Web Buyer's Guide: IIS 7 Shows Continued Security Push

Contact Us

Home > Developer Home > Reviews > Story

Developer

IIS 7 Shows Continued Security Push

By Jim Rapozza - eWeek

This year has seen more than its share of high-profile Microsoft beta releases, including Office 2007, Internet Explorer 7 and, of course, Vista.

A beta version of another Microsoft product was recently released, but it's gone mostly unnoticed, despite the fact that the application is the core engine for most of Microsoft's enterprise applications strategy: Internet Information Services 7.

Released in late June—at the same time as the Longhorn Server beta and Beta 2 of Vista—IIS 7 Beta 1 is worthy of a bit more attention than it is currently receiving.

When IIS 6 was released as part of Windows Server 2003, it signaled a major change in the way that Microsoft approached security in its Web server.

Versions of IIS prior to 6 were the main points of attack for major worms and viruses such as Nimda. With IIS 6, Microsoft moved the Web server to a default profile that was much more secure.

This and other security improvements have paid off, as IIS is nowhere near the major security problem it once was.

To a certain degree, IIS 7 carries on this move to greater security with a default install that is even more secure than Version 6's and improvements in security management.

But, by far, the biggest changes in the IIS 7 beta are in the areas of configuration and management.

In many ways, this release of IIS is a nod to its main competitor, and the market leader in Web servers, the open-source Apache. New IIS 7 features, such as a completely modular design and increased reliance on file-based configuration, have been hallmarks of Apache for many years.

But, no matter where they come from or are inspired by, the improvements in IIS 7 Beta 1 all look to be worthwhile, based on our tests, and should both ease the task of managing and securing the Web server while making it possible to build rich and dynamic applications on top of it.

Although it isn't installed by default on either Windows Vista or Longhorn Server, IIS 7 Beta 1 can be easily added to either through the Programs option in the Windows Control Panel or by defining the Server Manager in Longhorn Server.

IIS 7 is functionally equivalent on both platforms, although only the Longhorn Server version is configured to handle high traffic loads. (The Vista version is intended mainly for developers.)

During installation, we could choose from a wide variety of options and capabilities that we wanted to install with IIS 7.

The new modular design made it possible to give the Web server only the capabilities that it absolutely needed, which is a good way to avoid unnecessary exposure to security problems.

There are more than 40 modules currently available for IIS 7, handling everything from authentication to scripting support to backward compatibility.

Another big change in this version of IIS is the web.config file, an XML-based file that handles all of the core configuration for the Web server and can be easily ported to other servers (for example, when moving from development to staging servers).

This file has been used in IIS for ASP.Net configuration, but it now works for overall Web server configuration. As longtime veterans of Apache's httpd.conf and the web.xml configuration files in Java servers, we liked the similar flexibility and customizability that the web.config file brings to IIS 7.

IIS 7 also adds a completely revamped administration interface in the IIS Manager console. This tool moves away from the strictly MMC (Microsoft Management Console) interface of previous versions (which we were never a fan of) to a fairly intuitive hierarchical console that relies less on tabs and makes good use of context-sensitive information.

Remote administration has also been improved through the use of a standard secure HTTP connection, which should make remote management more VPN-friendly.

We also liked that remote management is not enabled by default, as many companies look at such functionality as a potential security problem.

Although this version of IIS 7 is a beta, we did do some simple performance tests to see how the new version is stacking up performance-wise against the current shipping version, IIS 6.

In our tests (which were run using IIS 7 on the Longhorn Server beta and IIS 6 on Windows Server 2003), there were only minor differences, with IIS 7 being slightly faster in some tests (such as average transactions and hits per second) and slightly slower in others (such as average throughput and page download times).

7/13/2006

Related Links:

Related stories on this topic

Related stories in this industy

Featured White Paper

Building a Virtual Infrastructure from Servers to Storage by NetApp

The Advantages of a Hosted Messaging Security Solution by Microsoft

Achieving Sales Success with Tablet PCs by Toshiba

What's Missing from SEM? by NetIQ

5 Essentials of Customer Experience Management by Tealeaf

The CIO’s Guide to Mobile Security by Research in Motion

On-Demand Versus On-Premise CRM: Are There Performance Differences? by Business Objects

Overcoming Data Protection Challenges of the Modern Distributed Business by Adaptec

Small and Medium Business Security Solutions by Trend Micro

Is Daily Defragmentation Needed in Today’s Environment? by Diskeeper

Performance Management: New “Hybrids” Combine Agent and Agentless Technology by BMC

A Proven WAN Optimization Approach by Riverbed

Mitigating Fire Risks in Mission Critical Facilities by APC

Architectural Considerations for Archive and Compliance Solutions by Network Appliance

Storage Virtualization: An Overview of Key Technologies and their Capabilities by Datalink

The World of IT has taken a Quantum Leap by Everdream

Fighting the Hidden Dangers of Internet Access by St. Bernard

Secure Optimized Data Protection for Remote Offices by Symantec

Workday Redefines Software by Workday

Simplify & Improve Enterprise Desktop Management by VMware

Spam Filtering: Building a More Accurate Filter by St. Bernard

Intel Energy-Efficient Performance by Dell

Business-Class Security and Compliance for On-Demand Instant Messaging by WebEx

Reducing the Risks of 64-bit Application Porting with Parasoft C++ Test and Parasoft Insure ++ by Parasoft

Reduce IT Costs and Complexity with Effective Application Problem Management by Identify

Understanding E-Mail Hygiene by Mirapoint

Automated Deployment by Dell Managed Services by Dell

From Crisis to Cruise Control: Creating a High-Performance IT Organization by Tripwire

Affordable Data Protection Without the Compromise by EMC

Breaking New Ground: The Evolution of Linux Clustering by Penguin

Preventing Insider Threat with Identity Compliance by Sailpoint

Backup Strategies Re-Examined In Wake of Natural Disasters by CDW

Use of this site is governed by our Terms of Use and Privacy Policy
Copyright © 1996-2007 Ziff Davis Enterprise Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.