Microsoft’s Internet Information Services (IIS) is one of the most popular Web servers in use on the Internet and in intranets throughout the world. A Web server is a common point of vulnerability to hackers because, by necessity, it exposes itself to the Web. Previous Microsoft server OS versions installed IIS by default, and hackers used these installations to run “rogue” Web services without the knowledge of administrators. Microsoft has fixed that vulnerability; IIS 6.0 is no longer installed by default on Windows Server 2003 servers (with the exception of the Web Server Edition). When administrators do install IIS, it is initially configured in a high-security (“locked”) mode. Security is a priority in this new version. Consequently, administrators must explicitly enable a number of important Web services features that worked automatically in previous versions. This new focus on security means administrators must familiarize themselves with the changes to provide the Web server services needed on their networks.
Acknowledgements
The information contained in this article is based on Chris Peiris’ new book MCSA/MCSE Exam 70-290 Study Guide: .NET Server 2003. The book provides sample exam questions for all the Windows 2003 server topics. Thanks to Mr. Jon Babcock for his help with this publication.
IIS 6.0 Installation Best Practices
To ensure the optimum scalability and performance of IIS 6.0, you should follow these steps:
- Make sure you install IIS onto a partition that uses the NTFS file system, not the FAT32 file system. If the partition is not already formatted as NTFS, upgrade the FAT32 file system to NTFS prior to installation or during the upgrade process.
- Make sure the Internet Connection Firewall (ICF) is enabled and configured properly unless you plan to rely on a separate firewall product.
- Use unattended setup to install IIS on multiple machines. You can create a setup script to configure a common IIS installation for multiple computers. The setup file is called an “Answer file” and eliminates the need for manual intervention while installing IIS 6.0.
Internet Connection Firewall
Windows 2003 comes with a very basic internal software firewall called the Internet Connection Firewall (ICF). This facility is disabled by default. If you enable it, you can configure the firewall to enable or disable HTTP, HTTPS, FTP, and SMTP protocol access through IIS. IIS 6.0 will not function correctly if the Internet Connection Firewall is enabled and the relevant protocols are disabled. For example, the IIS 6.0 Web server will not function if the HTTP and HTTPS protocols are disabled. You have two basic options for the Internet Connection Firewall.
- Disable the firewall. (Warning: that leaves your IIS installation at the mercy of the corporate firewall!)
- Enable the firewall and filter for the correct protocols.
Microsoft recommends that you use the ICF for small to medium size Web project developments unless you have a more sophisticated firewall solution such as Internet Security and Acceleration Server (ISA) deployed. The ICF is adequate to protect Internet traffic on most Web sites; however, large organizations should consider ISA or another heavy-duty firewall product. You do not need to enable the Internet Connection Firewall if you have a corporate firewall to protect your Web servers.
Organizations often place Web servers accessible from the Internet in a “DMZ” or perimeter network (also sometimes called a screened subnet). To do that, you can configure a “tri-homed DMZ” in which you have a firewall server (such as ISA) with three interfaces (an internal network interface to the LAN, a public interface with a public IP address, and a DMZ interface with a public address). Alternatively, you can configure a “back to back DMZ,” where you have two firewall servers, an external one and an internal one.
The most cost effective method is to use the second option and maximize Windows 2003’s built-in functionality. Follow these steps to configure the protocols:
- Open Start | Control Panel | Network Connections | Local Area Connection
- Navigate to the Advanced tab and select the Protect my computer and network by limiting or preventing access to this computer from the internet checkbox. (see Figure 1)
What’s New in IIS 6.0?
Many of the new features in IIS address technical and architectural issues in IIS 5.0. The new features can be divided into three broad categories:
New Security Features
Advanced Digest Authentication
What’s the purpose of MD5 hashing? Basic authentication sends the user name and password details over the network medium in base64 encoded format. These details can be easily “sniffed” (captured with a protocol analyzer) and decoded by an intruder, who could then use the credentials for nefarious purposes. Digest security’s MD5 hash enhances security by applying cipher algorithms that are more sophisticated and more difficult to crack. An MD5 hash is binary data consisting of the encrypted user name, password and realm. The ‘realm’ is the name of the domain that authenticates the user.
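As an added illustration (not code from the article), the following Python builds both header forms from constructed sample credentials: the Basic header decodes straight back to the clear-text password, while the Digest response is an MD5 hash over user name, realm and password that the server can verify from the stored hash alone. The user, realm, password, nonce and URI are made-up values.

```python
import base64
import hashlib

# Constructed sample values (not from the article): a user, realm, password,
# and a server nonce as they would appear in an HTTP Digest challenge.
USER = "chris"
REALM = "example.local"      # the realm is the domain that authenticates the user
PASSWORD = "S3cret!"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD = "GET"
URI = "/secure/index.htm"


def basic_header(user, password):
    """Basic auth: credentials are only base64-encoded, not protected."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic(header):
    """Anyone who captures a Basic header gets user:password back verbatim."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password), the value Advanced Digest keeps in AD."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).
    Only this hash travels on the wire; the password never does."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def server_verifies(stored_ha1, nonce, method, uri, client_response):
    """The server needs only the stored HA1, never the password, to check it."""
    return digest_response(stored_ha1, nonce, method, uri) == client_response


if __name__ == "__main__":
    print("Basic header decodes to:", recover_basic(basic_header(USER, PASSWORD)))
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    resp = digest_response(ha1, NONCE, METHOD, URI)
    print("Digest response on the wire:", resp)
    print("Server accepts:", server_verifies(ha1, NONCE, METHOD, URI, resp))
```

Because the nonce is part of the hash, a captured Digest response is only good for the challenge it answered, whereas a captured Basic header is good until the password changes.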
Advanced Digest Security takes the Digest authentication model a bit further by storing the user credentials on a domain controller as an MD5 hash in the Active Directory database. Intruders would need to get access to the Active Directory to steal the credentials. This adds another layer of security to protect access to Windows 2003 Web sites. You do not need to modify application code to accommodate this security feature. Both Digest and Advanced Digest Authentication only work on Web Distributed Authoring and Versioning (WebDAV) enabled directories. WebDAV (formerly called Web Folders) is a secure file transfer protocol that lets people download, upload, and manage files on remote computers across the Internet and intranets. WebDAV is similar to the File Transfer Protocol (FTP) except that WebDAV always uses password security and data encryption on file transfers, whereas FTP doesn’t support those features.
Server-gated Cryptography
A further extension of SSL/TLS is Server-gated Cryptography (SGC), which has been available in a 40-bit version since IIS 4. IIS 6.0 adds a strong 128-bit encryption mechanism to SGC. Adding SGC encryption to your applications does not require any special application code on the client machines; however, it requires a valid certificate at the client Web browser, which can encode and decode the data. You need a special SGC certificate to enable the SGC support built into IIS 6.0, which you can obtain by contacting a certificate authority. You add the certificate to IIS just like you’d add any other certificate. IIS 6.0 supports both 40-bit and 128-bit encryption sessions, so your old 40-bit SGC certificates are still valid in IIS 6.0. So far, financial sector applications (such as banking and other financial institutions) are the most common users of SGC.
Selectable Cryptographic Service Provider (CSP)
Microsoft implements two default security providers: the Microsoft DH SChannel Cryptographic Provider and the Microsoft RSA SChannel Cryptographic Provider. The Microsoft implementations are optimized for IIS 6.0 to provide faster communications. Windows stores the private keys for these implementations in the registry. The Microsoft Cryptographic API (CryptoAPI) exposes an identical interface for all providers, so you can switch between providers without modifying the code. Each provider creates a public and a private key to enable data communication. The private key is stored on hardware devices (such as PCI cards, Smart Cards, etc.) or in the Registry. The other CSP keys can also be stored in the registry. It makes more sense to store the private key as registry settings for computer access to the server. The private key is usually stored on Smart Cards and other portable devices for mobile distribution environments. (This is similar to Plug and Play support for devices on Windows 2000 and Windows 2003 environments.) The CSP can be configured using the “Welcome to the Web Server Certificate Wizard.” To reach the wizard, select the Directory Security tab from the site’s Properties dialog, and then click the Server Certificate button.
Configurable Worker Process Identity
IIS typically runs worker process threads with a permission level lower than that of the system account. The worker process shuts down the application if the IIS server is targeted with malicious code. IIS 6.0 itself (which does run as the local system account by default) is not affected because the worker process can be configured to run under a less privileged account.
Default Lock-down Status
New Authorization Framework
File Authorization
The FileAuthorizationModule class is responsible for file authorization on Windows 2003 systems. The module is activated by enabling Windows Authentication on a Web site.
This module does an access control list (ACL) check for the permissions a given user has to an ASP.NET file, which could be either an .aspx file for an ASP.NET application or an .asmx file for a Web service. The file is available to the user only if the ACL confirms the user has permission to access the file.
URL Authorization
The URLAuthorizationModule class is responsible for URL authorization on Windows 2003. This mechanism uses the URL namespace to store user details and access roles. The URL authorization is available for use at any time. You store authorization information in a special XML file in a directory. The file contains
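The article’s own listing did not survive on this page. The Python below is an added example (not the article’s file): it embeds a constructed web.config <authorization> fragment that matches the description that follows, and evaluates it with ASP.NET’s first-matching-rule semantics, in which “?” stands for anonymous requests and “*” for everyone. The user and role names other than Chris, Kirby and Admins are made up.

```python
import xml.etree.ElementTree as ET

# Constructed fragment (not the article's listing): Chris and the Admins role
# get in, Kirby is refused, and the "?" wildcard refuses anonymous requests.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="Chris" />
      <allow roles="Admins" />
      <deny users="Kirby" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
"""


def _names(value):
    """Split a comma-separated users/roles attribute into a case-folded set."""
    return {n.strip().casefold() for n in value.split(",") if n.strip()}


def load_rules(xml_text):
    """Return [(verdict, users, roles)] in document order; the order matters."""
    root = ET.fromstring(xml_text)
    section = next(root.iter("authorization"))
    return [(rule.tag, _names(rule.get("users", "")), _names(rule.get("roles", "")))
            for rule in section]


def is_authorized(rules, user, roles=()):
    """ASP.NET semantics: the first rule that matches decides.
    user=None is an anonymous request; '*' matches everyone, '?' anonymous only."""
    user_roles = {r.casefold() for r in roles}
    for verdict, users, rule_roles in rules:
        if "*" in users:
            matched = True
        elif user is None:
            matched = "?" in users
        else:
            matched = user.casefold() in users or bool(user_roles & rule_roles)
        if matched:
            return verdict == "allow"
    # No rule matched: ASP.NET's machine-level default allows everyone, so end
    # the list with <deny users="*" /> when only the listed principals may enter.
    return True


if __name__ == "__main__":
    rules = load_rules(WEB_CONFIG)
    for who, memberships in [("Chris", []), ("Kirby", []), ("Kirby", ["Admins"]), (None, [])]:
        print(who or "<anonymous>", memberships, "->", is_authorized(rules, who, memberships))
```

Note the ordering trap the evaluator exposes: because the Admins allow rule precedes the Kirby deny rule, a Kirby who is also an Admins member is allowed in.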
This file enables Chris or anyone in the Admins group to access the content in the directory. In contrast, the user Kirby is denied access. The wild card entry “?” means that no one else will be able to gain access to this directory.
New Reliability Features
IIS separates all user code from its WWW service. The user application (different Web sites) functions as a separate Internet Server Application Programming Interface (ISAPI) application. The separate ISAPI work space is called a worker process. IIS 5.0 ran each Web site configured as a separate application in its own memory space (a separate instance of the inetinfo.exe application). In contrast, IIS 6.0 worker process Web sites don’t run within the inetinfo.exe (WWW services) memory space at all; therefore an error (or malicious attack) in one particular Web site will not cause the entire Web server to shut down. You can configure worker processes to run on a specified CPU. Each worker process model stores application-specific data in its own memory space, whereas IIS 5.0 stored all application-level data within the inetinfo.exe memory space. This separation, which makes application-level data independent of other Web sites running on the same machine, also makes it feasible not only to assign a Web site to run on a specific CPU, but also to dedicate more resources to popular Web sites than to those that generate less traffic.
Health Detection
New Request-processing Architecture
In IIS 5.0, the HTTP request was handled by the IIS inetinfo.exe application. In IIS 6.0, HTTP.sys relieves IIS of request-handling responsibility. In doing so, it enhances IIS performance in the following ways.
Other New Features
Unicode Transformation Format-8 (UTF-8)
XML Metabase
This design change has reduced the start-up and shutdown time of IIS considerably. Previously, IIS settings were stored in inetinfo.exe and in the system registry, which resulted in multiple reads from the registry and the necessity to load and access system resources at start-up time. Previous versions also needed to clear memory references at shutdown time. IIS 6.0 eliminates most of the overhead by storing all the settings in the XML Metabase. The Metabase consists of the following two XML files:
- Metabase.xml
- MBSchema.xml
Both Metabase files are located in the Systemroot\System32\Inetsrv directory. You need administrator permission to view the contents of the Metabase entries. You cannot edit the Metabase.xml file without admin access. You will not be able to edit the MBSchema.xml file directly even with admin access; you make schema changes through the Active Directory Service Interface (ADSI). Editing the Metabase.xml file is a tedious task. A simple approach is to use the IIS Manager interface to make the changes. However, editing the Metabase directly can save expert users some effort. It is possible to have simultaneous changes to the Metabase, for example, if one administrator changes the schema via ADSI and another administrator makes some changes to the Metabase.xml file. You can prevent this by using Access Control Lists (ACLs) on the Metabase files to prevent XML file changes while schema changes are being made. The Metabase history feature stores a history of the Metabase.xml file changes. IIS uses this file to apply new Metabase changes if the configuration is lost. You can rebuild the Metabase with the help of the history and the backups of the Metabase. You can back up the Metabase using the Backup/Restore Configuration option on the All Tasks menu item by performing the following steps:
If the computer running IIS fails, you can restore the Metabase from this backup copy. You can also use the backup to create a duplicate setup on a new installation of Windows Server 2003 or even on a different computer (if you use secure backup). It’s possible to restore the Metabase using a copy of the Metabase files saved in the history folder; however, you can’t restore a backup from an earlier version of IIS, and if you restore from the history files, you can’t restore to a different IIS installation or to a different computer. IIS automatically makes regular backups of the Metabase in addition to any manual backups made by administrators. It also creates history files automatically, as long as the history feature is enabled (by default, it is). You can use the IIS Manager to restore history files, as well as restoring from backup.
devx-admin