Slashdot Mirror
Microsoft IIS v7 Details Emerge
daria42 writes "According to several .NET and Longhorn bloggers, the next version of Microsoft's IIS web server will integrate ASP.NET and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack. In addition, the software's admin tool has been completely revamped, and will allow Web-based remote administration utilising SSL."
In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
Is it just me, or doesn't that sound contradictory. Opening up your application, let alone your OS for remote hacking. Also, why would Microsoft even blink at enabling remote monitoring/logging of the websites your visit for government agencies? Tell me that that isn't going to be exploited...
D.O.U.O.S.V.A.V.V.M.
One can imagine that Microsoft are now targetting the homosexual market.
"Why did they cancel my favorite Sci-Fi show? I downloaded ALL the episodes!"
FP
This is what apache did with modules ages ago and webmin did years ago aswell. Although all of it seems to be good what MS is doing, it is late with a few years again.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
What a shitty idea.
If they do this wrong, this'll be just another less-secure-than-Apache server, even with separated components.
This SSL security better be tough, lest they receive extra damage to their reputation.
You can hold down the "B" button for continuous firing.
Microsoft putting cool features into Longhorn!
Next Slashdot Headline: Microsoft Takes IIS v7 Out of Longhorn
Dashboard Widgets
"*nix had X feature back in Y date!"
Wah, SHA1 Broken! SSL!! WAAA, PANIC!!!
:)
just for all you tinfoilhats out there
Even if Microsoft does release the most secure web server ever, they will still have a huge problem to address: how to convince customers to move off of IIS 5, which has been exploited many times. Until that happens, all the new features do them no good at all.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
but IIS 6.0 is a steaming pile of shit!
Don't believe me, go ahead and check MS IIS newsgroup and you'll find tons of desperate programmers like those of my team that, since W2k3 SP1, do not care about pretty icons any longer. The only thing we long for is that our legacy ASP will continue working on IIS 6.0 as it did on IIS 5.x for years!!!
MS please don't blow it the next time.
Apache folks, keep your "told ya" for yourself, it ain't gonna help me now.
I don't know I think they should improve the multimedia console one. Webbased admin tool might just end up full of holes anyways.
I also noticed the upcoming virtual server 2005 SP1 is using a webbased admin tool. Why something like a virtual machine needs IIS to run to mangage is a little baffling but there seems to be someone at microsoft who always comes up with these terrible ideas.
did you forget to take your meds?
Linked from the article: Guess he's using it already. ;)
Is it just me, or is the name "IIS web server" really lame? "Internet Information Server web server..." Yes, I know, Microsoft doesn't append "web server" to IIS, but if you have to tack on "web server" to remind people what the heck it is, then why not call it "Microsoft" web server instead of the nine-syllable babble-phrase? Sort of reminds me of PL/SQL, which when fully expanded is "Procedural Language/Structured Query Language".
Remain calm! All is well!
I know it is against "not invented here", but why don't they take a decent BSD-licensed web-server, and then "embrace and extend" the thing to do their proprietary extensions?
If they've modularized their stuff, this should be possible. They've done this already with TCP/IP, Kerberos and so on.
The overall product, to the extent that it benefitted from the work of free BSD-licensed improvements, would be good for everybody.
http://www.thebricktestament.com/the_law/when_to_
Bill Frist! Ho Ho Ho!
http://www.mcwdn.org/GOVERNMENT/Frist250.gif
-jim-e
Are they going to fix their totally, state-of-the-brain-damaged-art configuration interface? I was made a couple of times to try to fix IIS problems and damn, is that one misguided abomination if I ever seen one. I dunno - maybe they should make it - you know - well commented plain text configuration file? Or even XML? I heard this works for others ;) But all in all - ASP.Net aside (I have not yet encountered that closely enough, knocking on the wood) is there a reason to use IIS at all? Apache for Win32 works perfectly well. And the fact that IIS runs ASP (classic) is IMO a good enough reason to _disallow_ IIS usage anywhere you have authority to. (In my repeated experience a semi-intelligent ASP programmer with zero PHP experience is made 3-10 times more productive within a week of PHP exposure).
Umm, you could do that with IIS 4.0. Is this just marketing the same thing and labeling it as new?
Will they fix the backup and restore features so that you can transfer sites server to server without having to configure the whole damn thing?
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
I don't know about you...but being an ex-ASP developer, I always found IIS to be rather bloated and testy. Even when I started using .NET and IIS 6 on a 2003 server...it still felt like bloatware! Give me an Apache server any day! :)
Jeff Whitfield jeffwhitfield@gmail.com "I can learn to resist anything but temptation..."
We tried working with Microsoft IIS v7.
An employee suggested to me that we load IIS v7 on a few machines here as an evaluation. I was skeptical at first but he explained the benefits of using it for our employee's day-to-day site management. So I decided to let him install the webserver onto 5 machines to see how the users got on. Besides, our IT manager had been using it on his system and it seemed to work fine, why not try it on the client machines?
Once he'd got the machines up and running with IIS v7 we let the users try it out. It all seemed fine to start with: IIS v7 was a pretty good replacement for their web server and the users could still do their work as normal.
Alas it did not stay that way. After a few days, I had lost count of the number of complaints received from users who could find things they were used to or tasks they could not perform that they previously could with their website. The final straw came when one employee lost several hours work when IIS v7 suddenly had an error reading from our intranet file server and corrupted his website.
Needless to say, the Microsoft team offered no support whatsoever. I made the employee uninstall IIS v7 from the machines and lets just say he's not with us anymore, because we had him teleported into the future.
Microsoft Longhorn: A False Hope. (I probably the only one who understood that, but it is to do with the let downs that the first 2 new Star Wars movies were, and the way that the titles of these movies where layed out. That or it just wasn't funny.)
" In addition, the software's admin tool has been completely revamped, and will allow Web-based remote administration utilising SSL."
So basically like plesk, welcome to the 00's.
My LAMP setup shines brightly enough for me.
Meh.
This is what apache did with modules ages ago and webmin did years ago aswell. Although all of it seems to be good what MS is doing, it is late with a few years again.
IIS is module-based (ISAPI) since the beginning.
"Developers are simply going to love IIS 7 because they finally will have the ability to configure the settings they need without having to request them from an administrator," he said.
Too bad he didn't mention the fact that developers would love IE 7 because the xhtml/css is being rendered the way w3c intended it. Or maybe he didn't mention it because that's no feature of IE 7. I develope web sites for the travel industry and IE 5.0 and up is our focus browser. I can't remember how many times I was hacking away in my solid xhtml/css design (working flawless in firefox) to make it look ok in IE. I'm not flaiming microsoft in this, but they sould really really really work at making sure their browser doesn't do 'funky' rendering stuff.
When that's done, I'll admire that "configure settings" gladly.
and how much do they want for it? And more importantly, how does it compare to my Apache/PHP setup?
Bear in mind this is for a home computer, not a fortune 400 company.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".
Hands up those of you who think this will be nice and secure, and won't have any flaws. Hands up, all of you - cmon, I can't see any hands up.
The best thing they could do is run it on a different port, so that (with correct firewalling) it would only be accessible from the company admin ranges.
Get your own free personal location tracker
This is what apache did with modules ages ago and webmin did years ago as well.
.htaccess kinds of files (the IIS configuration is already a big XML file, but it's not in your web directories), the use of a new service control manager, and a better admin console. Until more details come out, it really isn't that much of a schism.
Remember that this information is coming from bloggers. The barrier to entry to blogging about something is that you have the wherewithall to setup an account on a blogging host.
IIS has been module based since day one - ASP is nothing more than an ISAPI module. Logging can be configured as external modules. Filters are external modules.
I read a more detailed account and it really sounds like the big change is
No mod points, but this is exactly what I was thinking. This submission is much ado about nothing at all.
Anyone else noticed that the Hack IIS6 website from the previous slashdot article has gone down?
Microsoft's only plan is to sell the additional modules. IIS has been free for wayyy too long. You will get the 'basic' IIS for free, and then down the road, you will buy the SSL module, or buy the PHP module..
C# and the CLR (which .NET and mono run on) are open specs. JBoss, unless I'm mistaken, has an explicit exemption from Sun. I don't think there's any question that Apache using mono (which is backed by Novell) is legal....Just a thought.
You do realize Microsoft Europe funded development of the original EMWACS server, the predecessor to Apache, right?
Yes, they are learning lessons from something they funded.
The only thing we long for is that our legacy ASP will continue working on IIS 6.0 as it did on IIS 5.x for years!!!
I take it you are complainig because updates to your web server caused old applications to break? If you coded webapps in older versions of ASP you must be prepared for the fact that sooner or later Microsoft will drop legacy support for old features or change default settings and they are not alone in this. There have been changes in PHP for example that have broken people's code. Take for example the time the PHP team changed the value of register_globals from ON to OFF to increase security. Careless admins who didn't read the PHP 4.2 change-list before upgrading were in for a surprise when several dozen websites suddenly had problems because their developers had written their code without taking into account that this setting might be changed. Should the PHP team have kept the less secure register_globals=ON setting for legacy reasons? I don't think so, it is part and pacel of a developers job to deal with these issues and it is up to the admin to inform him self about what changed need to be made to old web-applications before rushing in and making an upgrade.
Only to idiots, are orders laws.
-- Henning von Tresckow
.. that they're making it more like Caudium.
Modular. Check (Caudium is *way* more modular than Apache.)
Web-based admin via SSL. Check
Integrated language for dynamic pages. Check.
Microsoft is right now getting sued by several companies for rights on some of those features they are announcing. How can they possibly announce those features as parts of their product while they are getting sued for them? I don't get it. Is Microsoft that overly gutsy or stupid or both?
Caching (of files, of DB calls, of anything) can easily be implemented via PEAR. OOP does exist, and I use full classes ALL THE TIME.
If you have coded PHP for a long time, you obviously where stuck on PHP3 and have not checked out any recent features. PHP has become much more robust and I'm willing to bet I can code a site in PHP at least as fast as you can code one in ASP.NET. Not trying to be flame bait and I'm not going to get in a flame war, but if you are trying to say "Yay ASP.NET, PHP sucks because it's not OOP and is slower to code for" you are mistaken. And yes, I have coded a web application in C# so I do have a reference point.
Cool. Drives adoption of alternatives...
What? How is Apache::ASP a solution for MS ASP? I have never met a person who codes ASP in Perl.
If Microsoft would only play nice with others. Yes, they are making better products now, but they are still using FUD and monopoly based tactics to shut down the competition or use their influence in government to make the competition illegal.
I honestly don't see WHY they need to develop a web administration tool. You can already use the MMC snap-in over a local network, or over a VPN tunnel, and terminal services duplicates practically everything you can do locally, which could be run over a VPN tunnel as well.
Oh, and the aspnet_isapi.dll extension (or the derivative of it) is mapped to every type of file in IIS, so your HttpHandlers/HttpModules can be used (it also means that forms authentication, as an example, would work for static content such as images as well. Right now unless you configure it otherwise the ASP.NET module doesn't handle that, so ASP.NET security and functions are irrelevant).
For better or for worse, Microsoft has definatly become a better company because of open source.
Whenever someone misspells definitely as "definatly", I often read it as defiantly. Sometimes, depending on the context, it's an even more appropriate word.
-b
myselfmusic
Which, somehow, will still be easily hackable rendering the other security improvments useless because every script kiddie and their sister will be able to get remote admin access.
btw, why didn't someone came up yet with the idea to make a putty MMC snap-in. I imagine something on the lines of the tsmmc.msc from the windows server 2003 admin pack which is a very handy tool if you have some more servers to work on (basically a tree with the servers on the left side and the RDP-view on the right, switching between servers by clicking on the entries on the left side)
SEO Test: TIGI und SEBASTIAN - Online Shop - V
http://www.studiodeluxe.net/pws/index.htm
how is babby formed?
There are many things that IIS has done better than Apache. Take user file permissions for example. On Apache a user can authenticate against, say a passwd file, but Apache still ignores the file permissions of the file system. On IIS, when you authenticate to the server the server impersonates your user account when it accesses files and so the file permissions (ACLs) still apply as they would when accessing files on the OS normally.
.htaccess helps).
Another advantage of IIS is it's ability to isolate applications running on it.
If an application crashes on IIS, it dies within its own isolated process and doesn't affect other applications or the core. Apache does this to an extent and will usually at least keep the core running if a module crashes, but there are still instances where it may need a restart. This is also the same reason Apache needs a restart to change configuration settings while IIS does not (although
Oh, so they'll integrate MSIE 7, Windows Media Player, and Clippy the talking paperclip into the core of IIS web server. That sounds like an excellent security policy to me!
just trying to bait the prove you're not a script thing in to showing upl ololo lololololol
just ignore me.
lolololololololololololololololololololololo
goatse:goatse:goatse:goatse
So, no, you can't really run ASP on Apache with free software. ChiliSoft has a package that _will_ run ASP with Apache on Linux/UNIX.
I don't think "stealing" is a very good word to use, or you start to fall into the same trap that a lot of people accuse organisations like the RIAA and MPAA of. ("Stealing" music, copyright "theft", etc.) That is, unless you agree with them that use of another person's ideas without asking is theft.
Personally I think it's good that Microsoft has finally decided to implement what everyone else has, for a long time, known to be useful. Just because Microsoft has done it doesn't mean that everyone else must stop doing it.
It is called "Internet Information Services". It also has FTP, SMTP, and a few other things.
Actually, URL rewrite in ASP.Net is very easy.
.htm or .html to the dotnet framework, just look at .aspx and copy it.
l e101.htm")) {i d=101");
1. Open up your IIS website and map
2. Put a regex or something in the BeginRequest event of the global.asax. The example dosn't include the regex, but you get the idea.
protected void Application_BeginRequest(Object sender, EventArgs e){
if (HttpContext.Current.Request.Path.EndsWith("artic
HttpContext.Current.RewritePath("getarticle.aspx?
}
}
Next microsoft products will be COOL!
hype! hype hype! tech blogs! coolness! buzzwords! "john, the cool IT guy"
are you as cool as the developers using microsoft tools?
download the FREE betas and GIVE microsoft YOUR TIME helping finding bugs.
Next year you'll be FREE to BUY the final version!
If you don't like it, don't buy it; but you'll have to use it anyway.
Join us and write some quality, maintainable and finally non-portable code! Because microsoft platforms always been and are always gonna be the best choice.
Who needs facts here!? I mean pure and hard facts of course! Its computer science after all... So Microsoft have cooked us the best real facts of the market about the real money it costs for running linux against windows. Read it (or look at the nice graph charts) and FEEL by yourself how much windows is THE clever option.
well, thats the way it works for any big markets on the planet. And it is killing us, I think.
Pierre