Windows 7 / Getting Started

---

Prepare Web Servers (Dedicated or Application)

Web servers, whether they are dedicated or not, are based on Microsoft Internet Information Services (IIS). IIS has been seen as Windows' weakest point in the past. In older versions of Windows, it was installed by default and often not managed in the way that it should be, which lent it to abuse. This is no longer a problem with WS08, since no server role is installed by default. If you install a server role, you do it consciously and, therefore, you should be aware that it will require management to some degree. If any of you have had experience with IIS before, you will find that working with IIS version 7, the version built into WS08, is completely different.

Several characteristics of IIS have been modified in Windows Server 2008:

• IIS 7 has now been divided into modules that you install and activate as needed. For example, if you need Server Side Includes (SSI) on your Web server, then you must install the SSI component to make it run. IIS now includes more than 30 components you can install and configure as needed.
• IIS Manager, the IIS management console, has been completely revamped. Each component is now clearly laid out and easier to access. It includes both a features and a content view. The content view provides an interface similar to previous versions of IIS. The features view gives you access to administrative interfaces for each of the installed components.
  CAUTION:
  You cannot manage previous versions of IIS with the IIS 7 Manager. This is why WS08 includes the ability to install a compatible console for IIS 6 and lower versions.
• The execution mode for IIS is completely different in WS08. Each application running in IIS 7 runs in its own execution environment or application pool and is completely isolated from other applications. If an application wants to perform illegal operations, it cannot affect other applications running on the same server. IIS can also automatically restart applications after crashing, limiting the damage a denial-of-service attack can have on each application. Application isolation occurs automatically in IIS 7 each time a new application is added to the Web server.
• The Web edition of WS08 includes only one role: Web Services (IIS) which is not installed by default. This edition of WS08 is a dedicated edition that is designed to provide a low-cost alternative to non-Windows Web servers. Use the same approaches as with IIS to manage and monitor servers running this edition.
• IIS 7 is the most secure version of IIS to date. Before, IIS would install a whole series of components because its structure was monolithic. This increased its attack surface. Of course, you had control over whether components were enabled or not, but since they were installed, they could lend themselves to malicious use. Now, IIS 7 does not require component activation. If you choose to install the component, it is activated. If it isn't installed, then it can't be activated maliciously or inadvertently.
  These are the major new features for IIS security. Altogether, IIS is a much more secure and stable Web platform than it ever has been before.

Keep in mind, though, that IIS is no longer required on most of your servers. In addition, you should not place IIS on any of your domain controllers if at all possible. There may be some circumstances where you have no choice in this matter (for example, in the case of multipurpose servers).