Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


January 2001

IIS 5.0's Hidden Differences



Knowing IIS 5.0's secrets will make your upgrade safer and more secure

Windows 2000 is host to many new features, including Microsoft IIS 5.0. No longer relegated to mere Microsoft Windows NT 4.0 Option Pack status, IIS 5.0 is considered a core component and comes on the Win2K CD-ROM.

IIS 5.0 is a faster, more stable Web server than IIS 4.0. Some businesses that use IIS 4.0 need to schedule reboots of their servers to avoid problems with Web server functionality. When Microsoft developed IIS 5.0, the company concentrated its efforts on stability and performance at the expense of new features. IIS 5.0 is now a key reason for businesses to adopt Win2K.

Although new features aren't IIS 5.0's main goal, the product is significantly different from IIS 4.0. Many of IIS 5.0's differences are widely known: new authentication methods, better performance, and the option to run applications as pooled-out-of-process. Some differences, however, are obscure but important.

Installation
When you install IIS 4.0, the software asks where you want to place your Web and FTP root folders. This option lets you locate your Web root on the volume of your choice. For security and optimization purposes, administrators commonly place the Web root on a volume other than drive C.

However, a typical Win2K installation automatically places the IIS 5.0 Web root on drive C without giving you an option to place it elsewhere. The only way to install IIS 5.0 on a drive other than C is to perform an unattended installation. To start such an installation, you can use the Sysocmgr utility, which Win2K installs, and specify the location of the Web root, the FTP root, and the \inetsrv folder, which is typically under C:\winnt. If you install IIS 5.0 on drive C and find that you don't want it there, uninstall it immediately and use unattended installation to place it wherever you want. For information about unattended installations, see the Microsoft article "How to Change the Default Installation Paths for FTP and the Web" (http://support.microsoft.com/support/kb/articles/q259/6/71.asp), the Deployment Planning Guide of the Win2K resource kit, and "Microsoft Windows 2000 Guide to Unattended Setup" (unattend.doc), which you can find in the \support\tools\deploy.cab folder of the Win2K installation CD-ROM.

File and Directory Changes
IISHelp. You can find IIS 5.0's IISHelp directory at \%systemroot%\winnt\help\iishelp. IIS 4.0's Help files are in the same path, but the folder is \iis instead of \iishelp. Help files often have links to administrative features, wizards, and programs that you don't want typical users to access. So IIS 4.0 contains a security risk because the product shares and maps the entire Help folder, including NT Help, as a virtual directory in the Default Web site. To address this problem, IIS 5.0 maps the virtual directory Help in the Default Web site to the \iishelp folder, not to the \help parent folder.

Adminscripts. Adminscripts in IIS 5.0 contains sample .vbs scripts that illustrate using Microsoft Active Directory Service Interfaces (ADSI) to manage the Web server. You can find the Adminscripts folder under \inetpub. In IIS 4.0, a similar folder, Adminsamples, resides at \%systemroot%\system32\inetsrv.

Default documents. Installing IIS 4.0 creates the Default and Administrative Web sites. In the Default Web site, IIS 4.0 places a default document that appears when you access your newly installed server. IIS 5.0 doesn't create this default document but instead creates IISStart.asp. When you access IISStart.asp, it checks whether the access request is local or remote. When it's local, IISStart.asp launches localstart.asp. When the request is remote, you see an Under Construction message. IISStart.asp is executed only if no default.asp or default.htm file exists. If you create a default document, IIS 5.0 shows that document at startup instead of IISStart.asp.

IISADMPWD. IIS 4.0's Default Web site contains a virtual folder, IISADMPWD, which holds files that let users change their user-account passwords through a Web browser. If you performed a clean install of IIS 5.0 (i.e., you didn't upgrade from IIS 4.0), the Default Web site doesn't contain the IISADMPWD virtual folder. However, although the virtual folder is absent, the files that let users change passwords through a Web browser exist on the server. To let users access these files, follow the instructions in the Microsoft article "IISADMPWD Virtual Directory Is Not Created During Clean Install of IIS 5.0" (http://support.microsoft.com/support/kb/articles/q269/0/82.asp). Letting users change user accounts through a Web server has security implications. For information about possible security exposures, see the Microsoft articles "Malformed HTR Request Returns Source Code for ASP Scripting Files" (http://support.microsoft.com/support/kb/articles/q260/0/69.asp) and "GET on HTR File Can Cause a 'Denial of Service' or Enable Directory Browsing" (http://support.microsoft.com/support/kb/articles/q267/5/59.asp). Also see Ken Spencer, "Changing Passwords over the Web," page 121.

Operational Changes
Persistent anonymous user account. During installation, IIS 5.0 and IIS 4.0 create the user account IUSR_servername. This account logs anonymous connections to the Web server. For security purposes, IIS 4.0 administrators often remove or rename IUSR_servername. If you try to remove or rename the IUSR account in IIS 5.0, the program recreates the account when you reboot the server. The only workaround is to create and use a different account that doesn't use IUSR in the name. For more information about the IUSR account, see the Microsoft article "Correction and Addendum to Internet Information Services 5.0 Release Notes" (http://support.microsoft.com/support/kb/articles/q254/2/60.asp).

Less reliance on the registry. One of the most significant hidden changes in IIS 5.0 is its almost total reliance on the metabase rather than the registry. The IIS 5.0 metabase contains many registry keys that IIS 4.0 uses. This relocation in IIS 5.0 might not be obvious because the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Inetinfo subkey exists in IIS 5.0 and appears to contain information about the server, just as the subkey in IIS 4.0 does. However, this subkey remains in IIS 5.0 only to provide backward compatibility with the IIS 4.0 Microsoft Management Console (MMC).
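Because IIS 5.0 keeps this configuration in the metabase, the points raised above (Web root on the system drive, a virtual directory mapped to the whole Help folder, an IISADMPWD virtual directory, and the anonymous account in use) can be checked with one ADSI script. The following is an added example, not code from the article or from Microsoft's Adminscripts folder; the file name audit-iis5.vbs and the bracketed notes are illustrative, and it assumes the script runs locally on the server with administrative rights.

```vbscript
' audit-iis5.vbs (hypothetical name): added example, not from the article.
' Run locally with:  cscript //nologo audit-iis5.vbs
Option Explicit

Dim shell, sysDrive, w3svc, site, root
Set shell = CreateObject("WScript.Shell")
sysDrive = UCase(shell.ExpandEnvironmentStrings("%SystemDrive%"))  ' e.g. "C:"

' Walk every Web site defined in the metabase.
Set w3svc = GetObject("IIS://localhost/W3SVC")
For Each site In w3svc
    If site.Class = "IIsWebServer" Then
        Set root = GetObject(site.ADsPath & "/Root")
        WScript.Echo "Site " & site.Name & " (" & site.ServerComment & ")"
        WScript.Echo "  anonymous account: " & root.AnonymousUserName
        CheckDir "  /", root
        WalkChildren root, "  /"
    End If
Next

' Recurse through virtual directories only; plain directories that have
' metabase entries carry no Path of their own and are skipped.
Sub WalkChildren(parent, prefix)
    Dim child
    For Each child In parent
        If child.Class = "IIsWebVirtualDir" Then
            CheckDir prefix & child.Name, child
            WalkChildren child, prefix & child.Name & "/"
        End If
    Next
End Sub

' Print the physical path and flag the conditions the article describes.
Sub CheckDir(label, vdir)
    Dim p, note
    p = vdir.Path
    note = ""
    If UCase(Left(p, 2)) = sysDrive Then note = note & " [on system drive]"
    If LCase(Right(p, 5)) = "\help" Then note = note & " [maps entire Help folder]"
    If LCase(vdir.Name) = "iisadmpwd" Then note = note & " [password-change pages published]"
    WScript.Echo label & " -> " & p & note
End Sub
```

An anonymous account that still reads IUSR_servername after you renamed or removed the original means the site was never pointed at the replacement account.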

WWW Distributed Authoring and Versioning. WebDAV is a standard in progress whose purpose is to extend HTTP to add file I/O capability. Internet Engineering Task Force (IETF) Request for Comments (RFC) 2518 outlines the WebDAV standard, which lets you open, save, rename, search, create, change, and delete files on an IIS 5.0 server from Microsoft Office applications, the Win2K desktop, and Microsoft Internet Explorer (IE) 5.0.



Reader Comments
Although it was previously thought that WebDAV could not be disabled, as this article points out, Microsoft has just released KB article Q241520 "How to Disable WebDAV for IIS 5.0" because of a potential DOS attack described in MS Security Bulletin MS01-016 "Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources." But, a patch has been released (see security bulletin).

Happy patching.

Eric Barr March 09, 2001


Where the default web site files are doesn't matter. You should only be using the default web site to host a link or redirection to your real websites, which would be physically located on different drives or partitions.

Doug Lippi April 19, 2001


Renaming the local IUSR account? Who cares? Create a new account with whatever name you want. Most will prefer to create a domain account anyway.

Doug Lippi April 19, 2001





