Chapter 9. Introducing IIS 7
Windows Vista introduces Internet Information Services (IIS) 7, built on Microsoft's highly successful IIS 6 product. After more than four years in the field (IIS 6 was released in March 2003 along with Windows Server 2003), IIS 6 remains without a single significant security blemish. IIS 7 was created to be even more secure. This chapter covers web server threats, introduces the new features and changes of IIS 7, and concludes with ways to harden an IIS 7 server.
IIS 7 is secure by default. This chapter's recommendations provide additional hardening steps applicable to any environment to make it even tougher to hack a web server. IIS 7 was specifically designed to be tough enough to serve as any type of web server, whether used internally as an intranet site or as an externally facing Internet-accessible web server. This chapter will cover hardening steps that can secure both types. However, IIS 7's original presence on Windows Vista, an end-user client OS, indicates that Microsoft intended IIS 7 to initially lean more toward intranet use.
Web Server Threats
Web servers contain many pieces and parts, including the host OS, web protocols, back-end databases, and the web server software itself. This collection of related components coupled with inviting inbound Internet connectivity makes web servers a frequent hacker target. Threats to web servers include the following:
Back-end database issues