Feeds

Cut to the Web Server Core: Windows Server 2008

Apache not served

SANS - Survey on application security programs

Failed Request Tracing is another new feature worth mentioning. You can define what constitutes a failed request, by status code, time taken, or event severity, and have IIS log those requests in detail to a failed request log. The big advantage is the detail available. For example, Windows is prone to permission issues that can be hard to pin down.

Unfortunately, some administrators take the easy option and relax security generally instead of solving the specific issue. Failed Request Tracing makes it easier to identify and fix the exact problem.

PHP support is much improved. The key to this is built-in support for FastCGI, which keeps a CGI service loaded between requests with great speed benefits. A complication with PHP on Windows is that differences between Windows multi-threading and Unix multiple processes required either the use of a thread safe build, which is detrimental to compatibility with some extensions, or using a normal build but under CGI, which is slow.

Now you can use the non-thread safe build with FastCGI, which is great for both performance and compatibility. Setting up PHP on our test server was trivial, using manual configuration and the standard binary download from php.net.

IIS 7 v Apache

How does IIS now compare to Apache? Apache is the most popular web server by some margin, with more than 50 per cent market share according to Netcraft. Nevertheless, IIS has actually increased its share during the last couple of years, though meaningful figures are hard to track down because of domain parking and huge shared hosting providers. Security has also improved since IIS 6.0.

For most users, the choice between Apache and IIS makes itself. If you need ASP.NET and Windows integration, or to run SharePoint services, then IIS is the only choice. Otherwise, Apache has had all the advantages of cross-platform support, and great stability and extensibility thanks to its wide adoption and community. This balance will not change fundamentally with IIS 7.0, though some of the reasons for favoring Apache are now less compelling.

Per-directory configuration files in IIS should perform better then .htaccess files in Apache, and the most annoying characteristics of IIS for shared hosting have been resolved. We have not tested performance or scalability, though Microsoft's developer division general manager Scott Guthrie claims substantial gains over IIS 6.0. It has been tested for up to 20,000 sites on a single box, with "acceptable performance for shutdown and startup".

For those who do choose Server 2008, there are a bewildering range of editions, running from Web Server to DataCenter. Note that Server Core is an installation option, not an edition in itself. Significantly, the DataCenter edition comes with unlimited virtual image rights, making it best value for serious virtualization. Note, too, that the new Hyper-V virtualization technology remains in beta, even in the final Server 2008 release.

Other interesting features for developers include new Terminal Services features, including RemoteApp that lets you remote an individual application, rather than a complete desktop, and TS Web Access, which lets users start applications from a web link. In combination with TS Gateway, you can run Terminal Services over HTTPS making this a powerful option for firewall-friendly remote working.

Solid improvements

Whereas Vista has been a PR disaster, it is unlikely that its cousin Server 2008 will meet the same fate. There are solid improvements over the predecessor Server 2003, including IIS 7.0, granular installation, improved terminal services, the Server Core, command-line control, and changes to Active Directory. Hyper-V is nicely done, and although it is nothing special in relation to competing products from VMWare and others, its integration and neat tools will win users when it comes out of beta.

Don't get me wrong - there are frustrations. I banged my head on the desk when I saw that Server 2008 still sets “Hide extensions for known file types” and other such nonsense in IE. In other words, it’s still Windows; but a welcome upgrade nonetheless.®

3 Big data security analytics techniques

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
New Facebook phone app allows you to stalk your mates
Nearby Friends feature goes live in a few weeks
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.