12.1 What Is IIS?

IIS is an integrated collection of services for publishing information on the Internet. IIS is capable of publishing information using any of four Internet-standard protocols:

HyperText Transport Protocol (HTTP)

The protocol used to publish web pages on the World Wide Web.

File Transfer Protocol (FTP)

An older but still important protocol used to transfer files between computers.

Simple Mail Transport Protocol (SMTP)

A protocol used for sending email messages across the Internet. IIS' email support is primarily intended to allow web developers to send email messages from web sites. Although IIS does have limited capabilities to receive incoming email, it does not contain the functionality that would make it suitable for use as an email server like Microsoft Exchange Server. The most significant concern around SMTP today is spam, or undesired email, which is beyond the scope of this book.

Network News Transport Protocol (NNTP)

The protocol used to exchange Internet newsgroup (also called Usenet) messages between clients and servers. As of this writing, few exploits and security concerns exist for NNTP.

IIS is administered through the Internet Services Manager, a snap-in to the Microsoft Management Console (MMC), as shown in Figure 12-1.

Figure 12-1. The IIS MMC snap-in

IIS is capable of supporting multiple virtual servers. For example, IIS can run three virtual web servers, functioning as three independent (though not physically separate) web servers. This capability makes IIS suitable for large-scale Internet publishing, as well as for smaller-scale needs like a corporate intranet. Figure 12-1 shows the IIS MMC snap-in with multiple virtual web sites.

IIS also contains advanced functionality designed to help web developers quickly create dynamic, interactive web applications. Other web servers require developers to use complicated programming techniques and a special web server interface called the Common Gateway Interface, or CGI. CGI program execution can be time-consuming, because it's not usually as processor-efficient as ASP code. While IIS supports CGI applications, it also supports Active Server Pages (ASP), a proprietary Microsoft technology that allows IIS to run server-side scripts written in languages like VBScript or JScript. ASP applications are interpreted on the fly, eliminating a separate compilation step for developers.

The ASP object model also provides developers with enhanced features, such as session management, that make many complex web programming tasks much easier. ASP is a major security concern, primarily because it's so powerful. Improperly secured, IIS can allow attackers to insert their own ASP scripts into a web server and execute them, opening the possibility for an infinite number of attacks.

IIS also supports ASP.NET, Microsoft's completely rewritten version of ASP for the .NET framework. Like ASP, ASP.NET offers an incredible amount of power and flexibility for developers; likewise, it offers a wide array of security vulnerabilities. Fortunately, the .NET framework itself has built-in security features designed to prevent ASP.NET from being used against you. I'll cover those features later in this chapter.

Is IIS Really Secure Enough?

IIS has taken a lot of heat in recent years for its perceived lack of security. Other web server products, including Apache and Sun Java System Web Server (formerly SunOne or iPlanet Web Server), have been touted as significantly more secure than IIS. In some ways, that's true. After initial installation, Apache (for example) is significantly more secure than IIS 5.0 (included in Windows 2000). However, Apache also has significantly less functionality than IIS 5.0 "out of the box," so the comparison between the two isn't quite equal. Were administrators to lock down IIS 5.0 to the degree of functionality supported by a default Apache installation, the two products would measure up pretty much the same as far as security goes.

IIS 5.0's most significant design flaw was that it enabled all its features, such as ASP, in a default installation. This behavior required administrators to proactively disable the pieces of IIS they didn't plan to use, a step most administrators never bothered to take. Because administrators weren't fully aware of the security risk presented by IIS' advanced features, they never took steps to secure the system. Apache looks secure by comparison because it uses the exact opposite approach: its default installation is a minimally functional web server with relatively few security holes. Apache supports advanced functionality similar to ASP, but administrators have to take special steps to install and enable that functionality. In doing so, administrators acknowledge the risk of those features and take steps to secure them. As a result, more Apache installations than IIS installations are fully secured.

IIS 6.0, however, adopts a security philosophy much like Apache's. IIS 6.0 isn't included in a default Windows Server 2003 installation. When you do install IIS 6.0, it's much more locked down and less functional by default. You have to deliberately enable advanced features, making it inherently more secure and ensuring that you're fully aware of the security impact of your configuration choices.
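
The check implied by the paragraphs above, as an added example (not from the book): a PowerShell audit that compares the Windows services behind IIS's four protocols with the ones you actually intend to run. The service names are those used by IIS 5.0/6.0; the $Intended list is an assumption to edit, and Get-CimInstance requires PowerShell 3.0 or later.

```powershell
# Added example: which IIS protocol services exist on this host, and which of
# them were never meant to be published?
# ASSUMPTION: this server is meant to serve HTTP only. Edit $Intended to match.
$Intended = @('W3SVC')

# Windows service names used by IIS 5.0/6.0 for the four protocols.
$IisServices = [ordered]@{
    W3SVC    = 'HTTP'
    MSFTPSVC = 'FTP'
    SMTPSVC  = 'SMTP'
    NntpSvc  = 'NNTP'
}

$report = foreach ($name in $IisServices.Keys) {
    # Returns nothing (no error) when the service is not installed.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"

    $state     = '-'
    $startMode = '-'
    if (-not $svc) {
        $finding = 'not installed'
    } else {
        $state     = $svc.State       # Running, Stopped, ...
        $startMode = $svc.StartMode   # Auto, Manual, Disabled
        if ($Intended -contains $name) {
            $finding = 'intended'
        } elseif ($state -eq 'Running') {
            $finding = 'UNINTENDED and running: stop and disable'
        } elseif ($startMode -ne 'Disabled') {
            # Stopped today, but a reboot or a manual start brings it back.
            $finding = 'unintended, can still start: set to Disabled'
        } else {
            $finding = 'unintended, disabled'
        }
    }

    [pscustomobject]@{
        Protocol  = $IisServices[$name]
        Service   = $name
        State     = $state
        StartMode = $startMode
        Finding   = $finding
    }
}

$report | Format-Table -AutoSize
```

This covers only the protocol services; features enabled inside a running web site, such as ASP, are configured within IIS itself and are not visible at the service level.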

Bear in mind that all web servers are limited by the inherently insecure nature of the Internet protocols they use. None of HTTP, FTP, SMTP, and NNTP was originally designed with security in mind. HTTP, the newest of the protocols, is still more than a decade old and was designed at a time when the Internet was very small (and not even called the Internet), and everyone using it knew everyone else. Security wasn't necessary. As long as web servers, including IIS, continue working with these old protocols, despite recent security add-ons to those protocols, web servers have a long way to go before they are completely secure.