There are over three dozen components and subcomponents to choose from when installing IIS. Table 9-2 discusses the various components. One of IIS 7's biggest improvements over previous versions is the granularity with which features can be installed or left out. For instance, you can install Windows Authentication but not Digest Authentication. If you don't install a particular component, such as Digest Authentication, the associated code is neither installed nor loaded into memory. This reduces the server's attack surface and provides incremental performance benefits. Installers should choose the bare minimum set of components necessary to support their web server's applications. Unfortunately, the new level of granularity makes installing IIS a chore. You choose among 48 feature checkboxes spread over three levels, and there is no "install all" setting; a complete IIS install takes 24 separately enabled checkboxes. Of course, you should install only the bare minimum needed to meet your web application's requirements. Use Table 9-2 as a guide.
COMPONENT | DESCRIPTION |
---|---|
FTP Publishing Services | Parent-category heading for File Transfer Protocol (FTP) service. |
FTP Management Console | FTP Microsoft Management console snap-in. Should be selected if FTP service is enabled. Can be used to manage local and remote FTP servers. |
FTP Server | File Transfer Protocol service. Enable if you want Vista to support FTP services. |
Web Management Tools | Parent-category heading for IIS management tools, consoles, and scripts. |
IIS 6 Management Compatibility | Sub-category heading to install IIS 6–compatible tools and APIs to manage IIS 7 services. |
IIS 6 Management Console | Enable if you want to administer remote IIS 6 services, including World Wide Web and FTP. It can also be used to administer FTP on IIS 7 servers. |
IIS 6 Scripting Tools | Installs IIS 6 configuration scripts. |
IIS 6 WMI Compatibility | Installs IIS 6–compatible Windows Management Instrumentation (WMI) interfaces, allowing many local and remote IIS 6 management tools to operate. |
IIS Metabase and IIS 6 configuration compatibility | IIS 7 does not use Metabase database files natively, as IIS 6 does. If this component is installed, Metabase compatibility APIs will be installed to allow legacy Metabase tools to be utilized on IIS 7 services. |
IIS Management Console | New Microsoft management console snap-in for local and remote IIS 7 services. |
IIS Management Scripts and Tools | If enabled, installs new management scripts and tools for local IIS 7 servers. |
IIS Management Services | Installs the Web Management Service (WMSVC), the interface that lets the IIS Manager console administer the server remotely over HTTPS. Not needed if the server is only ever managed locally. |
World Wide Web Services | Parent category for WWW services. Must be enabled if World Wide Web (WWW) services are desired. |
Application Development Features | Child category for application development options. |
.NET Extensibility | If enabled, will allow IIS WWW services to support .NET Framework applications. Needed for IIS 7's new protocol listeners (covered later). |
ASP | If enabled, supports legacy Active Server Pages (ASP). High risk, should be disabled if not used. |
ASP.NET | If enabled, will allow IIS WWW services to support ASP.NET Framework applications. High risk, should remain disabled if not used. |
CGI | Enables a Common Gateway Interface subsystem to support CGI programs and scripts. High risk, should remain disabled if not used. |
ISAPI Extensions | Allows ISAPI programs to respond for particular request types. High risk, should remain disabled if not used. |
ISAPI Filters | Allows ISAPI filters (often DLLs) to filter and respond for particular types of requests. High risk, should remain disabled if not used. |
Server-Side Includes | If enabled, implements server side includes, handling requests for documents ending in .stm, .shtm, or .shtml. Should be disabled if your web server does not use server-side includes. |
Common Http Features | Child category. Needed for ASP.NET and other types of HTTP functionality. |
Default Document | If enabled, will serve up defined default documents, such as index.htm or default.aspx, if the http request does not include a specific trailing document name. |
Directory Browsing | If enabled for a web folder that has no default document, IIS answers a request for the folder with a listing of its files and subfolders in a column list (much like a user might see on an FTP site) instead of a normal page. Users can then see and download individual files, including ones never linked from any page. Should not be enabled on most web sites unless a listing is deliberately wanted. |
HTTP Errors | If enabled, will implement IIS's default error responses. Error responses have been used in the past to enumerate Web sites and to identify the existence of documents and filenames. Administrators can choose not to implement the default error documents and create their own customized error responses. |
HTTP Redirection | If enabled, can allow HTTP requests to be redirected to other locations. Has been used maliciously in the past by spammers and other rogue hackers. Should be left disabled unless needed. |
Static Content | Supports HTML content. Read-only static content is normally low risk. Most web servers will need this option enabled. |
Health and Diagnostics | Child category. If enabled, installs tools to monitor and manage server and Web site performance and responsiveness. |
Custom Logging | Enables custom logging interfaces. |
HTTP Logging | Enabled by default. Records HTTP requests and responses to the IIS log files. |
Logging Tools | Installs IIS 7 logging tools and scripts. |
ODBC Logging | Installs ODBC database interface capabilities. |
Request Monitor | Enables requests to be monitored. Enabled by default. |
Tracing | Enables failed request tracing, which adds troubleshooting detail for ASP.NET applications and other request types. |
Performance Features | Child category for two performance-enhancing capabilities. |
Http Compression Dynamic | Compresses dynamically generated responses, such as ASP or ASP.NET output. Costs CPU on every response; enable only if dynamic content is served. |
Static Content Compression | Enabled by default. For standard HTTP traffic compression of static content. |
Security | Parent category, allows administrator to enable various security and authentication mechanisms. |
Basic Authentication | If enabled, allows local or domain credentials to be passed in a Base64-encoded header, which is effectively clear text. Only needed for clients that cannot support more secure authentication methods (discussed more later). Should be disabled if not needed, or used only when every connection is protected, such as by SSL/TLS or IPsec. |
Client Certificate Mapping Authentication | If enabled, allows SSL or TLS client certificates to be used to authenticate Active Directory computer or user accounts. |
Digest Authentication | If enabled, allows local or domain authentication credentials to be passed in a cryptographic hash format. |
IIS Client Certificate Mapping Authentication | Maps client certificates to a one-to-one or many-to-one computer or user account. |
IP Security | Enables administrators to restrict requests based on IP addresses or domain names. |
Request Filtering | Enabled by default. Rejects requests before they reach a handler, based on rules such as file extension, HTTP verb, URL and query-string length, hidden segments, and double-encoded or high-bit characters. Must be enabled to get functionality similar to legacy versions of URLScan (which no longer needs to be installed). |
URL Authorization | Authorization (not authentication) rules that allow or deny specific users, roles, or HTTP verbs access to URLs, enforced by IIS from configuration rather than by application code. Equivalent functionality was previously available in IIS 6 only through ASP.NET. |
Windows Authentication | If enabled, allows local or domain credentials to be used without the password itself crossing the wire: an NTLM challenge-response or a Kerberos ticket (via the Negotiate scheme) is carried in HTTP headers. Kerberos is preferred; NTLM, and especially the older LAN Manager responses, is weaker and can be relayed or cracked offline. NTLM needs only the web server to be reachable (it validates the response with a domain controller itself), whereas Kerberos also requires the client to reach a domain controller to obtain a ticket for the web server. Typically used for domain computers connecting to intranet web servers. Doesn't typically work through external firewalls or over the Internet (without a VPN or other configured methods). Discussed more later in the chapter. |
When IIS 7 is installed on Vista, the following components are installed by default if no specific components are selected:
IIS Management Console
Default Document
Directory Browsing
HTTP Errors
Static Content
HTTP Logging
Request Monitor
Static Content Compression
Request Filtering
The default IIS 7 install will deliver only static content. All active scripting is disabled by default. IIS 7 can support multiple Web and FTP sites and, unlike previous workstation versions, can run them at the same time. Each Web or FTP site must be bound to a unique combination of IP address, TCP port number, and host header name, exactly as in the server versions of IIS. IIS application files are located in %windir%\system32\inetsrv. The initial IIS 7 install creates a default Web site called, not surprisingly, Default Web Site. Its files are stored in \Inetpub\wwwroot by default and consist of a single static page (see Figure 9-4) that links to http://www.iis.net, Microsoft's official IIS support Web site, when clicked.
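The following script is an added example, not code from the book: it performs an unattended IIS 7 install on Vista with a component set even leaner than the default list above (Directory Browsing is left out, as Table 9-2 recommends for most sites) and then checks which modules were actually loaded. The feature identifiers are the Package Manager (pkgmgr.exe) names for the IIS 7 components; the script assumes an elevated PowerShell session and appcmd.exe in %windir%\system32\inetsrv.

```powershell
# Added example, not from the book: install only the IIS 7 components a static
# site needs, then confirm that nothing from the "high risk" rows of Table 9-2
# got loaded. Run from an elevated PowerShell prompt on Vista.

# Package Manager identifiers for the components (parent features must be listed too).
$minimalFeatures = @(
    "IIS-WebServerRole", "IIS-WebServer",
    "IIS-CommonHttpFeatures", "IIS-StaticContent", "IIS-DefaultDocument", "IIS-HttpErrors",
    "IIS-HealthAndDiagnostics", "IIS-HttpLogging", "IIS-RequestMonitor",
    "IIS-Security", "IIS-RequestFiltering",
    "IIS-Performance", "IIS-HttpCompressionStatic",
    "IIS-WebServerManagementTools", "IIS-ManagementConsole"
)
# Deliberately omitted even though Vista's default install includes it: IIS-DirectoryBrowsing.
# Also omitted: IIS-ASP, IIS-ASPNET, IIS-NetFxExtensibility, IIS-CGI, IIS-ISAPIExtensions,
# IIS-ISAPIFilter, IIS-ServerSideIncludes, IIS-BasicAuthentication, IIS-HttpRedirect.
# Add one only when an application actually needs it.

$pkgmgr     = Join-Path $env:windir "System32\pkgmgr.exe"
$pkgmgrArgs = "/iu:" + ($minimalFeatures -join ";")
$proc = Start-Process -FilePath $pkgmgr -ArgumentList $pkgmgrArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "pkgmgr.exe returned $($proc.ExitCode); see %windir%\Logs\CBS\CBS.log"
}

# Every installed component registers a module in applicationHost.config. List the
# enabled modules and flag the ones that correspond to Table 9-2's high-risk rows.
$appcmd = Join-Path $env:windir "System32\inetsrv\appcmd.exe"
$risky  = "IsapiModule", "IsapiFilterModule", "CgiModule", "ServerSideIncludeModule",
          "DirectoryListingModule", "HttpRedirectionModule", "BasicAuthenticationModule",
          "ManagedEngine"
$loaded = & $appcmd list module /text:name
"Enabled modules: " + ($loaded -join ", ")
$unexpected = $loaded | Where-Object { $risky -contains $_ }
if ($unexpected) {
    Write-Warning ("High-risk modules present: " + ($unexpected -join ", "))
} else {
    "No high-risk modules loaded."
}

# Belt and braces: even if the Directory Browsing module is ever installed later,
# keep the feature switched off server-wide.
& $appcmd set config /section:directoryBrowse /enabled:false
```

Rerunning the script after someone adds a component is a cheap way to catch drift: the module list is what IIS actually loads, so it reflects the real attack surface rather than what the installer checkboxes were supposed to be.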
Figure 9-4: Default IIS Web site
Enabling IIS activates a handful of new executables and one or more services. The core service executables run in Session 0: the World Wide Web Publishing Service (W3SVC) and the Windows Process Activation Service (WAS) are hosted in a Svchost.exe process for the iissvcs service group, running under the Local System account. Management interfaces (for example, InetMgr.exe) run in an interactive session (for example, Session 1) under the logged-on user's security context. The IIS worker process (W3wp.exe) is started on demand by WAS when the first request for an application pool arrives, and it runs under the application pool's identity (Network Service by default), not Local System.
When IIS is active, HTTP.sys, the kernel-mode listener that hands requests to IIS, accepts connections only on port 80 until other bindings are configured. IIS runs using a multitude of files and processes. Inetinfo.exe, which was the main IIS process in earlier versions and runs in the Local System context, appears in IIS 7 only when the IIS Metabase and IIS 6 configuration compatibility component (or the legacy FTP service, which depends on it) is installed. Other helper processes, such as Dllhost.exe (the COM+ surrogate), may appear and then disappear until needed again. It's important to note that in IIS 6 and above, no user code runs in these highly privileged processes; application code runs only inside worker processes.
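The following check is an added example, not code from the book. It confirms the process model described above on a running Vista machine: which process holds port 80, which services share the IIS Svchost and under what account, and what identity the worker process runs under. It assumes an elevated PowerShell session and a default IIS 7 install with the Default Web Site listening on port 80.

```powershell
# Added example, not from the book: verify the IIS 7 process model on a running
# Vista machine. Assumes an elevated PowerShell session and a site on port 80.

# 1. The listener on port 80 is the kernel-mode HTTP.sys driver, which shows up as
#    the System process (PID 4), not as a user-mode IIS process.
netstat -ano -p tcp | Select-String "^\s*TCP\s+\S+:80\s" | ForEach-Object { $_.Line.Trim() }

# 2. The IIS services and the account they start under. Expect W3SVC and WAS on
#    LocalSystem; IISADMIN exists only when metabase compatibility is installed.
Get-WmiObject Win32_Service -Filter "Name='W3SVC' or Name='WAS' or Name='IISADMIN'" |
    Format-Table Name, State, StartName, ProcessId -AutoSize
tasklist /svc /fi "IMAGENAME eq svchost.exe" | Select-String "W3SVC|WAS"

# 3. w3wp.exe is created on demand by WAS, so issue one request to make it appear,
#    then print its owner: the application pool identity (NetworkService on a
#    default IIS 7 install), never LocalSystem.
$null = (New-Object Net.WebClient).DownloadString("http://localhost/")
Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    "{0,6}  {1}\{2}  {3}" -f $_.ProcessId, $owner.Domain, $owner.User, $_.CommandLine
}

# 4. Cross-check with appcmd: the configured pool identity and the live worker processes.
$appcmd = Join-Path $env:windir "System32\inetsrv\appcmd.exe"
& $appcmd list apppool /text:processModel.identityType
& $appcmd list wp
```

If step 3 ever shows a worker process owned by SYSTEM, someone has changed an application pool identity; that is the single configuration change that undoes the "no user code in privileged processes" guarantee described above.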
Note | If Vista Home Basic is upgraded to Business or Ultimate editions, several IIS 7 features are installed and enabled by default. See http://www.support.microsoft.com/kb/930902/en-us for more details. |