Microsoft Releases IIS FastCGI Module

Marcy writes "Microsoft has just announced the final release of the IIS FastCGI module for IIS 5.1 (XP), 6 (2003), and 7 (2008). This FastCGI module was built with collaboration from Zend, the creators of PHP, and is intended to solve the CGI on Windows problem." It's free as in beer.

Why bother?

[FictionPimp]

What's wrong with apache?

Zend + MS

[thatskinnyguy]

This FastCGI module was built with collaboration from Zend, the creators of PHP, and is intended to solve the CGI on Windows problem.

Glad to see that we all can get along.

Re:Why bother?

[El Lobo]

The only problem is that IIS7 and even II6 have so few critical vulnerabilities that Apache IS a nightmare in comparation. let's no talk about text file configuration....

free as in beer?

[Locutus]

so you're paying out the nose, ears, ass for Windows and MS IIS and you care about free fastCGI?

And IMO, it may be free as in beer but it's poisoned beer by virtue of where it plays.

LoB

Re:Stop the insanity.

[bibel]

Sometimes you don't have a choice. If the client wants Windows, IIS, MSSQL, PHP (WIMP), who are you to argue ?

Re:Why bother?

[marcovje]

That's because Microsoft is quite reluctant to label anything "Critical". Nearly all superficial bug amount comparisons falter because of different habits to rate a bug.

Microsoft probably things "Huh, the world didn't end? Ahh, then it probably isn't critical."

Re:Why bother?

[sydb]

What's wrong with text file configuration? Some people happen to like it. For good reasons, like:

• you see your config right there in front of you
  
• you can do scripted configuration using standard unix tools
  
• you can archive config files and see what they do just by looking at them
  
• you can run diffs against configs
  
• you can adopt your own standards for commenting changes
  
• you can put your config in an SCM tool
  

Just because you don't know how to do it doesn't mean it's not a huge advantage for those of us who do.

Re:Why bother?

[sqldr]

let's no talk text file configuration

Oh, not you as well. There's absolutely nothing wrong with text file configuration. There's a whole world of things wrong with a pointy-clicky GUI interface to a config in the registry when there's no other way to edit it.

How do you search a gui interface? How do you generate a gui config? How can you minimalise a gui config to the bare essentials? How do you upload/download a config and email it to someone? How do you edit the config without having to run remote desktop client? And of course, with clicky configs, if they haven't provided an option for something, then you can't do it. Sorry, "computer says no".

I'll admit that IIS hasn't had many vulnerabilities recently, but this is partly because it's got bugger all functionality. Most new vulnerabilities in apache are usually found in one if its thousands of modular extensions.

Lets not talk about using domain credentials for HTTP authentication (in fact, having your web server assume that's what you want to do), lets not talk about your configuration appearing all over active directory. Lets not talk about how server 2003 starts up every bloody service on the system on boot, giving you about 30 seconds to download the service packs before you get pwned by a virus. Lets not talk about how it took microsoft months to fix a serious user-affecting exploit in word, but yet, when they give a shit (like when DRM got cracked), they have a fix out in a matter of hours.

Personally, I use thttpd, because, er, I don't like the config format for apache. That's not because I don't like having my configs in readable text files, I just don't like the cludgy way that apache does it.

Re:Why bother?

[morgan_greywolf]

Look, man, no one is ever going to take you seriously. You troll every Linux and Mac OS X article, and this post is clearly a flamebait, but to answer your post:

A comparison of critical vulnerabilities is an apples-to-oranges comparison between IIS and Apache. First off, IIS is more vulnerable because it only runs on one platform, Windows Server. This makes exploiting security bugs a known quantity. Security bugs in the OS aren't counted against IIS in many bugs counts, despite the fact that these security bugs often directly affect IIS and sometimes only IIS, despite the fact that IIS and the OS are essentially integral to one another.

Let's add to that the fact that Microsoft doesn't consider many security vulnerabilities to be 'critical'. Even some remotely-exploitable bugs that could lead to pwning the box aren't counted as 'critical' by Microsoft, because there is no known 'live' exploit for it.

Re:Problem?

[FooBarWidget]

Windows doesn't even support forking. You can start new processes, but forking the existing process is impossible. Even things like Cygwin only emulate it with threads.

Better late than never....

[alexborges]

Congrats, Microsoft, you came in late for about a FULL DECADE and STILL people buy your crap. No matter how unethical is the fact that your "web" thing never did anything other than crash for no reason, spawn windows when anyone hit the webserver, and eat away all resources; people do bow unto you, take your crap and PAY FOR IT.

I can understand Microsoft very well. What ill never understand is its fanbois.

Re:Problem?

[Foolhardy]

Win32 doesn't support forking, but the NT kernel does [cygwin.com]. For that matter, by far most of the expense of starting a Win32 process on Windows is due to Win32 subsystem overhead, including compatibility database lookups, not the kernel. SFU [google.com] processes (that belong to the POSIX subsystem) and native processes [microsoft.com] (that belong to no subsystem) are MUCH cheaper, and incidentally support true kernel level copy-on-write fork.

Cygwin doesn't use the kernel's fork support because Cygwin is built upon on Win32. SFU can because it runs parallel to Win32.

Re:free as in beer?

[cronot]

Funny, yes. But I think there's a bit of truth in there. That notion of "Free as in beer" is really confusing when you're explaining free as in freedom vs. free as in beer to someone that is new to the concept.

Re:Better late than never....

[jez9999]

I have been considering this much of late.

I really want OSS to succeed, really. I love the philosophy, and hate the idea of MS being the 'Rome' of my lifetime (the empire that collapses, but only a long time after I die). However, I can't see it happening. This is because it feels like OSS has a natural tendency to stagnate when most developers think things are 'good enough'.

Where's a reliable FastCGI module for Apache? Where's a good config file format, and a GUI to edit it, for Apache? Where's a Linux distro with a GUI as intuative as Windows Explorer? Yes, I recently tried Ubuntu and was very disappointed that its GNOME GUI is *still*, in my opinion, leagues behind what MS and Apple have to offer.

OSS devs develop stuff they care about, to the level that they find acceptable. They generally don't take no shit from nobody, and if you want something done, you can do it yourself. Patch it. I love the theory, but the practice is this: people DON'T HAVE FUCKING TIME to patch it. Businesses often DON'T HAVE THE MONEY. OSS needs to adapt to a philosophy of developing stuff to be better even when they personally don't get much benefit from it, because otherwise businesses WILL just pay MS to get what they want. It sucks, but there you go.

"Hey, boss, we need to push out group policies over all machines on domains foo and bar. Windows has Group Policy Editor and Active Directory. We can do the same thing with Linux, but it will mean spending 5000 man hours developing, testing, and deploying scripts, because nobody has bothered to come up with a solution yet."

What would you choose for your business??

Re:Why bother?

[IgnoramusMaximus]

The other responder covered your ignorance of the IIS metabase. Perhaps you should actually look something before commenting on it.

I am starting to believe that you XML turkeys operate in some alternative Universe where diarrhea like this:

<?xml version ="1.0"?><configuration xmlns="urn:microsoft-catalog:XML_Metabase_V61_0"><MBProperty><IIS_Global Location ="." BINSchemaTimeStamp="10d5deca4057c401" ChangeNumber="642" HistoryMajorVersionNumber="14" SessionKey="9431b62980000002a0...1ca113" XMLSchemaTimeStamp="b036da01ab56c532"></IIS_Global><Location ="/" AdminACL="49634462f0000000a4000...419891"></IIS_ROOT> <IIsComputer Location ="/LM" EnableEditWhileRunning="1" EnableHistory="1" MaxBandwidth="4294967295" MaxHistoryFiles="10">
</IIsComputer>

... is considered "easy to read" and "easy to maintain". Note the lovely formatting (as it appears in the actual file - less a few newlines as Slashcode wraps the crap) due to some inane Microsoft MMC GUI tool used to generate the thing. Also note the profuse commentary (that is assuming that you actually could ever properly comment this spew as comments are not allowed within tags, even ignoring the fact that the imbecilic MMC tool would simply remove them on the next use).

I will leave it as an excercise to the reader to conclude which one of us is operating based on delusional, emotional attachment to insanely misused formats and which one has an actual experience with configuration files in real life.

As to Semdmail, may I remind you that the so-called "config" file is an actual machine code of a state driven processor around which Sendmail itself was constructed. Apples and oranges. And no, it was no more easy or harder to read then any stream of machine instructions for any other machine to be directly executed by it. It was never meant to be easily human-readable and its syntax is driven by the extremely demanding resource limitations at the time when original Sendmail was developed. The fact that it proved a maintenance nightmare (despite of its extreme power and flexibility as compared to regular config files) was a leading impetus behind Sendmail losing to other MTAs as years went on and extreme frugality with resources became secondary to ease of maintenance.

Oh and your sanctimonious whining about "hopping into this century to drool at shiny but valueless stuff" does not help your cause either, as the basics of computer science remain unchanged since its very inception and they will remain firmly so even if our computers end up grown in vats out of quantum-mechanical nanomachines. And one of those fundamental, time-tested constants is the requirement for brevity, clarity and ability to comment extensively any configuration files, although untold numbers of misguided "innovators" have attempted to "improve" this in a countless number of ways, of which the XML insanity is but one of the later flops, standing atop of a heap of rotting carcasses of previous failures, which went by names such as "binary configuration databases" and "registry hives" and what not.

And so, long after your pet fad is gone, I am sure I will be having this same very conversation with some condescending accolyte of "Object Oriented Four Dimentional Cube, Buzzword Overloaded" config files or what not, who will snicker about how quaintly old-fashioned these fundamentals are, and that I should "get on with the times" to his new favourite, one-and-only, super-correct fad.

In short, your kind never learns.

I'll also note how you fail to mention any better alternatives in your inflammatory rant.

Quite a comedian you are. How about any other time-proven config file format used by just about any sane application? Bind, DHCP, SSH ... and on and on and on.