Slashdot Mirror
Microsoft IIS v7 Details Emerge
daria42 writes "According to several .NET and Longhorn bloggers, the next version of Microsoft's IIS web server will integrate ASP.NET and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack. In addition, the software's admin tool has been completely revamped, and will allow Web-based remote administration utilising SSL."
In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
Is it just me, or doesn't that sound contradictory. Opening up your application, let alone your OS for remote hacking. Also, why would Microsoft even blink at enabling remote monitoring/logging of the websites your visit for government agencies? Tell me that that isn't going to be exploited...
D.O.U.O.S.V.A.V.V.M.
This is what apache did with modules ages ago and webmin did years ago aswell. Although all of it seems to be good what MS is doing, it is late with a few years again.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
If they do this wrong, this'll be just another less-secure-than-Apache server, even with separated components.
This SSL security better be tough, lest they receive extra damage to their reputation.
You can hold down the "B" button for continuous firing.
Microsoft putting cool features into Longhorn!
Next Slashdot Headline: Microsoft Takes IIS v7 Out of Longhorn
Dashboard Widgets
"*nix had X feature back in Y date!"
Wah, SHA1 Broken! SSL!! WAAA, PANIC!!!
:)
just for all you tinfoilhats out there
Even if Microsoft does release the most secure web server ever, they will still have a huge problem to address: how to convince customers to move off of IIS 5, which has been exploited many times. Until that happens, all the new features do them no good at all.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
I don't know I think they should improve the multimedia console one. Webbased admin tool might just end up full of holes anyways.
I also noticed the upcoming virtual server 2005 SP1 is using a webbased admin tool. Why something like a virtual machine needs IIS to run to mangage is a little baffling but there seems to be someone at microsoft who always comes up with these terrible ideas.
did you forget to take your meds?
Linked from the article: Guess he's using it already. ;)
Is it just me, or is the name "IIS web server" really lame? "Internet Information Server web server..." Yes, I know, Microsoft doesn't append "web server" to IIS, but if you have to tack on "web server" to remind people what the heck it is, then why not call it "Microsoft" web server instead of the nine-syllable babble-phrase? Sort of reminds me of PL/SQL, which when fully expanded is "Procedural Language/Structured Query Language".
Remain calm! All is well!
I know it is against "not invented here", but why don't they take a decent BSD-licensed web-server, and then "embrace and extend" the thing to do their proprietary extensions?
If they've modularized their stuff, this should be possible. They've done this already with TCP/IP, Kerberos and so on.
The overall product, to the extent that it benefitted from the work of free BSD-licensed improvements, would be good for everybody.
http://www.thebricktestament.com/the_law/when_to_
Told y.. No wait, okay.. what about something like Chill!soft ASP/Apache?
Do you have to upgrade to Windows 2003?
Join the Free Software Foundation
sorry but anyone who can't get it to work probably should go back to school and learn how to administrate a real server.
did you forget to take your meds?
The only thing we long for is that our legacy ASP will continue working on IIS 6.0 as it did on IIS 5.x for years!!!
Uh, ASP.NET has better performance *and* a better security model. If you don't care about security you can run a non-SP1 box. What's the big deal?
And if you would bother to share with us some details about your problems we could perhaps get an idea if you have any clue about what you are doing or not and if the problem is with IIS or somewhere else...
Are they going to fix their totally, state-of-the-brain-damaged-art configuration interface? I was made a couple of times to try to fix IIS problems and damn, is that one misguided abomination if I ever seen one. I dunno - maybe they should make it - you know - well commented plain text configuration file? Or even XML? I heard this works for others ;) But all in all - ASP.Net aside (I have not yet encountered that closely enough, knocking on the wood) is there a reason to use IIS at all? Apache for Win32 works perfectly well. And the fact that IIS runs ASP (classic) is IMO a good enough reason to _disallow_ IIS usage anywhere you have authority to. (In my repeated experience a semi-intelligent ASP programmer with zero PHP experience is made 3-10 times more productive within a week of PHP exposure).
might you mean "administer?"
We did actually. Did it all the way... to MS. They handle the case right now, and, frankly... they don't have a clue what went wrong with ASP engine! I bet they just can't handle the stream of support cases they got after 2003 SP1
Umm, you could do that with IIS 4.0. Is this just marketing the same thing and labeling it as new?
Will they fix the backup and restore features so that you can transfer sites server to server without having to configure the whole damn thing?
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
I don't know about you...but being an ex-ASP developer, I always found IIS to be rather bloated and testy. Even when I started using .NET and IIS 6 on a 2003 server...it still felt like bloatware! Give me an Apache server any day! :)
Jeff Whitfield jeffwhitfield@gmail.com "I can learn to resist anything but temptation..."
And yet you still won't share details of the problem with this forum. We run a massive commercial ASP/ASP.Net web site on IIS6 with no problems whatsoever. I call BS.
They handle the case right now, and, frankly... they don't have a clue what went wrong with ASP engine!
As others have said, there are countless people who are running ASP sites on IIS. The fact that you encountered a quirk in an outdated hosting option is hardly surprizing. Most certainly your problem relates to some of the securing down of COM.
Microsoft Longhorn: A False Hope. (I probably the only one who understood that, but it is to do with the let downs that the first 2 new Star Wars movies were, and the way that the titles of these movies where layed out. That or it just wasn't funny.)
" In addition, the software's admin tool has been completely revamped, and will allow Web-based remote administration utilising SSL."
So basically like plesk, welcome to the 00's.
My LAMP setup shines brightly enough for me.
Meh.
This is what apache did with modules ages ago and webmin did years ago aswell. Although all of it seems to be good what MS is doing, it is late with a few years again.
IIS is module-based (ISAPI) since the beginning.
IIS != IE.
and how much do they want for it? And more importantly, how does it compare to my Apache/PHP setup?
Bear in mind this is for a home computer, not a fortune 400 company.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".
[reply] might you mean "administer?"
No, no, you see where he works they administrate their web servers as part of their effort to strategify maintenential servifaction. His suggestion that the parent educatify himself was within reasonification.
Hands up those of you who think this will be nice and secure, and won't have any flaws. Hands up, all of you - cmon, I can't see any hands up.
The best thing they could do is run it on a different port, so that (with correct firewalling) it would only be accessible from the company admin ranges.
Get your own free personal location tracker
Too bad I(nternet)E(xplorer) 7 has nothing to do (except an unfortunate version number "collision") with I(nternet)I(nformation)S(server) 7.
IIS7 will do nothing for you in terms of webdesign...
Too bad I(nternet)E(xplorer) 7 has nothing to do (except an unfortunate version number "collision") with I(nternet)I(nformation)S(server) 7.
So, they changed the "You need to install IE to view this site" to say Firefox?
This is what apache did with modules ages ago and webmin did years ago as well.
.htaccess kinds of files (the IIS configuration is already a big XML file, but it's not in your web directories), the use of a new service control manager, and a better admin console. Until more details come out, it really isn't that much of a schism.
Remember that this information is coming from bloggers. The barrier to entry to blogging about something is that you have the wherewithall to setup an account on a blogging host.
IIS has been module based since day one - ASP is nothing more than an ISAPI module. Logging can be configured as external modules. Filters are external modules.
I read a more detailed account and it really sounds like the big change is
No mod points, but this is exactly what I was thinking. This submission is much ado about nothing at all.
Anyone else noticed that the Hack IIS6 website from the previous slashdot article has gone down?
Microsoft's only plan is to sell the additional modules. IIS has been free for wayyy too long. You will get the 'basic' IIS for free, and then down the road, you will buy the SSL module, or buy the PHP module..
All of you are absolutely right. I misread the blob AND article. I'm truly shamed. I guess it makes me a designer that I could read an article like that and not notice the difference.
C# and the CLR (which .NET and mono run on) are open specs. JBoss, unless I'm mistaken, has an explicit exemption from Sun. I don't think there's any question that Apache using mono (which is backed by Novell) is legal....Just a thought.
You do realize Microsoft Europe funded development of the original EMWACS server, the predecessor to Apache, right?
Yes, they are learning lessons from something they funded.
The only thing we long for is that our legacy ASP will continue working on IIS 6.0 as it did on IIS 5.x for years!!!
I take it you are complainig because updates to your web server caused old applications to break? If you coded webapps in older versions of ASP you must be prepared for the fact that sooner or later Microsoft will drop legacy support for old features or change default settings and they are not alone in this. There have been changes in PHP for example that have broken people's code. Take for example the time the PHP team changed the value of register_globals from ON to OFF to increase security. Careless admins who didn't read the PHP 4.2 change-list before upgrading were in for a surprise when several dozen websites suddenly had problems because their developers had written their code without taking into account that this setting might be changed. Should the PHP team have kept the less secure register_globals=ON setting for legacy reasons? I don't think so, it is part and pacel of a developers job to deal with these issues and it is up to the admin to inform him self about what changed need to be made to old web-applications before rushing in and making an upgrade.
Only to idiots, are orders laws.
-- Henning von Tresckow
.. that they're making it more like Caudium.
Modular. Check (Caudium is *way* more modular than Apache.)
Web-based admin via SSL. Check
Integrated language for dynamic pages. Check.
Microsoft is right now getting sued by several companies for rights on some of those features they are announcing. How can they possibly announce those features as parts of their product while they are getting sued for them? I don't get it. Is Microsoft that overly gutsy or stupid or both?
Caching (of files, of DB calls, of anything) can easily be implemented via PEAR. OOP does exist, and I use full classes ALL THE TIME.
If you have coded PHP for a long time, you obviously where stuck on PHP3 and have not checked out any recent features. PHP has become much more robust and I'm willing to bet I can code a site in PHP at least as fast as you can code one in ASP.NET. Not trying to be flame bait and I'm not going to get in a flame war, but if you are trying to say "Yay ASP.NET, PHP sucks because it's not OOP and is slower to code for" you are mistaken. And yes, I have coded a web application in C# so I do have a reference point.
Cool. Drives adoption of alternatives...
What? How is Apache::ASP a solution for MS ASP? I have never met a person who codes ASP in Perl.
If Microsoft would only play nice with others. Yes, they are making better products now, but they are still using FUD and monopoly based tactics to shut down the competition or use their influence in government to make the competition illegal.
I honestly don't see WHY they need to develop a web administration tool. You can already use the MMC snap-in over a local network, or over a VPN tunnel, and terminal services duplicates practically everything you can do locally, which could be run over a VPN tunnel as well.
Oh, and the aspnet_isapi.dll extension (or the derivative of it) is mapped to every type of file in IIS, so your HttpHandlers/HttpModules can be used (it also means that forms authentication, as an example, would work for static content such as images as well. Right now unless you configure it otherwise the ASP.NET module doesn't handle that, so ASP.NET security and functions are irrelevant).
For better or for worse, Microsoft has definatly become a better company because of open source.
Whenever someone misspells definitely as "definatly", I often read it as defiantly. Sometimes, depending on the context, it's an even more appropriate word.
-b
myselfmusic
Which, somehow, will still be easily hackable rendering the other security improvments useless because every script kiddie and their sister will be able to get remote admin access.
Details:
- We have a simple ASP application, JS - server and client (not that the client matters)
- ASP pages call VB COM in COM+ that, in turn call SQL server and format the info out as HTML tables
I haven't seen more simple app than this one.
It never fails on IIS 5 / Windows 2000.
On Windows 2003 we had a problem admitted and fixed by MS in SP1 Beta. Surprise: everything worked well with SP1 Beta!! Once we installed SP1 Release - every now and then the ASP stops responding. Not even the dumbest Response.Write("kuku"). HTML are served fine.
I can provide more details if needed. Thanks for looking.
OK, this is pretty random. We had a JScript ASP app that was leaking memory. Turns out the programmer was destroying COM objects with a VBish statement:
myCOMObj = null;
When in fact the correct syntax is:
delete myCOMObj;
I've also seen COM+ apps hang because the object lifecycle wasn't handled correctly. Sorry if this seems trivial. If there's any more complicated problems with COM+, I'd make the $300 phone call rather than kvetch on message boards.
Whenever I hear the word 'Innovation', I reach for my pistol.
btw, why didn't someone came up yet with the idea to make a putty MMC snap-in. I imagine something on the lines of the tsmmc.msc from the windows server 2003 admin pack which is a very handy tool if you have some more servers to work on (basically a tree with the servers on the left side and the RDP-view on the right, switching between servers by clicking on the entries on the left side)
SEO Test: TIGI und SEBASTIAN - Online Shop - V
http://www.studiodeluxe.net/pws/index.htm
how is babby formed?
There are many things that IIS has done better than Apache. Take user file permissions for example. On Apache a user can authenticate against, say a passwd file, but Apache still ignores the file permissions of the file system. On IIS, when you authenticate to the server the server impersonates your user account when it accesses files and so the file permissions (ACLs) still apply as they would when accessing files on the OS normally.
.htaccess helps).
Another advantage of IIS is it's ability to isolate applications running on it.
If an application crashes on IIS, it dies within its own isolated process and doesn't affect other applications or the core. Apache does this to an extent and will usually at least keep the core running if a module crashes, but there are still instances where it may need a restart. This is also the same reason Apache needs a restart to change configuration settings while IIS does not (although
Oh, so they'll integrate MSIE 7, Windows Media Player, and Clippy the talking paperclip into the core of IIS web server. That sounds like an excellent security policy to me!
So, no, you can't really run ASP on Apache with free software. ChiliSoft has a package that _will_ run ASP with Apache on Linux/UNIX.
I don't think "stealing" is a very good word to use, or you start to fall into the same trap that a lot of people accuse organisations like the RIAA and MPAA of. ("Stealing" music, copyright "theft", etc.) That is, unless you agree with them that use of another person's ideas without asking is theft.
Personally I think it's good that Microsoft has finally decided to implement what everyone else has, for a long time, known to be useful. Just because Microsoft has done it doesn't mean that everyone else must stop doing it.
It is called "Internet Information Services". It also has FTP, SMTP, and a few other things.
Actually, URL rewrite in ASP.Net is very easy.
.htm or .html to the dotnet framework, just look at .aspx and copy it.
l e101.htm")) {i d=101");
1. Open up your IIS website and map
2. Put a regex or something in the BeginRequest event of the global.asax. The example dosn't include the regex, but you get the idea.
protected void Application_BeginRequest(Object sender, EventArgs e){
if (HttpContext.Current.Request.Path.EndsWith("artic
HttpContext.Current.RewritePath("getarticle.aspx?
}
}
Next microsoft products will be COOL!
hype! hype hype! tech blogs! coolness! buzzwords! "john, the cool IT guy"
are you as cool as the developers using microsoft tools?
download the FREE betas and GIVE microsoft YOUR TIME helping finding bugs.
Next year you'll be FREE to BUY the final version!
If you don't like it, don't buy it; but you'll have to use it anyway.
Join us and write some quality, maintainable and finally non-portable code! Because microsoft platforms always been and are always gonna be the best choice.
Who needs facts here!? I mean pure and hard facts of course! Its computer science after all... So Microsoft have cooked us the best real facts of the market about the real money it costs for running linux against windows. Read it (or look at the nice graph charts) and FEEL by yourself how much windows is THE clever option.
well, thats the way it works for any big markets on the planet. And it is killing us, I think.
Pierre