Executive Summary:
Microsoft Internet Information Services (IIS) 7.0 includes four new security features called componentization, feature delegation, URL authorization, and request filtering. To reduce Microsoft IIS 7.0's attack surface, Microsoft broke the Web server into a set of component modules. Feature delegation lets Web server administrators delegate the configuration of certain features to a Web site or application owner. The URL authorization feature lets you define access to a Web site by linking permissions to the Web site's URL. Request filtering can be configured only from the Microsoft IIS 7.0 configuration files.
Windows Server 2008 (formerly code-named Longhorn) includes the latest version of Microsoft's Web server, IIS 7.0. At the time of this writing, Microsoft had released Server 2008 Beta 3 and was planning to launch Server 2008 on February 27, 2008. IIS 7.0 is also included in the Home Premium, Professional, and Ultimate editions of Windows Vista.
Overall, the changes in IIS 7.0 are less fundamental than the changes Microsoft made in IIS 6.0, which is the version that's bundled with Windows Server 2003. IIS 7.0 builds on IIS 6.0’s architecture, but it adds quite a few new security features. Several of these features build into the Web server itself security functionality that previously had to be added by using the IIS 6.0 Resource Kit Tools or other tools. Microsoft also added security features to IIS 7.0 that have been available for quite some time in IIS’s main competitor, the Apache HTTP Server. This article will focus on four of IIS 7.0's new and important security features: componentization, feature delegation, URL authorization, and request filtering. . . .
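To make the last two features concrete, here is a web.config sketch that combines a URL authorization rule with request-filtering rules; it is an added example, not taken from the original article. The `reports` path, the `ReportReaders` role, and all limits are assumed values, and the example presumes the URL Authorization and Request Filtering modules are installed and their sections are delegated to the site.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.config at the root of a hypothetical site. -->
<configuration>

  <!-- URL authorization: the permission is attached to the URL path
       "reports" (assumed name), not to NTFS ACLs on the files. -->
  <location path="reports">
    <system.webServer>
      <security>
        <authorization>
          <!-- Drop the inherited default rule that allows all users. -->
          <remove users="*" roles="" verbs="" />
          <!-- Allow only members of the assumed ReportReaders role. -->
          <add accessType="Allow" roles="ReportReaders" />
        </authorization>
      </security>
    </system.webServer>
  </location>

  <!-- Request filtering: applies to every request to the site. -->
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Refuse to serve leftover backup files. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
        </fileExtensions>
        <!-- Reject an HTTP verb the site does not need. -->
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false" />
        </verbs>
        <!-- Reject URLs containing a parent-directory sequence. -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
        <!-- Cap body size (bytes), URL length and query-string length;
             the numbers are constructed sample values. -->
        <requestLimits maxAllowedContentLength="1048576"
                       maxUrl="2048"
                       maxQueryString="1024" />
      </requestFiltering>
    </security>
  </system.webServer>

</configuration>
```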