This article can also be found in the Premium Editorial Download "Information Security magazine: Unwrapping Windows Server 2003: An exclusive first look at Microsoft's new OS."
Download it now to read this article plus other related content.
Of all of Windows Server 2003's components, Internet Information Server (IIS) 6.0 underwent the most significant change.
IIS's redesign comes as no surprise, since some of the worst attacks against Windows exploited the built-in Web server. While Win2003 doesn't fully live up to Microsoft's claim that it's "secure by default," IIS does--mostly.
For convenience sake, every Win2K server and workstation came with IIS turned on by default. This left the OS open to numerous security exploits and vulnerabilities. Win2003 still comes with the built-in Web server, but it's not installed automatically. When installed, IIS is turned off by default or in a locked-down state, similar to the baseline security checklists Microsoft published for IIS 4.0 and IIS 5.0. This effectively makes an out-of-the-box Win2003 system immune to IIS- related exploits.
Even when IIS is enabled, its services and extensions are locked down by default. Win2003 doesn't install the documentation or sample scripts that have been used over the years to compromise IIS. Rather, it implements multiple layers of file permissions to protect the nearly empty default Web site. To deliver anything more than static content, admins have to enable specific services.
This is a far cry from its Win2K implementation, which had all services and ISAPI extensions that enable dynamic content turned on by default. These extensions (such as CGI and ASP scripts, WebDAV, server-side includes and Internet printing) exposed IIS to many serious attacks, such as Code Red and Nimda.
Off by default is a tremendous improvement, but Microsoft still left a few of potential security problems in IIS's basic design. First, IIS still reports detailed information about errors instead of a stock error message. While this helps with support and diagnosis, it runs the risk of disclosing valuable information about a site's internal workings to malicious parties.
Second, IIS doesn't automatically install URLScan, a useful Microsoft tool that scans incoming requests for suspicious patterns and buffer overflows. Microsoft says that IIS supports URLScan, but users have to install it.
Finally, Microsoft made a major architectural change to IIS to improve its performance. The logic responsible for initial processing of HTTP requests was moved out of IIS, which runs in user mode, to a kernel-mode component called http.sys. Code runs faster in kernel mode. But this could also be disastrous if the code falls victim to a buffer overflow, since kernel mode operates at a much higher privilege level. Microsoft is aware of the increased security risk posed by http.sys, saying it has mitigated this risk through extensive security testing, including threat modeling and independent code reviews.
Nevertheless, Microsoft's "security first" commitment will be brought into serious question if http.sys appears in any security bulletins in the near future.
This was first published in April 2003