Internet Information Services
Internet Information Services (IIS) 6.0, included with Windows Server 2003, is a fundamental redesign of the IIS 5.0 that shipped with Windows 2000 Server. The new architecture provides greater modularity, speed and configurability, and IIS 6.0's updated management tools make it much easier than before to understand how IIS is configured and to pare the server down so it provides only the functionality that is actually needed. These changes bring IIS up to par with the good security and design practices of the Unix world and provide compelling reasons to upgrade.

Those who install Windows Server 2003 on a new machine will find IIS 6.0 much more secure out of the box. In fact, the Web server is not even installed by default, a big change from Windows 2000. We were impressed to see that a default installation really is just a static content Web server: no ISAPI filters are installed, and no extensions are enabled, so requests for dynamic content are refused instead of being handed to an ISAPI handler. This is a huge security step forward, because every extension installed by default with IIS 5.0 proved to have security flaws after that product shipped, enabling massive worldwide infections of IIS servers. During tests, turning on selected extensions was simple using the new Web Service Extensions folder in the Application Server Management snap-in (see screen). However, some extensions, such as the FrontPage 2002 Server Extensions or Internet Printing, needed to be enabled or disabled through the Add or Remove Programs icon in the Control Panel. Integrating all IIS configuration settings into the Application Server Management tool would be a welcome future change.
ISAPI extensions and other application code also now run in separate worker processes under a new low-privilege account, Network Service, rather than inside inetinfo.exe under the all-powerful LocalSystem account that IIS 5.0 used, so a compromised extension no longer hands an attacker the whole machine.
However, those who get IIS 6.0 by upgrading existing Windows servers will lose many of these benefits, because the very insecure IIS 5.0 default configuration is preserved across the upgrade. In our upgrade tests, IIS 6.0 defaulted to an IIS 5.0 compatibility mode (IIS 5.0 isolation mode) that continued to run extensions under the LocalSystem account and left the previously installed extensions and filters in place.
The IIS service is disabled by default after an upgrade of a Windows 2000 system on which the IIS 5.0 Lockdown Tool had not already been run: a symbolic smack to the head for careless administrators to wake up and use the tools Windows Server 2003 provides to tighten IIS security before re-enabling the service.
IIS uptime and performance have been improved with http.sys, a new kernel-mode driver that owns the HTTP listening sockets, queues incoming requests and caches static and dynamic responses. Because the kernel, not the worker process, holds the connections and the request queue, a hung or crashed worker process can be recycled while queued requests wait in the kernel rather than being dropped. This approach has proved effective on other platforms; Red Hat Inc.'s Red Hat Linux, Sun Microsystems Inc.'s Solaris and IBM's AIX all offer in-kernel HTTP page caches.
IIS now stores its configuration in a single XML file called metabase.xml, replacing the binary metabase.bin of IIS 5.0. After enabling the setting that allows the file to be edited while the service is running (Enable Direct Metabase Edit in the server's properties), we opened the file in Notepad, altered the home directory of a Web site we had created and saved the file. The changes were applied automatically. Because such edits take effect live, a mistake in the XML does too; IIS 6.0 mitigates this by keeping versioned copies of the metabase in its History folder, from which a known-good configuration can be restored. This kind of easy automated site configuration using a single text file is a hallmark of The Apache Software Foundation's Apache HTTP Server and a welcome IIS addition. Timothy Dyck
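The two points above (the IIS 5.0 compatibility mode that an upgrade leaves behind, and the metabase now being a plain XML file) together make a post-upgrade audit scriptable. The following is an added example written for this page, not code from the article or from Microsoft: it parses a copy of metabase.xml offline and reports whether IIS 5.0 isolation mode is on, which Web Service Extensions are allowed, each site's home directory and any virtual directory that grants AccessExecute. The sample document embedded in it is constructed and heavily trimmed; the property names it relies on (Location, IIs5IsolationModeEnabled, WebSvcExtRestrictionList, ServerComment, Path, AccessFlags) follow the IIS 6.0 metabase schema as I know it, and the entry format of WebSvcExtRestrictionList ("allowed,path,deletable,groupId,description") is an assumption to check against your own file before trusting the output.

```python
"""Offline audit of an IIS 6.0 metabase.xml (added example, not the article's code).

Property names follow the IIS 6.0 metabase schema; the sample document below is
constructed and trimmed, and the WebSvcExtRestrictionList entry layout
('allowed,path,deletable,groupId,description') is an assumption to verify.
"""
import xml.etree.ElementTree as ET

# metabase.xml declares a default namespace; ElementTree needs it spelled out.
NS = {"mb": "urn:microsoft-catalog:XML_Metabase_V64_0"}

# Constructed sample: an upgraded server still in IIS 5.0 isolation mode, with
# ASP and Internet Printing allowed and one directory marked executable.
# Multi-valued properties are newline separated; &#xA; survives XML
# attribute-value normalization, which would turn a literal newline into a space.
SAMPLE_METABASE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC"
  IIs5IsolationModeEnabled="TRUE"
  WebSvcExtRestrictionList="0,*.dll&#xA;0,*.exe&#xA;1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages&#xA;0,C:\WINDOWS\system32\inetsrv\httpodbc.dll,0,HTTPODBC,Internet Data Connector&#xA;1,C:\WINDOWS\system32\msw3prt.dll,0,INETPRINT,Internet Printing">
</IIsWebService>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" ServerBindings=":80:">
</IIsWebServer>
<IIsWebVirtualDir Location="/LM/W3SVC/1/Root" AccessFlags="AccessRead | AccessScript" Path="c:\inetpub\wwwroot">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/Root/scripts" AccessFlags="AccessExecute | AccessScript" Path="c:\inetpub\scripts">
</IIsWebVirtualDir>
</MBProperty>
</configuration>
"""


def parse_metabase(xml_text):
    """Parse a metabase document and return its root <configuration> element."""
    return ET.fromstring(xml_text)


def _web_service(root):
    svc = root.find("mb:MBProperty/mb:IIsWebService", NS)
    if svc is None:
        raise ValueError("no IIsWebService node: is this a W3SVC metabase?")
    return svc


def iis5_isolation_mode(root):
    """True when the server runs in IIS 5.0 isolation mode (ISAPI code in inetinfo.exe as LocalSystem)."""
    return _web_service(root).get("IIs5IsolationModeEnabled", "FALSE").upper() == "TRUE"


def enabled_extensions(root):
    """(groupId, path) for every Web Service Extension whose entry is flagged allowed ('1').

    The wildcard entries *.dll and *.exe govern ISAPI and CGI binaries that are
    not individually listed; either being '1' means unknown code may run.
    """
    allowed = []
    for entry in _web_service(root).get("WebSvcExtRestrictionList", "").split("\n"):
        fields = [f.strip() for f in entry.split(",")]
        if len(fields) < 2 or fields[0] != "1":
            continue
        group = fields[3] if len(fields) > 3 else fields[1]  # wildcards have no groupId
        allowed.append((group, fields[1]))
    return allowed


def site_home_directories(root):
    """Map each site's ServerComment to (home directory Path, AccessFlags) of its Root vdir."""
    vdirs = {v.get("Location", "").lower(): v
             for v in root.findall("mb:MBProperty/mb:IIsWebVirtualDir", NS)}
    homes = {}
    for site in root.findall("mb:MBProperty/mb:IIsWebServer", NS):
        root_vdir = vdirs.get((site.get("Location", "") + "/root").lower())
        if root_vdir is not None:
            homes[site.get("ServerComment", site.get("Location"))] = (
                root_vdir.get("Path", ""), root_vdir.get("AccessFlags", ""))
    return homes


def executable_dirs(root):
    """Locations whose AccessFlags grant AccessExecute, i.e. where uploaded binaries could run."""
    return [v.get("Location")
            for v in root.findall("mb:MBProperty/mb:IIsWebVirtualDir", NS)
            if "AccessExecute" in v.get("AccessFlags", "").split()]


def audit(xml_text):
    """The findings an administrator would check after an in-place upgrade."""
    root = parse_metabase(xml_text)
    return {
        "iis5_isolation_mode": iis5_isolation_mode(root),
        "enabled_extensions": enabled_extensions(root),
        "home_directories": site_home_directories(root),
        "executable_dirs": executable_dirs(root),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_METABASE).items():
        print(f"{key}: {value}")
```

On a real server the file lives under %SystemRoot%\system32\inetsrv and is readable only by administrators, so copy it with an administrative account and run the audit on the copy; anything the script flags (isolation mode on, wildcard extensions allowed, AccessExecute on a writable directory) is exactly the IIS 5.0 configuration the upgrade was supposed to leave behind.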
However, with careful administration and use of Microsoft's free IIS Lockdown Tool and UrlScan, current IIS 5.0 administrators can gain many of the security benefits IIS 6.0 provides. The Lockdown Tool's functionality is also built into IIS 6.0's management tools, although UrlScan is not integrated into the product (something we would like to see).