

New IIS 7 security adds value to Windows Server 2008


Brien M. Posey, MCSE
05.20.2008


With its newest server operating system (OS), Microsoft hoped to make Windows Server 2008's security better than that of its predecessor, Windows Server 2003. So it should come as no surprise that Internet Information Services (IIS) 7, which is included with Windows Server 2008, is loaded with new security features.

Modular design


If you ever installed IIS 6, you know that it had a modular design, too. A default installation added the basic components, and there were several more components that you could install if you needed them. But with that design, many organizations wound up installing a number of unnecessary components.

When Microsoft created IIS 7, it took a slightly different approach to the deployment process. Administrators first use Server Manager to tell Windows that they want to install the IIS server role. A couple of screens into the installation process, the Add Roles Wizard displays the screen shown in Figure A.

Figure A

Windows allows you to choose which IIS components you want installed.

Windows now takes a more minimalist approach to IIS installation. Only the very basic components are installed by default, and you even have the option of disabling some of those before you install IIS 7. That way, you can achieve better performance and better security because you are not installing anything that isn't absolutely necessary.

When you scroll further down the list of IIS components, you will see an entire section dedicated to security. As Figure B shows, the only security component installed by default is Request Filtering. If you want any additional features, look through the whole component list to find others that might benefit your website.

Figure B

Most of the security components are not installed by default.
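
The minimalist installation described above only helps if the server stays minimal. The following added example (not part of the original tip) compares the IIS role services that are actually installed with an approved list. It assumes the ServerManager PowerShell module and its Get-WindowsFeature cmdlet, which ship with Windows Server 2008 R2 and later; on the original Windows Server 2008 release, `ServerManagerCmd.exe -query` lists the same components. The baseline list and the function name Get-IisComponentDrift are hypothetical.

```powershell
# Added example: compare installed IIS role services with an approved baseline.
# Assumes the ServerManager module (Get-WindowsFeature), Windows Server 2008 R2+.
Import-Module ServerManager

# Hypothetical baseline for a site that serves static content only.
# Web-Filtering is the feature name of the Request Filtering component.
$approved = @(
    'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Static-Content',
    'Web-Default-Doc', 'Web-Http-Errors', 'Web-Health', 'Web-Http-Logging',
    'Web-Security', 'Web-Filtering', 'Web-Mgmt-Tools', 'Web-Mgmt-Console'
)

function Get-IisComponentDrift {
    param([string[]]$Baseline)

    # Names of every IIS role service currently installed on this server.
    $installed = @(Get-WindowsFeature -Name 'Web-*' |
        Where-Object { $_.Installed } |
        Select-Object -ExpandProperty Name)

    # Installed but not approved: extra attack surface to review or remove.
    $extra   = @($installed | Where-Object { $Baseline -notcontains $_ })
    # Approved but not installed: for example, Request Filtering was removed.
    $missing = @($Baseline | Where-Object { $installed -notcontains $_ })

    New-Object PSObject -Property @{
        Installed = $installed
        Extra     = $extra
        Missing   = $missing
    }
}

$drift = Get-IisComponentDrift -Baseline $approved
if ($drift.Extra.Count -gt 0) {
    Write-Warning ("Unapproved IIS components: " + ($drift.Extra -join ', '))
}
if ($drift.Missing -contains 'Web-Filtering') {
    Write-Warning 'Request Filtering (Web-Filtering) is not installed.'
}
$drift | Format-List Extra, Missing
```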

Delegation of Administration

Delegation of administration is a new security concept in IIS 7. In IIS 6, an administrator who had access to an IIS server had the authority to fully manage the server and all of the websites hosted on it. In an enterprise environment, that's not always a good thing. IIS 7 remedies this situation by allowing you to delegate administrative responsibility in a way that limits administrators to managing certain websites or Web applications.

Microsoft built three different administrative roles into IIS 7: Web Server Administrator, Web Site Administrator and Web Application Administrator.

A Web Server Administrator is similar to an administrator in IIS 6 and has full control over IIS. This administrator can manage all of the websites and Web applications that are hosted on the server and has full control over application pools, virtual directories and anything else that IIS might be using.

A Web Site Administrator is delegated full administrative control over a particular website hosted on the server. This means that the administrator has full control of any Web applications, virtual directories or physical directories that fall within the area of delegation.

A Web Application Administrator is given authority over a specific Web application, not over an entire website. A Web Application Administrator has full control over the virtual directories and physical directories in which the application resides.

About the author: Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox.


All Rights Reserved, Copyright 2008 - 2009, TechTarget