Section 8.3. What s New in IIS 6

8.3. What's New in IIS 6

It's fair to presume that everyone involved in computing now has surfed the Web. The Web has become integrated into popular culture and many people now consider it a necessary utility, such as power and water. Microsoft recognizes this implantation of the Web into everyday life and has capitalized on it. Of course, the company also believes web services are the foundation of its revenue base in the future, so one shouldn't find it too hard to believe that Microsoft would improve the product on which it's basing its existence. But, no matter the impetus behind the revision, we all benefit from these improvements, as I'll discuss in this section.

In IIS 6 you can create multiple virtual servers on a single physical machine, with each virtual server acting as its own copy of IIS, having its own properties and security configuration. The most popular use of this is among commercial web hosting companies that host tens or hundreds of individual web sites on one machine. By configuring multiple virtual servers, these companies can isolate each customer's traffic and configuration.

Although virtual servers are nice, perhaps the most important architectural improvement in IIS 6 is the new web service DLL that is independent from the web serving mechanism. The new DLL is called into memory by worker processes, which you know from the previous section are simply separate "threads" that work on requests from the kernel mode web server driver, HTTP.SYS. These worker processes load dynamic scripts and programs that use ISAPI. By separating the web server driver from the web service DLL, you achieve a more stable environment because a failure (a poorly written script, an exception fault, or other problem) that in previous versions of IIS could have brought down an entire web site now is isolated to only one specific application. If an application does break, the web service DLL magically creates an identical process that can finish service to any remaining requests. However, IIS still keeps track of failures, and if the application is brought down again, the process is ended permanently. (This feature is called rapid-fail protection and you can configure it through the Application Pools property page, which I'll cover in detail in a later section of this chapter.)

IIS uses application pools to manage all these requests. HTTP.SYS acts as a traffic director, sending requests to the individual application pools based on the addresses (URLs, to be specific) of the applications. Because multiple worker processes can serve a single application pool, there's better response time within an individual application. But what happens when you have worker processes that fail? Do all these processes "catch" the failure going down and bring them down, too? Fortunately, this is no longer the case, specifically because of worker process isolation mode, which simply isolates a memory segment for each application and its associated worker processes. An added bonus from this isolation: you can limit CPU and memory use of individual applications to fine-tune load once you have a very active server that's hosting sites and web applications.

IIS 6 also introduces the concept of web gardens, which are multiple worker processes serving a single application all on one server. For very basic but highly active applications, this is an effective technique for managing load and increasing speed, but complex applications still will need to be serviced across multiple physical servers (known as a web farm). But IIS 6 actually improves performance and process migration across all machines in a web farm, so there's quality in that arena as well.

The alert among you might assume that if a clever hacker manages to penetrate HTTP.SYS, he's got control of the entire operating system. You'd be correct in that assumption. However, Microsoft has done a thorough code review of IIS at all levels and assures everyone in the Internet community that IIS will be well behaved. (And as of this writing in June 2004, to my knowledge Windows Server 2003 has suffered no IIS-specific vulnerabilities. This is one year and two months after the product's release.) In fact, IIS is not even installed by default, which takes care of a big problem: users would install a copy of Windows 2000 Server that happened to be connected to the Internet, and before they had a chance to install patches, Code Red and W32.Nimda would infect the machine. Further, even once IIS is installed it is set to serve up only static pages, not any dynamic content or script output. Even servers upgraded from previous versions of Windows server products have IIS disabled if the Setup program detects they are still operating with default settings intact. (Normally at least something is changed if IIS is in use on a particular machine, so even the deployment of Windows Server 2003 has a worm and virus "neutralizing" effect, disabling unused web servers that could be vulnerable to attack.)

There's also a laundry list of other minor improvements, some of which include the following:

• Furthering the discussion of isolation, the FTP server component of IIS runs in user isolation mode, so when users log on they are restricted to their own home directory and cannot view or even realize that other directories on the server exist. If you're familiar with Unix systems, this is much like a CHROOT jail.

• IIS 6 comes prepackaged with a set of administration scripts, written in VBScript, that you can run from the command-line. This is excellent if you have a custom program that you need to integrate with IIS to create and delete sites, make configuration changes, and so on.

• You can import configuration information, and export it as well, across the different aspects of IIS operation, from the directory to the site to the server level, so you can now create multiple servers that have identical setups.

• Configuration informationknown as the metabaseis also stored in a set of two XML files, instead of a mysterious binary file that no one could look at. Now Microsoft Product Support Services can't get off easily telling you your problem is a corrupt metabase and that you need to reinstallyou can actually go inside the files and see what the problem might be.

• IIS 6 will now compress responses formed from dynamic content before sending them to the user, resulting in faster transmission times from the server to the client. Static content is stored in a disk cache as well that HTTP.SYS can access directly, which makes for rapid access to commonly requested files.

• IIS 6 supports IPv6 if it's installed on a Windows Server 2003 machine.