CGI is an example. "It's always on the IIS 6 box, whether you use CGI or not. It's off by default in IIS 6, but it's always there. So if a CGI patch comes out, you have to install it. With IIS 7, we've ported all those features that were previously baked into that one DLL on top of a new API, and we're porting them as individual modules—individual DLLs. So now if you're not using CGI, you don't have to install the CGI module. We now have more than 40 modules you can add and remove independently, which helps admins reduce their attack surface more than ever. Also, if you're not using the CGI module and a CGI patch comes out, you'll never even see it because the binary that implements it is not on the box."
What about rebooting? "A lot of the binaries that run inside the worker process are already installable without a reboot," Bill explained. "You can install the patch and recycle the worker process, and it automatically picks up the new DLL. Actually, I don't think there's any IIS reason for reboots. Sometimes you have to restart the service, but no reboots. Often, rebooting results from the patching infrastructure for Windows OS, but the Windows team is also working to minimize reboots."
Are We Secure Yet?
The security strategy for IIS 6 was locking down potential attack vectors. "As a result," Bill pointed out, "we haven't had a single critical security fix for IIS 6 since release." However, my takeaway from talking with Bill and Eric was that they realize they have to go beyond lockdown with IIS 7 and rebuild the product to incorporate security throughout.
Eric said they recognized that "there's a hangover effect from NT 4.0. Back then, we designed IIS for ease of use and getting up on the Internet fast. Code Red and Nimda cost our customers millions of dollars and hours of downtime. That's why now we think about how far out will security go."
Bill added, "Customers want Microsoft not only to prevent security issues but also to be proactive by helping customers stay secure in terms of detecting new vulnerabilities and helping customers understand how to cope better with the hostile environment on the Internet. So because of the secure defaults, internal code reviews, and new features we've built in, IIS 7 has multiple layers now protecting customers."
Register
