Microsoft’s IIS version 5 continues to improve on an already great Web server. This version, which comes exclusively as part of the Windows 2000 Server operating system, contains many new features along with performance and reliability enhancements. Notable improvements include better and clearly documented security policies, support for the new WebDAV publishing standards, and faster restarts of both Web and FTP services.
IIS v5.0 is good as both a first-time Web server for those familiar and comfortable with Windows operating systems, and a high-end server for hosting providers and large corporate installations. It handles the basics well and is better integrated in Windows than previous versions. IIS v5.0 also comes with performance and feature enhancements that will be attractive for mission-critical tasks.
Once an enterprise has upgraded its NT Server to Windows 2000, the basic IIS v5.0 software will take about 10 minutes to install and configure. When we installed it, most of that time was spent copying about 30 MB of files. Unlike previous versions, organizations do not have to install service packs or reboot the machine after installation — two welcome improvements. Another nicety is that IIS v5.0 will be installed by default when upgrading from NT to Windows 2000, if a previous version of IIS is found on the machine.
The ideal computer to run IIS on is at least a 200 MHz Pentium with 128 MB of RAM. Organizations should plan on doubling the RAM and CPU speed if they intend to run Advanced Server’s clustering, SQL or Transaction services on the same machine as the Web server. As with previous versions, IIS runs only on server editions of Windows 2000: Organizations planning to use Windows 2000 Professional should get the stripped-down Peer Web Services version.
Speaking of clustering, Microsoft has improved the configuration and setup to enable multiple machines to share the load and deliver more reliable Web services. However, it is still far from simple to set up. Enterprises must carefully review the documentation and copy various settings files using command line utilities supplied with Windows 2000 to set up a cluster. Such clusters are supported only by Advanced Server versions.
Version 4 of IIS saw the beginnings of Microsoft’s Management Console to handle the configuration and setup of IIS. This has been extended to a variety of other non-Web services in Windows 2000 and renamed Computer Management, although for the most part, the screens will be familiar. New to IIS v5.0 are performance, application protection, and tuning enhancements. However, the documentation is inadequate to properly set up these new features without a lot of trial and error.
Microsoft has added a few new wizards to help simplify some common tasks. Three notable wizards are the Permissions Wizard (to synchronize and align Web and NTFS security settings), the Web Server Certificate Wizard (to obtain and install server certificates), and the CTL Wizard (to create and modify certificate trust lists). To get an SSL certificate, for example, a user must go to the Directory Security property sheet, then go to Secure Communications | Server Certificates. Unfortunately, this is not as easy as the equivalent operation on O’Reilly’s WebSite Web server.
Version 5 has various security enhancements as well. Microsoft has consolidated security tips in its documentation under Administration | Server Admin | Security | IIS Security Checklist. Tips include restricting guest accounts and setting appropriate file permissions. Setting up client-side certificates is still far too complex and poorly documented, however.
Of particular interest in IIS v5.0 is expanded support for several emerging standards including: Fortezza (a new U.S. government security standard), Transport Layer security using SSL v3.0, Digest Authentication (a method of hashing authentication information introduced in IE v5.0), and replacing NT LAN Manager authentication with the stronger Kerberos v5.0 authentication protocols used in Windows 2000.
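To show what the Digest Authentication mentioned above actually hashes, here is an added Python example (not code from the review or from IIS) that computes the RFC 2617 digest response for qop=auth on the client side and verifies it on the server side; it assumes the standard RFC 2617 MD5 construction and uses the worked values from RFC 2617 section 3.5 as constructed input.

```python
import hashlib
import hmac


def _md5_hex(*parts: str) -> str:
    """MD5 of the colon-joined parts, hex-encoded (RFC 2617 specifies MD5)."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); a server can store only this."""
    return _md5_hex(username, realm, password)


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2).

    The password itself never crosses the wire, unlike Basic authentication.
    """
    h2 = _md5_hex(method, uri)  # HA2 = MD5(method:uri)
    return _md5_hex(h1, nonce, nc, cnonce, qop, h2)


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, presented: str, qop: str = "auth") -> bool:
    """Server-side check: recompute from stored HA1 and compare in constant time.

    A real server must also confirm it issued `nonce` and that `nc` has not been
    seen before for that nonce, otherwise a captured response can be replayed.
    """
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, presented)


# Constructed input: the worked example from RFC 2617 section 3.5.
RFC_EXAMPLE = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "password": "Circle Of Life", "method": "GET", "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "nc": "00000001",
    "cnonce": "0a4f113b",
}


def rfc_example_response() -> str:
    """Digest response a client would send for the RFC 2617 example."""
    e = RFC_EXAMPLE
    h1 = ha1(e["username"], e["realm"], e["password"])
    return digest_response(h1, e["method"], e["uri"], e["nonce"], e["nc"], e["cnonce"])


if __name__ == "__main__":
    print(rfc_example_response())
```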
One of the more significant enhancements in IIS v5.0 is Web-based Distributed Authoring and Versioning (WebDAV). WebDAV is an emerging standard designed to simplify the construction of intranets and enable multiple users to publish documents to a common Web server. This feature allows users to share Web directories as if they were standard Windows file shares, using Office 2000 and IE v5 tools running on Windows 98, NT and Windows 2000. WebDAV-enabled folders appear as “Web Folders” when users open files in Office 2000 from a remote Web site. File locking is supported, so two users cannot edit the same file concurrently. More information can be found at www.webdav.org, along with a list of open source and other commercial products supporting this standard.
WebDAV worked flawlessly for us and was very easy to set up. Moving files between a Windows 98 client and the Web server took a second or two longer over a LAN than when using standard network file shares, a time difference almost not worth mentioning. WebDAV’s real benefit, however, is its support of a dispersed team of workers who want to be able to share files across the Internet but do not want to e-mail attachments back and forth.
There are a few problems worth mentioning. Microsoft’s FrontPage Server Extensions are not supported when the Web server is part of a cluster. The Reliable Restart feature is installed by default and will automatically restart the Web and FTP services if the Inetinfo.exe process terminates abnormally, or if Windows Task Manager or Kill.exe is used to stop Internet services. Users can turn this feature off if it is an issue, but we believe it is a good idea to leave it alone, and it is a benefit if a Web server must be restarted. One default setting users will want to change is the preference for local users over network performance. To change this, go to Settings | Network and Dial-up Connections | Local Area Connection | File and Printer Sharing for Microsoft Networks | Server Optimization, then select “Maximize data throughput for network applications.” Finally, the remote Web-based administration is still somewhat lacking: Organizations are better off running the Computer Management utility from either a local machine or another Windows 2000 Server on their local area network to configure servers.
Overall, Microsoft has made some significant improvements. Enterprises running version 4.0 of IIS should carefully consider upgrading to version 5.0.
Pros:
- Indexing, performance and security enhancements
- Well-integrated server administration tools
- Easy to configure
- WebDAV support makes for easier collaborative publishing

Cons:
- No Unix version
- Documentation lacking on newest features
- Only runs on Server edition of Windows 2000
Security Patches Released 9/15/2000
MS00-057: Eliminates a security vulnerability where, under restricted conditions, a malicious user could gain additional permissions to certain types of files hosted on a Web server.
Upgrade Meter: 2
Under certain conditions, a Web server could be manipulated to send the source code of certain types of Web files to a visiting user; the problem is solved by installing Windows 2000 Service Pack 1.
Upgrade Meter: 2
What’s new in 5.1:
- Shared sockets are used flexibly among all of the running sites to reduce resource consumption.
- Socket pooling results in IIS 5.1 listening on all IP addresses.
- Modified ADSI properties.
Upgrade Meter: 2
Security Patches Released 4/10/2002
Fixed 10 new vulnerabilities, the most serious of which could enable code of an attacker’s choice to be run on a server.
Fixes a buffer overrun vulnerability involving the operation of the chunked encoding transfer mechanism via Active Server Pages in IIS 4.0 and 5.0, and a similar vulnerability that existed in the ASP data transfer mechanism.
Fixes a buffer overrun in how IIS 4.0, 5.0, and 5.1 process HTTP header information in certain cases.
Version Reviewed: 5.0