Security

Support and Security Features in IIS 7.0

Thanks to its small attack surface, Windows Server 2008 has fewer security vulnerabilities than Apache. Simple management and set-up features also help keep the IIS 7.0 Web server running smoothly and safely, keeping your data and applications safe.

By Michael Pastore

Web application developers who make security a priority do all they can to make sure the applications they write and the databases they employ are secure and keep both data and users safe. There's one more part of the equation that needs to be considered: a secure Web server.

Earlier versions of Windows Server were at a disadvantage when it came to providing a secure environment because the plethora of features made for a large attack surface. In Windows Server 2008, Microsoft addressed this issue by introducing Server Roles that allow administrators to keep their server installation to a minimum.

Microsoft used a similar approach in IIS 7.0, the Web server included in Windows Server 2008. IIS 7.0 sports a modular architecture that lets administrators choose the options they need to get the job done without extras that could introduce security and performance problems. Installing only the modules the administrator needs minimizes the attack footprint and reduces memory usage.

IIS 7.0 Security Enhancements

The default configuration for IIS 7.0 gives administrators the most secure base from which to start. Modules and features can be added from there. The default settings have only the modules needed to run IIS 7.0 as a static image server.

All worker processes in IIS 7.0 have a unique identity and a sandboxed configuration by default. Automatic application pool isolation gives each Web site on a server its own memory space with its own credentials, protecting each site from failures, security breaches, or potentially dangerous applications elsewhere on the server.

IIS 7.0 also includes an FTP Publishing Service that gives administrators an integrated management console. Because it is deeply integrated into Windows Server 2008 and IIS 7.0, administrators can use scripting tools like AppCmd and the IIS PowerShell Provider to manage their FTP configurations.

Integration with IIS 7.0 Manager enables a more secure FTP experience for users of FTP for IIS 7.0. You no longer have to create Windows user accounts on your server to enable FTP publishing. Authentication can be done using IIS Manager user accounts and .NET membership. Users can reduce their attack surface because FTP for IIS 7.0 allows you to enable FTP for an existing Web site, rather than creating separate FTP and Web sites.

WebDAV

A new WebDAV Extension for IIS 7.0 is written specifically for Windows Server 2008. For Web authors and content creators, the WebDAV extension lets them publish content more easily and securely than in previous versions. For Web administrators and hosts, the extension means improved integration, authorization, and configuration features.

Like FTP, WebDAV for IIS 7.0 integrates with IIS 7.0 Manager for secure publishing of content using HTTP over SSL. Unlike IIS 6.0, which enabled WebDAV at the server level through a Web Service Extension, WebDAV for IIS 7.0 can be enabled at the site level.

The per-URL authoring rules supported in WebDAV 7.0 let administrators specify custom WebDAV security settings for each specific URL and separate settings for WebDAV authoring and normal HTTP requests.

Access Protection

Earlier versions of IIS required permissions to be set at the content level in the file system. In IIS 7.0, URL authorization rules are stored in the application's web.config file, which allows the rules to follow the content should it be moved to a different server.

The Request Filtering module in IIS 7.0 helps administrators create a more secure Web server with multiple filtering options to prevent malicious URLs from being processed. URL acceptance policies can be implemented both globally and on a per-URL basis. This type of granular control allows administrators to set rules that define specific URL segments that should not be served.
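
An added example, not part of the original article: a web.config that combines the URL authorization rules and the global and per-URL request filtering described above. The path, role name, segments and limits are hypothetical, and it assumes the URL Authorization and Request Filtering modules are installed and their sections are not locked at the server level.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config at the root of a site (names below are hypothetical). -->
<configuration>
  <system.webServer>
    <security>
      <!-- Site-wide request filtering: applies to every URL under this web.config. -->
      <requestFiltering allowDoubleEscaping="false">
        <!-- Reject oversized URLs and query strings (values are in bytes). -->
        <requestLimits maxUrl="2048" maxQueryString="1024" />
        <!-- URL segments that are never served, even if the files exist. -->
        <hiddenSegments>
          <add segment="backup" />
          <add segment="private" />
        </hiddenSegments>
        <!-- Refuse any URL containing these character sequences. -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
        <!-- Refuse requests for file types the site should never hand out. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Per-URL rules: only /admin gets the stricter settings below. -->
  <location path="admin">
    <system.webServer>
      <security>
        <!-- URL authorization travels with the content because it lives in web.config. -->
        <authorization>
          <!-- Drop the inherited "allow everyone" rule, then admit one role only. -->
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="?" />
          <add accessType="Allow" roles="SiteAdmins" />
        </authorization>
        <requestFiltering>
          <!-- Under /admin, only the listed HTTP verbs are accepted. -->
          <verbs allowUnlisted="false">
            <add verb="GET" allowed="true" />
            <add verb="POST" allowed="true" />
          </verbs>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
```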

The URL Scan 3.0 security tool extension lets administrators block specific HTTP requests so potentially harmful requests can't reach applications on the server. It screens all incoming requests according to rules set by the administrator.

Using URL Rewriter for IIS 7.0, administrators can dynamically modify URLs based on rules defined by the site administrator. Thanks to rule templates, rewrite maps and other functionality integrated into IIS Manager, administrators can set up rules to define URL rewriting behavior based on HTTP headers and server variables.

As the number of Web applications and threats on the Web increases, the new security features in IIS 7.0 can help Web administrators and content creators keep their data safe. Building on the overall security enhancements made to Windows Server 2008, IIS 7.0 security is deeply integrated and simplified.

Michael Pastore is the Executive Editor, Special Projects at Internet.com.