Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft IIS v7 Details Emerge

Posted by ryuzaki0 on from the noting-the-future dept.

daria42 writes "According to several .NET and Longhorn bloggers, the next version of Microsoft's IIS web server will integrate ASP.NET and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack. In addition, the software's admin tool has been completely revamped, and will allow Web-based remote administration utilising SSL."

6 of 192 comments (clear)

  1. Apache by The+Snowman · · Score: 4, Insightful

    ...and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack.

    In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
    1. Re:Apache by KingSkippus · · Score: 4, Insightful

      Microsoft is learning lessons

      That's not new, Microsoft has made a pretty profitable business from learning lessons (or stealing ideas, one could also argue) from its competitors. That is, after all, how we got Windows in the first place.

      And as long as some people are dead-set on using IIS, it seems that making it more Apache-like in ways that Apache is superior to IIS is a good idea. Let's just hope that they continue to learn the more useful lessons and scrapping bad ideas.

    2. Re:Apache by j-pimp · · Score: 5, Insightful

      In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.

      For better or for worse, Microsoft has definatly become a better company because of open source. Open source has definatly gotten better because of Microsoft too. Open source has harped on Microsoft because of security, and Microsoft has made itself more secure. Microsoft has bosted ease of use and a good office suite and as a result we get KDE, Gnome nad open office.

      Competition is good.

      --
      --- Justin Dearing http://www.justaprogrammer.net/ We're just programmers.
  2. oxymoronic? by Kr3m3Puff · · Score: 4, Insightful

    "...provide a smaller security footprint for hackers to attack."
    "Web-based remote administration utilising SSL."


    Is it just me, or doesn't that sound contradictory. Opening up your application, let alone your OS for remote hacking. Also, why would Microsoft even blink at enabling remote monitoring/logging of the websites your visit for government agencies? Tell me that that isn't going to be exploited...
    --
    D.O.U.O.S.V.A.V.V.M.
    1. Re:oxymoronic? by Zocalo · · Score: 4, Insightful
      Is it just me, or doesn't that sound contradictory.

      Not really, it depends upon the implementation and how Microsoft sets the defaults. The remote administration part is almost certainly going to be apart from the main server as one of the modular components mentioned in the article. I suspect what we will see is that the IIS admin tool will be an MMC snap-in, and that it will be MMC that will gain the remote HTTPS accessibility, which would make it little different from a remote access enabled install of WebMin.

      If they are taking security as seriously as they like to make out, then they will be designing the thing with the possibilty of a remote exploit in mind. That means, having remote access disabled by default, warning the user of the security implications when they try and enable remote access, and making it easy for the user to lock down the remote access by IP as well as HTTPS authentication. Asking for some IP ranges right after the remote access functionality is enabled would be good, or better yet restricting to the local IP anyway and *forcing* the user to enter additional IPs. This data could then be passed to the Windows Firewall as well as used as a "double check" by the MMC console, for an additional layer of protection.

      Regardless of the method and security of any implementation, that doesn't stop the usual bunch of losers with out a clue on security enabling global remote access of course. Nor, I suspect, will it stop Microsoft taking a good deal of the blame if and when a load of IIS7 servers get rooted by some future worm that exploits the remote mangement feature because some lunatics enabled it with minimal security.

      --
      UNIX? They're not even circumcised! Savages!
  3. Sounds good, but... by Dink+Paisy · · Score: 5, Insightful
    IIS 6 already rivals (and may even exceed) Apache as far as security goes. These changes seem designed to reduce risk more than increase security, since the security is already there. The other features seem to address one of the biggest complaints with Windows from Administrators, namely that it is too centralized and too hard to administer remotely. Think of these as going further along the direction of the perfect operating system to run Hotmail on.

    Even if Microsoft does release the most secure web server ever, they will still have a huge problem to address: how to convince customers to move off of IIS 5, which has been exploited many times. Until that happens, all the new features do them no good at all.

    --

    Whoever corrects a mocker invites insult;
    whoever rebukes a wicked man incurs abuse.
    --Proverbs 9:7