Microsoft IIS v7 Details Emerge

daria42 writes "According to several .NET and Longhorn bloggers, the next version of Microsoft's IIS web server will integrate ASP.NET and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack. In addition, the software's admin tool has been completely revamped, and will allow Web-based remote administration utilising SSL."

Apache

[The+Snowman]

...and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack.

In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.

Re:Apache

[KingSkippus]

Microsoft is learning lessons

That's not new, Microsoft has made a pretty profitable business from learning lessons (or stealing ideas, one could also argue) from its competitors. That is, after all, how we got Windows in the first place.

And as long as some people are dead-set on using IIS, it seems that making it more Apache-like in ways that Apache is superior to IIS is a good idea. Let's just hope that they continue to learn the more useful lessons and scrapping bad ideas.

Re:Apache

[CastrTroy]

If they started to give out modules that provided certain functionality, is it possible, that apache, through Wine, or some other interface, could make use of these components? Imagine having apache run .Net or ASP web applications. It may make the switch to Apache, and maybe eventually Linux cheaper and easier for many companies. Many companies have lots of money invested in .Net and ASP web applications.

Re:Apache

[j-pimp]

In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.

For better or for worse, Microsoft has definatly become a better company because of open source. Open source has definatly gotten better because of Microsoft too. Open source has harped on Microsoft because of security, and Microsoft has made itself more secure. Microsoft has bosted ease of use and a good office suite and as a result we get KDE, Gnome nad open office.

Competition is good.

Re:Apache

[cpghost]

Microsoft has bosted ease of use and a good office suite and as a result we get KDE, Gnome nad open office.

Agreed! It's just tood bad that KDE, Gnome and OO are getting so much bloated, that they won't (decently) run on small solid state devices or low-end, power saving slow or embedded CPUs. Of course there's xfce, fluxbox etc..., but it's sad that userfriendliness still attracts bloatedness so much.

Re:Apache

[/ASCII]

According to this ASP will be integrated into IIS. Exectly what that will mean is not very clear to me, but it is interesting to note that this is the opposite direction of what Apache is doing with PHP, mod_perl , etc.

Perhaps this is like when MS decided to mode the graphics subsystem into the kernel, a way to gain performance at the cost of security and stability.

Re:Apache

[gregorio]

If they started to give out modules that provided certain functionality, is it possible, that apache, through Wine, or some other interface, could make use of these components? Imagine having apache run .Net or ASP web applications. It may make the switch to Apache, and maybe eventually Linux cheaper and easier for many companies. Many companies have lots of money invested in .Net and ASP web applications.

This article (mostly because of the submitter's text) is a great disservice to technical information:

• This kind of modularity is a part of IIS since its first version.
• ASP.NET is already implemented as a module, in all ASP.NET-supporting IIS versions.

About your question: I'm not sure if ASP.NET can run on mod_isapi without too much trouble, but you can always try it, if you want to: ISAPI Apache module.

Anyway, Covalent already provides us with a .NET-ready version of Apache 2.0 for Linux.

oxymoronic?

[Kr3m3Puff]

"...provide a smaller security footprint for hackers to attack."

"Web-based remote administration utilising SSL."

Is it just me, or doesn't that sound contradictory. Opening up your application, let alone your OS for remote hacking. Also, why would Microsoft even blink at enabling remote monitoring/logging of the websites your visit for government agencies? Tell me that that isn't going to be exploited...

Re:oxymoronic?

[blowdart]

is it just me, or doesn't that sound contradictory

No. If everything is modular and you have to enable things by default then it will be off at install time, and won't have any footprint until you enable it. They started the "off by default" route with 2003, it just looks like Longhorn Server is taking it further.

Re:oxymoronic?

[Zocalo]

Is it just me, or doesn't that sound contradictory.

Not really, it depends upon the implementation and how Microsoft sets the defaults. The remote administration part is almost certainly going to be apart from the main server as one of the modular components mentioned in the article. I suspect what we will see is that the IIS admin tool will be an MMC snap-in, and that it will be MMC that will gain the remote HTTPS accessibility, which would make it little different from a remote access enabled install of WebMin.

If they are taking security as seriously as they like to make out, then they will be designing the thing with the possibilty of a remote exploit in mind. That means, having remote access disabled by default, warning the user of the security implications when they try and enable remote access, and making it easy for the user to lock down the remote access by IP as well as HTTPS authentication. Asking for some IP ranges right after the remote access functionality is enabled would be good, or better yet restricting to the local IP anyway and *forcing* the user to enter additional IPs. This data could then be passed to the Windows Firewall as well as used as a "double check" by the MMC console, for an additional layer of protection.

Regardless of the method and security of any implementation, that doesn't stop the usual bunch of losers with out a clue on security enabling global remote access of course. Nor, I suspect, will it stop Microsoft taking a good deal of the blame if and when a load of IIS7 servers get rooted by some future worm that exploits the remote mangement feature because some lunatics enabled it with minimal security.

Sounds good, but...

[Dink+Paisy]

IIS 6 already rivals (and may even exceed) Apache as far as security goes. These changes seem designed to reduce risk more than increase security, since the security is already there. The other features seem to address one of the biggest complaints with Windows from Administrators, namely that it is too centralized and too hard to administer remotely. Think of these as going further along the direction of the perfect operating system to run Hotmail on.

Even if Microsoft does release the most secure web server ever, they will still have a huge problem to address: how to convince customers to move off of IIS 5, which has been exploited many times. Until that happens, all the new features do them no good at all.

Re:Sounds good, but...

[codepunk]

Actually it still does not address the concerns of our IT manager. Hook it to a database and see how much that costs for licensing etc. On top of that it cannot possibly compete because the underlying operating system cannot perform active / active clustering and single image configuration. And even if it could perfom active /active clustering the cost would still be way too high, vs me downloading centos and GFS and bringing up a high performance cluster.

Re:Lame name alert

[PalmerEldritch42]

As opposed to what? Apache? At least IIS has the word Internet in it, so you aren't tempted into thinking that there is an war-painted Native American running your webserver!

Web based administration???

[Ucklak]

Umm, you could do that with IIS 4.0. Is this just marketing the same thing and labeling it as new?

Will they fix the backup and restore features so that you can transfer sites server to server without having to configure the whole damn thing?

Re:webbased admin tool bad idea

[lgw]

What good is a server without remote admin to a large shop? Far better to use something SSL-based than Remote Desktop to manage your servers, after all.

Whether it's "insanely stupid" to use IIS as a part of remote admin will depend on how small its footprint turns out to be. I'm skeptical as well, but not at the basic idea, just at MS's ability to implement. If they can deliver a very lightweight web server, more power to them. If not, it will still be useful for machines that have to run IIS for another reason.

[OT] werds was Re:Apache

[g0at]

For better or for worse, Microsoft has definatly become a better company because of open source.

Whenever someone misspells definitely as "definatly", I often read it as defiantly. Sometimes, depending on the context, it's an even more appropriate word.

-b