I took a look at the default install of IIS on Windows 2003. The more things that I look at, the more disappointed I am with this new operating system.

The general observation is that the default install of IIS is very similar to the version 5 install of IIS that had the IIS lockdown tool applied to it. Here are the specifics:

IIS 6.0
ISAPI filters are not mapped - There is a "java-like" Web Service Extensions folder where you can enable filters and set their properties. It appears to be an attempt to centralize settings and also bring them into compliance with IIS's hierarchy model. In my opinion, it is piss poor.

HTTP.SYS - Yeah, they now have IIS operations being handled at the kernel level. But wait, does it always? Strangely, IIS 6.0 offers two modes of operation, Worker Process Isolation Mode (default if you set up IIS fresh) or IIS 5.0 Worker Process Mode. From what I can tell, they added the IIS 5.0 mode because some apps may not agree with the new IIS 6.0 architecture. Hmmm, can anyone see a possible avenue for haxoring????? I for one will be keeping a *close* eye on how apps interact with the new mode of IIS operation. Also, if you upgrade from earlier versions of IIS, Windows 2003 will automatically configure IIS 6 to run in IIS 5.0 Worker Process Mode. They say that this is to maintain compatibility with your existing apps, but doesn't that also mean that you aren't getting the new added kernel mode operation benefits??!! C'mon, give me a break. How many people are going to set up IIS 6.0 from scratch? There will be tons of W2K3 servers running IIS 5.0 out there. How nice.

Metabase content is now stored as XML instead of binary. Not much to say about this other than you can change metabase NFO on the fly. I guess that is useful to some people but certainly not me.

Security - LOL, MS would have you think that they have added enhancements, but the only thing that has been added is Passport support. SSL, Kerberos and the usual security config wizards have been carried over from IIS 5.0.

Cluster support is unchanged; however, it is now handled by the OS rather than IIS (iissync.exe is no longer supported).

ASP - There is too much to list on the changes made with ASP interaction in IIS 6.0. If you use ASP pages, start reading now.

TUNING - What's interesting is that IIS is performance tuned out of the box. They have made changes that I used to make right away. For instance, connection timeouts are now set to 120 seconds instead of 1200. They also limit connections to 1000. Hmmmmm, another interesting change because it is well known that the stack becomes unstable after 1000 connections on a Windows box.

Well, that's my high-level look at IIS so far. I'm going to look at the inner workings of HTTP.SYS to see if indeed the sandbox created is as tight as MS claims it is.

Hope this helps out.
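
An added example, not part of the original post: because the metabase is now XML, an upgraded server left in IIS 5.0 isolation mode, or carrying the old timeout and connection settings, can be spotted with a short audit script. The attribute names (`IIs5IsolationModeEnabled`, `ConnectionTimeout`, `MaxConnections`) and the namespace are assumptions about the IIS 6.0 metabase schema, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed metabase as it might look after an in-place upgrade.
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebService Location="/LM/W3SVC"
        IIs5IsolationModeEnabled="TRUE"
        ConnectionTimeout="1200"
        MaxConnections="4294967295" />
    <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
        ConnectionTimeout="120" MaxConnections="1000" />
  </MBProperty>
</configuration>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def audit_metabase(xml_text, max_timeout=120, max_conns=1000):
    """Return (location, finding) tuples for W3SVC nodes.

    Default thresholds are the fresh-install values quoted in the post
    (120 second timeout, 1000 connections).
    """
    findings = []
    for node in ET.fromstring(xml_text).iter():
        loc = node.get("Location")
        if loc is None or not loc.upper().startswith("/LM/W3SVC"):
            continue
        # Isolation mode is a service-wide switch, so only check it there.
        if local_name(node.tag) == "IIsWebService":
            if node.get("IIs5IsolationModeEnabled", "").upper() == "TRUE":
                findings.append((loc, "IIS 5.0 isolation mode enabled"))
        for attr, limit in (("ConnectionTimeout", max_timeout),
                            ("MaxConnections", max_conns)):
            value = node.get(attr)
            if value is not None and int(value) > limit:
                findings.append((loc, f"{attr}={value} exceeds {limit}"))
    return findings


if __name__ == "__main__":
    for location, finding in audit_metabase(SAMPLE_METABASE):
        print(f"{location}: {finding}")
```
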