At the recent Microsoft Professional Developers Conference (PDC 2005), IIS Program Manager Chris Adams talked about upcoming features of IIS 7.0, some of which are security related.
IIS 7.0 is built on the IIS 6.0 platform, which is far more secure than previous versions of IIS. Adams said that IIS developers learned over time, particularly because of worms such as Code Red and Nimda, how to improve the Web server's security. Adams said that no security vulnerabilities have been discovered in what he calls the "IIS critical core" since the release of IIS 6.0. Therefore IIS 6.0 serves as a good base to build on.
IIS 7.0 brings new security features such as delegation of authority, which is a significant improvement. This means that people can perform delegated tasks without having administrator-level authority. So for example, in the course of developing a new Web page, a Web developer might want to use a new file extension type. Traditionally, an administrator would need to add that type to the server. But the new delegation features let an administrator delegate that authority to the developer. This capability will improve security administration and increase productivity.
If you've spent a lot of time developing secure applications that run on IIS 6.0, you won't have to spend much time moving them to IIS 7.0. Adams said Microsoft has made sure that IIS 7.0 will support "legacy applications."
Unlike Windows XP, which includes IIS 5.1, and Windows Server 2003, which includes IIS 6.0, Windows Vista and Longhorn Server will ship with IIS 7.0. The different IIS versions on XP and Windows 2003 posed some developmental and security problems; Microsoft is aiming to avoid those problems in the new Windows client and server OSs.
With previous versions of IIS, developers typically used Internet Server API (ISAPI) and Common Gateway Interface (CGI) to develop custom functionality. But IIS 7.0 will be more modular, which brings at least two benefits: Administrators will be able to deploy IIS 7.0 with only the modules that they require, and developers will be able to replace functionality that they might not like. For example, if you want to use an authentication method other than connecting to the SAM database, you can write a replacement for IIS 7.0's authentication module. The ability to replace this module means that developers can not only create their own means of authenticating users but developers can also more easily integrate support for other OSs such as Linux, BSD, and Mac OS X.
IIS 7.0 also has a new UI that exposes more of the central configuration (metabase) properties, possibly including some security properties. In previous versions, administrators had to modify some aspects of the metabase by using command-line tools or by manually editing configuration files with Notepad or the Microsoft MetaEdit tool.
That's a brief summary of what you can expect. Development tools and additional information for IIS 7.0 should be available on Microsoft Developer Network (MSDN) by the end of the year. In addition, Paul Thurrott will provide a more extensive review of IIS 7.0 on our Web site sometime in the near future.
