Microsoft IIS v7 Details Emerge

← Back to Stories (view on slashdot.org)

Microsoft IIS v7 Details Emerge

Posted by ryuzaki0 on Monday May 30, 2005 @12:55AM from the noting-the-future dept.

daria42 writes "According to several .NET and Longhorn bloggers, the next version of Microsoft's IIS web server will integrate ASP.NET and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack. In addition, the software's admin tool has been completely revamped, and will allow Web-based remote administration utilising SSL."

9 of 192 comments (clear)

Min score:

Reason:

Sort:

Apache by The+Snowman · 2005-05-30 00:57 · Score: 4, Insightful

...and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack.

In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.

--
24 beers in a case, 24 hours in a day. Coincidence? I think not!
1. Re:Apache by KingSkippus · 2005-05-30 01:03 · Score: 4, Insightful
  
  Microsoft is learning lessons
  
  That's not new, Microsoft has made a pretty profitable business from learning lessons (or stealing ideas, one could also argue) from its competitors. That is, after all, how we got Windows in the first place.
  
  And as long as some people are dead-set on using IIS, it seems that making it more Apache-like in ways that Apache is superior to IIS is a good idea. Let's just hope that they continue to learn the more useful lessons and scrapping bad ideas.
2. Re:Apache by j-pimp · 2005-05-30 01:16 · Score: 5, Insightful
  
  In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.
  
  For better or for worse, Microsoft has definatly become a better company because of open source. Open source has definatly gotten better because of Microsoft too. Open source has harped on Microsoft because of security, and Microsoft has made itself more secure. Microsoft has bosted ease of use and a good office suite and as a result we get KDE, Gnome nad open office.
  
  Competition is good.
  
  --
  --- Justin Dearing http://www.justaprogrammer.net/ We're just programmers.
3. Re:Apache by gregorio · 2005-05-30 02:02 · Score: 3, Insightful
  If they started to give out modules that provided certain functionality, is it possible, that apache, through Wine, or some other interface, could make use of these components? Imagine having apache run .Net or ASP web applications. It may make the switch to Apache, and maybe eventually Linux cheaper and easier for many companies. Many companies have lots of money invested in .Net and ASP web applications.
  This article (mostly because of the submitter's text) is a great disservice to technical information:
  
  This kind of modularity is a part of IIS since its first version.
  
  ASP.NET is already implemented as a module, in all ASP.NET-supporting IIS versions.
  
  About your question: I'm not sure if ASP.NET can run on mod_isapi without too much trouble, but you can always try it, if you want to: ISAPI Apache module.
  
  Anyway, Covalent already provides us with a .NET-ready version of Apache 2.0 for Linux.
oxymoronic? by Kr3m3Puff · 2005-05-30 00:58 · Score: 4, Insightful

"...provide a smaller security footprint for hackers to attack."

"Web-based remote administration utilising SSL."

Is it just me, or doesn't that sound contradictory. Opening up your application, let alone your OS for remote hacking. Also, why would Microsoft even blink at enabling remote monitoring/logging of the websites your visit for government agencies? Tell me that that isn't going to be exploited...

--
D.O.U.O.S.V.A.V.V.M.
1. Re:oxymoronic? by blowdart · 2005-05-30 01:02 · Score: 3, Insightful
  
  is it just me, or doesn't that sound contradictory
  No. If everything is modular and you have to enable things by default then it will be off at install time, and won't have any footprint until you enable it. They started the "off by default" route with 2003, it just looks like Longhorn Server is taking it further.
2. Re:oxymoronic? by Zocalo · 2005-05-30 01:16 · Score: 4, Insightful
  
  Is it just me, or doesn't that sound contradictory.
  Not really, it depends upon the implementation and how Microsoft sets the defaults. The remote administration part is almost certainly going to be apart from the main server as one of the modular components mentioned in the article. I suspect what we will see is that the IIS admin tool will be an MMC snap-in, and that it will be MMC that will gain the remote HTTPS accessibility, which would make it little different from a remote access enabled install of WebMin.
  
  If they are taking security as seriously as they like to make out, then they will be designing the thing with the possibilty of a remote exploit in mind. That means, having remote access disabled by default, warning the user of the security implications when they try and enable remote access, and making it easy for the user to lock down the remote access by IP as well as HTTPS authentication. Asking for some IP ranges right after the remote access functionality is enabled would be good, or better yet restricting to the local IP anyway and *forcing* the user to enter additional IPs. This data could then be passed to the Windows Firewall as well as used as a "double check" by the MMC console, for an additional layer of protection.
  
  Regardless of the method and security of any implementation, that doesn't stop the usual bunch of losers with out a clue on security enabling global remote access of course. Nor, I suspect, will it stop Microsoft taking a good deal of the blame if and when a load of IIS7 servers get rooted by some future worm that exploits the remote mangement feature because some lunatics enabled it with minimal security.
  
  --
  UNIX? They're not even circumcised! Savages!
Sounds good, but... by Dink+Paisy · 2005-05-30 01:08 · Score: 5, Insightful

IIS 6 already rivals (and may even exceed) Apache as far as security goes. These changes seem designed to reduce risk more than increase security, since the security is already there. The other features seem to address one of the biggest complaints with Windows from Administrators, namely that it is too centralized and too hard to administer remotely. Think of these as going further along the direction of the perfect operating system to run Hotmail on.
Even if Microsoft does release the most secure web server ever, they will still have a huge problem to address: how to convince customers to move off of IIS 5, which has been exploited many times. Until that happens, all the new features do them no good at all.

--

Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
1. Re:Sounds good, but... by codepunk · 2005-05-30 01:37 · Score: 3, Insightful
  
  Actually it still does not address the concerns of our IT manager. Hook it to a database and see how much that costs for licensing etc. On top of that it cannot possibly compete because the underlying operating system cannot perform active / active clustering and single image configuration. And even if it could perfom active /active clustering the cost would still be way too high, vs me downloading centos and GFS and bringing up a high performance cluster.
  
  --
  
  Got Code?