What About Server .NET and IIS 6.0?
In the wake of Gartner's September 2001 recommendation that enterprises hit by Code Red and Nimda consider alternatives to IIS, Microsoft has shown a markedly more serious attitude toward security matters in general, and toward IIS in particular. Because the release of the product is still between 6 and 14 months out (according to recent estimates), details are hard to come by. That said, here's what I'm seeing reported on this subject and hearing through various newsletters, mailing lists, and rumor mills about where IIS 6.0 is headed:
- Microsoft won't make IIS part of a default Windows Server installation in the future. Only a specifically labeled Microsoft Web Server product will continue that tradition, so a freshly installed server should no longer be listening on port 80 unless someone chose to add the web server.
- Microsoft claims it's going to review IIS and rewrite portions of code where potential security issues may be buried ( www.msgeek.org/html/article.php?sid=241). Gartner has suggested this may delay release of the product. Likewise, if Microsoft acts on Bill Gates' recently leaked internal memo, which asserts that security is the top priority for Windows developers, product delays seem inevitable ( news.com.com/2100-1001-816880.html). Still, I'm hopeful that this means they'll address the most common causes for security concerns, especially buffer overflows in ISAPI extensions and cross-site scripting exposures.
- Microsoft has released (and plans further) security analysis and lockdown tools. Some are aimed at the operating system itself (for example, HFNetChk, which checks a machine for missing hotfixes), while others are aimed specifically at IIS. The company's newly minted "Strategic Technology Protection Program" ( www.microsoft.com/security) is supposed to be a strong move in the right direction. It includes a downloadable Microsoft Security Tool Kit as well as a more dynamic Online Security Tool Kit.
- Here's one statement from Microsoft about future directions: "Making it more manageable to 'stay secure' by developing enterprise security tools, creating auto-update functionality via Windows Update, and by producing bi-monthly product roll-up patches." While some perceive this as a stopgap measure, I'm encouraged that they're becoming more sensitized to customer needs and concerns.
- Microsoft is making frequent updates and additions to the "Tools and Checklists" items on the www.microsoft.com/TechNet/Security page. Right now, there are numerous items in that collection relevant to IIS implementers and administrators.
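Two of the points above ("is IIS actually installed on this box?" and "is it patched?") are things an administrator can verify today rather than wait for. The following is an added example written for this edition, not code from the article or from Microsoft; it assumes a Windows host running PowerShell 5 or later, and the 30-day window for "recent" patches is an assumed threshold you should tune to your own patch cycle. It reports whether the World Wide Web Publishing Service (W3SVC) is present and running, whether the Web-Server role is installed (on Windows Server), and which hotfixes landed recently.

```powershell
# Added example, not from the original article. Checks whether IIS is present
# and serving on this host and lists recently installed hotfixes.
# Assumption: PowerShell 5+; $RecentDays = 30 is an assumed threshold.

function Get-IisExposureReport {
    param([int]$RecentDays = 30)   # assumed window for "recent" patches

    # W3SVC is the World Wide Web Publishing Service; if the service object
    # does not exist, the IIS web server is not installed on this host.
    $w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue

    # On Windows Server the ServerManager module exposes the Web-Server role;
    # on a workstation Get-WindowsFeature is absent, so guard the call.
    $webRole = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $webRole = Get-WindowsFeature -Name Web-Server -ErrorAction SilentlyContinue
    }

    # Hotfixes installed inside the window, newest first. Some entries carry
    # no InstalledOn date; those are skipped rather than treated as recent.
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    $recentFixes = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff } |
        Sort-Object InstalledOn -Descending

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        IisInstalled   = [bool]$w3svc -or ($webRole -and $webRole.Installed)
        W3svcStatus    = if ($w3svc) { $w3svc.Status.ToString() } else { 'absent' }
        W3svcStartType = if ($w3svc) { $w3svc.StartType.ToString() } else { 'n/a' }
        RecentHotfixes = @($recentFixes | ForEach-Object { $_.HotFixID })
        LastHotfixDate = if ($recentFixes) { $recentFixes[0].InstalledOn } else { $null }
    }
}

$report = Get-IisExposureReport
$report | Format-List

# A running web server that nobody asked for is exactly the default-install
# exposure the article describes; flag it for follow-up.
if ($report.IisInstalled -and $report.W3svcStatus -eq 'Running') {
    Write-Warning "IIS is installed and serving on $($report.ComputerName); confirm it is intended and locked down."
}
```

Run it from an elevated prompt on each server you suspect of carrying an unintended IIS install. An empty RecentHotfixes list on a machine that is reachable from the network is the condition HFNetChk was built to catch; treat it as a finding, not a curiosity.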
One thing's for certain: Microsoft knows IIS has security problems, and is taking steps to address them. Whether these steps amount to more than hype and hope, and deliver meaningful functionality, is something that only time (and the release of IIS 6.0) will tell.