eWeek reviews IIS 7 Beta. "Versions of IIS prior to 6 were the main points of attack for major worms and viruses such as Nimda. With IIS 6, Microsoft moved the Web server to a default profile that was much more secure. This and other security improvements have paid off, as IIS is nowhere near the major security problem it once was. To a certain degree, IIS 7 carries on this move to greater security with a default install that is even more secure than Version 6's and improvements in security management."
Post a Comment
Member since:
2005-11-10
Actually, the biggest improvements come in configuration area. IIS7 is now fully componentized (obviously they looked at Apache http server) and all the settings are kept in XML file (web.config) (just like ASP.NET application config files; just like TomCat or JBoss). You can easily move settings to another server, etc.
Next, management interface (both graphical and command line) are much improved. You can now write modules for IIS using .NET. Delegation is there, too, etc, etc.
Sure, there is additional work on security but given almost perferct IIS 6 history for the past 3 years, I don't think it is the major factor. Even without extra work in this field, now fully modular structure greatly improves security. Of some 40 modules that ship with IIS7, most are disabled by default. Thanks God.
Now, if only Windows Server was free :-)
RE: IIS7 is not so much about security..
What the devil are you talking about??
RE: What the devil are you talking about??
Member since:2006-05-19
Member since:2005-07-09
Member since:2006-05-19
Member since:2005-11-10
Oh, man, of all things I wrote in that message you've noticed that I wrote "Thank God" and you won't stop making noise about it?
Yeah, as somone already said, it is commonly used expression (all over the world) meaning simply - "I'm glad that.." (Microsoft disabled those IIS modules by default).
Please, go troll somewhere else.
Member since:2006-03-12
Actually, you said "Thanks God." Thank God is different, and basically just means "It's a miracle," which can mean different things, like "I never expected this" or "this is what I hoped for." Thanks God sounds like you're addressing God directly and giving Him/Her/It/Them credit. It was probably just a typo, but the response was probably just a joke about your typo, so I thought I'd post because I don't like to see people's karma go down the drain just because they don't bother trying to understand what each other said. Or because someone is trying to blacklist this whole thread for being off topic, so...
IIS 7 has config files, eh? If Microsoft makes a habit out of this, one of my biggest complaints about their products may get crossed off the list. Cloning and config backup are essential for any OS that purports to offer services, regardless of whether it's over a network or to a range of users at the keyboard.
Member since:2005-11-10
Yes, I did, but how's that important for this topic? Big deal or anyhow relevant to IIS7?
Note that he kept on talking about that no matter what. And when other people modded him down for being OT he started modding down everyone else.
I really am not sure, but the guy is so lame to me.
One last thing - English is not my first language and I am still learning, including this 
Thanks for clearing things up. And thankS you 
Member since:2005-07-09
Member since:2005-07-09
Member since:2006-05-19
And by the way....
Member since:2005-07-09
Member since:
2005-07-06
Member since:
2005-07-06
I like the fact that they are moving the configuration solely to an external file that can be edited outside of the management screen. Maybe this is a sign of things to come with their other products too?
One thing though that I couldn't tell from the article. Are they going to supply some type of proxy setup for IIS like Apache has(mod_proxy)? Its really annoying that IIS (at least as of 6) doesn't have this type of plugin/configuration option anywhere.
I still think I'll prefer Apache over IIS (because I can use it on other platforms, and its Free), but improvements to IIS are certainly a good thing as I know somewhere down the line some client is going to be a pure MS shop I'll need to support.
Member since:
2005-07-06
Member since:
2005-07-09
Member since:2005-07-06
According to what I heard, you will able to do that. Almost every module in independent even if not all of them are. For example, you can install web server without NTLM or Digest authentication support if you don't need them. Of course, you can't install Digest auth module without web server itself...
Member since:
2006-03-12
Member since:2005-11-10
Member since:2005-07-06
Member since:
2005-07-06
I attended a presentation of IIS 7 in Milan a few weeks ago. It's been very fascinating.
To me, the best feature really is not modularization (that's not very impressive: IIS 6 already has a very good security score though this could improve performance) but the fact that .NET has been inserted into IIS pipeline and we will be able to actually leverage .NET features to control IIS behaviour. That's very impressive because .NET features are potentially extended to system itself and can affect other modules too. That's really nice.
Other than that, configuration files in plain text can be useful but we already had a very complete API to do that so I'm not that sold there.
Plus, there will be other significant improvements but main changes to me are related to how you can programmatically handle almost any aspect of IIS.
The only thing I didn't like (and I specifically asked Elly about this) was about the need to run ASP.NET at medium trust level to automagically achieve protection. I hoped they would fix this.
Member since:
2006-06-22
Member since:
2006-07-15
I'm sure the comments about the security of IIS7 are true in terms of web server administration/configuration/default settings etc.
However, given that some of the most commonly used protocols for admin/maintenance of a Windows server are FTP and RDP (without VPN) perhaps they should be improved. I haven't seen anything in the article that says FTPS (or similar) is part of the implementation here (it could be implemented and set as the default mode), and RDP using SSL could also be a default setting. As with other Windows changes there could be numerous warnings if the user tries to downgrade to less secure modes.
You'll probably think that the above is off topic...
Security aside, will IIS 7 provide a completely built-in method (e.g. config file) for URL re-writing?
Member since:2005-07-06
Yes. You will be able to use that via .NET HTTPModules and HTTPHandlers but since .NET pipeline is now integrated into IIS' then you can use available ASP.NET solutions for that and those will work for other modules too like PHP for example.
So you can have you ASP.NET HTTPModule solution to implement URL rewriting for your PHP application without PHP even know that.
As this is new to IIS, expect new "products" like those to come up very quickly as most of them will simply be modules you use in your application which will be "packetized" and released.
Another great thing you can do is controlling the way IIS will serve files as you can install a module which will "intercepts" all GIF downloads (for ex.) to provide them out of your DB or completely dynamic-generated without other users to know. Your Python / PHP / Perl scripts will simply get them.
