Microsoft pushes security in IIS 6.0

Mark Adams knows how new software code can gum up the works. As IT director for, an online direct lender in Irvine, Calif., Adams oversees a development team that churns out code about every two weeks. That's one reason Adams is pleased about several enhanced security features included in version 6 of Microsoft Corp.'s Internet Information Server (IIS). is a Microsoft programming shop that has used previous versions of IIS, which is Microsoft's Web server product.

Adams says improved kernel processes in IIS6 helped developers accelerate code launches for online applications that furnish interest rates and other mortgage information to homebuyers. Uptime and productivity have risen, with fewer application errors. IIS6 is also helping the company as it develops new applications using the .NET framework. IIS6 provides threads that isolate processes, so dynamic code running in one application doesn't interfere with other programs. "We have a lot of user-level code that tends to overlap into some of the IIS applications," Adams says. "The kernel of IIS6 is a lot better at managing the shutdown of processes that otherwise would kill our IIS [5.1] servers."

This is one of the ways Microsoft is trying to bolt down security in the new Web server. Once the poster child for how not to build an HTTP server, IIS has come to symbolize Redmond, Wash.-based Microsoft's newfound emphasis on security over open functionality. Microsoft founder Bill Gates made a splash last year by announcing his company's new Trustworthy Computing initiative. Experts say IIS6 shows Microsoft is serious about its new security orientation. "In terms of Microsoft delivering on its promise to deliver more secure software, this is it," says Brett Hill, a consultant who runs in Boulder, Colo.

Since its inception as part of Windows 2000 Server, IIS has been plagued by well-chronicled security holes, most of which resulted from buggy software. The principal culprit: IIS default settings, which permitted programs to run automatically when Windows 2000 was installed. "It wasn't that IIS was so full of holes as much as it was the applications that were enabled by default. The applications had the bugs, but IIS was the gateway to those applications," says Hill.

In the new version, default settings are turned to the "off" position, which means administrators have greater control over which applications run automatically. Rather than locking down programs and assigning user privileges after Windows 2000 is installed, administrators now can tighten things up at the outset. This is a 360-degree reversal for Microsoft, which built the formative releases of IIS to be as functional as possible out of the box. "In the past, partly because of its role in corporate LANs, IIS was relatively biased toward functionality and ease of use, not security," says Joseph Lima, vice president of product development with San Diego-based Port80 Software Inc., which develops specialized applications for IIS. "Now, you have to select even the installation of IIS."

Also, associated software -- legacy applications for integrating Windows NT file systems, Web-based printing, tracking usage on servers, and other features -- automatically are disabled. That removes a hacker's chief attack point. The locked-down approach extends to all basic configuration tasks, including access control lists and the use of third-party software. "All of this has to be specifically enabled by the administrator, whereas before it would have been the exact reverse," says Lima.

Microsoft made important changes to the metabase, which stores metadata about IIS' configuration settings. "You can configure your pager, set up security, set up your directory structure, and do it [in the database] through an easily navigable interface," says's Adams. The reworked metabase is more "Apache-like," says Lima, referring to the Apache Web server, an open-source product favored by Unix and Linux shops. "The changes should help in a lot of ways with troubleshooting."

Indeed, Apache is in Microsoft's crosshairs. Microsoft wants to deepen its penetration into the Web-server market, which has been dominated by Apache. About 63% of Web sites are served by Apache, according to a July 2003 survey by Netcraft Ltd. Microsoft captured about 27% of the market. Still, a body of myth has developed that Apache is more security oriented than IIS -- a perception not shared by's Hill. "Apache and Unix- and Linux-based systems have had their fair share of fixes, too. If you stack up the number of fixes of Apache against Microsoft, IIS compares quite favorably," he says.

New licensing programs by Microsoft may offer potential savings in the form of server consolidation. Windows 2003 is the first version of Windows to include a Web edition -- an exclusive operating system for enterprises that only want an HTTP server. Internet service providers, for instance, could replace server farms with one or two IIS6 boxes, which can handle between 10,000 and 15,000 Web sites. "Your cost savings [for fewer licenses] are dramatic, plus your uptime increases," says Hill. The 32- and 64-bit enterprise editions of Windows 2003 Server are priced around $4,000. The Web edition does not have standard pricing, so administrators should check with authorized Microsoft resellers for the best deal.

This was first published in July 2003