Microsoft Locks Barn Door 2003; Horse Still Inside

By Larry Seltzer  |  Posted 2003-04-24 Print this article Print

The rule with IIS6 on Windows Server 2003 is that everything is off unless you turn it on. If you want to loosen things up, cautions Security Supersite Editor Larry Seltzer, it's your responsibility.

Perhaps Microsofts biggest mistake with Windows 2000 was including a number of services in the default installation that were not necessary for most servers—most prominently, Internet Information Server (IIS) Version 5. Im told by insiders that even during the Win2K beta, Microsofts JDP (Joint Development Program) partners—the very large customers who are the engine of the Microsofts Windows gravy train—suggested taking it out of the default install. Microsoft was too determined to market the living daylights out of IIS. It was a good thing that IIS would be running everywhere!

The rest is history: Code Red and Nimda latched onto the zillions of forgotten, unsecured and unpatched IIS systems out there and were followed by a large number of lesser worms. In the meantime, administrators didnt buy into Microsofts vision of empowered information workers publishing business documents to Web servers, and a good thing too. We were forced to try to lock the barn door with tools like the IIS Lockdown Tool.

With Windows Server 2003, Microsoft has begun to change things. Even though IIS6 incorporates numerous security enhancements, it is not installed by default. Installing and configuring it require numerous affirmative decisions on your part. Thats fortunate: Its usually a mistake to run IIS on the vast majority of servers, including domain controllers, terminal servers and most file servers. The simple fact that IIS isnt installed on servers will mean you wont have to patch those servers when the inevitable IIS6 patches come out.

Actually, theres one exception: The new Windows Server 2003, Web Edition, which is designed only as a Web server. In fact, Microsoft doesnt want you running anything but Web servers on this version (which has no retail SKU—its only available in OEM versions and through special volume and developer licenses). The license prohibits running any database with more than 25 concurrent users, the capabilities for print sharing and domain controlling have been removed, and youre not allowed to run UDDI services. Its kind of confusing, but I assume that the Web Edition will be cheaper than the other editions (its pricing isnt listed alongside the other Windows Server 2003 flavors), and Microsoft wants to discourage customers from treating it as a cheaper version of the standard edition.

It doesnt stop with the default install. In a network that includes only Windows 2003 domain controllers, several new and profound security policies are added to Active Directory. For instance, you can set a policy that IIS cannot be installed on any servers in a domain or organizational unit (\Administrative Templates\Windows Components\Internet Information Services\Computer Configuration\Prevent IIS Installation). Even administrator users cant install it as long as the policy is in effect.

And by default IIS installs only static Web serving for IIS. If you want more than that, after installation you can use IIS to run the IIS Security Lockdown Wizard or Add/Remove Windows Components. IIS6 itself includes architectural changes that should improve application-level security, but in the big picture, security will be improved more significantly by minimizing unnecessary use of IIS itself.

IIS6-based Web servers have been showing up for months in the Netcraft survey of Web servers; in fact, Netcrafts numbers show that Windows Server 2003 has already overtaken Solaris 9. But ironically, widespread adoption of Windows Server 2003 could lead to a drop in IIS share, as fewer Windows systems run IIS for no good reason at all. All in all, an entirely worthwhile trade-off.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel