Why is IIS 7.0 better architected and fundamentally more secure?
Web is one of the main areas of technological innovation in Windows Server 2008. IIS 7.0 set up is with a modular design to include more than 40 installable features. IIS 7.0 setup allows installing only those needed feature modules as to deploy a thin, task specific server with minimized footprint and attack surface.
In Windows Server 2003, IIS 6.0 is installed and secure with only static files are served by default. ISAPI extensions and CGI components are disabled to begin with and not functional until explicitly enabled, as opposed to IIS 5.0 (of Windows 2000) in which all features were installed and enabled by default. Nonetheless, the CGI feature, for instance, of IIS 6.0 is always installed regardless. The implication is if a software update for CGI becomes available, an IIS 6.0 server will need to apply this update, despite CGI is not enabled. Architecturally this suggests that IIS 6.0 installation remains monolithic since disabled feature are still installed, loaded into memory, consuming CPU, and requiring patching and updates. IIS 7.0, on the other hand, is fully modularized with only selected features are installed. Those disabled components are not installed, require no patching, and need no updates.