Internet Information Services (IIS) is designed to provide secure, scalable solutions for creating and managing World Wide Web sites and servers. You can use IIS to publish information on intranets, extranets, and the Internet. Because today’s Web sites use related services, like File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), ASP.NET, and Windows .NET Framework, IIS bundles these services as part of a comprehensive offering. A separate but related service is the Indexing Service, which is used to build catalogs of documents that can be searched. When you add this capability to a Web site, it allows users to search for topics of interest using a standard Hypertext Markup Language (HTML) form.
Unlike IIS 5, where the main Web server process was often a major choke point that severely affected performance, IIS 6 has a redesigned request processing architecture that allows the server to perform better, to reserve fewer resources, to handle more virtual servers, to detect failures and resolve them, and much more. This architecture has several key features:
HTTP listener process In IIS 6, the main Web server process is a kernel-mode driver called Http.sys. It’s used for Hypertext Transfer Protocol (HTTP) parsing and caching. It’s responsible for listening for requests and passing them off to worker processes.
Worker processes Worker processes run in an isolated mode that allows administrators to group different Web applications. Worker processes are isolated by application pool and can be allocated on demand, meaning they’re allocated system resources when they become active and don't use system resources when they’re inactive. This architecture improvement, along with others, ensures that IIS 6 can support many more concurrent processes than previous versions.
Application pools Groups of Web applications are called application pools. Application pools are separated from one another by process boundaries and are serviced by one or more worker processes, which applications in the pool share. All Web sites and applications on a server are assigned to an application pool. Settings for application pools allow you to monitor worker processes and to recover automatically from any problems that might occur.
Application pool request queue When requests are passed off from Http.sys to worker processes, the requests are placed in the appropriate application pool request queue. Each application pool has a separate request queue. Worker processes assigned to the application pool handle the request in first in, first out (FIFO) order. You can assign worker processes a processor affinity so that specific processors handle their workload.
Although you’ll learn even more about the request processing architecture in Chapter 2, “Core IIS Administration,” these two chapters only scratch the surface of the dramatic change the new architecture represents. To understand the architecture completely, you’ll need to read the chapters in Part II, “Web Server Administration.” These chapters discuss site, server, and application configuration; worker process assignment; and application pool configuration.
The security architecture is another major area where IIS 6 has been redesigned. The new security architecture has several important features that you should know about right now:
Capability lockdown IIS isn’t installed by default on Windows Server 2003. When you install IIS, the default installation allows only static content (HTML files) to be served, and all other functions and types of content must be specifically enabled. Nonstatic content is managed through the Web Service Extensions settings. See Chapter 4, “Customizing Web Server Content,” for details. Further, if you upgraded the operating system on a server that was previously running IIS, the IIS service might be disabled. To reenable IIS, you might need to enable the IIS service as well as the associated services.
Privilege changes By default, many IIS 6 features run using the built-in account NetworkService. This account has very few privileges and is designed to ensure that IIS and related processes have very few privileges on the server. Although good for security and reducing potential vulnerabilities, it might change the way you use IIS, and some applications or features might work differently than you expect. Be sure to take a look at this account’s privileges.
Tool and file restrictions IIS won’t serve requests for invalid files. It verifies all file requests before serving them, checking file extensions and for the existence of the requested content. IIS won't run command-line tools or other command-line executables.
Authentication enhancements IIS has a number of enhancements for authenticating requests, including URL authorization and delegated authentication, but the most important change is without doubt the support for .NET Passport authentication. Through their .NET Passport identification, users can be validated and granted access according to the access controls in their corresponding Active Directory service user account.
Real World
There’s a way to run Web applications in IIS 5 mode. It’s called IIS 5 isolation mode. Although operating in this mode might solve problems with applications that won't run under the new IIS 6 architecture, security restrictions might also be affecting the way applications are running. Be sure to read Chapter 7, “Enhancing Web Server Security,” so that you understand the changes to the security architecture.
IIS 6 has many additional features. Some that you’ll want to learn about include:
FTP restart FTP restart allows clients to resume FTP downloads without having to download the entire file again if an interruption occurs during transfer. When a connection is broken during a download, compliant clients (such as Microsoft Internet Explorer 5) can reestablish their file transfer using the REST command, and the file transfer will resume where it left off.
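The REST-then-RETR dialogue described above, written out as an added example that is not code from this chapter or from IIS. It models the control channel in memory: the server object, the sample file and the transcript are constructed for illustration, the reply texts follow the usual FTP reply codes rather than a capture from an IIS server, and a real FTP session carries data on a separate connection.

```python
"""Simulated FTP restart (REST) exchange; constructed example, not IIS code."""

# Constructed sample file that the client downloads in two attempts.
FILES = {"report.zip": bytes(range(256)) * 4}  # 1024 bytes of sample data


class FtpServerSim:
    """Minimal server state machine for REST followed by RETR."""

    def __init__(self, files):
        self.files = files
        self.restart_offset = 0

    def command(self, line):
        """Handle one control-channel command; return (reply, data_or_None)."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "REST":
            # The restart marker applies only to the next RETR.
            if not arg.isdigit():
                return "501 Syntax error in parameters", None
            self.restart_offset = int(arg)
            return f"350 Restarting at {arg}. Send RETR to initiate transfer", None
        if verb == "RETR":
            data = self.files.get(arg)
            offset, self.restart_offset = self.restart_offset, 0  # marker is one-shot
            if data is None:
                return "550 File not found", None
            if offset > len(data):
                # A marker past the end of the file must not be honoured.
                return "554 Requested action not taken: invalid REST parameter", None
            return f"150 Opening BINARY mode data connection for {arg}", data[offset:]
        return "502 Command not implemented", None


def resume_download(server, name, received, transcript):
    """Client side: resume `name` after `received` bytes already arrived."""
    reply, _ = server.command(f"REST {len(received)}")
    transcript.append((f"REST {len(received)}", reply))
    if not reply.startswith("350"):
        raise RuntimeError("server rejected restart marker: " + reply)
    reply, data = server.command(f"RETR {name}")
    transcript.append((f"RETR {name}", reply))
    if data is None:
        raise RuntimeError(reply)
    return received + data


def simulate_interrupted_transfer(name="report.zip", cut_at=400):
    """First attempt is cut at `cut_at` bytes; second attempt resumes with REST.

    Returns (complete_contents, transcript_of_control_channel).
    """
    server = FtpServerSim(FILES)
    transcript = []
    # Attempt 1: the connection drops after cut_at bytes of the data channel.
    reply, data = server.command(f"RETR {name}")
    transcript.append((f"RETR {name}", reply))
    partial = data[:cut_at]
    # Attempt 2: the client asks the server to start at the bytes it already has.
    complete = resume_download(server, name, partial, transcript)
    return complete, transcript


if __name__ == "__main__":
    content, log = simulate_interrupted_transfer()
    for sent, got in log:
        print(f"C> {sent}\n S> {got}")
    print("bytes after resume:", len(content),
          "matches original:", content == FILES["report.zip"])
```

The check on `offset > len(data)` is the part worth keeping in mind on a real server: a restart marker is client-supplied input, so the server validates it against the file length before opening the data connection rather than trusting it.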
FTP user isolation IIS 6 allows you to isolate users to their own directories so that they can’t view or overwrite other users’ content.
Health monitoring Just as Windows Server 2003 monitors the health of its running processes, so does IIS 6. IIS 6 takes this monitoring a few steps further, though. It can detect and recover from memory leaks, problems in code, and blocking calls. IIS can also check for nonresponsive processes and then recycle or restart processes as necessary.
Host headers Host headers allow you to host multiple Web sites on a single computer with only one Internet Protocol (IP) address. Here, IIS uses the host name passed in the HTTP header to determine the site that a client is requesting.
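The site selection described above (several sites on one IP address, chosen by the Host header), as an added example that is not code from this chapter or from IIS. The binding table, the requests and the fallback rule (a request whose host name matches no binding goes to the site bound with an empty host header on that IP and port) are constructed for this example; the example handles only plain host names, not IPv6 literals.

```python
"""Host-header site selection; constructed example, not IIS code."""

# Constructed binding table: (ip, port, host_header) -> site name.
# An empty host header means "any host not claimed by another binding".
BINDINGS = {
    ("10.0.0.5", 80, "www.example.com"): "Corporate",
    ("10.0.0.5", 80, "intranet.example.com"): "Intranet",
    ("10.0.0.5", 80, ""): "Default Web Site",
}

# Constructed requests used below and in the self-check.
REQUESTS = {
    "corp": "GET /index.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "intranet_with_port": "GET / HTTP/1.1\r\nHost: INTRANET.example.com:80\r\n\r\n",
    "unknown": "GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n",
    "no_host_11": "GET / HTTP/1.1\r\n\r\n",
    "no_host_10": "GET / HTTP/1.0\r\n\r\n",
}


def parse_request_head(raw):
    """Return (method, target, version, headers) from a raw HTTP request head."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        # Header names are case-insensitive; keep the first occurrence.
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, version, headers


def select_site(ip, port, raw_request, bindings=BINDINGS):
    """Pick the site for a request arriving on (ip, port).

    Returns (site_name_or_None, status_line).
    """
    method, target, version, headers = parse_request_head(raw_request)
    # HTTP/1.1 requires a Host header; a missing one is a client error.
    if version == "HTTP/1.1" and "host" not in headers:
        return None, "400 Bad Request"
    host = headers.get("host", "")
    # Strip any :port suffix and normalize case before matching.
    host = host.split(":")[0].strip().lower()
    site = bindings.get((ip, port, host))
    if site is None:
        site = bindings.get((ip, port, ""))  # fallback binding
    if site is None:
        return None, "404 Not Found"
    return site, "200 OK"


if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(f"{label:>20}: {select_site('10.0.0.5', 80, req)}")
```

Because the fallback binding receives every request whose host name is unknown (including requests made directly to the IP address), the site bound there should be one that serves nothing you would not want reachable under an arbitrary name.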
HTTP 1.1 and HTTP compression IIS fully supports the HTTP 1.1 protocol and the compression enhancements it defines. Using HTTP compression, you can compress both static and dynamic results of HTTP queries for transmission to HTTP 1.1–compliant clients. Unlike IIS 5, where compression was implemented using an Internet Server Application Programming Interface (ISAPI) filter and could only be enabled for an entire server, IIS 6 builds in compression as a feature that you can control precisely to the file level.
Kernel-mode cache Http.sys runs in kernel mode and passes requests directly to the worker processes without intermediaries. Previously requested static content can be cached, and unlike previous versions of IIS, dynamic content can be cached in kernel mode as well to improve performance. To better support Active Server Pages (ASP), ASP templates are stored in memory and deallocated from memory to free space for new templates. Unlike previous versions, IIS 6 uses a persistent ASP template cache. Here, deallocated templates are written to disk, where they can be accessed and reallocated. IIS 6 also has a heuristics-based caching policy. This policy is designed to ensure that files are cached when it makes sense and aren't cached otherwise.
On-demand starting and time-out You can configure application pools so that worker processes start on demand and time out when they’re no longer needed. By starting on demand, the process uses resources only when it’s active. By timing out, the resources used by the worker process can be freed up when the process has been idle for a certain amount of time.
Process accounting and process throttling Process accounting provides information about how individual Web sites use CPU resources. Process throttling allows you to limit CPU usage for out-of-process applications and thereby potentially reduce performance problems on the server as a whole.
Rapid-fail protection Rapid-fail protection allows IIS to monitor worker processes for failure. If IIS detects failure, IIS can take actions to record and recover, such as logging a related event in the event logs and restarting the worker process.
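The health-monitoring, on-demand starting, idle time-out and rapid-fail behaviour described in the preceding entries, modelled together as one added example; this is not code from the chapter or from IIS. The threshold (five failures within 300 seconds), the idle time-out, the process identifiers and the event messages are constructed for this example, and the 503 response for a disabled pool is an assumption of the model: check a real server's application pool properties rather than relying on these values.

```python
"""Deterministic model of worker-process health monitoring with rapid-fail
protection; constructed example, not IIS code. Time is passed in explicitly
so the behaviour is reproducible."""
from collections import deque


class ApplicationPool:
    def __init__(self, name, max_failures=5, window_seconds=300, idle_timeout=1200):
        self.name = name
        self.max_failures = max_failures    # assumed rapid-fail threshold
        self.window = window_seconds        # assumed rapid-fail window
        self.idle_timeout = idle_timeout    # assumed idle time-out
        self.failures = deque()             # timestamps of recent worker failures
        self.state = "started"              # "started" or "stopped"
        self.worker = None                  # None: no worker running (on-demand start)
        self.last_activity = None
        self.events = []                    # what an administrator would see logged

    def _log(self, now, message):
        self.events.append((now, f"{self.name}: {message}"))

    def handle_request(self, now):
        """Return an HTTP status for a request arriving at time `now`."""
        if self.state == "stopped":
            return 503  # assumption: a disabled pool answers 503 Service Unavailable
        if self.worker is None:
            self.worker = {"started": now, "pid": 1000 + len(self.events)}
            self._log(now, f"worker {self.worker['pid']} started on demand")
        self.last_activity = now
        return 200

    def worker_failed(self, now, reason):
        """Record a crashed or unresponsive worker and apply rapid-fail protection."""
        pid = self.worker["pid"] if self.worker else "none"
        self._log(now, f"worker {pid} failed: {reason}")
        self.worker = None
        self.failures.append(now)
        # Forget failures that fell outside the sliding window.
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()
        if len(self.failures) >= self.max_failures:
            self.state = "stopped"
            self._log(now, f"rapid-fail protection: {len(self.failures)} failures "
                           f"in {self.window}s, pool disabled")
        else:
            self._log(now, "worker will be restarted on the next request")

    def tick(self, now):
        """Periodic housekeeping: shut down a worker that has been idle too long."""
        if (self.worker is not None and self.last_activity is not None
                and now - self.last_activity >= self.idle_timeout):
            self._log(now, f"worker {self.worker['pid']} shut down after "
                           f"{self.idle_timeout}s idle")
            self.worker = None


def run_scenario():
    """Five failures inside the window: the pool ends up disabled."""
    pool = ApplicationPool("DefaultAppPool")
    statuses = [pool.handle_request(0)]            # starts the first worker
    for t in (10, 20, 30, 40):
        pool.worker_failed(t, "access violation")  # four failures, each recovered
        statuses.append(pool.handle_request(t + 1))
    pool.worker_failed(50, "ping timeout")         # fifth failure trips rapid-fail
    statuses.append(pool.handle_request(60))       # now refused
    return pool, statuses


if __name__ == "__main__":
    pool, statuses = run_scenario()
    print("statuses:", statuses, "pool state:", pool.state)
    for when, event in pool.events:
        print(f"t={when:>4}s  {event}")
```

The sliding window is the detail administrators most often misread: five failures spread over a longer period than the window never disable the pool, which is why the event log, not the pool state alone, is the place to look when a worker keeps restarting.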
SSL 3 and TLS SSL 3 and Transport Layer Security (TLS) provide secure methods of exchanging information between clients and servers. SSL 3 and TLS also enable the use of client certificates that can be read by Internet Server Application Programming Interface (ISAPI) server pages. Client certificates are used to authenticate users and control access by mapping the client certificate to a Windows user account.
WebDAV Web Distributed Authoring and Versioning (WebDAV) extends the HTTP 1.1 protocol and is integrated into IIS. Using WebDAV, remote users can publish, lock, and manage resources on a Web server using an HTTP connection.
XML metabase The IIS metabase is now formatted using Extensible Markup Language (XML) and stored in plaintext files. XML’s structure makes it easier to search and maintain the metabase and also improves performance when working with the metabase. The XML metabase can be edited while IIS is running. It can be used to save configurations at the server, site, or application level so they can be used on other servers, which can help ensure that configurations across server farms are exact copies of each other. The metabase also supports automatic versioning and history. This means that IIS automatically tracks changes to the metabase and changes that are made can be rolled back to restore a previous configuration.