
Security UPDATE--More Flexible Security Control in IIS 7.0--October 5, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Free Webcast from Postini: Risks of Unmanaged IM

Panda Software


1. In Focus: More Flexible Security Control in IIS 7.0

2. Security News and Features

- Recent Security Vulnerabilities

- Latest Office Updates Improve Outlook Security

- Symantec to Acquire WholeSecurity

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

4. New and Improved

- A Security Partner


==== Sponsor: Postini ====

Free Webcast from Postini: Risks of Unmanaged IM

Join noted electronic messaging expert and author Michael Osterman on Thursday, October 20, 2005 as he explores the growing threats associated with Instant Messaging (IM) in your enterprise and what to do about them. In one short hour you'll learn how to find out where your enterprise is vulnerable ... protect against IM-borne threats ... and ensure regulatory compliance within IM.

Register today and learn why IM is the "next frontier" for hackers, spammers, and phishers ... what IM means to your compliance initiatives ... why you can't stop IM threats with typical network safeguards ... and how an integrated message management strategy provides IM threat prevention and compliance. Free white paper and technology overview when you attend. Register now.


==== 1. In Focus: More Flexible Security Control in IIS 7.0 ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

At the recent Microsoft Professional Developers Conference (PDC 2005), IIS Program Manager Chris Adams talked about upcoming features of IIS 7.0, some of which are security related.

IIS 7.0 is built on the IIS 6.0 platform, which is far more secure than previous versions of IIS. Adams said that IIS developers learned over time, particularly because of worms such as Code Red and Nimda, how to improve the Web server's security. Adams said that no security vulnerabilities have been discovered in what he calls the "IIS critical core" since the release of IIS 6.0. Therefore IIS 6.0 serves as a good base to build on.

IIS 7.0 brings new security features such as delegation of authority, which is a significant improvement. Delegation means that people can perform delegated tasks without having administrator-level authority. For example, in the course of developing a new Web page, a Web developer might want to use a new file extension type. Traditionally, an administrator would need to add that type to the server. But the new delegation features let an administrator delegate that authority to the developer. This capability will improve security administration and increase productivity.

If you've spent a lot of time developing secure applications that run on IIS 6.0, you won't have to spend much time moving them to IIS 7.0. Adams said Microsoft has made sure that IIS 7.0 will support "legacy applications."

Unlike Windows XP, which includes IIS 5.1, and Windows Server 2003, which includes IIS 6.0, Windows Vista and Longhorn Server will ship with IIS 7.0. The different IIS versions on XP and Windows 2003 posed some developmental and security problems; Microsoft is aiming to avoid those problems in the new Windows client and server OSs.

With previous versions of IIS, developers typically used Internet Server API (ISAPI) and Common Gateway Interface (CGI) to develop custom functionality. But IIS 7.0 will be more modular, which brings at least two benefits: Administrators will be able to deploy IIS 7.0 with only the modules that they require, and developers will be able to replace functionality that they might not like. For example, if you want to use an authentication method other than connecting to the SAM database, you can write a replacement for IIS 7.0's authentication module. The ability to replace this module means that developers can not only create their own means of authenticating users but can also more easily integrate support for other OSs such as Linux, BSD, and Mac OS X.

IIS 7.0 also has a new UI that exposes more of the central configuration (metabase) properties, possibly including some security properties. In previous versions, administrators had to modify some aspects of the metabase by using command-line tools or by manually editing configuration files with Notepad or the Microsoft MetaEdit tool.

That's a brief summary of what you can expect. Development tools and additional information for IIS 7.0 should be available on Microsoft Developer Network (MSDN) by the end of the year. In addition, Paul Thurrott will provide a more extensive review of IIS 7.0 on our Web site sometime in the near future.


==== Sponsor: Panda Software ====

Stopping Crimeware and Malware

Computer users can no longer wait for a new vaccine every time a new security threat appears. How do you defend your network in a world of smarter, faster, Internet-borne zero-day attacks? Find out about Intrusion Prevention that can detect and destroy unknown malware with virtually zero false positives.


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Latest Office Updates Improve Outlook Security

Microsoft released Office 2003 Service Pack 2 (SP2) and junk email filter updates for Office Outlook 2003. Together they can help protect against phishing attacks. Read more about the updates in this news story on our Web site.

Symantec to Acquire WholeSecurity

Symantec announced that it entered into an agreement to acquire privately held WholeSecurity. The deal is scheduled to close in October. WholeSecurity offers behavior-based security solutions and antiphishing technology.


==== Resources and Events ====

Get Ready for the SQL Server 2005 Roadshow in Europe

Back By Popular Demand--Get the facts about migrating to SQL Server 2005! SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and one-year subscription to SQL Server Magazine. Register now.

Windows Connections 2005 Conference--October 31 - November 3, 2005

At the Manchester Grand Hyatt in San Diego, Microsoft and Windows experts present more than 40 in-depth sessions with real-world solutions you can take back and apply today. Register now and attend two conferences for the price of one!

Discover SQL Server 2005 for the Enterprise. Are you prepared?

In this free half-day event, you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical enterprise database applications and make your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today!

Deploy VoIP and FoIP Technologies

Voice over Internet Protocol (VoIP) is the future of telecommunications, and many companies are already enjoying the benefits of transporting voice over IP networks to significantly reduce telephone and facsimile costs. Join industry expert David Chernicoff for this free Web seminar to learn the "ins and outs" of boardless fax in IP environments, tips for rolling out fax and integrating fax with telephony technologies, and more!

Microsoft IT Forum 2005 November 15-17, Barcelona, Spain

Microsoft's European conference for IT professionals on planning, deploying, and managing the secure connected enterprise. Three days of learning, one year of solutions. With a choice of 325+ Technical Learning Sessions, increase your productivity and support your business with new opportunities and ideas. See the Web site for registration information.


==== Featured White Paper ====

Build a Superior Windows File Serving Environment

In this free white paper, get the tools you need to provide a scalable, highly available CIFS file service using inexpensive, industry-standard servers that you can add to incrementally as demands require, while retaining the management simplicity of a single server and a single pool of exported file systems.


==== Hot Release ====

Maximizing Network Security Against Spyware and Other Threats

Spyware installation usually exploits an underlying security vulnerability in the OS. You can remove spyware, but if you don't also patch the underlying vulnerability, you don't solve the real problem. By leaving your systems open to reinfestation, you risk surging bandwidth consumption, system instability, overwhelmed Help desks, lost user productivity, and other consequences. Unauthorized applications can even result in noncompliance with regulatory requirements. This free white paper addresses the need to manage both the threats and vulnerabilities from one console as a comprehensive security solution.


==== 3. Security Toolkit ====

Security Matters Blog: Synopsis of MS Security Bulletin Creation

by Mark Joseph Edwards,

Ever wonder what goes on during the creation of a Microsoft security bulletin? Read this blog article to get a synopsis.


by John Savill,

Q: Can I change the type of logging that Active Directory (AD) uses?

Find the answer at

Security Forum Featured Thread: Too Many Security Log Entries

A forum participant writes that he needs to identify user logon and logoff events. However, he needs to know only logon and logoff times and wants to log the minimum number of related events. He wants to know what policies to adjust to make that happen. Join the discussion at


==== Announcements ====

(from Windows IT Pro and its partners)

Become a VIP Subscriber!

Get inside access to ALL the articles, tools, and helpful resources published in Windows IT Pro, SQL Server Magazine, Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security--that's more than 26,000 articles at your fingertips. Your VIP subscription also includes a valuable one-year print subscription to Windows IT Pro and two VIP CDs (includes the entire article database on CD). Sign up now:

Windows IT Pro Has Answers

You won't want to miss any of the fall issues! Subscribe now and discover the best ways to plan for Longhorn, what you need to know about VBScript, ways to make sense of SQL Server, the 10 Security Tools You Can't Live Without, and much more. You'll also gain exclusive access to the entire Windows IT Pro online article database (more than 9000 articles) and you'll SAVE 44% off the cover price. Click here:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

A Security Partner

Integralis announced Secure Watch, a co-managed security service in two levels: Level 1 for small businesses and Level 2 for large businesses. Secure Watch lets customers work with Integralis Security professionals to protect their corporate networks. For Secure Watch Level 2, Integralis uses its Security Service Appliance (SSA) to monitor customer networks for thousands of unique problems. When it finds a problem, it alerts the customer's security team, which can then solve the problem or consult with Integralis professionals. Secure Watch Level 1 monitors system health and availability without the need for customer-premises equipment. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Admins rush to install BLOG servers

How to run your own blog server. Free 5-user license.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
