An Overview of Internet Information Services (IIS)

Internet Information Services (IIS) is one of the more commonly used Web servers on the Internet and on intranets. Through IIS, you can create and manage Web sites, and share and distribute information over the Internet or an intranet. With the introduction of the Windows 2000 Server OS came the launch of Internet Information Services (IIS) 5. IIS 5 included the name change from Internet Information Server to Internet Information Services. IIS 5 was integrated with the Active Directory directory service introduced in Windows 2000. It also included support for Web Distributed Authoring and Versioning (WebDAV), which allowed users to edit, delete and move files and directories, and share documents over the Internet. HTTP compression made it possible to transmit pages between the Web server and clients that support compression much faster. IIS 5 support for Terminal Services, also introduced in Windows 2000 Server, allows you to remotely administer IIS and other Windows services.

With the introduction of the Windows Server 2003 OS came Internet Information Services (IIS) 6. Because IIS 6 is integrated with Windows Server 2003, you need no additional software to manage multiple Web sites. In Windows Server 2003, IIS has been redesigned and offers greater reliability, scalability and flexibility, and enhanced performance over its earlier versions. The most important improvements made in IIS 6 pertain to security, performance and reliability. The remainder of this article focuses on the new features and enhancements introduced with IIS 6.

What's New In IIS 6.0

IIS 6 Security Enhancements and Features

The security vulnerabilities of earlier versions of IIS, including IIS 5, were continuously patched up by service packs and hotfixes available from Microsoft. Previously when IIS was installed, the following occurred:

  • All services were enabled and started.

  • All service accounts had high system rights.

  • Permissions were assigned to the lowest levels.

This meant that an IIS installation was vulnerable to attack as installed. Microsoft introduced the Security Lockdown Wizard in an attempt to address the security loopholes evident in the previous versions of IIS. In IIS 6, the Security Lockdown Wizard has been folded into Web Service Extensions (WSE). IIS 6 is installed in locked-down mode: the only feature immediately available is access to static content. You need to use the WSE node in the IIS Manager console tree to manually enable IIS to run applications and their features. By default, all applications and extensions are prohibited from running.

When installing IIS 6, the following occurs:

  • ASP and FrontPage extensions are disabled

  • ISAPI extensions and filters are not installed

  • Permissions are assigned at high, restrictive levels

The five authentication methods available to authenticate users in IIS 6 are listed below:

  • Basic Authentication

  • Digest Authentication

  • Anonymous access

  • Integrated Windows Authentication

  • .NET Passport Authentication

The above authentication methods can be configured at the following levels:

  • Web Sites node

  • An individual website

  • A virtual directory

  • An individual file

Integrated Windows Authentication is the most secure of these methods for authenticating users who connect to IIS 6. IIS can integrate with Microsoft .NET Passport so that Passport can be used as an authentication method. While Basic Authentication sends user credentials in a format that can easily be decoded, Digest Authentication uses MD5 hashing to protect the user credentials sent over the network, so the credentials themselves are hard to recover from what is transmitted. With Advanced Digest Authentication, the user credentials are stored in Active Directory as an MD5 hash.
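As an added example (not code from the article or from IIS), the following shows what Basic and Digest Authentication actually put on the wire, and how a server that holds only the MD5 hash HA1 (the value Advanced Digest keeps in Active Directory) can still verify a client's response. The user name, realm, password and nonces are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials and nonces for this example (not from a real server).
USER, REALM, PASSWORD = "alice", "intranet.example", "Circle Of Life"
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c0", "0a4f113b", "00000001"


def basic_header(user, password):
    """Basic Authentication only base64-encodes 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def basic_decode(header):
    """Anyone who captures the Basic header recovers the credentials with one decode."""
    return base64.b64decode(header.split()[-1]).decode()


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). Advanced Digest keeps this hash in Active
    Directory instead of the cleartext password, so the server can verify without it."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce=NONCE, nc=NC, cnonce=CNONCE, qop="auth"):
    """RFC 2617 request-digest with qop=auth; this hash is what crosses the network,
    never the password. The nonces tie each response to one server challenge."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1, method, uri, response, nonce=NONCE, nc=NC, cnonce=CNONCE):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)
```

HA1 is still a password equivalent, so the stored hash needs the same protection as a password, and MD5 gives no resistance to offline guessing of weak passwords from a captured Digest exchange.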

Other security enhancements included in IIS 6 are listed below:

  • Configurable worker process identity: With IIS 6, a Web site runs in an isolated process environment, called a worker process. This ensures that one Web application deployed on IIS is isolated from other Web applications on the same server. Previously, a failure of the World Wide Web (WWW) Publishing Service could cause the machine to shut down.

  • The worker process also shuts down applications if the IIS server is sent malicious code.

  • The worker processes of IIS 6 have low privileges and run in the context of the NetworkService built-in identity. The previous versions of IIS used the LocalSystem account.

  • In IIS 5, Hypertext Transfer Protocol (HTTP) data transmitted between the IIS Web server and the client could be encrypted through Secure Sockets Layer (SSL) and Transport Layer Security (TLS). With SSL/TLS, a cipher algorithm is used for encryption. IIS 6 supports the use of Server-Gated Cryptography (SGC), which is an extension of SSL/TLS. With IIS 6, SGC can utilize 128-bit encryption to protect data.

  • Selectable Cryptographic Service Provider (CSP) is a new IIS 6 feature that allows users to choose from a list of cryptography providers to provide the interface for encrypting data between the IIS Web server and Web client. CSP can also be used for certificate management. The default Cryptographic Service Providers are:

    • Microsoft RSA SChannel Cryptographic provider

    • Microsoft DH SChannel Cryptographic provider

  • Because of IIS 6 integration with Active Directory, you can use the Group Policy feature of Active Directory to further secure IIS. Through Group Policy, you can prevent users from deploying unauthorized web servers on the network.

  • IIS 6 also includes new types of ASP.NET authorization methods:

    • File Authorization: In this method, access control list (ACL) checking is performed for the user on the ASP.NET file. Only authorized users are permitted to access the file. You enable File Authorization by enabling Windows Authentication on the Web site.

    • URL Authorization: With this method, the URL namespace is used to store user information and access roles. Authorization information is contained in a text file which indicates whether a user is allowed or denied access.

IIS 6 Performance Improvements

With the IIS 6 architecture, HTTP listening and routing is moved to the Kernel Mode HTTP Listener component of IIS 6, which is implemented by the http.sys kernel mode device driver. Implementing the Kernel Mode HTTP Listener through http.sys has led to the following benefits:

  • Because the handling of HTTP requests has been moved directly into the kernel, IIS 6 provides increased performance and reliability over the earlier versions of IIS.

  • Processes that execute in kernel mode have a higher priority than any user mode processes, which means that http.sys improves on the processing time of HTTP requests.

  • Http.sys can continue to listen for, and queue HTTP requests in cases where the actual Web application for the requests is down.

New features and enhancements in IIS 6 that improve IIS performance are listed below:

  • HTTP compression improves performance by compressing HTTP responses to clients that support HTTP compression. Using HTTP compression in congested networks is particularly beneficial. You can configure HTTP compression on the following levels:

    • Web server level

    • Directory level

    • File level

  • IIS 6 can cache 64GB of data on 32-bit Intel platforms, and because cached data can be retrieved quite quickly, Web server performance is enhanced.

  • An application pool can have numerous worker processes hosting multiple Web applications. This configuration is called a Web garden and is a new IIS 6 feature. Through Web gardens, you can reduce blocking by binding worker processes to specific processors on SMP machines.

  • When a client requests an ASP page, the ASP code is compiled into an ASP template, which gets cached in the in-memory cache. These templates are cached so that they can be used again. This in turn improves performance.

  • Configurable connection limits and timeouts, bandwidth throttling, queue length limits and memory recycling are also all geared at improving performance of IIS in version 6.

IIS 6 Features and Improvements that Enhance Reliability

The Worker Process Isolation mode, the primary application mode used in IIS 6, includes the application pools, worker processes, health monitoring, and all other IIS 6 specific architectural features. In this mode, ASP applications, ASP.NET applications and ISAPI extensions are loaded into the worker processes. Web Administration Service (WAS) manages the application pools and worker processes.

The most significant advantage of running IIS 6 in Worker Process Isolation mode is that a single application failure does not result in multiple applications failing, because all user developed code is separated from the WWW service.

Health monitoring and detection of failed worker processes, which IIS 6 performs itself, improves the reliability of Web applications.

The Demand Start feature of IIS 6 only starts the worker processes associated with an application pool when the initial HTTP request for an application within the particular application pool is detected. This basically means that resources are not allocated at Startup. Through Demand Start, IIS can better manage processor, memory, and disk resources. It only allocates resources to start a worker process when an HTTP request is received for an application. The Web Administration Service (WAS) of IIS 6 manages Demand Start.

The Idle Timeout feature is another feature managed by WAS. Idle Timeout enables WAS to automatically shut down worker processes which are idle for a predetermined amount of time. Both the Idle Timeout feature and Demand Start feature improve IIS reliability, scalability, and performance.

The Kernel Mode HTTP Listener component, the http.sys device driver, operates within the Windows Server 2003 TCP/IP network subsystem. Http.sys listens for all incoming HTTP requests and is responsible for routing the HTTP requests to the appropriate worker process. Multiple worker processes usually run simultaneously to handle pools of applications. An application pool is associated with a kernel mode queue to which http.sys routes HTTP requests. Http.sys also caches HTTP responses for static content and dynamic content through a kernel mode cache. It manages TCP connections for HTTP requests and responses, bandwidth throttling, connection limits and connection timeouts, and text based logging for the WWW Publishing service. Through the use of application pools, Http.sys increases the number of websites which can be hosted, and improves performance and reliability of IIS. Access to IIS resources is more controlled in IIS 6.

IIS 6 and ASP.NET Integration

IIS 6 utilizes the newer ASP.NET (Active Server Pages) scripting language. The earlier versions of IIS utilized Active Server Pages (ASP). The benefits associated with using the ASP.NET scripting language are listed below:

  • With ASP.NET, the following caching options exist:

    • Cache complete pages

    • Fragment caching – cache parts of pages

    • Caching API – used by developers to control caching

  • With ASP.NET, the source file is compiled. In ASP, code is compiled line by line. ASP.NET therefore further improves the performance of IIS 6.

  • ASP.NET can be coded in multiple languages, including those listed below. An ASP.NET page can also contain code in more than one language.

    • VB.NET

    • JScript.NET

    • C#

The XML Metabase

With IIS 6, the IIS metabase is formatted and saved as a plain text file using the Extensible Markup Language (XML). In IIS 4 and IIS 5, the metabase was saved in the binary format. With IIS 6, you can use a text editor tool such as Notepad to edit the metabase file. You can also use Windows Management Instrumentation (WMI) tools or Active Directory Services Interface (ADSI) scripts to change the metabase file. Whether changing the metabase file manually or programmatically, you no longer need to stop and restart IIS to perform any changes to the metabase file.

The XML files in the IIS metabase are:

  • Metabase.xml: Contains the configuration data for the Web server. You can edit this file without stopping IIS.

  • MBSchema.xml: Contains the metabase XML schema.

The metabase history feature included in IIS 6 monitors changes made to the IIS metabase, and automatically saves backups of the metabase when changes are made to it. IIS 6 allows administrators to copy IIS configurations from one physical machine to a different machine through the use of ADSI scripts, WMI tools or the admin scripts provided by IIS 6.
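Because the IIS 6 metabase is plain XML, its security-relevant settings can be audited with a script instead of by clicking through IIS Manager. The following is an added example, not code from the article or from IIS: it reads a constructed Metabase.xml fragment, lists which Web Service Extensions are allowed to run, and flags paths where Basic Authentication is enabled without SSL being required. The property names WebSvcExtRestrictionList, AuthFlags and AccessFlags are real metabase properties; the file content and paths are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed Metabase.xml fragment for this example (not copied from a real server).
# IIS 6 writes multi-line list properties with &#xD;&#xA; between the entries.
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC"
 WebSvcExtRestrictionList="0,*.dll&#xD;&#xA;0,*.exe&#xD;&#xA;1,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,0,ASP,Active Server Pages&#xD;&#xA;0,C:\\WINDOWS\\system32\\inetsrv\\httpodbc.dll,0,HTTPODBC,Internet Data Connector" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
 AccessFlags="AccessRead | AccessScript" AuthFlags="AuthAnonymous | AuthBasic" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT"
 AccessFlags="AccessRead | AccessScript | AccessSSL" AuthFlags="AuthBasic | AuthNTLM" />
</MBProperty>
</configuration>"""

def _local(tag):
    """Drop the XML namespace so elements can be matched by metabase key type."""
    return tag.rsplit("}", 1)[-1]

def _flags(value):
    """Split a 'FlagA | FlagB' metabase flag string into a set."""
    return {f.strip() for f in value.split("|") if f.strip()}

def enabled_extensions(xml_text):
    """Names of Web Service Extensions whose status field is 1 (allowed to run).
    Each entry has the form 'status,path[,deletable,groupID,description]'."""
    allowed = []
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) != "IIsWebService":
            continue
        raw = node.get("WebSvcExtRestrictionList", "")
        for entry in raw.replace("\r\n", "\n").split("\n"):
            parts = entry.split(",")
            if len(parts) >= 2 and parts[0] == "1":
                allowed.append(parts[4] if len(parts) > 4 else parts[1])
    return allowed

def basic_auth_without_ssl(xml_text):
    """Metabase paths where AuthBasic is on but AccessSSL is not, i.e. where
    credentials would cross the network as base64 text over plain HTTP."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) not in ("IIsWebServer", "IIsWebVirtualDir", "IIsWebDirectory"):
            continue
        auth, access = _flags(node.get("AuthFlags", "")), _flags(node.get("AccessFlags", ""))
        if "AuthBasic" in auth and "AccessSSL" not in access:
            findings.append(node.get("Location"))
    return findings
```

Pointing the two functions at a real Metabase.xml (read with the file's own encoding) gives a quick check that the lockdown described above is still in effect after an administrator edits the file by hand.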

Other IIS 6 Features

  • IIS 6 includes UTF-8 support for file names and URLs. In previous versions of IIS, the log file was in English only, which often presented a problem for multilingual Web sites.

  • IIS 6 can be administered in a number of ways:

    • MMC console

    • Terminal Services

    • WMI

    • ADSI

    • Administration scripts

  • Fewer reboots are needed after configuration changes are made. This means less downtime for applications running on IIS 6.

  • Process recycling enables the worker processes to be restarted periodically. This supports applications which have memory leaks or other issues.

  • Through orphaning, IIS can kill any hung worker processes and start new worker processes to replace them.