This new installation behavior deserves some explanation. In all previous versions of Windows, Microsoft's goal was to make the product as easily managed as possible. In general, that meant installing all common network services, including IIS, by default, so that those services would be instantly available if needed. Those services were also configured to be fully operational by default, so that practically no administrative action was necessary to take full advantage of the product. IIS wasn't the only network service installed in this fashion, but it was the most talked about because IIS was plagued by security vulnerabilities. Most of these vulnerabilities stemmed from the product's advanced features, such as Active Server Pages (ASPs). Because IIS was installed in earlier versions of Windows by default, all Windows servers became victims of IIS security holes, even servers that weren't being used as Web servers. Further, even though Microsoft always responded to security vulnerabilities by quickly providing patches, many administrators patched only their Web servers, forgetting that every Windows server running IIS carried the vulnerabilities. As a result, many Windows servers continued to be vulnerable to IIS security flaws, even though fixes were readily available.
By not installing IIS by default, Microsoft allows administrators to avoid being blindsided by any future vulnerabilities. And, by configuring IIS to use a default locked-down configuration, Microsoft enables inexperienced administrators to install IIS while still avoiding the complex security issues associated with the product's more advanced features. Still, Microsoft's new security philosophy is no guarantee of a totally secure IIS. As an administrator, you must still keep up with Microsoft security bulletins and security updates to Windows Server 2003. Because IIS is most often used as an Internet Web server, it's placed in a position where it is more open to attacks than many other Windows network services, and Internet-based hackers are sure to discover any vulnerabilities that do exist. Visit Microsoft's Security Web site at www.Microsoft.com/security for more information on recent security updates and to subscribe to Microsoft's free security update email bulletins.