Tuesday, May 10, 2005

Here's a decent hardening guide for IIS 6 I ran across.

http://www.shebeen.com/win2003/

 

Tuesday, May 10, 2005 1:39:21 AM (GMT Standard Time, UTC+00:00)
Wednesday, May 04, 2005

I met Roger Grimes through Windows IT Pro magazine conferences and events. He's a great guy with whom I have a lot in common. Trainer, speaker, author kinda guy. You don't meet many people who can talk well about technology, who can also teach, who can also write - but he's good at all of that. So I was interested in his idea of creating an IIS 6 server and inviting the world to hack it. Like me, he's really tired of the myth that IIS is an insecure platform. People who know me know that I would be one of the first to say if this was otherwise, LOUD and clear, but it ain't so. So I say loud and clear, IIS is a secure platform. Debunking IIS mythology is one of the things I love to do - inside and outside Microsoft. For example, it's a myth that scripts need Execute permission. There's a lot of IIS documentation that says it does - but it doesn't. Ditto for the IUSR account requiring Log on Local rights - never has required that but it is a persistent myth. I've done presentations galore on these myths, but none is more persistent than "IIS is insecure".

Now to be sure, IIS 5 gold out of the box is highly insecure. Those days are gone and a properly hardened IIS 5 server is very secure indeed. You may not believe it, but there are thousands upon thousands of IIS 5 servers out there with mission critical, publicly accessible web applications that have never seen a successful breach. IIS 6 SP1 out of the box is a secure installation and I challenge anyone who says otherwise.

In fact, if you can find a security hotfix for IIS 6 - let me know. That means a critical security update to IIS 6 binaries, not services that IIS 6 uses such as asp.net. People never seem to blame Apache for problems with PHP, but an asp.net issue somehow gets lumped in as an IIS issue. To be fair, asp.net runs exclusively on IIS and they are both Microsoft products so there is a big bucket called "Microsoft web delivered applications" that you can point at as a cumulative indicator for security issues and get bigger numbers than zero - however just do the same on Apache/*nix and compare. Apples to apples as it were.

So Roger is putting up the server and we'll see what happens! Hackiis6.com.

-brett

Wednesday, May 04, 2005 5:40:30 PM (GMT Standard Time, UTC+00:00)
Tuesday, May 03, 2005

It's a bit strange working at Microsoft at times. It's challenging since I have a crystalline notion of what Microsoft needs and what customers want - yet navigating this big ship is not something you do quickly. This is a big, I mean GIGANTIC change from my entrepreneurial past. My inclinations are to do things myself and that has worked very well for me in the past.

From a customer perspective, people want Microsoft to be responsive and to be able to have a voice - impact the product, documentation and training. They want Microsoft to be proactive to tell them about known problems so you don't have to discover them from an obscure KB article, to let you know when a new IIS tool comes out rather than having to dig it out of microsoft.com/downloads or finding out on a forum. They want to know where and how to get peer support and elevate issues to Microsoft. They want EXPERT information on a continual basis as well as introductory material that gets people into the technology.

Funny thing is, that's what Microsoft wants too. So why aren't we doing a better job of it? That is what I'm trying to find out and solve. Weird things like there's no IIS logo or exam are indicators of the issues here. But I am working diligently on behalf of the IIS community as best I can. If it ever seems otherwise, please let me know. If this goes well, it will be great for us all.

- brett

 

Tuesday, May 03, 2005 5:27:22 PM (GMT Standard Time, UTC+00:00)
Monday, May 02, 2005

One of the things that Microsoft is doing is trying to make writing code more accessible to many. There are quite a few "express" products in beta right now that I think you'll find quite useful. Check out:

· Visual Web Developer 2005 Express Edition for developing web applications with ASP.NET 2.0

· Visual Basic 2005 Express Edition for developing smart clients with VB

· Visual C# 2005 Express Edition for developing smart clients with C#

· Visual C++ 2005 Express Edition for developing smart clients with C++

· Visual J# 2005 Edition for developing smart clients with the Java language

· SQL Server 2005 Express Edition for using local data from Windows and web applications.

 

As a non-developer myself, I like tools that make the entry price low (how about free!) for getting my hands on tools that let me explore new technologies. In particular the web developer stuff is cool.

 

Monday, May 02, 2005 4:41:02 PM (GMT Standard Time, UTC+00:00)
Sunday, May 01, 2005

Hi,

Some of you have wondered what has become of me since I started at Microsoft. My posting activity on iislists.com has dropped significantly - not due to lack of interest, but due to working massively on new tasks. When I took this job as Server Evangelist at Microsoft specializing in IIS, I knew they wanted me to hit the ground running, but it was more like hitting the ground in the Indy 500. Day 1 was like "by the way - we have 5 events that you're responsible for organizing and the first one is in 6 weeks".

One thing at Microsoft is that people are generally quite helpful but you are on your own a lot to figure out things. I thrive in that kind of environment, but it can be daunting. For example, to pay for some stuff at the events I am managing, like in any company, you have to open a PO. People that have been here can do that in a minute - for me, it's an all-day task! You have to take a training on how to do it, then figure out what accounting details, etc. Newbie stuff like that can really slow you up.

Muddling through that kind of thing can take - oh, a couple years.

The events I'm working are IIS 7 Technical Previews. Very cool stuff. One thing for real - the IIS team rocks. I kid with people (half kidding), that evangelizing IIS 7 is like selling a new Maserati. Just take the cover off and show the car. People go wild then "great job Brett, taking the cover off like that".

While there's a lot more to it than that, it's not entirely untrue. My bias has always been that you let the technology talk, rather than try to overwork the language into marketing blurbs. Techno types spot the hype a mile away. We all just want to know how it works better to solve our problems, what new possibilities it creates, and does it work with what I have. The good news is that IIS 7 has a great story with all of these things.

More great news, Microsoft is a great company to work for.

Later,
Brett

Sunday, May 01, 2005 7:54:43 AM (GMT Standard Time, UTC+00:00)
