IIS: High-end enterprise-level server for Windows NT platforms
Microsoft has quickly made its Internet Information Server (IIS) into one of the best Web servers on the 'net. While only available for Windows NT, IIS has transformed the NT platform into a viable solution for delivering Web-based applications. No longer do Web administrators have to turn to UNIX platforms for fast and reliable Web servers; IIS is just as powerful and much easier to set up and maintain than many of its UNIX-based competitors. IIS brings together the integration of its own Web services with the Windows NT core system and networking capabilities and the distributed application infrastructure of Microsoft's Transaction Server 2.0. IIS is only available for the Server edition of Windows NT 4.0, but it is a free download as part of the Windows NT 4.0 Option Pack.
IIS 4.0 offers a superb platform for building sophisticated internet and intranet applications. The latest release is vastly superior to previous versions and fixes most if not all of the weaknesses of prior offerings. Beyond the core HTTP 1.1 services are a variety of tools including a Transaction Server (for building distributed applications), Index Server (indexing of HTML pages and MS Office documents), Certificate Server (managing digital certificates), Site Analyst (site management and usage), Internet Connection Services for Microsoft Remote Access Service (creation of Virtual Private Networks), Mail Server, and NNTP News Server. Of these tools the NNTP and SMTP support are the least impressive. NNTP support only works for internal newsgroups; Usenet news feeds are unsupported. The SMTP support enables you to develop applications that send and receive messages; however, POP support is not provided.
IIS features include crash protection for reliability, transactional Active Server Pages, support for Java (accomplished with Microsoft's Java Virtual Machine), script debugging, support for multiple Web sites, integrated search engine capabilities (create custom search forms with Active Server Pages, ActiveX Data Objects, and SQL queries), content management and site analysis tools, automated management support, integrated message queuing, full standards compliance (including HTTP 1.1 for increased Internet performance), and an integrated certificate server (with special security enhancements for international banks using 128-bit encryption Server Gated Crypto technology). For Windows 95 and Windows NT Workstation users, the NT 4.0 Option Pack also includes Microsoft's Personal Web Server 4.0 (PWS). PWS is a desktop Web server that makes it easy to publish personal home pages, serve small Web sites, and share documents via a local intranet.
Site administration for IIS is performed using the Microsoft Management Console (MMC). Via this interface you can manage access and security restrictions at the site, directory and file level. If you are using virtual sites you can specify the estimated daily traffic for each site (which controls how much memory IIS allocates for each Web site) and limit the amount of server bandwidth a particular site can use. Most settings can also be configured remotely using Microsoft Internet Explorer. Active Server Page (ASP) improvements in the latest release of IIS include additional support for transaction processing and memory isolation. A common problem in earlier versions of IIS was that a single ASP application crash on a virtual site could bring down the entire Web Server and other sites on the same box. This problem has been virtually eliminated with v4.0 of IIS.
One of IIS's few downsides is the lack of support for UNIX platforms. Performance is also a little slower than in IIS 3.0, but this won't be noticeable with most sites. All the product documentation is available online, but it pales in comparison to O'Reilly's WebSite's superb documentation, making third-party documentation a likely necessity. Despite these minor drawbacks, the latest release of IIS far surpasses the competition and comes with an excellent price tag, making it the best choice for most NT-based Web sites.
Security Patch Notes: On February 3rd, Microsoft released a security patch that fixes the Microsoft IIS "Malformed FTP List Request" Vulnerability which could allow denial-of-service attacks against the server or, under certain conditions, could allow arbitrary code to be executed on the server. The FTP service in IIS has an unchecked buffer in a component that processes "list" commands. This results in the above vulnerability that poses a threat to safe operation.
Microsoft has also released a patch that fixes the Microsoft IIS "GET" Vulnerability which could allow denial-of-service attacks to be mounted against Web servers. The patch is available for versions 3.x and 4.x on both Intel and Alpha platforms. From Microsoft, "The vulnerability involves the HTTP GET method, which is used to obtain information from an IIS Web server. Specially-malformed GET requests can create a denial of service situation that consumes all server resources, causing a server to 'hang.'
"In some cases, the server can be put back into service by stopping and restarting IIS; in others, the server may need to be rebooted. This situation cannot happen accidentally. The malformed GET requests must be deliberately constructed and sent to the server. It is important to note that this vulnerability does not allow data on the server to be compromised, nor does it allow any privileges on it to be usurped."
Pros: Price (free download), Superior administration control, HTTP 1.1 support, Virtual Server support, Indexing tool also handles Microsoft Office documents, Excellent support for distributed application development, Excellent collection of server tools
Cons: No UNIX version, NNTP support doesn't support USENET feeds, SMTP support doesn't support POP mailboxes, Only runs on Server edition of Windows NT, Restricted to stripped-down Personal Web Server on Windows 95 or NT Workstation sites, Mediocre documentation, Complicated to configure, Slower than IIS 3.0
New: Updated versions of IIS, PWS, MQS (1.0), and Transaction Server (2.0)
Released for IIS - Microsoft has released a patch for its Internet Information Server to fix two potential security holes that allow users to gain access to previously assumed secure areas of an IIS machine.
Upgrade Meter: 5
Security Patch Released for IIS - eliminates a vulnerability in the SSL ISAPI filter that ships with IIS; if called by a multithreaded application under very specific, and fairly rare (according to MS), circumstances, a synchronization error in the filter could allow a single buffer of plain text to be transmitted back to the data's owner.
Upgrade Meter: 3
New: Three recently released security patches eliminate vulnerabilities that:
- Could cause a Web server to send the source code of .ASP and other files to a visiting user
(further details http://www.microsoft.com/security/bulletins/MS99-058faq.asp)
- Allow files on a Web server to be specified using an alternate representation, thus enabling access controls of some third-party applications to be bypassed
(further details http://www.microsoft.com/security/bulletins/MS99-061faq.asp)
- Enable an MCIS mail server to let a malicious user remotely cause services on the server to fail or cause arbitrary code to run on the server
(further details http://www.microsoft.com/security/bulletins/00/MS00-001faq.asp)
Various Security Patches Released (9/15/00)
MS00-057: Eliminates a security vulnerability where, under restricted conditions, a malicious user could gain additional permissions to certain types of files hosted on a Web server.
Upgrade Meter: 2
Version Reviewed: 4.0
Date of Review: 12/23/98
Last Updated: 9/15/00
Reviewed by: Allison/Stroud