Determining Which IIS Technology to Use

IIS provides many administration and development technologies, some of which can be used within another. Also, there are other products that work with IIS to make server administration and application development on large systems easier.

If you have not already done so, it is wise to understand the differences between the IIS administration and development technologies, and to understand the other products that are available from Microsoft. This information is contained in the following three topics:

Once you are familiar with the technologies and products that are available to you, you can consider other issues like those that follow.

Designing New IIS Applications

Consider the following issues when designing a new IIS application.

Issue

Example

How can the application be made secure?

Before designing a Web application, create a threat model to evaluate potential threats. Instead of determining how the application will work, threat models identify component boundaries, assets, and how data flows between the assets.

Threats can exist at the product level. For example, if an application uses a SQL database, the default administrator account should be replaced by one with a difficult password.

Threats can exist at the file level. For example, if an application relies on a product to authorize access to files and the product is circumvented, files can be accessed if the file system access control list (ACL) is not restrictive enough.

Threats can exist inside the application. For example, if an application contains numerous string manipulation functions, there is potential for buffer overflows. Malicious users can take advantage of a buffer overflow to open a door into the system.

Will the application take user input?

An application that accepts user input is one that takes untrusted data and passes it across a boundary into a trusted domain. User input should always be validated before that happens.

For example, if an application accepts user input through an HTML form, a malicious user can inject code into the input that can force a database application to return protected records or display false links.
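The validation step described above, as an added example that is not part of the original page: a form value is percent-decoded first and only then checked against an allow-list, so an encoded quote is judged as a quote. The "account" field, its 16-byte limit, its character set, and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Decode one application/x-www-form-urlencoded value into out (NUL-terminated).
 * Returns the length, or -1 for a bad escape, an encoded NUL, or no room. */
static int form_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '+') c = ' ';
        else if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            char hex[3] = { in[1], in[2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            in += 2;
            if (c == '\0') return -1;   /* encoded NUL would hide trailing data */
        }
        if (n + 1 >= outsz) return -1;  /* no room for byte plus terminator */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical "account" field: accept only 1..16 bytes of [A-Za-z0-9_-].
 * The check runs on the decoded value, so %27 is judged as a quote.
 * Returns 1 and leaves the value in out; returns 0 and empties out otherwise. */
int accept_account_field(const char *raw, char *out, size_t outsz)
{
    int len = form_decode(raw, out, outsz);
    int ok = (len >= 1 && len <= 16);
    for (int i = 0; ok && i < len; i++) {
        unsigned char c = (unsigned char)out[i];
        ok = isalnum(c) || c == '_' || c == '-';
    }
    if (!ok && outsz > 0) out[0] = '\0';
    return ok;
}

int main(void)
{
    char v[32];   /* constructed sample inputs, not from the page */
    printf("%d\n", accept_account_field("al%69ce_01", v, sizeof v));    /* accepted */
    printf("%d\n", accept_account_field("x%27+OR+1%3D1", v, sizeof v)); /* rejected */
    return 0;
}
```

Validation of this kind narrows what reaches the trusted side; the database call should still bind the value as a parameter rather than concatenate it into query text.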

Does the application need to run as a specific user?

The process and thread identity is not the same for every technology. For example, ISAPI extensions run as the AnonymousUserName account if anonymous access is allowed. However, if the Win32 RevertToSelf function is called, the thread identity changes to that of the Local System if the ISAPI extension is running in the IIS process.

You can select a development technology based on the identity that you need the application to operate under. For a table that summarizes application types and their identities, see IIS Application Identities.

In what language does the developer want to write the application?

If the developer knows only C++, the IIS application can consist of ISAPI extensions.

If the developer knows only Perl, the IIS application can consist of ASP pages written in PerlScript.

If the developer wants to use Visual Basic and Visual Basic Scripting Edition (VBScript), the IIS application can consist of ASP pages written in VBScript and COM components written in Visual Basic.

Will the application configure and manage IIS?

You can use ADSI or WMI from most languages to configure IIS programmatically. If you don't need to administer IIS from a Web page, it is recommended that you use the tools that come with IIS, or create custom scripts or applications.

If administration must occur from a Web page, the Web application must authenticate clients because only clients with administrative privileges can configure IIS programmatically.

Will the application need to perform e-commerce or other transactions?

Explore Microsoft Commerce Server, or Web services that handle the exchange of currency.

If the IIS application will handle other transactions such as those that update inventories, look into COM+ transaction services, which can be used from ASP pages alone or COM components that are called by ASP pages.

Will the application need to interact with databases?

Databases can be accessed from any IIS application, using ABO. For more information, see Processing Transactions Using COM+ Services.

Does the content in the application need to be created very quickly?

Creating ASP applications is much faster than creating applications with the other development technologies, and ASP preserves most features.

Will the application need to perform e-mail services?

SMTP can be used to send and receive e-mail from Web applications, but you need a mail server, such as Microsoft Exchange Server.

After a mail server has been set up, Web pages can create, send, and receive e-mail using Collaborative Data Objects (CDO). For more information about the CDO Library and the CDO Rendering Library, see Overview of CDO.

Will the application need to be viewed by international clients?

When creating international Web sites, an application developer must be careful with locales and code pages. Dates, numbers, and currency are displayed differently in each locale, and when amounts of currency cross locales, a calculation has to occur. Additionally, if your Web site is translated, the code page of the site must match that of the language. Even if your application does not yet need to cater to international clients, you can design the structure of the application so that you can easily add internationalization features later.

Code pages and locales can be set in ASP, ASP.NET pages, and COM components, and starting with IIS 6.0, ISAPI applications have more support for Unicode.

An application needs to handle localized data carefully. Strings of unexpected sizes can be returned to an application and cause buffer overflows.

For more information about how to design international Web sites, see Designing International Applications.
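The overflow risk from string handling and from localized strings of unexpected size, noted above, shown as an added example that is not part of the original page: a bounded copy into a fixed buffer that reports truncation and never splits a multi-byte character. UTF-8 encoding, the 8-byte field, and the three labels are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: one UI label in three languages (UTF-8 assumed).
 * The Japanese text is 4 characters but 12 bytes. */
static const char LABEL_EN[] = "Save";
static const char LABEL_DE[] = "Speichern";
static const char LABEL_JA[] = "\xE4\xBF\x9D\xE5\xAD\x98\xE3\x81\x99\xE3\x82\x8B";

/* Copy src into dst (capacity dstsz bytes, terminator included) without
 * writing past the end. If src does not fit, cut it at the last complete
 * character that fits and set *truncated to 1 so the caller can react.
 * Returns the number of bytes stored, not counting the terminator. */
size_t copy_localized(char *dst, size_t dstsz, const char *src, int *truncated)
{
    size_t n = strlen(src);
    *truncated = 0;
    if (dstsz == 0) {           /* nothing can be stored, not even the NUL */
        *truncated = 1;
        return 0;
    }
    if (n > dstsz - 1) {
        n = dstsz - 1;
        /* src[n] is the first byte left out; while it is a UTF-8
         * continuation byte (10xxxxxx) the cut is inside a character. */
        while (n > 0 && ((unsigned char)src[n] & 0xC0) == 0x80)
            n--;
        *truncated = 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    char field[8];              /* sized with only the English label in mind */
    int cut;
    const char *labels[] = { LABEL_EN, LABEL_DE, LABEL_JA };
    for (int i = 0; i < 3; i++) {
        size_t n = copy_localized(field, sizeof field, labels[i], &cut);
        printf("%zu bytes kept, truncated=%d\n", n, cut);
    }
    return 0;
}
```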

Is the amount of client traffic to the Web application likely to increase dramatically?

If you expect the popularity of your Web site to increase beyond the capabilities of one IIS server or one site on an IIS server, design into your application the possibility of splitting it between servers in a multi-tiered design. For example, make your database code capable of querying a remote database should you need to move the database to another computer. Or design your database connections and transactional code so that it will work from multiple machines in a Web farm.

Explore Microsoft Application Center, which makes managing a Web farm easier.

Also consider ISAPI extensions for your application, which can execute asynchronously.

Is the size of the application content likely to increase dramatically?

For high-traffic sites, design into your application the possibility of splitting it between servers in a multi-tiered design. For example, make your database code capable of querying a remote database should you need to move the database to another computer. Or design your database connections and transactional code so that it will work from multiple machines in a Web farm.

Will the content of the Web application need to be updated frequently?

Web sites like those for news and other media frequently update content. If your site needs frequent updates, consider that when building the structure in the metabase and setting permissions.

There are third-party tools that publish new content and expire or archive old content. You can also use WebDAV, Microsoft FrontPage, Microsoft SharePoint Products and Technologies, the Content Rotator component of IIS, or you can develop your own management applications.

If the application will be published on a server owned by an Internet Service Provider (ISP) or other hosting company, what Web services do they offer?

Most Web hosting companies offer Apache and IIS servers, but the versions might not be up-to-date. Additionally, some hosting companies are reluctant to install certain tools or features such as .NET Frameworks, ISAPI filters, or custom logging components. The Web hosting companies might also enforce their own preferred authentication methods.

Research Web hosting companies to find the one that will suit your needs.

If the application will be developed on a server other than the one on which it will be published, are there version or product differences between the two?

Web developers often create their applications on a client computer instead of a full-featured server computer because of the difference in cost. Problems might arise from feature differences. For example, IIS 5.1 on Windows XP does not support application pools or worker process isolation mode, while IIS 6.0 on Windows Server 2003 does. Versions of .NET Framework binaries can behave differently on different versions of Windows.

Research feature differences and product requirements before creating an application, and test them frequently on the destination server.

If the application is compiled, what threading model is appropriate?

COM components need to have the right threading model selected. For more information, see Selecting a Threading Model for Components in IIS.

ISAPI applications also need to manage threads carefully. For more information, see Designing High-Performance ISAPI Applications.

Migrating Existing Applications

Migrating existing applications can be troublesome if expected functionality that is required by the application is not present on the destination server. For detailed procedures about migrating old IIS Web sites or Apache Web sites to IIS 6.0, see the chapters titled "Migrating IIS Web Sites to IIS 6.0" and "Migrating Apache Web Sites to IIS 6.0" in the Windows Server 2003 Deployment Kit: Deploying Internet Information Services (IIS) 6.0.

Consider the following issues when migrating an existing IIS application or a Web application that was built for a non-Microsoft Web server:

Issue

Example

Does the application include CGI DLLs or EXEs?

As long as CGI applications adhere to CGI and HTTP specifications as set out by the World Wide Web Consortium - Specifications and Drafts, they might not need to be altered. They can be requested directly, or they can be called from an STM or SHTML file using the #exec command.

Was the application developed on an IIS server of a different version than the server to which it is migrating?

Problems might arise from feature differences. For example, IIS 5.1 on Windows XP does not support application pools or worker process isolation mode, while IIS 6.0 on Windows Server 2003 does. Versions of .NET Framework binaries can behave differently on different versions of Windows. If the application uses a database, are the drivers on the destination server compatible?

If the application has to be rewritten, could it be simplified, made faster, or made more scalable?

Sometimes an application needs to be rewritten to run on a new version of IIS. If so, could it be simplified by converting it to ASP? Could it be made faster by using COM components or ISAPI extensions? Could it be written in ASP.NET or converted to an HTTP module to take advantage of .NET technology? Could it be compartmentalized so that it can be split between servers in the future in a multi-tiered design, or duplicated across many servers in a Web farm?