Security
Earlier versions of IIS were hit with a number of vulnerabilities, especially the CA-2001-13 which led to the infamous Code Red worm; however, both versions 6.0 and 7.0 currently have no reported issues with this specific vulnerability. In IIS 6.0 Microsoft opted to change the behaviour of pre-installed ISAPI handlers, many of which were culprits in the vulnerabilities of 4.0 and 5.0, thus reducing the attack surface of IIS. In addition, IIS 6.0 added a feature called "Web Service Extensions" that prevents IIS from launching any program without explicit permission by an administrator.
In the current release, IIS 7, the components are provided as modules so that only the required components have to be installed, thus further reducing the attack surface. In addition, security features are added such as Request Filtering, which rejects suspicious URLs based on a user-defined rule set.
By default IIS 5.1 and lower run websites in-process under the SYSTEM account, a default Windows account with 'superuser' rights. Under 6.0 all request handling processes have been brought under a Network Services account with significantly fewer privileges so that should there be a vulnerability in a feature or in custom code it won't necessarily compromise the entire system given the sandboxed environment these worker processes run in. IIS 6.0 also contained a new kernel HTTP stack (http.sys) with a stricter HTTP request parser and response cache for both static and dynamic content.
According to Secunia, as of June 2011, IIS 7 had a total of 6 resolved vulnerabilities while IIS 6 had a total of 11 vulnerabilities out of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.
In June 2007, a Google study of 80 million domains concluded that while the IIS market share was 23% at the time, IIS servers hosted 49% of the world's malware, the same as Apache servers whose market share was 66%. The study also observed the geographical location of these dirty servers and suggested that the cause of this could be the use of pirated copies of Windows for which security updates were unavailable. This is no longer the case: Microsoft supplies security updates to all users.
Read more about this topic: Internet Information Services
Famous quotes containing the word security:
“If we could have any security against moods! If the profoundest prophet could be holden to his words, and the hearer who is ready to sell all and join the crusade, could have any certificate that to-morrow his prophet shall not unsay his testimony!”
—Ralph Waldo Emerson (1803–1882)
“... most Southerners of my parents’ era were raised to feel that it wasn’t respectable to be rich. We felt that all patriotic Southerners had lost everything in defense of the South, and sufficient time hadn’t elapsed for respectable rebuilding of financial security in a war- impoverished region.”
—Sarah Patton Boyle, U.S. civil rights activist and author. The Desegregated Heart, part 1, ch. 1 (1962)
“Is a Bill of Rights a security for [religious liberty]? If there were but one sect in America, a Bill of Rights would be a small protection for liberty.... Freedom derives from a multiplicity of sects, which pervade America, and which is the best and only security for religious liberty in any society. For where there is such a variety of sects, there cannot be a majority of any one sect to oppress and persecute the rest.”
—James Madison (1751–1836)