XP Pro vs NT/2k/2k3 for IIS

Posted on 2006-03-30
Last Modified: 2010-07-27
Quick question. At my job we run a webserver on NT 4. This is the last of the NT4 boxes currently running. We have a W2K3 server running IIS as well just waiting on the move.

I am not by far a "web" guy by means of support. I installed IIS on an XP Pro workstation to test some changes I was making to our Intranet site. In this process, I was learning a bit more on how all this stuff works. I decided to design a website for our own department soon after.

The question I have is: what's the difference in security when running a published website on my XP Pro box vs. on one of our web servers? I currently have my workstation ported to an ext IP address, but port 80 is off. One of the guys said "I better tighten my workstation up" before he opens port 80. He suggested to me to put the website on the NT4 box (port 80 open of course)... Can anyone tell me the differences in this? How unsecure is XP to NT4 or even Windows 2003 for that matter?

Question by:sumfknguy
    LVL 95

    Expert Comment

    by:Lee W, MVP
    All I can say is IIS 6 was rewritten from the ground up in 2003 and 2003 is FAR more secure than XP or NT4 (I'd say especially NT4).
    LVL 32

    Expert Comment

    It's a good idea to install all known patches, whether XP or 2000/2003 server.

    This is just my opinion, but I would think IIS on XP should be fairly secure if all you have open is port 80.
    I would also avoid using that XP station for email, web browsing etc. on any regular basis.

    However, IIS on XP is somewhat limited in features compared to IIS on Win/server.

    Run MBSA to check for any missing patches etc.
    LVL 38

    Accepted Solution

    IIS 5-6 are vast improvements over IIS4, agreed. While XP is also more secure than NT4, IIS still needs to be treated separately. It doesn't matter what OS you have running it; the security of IIS depends on its settings and directory/file permissions. Read up on the best practices and tools used to secure IIS. Again, for the most part, the security of IIS (5 and 6) depends more on those settings than on the OS running it. As always, port 80 should be the only visible port from the outside, unless you're running an FTP server or other such service...;EN-US;330692

    Apache is still the most prevalent web server used on the internet, and in my opinion more secure by default; however, IIS6 can be made just as secure.
    LVL 25

    Expert Comment

    I think leew is right. It was rewritten and should be more secure than something that was out in 1997--long before the bad boys got so much smarter in their attacks.

    No matter what you use, if you open port 80, it is an open hole, a potential for attack.

    Software such as Ethereal can help you know what kind of traffic is happening on that machine. There is also a bunch of software from Sysinternals, such as TCPView, that shows you what traffic is occurring.

    You probably want to set up some sort of firewall if you don't already have one.  When you said port 80 was off, I assume maybe you do have a firewall?

    There are issues dealing with max number of connected users with XP that you didn't have with NT4.
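
Added example, not part of any post in this thread: a small audit of `netstat -an` output that flags every listener other than TCP 80, which is the "port 80 should be the only visible port" check from the accepted answer applied to the kind of socket list TCPView displays. The sample output, addresses and allow-list are constructed for illustration, and the script assumes that any listener not bound to loopback is reachable unless a firewall filters it.

```python
# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:80        203.0.113.9:51522      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.20:137       *:*
"""

# Assumption for this example: the web server should expose TCP 80 only.
ALLOWED = {("TCP", 80)}


def parse_listeners(text):
    """Return (proto, address, port) for every socket accepting traffic."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = parts[0], parts[1]
        # TCP rows carry a state column; only LISTENING rows accept new
        # connections. UDP rows have no state and always receive datagrams.
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")
        listeners.append((proto, addr, int(port)))
    return listeners


def unexpected_listeners(text, allowed=ALLOWED):
    """Listeners off the allow-list that are not bound to loopback only."""
    found = set()
    for proto, addr, port in parse_listeners(text):
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only sockets are not reachable from outside
        if (proto, port) not in allowed:
            found.add((proto, addr, port))
    return sorted(found)


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"review before exposing this host: {proto} {addr}:{port}")
```

Each flagged entry is a service to disable, bind to loopback, or block at the firewall before the machine is published.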


    LVL 32

    Expert Comment

    Yes, do consider the limitations on XP, such as a max of 10 simultaneous connections, plus others such as not being able to host multiple sites etc. Best to see first if any of those would apply in your case.
    LVL 5

    Expert Comment

    Windows Server 2003 is THE choice for server setups.

    Connection pooling, connection release time, scalability through upscale, faster performance than previous versions of Windows, enhanced security-auditing-centralized user authentication and authorization, improved volume shadow copy, improved storage management (FSRM/SAN), the list goes on and on and on... did I mention scalability?

