Microsoft IIS market share threatens to overtake Apache

Microsoft IIS web server has slowly crept closer to the market share of Apache web server in recent times, but among active and popular websites is still lagging behind.

According to Netcraft's monthly report for April 2014, nine million new websites running on Microsoft IIS were added while 4.3 million sites running on Apache were added in the same duration. Although there was an increase in the number of sites running Apache web server, the overall market share declined.

When considering active websites, Apache has a strong lead with 52.3% among all the web servers followed by nginx at 14.4% and Microsoft IIS at 11.3%. The number of sites running on nginx declined over the month by 3.7 million.

Among the new websites running Microsoft IIS, 11,000 websites were found to be hosted on the Microsoft Azure platform, continuing Microsoft's run as the leading Windows hosting company.

Microsoft still has a long way to go, as the majority of websites using IIS web server have been located in the United States and other parts of North America which may be due to the slow rollout of Azure to other territories in the world. It must also be noted that Microsoft IIS has seen a decline among busy websites while nginx has seen an increase among such websites.

Source: Netcraft | Images via Netcraft and Microsoft

Report a problem with article
Previous Story

Selfies? They're so 2013. Huawei wants you to take a 'groufie' instead

Next Story

Air traffic control system delays flights, lack of memory to blame

47 Comments

Commenting is disabled on this article.

I'm not surprised apache is down, it's became incredibly bloated in recent years and back in the dial-up days you didn't notice it, with high speed broadband you certainly do!

we run a ton of IIS servers, problem is when people query us to see what server we are running, they get Linux back.. why? because our web load balancer is a Linux system... and it reports it's server os back... talk about a way to skew the stats

neufuse said,
we run a ton of IIS servers, problem is when people query us to see what server we are running, they get Linux back.. why? because our web load balancer is a Linux system... and it reports it's server os back... talk about a way to skew the stats

It wouldn't unless you're using a strange load balancing system. The majority I've seen use a round robin system to just pass-through the connection to one of the web hosts. Your idea would be that there would be a dedicated web server running on the load balancer... And it'd only be able to load balance HTTP connections in that case making it mostly useless.

n_K said,

It wouldn't unless you're using a strange load balancing system. The majority I've seen use a round robin system to just pass-through the connection to one of the web hosts. Your idea would be that there would be a dedicated web server running on the load balancer... And it'd only be able to load balance HTTP connections in that case making it mostly useless.

He is probably talking about a reverse proxy. A very usual thing to do.

Yea, it really depends on what tools you're working with.. only thing it says is that IIS has gotten a lot more popular, but neither Apache/etc or IIS is the magic bullet for every setup. Right tool for the job.

Shadowzz said,
IIS is free and comes with almost every Windows, except basic/starter/home IIRC.

It's not installed or enabled by default however. (Nor is it suitable for production systems, it's the lightweight version.)

Max Norris said,

It's not installed or enabled by default however. (Nor is it suitable for production systems, it's the lightweight version.)

Yeah okay, but its in the features section and installer is included in the Windows installation. And it does perfectly fine for most websites unless you get into the amounts of traffic where load balancing and such is required. But then you _should_ have a Windows Server 20** which comes with the more professional IIS.

Shadowzz said,
Yeah okay, but its in the features section and installer is included in the Windows installation. And it does perfectly fine for most websites unless you get into the amounts of traffic where load balancing and such is required.

Sure but it doesn't really add anything to marketshare, I'd suspect most people don't even know it's actually there. And it has some pretty hefty restrictions on it as well, it won't do perfectly fine for most websites except maybe something for your own personal use or development purposes before deployment, under any sort of load it'll slow down by design. As you say, you want the full version of IIS or another web server for production use.

Fair enough, most that require a production IIS should have a server OS already anyways. But Desktop IIS is still quite a capable 'simple' HTTPD.
But my original argument was versus 'people pay money to use IIS'. While essentially thats false :p

Shadowzz said,
But my original argument was versus 'people pay money to use IIS'. While essentially thats false :p

Oh sure, no arguments there. IIS Express is a freebie too and works rather well for what it's intended to do. I was just commenting on the marketshare aspect, never mind you can also use other web servers on a Windows box too easily enough.. just make sure to lock the thing down obviously, web servers don't have a stellar track record when it comes to security, especially when it's one that didn't have Windows in mind to begin with.

Yeah things like running Apache under root or Administrator, rather then its own user.
They both have pros and cons. I wish I had Apache's Mod_rewrite, IIS's is decent but still lacks certain stuff. Plus .htaccess > web.config.

I've never had security issues much with both. As you said, just set them up properly, take some time and effort into learning how the HTTPD works and should be used.
Most just go to install.exe or aptitude and click next or type y. And thats about it.

Its sounds like a forged information. For example:

http://w3techs.com/


1 April 2014
1. Apache 60.5% -0.2%
2. Nginx 20.6% +0.4%
3. Microsoft-IIS 13.9% -0.2%
4. LiteSpeed 2.0%
5. Google Servers 1.3%

In my experience, IIS is quite popular inside intranet. So, it is quite difficulty to know how many IIS are running inside the intranet unless Netcraft is cooking the data or simply is spying the users.

I wouldn't say that the results are forged. Unfortunately there's no 100% perfect way to scan usage statistics on the web, so results from different services can vary wildly.

Brony said,
Its sounds like a forged information

Indeed! Isn't "Netcraft" quite closely affiliated with Microsoft, and therefore results may tend to be more biased in favor of Microsoft products like IIS?

GreatMarkO said,

Indeed! Isn't "Netcraft" quite closely affiliated with Microsoft, and therefore results may tend to be more biased in favor of Microsoft products like IIS?

And what good would that do to Microsoft ? Not to mention the fact that these figures are internet facing websites only, the number of IIS instances would certainly be a lot higher if intranet facing webservers would count (of course that wouldn't be possible or practical).

I like IIS, very easy to deploy .NET Web Apps. Not sure how IIS compares to Apache, pretty sure you can only run open source stuff on Apache and .NET stuff on IIS.

_Alexander said,
I like IIS, very easy to deploy .NET Web Apps. Not sure how IIS compares to Apache, pretty sure you can only run open source stuff on Apache and .NET stuff on IIS.

You can run .NET on Apache using Mono. Not sure how the two compare in terms of simplicity of setup or compatibility. Mono did seem to work well when I last used it though.

What is IIS like nowadays? I used to work with it quite a lot in the Windows Server 2003 days, and XP/Visual Studio 2008 development with IIS was a pain in the arse frankly. With Apache, I could download, install and do some minor configuration to get started, but with IIS on Windows there was all kinds of shenanigans with Windows Authentication, concurrent connection limits, and so on. The whole "fake IIS for .NET development" was equally irritating.

Presumably things have moved on significantly since then, given the uptake in adoption? I expect that Azure has had a significant impact on these figures, it'd be interesting how many non-corporate websites are running IIS too. I don't think I know of any websites (Neowin included) that use IIS, except for a few corporate websites I used (online banking, bill payment, that kind of thing).

IIS before 7 or rather 7.5 was horrible IMO, nothing more then some basic HTTPD for the people who want a hobby website on their home computer or something.
I used Apache mainly up to IIS 7.5, started for a few simple things. And within a few months. Everything I personally did was on IIS.
PHP before 7.5 was horrible because MS never optimized IIS for anything other then their own ASP.net.
The default setup of IIS 7.5 and 8.0 are fine for simple webhosting. It's really easy to configure it for servers with thousands of concurrent connections, load balancing it over a couple of physical (virtual) servers. I switched a 100k community from Debian + Apache to Windows 2008 R2 with IIS 7.5 and couldnt be more happier.
No need to write a bunch of scripts to simplify things (adding subdomains and such), management became so much easier, if I wanted to change anything there was no horrible vhosts folder I had to dig through. Was not to bad since it was through SSH, so its just a lot of 1-2 letter typing + tabcompletion. Still, I had to keep at it, if I didn't do it for months on end, i would start forgetting syntaxes and what not, making it slower.
But replacing that with a simple graphical overview (RDP isn't slower then SSH when the bandwidth is sufficient) and everything within 2-3 mouse clicks away instead of cd'ing through dozens of folders or looking at hundreds of line of configuration code/settings.

Problem with Apache mainly is, a few years ago. People started noticing it was getting bloated, slow and needed proper updates. They failed, many skipped off to other HTTPD's. At least people around me all started favoring NGINX, LightHTTPD and some people skipped Linux entirely and went Windows + IIS.
And most cases where people work with apache, they still use GUI tools and what not, or prefer to.

But its all a personal preference whether to pick which HTTPD. They all have their advantages and disadvantages. Apache can be unbloated without to much trouble (but most dont seem to bother and run almost default configs). But from my own experience, if you use a Windows machine, just stick to IIS, if you use Linux or BSD, get NGINX or LightHTTPD.

Apache was great, but as market leader.. law of the handicap of a head start :)
Took a lot longer then I expected before any other HTTPD would start challenging Apache.

heh, lots of TL:DR i supose, but that was kinda my experience, I still have love for Apache, but my overall preference goes out to IIS. And from a couple of friends around me, I heard good things about LightHTTPD.

Cant say I'm surprised. Few years ago I personally switched from Apache to IIS because one simple reason. It is by far the best http server environment around.
After MS investing effort into optimizing FastCGI and PHP, it even beats Apache in performance.

Configuring and setting up IIS is way to easy, anyone can do it. (Opposed to Apache unless you use WAMP or similar) Adding new features and mods is incredibly easy compared to Apache.
Don't think there's a feature it lacks compared to Apache, but haven't used apache more then once in the last year.

Shadowzz said,
It is by far the best http server environment around.

Perhaps for people who are.. let's just say "typical Windows administrators" but for those of us who actually know what we are doing, nginx or Apache+Varnish is vastly superior.

Shadowzz said,
After MS investing effort into optimizing FastCGI and PHP, it even beats Apache in performance.

I'd love to see you prove this, I'll pit my Varnish+Apache combination against any IIS you can come up with.

Also the article is a bit of a play on statistics - IIS isn't actually getting more popular than Apache, it's just being run on more ghost servers (ie. non-active ones).

CuddleVendor said,

Perhaps for people who are.. let's just say "typical Windows administrators" but for those of us who actually know what we are doing, nginx or Apache+Varnish is vastly superior.

How very arrogant of you...

CuddleVendor said,

Perhaps for people who are.. let's just say "typical Windows administrators" but for those of us who actually know what we are doing, nginx or Apache+Varnish is vastly superior.

Well, hello there, superior human being.

CuddleVendor said,

Also the article is a bit of a play on statistics - IIS isn't actually getting more popular than Apache, it's just being run on more ghost servers (ie. non-active ones).

Strange assumption to make, you could make the same of Apache? :s

Shadowzz said,

Configuring and setting up IIS is way to easy, anyone can do it. (Opposed to Apache unless you use WAMP or similar)


Configuring PHP on APACHE is as simple as edit 4 lines in httpd.conf then restarting the service. And most of the lines are always the same.

CuddleVendor said,

Perhaps for people who are.. let's just say "typical Windows administrators" but for those of us who actually know what we are doing, nginx or Apache+Varnish is vastly superior.

Yeahhh, nice try. I've used Debian since Sarge. And setting up Apache is a piece of cake on Linux, BSD or even OSX. Not the point. IIS is much, much easier, you can not argue that. And if you do, you clearly havent used it.
But using Apache vs IIS is clearly different. Oh god the horror of Apache and multiple domain configuration, yes there's a bunch of addons and packages to make it hell of a lot easier. But plain Apache with no 3rd party applications or a ton of admin scripts is a pain in the ass and you know it.


I'd love to see you prove this, I'll pit my Varnish+Apache combination against any IIS you can come up with.

Also the article is a bit of a play on statistics - IIS isn't actually getting more popular than Apache, it's just being run on more ghost servers (ie. non-active ones).


IIS won't hold up against a few other of the light weight httpd's out there but against the bloated and slow Apache, it does.

Brony said,

Configuring PHP on APACHE is as simple as edit 4 lines in httpd.conf then restarting the service. And most of the lines are always the same.

On IIS its a matter of clicking "Install PHP". That's it.

IIS has much better administration tools than Apache or nginx, but it's not as good an actual server as those products.

IIS is the reason browsers don't do pipelining by default, because IIS had such bad support for HTTP (lol) that it broke when browsers attempted to use it.

Steven P. said,
Strange assumption to make, you could make the same of Apache? :s

The article explicitly states it's being used vastly more on active servers.

Antaris said,
How very arrogant of you...

I've met hundreds upon hundreds (and more so through the Internet) of "IT professionals" in the last 20 years.

The amount of incompetent "Windows administrators" I've met over the years is nothing short of scary. They have no idea of security, they have no understanding of optimization, network management or anything that isn't guided by a GUI tool or dictated on a howto or a book.

The concept of not having to wave a mouse to configure something is so foreign to them, I can't possibly understand how any of them were hired for anything in the first place.

The amount of Unix people (and I don't mean "I downloaded Linux, now I know all the things!") that are so inept, so clueless or in generally incompetent I can count with my fingers. For the Windows ones I need a god damn calculator.

Sorry if this causes massive butthurt for some of you but the reality of the situation is; I demand that you are a true professional and not some "I can configure GPO, I am an Admin!".

CuddleVendor said,
The amount of Unix people (and I don't mean "I downloaded Linux, now I know all the things!" that are so inept, so cluess or in general incompetent I can count with my fingers. For the Windows ones I need a god damn calculator.

That is super subjective and borderline meaningless. I've met plenty of people who have been trained to properly lock down a Windows based server. And I've met plenty of people who think that "apt-get install apache" is good enough and it's secure out of the box, never mind not knowing how to deal with intrusions or other problems.. just as dangerous as installing Apache on Windows and taking zero measures to actually secure the thing. Bottom line is that clueless is clueless no matter what OS you're on and it's just as dangerous. Hyperbole has nothing to do with it.

CuddleVendor said,

I've met hundreds upon hundreds (and more so through the Internet) of "IT professionals" in the last 20 years.

The amount of incompetent "Windows administrators" I've met over the years is nothing short of scary. They have no idea of security, they have no understanding of optimization, network management or anything that isn't guided by a GUI tool or dictated on a howto or a book.

The concept of not having to wave a mouse to configure something is so foreign to them, I can't possibly understand how any of them were hired for anything in the first place.

The amount of Unix people (and I don't mean "I downloaded Linux, now I know all the things!") that are so inept, so clueless or in generally incompetent I can count with my fingers. For the Windows ones I need a god damn calculator.

Sorry if this causes massive butthurt for some of you but the reality of the situation is; I demand that you are a true professional and not some "I can configure GPO, I am an Admin!".


This is pathetic.

Hmm, according to the lastest data regarding heartbleed, the Unix/Linux admins don't know what they are doing either. Only 43% actually bothered to replace their certificates, only 20% revoked the old one and 7% has reissued their certifcate without generating a new private key, hence the public key hasn't been changed either.

Plain and utter incompetence, and for all to see.

http://news.netcraft.com/archi...placement-certificates.html

IIS is a great webserver and apart from the GUI can be configured with powershell as well.

It is faster and uses less resources then Apache and is also easier to configure, especially in a Multi tenant environment.

Nginx still beats IIS in terms of resource usage, something that cannot be said from resource hog Apache.

sjaak327 said,
Hmm, according to the lastest data regarding heartbleed, the Unix/Linux admins don't know what they are doing either. Only 43% actually bothered to replace their certificates, only 20% revoked the old one and 7% has reissued their certifcate without generating a new private key, hence the public key hasn't been changed either.

Plain and utter incompetence, and for all to see.

http://news.netcraft.com/archi...placement-certificates.html

IIS is a great webserver and apart from the GUI can be configured with powershell as well.

It is faster and uses less resources then Apache and is also easier to configure, especially in a Multi tenant environment.

Nginx still beats IIS in terms of resource usage, something that cannot be said from resource hog Apache.

I didn't get new keys but I got dirt cheat wildcard certs that I'll never get the price on again, the provider that supplied the keys refuse to do anything in terms of reissuance, and I'll likely have to change my tact on the keys in the future.

Just saying.

P.S. - My site is so horribly inactive that most likely it wasn't going to be an issue anyways but just in case I ensured my server was patched up.

Shadowzz said,

[snip]
But using Apache vs IIS is clearly different. Oh god the horror of Apache and multiple domain configuration, yes there's a bunch of addons and packages to make it hell of a lot easier. But plain Apache with no 3rd party applications or a ton of admin scripts is a pain in the ass and you know it.
[snip]

Among all things it was because of Apache's weird vhost arrangement in 2.4 that I decided against it. I was using Lighttpd but it hasn't been updated in ages so I was planning on moving to Apache and had one heck of a time getting SSL (SNI) vhosts to cooperate. I eventually moved to nginx and couldn't be happier. All vhosts on the same ip still end up with SSL but at least I can define per vhost and the individual ip gets its own "default" website which for some reason I couldn't get configured on Apache.

TL;DR - I use the ip for testing so it defaults to a red page with red text. Text only browsers will just see that it's a test page. GUI browsers likely will just see red and won't even notice the text (even though it renders).

shinji257 said,

I didn't get new keys but I got dirt cheat wildcard certs that I'll never get the price on again, the provider that supplied the keys refuse to do anything in terms of reissuance, and I'll likely have to change my tact on the keys in the future.

Just saying.

P.S. - My site is so horribly inactive that most likely it wasn't going to be an issue anyways but just in case I ensured my server was patched up.

Patching your server is only half the measure. What good does ssl encryption do if your private key has been leaked during the time your server was vulnerable. Not much would be the answer.

As long as your site doesn't offer anything financial or a site were people can order stuff, I guess you wouldn't be liable in case people loose money, if you do these things, the price of a new certificate would be vastly lower than running the risk of being held liable for negligence.

CuddleVendor said,
....

And 50% of your cohorts can't even apply the OpenSSL patch, so don't tell me incompetence is limited to Windows administrators.
Get your head out from under your seat and take a look at modern Windows.

With Server2012 R2 ALL administrative tasks can be configured using PowerShell.

deadonthefloor said,

And 50% of your cohorts can't even apply the OpenSSL patch, so don't tell me incompetence is limited to Windows administrators.
Get your head out from under your seat and take a look at modern Windows.

With Server2012 R2 ALL administrative tasks can be configured using PowerShell.


Better yet, MS suggests setting up Server 2012 without a GUI.

sjaak327 said,

Patching your server is only half the measure. What good does ssl encryption do if your private key has been leaked during the time your server was vulnerable. Not much would be the answer.

As long as your site doesn't offer anything financial or a site were people can order stuff, I guess you wouldn't be liable in case people loose money, if you do these things, the price of a new certificate would be vastly lower than running the risk of being held liable for negligence.

I really mean it got very little attention. I used the keys for testing.