
IIS 4.0, 5.0, and 5.1 versus IIS 6.0

IIS 6.0 is the first time Microsoft has tried to create a more secure IIS "out of the box," as opposed to a more functional IIS. That's led to a lot of misconceptions, but keep in mind that IIS 6.0 isn't necessarily more secure than earlier versions; it's just that most of the functionality that carries security vulnerabilities is disabled by default on a new IIS 6.0 installation. Upgrades from previous versions are not necessarily more secure out of the box, because they inherit the settings of the old version being upgraded.

One of the first things you need to know about IIS 6.0 is that ASP is not installed by default. In other words, if you just select the Application Server component in Add/Remove Windows Components, IIS 6.0 will be installed without the ASP ISAPI filter, meaning ASP pages won't be executed. You must go into the Details of the component installation to enable ASP, as shown in Figure 23.3.

Figure 23.3. Installing ASP support with IIS 6.0


IIS 6.0 also adds another authentication choice: Microsoft .NET Passport authentication. This authentication type requires special setup and developer support, as well as a paid license to the .NET Passport system. It's not something you'll typically use in an administrative script.

Many of IIS 6.0's new security features aren't actually part of IIS 6.0 at all; they're part of the .NET Framework, including ASP.NET, which is bundled with Windows Server 2003. However, "classic" ASP doesn't use any of the Framework's security features, so I won't cover them here.

NOTE

If you're an experienced IIS administrator and you'd like to learn more about what's new and changed in IIS 6.0, check out Microsoft® IIS 6.0 Delta Guide by Martin C. Brown, published by Sams Publishing.


IIS 6.0 does have an interesting new concept called application pools, which have their own security features. The application pools play into IIS 6.0's new architecture. First, each application pool has its own memory space, meaning a crash in one pool won't affect applications running in other pools. From a security standpoint, each pool also has its own security context. By default this is the Network Service account, but you can also configure it to be the Local System account or any specific user account you prefer, as shown in Figure 23.4.

Figure 23.4. Configuring application pool identity


You can configure as many application pools as you like, and each Web site is configured to run in a specific application pool. A pool can thus contain several Web sites, one site, or no sites. Figure 23.5 shows how a Web site is configured to exist within a specific application pool.

Figure 23.5. Configuring a site's application pool


If you're trying to configure IIS 6.0 to run your administrative Web pages, I recommend switching the application pool to use the Local System identity, and then disabling anonymous access. This provides a security model much like IIS 5.0, and will allow most administrative Web pages to run without errors.

TIP

Don't change the configuration of the default application pool (Default-AppPool), because that will change the security for any other sites using that pool. Instead, create a new pool, modify its identity, and assign the Web site containing your administrative Web pages to the new pool.
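The steps in the tip above (create a new pool, set its identity, assign the site to it, disable anonymous access) can be scripted against the IIS metabase through the ADSI provider. The following is an added example, not code from the book; it assumes the script runs on the IIS 6.0 server itself, that the administrative site is site number 1 under W3SVC, and that the new pool is named AdminScriptsPool.

```vbscript
' Added example: dedicated application pool for administrative ASP pages.
' Assumptions: run locally on the IIS 6.0 server, site number "1" holds the
' administrative pages, and "AdminScriptsPool" is the name for the new pool.
Option Explicit

Const ADMIN_POOL_NAME = "AdminScriptsPool"  ' assumed pool name
Const SITE_NUMBER     = "1"                 ' assumed site identifier under W3SVC

' AppPoolIdentityType metabase values in IIS 6.0:
'   0 = Local System, 1 = Local Service, 2 = Network Service, 3 = specific user
Const POOL_IDENTITY_LOCALSYSTEM = 0

Dim objPools, objPool, objRoot

' Leave DefaultAppPool alone; reuse the admin pool if it already exists,
' otherwise create it under the AppPools container.
Set objPools = GetObject("IIS://localhost/W3SVC/AppPools")
On Error Resume Next
Set objPool = GetObject("IIS://localhost/W3SVC/AppPools/" & ADMIN_POOL_NAME)
If Err.Number <> 0 Then
    Err.Clear
    On Error GoTo 0
    Set objPool = objPools.Create("IIsApplicationPool", ADMIN_POOL_NAME)
End If
On Error GoTo 0

' Give only this pool the Local System identity; other sites keep their
' own pools and their own, less privileged, identities.
objPool.AppPoolIdentityType = POOL_IDENTITY_LOCALSYSTEM
objPool.SetInfo

' Move the site's root application into the new pool and require
' authentication by turning off anonymous access on that root.
Set objRoot = GetObject("IIS://localhost/W3SVC/" & SITE_NUMBER & "/Root")
objRoot.AppPoolId = ADMIN_POOL_NAME
objRoot.AuthAnonymous = False
objRoot.SetInfo

WScript.Echo "Site " & SITE_NUMBER & " now runs in pool " & ADMIN_POOL_NAME & _
    " (Local System identity, anonymous access disabled)."
```

Run it from an elevated command prompt with cscript; because the pool identity is Local System, keep the site restricted to authenticated administrators, as the text above recommends.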

