Microsoft Locks Barn Door 2003; Horse Still Inside

The rule with IIS6 on Windows Server 2003 is that everything is off unless you turn it on. If you want to loosen things up, cautions Security Supersite Editor Larry Seltzer, it's your responsibility.

Perhaps Microsofts biggest mistake with Windows 2000 was including a number of services in the default installation that were not necessary for most servers—most prominently, Internet Information Server (IIS) Version 5. Im told by insiders that even during the Win2K beta, Microsofts JDP (Joint Development Program) partners—the very large customers who are the engine of the Microsofts Windows gravy train—suggested taking it out of the default install. Microsoft was too determined to market the living daylights out of IIS. It was a good thing that IIS would be running everywhere!

The rest is history: Code Red and Nimda latched onto the zillions of forgotten, unsecured and unpatched IIS systems out there and were followed by a large number of lesser worms. In the meantime, administrators didnt buy into Microsofts vision of empowered information workers publishing business documents to Web servers, and a good thing too. We were forced to try to lock the barn door with tools like the IIS Lockdown Tool.

With Windows Server 2003, Microsoft has begun to change things. Even though IIS6 incorporates numerous security enhancements, it is not installed by default. Installing and configuring it require numerous affirmative decisions on your part. Thats fortunate: Its usually a mistake to run IIS on the vast majority of servers, including domain controllers, terminal servers and most file servers. The simple fact that IIS isnt installed on servers will mean you wont have to patch those servers when the inevitable IIS6 patches come out.

Actually, theres one exception: The new Windows Server 2003, Web Edition, which is designed only as a Web server. In fact, Microsoft doesnt want you running anything but Web servers on this version (which has no retail SKU—its only available in OEM versions and through special volume and developer licenses). The license prohibits running any database with more than 25 concurrent users, the capabilities for print sharing and domain controlling have been removed, and youre not allowed to run UDDI services. Its kind of confusing, but I assume that the Web Edition will be cheaper than the other editions (its pricing isnt listed alongside the other Windows Server 2003 flavors), and Microsoft wants to discourage customers from treating it as a cheaper version of the standard edition.

It doesnt stop with the default install. In a network that includes only Windows 2003 domain controllers, several new and profound security policies are added to Active Directory. For instance, you can set a policy that IIS cannot be installed on any servers in a domain or organizational unit (\Administrative Templates\Windows Components\Internet Information Services\Computer Configuration\Prevent IIS Installation). Even administrator users cant install it as long as the policy is in effect.

And by default IIS installs only static Web serving for IIS. If you want more than that, after installation you can use IIS to run the IIS Security Lockdown Wizard or Add/Remove Windows Components. IIS6 itself includes architectural changes that should improve application-level security, but in the big picture, security will be improved more significantly by minimizing unnecessary use of IIS itself.

IIS6-based Web servers have been showing up for months in the Netcraft survey of Web servers; in fact, Netcrafts numbers show that Windows Server 2003 has already overtaken Solaris 9. But ironically, widespread adoption of Windows Server 2003 could lead to a drop in IIS share, as fewer Windows systems run IIS for no good reason at all. All in all, an entirely worthwhile trade-off.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.