Microsoft IIS v7 Details Emerge
daria42 writes "According to several .NET and Longhorn bloggers, the next version of Microsoft's IIS web server will integrate ASP.NET and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack. In addition, the software's admin tool has been completely revamped, and will allow Web-based remote administration utilising SSL."
Opening up your application, let alone your OS for remote hacking.
Well, most servers have remote desktop enabled, and web administration of IIS has existed since IIS 5. I think the point was more so that you'll be able to fully configure your site. One of the issues, mentioned in the article, that IIS currently has is that there is a disconnect, and overlap, between the settings necessary in IIS and ASP.NET to configure a site properly, and it would be nice if they merged them (which really would be mapping some of the IIS metabase XML into the Web.Config).
Reading this article, I'm still not sure what the real message is: you can already create fully managed handlers and modules for IIS, and the idea of it being pulled "into" IIS is frightening, actually (IIS 6 is a gorgeous design because it is like a microkernel web architecture, with an extremely minimalist server module and cache that communicates to external modules to handle things like ASP.NET processing). I suspect some information was misunderstood.
Well since SEQUEL stood for 'Structured English Query Language' (which seems VERY language specific) I figured that SQL was just 'Structured Query Language.'
But SQL was just a shortening of SEQUEL for legal reasons...
No reason to lie.
I was looking for help on url_rewrite on google, when I bumped into some threads where users complained about $company's url_rewrite module not working as expected. He said that he regrets paying for it now. Others suggested he try out isapi rewrite ... another pay-for module that only provides freaking rewrite functionality. When I read those, I was soooo glad I never had to deal with IIS - I would have never thought that IIS users must go out hunting on google and actually pay for new modules for IIS that are completely free (and immediately available) for apache...
IIS 6 already uses XML for all its configuration files.
"Imagine having apache run .Net or ASP web applications."
;-)
In my experience Mono http://www.mono-project.com/ has done a wonderful job at running ASP.NET apps and web services.
To run classic ASP get this.
http://www.apache-asp.org/
If you are concerned with their legality go check Tomcat and JBoss
Cheers,
Adolfo
It is not an oxymoron. The feature would be turned off by default. You are confusing the point you are trying to make, which is that this remote admin feature would be a good target for exploits. It is a valid comment.
But common sense would dictate that the web admin tool would not be turned on to connections from the general internet. Instead, it would be limited to the intranet. If it is turned on to the general internet, then they better be sure there aren't any exploits around. But the same is true of any outward facing service, isn't it? IIS v5 was a travesty in security, but IIS6 has had very little problems where vulnerabilities are concerned (check out http://secunia.com/product/1438/). One would hope IIS7 would be even better, given the draconian protocol we have to follow now within Microsoft when it comes to security in code.
Remote GUI administration is already available, by the way. Run IIS manager, choose 'connect' and point it to a remote IIS server with the service turned on, and you'll be able to admin it just as you do your local IIS server.
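The intranet-only restriction the comment above recommends, written out as an added Python example (this is not code from the page, from Microsoft, or from IIS). It assumes a hypothetical admin console path prefix of /admin/, treats the RFC 1918 ranges plus loopback as "the intranet", takes port 443 as the TLS indicator, and scans constructed access-log lines to flag admin requests that violate the policy:

```python
import ipaddress
import re

# Constructed allow-list: RFC 1918 ranges plus loopback. Assumption: the
# admin console is only ever supposed to be reached from these networks.
INTRANET_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Hypothetical path prefix for the web admin console (not taken from the page).
ADMIN_PREFIX = "/admin/"


def is_intranet_client(client_ip: str, networks=INTRANET_NETWORKS) -> bool:
    """Return True if client_ip falls inside one of the permitted networks.
    Malformed addresses are treated as not permitted (fail closed)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def admin_allowed(client_ip: str, path: str, tls: bool) -> bool:
    """Policy check: admin paths require both an intranet source and TLS.
    Non-admin paths are left to the normal site handling."""
    if not path.startswith(ADMIN_PREFIX):
        return True
    return tls and is_intranet_client(client_ip)


# Simplified access-log format: client-ip method path server-port status.
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<port>\d+) (?P<status>\d+)$"
)

# Constructed sample log lines (203.0.113.0/24 is documentation space, i.e. "public").
SAMPLE_LOG = """\
192.168.1.20 GET /admin/sites 443 200
203.0.113.7 GET /admin/sites 443 200
10.5.0.3 POST /admin/restart 80 200
203.0.113.9 GET /index.html 80 200
"""


def find_admin_violations(log_text: str):
    """Scan access-log lines and return those where an admin path was reached
    from outside the intranet or without TLS (port 443 taken to mean TLS)."""
    violations = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        tls = m.group("port") == "443"
        if not admin_allowed(m.group("ip"), m.group("path"), tls):
            violations.append(line)
    return violations


if __name__ == "__main__":
    for v in find_admin_violations(SAMPLE_LOG):
        print("ALERT:", v)
```

The client address used for the check must be the TCP peer address seen by the server, not a forwarded-for header, since a header can be set to any value by the sender; when a reverse proxy sits in front of the server, the proxy itself has to enforce the restriction.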
I would think this is a good thing for OSS enthusiasts. It means that if a corporation absolutely insists on running IIS, then all the other support servers could be Linux/OSX and you could admin the machine through the web interface. Now you still need MS machines running for support, so you can either Remote Desktop to the IIS box, or use IIS Manager.
This is what apache did with modules ages ago and webmin did years ago as well.
Remember that this information is coming from bloggers. The barrier to entry to blogging about something is that you have the wherewithal to set up an account on a blogging host.
IIS has been module based since day one - ASP is nothing more than an ISAPI module. Logging can be configured as external modules. Filters are external modules.
I read a more detailed account and it really sounds like the big change is .htaccess kinds of files (the IIS configuration is already a big XML file, but it's not in your web directories), the use of a new service control manager, and a better admin console. Until more details come out, it really isn't that much of a schism.
With typical Apache hosting, individual users can modify their configurations on the fly with .htaccess files...
This is a major deterrent for IIS; the first time I used it I was looking furiously for the config file.
All the config seemed to be scattered around little grey boxes, with "tabs" that had more little grey boxes, with circles and what-have-you...it was horrible.
I would have never thought that IIS users must go out hunting on google and actually pay for new modules for IIS that are completely free (and immediately available) for apache...
;)
I noticed the same thing a few years ago (5) with ASP. My roommate in university was an ASP developer, and I had been doing PHP for a couple of years at that point. He was working on some application that required DNS lookups, and actually ended up paying for an ASP module/script/whatever to do them. I was totally surprised at this (since it's one of the core functions of php) and he started telling me how there were many many 3rd party modules you had to pay for. I showed him all the built-in stuff that PHP had, and then some of the places on the web you can get thousands of scripts, and he was amazed. Not sure if he ever converted.
Speak before you think
ya, here's the link in case anybody missed that story.
Actually, on a Linux/Apache system with Mono installed, a lot of ASP.NET web apps run just fine...this was actually a major goal of Mono, iirc.
Well, imagine a rectangular hyperbola produced by this equation:
K = Security x Convenience
where K is a constant representing the level of design and implementation skill an organization has.
What I'm saying is that almost anybody can have an arbitrarily secure system, provided that they are willing to bear a sufficiently large degree of inconvenience. For example, a web site that is served by a diskless server that boots and serves information from a CD-ROM would present limited opportunities for somebody who wished to deface the site, although it is still possible. But such a CD-ROM based system obviously wouldn't be practical for most organizations. Practical systems require a certain level of convenience to be, well, practical. If that level of convenience entails unacceptable security risks, then you either give up on that application as being impractical, or you go looking for a more highly skilled team that can build systems on a tighter trade-off curve.
So, the very first choice is whether to have remote administration or not; I believe virtually everybody can agree that a practical web server has to be remotely administrable. Once you've made this decision, then you have taken a big step on our graph towards the origin point -- where real skill really comes into play. Which approach to doing this is the shrewdest? You can't make this decision using general philosophical principles, you need data; or at least assumptions.
For example, suppose I am considering two alternatives to managing my servers remotely: a self-contained management system employing HTML forms and https, or one based on remote shell operations using ssh. Without going into this choice in great detail, a lot depends on your assumptions -- not only that, it depends on your marginal assumptions. If I recall correctly, SSH has had its share of vulnerabilities over the years. But I may feel comfortable with it at this point and regard it as "secure enough" for my application. I may have a queasy feeling about trusting IIS's TLS implementation, or IIS's ability to ensure that sensitive operations are properly authorized. This makes turning off IIS's own management system and using something like Remote Desktop tunneled over SSH through a firewall sound like a good bet.
But wait.
Suppose my web site is supposed to handle secure transactions. I'm relying on IIS's TLS to manage mutual authentication using client and server side certificates. I'm relying on it to enforce security policies I've set up. If IIS's security is broken, then I'm hosed. The marginal risk I am exposed to by managing my web server using its built-in tools doesn't seem so dramatic anymore. Using a separate mechanism to manage the web server actually adds a second, independent channel by which my site can be compromised.
Intuition can be a faulty guide. If your goal is to get to market with close to 100% of your eggs, you may be better off placing them in a single, well chosen basket, rather than distributing them between two baskets you don't have much trust in. Likewise, when the universe of choices is constrained by your employer or by your client, your best choice may be something you wouldn't have considered otherwise. Gambling when you need money is a fool's game, but if you're stuck in Casablanca without money for a good bribe, then Rick's roulette table starts to look pretty good, even though everyone knows it's rigged.
Of course, I'm probably using Apache for this, but you can see the point. Speaking of Apache, Tomcat has a built in management application, and nobody I know of ever complains it is a security issue. That's because nearly everyone trusts Apache, and assumes that it is not a security issue.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I dunno - maybe they should make it - you know - a well-commented plain-text configuration file? Or even XML.
IIS 6 already uses XML configuration files. It's in fact a quite rare move in the MS world - until then they only used their beloved "registry". I guess people asked them to use "configuration files", so they went for XML configuration files. But their approach is awkward: when you edit the configuration file and save it, IIS detects it and the corresponding registry configuration is changed to reflect the changes in the configuration file - and vice versa.
http://www.studiodeluxe.net/pws/index.htm
how is babby formed?
The XML files are there to simplify deployment. Just unzip the files on a new server and you're done with both content and site configuration.
.m
The synchronization with the registry is necessary for backwards compatibility, since many tools and applications expect to find configuration information in the registry.