IIS 6.0 security
The popularity of web servers as a prime target for crackers and worm writers around the globe made IIS a natural place for Microsoft to focus its Trustworthy Computing Initiative. As a result, IIS has been completely redesigned to be secure by default and secure by design. This article discusses the major default configuration and design changes incorporated in IIS 6.0 to make it a more secure platform for hosting critical web applications.
In the past, vendors including Microsoft packaged the default installations of their web servers with an array of sample scripts, file handlers and minimal file-system permissions to provide administrators the necessary flexibility and ease of use. However, this approach tended to increase the available attack surface and was the basis of several attacks against IIS. As a result, IIS 6.0 is designed to be more secure out-of-the-box than its precursors. The most noticeable change is that IIS 6.0 is not installed by default with Windows Server 2003.
By Rohyt Belani and Michael Muckin at SecurityFocus.
[ Read more ]
- Review: HackNotes Windows Security Portable Reference (13 October 2003)