Tip

New IIS 7 security adds value to Windows Server 2008

With its newest server operating system (OS), Microsoft hoped to make Windows Server 2008's security better than that of its predecessor, Windows Server 2003. So it should come as no surprise that Internet Information Services (IIS) 7, which is included with Windows Server 2008, is loaded with new security features.

Modular design

If you ever installed IIS 6, you know that it had a modular design, too. A default installation added the basic components, and there were several more components that you could install if you needed them. But with that design, many organizations wound up installing a number of unnecessary components.

When Microsoft created IIS 7, it took a slightly different approach to the deployment process. Initially, administrators must use the Server Manager to tell Windows that they want to install the IIS server role. A couple of screens into the installation process, however, the Add Roles Wizard displays the screen that is shown in Figure A.

Figure A

    Requires Free Membership to View


Windows allows you to choose which IIS components you want installed.

Windows now takes a more minimalist approach to IIS installation. Only the very basic components are installed by default, and you even have the option of disabling some of those before you install IIS 7. That way, you can achieve better performance and better security because you are not installing anything that isn't absolutely necessary.

When you scroll further down the list of IIS components, you will see an entire section dedicated to security. In Figure B, the only security component that is installed by default is the Request Filtering component. So if you want any additional features, take a look at the whole component list to find others that might benefit your website.

Figure B

Most of the security components are not installed by default.

Delegation of Administration

Delegation of administration is a new security concept in IIS 7. The idea is that if an administrator had access to an IIS server in IIS 6, then that person had the authority to fully manage the server and all of the websites that are hosted on it. In an enterprise environment, that's not always a good thing. IIS 7 remedies this situation by allowing you to delegate administrative responsibility in a way that limits administrators to managing certain websites or Web applications.

Microsoft built three different administrative roles into IIS 7: Web Server Administrator, Web Site Administrator and Web Application Administrator.

A Web Server Administrator is similar to an administrator in IIS 6. A Web Server Administrator has full control over IIS. He can manage all of the websites and Web applications that are hosted on the server and have full control over application pools, virtual directories and anything else that IIS might be using.

A Web Site Administrator is delegated full administrative control over a particular website hosted on the server. This means that the administrator has full control of any Web applications, virtual directories or physical directories that fall within the area of delegation.

A Web Application Administrator is given authority over a specific Web application, not over an entire website. A Web Application Administrator has full control over the virtual directories and physical directories in which the application resides.

ABOUT THE AUTHOR 
Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox.

This was first published in May 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.