After years of downplaying the security offered by Windows Server products and Internet Information Server, I think Microsoft has finally made a solid and secure move in the right direction with Windows Server 2003. Win2K3, first and foremost, is an improved and security-tweaked foundational operating system that also includes a hardened version of Internet Information Server.
Internet Information Server 6.0 on Windows Server 2003 offers one key benefit that no previous Windows server product has offered -- namely that IIS is not installed by default. If you are not specifically planning to use IIS, this is a solid security design.
Obviously, if you are planning on hosting Web sites on Windows Server 2003, IIS 6.0 is your most logical option. The second most beneficial security change in the updated NOS is that IIS 6.0 no longer runs under the security context of the system. Instead, a new IIS service account has limited administrative capabilities and only enough privileges, access and user rights to perform its duties as a Web server. In addition, IIS 6.0 is initially installed in a hardened "locked" mode, in which it serves only static resources and does not execute scripts of any kind.
If you are serious about using Windows as your platform for hosting Web sites, you owe it to yourself to investigate Windows Server 2003 and Internet Information Server 6.0 closely.
This was first published in May 2003