In Windows .NET Server, you enable only the IIS 6.0 services you want

One of the key hindrances to the acceptance of Microsoft products as enterprise-level tools is security vulnerabilities. Rival companies such as Sun Microsystems and Oracle have a heyday with the security breaches in Microsoft products that hackers and viruses regularly expose.

A Popular Target
Microsoft IIS has rightly been a popular target of criticism. IIS has gotten so much flack for its security shortcomings that Gartner, a leading market analysis firm, recommended last year that businesses discontinue using it. This dramatic pronouncement was aimed more at attracting attention than at seriously addressing the problem. Companies' investment in IIS-oriented applications and technology makes chucking IIS an unrealistic option—especially since Microsoft has addressed the known security concerns associated with the CodeRed virus that triggered the Gartner recommendation.

Of course, the primary reason that Microsoft is a frequent hacking target is that the company is the biggest available target. The vast number of Windows systems makes Windows a high-powered magnet for hackers. Worth noting is that Microsoft is hardly the only company to suffer attacks; all the major software vendors, including Sun and Oracle, are in the same boat, but you hear a lot more about the Microsoft problems. In Microsoft's defense, the company has promptly cranked out hotfixes for all the security holes that hackers have uncovered.

However, it's also no secret that Microsoft has contributed to its problems by valuing usability over security—even in its server products. This orientation is perhaps the reason why Sun's Scott McNealy and Oracle's Larry Ellison can strike a chord in the IT community with their attacks on Microsoft. Out of the box, the Windows 2000 and Windows NT versions of IIS ship with all capabilities enabled. IIS even includes several scripts that allow the curious and knowledgeable unauthorized access to your Web server and system resources.

These settings and scripts make IIS a user- and hacker-friendly Web server. Microsoft has readily available security guidelines and tools to help you lock down the software, but doing so is up to you. Security-conscious professionals take advantage of these tools, but not all Web servers are set up by such professionals. A post­Nimbda/CodeRed Web survey that Netcraft (http://www.netcraft.com) conducted in October 2001 revealed that the administrators of 24 percent of e-commerce-oriented IIS servers still hadn't taken some basic steps to lock down their systems. Most likely, administrators started running these systems with their friendly out-of-the box settings and aren't managing them much after the initial setup.

About-Face
The IIS 6.0 security implementation that's included with Windows .NET Server seems to suggest that Microsoft has finally gotten the security message loud and clear. Microsoft has done a complete turnaround—IIS 6.0 isn't even installed by default. If you choose to install it, you start off with a fully locked-down implementation that's capable of serving only static HTML pages.

After you install IIS 6.0, the first time you open the Microsoft Management Console (MMC) IIS Management snap-in, it launches the Security Lockdown Wizard, which prompts you to enable the extensions you want and disable unneeded services. In this model, you must purposefully and selectively open only necessary services, leaving all other vulnerabilities closed by default.

IIS 6.0 isn't as user-friendly as earlier versions because it doesn't automatically run everything right out of the box, but it's also not nearly as hacker friendly—and the change is long overdue. Some will no doubt find something in this modification to criticize Microsoft about, but the IIS 6.0 lockdown is a step in the right direction.