http://www.osnews.com/story/15188/IIS_7_Shows_Continued_Security_Push Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Tue, 10 Nov 2009 07:26:37 GMT http://www.osnews.com/images/osnews.gif http://www.osnews.com http://osnews.com/thread?142925 http://osnews.com/thread?142925 Actually, the biggest improvements come in configuration area. IIS7 is now fully componentized (obviously they looked at Apache http server) and all the settings are kept in XML file (web.config) (just like ASP.NET application config files; just like TomCat or JBoss). You can easily move settings to another server, etc.
Next, management interface (both graphical and command line) are much improved. You can now write modules for IIS using .NET. Delegation is there, too, etc, etc.

Sure, there is additional work on security but given almost perferct IIS 6 history for the past 3 years, I don't think it is the major factor. Even without extra work in this field, now fully modular structure greatly improves security. Of some 40 modules that ship with IIS7, most are disabled by default. Thanks God.

Now, if only Windows Server was free :-) Fri, 14 Jul 2006 12:57:00 GMT donotreply@osnews.com (gonzo) Comments http://osnews.com/thread?142938 http://osnews.com/thread?142938 improves security. Of some 40 modules that ship with IIS7, most are disabled by default. Thanks God.

What an odd thing to say, What do you think:
1) God works for Microsoft?
2) She deserves all the credit for Microsoft's work?
3) Microsoft is doing God's work?
4) Only God can create a web server? Fri, 14 Jul 2006 13:45:00 GMT donotreply@osnews.com (Sphinx) Comments http://osnews.com/thread?142942 http://osnews.com/thread?142942 No message. Fri, 14 Jul 2006 13:57:00 GMT donotreply@osnews.com (ivefallen) Comments http://osnews.com/thread?142951 http://osnews.com/thread?142951 Yikes! I didn't know they were working on IIS 7. Thats cool tho, I was impressed with IIS 6, well what little bit I did get to use it - small department web server. Fri, 14 Jul 2006 14:12:00 GMT donotreply@osnews.com (TaterSalad) Comments http://osnews.com/thread?142963 http://osnews.com/thread?142963 I like the fact that they are moving the configuration solely to an external file that can be edited outside of the management screen. Maybe this is a sign of things to come with their other products too?

One thing though that I couldn't tell from the article. Are they going to supply some type of proxy setup for IIS like Apache has(mod_proxy)? Its really annoying that IIS (at least as of 6) doesn't have this type of plugin/configuration option anywhere.

I still think I'll prefer Apache over IIS (because I can use it on other platforms, and its Free), but improvements to IIS are certainly a good thing as I know somewhere down the line some client is going to be a pure MS shop I'll need to support. Fri, 14 Jul 2006 15:05:00 GMT donotreply@osnews.com (nstuart) Comments http://osnews.com/thread?142975 http://osnews.com/thread?142975 Can't read? He was giving God all the thanks for Microsoft's new code and software configuration and that struck me as rather wierd. Fri, 14 Jul 2006 15:25:00 GMT donotreply@osnews.com (Sphinx) Comments http://osnews.com/thread?142976 http://osnews.com/thread?142976 I really liked that they finally got their act together for IIS6 security wise. I hope this extends to other products as well, but we'll see.

They've shown some demo videos of IIS7 on channel9 if anyone is interested. They were pretty cool. Fri, 14 Jul 2006 15:26:00 GMT donotreply@osnews.com (sappyvcv) Comments http://osnews.com/thread?142977 http://osnews.com/thread?142977 Can I install their FTP server without HTTP or HTTP without FTP? Fri, 14 Jul 2006 15:26:00 GMT donotreply@osnews.com (Sphinx) Comments http://osnews.com/thread?142978 http://osnews.com/thread?142978 So, a default install may be more secure, but what about a real-life setup (with working modules)?!? Fri, 14 Jul 2006 15:35:00 GMT donotreply@osnews.com (jcinacio) Comments http://osnews.com/thread?142983 http://osnews.com/thread?142983 Well, based on IIS 6, I'd say they're good. IIS 6 has almost perfect history securitywise, since it was released ~3 years ago. Fri, 14 Jul 2006 15:46:00 GMT donotreply@osnews.com (gonzo) Comments http://osnews.com/thread?142985 http://osnews.com/thread?142985 a little muddled. Besides, "Thank God", is a pretty commonly used expression. Fri, 14 Jul 2006 15:53:00 GMT donotreply@osnews.com (ivefallen) Comments http://osnews.com/thread?142987 http://osnews.com/thread?142987 I attended a presentation of IIS 7 in Milan a few weeks ago. It's been very fascinating.

To me, the best feature really is not modularization (that's not very impressive: IIS 6 already has a very good security score though this could improve performance) but the fact that .NET has been inserted into IIS pipeline and we will be able to actually leverage .NET features to control IIS behaviour. That's very impressive because .NET features are potentially extended to system itself and can affect other modules too. That's really nice.

Other than that, configuration files in plain text can be useful but we already had a very complete API to do that so I'm not that sold there.

Plus, there will be other significant improvements but main changes to me are related to how you can programmatically handle almost any aspect of IIS.

The only thing I didn't like (and I specifically asked Elly about this) was about the need to run ASP.NET at medium trust level to automagically achieve protection. I hoped they would fix this. Fri, 14 Jul 2006 15:55:00 GMT donotreply@osnews.com (TBPrince) Comments http://osnews.com/thread?142988 http://osnews.com/thread?142988 Right. I can't be sure but I can't remember an update for IIS other than SP1 itself which changed behaviour of a few things.

Anyway, they had 0 critical vulnerabilities in 3 years. That's great. Fri, 14 Jul 2006 15:58:00 GMT donotreply@osnews.com (TBPrince) Comments http://osnews.com/thread?142996 http://osnews.com/thread?142996 According to what I heard, you will able to do that. Almost every module in independent even if not all of them are. For example, you can install web server without NTLM or Digest authentication support if you don't need them. Of course, you can't install Digest auth module without web server itself... Fri, 14 Jul 2006 16:25:00 GMT donotreply@osnews.com (TBPrince) Comments http://osnews.com/thread?143017 http://osnews.com/thread?143017 Oh, man, of all things I wrote in that message you've noticed that I wrote "Thank God" and you won't stop making noise about it?

Yeah, as somone already said, it is commonly used expression (all over the world) meaning simply - "I'm glad that.." (Microsoft disabled those IIS modules by default).

Please, go troll somewhere else. Fri, 14 Jul 2006 17:57:00 GMT donotreply@osnews.com (gonzo) Comments http://osnews.com/thread?143027 http://osnews.com/thread?143027 going through and voting my previous posts is quite immature. Fri, 14 Jul 2006 19:08:00 GMT donotreply@osnews.com (ivefallen) Comments http://osnews.com/thread?143088 http://osnews.com/thread?143088 IIS is a powerful server with very good GUI configuration tools. I have been using it daily now that I work with ASP.net 2.0 applications. I hope it continues to improve. Good luck to them for IIS 7.x Sat, 15 Jul 2006 00:37:00 GMT donotreply@osnews.com (siimo) Comments http://osnews.com/thread?143106 http://osnews.com/thread?143106 Actually, you said "Thanks God." Thank God is different, and basically just means "It's a miracle," which can mean different things, like "I never expected this" or "this is what I hoped for." Thanks God sounds like you're addressing God directly and giving Him/Her/It/Them credit. It was probably just a typo, but the response was probably just a joke about your typo, so I thought I'd post because I don't like to see people's karma go down the drain just because they don't bother trying to understand what each other said. Or because someone is trying to blacklist this whole thread for being off topic, so...

IIS 7 has config files, eh? If Microsoft makes a habit out of this, one of my biggest complaints about their products may get crossed off the list. Cloning and config backup are essential for any OS that purports to offer services, regardless of whether it's over a network or to a range of users at the keyboard. Sat, 15 Jul 2006 02:14:00 GMT donotreply@osnews.com (atsureki) Comments http://osnews.com/thread?143131 http://osnews.com/thread?143131 Yes, I did, but how's that important for this topic? Big deal or anyhow relevant to IIS7?

Note that he kept on talking about that no matter what. And when other people modded him down for being OT he started modding down everyone else.

I really am not sure, but the guy is so lame to me.

One last thing - English is not my first language and I am still learning, including this Thanks for clearing things up. And thankS you Sat, 15 Jul 2006 03:37:00 GMT donotreply@osnews.com (gonzo) Comments http://osnews.com/thread?143217 http://osnews.com/thread?143217 I'm sure the comments about the security of IIS7 are true in terms of web server administration/configuration/default settings etc.

However, given that some of the most commonly used protocols for admin/maintenance of a Windows server are FTP and RDP (without VPN) perhaps they should be improved. I haven't seen anything in the article that says FTPS (or similar) is part of the implementation here (it could be implemented and set as the default mode), and RDP using SSL could also be a default setting. As with other Windows changes there could be numerous warnings if the user tries to downgrade to less secure modes.

You'll probably think that the above is off topic...

Security aside, will IIS 7 provide a completely built-in method (e.g. config file) for URL re-writing? Sat, 15 Jul 2006 12:06:00 GMT donotreply@osnews.com (cccc) Comments http://osnews.com/thread?143252 http://osnews.com/thread?143252 Sorry, "Thank God", would have appeared to be a normal colloquialism yes, but, "Thanks God", just struck me as odd. Sat, 15 Jul 2006 15:09:00 GMT donotreply@osnews.com (Sphinx) Comments http://osnews.com/thread?143255 http://osnews.com/thread?143255 Can't read either? You said, "Thanks God", like he was the only one involved in the work and not the common expression, "Thank God", maybe a Freudian slip, I don't know, thought it was funny. Please over react and have a cow somewhere else. Sat, 15 Jul 2006 15:14:00 GMT donotreply@osnews.com (Sphinx) Comments http://osnews.com/thread?143256 http://osnews.com/thread?143256 Hmmm, I see, Freudian slip and now paranoia. Sat, 15 Jul 2006 15:17:00 GMT donotreply@osnews.com (Sphinx) Comments http://osnews.com/thread?143257 http://osnews.com/thread?143257 Please, seek help. I've not modded down anything or anyone. I find it far easier and a better use of time just to ignore the stupid comments and mod up the smart ones. I try to stay positive, recommend it highly. Sat, 15 Jul 2006 15:20:00 GMT donotreply@osnews.com (Sphinx) Comments http://osnews.com/thread?143264 http://osnews.com/thread?143264 Yes. You will be able to use that via .NET HTTPModules and HTTPHandlers but since .NET pipeline is now integrated into IIS' then you can use available ASP.NET solutions for that and those will work for other modules too like PHP for example.

So you can have you ASP.NET HTTPModule solution to implement URL rewriting for your PHP application without PHP even know that.

As this is new to IIS, expect new "products" like those to come up very quickly as most of them will simply be modules you use in your application which will be "packetized" and released.

Another great thing you can do is controlling the way IIS will serve files as you can install a module which will "intercepts" all GIF downloads (for ex.) to provide them out of your DB or completely dynamic-generated without other users to know. Your Python / PHP / Perl scripts will simply get them. Sat, 15 Jul 2006 16:05:00 GMT donotreply@osnews.com (TBPrince) Comments http://osnews.com/thread?143299 http://osnews.com/thread?143299 That makes perfect sense. Perhaps you should've asked if it was typo first. Using common sense generally yields good returns. Sat, 15 Jul 2006 19:37:00 GMT donotreply@osnews.com (ivefallen) Comments http://osnews.com/thread?143300 http://osnews.com/thread?143300 @T#HB@#WHB Sat, 15 Jul 2006 19:39:00 GMT donotreply@osnews.com (ivefallen) Comments