IIS Continues Security Push

Review: management changes stand out in v7.0 beta 1

This year has seen more than its share of high-profile Microsoft beta releases, including Office 2007, Internet Explorer 7 and, of course, Vista. A beta version of another Microsoft product was recently released, but its gone mostly unnoticed, despite the fact that the application is the core engine for most of Microsofts enterprise applications strategy: Internet Information Services 7.0.

Released in late June—at the same time as the "Longhorn" Server Beta and Vista Beta 2—IIS 7.0 Beta 1 is worthy of a bit more attention than it is currently receiving.

When IIS 6.0 was released as part of Windows Server 2003, it signaled a major change in the way that Microsoft approached security in its Web server. Versions of IIS prior to 6.0 were the main points of attack for major worms and viruses such as Nimda. With IIS 6.0, Microsoft moved the Web server to a default profile that was much more secure. This and other security improvements have paid off, as IIS is nowhere near the major security problem it once was.

To a certain degree, IIS 7.0 carries on this move to greater security with a default install that is even more secure than Version 6.0s and improvements in security management. But, by far, the biggest changes in the IIS 7.0 beta are in the areas of configuration and management.

In many ways, this release of IIS is a nod to its main competitor and the market leader in Web servers, The Apache Software Foundations open-source Apache. New IIS 7.0 features, such as a completely modular design and increased reliance on file-based configuration, have been hallmarks of Apache for many years.

But, no matter where they come from or are inspired by, the improvements in IIS 7.0 Beta 1 all look to be worthwhile, based on eWeek Labs tests, and should both ease the task of managing and securing the Web server while making it possible to build rich and dynamic applications on top of it.

Although it isnt installed by default on either Windows Vista or Longhorn Server, IIS 7.0 Beta 1 easily can be added to either through the Programs option in the Windows Control Panel or by defining the Server Manager in Longhorn Server. IIS 7.0 is functionally equivalent on both platforms, although only the Longhorn Server version is configured to handle high traffic loads. (The Vista version is intended mainly for developers.)

During installation, we could choose from a wide variety of options and capabilities that we wanted to install with IIS 7.0.

The new modular design made it possible to give the Web server only the capabilities that it absolutely needed, which is a good way to avoid unnecessary exposure to security problems. There are more than 40 modules currently available for IIS 7.0, handling everything from authentication to scripting support to backward compatibility.

Another big change in this version of IIS is the web.config file, an XML-based file that handles all the core configuration for the Web server and can be ported easily to other servers (for example, when moving from development to staging servers). This file has been used in IIS for ASP.Net configuration, but it now works for overall Web server configuration. As longtime veterans of Apaches httpd.conf and the web.xml configuration files in Java servers, we liked the similar flexibility and customizability the web.config file brings to IIS 7.0.

IIS 7.0 also adds a completely revamped administration interface in the IIS Manager console. This tool moves away from the strictly MMC (Microsoft Management Console)-style interface of previous versions (which we were never fond of) to a fairly intuitive hierarchical console that relies less on tabs and makes good use of context-sensitive information.

Web-browser-based administration also has been improved through the use of a standard secure Web connection, which should make remote management more VPN-friendly. We also liked that remote Web management is not enabled by default, as many companies look at such functionality as a potential security problem.

Microsoft recently unveiled www.iis.net, a Web site dedicated to IIS. This site provides access to IIS trials as well as lots of FAQs and other useful information about the Microsoft Web server.

Labs Director Jim Rapoza can be reached at jim_rapoza@ziffdavis.com.