Slashdot Mirror


Microsoft IIS v7 Details Emerge

daria42 writes "According to several .NET and Longhorn bloggers, the next version of Microsoft's IIS web server will integrate ASP.NET and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack. In addition, the software's admin tool has been completely revamped, and will allow Web-based remote administration utilising SSL."

14 of 192 comments

  1. Apache by The Snowman · · Score: 4, Insightful

    ...and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack.

    In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
    1. Re:Apache by KingSkippus · · Score: 4, Insightful

      Microsoft is learning lessons

      That's not new, Microsoft has made a pretty profitable business from learning lessons (or stealing ideas, one could also argue) from its competitors. That is, after all, how we got Windows in the first place.

      And as long as some people are dead-set on using IIS, it seems that making it more Apache-like in ways that Apache is superior to IIS is a good idea. Let's just hope that they continue to learn the more useful lessons and scrap bad ideas.

    2. Re:Apache by j-pimp · · Score: 5, Insightful

      In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.

      For better or for worse, Microsoft has definitely become a better company because of open source. Open source has definitely gotten better because of Microsoft too. Open source has harped on Microsoft because of security, and Microsoft has made itself more secure. Microsoft has boasted ease of use and a good office suite and as a result we get KDE, Gnome and OpenOffice.

      Competition is good.

      --
      --- Justin Dearing http://www.justaprogrammer.net/ We're just programmers.
    3. Re:Apache by molnarcs · · Score: 4, Informative

      ...If they started to give out modules that provided certain functionality ...

      I was looking for help on url_rewrite on google, when I bumped into some threads where users complained about $company's url_rewrite module not working as expected. He said that he regrets paying for it now. Others suggested he try out isapi rewrite ... another pay-for module that only provides freaking rewrite functionality. When I read those, I was soooo glad I never had to deal with IIS - I would have never thought that IIS users must go out hunting on google and actually pay for new modules for IIS that are completely free (and immediately available) for apache...

    4. Re:Apache by adolfojp · · Score: 4, Informative

      "Imagine having apache run .Net or ASP web applications."

      In my experience Mono http://www.mono-project.com/ has done a wonderful job at running ASP.NET apps and web services.

      To run classic ASP get this.
      http://www.apache-asp.org/

      If you are concerned with their legality go check Tomcat and JBoss ;-)

      Cheers,
      Adolfo

  2. oxymoronic? by Kr3m3Puff · · Score: 4, Insightful

    "...provide a smaller security footprint for hackers to attack."
    "Web-based remote administration utilising SSL."


    Is it just me, or doesn't that sound contradictory? Opening up your application, let alone your OS for remote hacking. Also, why would Microsoft even blink at enabling remote monitoring/logging of the websites you visit for government agencies? Tell me that that isn't going to be exploited...
    --
    D.O.U.O.S.V.A.V.V.M.
    1. Re:oxymoronic? by Zocalo · · Score: 4, Insightful

      Is it just me, or doesn't that sound contradictory.

      Not really, it depends upon the implementation and how Microsoft sets the defaults. The remote administration part is almost certainly going to be apart from the main server as one of the modular components mentioned in the article. I suspect what we will see is that the IIS admin tool will be an MMC snap-in, and that it will be MMC that will gain the remote HTTPS accessibility, which would make it little different from a remote access enabled install of WebMin.

      If they are taking security as seriously as they like to make out, then they will be designing the thing with the possibility of a remote exploit in mind. That means, having remote access disabled by default, warning the user of the security implications when they try and enable remote access, and making it easy for the user to lock down the remote access by IP as well as HTTPS authentication. Asking for some IP ranges right after the remote access functionality is enabled would be good, or better yet restricting to the local IP anyway and *forcing* the user to enter additional IPs. This data could then be passed to the Windows Firewall as well as used as a "double check" by the MMC console, for an additional layer of protection.

      Regardless of the method and security of any implementation, that doesn't stop the usual bunch of losers without a clue on security enabling global remote access of course. Nor, I suspect, will it stop Microsoft taking a good deal of the blame if and when a load of IIS7 servers get rooted by some future worm that exploits the remote management feature because some lunatics enabled it with minimal security.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:oxymoronic? by ergo98 · · Score: 5, Informative

      Opening up your application, let alone your OS for remote hacking.

      Well most servers have remote desktop enabled, and web administration of IIS has existed since IIS 5. I think the point was more so that you'll be able to fully configure your site. One of the issues, mentioned in the article, that IIS currently has is that there is a disconnect, and overlap, between the settings necessary in IIS and ASP.NET to configure a site properly, and it would be nice if they merged them (which really would be mapping some of the IIS metabase XML into the Web.Config).

      Reading this article, I'm still not sure what the real message is- You can already create fully managed handlers and modules for IIS, and the idea of it being pulled "into" IIS is frightening, actually (IIS 6 is a gorgeous design because it is like a microkernel web architecture, with an extremely minimalist server module and cache that communicates to external modules to handle things like ASP.NET processing). I suspect some information was misunderstood.

  3. Wait! by sammykrupa · · Score: 5, Funny

    Microsoft putting cool features into Longhorn!

    Next Slashdot Headline: Microsoft Takes IIS v7 Out of Longhorn

  4. Sounds good, but... by Dink Paisy · · Score: 5, Insightful

    IIS 6 already rivals (and may even exceed) Apache as far as security goes. These changes seem designed to reduce risk more than increase security, since the security is already there. The other features seem to address one of the biggest complaints with Windows from Administrators, namely that it is too centralized and too hard to administer remotely. Think of these as going further along the direction of the perfect operating system to run Hotmail on.

    Even if Microsoft does release the most secure web server ever, they will still have a huge problem to address: how to convince customers to move off of IIS 5, which has been exploited many times. Until that happens, all the new features do them no good at all.

    --

    Whoever corrects a mocker invites insult;
    whoever rebukes a wicked man incurs abuse.
    --Proverbs 9:7
  5. NIHS by putko · · Score: 4, Interesting

    I know it is against "not invented here", but why don't they take a decent BSD-licensed web-server, and then "embrace and extend" the thing to do their proprietary extensions?

    If they've modularized their stuff, this should be possible. They've done this already with TCP/IP, Kerberos and so on.

    The overall product, to the extent that it benefitted from the work of free BSD-licensed improvements, would be good for everybody.

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
  6. Re:Lame name alert by bigman2003 · · Score: 4, Informative

    Well since SEQUEL stood for 'Structured English Query Language' (which seems VERY language specific) I figured that SQL was just 'Structured Query Language.'

    But SQL was just a shortening of SEQUEL for legal reasons...

    --
    No reason to lie.
  7. Re:Why I hate IIS most. by _ZorKa_ · · Score: 5, Interesting

    Honestly who cares about ASP. No one today is really still writing in old ASP/VB (except maybe some intranets). However, if we are talking ASP.NET, in my repeated experience (since I work on a large team of web developers using multiple technologies), those migrating from PHP to ASP.NET constantly say "Wow, that would have taken me about 3 days to code that in PHP.". I mean simple things like caching are not built into PHP, you have to code it from scratch. Other things like OOP sessions don't exist. Everything is a freaking function for crying out loud. So you are left coding your own "framework" so to speak which is why there are a gazillion PHP frameworks out there all trying to imitate what ASP.NET provides you. Another example is the ever popular MVC model. ASP.NET does this out of the box. But with PHP you have to spend the time coding your own. I wrote PHP code for a long time dude, and switched to ASP.NET over a year ago and I haven't looked back. Open your mind. Do you want the green pill or the red pill?

    --
    "With enough memory and hard drive space, anything in life is possible!"
  8. Re:PHP not OOP??? Hah! by SolidGround · · Score: 4, Interesting

    Usually it's people with no real programming experience that seem to prefer PHP over .NET. If you have any experience whatsoever in general development you'd realize that loosely typed variables are very much a bad thing and that what PHP claims as OO doesn't even come close to the real deal. PHP's programming practices are something that just encourages hacking away at it to make up for bad design and invites bug-ridden, impossible to debug code. It's also very much lacking a framework to do some decent componentization and even PHP 5 manages to stay years behind with no support for SOAP or any of the WS-* technologies and OO manages to be a factor 2 to 3 times slower than it was in PHP 4 already. PHP is popular because it's cheaper to find hosting for and because 99% of the sites out there use pre-written scripts. PHP does have some really nice features but to me they just melt away as soon as you try to build a site with some degree of complexity. It's great for a small to large hobby site, but that's really about it. Lastly, for something that's generally accepted to be open-source, it's a remarkably expensive platform to develop for. $300 for Zend Studio, $2400 for Zend Encoder and/or Zend Accelerator for $300/year.