August 31st, 2002, 05:37 AM
Microsoft's IIS6 lockdown
It must really hurt developers at Microsoft to design IIS6 the way they've been designing it
It's been basic Microsoft philosophy forever to make products as available, as scriptable, and as powerful as possible. Things have changed. After two years of assaults from security consultants and Internet vandals, Microsoft has decided that discretion--when it comes to an Internet service--is the better part of valor. Now they have to sit and think of ways to prevent users from accessing features.
Since so many companies running Windows 2000 and NT4 had unknowingly installed IIS--until they were victimized--Microsoft has wisely seen fit to alter the default configuration for IIS6. After you install Windows .Net Server, IIS6 may or may not even be installed, depending on your license. Once it's installed, it is not automatically enabled. Once enabled, its default configuration is a locked-down state that can't do anything really useful. You must enable the features. Beyond that, there are new filtering features borrowed from firewalls, such as the ability to filter out potential attacking requests before they are processed. All this--in combination with the new Web Server Edition, and if Microsoft's performance claims for IIS6 are true--could make IIS6 very popular in hosting environments and other pure Web applications.
Ha, you say, everyone knows IIS is a bad security joke. But in fact, I think that in the last year or so the absence of any significant new attacks on IIS is partly a result of new tools and patches available from Microsoft. It's easier now to make IIS systems secure, and IIS6 extends that trend. Even though new vulnerabilities have been reported recently, many of these are already patched, and there has been a healthy dose of exaggeration related to some of the vulnerabilities.