, SunONE outperformed Apache in terms of CPU utilization and speed in serving pages. SunONE appears to be a lot faster, particularly when SSL is being employed. It should be noted, however, that these tests were sponsored by Sun.

Security Stroll

With so many massive security flaps hitting the IT world in recent years, and vendors bringing out new versions with improved security features, you might reasonably expect that everyone would be desperate to deploy them. But that is far from the case. A paltry 300,000 Web servers currently deploy Secure Sockets Layer (SSL), for example, according to Netcraft. While this is more than 50 percent more than last year, it still demonstrate the large amount gaping holes waiting to be exploited in the Web server ranks. And with many users holding on to old versions of the leading Web servers, old security holes will likely remain exploitable for quite some time.

This article was originally published on Wednesday Aug 25th 2004
Mobile Site | Full Site