Datasheet
Minimal Installation
IIS 7.0 continues the tradition of its predecessor with minimal installation the default. IIS is not installed
with the default operating system install, and a basic install only selects those options needed for serving
static HTML files. The installation GUI for IIS 6.0 allowed a choice of eight different options, including
installing FTP, whereas IIS 7.0’s setup allows for more than 40 options. This granularity of setup reduces
the memory footprint of IIS 7.0, but more importantly, it reduces the security footprint as well. In IIS 6.0,
a component such as CGI might never be used, but the code was still present in the core DLL. That
means that a security exploit discovered in the CGI code will affect all IIS 6.0 installations, regardless of
whether they use CGI. It also means that patches for the CGI code would need to be applied, even if you
didn’t run CGI.
The default installation of IIS 7.0 installs components needed for static HTML content, along with
default documents, directory browsing, HTTP errors, and redirection. It also adds .NET extensibility for
module extensions, as well as basic logging and tracing functions and request filtering (similar to the
functionality provided by URLScan in previous versions), HTTP compression for static content, and the
administration console. This means that, similar to IIS 6.0, a default installation can serve static content,
with little other functionality.
Figure 1-3 shows the default installation options, enabling static content and very little else. Additional
services, such as ASP.NET, can be installed either at installation or through configuration files. By leav-
ing out services you don’t need, the reduced amount of code provides for a reduced attack footprint for
the overall installation. Installation options are covered in Chapter 4.
Figure 1-3
15
Chapter 1: Background on IIS and New Features in IIS 7.0
97823c01.qxd:WroxPro 2/4/08 6:47 PM Page 15