Microsoft pushes security in IIS 6.0
by Garry Kranz 07.24.2003
Mark Adams knows how new software code can gum up the works. As IT director for HomeLoanCenter.com, an online direct lender in Irvine, Calif., Adams oversees a development team that churns out code about every two weeks. That's one reason Adams is pleased about several enhanced security features included in version 6 of Microsoft Corp.'s Internet Information Server (IIS).

HomeLoanCenter.com is a Microsoft programming shop that has used previous versions of IIS, which is Microsoft's Web server product. Adams says improved kernel processes in IIS6 helped developers accelerate code launches for online applications that furnish interest rates and other mortgage information to homebuyers. Uptime and productivity have risen, with fewer application errors. IIS6 is also helping the company as it develops new applications using the .NET framework.

IIS6 isolates application processes from one another, so dynamic code running in one application doesn't interfere with other programs. "We have a lot of user-level code that tends to overlap into some of the IIS applications," Adams says. "The kernel of IIS6 is a lot better at managing the shutdown of processes that otherwise would kill our IIS [5.1] servers."
This is one of the ways Microsoft is trying to bolt down security in the new Web server. Once the poster child for how not to build an HTTP server, IIS has come to symbolize Redmond, Wash.-based Microsoft's newfound emphasis on security over open functionality. Microsoft founder Bill Gates made a splash last year by announcing his company's new Trustworthy Computing initiative. Experts say IIS6 shows Microsoft is serious about its new security orientation.

"In terms of Microsoft delivering on its promise to deliver more secure software, this is it," says Brett Hill, a consultant who runs IISTraining.com in Boulder, Colo.

Since its inception as part of Windows 2000 Server, IIS has been plagued by well-chronicled security holes, most of which resulted from buggy software. The principal culprit: IIS default settings, which permitted programs to run automatically when Windows 2000 was installed.

"It wasn't that IIS was so full of holes as much as it was the applications that were enabled by default. The applications had the bugs, but IIS was the gateway to those applications," says Hill.

In the new version, default settings are turned to the "off" position, which means administrators have greater control over which applications run automatically. Rather than locking down programs and assigning user privileges after Windows 2000 is installed, administrators now can tighten things up at the outset.
This is a complete reversal for Microsoft, which built the formative releases of IIS to be as functional as possible out of the box. "In the past, partly because of its role in corporate LANs, IIS was relatively biased toward functionality and ease of use, not security," says Joseph Lima, vice president of product development with San Diego-based Port80 Software Inc., which develops specialized applications for IIS. "Now, you have to select even the installation of IIS."

Also, associated software --- legacy applications for integrating Windows NT file systems, Web-based printing, tracking usage on servers, and other features --- is automatically disabled. That removes a hacker's chief attack point. The locked-down approach extends to all basic configuration tasks, including access control lists and the use of third-party software. "All of this has to be specifically enabled by the administrator, whereas before it would have been the exact reverse," says Lima.

Microsoft made important changes to the metabase, which stores metadata about IIS' configuration settings. "You can configure your pager, set up security, set up your directory structure, and do it [in the database] through an easily navigable interface," says HomeLoanCenter.com's Adams.

The reworked metabase is more "Apache-like," says Lima, referring to the Apache Web server, an open-source product favored by Unix and Linux shops. "The changes should help in a lot of ways with troubleshooting."
Indeed, Apache is in Microsoft's crosshairs. Microsoft wants to deepen its penetration into the Web-server market, which has been dominated by Apache. About 63% of Web sites are served by Apache, according to a July 2003 survey by Netcraft Ltd. Microsoft captured about 27% of the market.

Still, a body of myth has developed that Apache is more security oriented than IIS -- a perception not shared by IISTraining.com's Hill. "Apache and Unix- and Linux-based systems have had their fair share of fixes, too. If you stack up the number of fixes of Apache against Microsoft, IIS compares quite favorably," he says.

New licensing programs by Microsoft may offer potential savings in the form of server consolidation. Windows 2003 is the first version of Windows to include a Web edition -- an operating system exclusively for enterprises that only want an HTTP server. Internet service providers, for instance, could replace server farms with one or two IIS6 boxes, which can handle between 10,000 and 15,000 Web sites. "Your cost savings [for fewer licenses] are dramatic, plus your uptime increases," says Hill.

The 32- and 64-bit enterprise editions of Windows 2003 Server are priced around $4,000. The Web edition does not have standard pricing, so administrators should check with authorized Microsoft resellers for the best deal.