A New IIS 6.0 Security Paradigm

Last week, while vendors feverishly readied virus updates for public distribution, the Nimda worm had plenty of time to damage systems around the world. I'm sure the worm affected many of you. Nimda certainly affected my company; the worm came in remotely through a VPN connection from an infected home computer that belongs to one of our employees. The worm infected several newly built machines, including all our Windows XP Release Candidate 2 (RC2) and Whistler Beta 2 copies; our virus software vendor has a policy of not releasing new versions of its software until Microsoft officially ships its OSs. We thought our computers were safe because they sit inside our firewall. How wrong we were!

The situation is frustrating, and it made me think. Shouldn't IIS come locked down by default? Doesn't that detail seem inordinately obvious? Why do we have to perform such a long and tedious process to lock down IIS after a default install? And why can't IIS automatically download and install service packs, hotfixes, patches, and updates when they're available? Keeping IIS servers up to date and protected against the world's malicious geniuses is almost a full-time job. Wouldn't it be great if you didn't have to waste your time with these mundane tasks and could move on to more productive and fun tasks such as administrative scripting? If you haven't installed IIS lately, take a look at the 3400-word Microsoft article that guides you through the lock-down process for IIS; it's an 8-hour ordeal.

Why do I pose these questions? Because IIS 6.0, which will ship with Windows.NET, overcomes all these weaknesses and more.

The press has criticized Microsoft for the security flaws and holes in its OSs, and the company is losing the public-relations battle. John Wurzler, an executive whose company insures businesses against hacking damages, says that premiums for Windows NT are 25 percent higher than for Windows 2000 "because NT is unprotectable." Although IIS 5.0 running on Win2K offers a secure Web platform, it doesn't do so by default.

IIS 6.0 is a complete paradigm shift; it provides an infrastructure that installs security hotfixes by default. IIS 6.0 also lets you download hotfixes and apply them automatically as they become available.

IIS 6.0 includes these security enhancements:

  • Configurable Worker Process Identities, which let you start services under the security context of LocalSystem, LocalService, NetworkService, or a configurable account.
  • Selectable Crypto Service Provider, which lets you use hardware-based Secure Sockets Layer (SSL). Hardware-based SSL is lightning-fast compared with the SSL latency we have to deal with today in IIS 5.0 and older releases.
  • Remotable Certificate installation and removal, which lets you install and remove certificates on remote computers.
  • Publishing, which you can disable.
  • Delegation for all protocols so you can securely distribute a Kerberos ticket when you use Digest, Basic, NT LAN Manager (NTLM), or Passport.
  • Sand-boxed FTP, which lets you configure FTP sites so only specific users can upload content.

These great, new IIS 6.0 security enhancements have one drawback: IIS 6.0 won't ship until first quarter 2002 (and that date is speculation on my part). Until then, we'll have to manually apply hotfixes and update virus files. Microsoft has done a great job with its Windows Critical Update Notification, but I look forward to the day when IIS not only automatically heals itself but also automatically updates itself. That day will come with IIS 6.0.
