Exploring Windows 2003 Security: IIS 6.0

By Marcin Policht (Send Email)
Posted Dec 31, 2003


There is probably no other component of Windows Server 2003 that better reflects Microsoft's dedication to its Secure Computing initiative than Internet Information Services 6.0. The latest version of the Web server constitutes significant architectural change from its predecessors, offering enhanced stability, security, and functionality. We conclude our Windows Server 2003 overview with a discussion of IIS 6.0 and its role in keeping the operating system safe and secure.

This article provides an overview of the new architecture and its implications on security and stability.

New Architecture

At the core of IIS 6.0 is the kernel mode driver HTTP.SYS. Its primary function is listening for, queuing, and managing incoming HTTP requests; however, it is also responsible for a number of other tasks, such as bandwidth throttling, logging, and caching. This not only speeds up the handling of all these features (since switching between user and kernel modes is no longer necessary, as it was in the previous versions of IIS), but also increases resilience and security. Since the core Web server functionality resides in the kernel component, which is part of the operating system code (and hence controlled strictly by Microsoft), it is not affected by Web applications running in user mode. This is different from older implementations of IIS, where the core Web server process, INETINFO.EXE, was running in user mode, along with Web application code and ISAPI filters.

Also new in this version of the Web server is the ability to configure applications to run in the dedicated application mode. This means one or more Web applications can be grouped together into so-called pools and run in isolation from others, assigned to other Web application pools. Prior to IIS 6.0, it was possible to run applications in either one shared process space or individually, which made applications more vulnerable to the impact of others (in shared configuration) or resulted in inefficient use of resources (when running each application individually).

Each application pool has a separate queue in which HTTP requests are placed (depending on their destination). These requests are subsequently handled by worker processes dedicated to each pool. The number of worker processes is configurable on a per-pool level (running a Web application with multiple worker threads is known as Web garden). One benefit of this is that it runs in the security context of a non-privileged account (Network Service by default). Hence, it is less likely to affect other Web applications or HTTP.SYS itself (especially since each application pool has its own worker process or processes). In addition, they can be easily managed in terms of recycling, performance, health, and identity (all of these characteristics are controlled by corresponding tabs on the Web Application Pool Properties dialog box), without affecting other application pools. This way, users have better control over performance, stability, or security problems resulting from badly designed Web applications.

With this better understanding of how IIS 6.0 has been designed, let's take a closer look at the resulting security-related changes:

  • Secure by default
  • New administration features
  • New authentication methods
  • Secure Sockets Layer 3.0
  • Ability to choose a cryptographic service provider
  • ASP.NET as the primary development platform
  • URL authorization

Secure by Default

This is one of new slogans describing Microsoft's design strategy applied to Windows Server 2003 and IIS 6.0 in particular. Unlike previous versions of operating systems, which favored ease of use and out-of-the-box functionality over security, the new version of the Web server requires the admin to do some extra work to get all the features needed.

To begin with, the IIS 6.0 component is not installed by default (with the obvious exception of Windows 2003 Web Server Edition). However, adding it is as easy as in the past, with the Add/Remove Programs Control Panel applet (IIS is listed as subcategory under Application Server item). Upgrade behavior has also been modified. World Wide Web Publishing service is disabled after upgrade from Windows 2000, as long as the IIS is configured with default settings (which indicates typically that installation was unintentional).

The default installation allows only static Web pages to be served. If the goal is to provide other functionality, you must install and enable it manually. This includes features related to serving dynamic Web content, such as Active Server Pages (both ASP and ASP.NET) and Server Side Includes, as well as these simplifying development and Web server management, such as FrontPage Server extensions and Web Distributed Authoring and Versioning (WebDAV). In addition, by default, all unknown ISAPI and CGI extensions are prohibited. To modify this setting, use the Web Services Extensions node in the IIS Managers MMC snap-in.

Page 1 of 2


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.