The Active Network
Product: Windows Server 2003
Company: Microsoft
Website: http://www.microsoft.com
MSRP: See Pricing
Review By: Stewart Saathoff



 

Internet Information Server 6 (IIS)

Table Of Contents
1: Introduction
2: Pricing & System Requirements
3: New Features
4: Creation of ADAM
5: Active Directory
6: Security
7: IIS 6
8: Terminal Services
9: Conclusion

IIS 6.0 contains some of the best enhancements in Windows 2003 Server.  IIS has been completely redesigned, not only to accommodate Microsoft’s new security strategy but also to function as a true Web-based application server.  Let me elaborate…

WORKER PROCESS ISOLATION

Worker process isolation is a new feature of the version of IIS that comes with Windows 2003 Server.  It isolates each server application so that it cannot interfere with a different application.  IIS 5.0 worked with two processes: InetInfo.exe and DLLHost.exe.  IIS 6.0 instead uses HTTP.sys and the WWW Service Administration and Monitoring Component.  Neither of these components integrates directly with the web applications installed on the web server; they simply route and parse requests.  Processor affinity is another new feature of IIS 6.0 that provides another substantial increase in performance.  When implemented, processor affinity forces IIS 6.0 worker processes to run on specific microprocessors or CPUs.

 

The security included with IIS is another of the chief enhancements that you will find.  Here are, in my opinion, the top four reasons why IIS 6.0’s security is far superior to that of any other version of IIS:

  1. IIS is disabled by default.
  2. IIS can be disabled using a GPO.
  3. When installed, it is in a “locked down” state.
  4. When a 2000 Server is upgraded, IIS is disabled unless the IIS lockdown utility is run or a registry entry is explicitly entered.

Whenever we locked down a Windows 2000 Server, one of my company’s first steps was to remove IIS where it was unnecessary.  As you may remember, Windows 2000 installed IIS by default.  Any half-intelligent security analyst knows that the first thing you need to do to close security holes in a server is to remove the holes where possible, and plug the others.  So, if you need IIS, you now have no need to plug the holes; Microsoft has done it for you by default.  To give administrators further control over their computer networks, Microsoft has provided us with another convenient feature: we can now remove IIS using a Group Policy Object.  So, if there is no reason to have IIS on any boxes on your network, you can handle that in one location.

IIS also lets you integrate your system with Microsoft’s .Net Passport Service in two ways.  The first way is by tying your Active Directory user accounts to .Net Passports.  The second way is a tad bit more intriguing: you can also integrate your web applications, running on an IIS 6.0 Web Server, with the .Net Passport Authentication service.

Previously, authentication through IIS was mostly object-based.  What I mean is, if you wanted to secure individual pages within your site, you used NTFS permissions.  IIS 6.0 changes authorization to be controlled more through a gatekeeper based on the URL.  That is right, authorization is now task-based, not object-based.
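
A minimal model of a URL-based, task-based gate like the one described above, as an added example (not code from this review or from IIS). The scopes, tasks, role names and the strict canonicalisation rule are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed policy: URL scope -> task -> roles allowed to perform the task.
# Scope, task and role names are hypothetical.
POLICY = {
    "/":        {"view": {"anonymous", "staff", "auditor", "admin"}},
    "/reports": {"view": {"staff", "auditor"}, "edit": {"staff"}},
    "/admin":   {"view": {"admin"}, "edit": {"admin"}},
}
METHOD_TO_TASK = {"GET": "view", "HEAD": "view", "POST": "edit", "PUT": "edit"}


def canonical_path(raw_path):
    """Decode and normalise once, so the gate judges the path that is served."""
    decoded = unquote(raw_path).replace("\\", "/")
    if "%" in decoded or "\x00" in decoded:
        return None  # assumption: refuse double-encoded or NUL-bearing paths
    # Collapse "." and ".." segments; lower-case because Windows paths
    # are case-insensitive.
    return posixpath.normpath("/" + decoded.lstrip("/")).lower()


def find_scope(path):
    """Longest matching scope, compared on whole path segments."""
    matches = [s for s in POLICY
               if s == "/" or path == s or path.startswith(s + "/")]
    return max(matches, key=len)


def authorize(method, raw_path, roles):
    """Decide from the URL and the task alone; deny anything unrecognised."""
    task = METHOD_TO_TASK.get(method.upper())
    path = canonical_path(raw_path)
    if task is None or path is None:
        return False
    allowed = POLICY[find_scope(path)].get(task, set())
    return bool(allowed & set(roles))


if __name__ == "__main__":
    for method, path, roles in [
        ("GET", "/reports/q3.html", {"auditor"}),
        ("POST", "/reports/q3.html", {"auditor"}),
        ("GET", "/reports/%2e%2e/Admin/users", {"auditor"}),
    ]:
        print(method, path, sorted(roles), "->", authorize(method, path, roles))
```

Because the decision is keyed on the URL rather than on a file's ACL, the gate is only as reliable as its path canonicalisation, which is why the path is normalised before the scope lookup.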

 
