IIS 7 Shows Continued Security Push

Review: eWEEK Labs' review of Microsoft IIS 7 Beta shows that the biggest changes are in configuration and management.

Download the authoritative guide:

This year has seen more than its share of high-profile Microsoft beta releases, including Office 2007, Internet Explorer 7 and, of course, Vista.

A beta version of another Microsoft product was recently released, but its gone mostly unnoticed, despite the fact that the application is the core engine for most of Microsofts enterprise applications strategy: Internet Information Services 7.

Released in late June—at the same time as the Longhorn Server beta and Beta 2 of Vista—IIS 7 Beta 1 is worthy of a bit more attention than it is currently receiving.

When IIS 6 was released as part of Windows Server 2003, it signaled a major change in the way that Microsoft approached security in its Web server.

Versions of IIS prior to 6 were the main points of attack for major worms and viruses such as Nimda. With IIS 6, Microsoft moved the Web server to a default profile that was much more secure.

This and other security improvements have paid off, as IIS is nowhere near the major security problem it once was. /zimages/2/140671.jpg

To a certain degree, IIS 7 carries on this move to greater security with a default install that is even more secure than Version 6s and improvements in security management.

But, by far, the biggest changes in the IIS 7 beta are in the areas of configuration and management.

In many ways, this release of IIS is a nod to its main competitor, and the market leader in Web servers, the open-source Apache. New IIS 7 features, such as a completely modular design and increased reliance on file-based configuration, have been hallmarks of Apache for many years.

But, no matter where they come from or are inspired by, the improvements in IIS 7 Beta 1 all look to be worthwhile, based on eWEEK Labs tests, and should both ease the task of managing and securing the Web server while making it possible to build rich and dynamic applications on top of it.

Although it isnt installed by default on either Windows Vista or Longhorn Server, IIS 7 Beta 1 can be easily added to either through the Programs option in the Windows Control Panel or by defining the Server Manager in Longhorn Server.

IIS 7 is functionally equivalent on both platforms, although only the Longhorn Server version is configured to handle high traffic loads. (The Vista version is intended mainly for developers.)

/zimages/2/28571.gifBeta 3 gets Internet Explorer 7 closer to the fast lane. Click here to read more.

During installation, we could choose from a wide variety of options and capabilities that we wanted to install with IIS 7.

The new modular design made it possible to give the Web server only the capabilities that it absolutely needed, which is a good way to avoid unnecessary exposure to security problems.

There are more than 40 modules currently available for IIS 7, handling everything from authentication to scripting support to backward compatibility.

Another big change in this version of IIS is the web.config file, an XML-based file that handles all of the core configuration for the Web server and can be easily ported to other servers (for example, when moving from development to staging servers).

This file has been used in IIS for ASP.Net configuration, but it now works for overall Web server configuration. As longtime veterans of Apaches httpd.conf and the web.xml configuration files in Java servers, we liked the similar flexibility and customizability that the web.config file brings to IIS 7.

IIS 7 also adds a completely revamped administration interface in the IIS Manager console. This tool moves away from the strictly MMC (Microsoft Management Console) interface of previous versions (which we were never a fan of) to a fairly intuitive hierarchical console that relies less on tabs and makes good use of context-sensitive information.

Remote administration has also been improved through the use of a standard secure HTTP connection, which should make remote management more VPN-friendly.

We also liked that remote management is not enabled by default, as many companies look at such functionality as a potential security problem.

Although this version of IIS 7 is a beta, we did do some simple performance tests to see how the new version is stacking up performance-wise against the current shipping version, IIS 6.

In our tests (which were run using IIS 7 on the Longhorn Server beta and IIS 6 on Windows Server 2003), there were only minor differences, with IIS 7 being slightly faster in some tests (such as average transactions and hits per second) and slightly slower in others (such as average throughput and page download times).

Microsoft recently unveiled a Web site dedicated to IIS.

This site provides access to IIS trials as well as lots of FAQs and other useful information about the Microsoft Web server.

Labs Director Jim Rapoza can be reached at jim_rapoza@ziffdavis.com.

/zimages/2/28571.gifCheck out eWEEK.coms for Microsoft and Windows news, views and analysis.