IIS vs Apache: Which is the Right Choice?

Last Updated: 08/26/2024

Both Apache and Microsoft IIS (Internet Information Services) have great abilities to host many kinds of websites for many kinds of people and businesses. If you are looking into starting your own web-server, you probably came across the old IIS vs Apache war.

True…Apache does have the most compatibility with websites mainly with .htaccess files and with older web applications, but IIS is a powerful, capable web-server as well (supports the ASP.Net framework, a powerful web application framework).

Over the years, IIS has gained much attention from the web hosting crowd in supporting web applications (e.g., WordPress). Also, PHP still supports Windows (as they have for years already).

Both IIS and Apache can be installed and used instantly, out of the box, with hosting HTML files. However, both need to be configured to make use of other technologies (such as PHP or Perl).

IIS also sandboxes people’s websites from each other (Application Pool Isolation), and allows for separate security permissions via Access Control Lists that are in the NTFS file-system as well as the rest of the Windows operating system.


Here are my opinions on which web-server software performs the best in certain areas.

Specific Area Winner
Easy Website Sand-boxing (websites, hosted on the same web server, protected from each other)  |  Application Pool Isolation IIS
Quick and Easy Initial Setup IIS & Apache (tie)
Easier to Manage IIS (because of its powerful graphical user interface)
Most Compatible with Websites (excluding ASP and ASP.Net websites) Apache
Amount of Available Internet Support Apache
Best PHP Performer (assuming Fast-CGI is used) IIS & Apache (tie)
Lighter on your System Resources IIS
Native ASP and ASP.Net Support IIS (there is .NET Core for Linux, but it is not 1:1 with the full .NET Framework)
Immune to the Slowloris attack IIS (Apache can be configured to be resistant to the Slowloris attack, but without a rewrite, will not be able to be immune to this type of attack.)

Notes

  • (Application Pool Isolation) IIS application pools isolate different web applications from each other. This means that if one application crashes or its security is compromised, it does not affect others running on the same server.
  • Fast-CGI allows servers to serve PHP enabled websites faster by keeping the PHP process or processes on, instead of turning them off when not in use, since creating a process and then terminating a process is resource intensive when a server has many requests to deal with.
  • There is Mono for Apache, but that does not count, since Mono is emulating ASP.Net. It’s not an authentic ASP.Net framework.
  • The Slowloris attack is a type of Denial-of-Service that causes a website to be temperately taken offline when using an affected web server (e.g., Apache).
    • The attack uses up all the connection slots on the web server, so legitimate web traffic cannot get through. Unfortunately, Apache can never be immune to this attack without a rewrite of its code.
    • There is an interesting Apache module you get get to help mitigate a Slowloris attack. In my testing, the mod_antiloris Apache module appears to mitigate the attacks quite effectively.
    • In addition, putting Apache behind a reverse proxy (e.g., Caddy) will also stop the Slowloris attack from affecting your Apache web server.

Now am I saying that Apache is not any good? No, not at all. I personally view web servers – and any other server software – as tools. Just as a mechanic has different tools for his work, so does a server administrator have different tools at his disposal. If you feel Apache gets the job done, use Apache. If IIS gets the job done, use IIS.


Posted in Internet and Servers, Software