Jan. 10, 2011, 5:21 a.m.
posted by jin
Internet Information Services
Internet Information Services (IIS) is a fully integrated Web, SMTP, NNTP, and FTP server. Since IIS is integrated at the operating system level, it is difficult to discuss Windows Server 2003 without major reference to it.
The version of IIS (5.0) shipped with Windows 2000 has been the focus of numerous security attacks. The resulting negative publicity together with customer vulnerability has led Microsoft to refocus its attention to IIS. After all, if the .NET Framework is to be embraced, this underlying Internet-directed server technology must be rock solid. The Windows Server 2003 version, IIS 6.0, includes many functional enhancements and stricter security features. An example is the new Web server Security Lockdown Wizard. Although IIS 6.0 is shipped with default settings, it is important to note that security functionality can be adjusted using this wizard as part of the IIS configuration routines. Of course, it would be naïve to assert that any new release of IIS will be impervious to the determined efforts of hackers and crackers. Nevertheless, breaches of IIS 6.0 will be significantly more difficult. In addition, the ability to rapidly apply patches has been improved.
In an attempt to tighten IIS security, Windows Server 2003 has instituted several global precautionary settings. Several areas of IIS have been hardened by reducing the default functionality of the Web server. Some of the more prominent changes are:
IIS is not automatically installed by default on Windows Server 2003 and must be explicitly installed by the administrator.
By default, IIS installs only with the ability to serve static pages; Active Server Pages (ASP) and ASP.NET must be explicitly enabled.
ISAPI extensions and CGIs are disabled by default and must be explicitly enabled through the Web Service Extensions section in IIS Manager.
Application pools run under a lowered-privilege identity that is a member of the IIS_WPG group.
The Web server core runs under an identity with lowered privileges.
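The following audit script is an added example, not part of the original post or of IIS itself. It checks two of the defaults listed above, assuming the IIS 6 metabase conventions as I recall them: WebSvcExtRestrictionList entries read "Access,Path[,Deletable,GroupID,Description]" with Access 0 = prohibited and 1 = allowed, and AppPoolIdentityType is 0 = LocalSystem, 1 = LocalService, 2 = NetworkService, 3 = specific user; the sample values are constructed.

```python
# Assumed IIS 6 AppPoolIdentityType codes (see lead-in).
IDENTITY_NAMES = {0: "LocalSystem", 1: "LocalService",
                  2: "NetworkService", 3: "SpecificUser"}

def parse_restriction(entry):
    """Return (allowed, path, description) from one WebSvcExtRestrictionList
    entry in the assumed "Access,Path[,Deletable,GroupID,Description]" form."""
    fields = entry.split(",")
    allowed = fields[0].strip() == "1"
    path = fields[1].strip()
    desc = fields[4].strip() if len(fields) > 4 else path
    return allowed, path, desc

def audit_extensions(entries):
    """List every enabled extension. An allowed wildcard entry ('*.dll' or
    '*.exe') re-enables all unknown ISAPI extensions or CGIs, which undoes
    the disabled-by-default posture, so it is rated HIGH."""
    findings = []
    for entry in entries:
        allowed, path, desc = parse_restriction(entry)
        if not allowed:
            continue
        severity = "HIGH" if path.startswith("*.") else "INFO"
        findings.append((severity, f"enabled: {desc} ({path})"))
    return findings

def audit_app_pools(pools):
    """pools maps app pool name -> AppPoolIdentityType. LocalSystem loses the
    lowered-privilege default; a specific user should be checked for IIS_WPG."""
    findings = []
    for name, ident in pools.items():
        label = IDENTITY_NAMES.get(ident, "unknown")
        if ident == 0:
            findings.append(("HIGH", f"app pool {name} runs as {label}"))
        elif ident == 3:
            findings.append(("WARN", f"app pool {name} runs as a specific "
                                     "user; verify it is in IIS_WPG"))
    return findings

# Constructed sample resembling a lightly modified IIS 6 install.
SAMPLE_RESTRICTIONS = [
    "0,*.dll",
    "1,*.exe",  # all unknown CGIs allowed: the setting to catch
    "1,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,0,ASP,Active Server Pages",
    "0,C:\\WINDOWS\\system32\\inetsrv\\httpodbc.dll,0,HTTPODBC,Internet Data Connector",
]
SAMPLE_POOLS = {"DefaultAppPool": 2, "LegacyPool": 0}

if __name__ == "__main__":
    for sev, msg in audit_extensions(SAMPLE_RESTRICTIONS) + audit_app_pools(SAMPLE_POOLS):
        print(sev, msg)
```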
Despite these standard default restrictions and other enhancements, IIS will probably remain a primary target for the hacker community. Therefore, it is critical that administrators monitor security alerts from Microsoft and apply appropriate patches first to nonproduction machines. Once the patch has been confirmed stable, it should be promptly applied to production IIS servers.
Many of IIS's technological foundations are covered in other chapters, including key integration with the Active Directory, security, and remote networking. For that reason, this chapter centers on functional aspects of IIS, specifically,
Concepts and features
The Simple Mail Transfer Protocol server
The Network News Transfer Protocol server
The File Transfer Protocol server