Security UPDATE--More Flexible Security Control in IIS 7.0--October 5, 2005

The new version of Microsoft's Web server adds security improvements such as delegation of authority. Plus, get links to security news, FAQs, and blogs.

ITPro Today

October 4, 2005


This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Free Webcast from Postini: Risks of Unmanaged IM

http://www.eventsvc.com/postini/imrisks?trk=winitp

Panda Software

http://www.windowsitpro.com/go/whitepapers/panda/stopcrimeware?code=secmiddle105

===============

==========

==== Sponsor: Postini ====

Free Webcast from Postini: Risks of Unmanaged IM

Join noted electronic messaging expert and author Michael Osterman on Thursday, October 20, 2005 as he explores the growing threats associated with Instant Messaging (IM) in your enterprise and what to do about them. In one short hour you'll learn how to find out where your enterprise is vulnerable ... protect against IM-borne threats ... and ensure regulatory compliance within IM. Register today and learn why IM is the "next frontier" for hackers, spammers, and phishers ... what IM means to your compliance initiatives ... why you can't stop IM threats with typical network safeguards ... and how an integrated message management strategy provides IM threat prevention and compliance. Free white paper and technology overview when you attend. Register now.

http://www.eventsvc.com/postini/imrisks?trk=winitp

==========

==== 1. In Focus: More Flexible Security Control in IIS 7.0 ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

At the recent Microsoft Professional Developers Conference (PDC 2005), IIS Program Manager Chris Adams talked about upcoming features of IIS 7.0, some of which are security related.

IIS 7.0 is built on the IIS 6.0 platform, which is far more secure than previous versions of IIS. Adams said that IIS developers learned over time, particularly because of worms such as Code Red and Nimda, how to improve the Web server's security. Adams said that no security vulnerabilities have been discovered in what he calls the "IIS critical core" since the release of IIS 6.0. Therefore IIS 6.0 serves as a good base to build on.

IIS 7.0 brings new security features such as delegation of authority, which is a significant improvement. This means that people can perform delegated tasks without having administrator-level authority. So for example, in the course of developing a new Web page, a Web developer might want to use a new file extension type. Traditionally, an administrator would need to add that type to the server. But the new delegation features let an administrator delegate that authority to the developer. This capability will improve security administration and increase productivity.

If you've spent a lot of time developing secure applications that run on IIS 6.0, you won't have to spend much time moving them to IIS 7.0. Adams said Microsoft has made sure that IIS 7.0 will support "legacy applications."

Unlike Windows XP, which includes IIS 5.1, and Windows Server 2003, which includes IIS 6.0, Windows Vista and Longhorn Server will ship with IIS 7.0. The different IIS versions on XP and Windows 2003 posed some developmental and security problems; Microsoft is aiming to avoid those problems in the new Windows client and server OSs.

With previous versions of IIS, developers typically used Internet Server API (ISAPI) and Common Gateway Interface (CGI) to develop custom functionality. But IIS 7.0 will be more modular, which brings at least two benefits: Administrators will be able to deploy IIS 7.0 with only the modules that they require, and developers will be able to replace functionality that they might not like. For example, if you want to use an authentication method other than connecting to the SAM database, you can write a replacement for IIS 7.0's authentication module. The ability to replace this module means that developers can not only create their own means of authenticating users but developers can also more easily integrate support for other OSs such as Linux, BSD, and Mac OS X.

IIS 7.0 also has a new UI that exposes more of the central configuration (metabase) properties, possibly including some security properties. In previous versions, administrators had to modify some aspects of the metabase by using command-line tools or by manually editing configuration files with Notepad or the Microsoft MetaEdit tool.

That's a brief summary of what you can expect. Development tools and additional information for IIS 7.0 should be available on Microsoft Developer Network (MSDN) by the end of the year. In addition, Paul Thurrott will provide a more extensive review of IIS 7.0 on our Web site sometime in the near future.

==========

==== Sponsor: Panda Software ====

Stopping Crimeware and Malware

Computer users can no longer wait for a new vaccine every time a new security threat appears. How do you defend your network in a world of smarter, faster, Internet-borne zero-day attacks? Find out about Intrusion Prevention that can detect and destroy unknown malware with virtually zero false positives.

http://www.windowsitpro.com/go/whitepapers/panda/stopcrimeware?code=secmiddle105

==========

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

Latest Office Updates Improve Outlook Security

Microsoft released Office 2003 Service Pack 2 (SP2) and junk email filter updates for Office Outlook 2003. Together they can help protect against phishing attacks. Read more about the updates in this news story on our Web site.

http://www.windowsitpro.com/Article/ArticleID/47929

Symantec to Acquire WholeSecurity

Symantec announced that it entered into an agreement to acquire privately held WholeSecurity. The deal is scheduled to close in October. WholeSecurity offers behavior-based security solutions and antiphishing technology.

http://www.windowsitpro.com/Article/ArticleID/47930

==========


==== Hot Release ====

Maximizing Network Security Against Spyware and Other Threats

Spyware installation usually exploits an underlying security vulnerability in the OS. You can remove spyware, but if you don't also patch the underlying vulnerability, you don't solve the real problem. By leaving your systems open to reinfestation, you risk surging bandwidth consumption, system instability, overwhelmed Help desks, lost user productivity, and other consequences. Unauthorized applications can even result in noncompliance with regulatory requirements. This free white paper addresses the need to manage both the threats and vulnerabilities from one console as a comprehensive security solution.

http://www.windowsitpro.com/go/whitepapers/shavlik/spyware?code=sechot105

==========

==== 3. Security Toolkit ====

Security Matters Blog: Synopsis of MS Security Bulletin Creation

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Ever wonder what goes on during the creation of a Microsoft security bulletin? Read this blog article to get a synopsis.

http://www.windowsitpro.com/Article/ArticleID/47921

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: Can I change the type of logging that Active Directory (AD) uses?

Find the answer at http://www.windowsitpro.com/Article/ArticleID/47861

Security Forum Featured Thread: Too Many Security Log Entries

A forum participant writes that he needs to identify user logon and logoff events. However he needs to know only logon and logoff times and wants to log the minimum number of related events. He wants to know what policies to adjust to make that happen. Join the discussion at

http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=43678&enterthread=y

==========

==== Announcements ====

(from Windows IT Pro and its partners)

Become a VIP Subscriber!

Get inside access to ALL the articles, tools, and helpful resources published in Windows IT Pro, SQL Server Magazine, Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security--that's more than 26,000 articles at your fingertips. Your VIP subscription also includes a valuable one-year print subscription to Windows IT Pro and two VIP CDs (includes the entire article database on CD). Sign up now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu275auv

Windows IT Pro Has Answers

You won't want to miss any of the fall issues! Subscribe now and discover the best ways to plan for Longhorn, what you need to know about VBScript, ways to make sense of SQL Server, the 10 Security Tools You Can't Live Without, and much more. You'll also gain exclusive access to the entire Windows IT Pro online article database (more than 9000 articles) and you'll SAVE 44% off the cover price. Click here:

https://store.pentontech.com/index.cfm?s=1&promocode=eu205auw

==========


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

===============

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

https://store.pentontech.com/index.cfm?s=1&promocode=eu255xsb

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
