Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News

      Microsoft Locks Barn Door 2003; Horse Still Inside

      By
      Larry Seltzer
      -
      April 24, 2003
      Share
      Facebook
      Twitter
      Linkedin

        Perhaps Microsofts biggest mistake with Windows 2000 was including a number of services in the default installation that were not necessary for most servers—most prominently, Internet Information Server (IIS) Version 5. Im told by insiders that even during the Win2K beta, Microsofts JDP (Joint Development Program) partners—the very large customers who are the engine of the Microsofts Windows gravy train—suggested taking it out of the default install. Microsoft was too determined to market the living daylights out of IIS. It was a good thing that IIS would be running everywhere!

        The rest is history: Code Red and Nimda latched onto the zillions of forgotten, unsecured and unpatched IIS systems out there and were followed by a large number of lesser worms. In the meantime, administrators didnt buy into Microsofts vision of empowered information workers publishing business documents to Web servers, and a good thing too. We were forced to try to lock the barn door with tools like the IIS Lockdown Tool.

        With Windows Server 2003, Microsoft has begun to change things. Even though IIS6 incorporates numerous security enhancements, it is not installed by default. Installing and configuring it require numerous affirmative decisions on your part. Thats fortunate: Its usually a mistake to run IIS on the vast majority of servers, including domain controllers, terminal servers and most file servers. The simple fact that IIS isnt installed on servers will mean you wont have to patch those servers when the inevitable IIS6 patches come out.

        Actually, theres one exception: The new Windows Server 2003, Web Edition, which is designed only as a Web server. In fact, Microsoft doesnt want you running anything but Web servers on this version (which has no retail SKU—its only available in OEM versions and through special volume and developer licenses). The license prohibits running any database with more than 25 concurrent users, the capabilities for print sharing and domain controlling have been removed, and youre not allowed to run UDDI services. Its kind of confusing, but I assume that the Web Edition will be cheaper than the other editions (its pricing isnt listed alongside the other Windows Server 2003 flavors), and Microsoft wants to discourage customers from treating it as a cheaper version of the standard edition.

        It doesnt stop with the default install. In a network that includes only Windows 2003 domain controllers, several new and profound security policies are added to Active Directory. For instance, you can set a policy that IIS cannot be installed on any servers in a domain or organizational unit (Administrative TemplatesWindows ComponentsInternet Information ServicesComputer ConfigurationPrevent IIS Installation). Even administrator users cant install it as long as the policy is in effect.

        And by default IIS installs only static Web serving for IIS. If you want more than that, after installation you can use IIS to run the IIS Security Lockdown Wizard or Add/Remove Windows Components. IIS6 itself includes architectural changes that should improve application-level security, but in the big picture, security will be improved more significantly by minimizing unnecessary use of IIS itself.

        IIS6-based Web servers have been showing up for months in the Netcraft survey of Web servers; in fact, Netcrafts numbers show that Windows Server 2003 has already overtaken Solaris 9. But ironically, widespread adoption of Windows Server 2003 could lead to a drop in IIS share, as fewer Windows systems run IIS for no good reason at all. All in all, an entirely worthwhile trade-off.

        Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

        Larry Seltzer
        Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

        MOST POPULAR ARTICLES

        Cybersecurity

        Visa’s Michael Jabbara on Cybersecurity and Digital...

        James Maguire - May 17, 2022 0
        I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
        Read more
        Big Data and Analytics

        Alteryx’s Suresh Vittal on the Democratization of...

        James Maguire - May 31, 2022 0
        I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
        Read more
        Big Data and Analytics

        GoodData CEO Roman Stanek on Business Intelligence...

        James Maguire - May 4, 2022 0
        I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
        Read more
        Applications

        Cisco’s Thimaya Subaiya on Customer Experience in...

        James Maguire - May 10, 2022 0
        I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
        Read more
        Cloud

        Yotascale CEO Asim Razzaq on Controlling Multicloud...

        James Maguire - May 5, 2022 0
        Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
        Read more
        Logo

        eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

        Facebook
        Linkedin
        RSS
        Twitter
        Youtube

        Advertisers

        Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

        Advertise with Us

        Menu

        • About eWeek
        • Subscribe to our Newsletter
        • Latest News

        Our Brands

        • Privacy Policy
        • Terms
        • About
        • Contact
        • Advertise
        • Sitemap
        • California – Do Not Sell My Information

        Property of TechnologyAdvice.
        © 2021 TechnologyAdvice. All Rights Reserved

        Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

        ×