

Modular architecture in IIS 7.0 aids Web server security


Introducing Windows Server 2008 - An excerpt from chapter 11, "Internet Information Services 7.0"
09.27.2007


Introducing Windows Server 2008
By Mitch Tulloch

Get a jump on evaluating Windows Server 2008 -- with technical insights from the Windows Server team. This practical introduction delivers real-world implementation scenarios and pragmatic advice for administering Windows Server in the enterprise.

One thing I really like about IIS 7.0 is its new modular architecture. What this means is that instead of IIS being a monolithic entity installed by default with only a few features available for optional installation, IIS 7.0 now has more than 40 separate setup components you can choose from, and only a small set of these are installed by default. You can now install only the IIS features you actually need on your Web server and leave the remaining features uninstalled. The benefits of doing this are fivefold:

  • First, your system is more secure. Why? Because the only IIS binaries installed on your system are those you actually need. And the fewer binaries, the less attack surface there is on your machine.
  • Second, your system is easier to service. Why? Because maintaining a server involves keeping it patched with the latest critical updates from Microsoft. But if you have only a subset of the available IIS modules installed on your machine, you have to patch only those modules -- you don't have to patch modules that aren't installed.
  • Third, your system is easier to manage. For example, as we'll see in a moment, if the component supporting Basic authentication is not installed on your system, the configuration setting for this feature won't be present. And the fewer configuration settings that are surfaced, the less clutter the admin UI has and the easier it is to manage your server.
  • Fourth, you can customize your Web server to function in a specific role in your environment.
  • And fifth, you can reduce the memory footprint of your Web server by removing unnecessary modules. As a result, the amount of memory used by worker processes on your machine will be reduced, which can allow you to host more Web sites and Web applications on your machine -- something especially valuable in large hosting environments. Reducing the number of installed modules also means that fewer intra-process events occur, which frees up CPU cycles -- something that, again, is important in hosting environments.


In addition, you can even create your own custom modules and use these to replace existing modules or add new features to your Web server. We'll talk about this later when we discuss the extensibility of the IIS 7.0 platform.

The following graphic shows the IIS 7.0 components available for you to install when you add the Web Server (IIS) role to your Windows Server 2008 machine. These components are called modules, and you can add or remove them from the Web server engine, depending on what you need.

Table 11-1 lists the different modules available in each category and provides a short description of what they do.

Table 11-1 IIS 7.0 modules and their functionality

| Category | Module name | Description |
|---|---|---|
| HTTP modules | CustomErrorModule | Sends default and configured HTTP error messages when an error status code is set on a response |
| HTTP modules | HttpRedirectionModule | Supports configurable redirection for HTTP requests |
| HTTP modules | OptionsVerbModule | Provides information about allowed verbs in response to OPTIONS verb requests |
| HTTP modules | ProtocolSupportModule | Performs protocol-related actions, such as setting response headers and redirecting headers based on configuration |
| HTTP modules | RequestForwarderModule | Forwards requests to external HTTP servers and captures responses |
| HTTP modules | TraceVerbModule | Returns request headers in response to TRACE verb requests |
| Security modules | AnonymousAuthModule | Performs Anonymous authentication when no other authentication method succeeds |
| Security modules | BasicAuthModule | Performs Basic authentication |
| Security modules | CertificateMappingAuthenticationModule | Performs Certificate Mapping authentication using Active Directory |
| Security modules | DigestAuthModule | Performs Digest authentication |
| Security modules | IISCertificateMappingAuthenticationModule | Performs Certificate Mapping authentication using IIS certificate configuration |
| Security modules | RequestFilteringModule | Performs URLScan tasks, such as configuring allowed verbs and file extensions, setting limits, and scanning for bad character sequences |
| Security modules | UrlAuthorizationModule | Performs URL authorization |
| Security modules | WindowsAuthModule | Performs NTLM integrated authentication |
| Content modules | CgiModule | Executes CGI processes to build response output. There's also a FastCGI handler that's installed as part of the CGI install. |
| Content modules | DavFSModule | Sets the handler for Distributed Authoring and Versioning (DAV) requests to the DAV handler |
| Content modules | DefaultDocumentModule | Attempts to return the default document for requests made to the parent directory |
| Content modules | DirectoryListingModule | Lists the contents of a directory |
| Content modules | IsapiModule | Hosts ISAPI DLLs |
| Content modules | IsapiFilterModule | Supports ISAPI filter DLLs |
| Content modules | ServerSideIncludeModule | Processes server-side includes code |
| Content modules | StaticFileModule | Serves static files |
| Compression modules | DynamicCompressionModule | Compresses responses, and applies Gzip compression transfer coding to responses |
| Compression modules | StaticCompressionModule | Performs precompression of static content |
| Caching modules | FileCacheModule | Provides user-mode caching for files and file handles (required) |
| Caching modules | HTTPCacheModule | Provides kernel-mode and user-mode caching in HTTP.sys (required) |
| Caching modules | SiteCacheModule | Provides user-mode caching of site information |
| Caching modules | TokenCacheModule | Provides user-mode caching of user name and token pairs for modules that produce Windows user principals (required) |
| Caching modules | UriCacheModule | Provides user-mode caching of URL information (required) |
| Logging and diagnostics modules | CustomLoggingModule | Loads custom logging modules |
| Logging and diagnostics modules | FailedRequestsTracingModule | Supports the Failed Request Tracing feature |
| Logging and diagnostics modules | HttpLoggingModule | Passes information and processing status to HTTP.sys for logging |
| Logging and diagnostics modules | RequestMonitorModule | Tracks requests currently executing in worker processes, and reports information with Runtime Status and Control Application (RSCA) Programming Interface |
| Logging and diagnostics modules | TracingModule | Reports events to Microsoft Event Tracing for Windows (ETW) |

You can install these modules by adding role services and features to the Web Server (IIS) role using Server Manager. (Note that some of these modules cannot be selectively installed or uninstalled unless you uninstall the entire w3svc.) When you add the Web Server (IIS) role to your Windows Server 2008 server, a subset of available role services and features is installed by default (though you can also choose to add role services and features at this time or later).
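
An added example, not taken from the book or from Microsoft: a PowerShell audit that compares the native modules registered in the globalModules section of applicationHost.config with an allowlist for one server role, so that binaries the role does not need stand out. The sample XML, the allowlist policy, and the function name Get-ModuleAudit are assumptions made for illustration; module names follow Table 11-1, and the names a given build reports may differ.

```powershell
# Constructed sample of the <globalModules> section of applicationHost.config,
# trimmed to the name attribute. Module names follow Table 11-1.
$sampleConfig = [xml]@'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="FileCacheModule" />
      <add name="HTTPCacheModule" />
      <add name="TokenCacheModule" />
      <add name="UriCacheModule" />
      <add name="StaticFileModule" />
      <add name="DefaultDocumentModule" />
      <add name="DirectoryListingModule" />
      <add name="TraceVerbModule" />
      <add name="BasicAuthModule" />
      <add name="CgiModule" />
      <add name="HttpLoggingModule" />
    </globalModules>
  </system.webServer>
</configuration>
'@

# Assumed policy: modules a static-content-only server is expected to carry.
$allowed = @(
    'FileCacheModule', 'HTTPCacheModule', 'TokenCacheModule', 'UriCacheModule',
    'StaticFileModule', 'DefaultDocumentModule', 'CustomErrorModule',
    'RequestFilteringModule', 'AnonymousAuthModule', 'HttpLoggingModule'
)

function Get-ModuleAudit {
    param([xml]$Config, [string[]]$Allowed)
    # @() keeps the result an array even when only one <add> element exists.
    $installed = @($Config.configuration.'system.webServer'.globalModules.add |
        ForEach-Object { $_.name })
    # -notcontains compares case-insensitively, which suits module names.
    New-Object PSObject -Property @{
        Unexpected = @($installed | Where-Object { $Allowed -notcontains $_ })
        Missing    = @($Allowed | Where-Object { $installed -notcontains $_ })
    }
}

$audit = Get-ModuleAudit -Config $sampleConfig -Allowed $allowed
$audit.Unexpected | ForEach-Object { "UNEXPECTED (not needed for this role): $_" }
$audit.Missing    | ForEach-Object { "MISSING (expected for this role): $_" }

# On a live server, audit the real file instead (default IIS 7.0 location):
# $live = [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")
# Get-ModuleAudit -Config $live -Allowed $allowed
```

Modules reported as unexpected are candidates for removal through the role services in Server Manager; a missing RequestFilteringModule is worth a second look on any Internet-facing role.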

Excerpted from "Introducing Windows Server 2008" by Mitch Tulloch with the Microsoft Windows Server Team. Reprinted by permission of Microsoft Press. All rights reserved. For more information, go to http://www.microsoft.com/MSPress/books/11163.aspx

