Windows .Net Server Security Is Looking Up | eWeek

Written by Timothy Dyck
Aug 19, 2002

The preventative focus on secure installations in the upcoming Windows .Net Server is visible almost from the first click in the installer. When we tested an upgrade of a Windows 2000 Server system to Windows .Net Server Release Candidate 1, the installer noticed that the IIS (Internet Information Services) Lockdown Wizard had not been run on the machine and automatically disabled IIS as part of the upgrade process (see review).

Terrific! This single action is a great advance for Internet security: out-of-the-box or otherwise poorly maintained IIS installations were the reason the Code Red ver. 2 worm was able to infect more than 350,000 servers last year (see www.eweek.com/links).

Unfortunately, when we loaded the IIS management tool after the upgrade and restarted the Web site, the tool re-enabled the server and made no further mention of the Lockdown Wizard. The wizard should run automatically and apply its settings before the Web server is re-enabled, particularly since the many default Web server extensions installed by Windows 2000 are left enabled in an upgrade to .Net Server.

On a new .Net Server installation, IIS, the Windows FTP server and the SMTP server are not installed by default. In addition, all IIS extensions except those we enabled during the IIS installation process are disabled through a version of the Lockdown Tool now integrated with the IIS admin tool. This is a big security step forward for new IIS setups.

Simple things such as password security are also improved. When doing a new install (not an upgrade), the installer checked our Administrator password and required us to OK passwords that didn't meet basic complexity guidelines. In comparison, Windows 2000 Server blithely lets an administrator click the Next button through the installation, leaving the Administrator password blank.

After installation, we were prompted to configure the automatic updates agent in .Net Server: The default behavior for the agent is to automatically download updates but not apply them.

As with Windows XP, .Net Server has a built-in simple firewall (in addition to the IP Security support in Windows 2000) that can also be used to filter Internet traffic. The firewall is not enabled by default and simply blocks all incoming traffic not sent in response to traffic that originated on the server. The IPSec firewall features do not track the connection state but do allow outgoing traffic to be filtered as well as incoming traffic.
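The difference between the two filtering models described above can be seen in a small simulation. This is an added example, not code from the article or from Windows: the class names, rule format, addresses and ports are all constructed, and both classes are simplified models of the behavior the paragraph describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the server
    src: str
    sport: int
    dst: str
    dport: int

class StatefulInbound:
    """Built-in firewall as the article describes it: outbound is never
    filtered; inbound passes only if it answers a flow the server opened."""
    def __init__(self):
        self.flows = set()
    def allow(self, p):
        if p.direction == "out":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.flows

class StatelessFilter:
    """IPSec-style filtering as described: static rules in both directions,
    no connection state. Rules are (direction, remote_port, permit)."""
    def __init__(self, rules):
        self.rules = rules
    def allow(self, p):
        remote = p.dport if p.direction == "out" else p.sport
        for direction, port, permit in self.rules:
            if direction == p.direction and port == remote:
                return permit
        return False  # default deny

SERVER = "10.0.0.5"  # constructed addresses (documentation ranges for remotes)
PACKETS = {
    "dns_query":   Packet("out", SERVER, 1055, "192.0.2.53", 53),
    "dns_reply":   Packet("in", "192.0.2.53", 53, SERVER, 1055),
    "unsolicited": Packet("in", "198.51.100.7", 53, SERVER, 1055),
    "other_out":   Packet("out", SERVER, 1056, "198.51.100.7", 6667),
}

def compare():
    """Return {packet name: (stateful verdict, stateless verdict)}."""
    stateful = StatefulInbound()
    stateless = StatelessFilter([("out", 53, True), ("in", 53, True)])
    return {name: (stateful.allow(p), stateless.allow(p))
            for name, p in PACKETS.items()}
```

The stateful model drops the unsolicited inbound packet but cannot stop the unexpected outbound connection; the stateless model blocks that outbound connection, but its static inbound rule admits any packet that merely looks like a reply.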
