Cautious Optimism for .NET Server Security

IIS 6.0 security features look good, so far.

• By Matt Migliore
• 09/25/2002

By all accounts, Windows .NET Server will be commercially released with a new version of IIS 6.0 in the early part of next year. According to documentation in the beta versions of IIS, Microsoft has taken a number of steps to ensure the security of the solution, and has implemented a series of strategies to prevent the software from falling victim to hacker attacks, which have plagued it over the past few years.

Specifically, Microsoft has designed IIS 6.0 to be shipped in a “locked-down” state where only static content (.htm, .jpg, .bmp, etc.) is served. This is a marked improvement over previous versions of IIS, which focused more on ease-of-use than on security.

John Pescatore, a research director for the Internet Security group at analyst firm Gartner Inc., says installing IIS as secure by default will make sure the Web server function doesn’t automatically turn on index server and other features that may make the server vulnerable. Microsoft has also taken a number of steps with IIS 6.0 to make sure administrators can isolate several users on a single server. With the new version, processes can be run in an isolated mode to secure multiple applications on the same system.

In addition, IIS 6.0 has new security features to isolate FTP users. The user's top-level directory appears as the root of the FTP service, thus restricting access by disallowing further navigation up the directory tree.

Pescatore says the new isolation features of IIS also represent much-needed improvements over previous versions of the software. He notes that there doesn’t seem to be any holes in Microsoft’s overall security approach with the new version of IIS.

However, Pescatore says there are fears that Microsoft will change the security features of IIS prior to its commercial release, thus rendering the expected improvements irrelevant. He adds that the security features of IIS 6.0 will make it harder for administrators to configure, which, in turn, may entice Microsoft to ship tools to help undo the security parameters. “Can they resist the temptation to ship tools or wizards that will just open things up again?”

Pescatore is also worried that Microsoft may add a bunch of features just prior to the release of IIS 6.0 in an effort to steal some market share from Apache. Currently, Pescatore says, Apache owns about 66 percent of the Internet-exposed Web server market, while IIS holds about 25 percent.

“Microsoft usually attacks with features,” he says, which may open up new security holes. “Let’s hope that’s not the case this time.”

From the overall .NET server perspective, Pescatore says the addition of new Web services support could also pose security risks. “Anything that’s new is always a worry,” he observes.

But the worry, for Microsoft, is more pronounced. Earlier this month at Microsoft’s DevCon event in Seattle, Stephen Deasy, a software engineer with EMC, said Microsoft had to change its security strategy. “It got to a point [after the Nimda virus] where they were losing us,” he said. “You can only release the number of security patches they were releasing for so long before you start to ask, ‘Is there a better security option out there?’”

Pescatore says Microsoft can’t afford similar problems with Windows .NET Server. “I think if [Microsoft] were to have Nimda-class problems with Windows .NET Server, they’d definitely bring the window wide open for Linux and other Windows alternatives.” However, “If IIS 6.0 debuts with everything as advertised, and Microsoft does not have to offer security patches as frequently as they did with IIS 5.0, they will have done a lot to close the security gap [between themselves and a Sun or Apache Web server.]”

Currently, Pescatore is recommending customers wait one year before deploying Windows .NET Server. This is down from an 18-month waiting period for previous Windows server releases.