eWeek reviews IIS 7 Beta. “Versions of IIS prior to 6 were the main points of attack for major worms and viruses such as Nimda. With IIS 6, Microsoft moved the Web server to a default profile that was much more secure. This and other security improvements have paid off, as IIS is nowhere near the major security problem it once was. To a certain degree, IIS 7 carries on this move to greater security with a default install that is even more secure than Version 6’s and improvements in security management.”
Actually, the biggest improvements come in configuration area. IIS7 is now fully componentized (obviously they looked at Apache http server) and all the settings are kept in XML file (web.config) (just like ASP.NET application config files; just like TomCat or JBoss). You can easily move settings to another server, etc.
Next, management interface (both graphical and command line) are much improved. You can now write modules for IIS using .NET. Delegation is there, too, etc, etc.
Sure, there is additional work on security but given almost perferct IIS 6 history for the past 3 years, I don’t think it is the major factor. Even without extra work in this field, now fully modular structure greatly improves security. Of some 40 modules that ship with IIS7, most are disabled by default. Thanks God.
Now, if only Windows Server was free 🙂
improves security. Of some 40 modules that ship with IIS7, most are disabled by default. Thanks God.
What an odd thing to say, What do you think:
1) God works for Microsoft?
2) She deserves all the credit for Microsoft’s work?
3) Microsoft is doing God’s work?
4) Only God can create a web server?
No message.
Can’t read? He was giving God all the thanks for Microsoft’s new code and software configuration and that struck me as rather wierd.
a little muddled. Besides, “Thank God”, is a pretty commonly used expression.
Sorry, “Thank God”, would have appeared to be a normal colloquialism yes, but, “Thanks God”, just struck me as odd.
That makes perfect sense. Perhaps you should’ve asked if it was typo first. Using common sense generally yields good returns.
Oh, man, of all things I wrote in that message you’ve noticed that I wrote “Thank God” and you won’t stop making noise about it?
Yeah, as somone already said, it is commonly used expression (all over the world) meaning simply – “I’m glad that..” (Microsoft disabled those IIS modules by default).
Please, go troll somewhere else.
Actually, you said “Thanks God.” Thank God is different, and basically just means “It’s a miracle,” which can mean different things, like “I never expected this” or “this is what I hoped for.” Thanks God sounds like you’re addressing God directly and giving Him/Her/It/Them credit. It was probably just a typo, but the response was probably just a joke about your typo, so I thought I’d post because I don’t like to see people’s karma go down the drain just because they don’t bother trying to understand what each other said. Or because someone is trying to blacklist this whole thread for being off topic, so…
IIS 7 has config files, eh? If Microsoft makes a habit out of this, one of my biggest complaints about their products may get crossed off the list. Cloning and config backup are essential for any OS that purports to offer services, regardless of whether it’s over a network or to a range of users at the keyboard.
Yes, I did, but how’s that important for this topic? Big deal or anyhow relevant to IIS7?
Note that he kept on talking about that no matter what. And when other people modded him down for being OT he started modding down everyone else.
I really am not sure, but the guy is so lame to me.
One last thing – English is not my first language and I am still learning, including this
Thanks for clearing things up. And thankS you 
Please, seek help. I’ve not modded down anything or anyone. I find it far easier and a better use of time just to ignore the stupid comments and mod up the smart ones. I try to stay positive, recommend it highly.
Can’t read either? You said, “Thanks God”, like he was the only one involved in the work and not the common expression, “Thank God”, maybe a Freudian slip, I don’t know, thought it was funny. Please over react and have a cow somewhere else.
@T#HB@#WHB
going through and voting my previous posts is quite immature.
Hmmm, I see, Freudian slip and now paranoia.
Yikes! I didn’t know they were working on IIS 7. Thats cool tho, I was impressed with IIS 6, well what little bit I did get to use it – small department web server.
I like the fact that they are moving the configuration solely to an external file that can be edited outside of the management screen. Maybe this is a sign of things to come with their other products too?
One thing though that I couldn’t tell from the article. Are they going to supply some type of proxy setup for IIS like Apache has(mod_proxy)? Its really annoying that IIS (at least as of 6) doesn’t have this type of plugin/configuration option anywhere.
I still think I’ll prefer Apache over IIS (because I can use it on other platforms, and its Free), but improvements to IIS are certainly a good thing as I know somewhere down the line some client is going to be a pure MS shop I’ll need to support.
I really liked that they finally got their act together for IIS6 security wise. I hope this extends to other products as well, but we’ll see.
They’ve shown some demo videos of IIS7 on channel9 if anyone is interested. They were pretty cool.
Can I install their FTP server without HTTP or HTTP without FTP?
According to what I heard, you will able to do that. Almost every module in independent even if not all of them are. For example, you can install web server without NTLM or Digest authentication support if you don’t need them. Of course, you can’t install Digest auth module without web server itself…
So, a default install may be more secure, but what about a real-life setup (with working modules)?!?
Well, based on IIS 6, I’d say they’re good. IIS 6 has almost perfect history securitywise, since it was released ~3 years ago.
Right. I can’t be sure but I can’t remember an update for IIS other than SP1 itself which changed behaviour of a few things.
Anyway, they had 0 critical vulnerabilities in 3 years. That’s great.
I attended a presentation of IIS 7 in Milan a few weeks ago. It’s been very fascinating.
To me, the best feature really is not modularization (that’s not very impressive: IIS 6 already has a very good security score though this could improve performance) but the fact that .NET has been inserted into IIS pipeline and we will be able to actually leverage .NET features to control IIS behaviour. That’s very impressive because .NET features are potentially extended to system itself and can affect other modules too. That’s really nice.
Other than that, configuration files in plain text can be useful but we already had a very complete API to do that so I’m not that sold there.
Plus, there will be other significant improvements but main changes to me are related to how you can programmatically handle almost any aspect of IIS.
The only thing I didn’t like (and I specifically asked Elly about this) was about the need to run ASP.NET at medium trust level to automagically achieve protection. I hoped they would fix this.
IIS is a powerful server with very good GUI configuration tools. I have been using it daily now that I work with ASP.net 2.0 applications. I hope it continues to improve. Good luck to them for IIS 7.x
I’m sure the comments about the security of IIS7 are true in terms of web server administration/configuration/default settings etc.
However, given that some of the most commonly used protocols for admin/maintenance of a Windows server are FTP and RDP (without VPN) perhaps they should be improved. I haven’t seen anything in the article that says FTPS (or similar) is part of the implementation here (it could be implemented and set as the default mode), and RDP using SSL could also be a default setting. As with other Windows changes there could be numerous warnings if the user tries to downgrade to less secure modes.
You’ll probably think that the above is off topic…
Security aside, will IIS 7 provide a completely built-in method (e.g. config file) for URL re-writing?
Yes. You will be able to use that via .NET HTTPModules and HTTPHandlers but since .NET pipeline is now integrated into IIS’ then you can use available ASP.NET solutions for that and those will work for other modules too like PHP for example.
So you can have you ASP.NET HTTPModule solution to implement URL rewriting for your PHP application without PHP even know that.
As this is new to IIS, expect new “products” like those to come up very quickly as most of them will simply be modules you use in your application which will be “packetized” and released.
Another great thing you can do is controlling the way IIS will serve files as you can install a module which will “intercepts” all GIF downloads (for ex.) to provide them out of your DB or completely dynamic-generated without other users to know. Your Python / PHP / Perl scripts will simply get them.