Microsoft The Internet

Microsoft IIS v7 Details Emerge

daria42 writes "According to several .NET and Longhorn bloggers, the next version of Microsoft's IIS web server will integrate ASP.NET and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack. In addition, the software's admin tool has been completely revamped, and will allow Web-based remote administration utilising SSL."
  • Apache (Score:5, Insightful)

    by The Snowman ( 116231 ) * on Monday May 30, 2005 @08:57AM (#12675851)

    ...and turn many core features into optional modules in order to provide a smaller security footprint for hackers to attack.

    In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.

    • In other words.. Still no reason to go for IIS over apache?
      • Re:Apache (Score:3, Insightful)

        by /ASCII ( 86998 )
        According to this [arstechnica.com] ASP will be integrated into IIS. Exactly what that will mean is not very clear to me, but it is interesting to note that this is the opposite direction of what Apache is doing with PHP, mod_perl, etc.

        Perhaps this is like when MS decided to move the graphics subsystem into the kernel, a way to gain performance at the cost of security and stability.
        • ASP will be integrated into IIS

          My reading of that is that parts of IIS will be written in managed .NET code. The impression is that IIS will become more modular, not more integrated.

          But I don't know enough about the internals to really compare the "pipelines" with Apache modules -- and apparently, neither does anyone else here.
    • Re:Apache (Score:5, Insightful)

      by KingSkippus ( 799657 ) on Monday May 30, 2005 @09:03AM (#12675874) Homepage Journal

      Microsoft is learning lessons

      That's not new, Microsoft has made a pretty profitable business from learning lessons [slashdot.org] (or stealing ideas, one could also argue) from its competitors. That is, after all, how we got Windows in the first place.

      And as long as some people are dead-set on using IIS, it seems that making it more Apache-like in ways that Apache is superior to IIS is a good idea. Let's just hope that they continue to learn the more useful lessons and scrap bad ideas.

      • ...or stealing ideas, one could also argue...

        One that would should see this [opensourceversus.com] first.

        AFAIC, that's inspiration, not stealing.
      • theft of ideas (Score:3, Interesting)

        by jesterzog ( 189797 )

        or stealing ideas, one could also argue

        I don't think "stealing" is a very good word to use, or you start to fall into the same trap that a lot of people accuse organisations like the RIAA and MPAA of. ("Stealing" music, copyright "theft", etc.) That is, unless you agree with them that use of another person's ideas without asking is theft.

        Personally I think it's good that Microsoft has finally decided to implement what everyone else has, for a long time, known to be useful. Just because Micr

    • Re:Apache (Score:3, Insightful)

      by CastrTroy ( 595695 )
      If they started to give out modules that provided certain functionality, is it possible, that apache, through Wine, or some other interface, could make use of these components? Imagine having apache run .Net or ASP web applications. It may make the switch to Apache, and maybe eventually Linux cheaper and easier for many companies. Many companies have lots of money invested in .Net and ASP web applications.
      • Re:Apache (Score:5, Informative)

        by molnarcs ( 675885 ) <csabamolnar AT gmail DOT com> on Monday May 30, 2005 @09:33AM (#12676033) Homepage Journal
        ...If they started to give out modules that provided certain functionality ...

        I was looking for help on url_rewrite on google, when I bumped into some threads where users complained about $company's url_rewrite module not working as expected. He said that he regrets paying for it now. Others suggested he try out isapi rewrite [isapirewrite.com] ... another pay for module that only provides freaking rewrite functionality. When I read those, I was soooo glad I never had to deal with IIS - I would have never thought that IIS users must go out hunting on google and actually pay for new modules for IIS that are completely free (and immediately available) for apache...

        • Re:Apache (Score:3, Informative)

          by gregmac ( 629064 )
          I would have never thought that IIS users must go out hunting on google and actually pay for new modules for IIS that are completely free (and immediately available) for apache...

          I noticed the same thing a few years ago (5) with ASP. My roommate in university was an ASP developer, and I had been doing PHP for a couple years at that point. He was working on some application that required DNS lookups, and actually ended up paying for an ASP module/script/whatever to do them. I was totally surprised at this
      • Re:Apache (Score:5, Informative)

        by adolfojp ( 730818 ) on Monday May 30, 2005 @09:39AM (#12676063)
        "Imagine having apache run .Net or ASP web applications."

        In my experience Mono http://www.mono-project.com/ [mono-project.com] has done a wonderful job at running ASP.NET apps and web services.

        To run classic ASP get this.
        http://www.apache-asp.org/ [apache-asp.org]

        If you are concerned with their legality go check Tomcat and JBoss ;-)

        Cheers,
        Adolfo
        • C# and the CLR (which .NET and mono run on) are open specs. JBoss, unless I'm mistaken, has an explicit exemption from Sun. I don't think there's any question that Apache using mono (which is backed by Novell) is legal....Just a thought.
        • I said that to run ASP on apache you could use apache asp. It is a lie.

          I made a mistake. My quick googling confused Chilisoft with the link that I posted.

          I apologize for the inconvenience.

          Adolfo
      • Re:Apache (Score:4, Insightful)

        by gregorio ( 520049 ) on Monday May 30, 2005 @10:02AM (#12676195)
        If they started to give out modules that provided certain functionality, is it possible, that apache, through Wine, or some other interface, could make use of these components? Imagine having apache run .Net or ASP web applications. It may make the switch to Apache, and maybe eventually Linux cheaper and easier for many companies. Many companies have lots of money invested in .Net and ASP web applications.
        This article (mostly because of the submitter's text) is a great disservice to technical information:
        • This kind of modularity is a part of IIS since its first version.
        • ASP.NET is already implemented as a module, in all ASP.NET-supporting IIS versions.
        About your question: I'm not sure if ASP.NET can run on mod_isapi without too much trouble, but you can always try it, if you want to: ISAPI [apache.org] Apache module.

        Anyway, Covalent already provides us with a .NET-ready version [wired.com] of Apache 2.0 for Linux.
    • Re:Apache (Score:5, Insightful)

      by j-pimp ( 177072 ) <zippy1981 AT gmail DOT com> on Monday May 30, 2005 @09:16AM (#12675946) Homepage Journal
      In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.

      For better or for worse, Microsoft has definatly become a better company because of open source. Open source has definatly gotten better because of Microsoft too. Open source has harped on Microsoft because of security, and Microsoft has made itself more secure. Microsoft has bosted ease of use and a good office suite and as a result we get KDE, Gnome nad open office.

      Competition is good.
      • Re:Apache (Score:3, Insightful)

        by cpghost ( 719344 )

        Microsoft has bosted ease of use and a good office suite and as a result we get KDE, Gnome nad open office.

        Agreed! It's just too bad that KDE, Gnome and OO are getting so much bloated, that they won't (decently) run on small solid state devices or low-end, power saving slow or embedded CPUs. Of course there's xfce, fluxbox etc..., but it's sad that userfriendliness still attracts bloatedness so much.

      • by g0at ( 135364 )
        For better or for worse, Microsoft has definatly become a better company because of open source.

        Whenever someone misspells definitely as "definatly", I often read it as defiantly. Sometimes, depending on the context, it's an even more appropriate word.

        -b
      • I disagree that MS has become a better company, it has become a worse company in my eyes. But they do some products better, of course, as there are open source programs kicking the butt of some of their 'best' expensive ones (Apache against IIS for example).
        I don't know what you mean when you say that MS has boosted ease of use and a good office suite, I hope you are kidding.
        KDE came because of the availability of Qt for free, and because the Qt API was so great, look at the initial KDE announcement (http:/ [kde.org]
        • I don't know what you mean when you say that MS has boosted ease of use and a good office suite, I hope you are kidding.

          Well I can remember a time when there was no open source office suite. Sure there was free as in beer star office and commercial alternatives such as the port of Word perfect 5.1 to SCO run via SCO binary emulation on Linux, but none of this came from the open source community.

          Also, while open office is a great product that has some innovation in it, most of its features were inspir
    • In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd.
      That's exactly what I was thinking recently when I had to start learning ASP.NET/C#.
      In ASP.NET you have to put your security instructions into a text file called "web.config" - .htaccess anyone?
      • Uhm no. Big difference. .htaccess is handled by the web server. Web.config is not parsed by IIS. It is handled by the dll that handles aspx (et al.) pages. Big difference. Different layer altogether.

        Web.config would be closer to something like php.ini, although that's not even correct. I reckon the closest would be something like a Smarty config file or something under php.
    • "In other words, Microsoft is learning lessons from open source software and making IIS more like Apache httpd."

      Ready pitchforks!!
  • oxymoronic? (Score:4, Insightful)

    by Kr3m3Puff ( 413047 ) * <me@@@kitsonkelly...com> on Monday May 30, 2005 @08:58AM (#12675854) Homepage Journal

    "...provide a smaller security footprint for hackers to attack."
    "Web-based remote administration utilising SSL."


    Is it just me, or doesn't that sound contradictory. Opening up your application, let alone your OS for remote hacking. Also, why would Microsoft even blink at enabling remote monitoring/logging of the websites you visit for government agencies? Tell me that that isn't going to be exploited...
    • Re:oxymoronic? (Score:3, Insightful)

      by blowdart ( 31458 )
      is it just me, or doesn't that sound contradictory

      No. If everything is modular and you have to enable things by default then it will be off at install time, and won't have any footprint until you enable it. They started the "off by default" route with 2003, it just looks like Longhorn Server is taking it further.

      • I think the point is while "off by default" is understood, the average administrator is more likely to go "OOOOO CONVENIENT" and enable it without thinking of the potential security risks.

        I would choose to disagree with that analogy, however, because a person who doesn't know the potential security risks of doing this probably isn't fit to serve in that capacity. You can't idiot-proof network administration. The administrator must know how one thing interacts with the other, or he won't be a very success
        • There are similar "off by default" changes in Yukon (aka SQL server 2005).

          I attended a talk by Microsoft during the week and the speaker claimed that a "click-OK-and-nothing-else" install of SQL server 2005 would not actually install anything! You have to manually select all the features to be installed.

          That might be taking it a bit far, but at least they are trying to reduce the security footprint of their products.
        • the average administrator is more likely to go "OOOOO CONVENIENT" and enable it without thinking of the potential security risks

          I totally get what you mean, but have you seen how much work it takes to get some of the typical stuff like IIS6 or Terminal Services up and going on Win2003 Server? Compared to Win2000, not that convenient after all.

          I think all the new wizards for 2003 are there to discourage that "hm, what's this do?" syndrome.

    • If they do this wrong, this'll be just another less-secure-than-Apache server, even with separated components.

      This SSL security better be tough, lest they receive extra damage to their reputation.

    • Re:oxymoronic? (Score:5, Insightful)

      by Zocalo ( 252965 ) on Monday May 30, 2005 @09:16AM (#12675942) Homepage
      Is it just me, or doesn't that sound contradictory.

      Not really, it depends upon the implementation and how Microsoft sets the defaults. The remote administration part is almost certainly going to be apart from the main server as one of the modular components mentioned in the article. I suspect what we will see is that the IIS admin tool will be an MMC snap-in, and that it will be MMC that will gain the remote HTTPS accessibility, which would make it little different from a remote access enabled install of WebMin.

      If they are taking security as seriously as they like to make out, then they will be designing the thing with the possibility of a remote exploit in mind. That means, having remote access disabled by default, warning the user of the security implications when they try and enable remote access, and making it easy for the user to lock down the remote access by IP as well as HTTPS authentication. Asking for some IP ranges right after the remote access functionality is enabled would be good, or better yet restricting to the local IP anyway and *forcing* the user to enter additional IPs. This data could then be passed to the Windows Firewall as well as used as a "double check" by the MMC console, for an additional layer of protection.

      Regardless of the method and security of any implementation, that doesn't stop the usual bunch of losers without a clue on security enabling global remote access of course. Nor, I suspect, will it stop Microsoft taking a good deal of the blame if and when a load of IIS7 servers get rooted by some future worm that exploits the remote management feature because some lunatics enabled it with minimal security.
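
The default-off, allowlist-first remote admin design described in the comment above, sketched as an added example (not part of the original thread and not Microsoft's implementation). The class and method names are hypothetical, and the addresses are constructed sample values.

```python
import ipaddress

# Loopback is the only source accepted until an admin explicitly adds more.
LOOPBACK = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)


def _in_any(addr, networks):
    """True if addr falls inside one of the networks (same IP version only)."""
    return any(addr.version == n.version and addr in n for n in networks)


class AdminAccessPolicy:
    """Default-deny policy for a remote administration endpoint (hypothetical)."""

    def __init__(self):
        self.remote_enabled = False   # remote access is off at install time
        self.extra_networks = []      # nothing beyond loopback is trusted yet

    def enable_remote(self, cidrs):
        """Enable remote access only together with an explicit, bounded allowlist.

        The admin is forced to name the networks; "everyone" is refused.
        State is changed only after every entry has been validated.
        """
        if not cidrs:
            raise ValueError("remote access needs at least one explicit network")
        nets = []
        for cidr in cidrs:
            # strict=True rejects sloppy entries such as 10.1.2.3/16
            net = ipaddress.ip_network(cidr, strict=True)
            if net.prefixlen == 0:
                raise ValueError(f"{cidr} would allow every address")
            nets.append(net)
        self.extra_networks = nets
        self.remote_enabled = True

    def allowed_networks(self):
        nets = list(LOOPBACK)
        if self.remote_enabled:
            nets.extend(self.extra_networks)
        return nets

    def check(self, client_ip, tls, authenticated):
        """Return (allowed, reason) for one admin request."""
        addr = ipaddress.ip_address(client_ip)
        # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d;
        # normalise so the IPv4 allowlist still applies to them.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not _in_any(addr, self.allowed_networks()):
            return False, "source address not in allowlist"
        if not _in_any(addr, LOOPBACK) and not tls:
            return False, "remote admin requires HTTPS"
        if not authenticated:
            return False, "authentication required"
        return True, "ok"

    def firewall_allowlist(self):
        """The same list, exported so a host firewall can enforce it as a second check."""
        return sorted(str(n) for n in self.allowed_networks())


if __name__ == "__main__":
    policy = AdminAccessPolicy()
    print(policy.check("10.1.2.3", tls=True, authenticated=True))   # denied: off by default
    policy.enable_remote(["10.1.0.0/16"])
    print(policy.check("10.1.2.3", tls=True, authenticated=True))   # allowed
    print(policy.check("203.0.113.9", tls=True, authenticated=True))  # denied
    print(policy.firewall_allowlist())
```
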

      • btw, why hasn't someone come up yet with the idea to make a putty MMC snap-in? I imagine something on the lines of the tsmmc.msc from the windows server 2003 admin pack which is a very handy tool if you have some more servers to work on (basically a tree with the servers on the left side and the RDP-view on the right, switching between servers by clicking on the entries on the left side)
      • I suspect what we will see is that the IIS admin tool will be an MMC snap-in, and that it will be MMC that will gain the remote HTTPS accessibility.

        Nice thought, but I doubt it will happen that way. The MMC snap-in interfaces don't expose enough information to be seamlessly converted to a web interface. The treeview is enumerated through the interface, so that could be webified, but the right-hand content pane is mostly opaque to MMC. Each snap-in can define its own content pane implementation as an

    • Is it just me, or doesn't that sound contradictory.

      I don't see your point. I think the point is: limit the exposure of your server to things you actually need. If you take your web server off the internet it will be quite secure, after all, but that's not a very useful definition of security.

      It's nice to see that MS is slowly starting to "get it". It will be nicer still if this means fewer rooted IIS-bots attacking *my* server. One can only hope.
    • Re:oxymoronic? (Score:5, Informative)

      by ergo98 ( 9391 ) on Monday May 30, 2005 @09:27AM (#12676001) Homepage Journal
      Opening up your application, let alone your OS for remote hacking.

      Well most servers have remote desktop enabled, and web administration of IIS has existed since IIS 5. I think the point was moreso that you'll be able to fully configure your site. One of the issues, mentioned in the article, that IIS currently has is that there is a disconnect, and overlap, between the settings necessary in IIS and ASP.NET to configure a site properly, and it would be nice if they merged them (which really would be mapping some of the IIS metabase XML into the Web.Config).

      Reading this article, I'm still not sure what the real message is- You can already create fully managed handlers and modules for IIS, and the idea of it being pulled "into" IIS is frightening, actually (IIS 6 is a gorgeous design [microsoft.com] because it is like a microkernel web architecture, with an extremely minimalist server module and cache that communicates to external modules to handle things like ASP.NET processing). I suspect some information was misunderstood.
      • IIS4 also had remote web admin, on a random high port for the complete IIS admin, and /iisadmin/ application for that web's admin.

        NTAdmin was also a very cool util for NT4 running IIS.
    • They aren't contradictory. I'm assuming remote web administration will not be turned on by default, thereby following the creed established in the first sentence. Remote administration is already possible, anyway, if the feature is turned on. Run IIS manager and point it at a remote server with the service enabled.

      I would think this would be a good thing for Open Source enthusiasts. It means that if a company wants IIS, you can keep those servers at a bare minimum, and maintain them from linux/unix/osx ser
    • Re:oxymoronic? (Score:4, Informative)

      by dioscaido ( 541037 ) on Monday May 30, 2005 @09:45AM (#12676095)
      It is not an oxymoron. The feature would be turned off by default. You are confusing the point you are trying to make, which is that this remote admin feature would be a good target for exploits. It is a valid comment.

      But common sense would dictate that the web admin tool would not be turned on to connections from the general internet. Instead, it would be limited to the intranet. If it is turned on to the general internet, then they better be sure there aren't any exploits around. But the same is true of any outward facing service, isn't it? IIS v5 was a travesty in security, but IIS6 has had very little problems where vulnerabilities are concerned (check out http://secunia.com/product/1438/ [secunia.com]). One would hope IIS7 would be even better, given the draconian protocol we have to follow now within Microsoft when it comes to security in code.

      Remote GUI administration is already available, by the way. Run IIS manager, choose 'connect' and point it to a remote IIS server with the service turned on, and you'll be able to admin it just as you do your local IIS server.

      I would think this is a good thing for OSS enthusiasts. It means that if a corporation absolutely insists on running IIS, then all the other support servers could be Linux/OSX and you could admin the machine through the web interface. Now you still need MS machines running for support, so you can either Remote Desktop to the IIS box, or use IIS Manager.
    • Re:oxymoronic? (Score:4, Informative)

      by hey! ( 33014 ) on Monday May 30, 2005 @11:13AM (#12676531) Homepage Journal
      Well, imagine a rectangular hyperbola produced by this equation:

      K = Security x Convenience

      where K is a constant representing the level of design and implementation skill an organization has.

      What I'm saying is almost anybody can have an arbitrarily secure system, provided that they are willing to bear a sufficiently large degree of inconvenience. For example, a web site that is served by a diskless server that boots and serves information from a CD-ROM would present limited opportunities for somebody who wished to deface the site, although it is still possible. But such a CD-ROM based system obviously wouldn't be practical for most organizations. Practical systems require a certain level of convenience to be, well, practical. If that level of convenience entails unacceptable security risks, then you either give up on that application as being impractical, or you go looking for a more highly skilled team that can build systems on a tighter trade-off curve.

      So, the very first choice is whether to have remote administration or not; I believe virtually everybody can agree that a practical web server has to be remotely administratable. Once you've made this decision, then you have taken a big step on our graph towards the origin point -- where real skill really comes into play. Which approach to doing this is the shrewdest? You can't make this decision using general philosophical principles, you need data; or at least assumptions.

      For example, suppose I am considering two alternatives to managing my servers remotely: a self contained management system employing HTML forms and https, or one based on remote shell operations using ssh. Without going into this choice in great detail, a lot depends on your assumptions -- not only that, it depends on your marginal assumptions. If I recall correctly, SSH has had its share of vulnerabilities over the years. But I may feel comfortable with it at this point and regard it as "secure enough" for my application. I may have a queasy feeling about trusting IIS's TLS implementation, or IIS's ability to ensure that sensitive operations are properly authorized. This makes turning off IIS's own management system and using something like Remote Desktop tunneled over SSH through a firewall sound like a good bet.

      But wait.

      Suppose my web site is supposed to handle secure transactions. I'm relying on IIS's TLS to manage mutual authentication using client and server side certificates. I'm relying on it to enforce security policies I've set up. If IIS's security is broken, then I'm hosed. The marginal risk I am exposed to by managing my web server using its built in tools doesn't seem so dramatic anymore. Using a separate mechanism to manage the web server actually adds a second, independent channel by which my site can be compromised.

      Intuition can be a faulty guide. If your goal is to get to market with close to a 100% of your eggs, you may be better off placing them in a single, well chosen basket, rather than distributing them between two baskets you don't have much trust in. Likewise, when the universe of choices is constrained by your employer or by your client, your best choice may be something you wouldn't have considered otherwise. Gambling when you need money is a fool's game, but if you're stuck in Casablanca without money for a good bribe, then Rick's roulette table starts to look pretty good, even though everyone knows it's rigged.

      Of course, I'm probably using Apache for this, but you can see the point. Speaking of Apache, Tomcat has a built in management application, and nobody I know of ever complains it is a security issue. That's because nearly everyone trusts Apache, and assumes that it is not a security issue.
      • Well, imagine a rectangular hyperbola produced by this equation: K = Security x Convenience where K is a constant representing the level of design and implementation skill an organization has.

        Nonsense. Organizations - depending on what they choose to emphasize - with great design and implementation skills can deliver solutions with poor convenience and horrible security.

        Microsoft is an excellent example of such an organization - they made the strategic decision to emphasize time-to-market and ve

  • by A beautiful mind ( 821714 ) on Monday May 30, 2005 @08:59AM (#12675859)
    This is what apache did with modules ages ago and webmin did years ago as well. Although all of it seems to be good what MS is doing, it is late with a few years again.
    • This is what apache did with modules ages ago and webmin did years ago as well. Although all of it seems to be good what MS is doing, it is late with a few years again.

      IIS is module-based (ISAPI) since the beginning.
    • This is what apache did with modules ages ago and webmin did years ago as well.

      Remember that this information is coming from bloggers. The barrier to entry to blogging about something is that you have the wherewithal to set up an account on a blogging host.

      IIS has been module based since day one - ASP is nothing more than an ISAPI module. Logging can be configured as external modules. Filters are external modules.

      I read a more detailed account and it really sounds like the big change is .htaccess kinds
  • Wait! (Score:5, Funny)

    by sammykrupa ( 828537 ) <sam@theplaceforitall.com> on Monday May 30, 2005 @09:07AM (#12675895) Homepage Journal
    Microsoft putting cool features into Longhorn!

    Next Slashdot Headline: Microsoft Takes IIS v7 Out of Longhorn
    • Why not make IIS a completely separate program? Why should every computer running XP professional even have the option to install a web server from the same disk as the operating system. I think Microsoft should really try to cut out all the stuff that really makes most desktops vulnerable. There are very few computers that need to have a web server, and even fewer that need to have one as complex as IIS.
      • I don't see a problem with IIS being on the same installation disk as windows as long as it is not obligatory and is not installed by default. After all, the number of different programs that come on most Linux distribution is significant. There is no need to make it more difficult to get various programs. The trick is to let the user choose what to install according to their need and not force it down his/her throat
  • SSL? (Score:3, Funny)

    by FlashBuster3000 ( 319616 ) on Monday May 30, 2005 @09:08AM (#12675898) Homepage
    Wah, SHA1 Broken! SSL!! WAAA, PANIC!!!

    just for all you tinfoilhats out there :)
  • by Dink Paisy ( 823325 ) on Monday May 30, 2005 @09:08AM (#12675899) Homepage
    IIS 6 already rivals (and may even exceed) Apache as far as security goes. These changes seem designed to reduce risk more than increase security, since the security is already there. The other features seem to address one of the biggest complaints with Windows from Administrators, namely that it is too centralized and too hard to administer remotely. Think of these as going further along the direction of the perfect operating system to run Hotmail on.

    Even if Microsoft does release the most secure web server ever, they will still have a huge problem to address: how to convince customers to move off of IIS 5, which has been exploited many times. Until that happens, all the new features do them no good at all.

    • Even if Microsoft does release the most secure web server ever, they will still have a huge problem to address: how to convince customers to move off of IIS 5, which has been exploited many times.

      No I think their biggest problem is how to enable the large hosting companies to manage sites. I have put together script to add sites and stuff to boxes which can be called from database triggers. I do not see how this is even thinkabout with IIS 4/5/6/7.

      Until some operating system problems are addressed the I

    • by codepunk ( 167897 ) on Monday May 30, 2005 @09:37AM (#12676050)
      Actually it still does not address the concerns of our IT manager. Hook it to a database and see how much that costs for licensing etc. On top of that it cannot possibly compete because the underlying operating system cannot perform active/active clustering and single image configuration. And even if it could perform active/active clustering the cost would still be way too high, vs me downloading centos and GFS and bringing up a high performance cluster.
  • by js3 ( 319268 ) on Monday May 30, 2005 @09:12AM (#12675918)
    I don't know I think they should improve the multimedia console one. Webbased admin tool might just end up full of holes anyways.

    I also noticed the upcoming virtual server 2005 SP1 is using a webbased admin tool. Why something like a virtual machine needs IIS to run to manage is a little baffling but there seems to be someone at microsoft who always comes up with these terrible ideas.
    • What good is a server without remote admin to a large shop? Far better to use something SSL-based than Remote Desktop to manage your servers, after all.

      Whether it's "insanely stupid" to use IIS as a part of remote admin will depend on how small its footprint turns out to be. I'm skeptical as well, but not at the basic idea, just at MS's ability to implement. If they can deliver a very lightweight web server, more power to them. If not, it will still be useful for machines that have to run IIS for anoth
  • Linked from the article: Guess he's using it already [longhornblogs.com]. ;)
  • Is it just me, or is the name "IIS web server" really lame? "Internet Information Server web server..." Yes, I know, Microsoft doesn't append "web server" to IIS, but if you have to tack on "web server" to remind people what the heck it is, then why not call it "Microsoft" web server instead of the nine-syllable babble-phrase? Sort of reminds me of PL/SQL, which when fully expanded is "Procedural Language/Structured Query Language".
  • NIHS (Score:5, Interesting)

    by putko ( 753330 ) on Monday May 30, 2005 @09:14AM (#12675928) Homepage Journal
    I know it is against "not invented here", but why don't they take a decent BSD-licensed web-server, and then "embrace and extend" the thing to do their proprietary extensions?

    If they've modularized their stuff, this should be possible. They've done this already with TCP/IP, Kerberos and so on.

    The overall product, to the extent that it benefitted from the work of free BSD-licensed improvements, would be good for everybody.
  • Why I hate IIS most. (Score:2, Interesting)

    by ceeam ( 39911 )
    Are they going to fix their totally, state-of-the-brain-damaged-art configuration interface? I was made a couple of times to try to fix IIS problems and damn, is that one misguided abomination if I've ever seen one. I dunno - maybe they should make it - you know - well commented plain text configuration file? Or even XML? I heard this works for others ;) But all in all - ASP.Net aside (I have not yet encountered that closely enough, knocking on the wood) is there a reason to use IIS at all? Apache for Win32 w
    • IIS 6 already uses XML for all its configuration files.
    • by _ZorKa_ ( 86716 ) on Monday May 30, 2005 @09:57AM (#12676171) Homepage
      Honestly who cares about ASP. No one today is really still writing in old ASP/VB (except maybe some intranets). However, if we are talking ASP.NET, in my repeated experience (since I work on a large team of web developers using multiple technologies), those migrating from PHP to ASP.NET constantly say "Wow, that would have taken me about 3 days to code that in PHP.". I mean simple things like caching are not built into PHP, you have to code it from scratch. Other things like OOP sessions don't exist. Everything is a freaking function for crying out loud. So you are left coding your own "framework" so to speak which is why there are a gazillion PHP frameworks out there all trying to imitate what ASP.NET provides you. Another example is the ever popular MVC model. ASP.NET does this out of the box. But with PHP you have to spend the time coding your own. I wrote PHP code for a long time dude, and switched to ASP.NET over a year ago and I haven't looked back. Open your mind. Do you want the green pill or the red pill?
      • '"Wow, that would have taken me about 3 days to code that in PHP."'

        Funny, that's pretty much what PHP people moving to Ruby/Rails keep saying too. Not that it's exactly difficult to beat PHP, but still..
      • Apache beats both PHP and ASP.

        Web development using Tomcat is a breeze, it's fully OOP, and you can choose from lots of MVC frameworks.

        You can say PHP is better because it is truly free, but Java is a much better language to code on, has a more consistent syntax, and is quite maintainable thanks to javadoc.

        I don't know what to say about ASP.NET, because I don't really know it.
    • I dunno - maybe they should make it - you know - well commented plain text configuration file? Or even XML

      IIS 6 already uses XML configuration files. It's in fact a quite rare move in the MS world - until then they only used their beloved "registry". I guess people asked them to use "configuration files", so they went for XML configuration files. But their approach is awkward: when you edit the configuration file and save it, IIS detects it and the corresponding registry configuration is changed to refl
      • by Anonymous Coward
        The XML files are there to simplify deployment. Just unzip the files on a new server and you're done with both content and site configuration.

        The synchronization with the registry is necessary for backwards compatibility, since many tools and applications expect to find configuration information in the registry. .m
  • by Ucklak ( 755284 ) on Monday May 30, 2005 @09:27AM (#12675999)
    Umm, you could do that with IIS 4.0. Is this just marketing the same thing and labeling it as new?

    Will they fix the backup and restore features so that you can transfer sites server to server without having to configure the whole damn thing?
    • That is the primary reason I hate IIS, why can't it be text configuration so that we can all script site administration?

      The metabase is just a pain to work with and requires, in most cases, the scripting host, which is slower than Java.
  • Still bloatware! (Score:1, Interesting)

    by bravado2112 ( 627937 )
    I don't know about you...but being an ex-ASP developer, I always found IIS to be rather bloated and testy. Even when I started using .NET and IIS 6 on a 2003 server...it still felt like bloatware! Give me an Apache server any day! :)
  • Microsoft Longhorn: A False Hope. (I'm probably the only one who understood that, but it is to do with the letdowns that the first 2 new Star Wars movies were, and the way that the titles of these movies were laid out. That or it just wasn't funny.)
  • My LAMP setup shines brightly enough for me.
  • Web-based remote administration utilising SSL

    Hands up those of you who think this will be nice and secure, and won't have any flaws. Hands up, all of you - c'mon, I can't see any hands up.
    The best thing they could do is run it on a different port, so that (with correct firewalling) it would only be accessible from the company admin ranges.

  • by ledow ( 319597 ) on Monday May 30, 2005 @10:01AM (#12676194) Homepage
    Anyone else noticed that the Hack IIS6 website from the previous slashdot article has gone down?
  • In addition, the software's admin tool has been completely revamped, and will allow Web-based remote administration utilising SSL.

    Which, somehow, will still be easily hackable, rendering the other security improvements useless because every script kiddie and their sister will be able to get remote admin access.
