HTTP.Sys is the new kernel process that accepts all incoming IIS traffic. It uses application pools to assign resources to Web sites.
IIS 6.0 runs on a separate worker process model. This means every Web site is a separate ISAPI application memory space and is detached from IIS. This mechanism is different from the IIS 5.0 isolation model.
We can use certificates to authenticate a user to IIS 6.0. These certificates can be mapped to Windows user accounts in many ways. They are Directory Service, one-to-one, or many-to-one mechanisms.
The most flexible method is many-to-one certificate mapping. This has less overhead in administration and less maintenance compared to the others. It will also support large organizations and third- party certificate authorities (CAs).
There are several authentication methods available in IIS 6.0: anonymous, basic, digest, and integrated Windows authentication.
The IIS 6.0 default authentication method is integrated Windows authentication. This is enabled by default by the installation process.
IIS 6.0 will impersonate the IUSR_ComputerName account to enable anonymous access. This access should only be available on the public nonsensitive Web sites of the enterprise.
Basic authentication is supported by most browsers. This authentication is specified in the W3C HTTP specification. However, this mechanism is not the safestit will transfer the username and the password as clear text to the IIS server.
Digest authentication is similar to basic authentication. However, the credentials are encrypted as an MD5 hash message digest. This authentication is only available on WebDAV directories.
Integrated Windows authentication also uses a hash algorithm to encrypt the data communication between the client and the IIS server. It also implements the Kerberos V5 protocol to assist the Windows operating system to authenticate users.
The Remote Authentication Dial-In User Service (RADIUS) protocol defines a single sign-on mechanism for multiple remote connections to the enterprise (for example, VPN, Internet, and wireless access).
RADIUS implementation in Windows Server 2003 is referred to Internet Authentication Service (IAS). The IAS acts as both a proxy server and authentication server for enterprise users.
There are several risks to IIS installations. Windows 2003 delivers Internet Connection Firewall and Web Service Extensions to combat some of them.
IIS 6.0 is installed in a locked-down stage in Windows 2003. We need to use Web Services Extensions to configure the correct settings after the installation.
FTP username password credentials are passed as clear text. Therefore, use SSL on WebDAV or Point-to-Point Tunneling Protocol on VPN to encrypt the FTP credentials.
There are several ways to secure Web, FTP, NNTP, and SMTP implementation of IIS 6.0. Most of them will include encryption mechanisms like SSL, Transport Layer Security (TLS), or Point-to-Point Tunneling Protocol.
There are several new security features in IIS 6.0: advance digest authentication, server-side cryptography, selectable cryptography provider, and new authorization framework.
There is a Heath Detection system between IIS and the separate worker processes.
ASP.NET is the default scripting mechanism available in IIS 6.0. It will still support the old ASP applications.
503 errors are due to the influx of HTTP requests to HTTP.Sys. This could lead to rapid-fail protection to restart the worker process.
Create a monitoring base line by using IIS logs, Security event logs, Security auditing, and Health Monitor in IIS 6.0.
We can also use Network Monitor and System Monitor to track abnormal behavior (due to security breach) of the network and the system, respectively.
Content Management servers can be used to deploy content to multiple IIS servers in a Web farm. We can also use other third-party content management servers for the same purpose (for example, Vignette).