Chapter 1. Overview of Microsoft Web Services

Each new version of Microsoft Internet Information Services (IIS) has represented a major advance in Web server technology. The changes have been dramatic, and they’ve improved reliability, availability, scalability, manageability, and security. However, no version of IIS has brought the kinds of changes you’ll find in IIS 6.0—so if you think you know IIS 6 because you knew a previous version, think again.

Microsoft’s entire .NET strategy is tied to IIS 6, so much so that you can think of IIS as the heart of Web application services within the Microsoft Windows .NET Framework. IIS is no longer a simple bundle of services for putting up a Web site—it’s a complete solution for hosting Web servers and Web applications, and the Web application architecture is one of the most versatile you’ll find anywhere.

IIS 6 has been redesigned from the bottom up. For starters, ASP.NET and the Windows .NET Framework are fully integrated into IIS 6, which significantly changes the way you use IIS. Further, unlike IIS 5, where the main Web server process was often a major choke point that severely affected performance, IIS 6 has a redesigned request processing architecture that allows the server to perform better, to reserve fewer resources, to handle more virtual servers, to detect failures and resolve them, and much more.

IIS 6 has many other new and enhanced features. Few are more important than the changes to the security architecture. IIS 6 has multiple levels of security, and it adds authentication mechanisms (including .NET Passport authentication and delegated authentication), improves Secure Sockets Layer (SSL) by enhancing performance and adding support for crypto service providers, and supports Uniform Resource Locator (URL) authorization whereby administrators can control access according to applications and URLs.

Because of the many changes, a lot of what you know about IIS is obsolete or irrelevant. But it’s not all bad news. There’s a light at the end of the tunnel—well, it’s more like a freight train coming right at you—but it’s there. The changes in IIS 6 are well worth the time and effort you’ll spend learning the new architecture and the new techniques required to manage Web servers. Our dependence on ASP.NET and Windows .NET Framework will only grow over time, and the more you learn about the heart of the .NET architecture—IIS 6—the better prepared you’ll be for now and for the future.

Note

Throughout this book I’ll refer to administration of IIS, Web applications, and the Indexing Service as Microsoft Web administration or simply Web administration. Microsoft Indexing Service is used to create text indexes of the contents and properties of files so that the files can be searched using standard queries.

As you get started with Microsoft Web administration, you should concentrate on these key areas:

  • What’s new or changed in IIS 6

  • How IIS works with your hardware

  • How IIS works with Microsoft Windows–based operating systems

  • Which administration tools are available

  • Which administration techniques you can use to manage and maintain IIS

Note

In this book, the term Windows Server 2003 refers to these members of the Microsoft Windows Server 2003 family: Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows Server 2003, Web Edition. In addition, all procedures described in this book are based on the default version of Windows Server 2003; if you are using the Classic Start menu, some of the steps will be slightly different.

Introducing IIS 6

Internet Information Services (IIS) is designed to provide secure, scalable solutions for creating and managing World Wide Web sites and servers. You can use IIS to publish information on intranets, extranets, and the Internet. Because today’s Web sites use related services, like File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), ASP.NET, and Windows .NET Framework, IIS bundles these services as part of a comprehensive offering. A separate but related service is the Indexing Service, which is used to build catalogs of documents that can be searched. When you add this capability to a Web site, it allows users to search for topics of interest using a standard Hypertext Markup Language (HTML) form.

IIS 6 Request Processing Architecture

Unlike IIS 5, where the main Web server process was often a major choke point that severely affected performance, IIS 6 has a redesigned request processing architecture that allows the server to perform better, to reserve fewer resources, to handle more virtual servers, to detect failures and resolve them, and much more. This architecture has several key features:

  • HTTP listener process. In IIS 6, the main Web server process is a kernel-mode driver called Http.sys. It’s used for Hypertext Transfer Protocol (HTTP) parsing and caching. It’s responsible for listening for requests and passing them off to worker processes.

  • Worker processes. Worker processes run in an isolated mode that allows administrators to group different Web applications. Worker processes are isolated by application pool and can be allocated on demand, meaning they’re allocated system resources when they become active and don’t use system resources when they’re inactive. This architecture improvement, along with others, ensures that IIS 6 can support many more concurrent processes than previous versions.

  • Application pools. Groups of Web applications are called application pools. Application pools are separated from one another by process boundaries and are serviced by one or more worker processes, which applications in the pool share. All Web sites and applications on a server are assigned to an application pool. Settings for application pools allow you to monitor worker processes and to recover automatically from any problems that might occur.

  • Application pool request queue. When requests are passed off from Http.sys to worker processes, the requests are placed in the appropriate application pool request queue. Each application pool has a separate request queue. Worker processes assigned to the application pool handle the request in first in, first out (FIFO) order. You can assign worker processes a processor affinity so that specific processors handle their workload.

Although you’ll learn even more about the request processing architecture in Chapter 2, these two chapters only scratch the surface of the dramatic change the new architecture represents. To understand the architecture completely, you’ll need to read the chapters in Part II. These chapters discuss site, server, and application configuration; worker process assignment; and application pool configuration.

IIS 6 Security Architecture

The security architecture is another major area where IIS 6 has been redesigned. The new security architecture has several important features that you should know about right now:

  • Capability lockdown. IIS isn’t installed by default on Windows Server 2003. When you install IIS, the default installation allows only static content (HTML files) to be served, and all other functions and types of content must be specifically enabled. Nonstatic content is managed through the Web Service Extensions settings. See Chapter 4 for details. Further, if you upgraded the operating system on a server that was previously running IIS, the IIS service might be disabled. To reenable IIS, you might need to enable the IIS service as well as the associated services.

  • Privilege changes. By default, many IIS 6 features run using the built-in account NetworkService. This account has very few privileges and is designed to ensure that IIS and related processes have very few privileges on the server. Although good for security and reducing potential vulnerabilities, it might change the way you use IIS, and some applications or features might work differently than you expect. Be sure to take a look at this account’s privileges.

  • Tool and file restrictions. IIS won’t serve requests for invalid files. It verifies all file requests before serving them, checking file extensions and for the existence of the requested content. IIS won’t run command-line tools or other command-line executables.

  • Authentication enhancements. IIS has a number of enhancements for authenticating requests, including URL authorization and delegated authentication, but the most important change is without doubt the support for .NET Passport authentication. Through their .NET Passport identification, users can be validated and authorized access according to the access controls in their corresponding Active Directory service user account.

Real World

There’s a way to run Web applications in IIS 5 mode. It’s called IIS 5 isolation mode. Although operating in this mode might solve problems with applications that won’t run under the new IIS 6 architecture, security restrictions might also be affecting the way applications are running. Be sure to read Chapter 7, "Enhancing Web Server Security," so that you understand the changes to the security architecture.

Additional IIS 6 Features

IIS 6 has many additional features. Some that you’ll want to learn about include:

  • FTP restart. FTP restart allows clients to resume FTP downloads without having to download the entire file again if an interruption occurs during transfer. When a connection is broken during a download, compliant clients (such as Microsoft Internet Explorer 5) can reestablish their file transfer using the REST command, and the file transfer will resume where it left off.

  • FTP user isolation. IIS 6 allows you to isolate users to their own directories so that they can’t view or overwrite other users’ content.

  • Health monitoring. Just as Windows Server 2003 monitors the health of its running processes, so does IIS 6. IIS 6 takes this monitoring a few steps further, though. It can detect and recover from memory leaks, problems in code, and blocking calls. IIS can also check for nonresponsive processes and then recycle or restart processes as necessary.

  • Host headers. Host headers allow you to host multiple Web sites on a single computer with only one Internet Protocol (IP) address. Here, IIS uses the host name passed in the HTTP header to determine the site that a client is requesting.

  • HTTP 1.1 and HTTP compression. IIS fully supports the HTTP 1.1 protocol and the compression enhancements it defines. Using HTTP compression, you can compress both static and dynamic results of HTTP queries for transmission to HTTP 1.1–compliant clients. Unlike IIS 5, where compression was implemented using an Internet Server Application Programming Interface (ISAPI) filter and could only be enabled for an entire server, IIS 6 builds in compression as a feature that you can control precisely to the file level.

  • Kernel-mode cache. Http.sys runs in kernel mode and passes requests directly to the worker processes without intermediaries. Previously requested static content can be cached, and unlike previous versions of IIS, dynamic content can be cached in kernel mode as well to improve performance. To better support Active Server Pages (ASP), ASP templates are stored in memory and deallocated from memory to free space for new templates. Unlike previous versions, IIS 6 uses a persistent ASP template cache. Here, deallocated templates are written to disk, where they can be accessed and reallocated. IIS 6 also has a heuristics-based caching policy. This policy is designed to ensure that files are cached when it makes sense and aren’t cached otherwise.

  • On-demand starting and time-out. You can configure application pools so that worker processes start on demand and time out when they’re no longer needed. By starting on demand, the process uses resources only when it’s active. By timing out, the resources used by the worker process can be freed up when the process has been idle for a certain amount of time.

  • Process accounting and process throttling. Process accounting provides information about how individual Web sites use CPU resources. Process throttling allows you to limit CPU usage for out-of-process applications and thereby potentially reduce performance problems on the server as a whole.

  • Rapid-fail protection. Rapid-fail protection allows IIS to monitor worker processes for failure. If IIS detects failure, IIS can take actions to record and recover, such as logging a related event in the event logs and restarting the worker process.

  • SSL 3 and TLS. SSL 3 and Transport Layer Security (TLS) provide secure methods of exchanging information between clients and servers. SSL 3 and TLS also enable the use of client certificates that can be read by Internet Server Application Programming Interface (ISAPI) server pages. Client certificates are used to authenticate users and control access by mapping the client certificate to a Windows user account.

  • WebDAV. Web Distributed Authoring and Versioning (WebDAV) extends the HTTP 1.1 protocol and is integrated into IIS. Using WebDAV, remote users can publish, lock, and manage resources on a Web server using an HTTP connection.

  • XML metabase. The IIS metabase is now formatted using Extensible Markup Language (XML) and stored in plaintext files. XML’s structure makes it easier to search and maintain the metabase and also improves performance when working with the metabase. The XML metabase can be edited while IIS is running. It can be used to save configurations at the server, site, or application level so they can be used on other servers, which can help ensure that configurations across server farms are exact copies of each other. The metabase also supports automatic versioning and history. This means that IIS automatically tracks changes to the metabase and changes that are made can be rolled back to restore a previous configuration.
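
The capability lockdown and XML metabase items above can be checked together. The following is an added example, not code from the book or from Microsoft: a Python audit that reads a plaintext metabase and lists which Web Service Extensions are allowed, flagging wildcard allow entries. The metabase fragment is constructed and simplified, and the layout of the WebSvcExtRestrictionList entries is an assumption stated in the comments.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified MetaBase.xml fragment (not from a real server).
# Assumed entry format: AllowDenyFlag,ExtensionPhysicalPath[,UIDeletableFlag,GroupID,Description]
SAMPLE_METABASE = r"""<configuration>
 <MBProperty>
  <IIsWebService Location="/LM/W3SVC"
    WebSvcExtRestrictionList="0,*.dll
        1,*.exe
        1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages
        0,C:\WINDOWS\system32\inetsrv\httpext.dll,0,WEBDAV,WebDAV"/>
 </MBProperty>
</configuration>"""


def parse_restriction_list(raw):
    """Split the multi-line attribute value into (allowed, path) tuples."""
    # XML parsers normalize newlines inside attribute values to spaces, so
    # split at whitespace that is followed by the next entry's 0/1 flag.
    entries = []
    for item in re.split(r"\s+(?=[01],)", raw.strip()):
        fields = item.split(",", 4)
        if len(fields) >= 2:
            entries.append((fields[0] == "1", fields[1]))
    return entries


def audit_metabase(xml_text):
    """Return (allowed_paths, findings) across all restriction lists."""
    allowed, findings = [], []
    for elem in ET.fromstring(xml_text).iter():
        raw = elem.get("WebSvcExtRestrictionList")
        for is_allowed, path in parse_restriction_list(raw or ""):
            if not is_allowed:
                continue
            allowed.append(path)
            # A wildcard allow enables every unlisted ISAPI (*.dll) or CGI
            # (*.exe) binary, which undoes the static-content-only default.
            if path.startswith("*."):
                findings.append(f"{elem.get('Location')}: wildcard allow {path}")
    return allowed, findings


if __name__ == "__main__":
    allowed_paths, audit_findings = audit_metabase(SAMPLE_METABASE)
    print("Allowed extensions:", allowed_paths)
    print("Findings:", audit_findings)
```

Run against a copy of the metabase rather than the live file, and compare the result with the extensions your applications actually need.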
