Comparison of IIS Development Technologies

Article
06/16/2017

You can use IIS to create Web content in a variety of formats, including static files, scripts, compiled DLLs, and compiled EXEs. The IIS development technologies simply provide a way to perform dynamic operations that eventually build HTML output that IIS sends in response to client requests.

The technologies that can be used to develop IIS content are as follows:

ASP
ASP.NET
COM components for ASP
CGI applications
ISAPI extensions
ISAPI filters
Database applications
Static content

Web content can also be developed to programmatically configure an IIS server. For information about the different ways to configure IIS programmatically, see Comparison of IIS Administration Features.

Use the following table to help decide what technology to use to develop IIS content.

Development technology	Advantages	Disadvantages
ASP ASP pages are written in VBScript JScript PerlScript if the required PerlScript files are installed on the IIS server ASP pages have the following characteristics ASP pages execute on the IIS server when they are requested by the client. A Global.asa file can be used to set up global variables, objects, and work with ASP events. A client can pass variables to an ASP page through a query string.	ASP pages are fast and easy to develop. ASP technology is available on all versions of IIS since IIS 3.0 with a few additions in functionality to improve international features. ASP pages can call COM objects. This allows Web applications to store most of their business logic in a compiled COM object whose methods and properties are called from an ASP page. ASP includes transaction support.	ASP script processing is slightly slower than for static HTML files, COM objects, CGI applications, and ISAPI applications. The difference is only apparent on a server that experiences high volumes of traffic. ASP does not have as many features or as much control over IIS as ISAPI.
ASP.NET ASP.NET applications are written in C# Visual Basic.NET Managed C++ ASP.NET pages have the following characteristics ASP.NET pages execute on the IIS server when they are requested by the client. A Global.asax file can be used to set up global variables, objects, and work with ASP.NET and HttpModule events. A client can pass variables to an ASP.NET page through a querystring.	ASP.NET applications take advantage of all the benefits of the Microsoft .NET Framework. ASP.NET pages can be written in two ways: Executable .NET code can exist in the ASP.NET page (called a single-file page). Executable .NET code can exist separately in a compiled class file DLL. The code is then called by server controls in the ASP.NET page. ASP.NET applications are more extendible than ASP. ASP.NET includes features that are called HTTP Handlers and HTTP Modules, which match IIS ISAPI filter and extension functionality. ASP.NET includes transaction support.	ASP.NET is more difficult to learn in the beginning than ASP. However, the languages that are used to develop ASP.NET applications are gaining much popularity and can be used to develop other kinds of applications. ASP.NET is a younger and more dynamic technology than ASP, CGI, and ISAPI, which requires programmers to keep up with the new features of ASP.NET as they develop. The .NET Framework includes hundreds of classes, namespaces, and methods, designed to cover any action that a developer might want to perform, however, getting to know them all can take a long time.
COM components for ASP COM components are written in Visual Basic Visual Java C++ Any COM-compliant language COM components have the following characteristics COM component methods and properties are called from ASP pages or ISAPI applications running on the IIS server. COM components can access ASP built-in objects using the COM+ ObjectContext object.	COM components execute faster than ASP pages alone. To make an ASP application faster, move most of the code that is contained in the ASP pages to a COM component, and then call the COM component methods and properties from the ASP pages. COM includes transaction support that interacts with ASP transactions.	COM components are not as fast as ISAPI applications. The difference is only apparent on a server that experiences high volumes of traffic. The process and thread identities of an application can change once processing is passed to COM services.
CGI applications CGI DLLs are written in Perl if the required Perl files are installed on the IIS server C++ CGI applications have the following characteristics CGI applications execute on the IIS server when they are requested by the client. CGI applications can be called from an STM or SHTML file using the #exec command.	Developers who do not have the resources to convert CGI applications to run on IIS do not have to convert them to another development technology.	Small changes might have to be made to CGI applications to make them run on IIS. For example, if CGI applications do not return properly formatted headers, an error can occur. CGI applications must adhere to CGI and HTTP specifications as set out by the World Wide Web Consortium - Specifications and Drafts.
ISAPI extensions ISAPI extensions are written in C++ ISAPI extensions have the following characteristics ISAPI extensions execute on the IIS server when they are requested by the client.	ISAPI extensions have full access to IIS functionality. They give the finest control over the client connection, request and response data, application flow, application identities, and file transmission. As an example of the power of ISAPI applications, ASP and ASP.NET functionality is contained in special ISAPI extensions that are provided by IIS and .NET. ISAPI extensions have access to Win32 APIs. ISAPI extensions are the fastest of all IIS development technologies (other than static content). ISAPI extensions can process asynchronously. Starting with IIS 6.0, ISAPI supports Unicode. Starting with IIS 6.0, ISAPI provides functions that allow any or all requests to an IIS server to be sent to an ISAPI extension, processed, and then redirected to any other application. This functionality can be used to replace ISAPI filters.	ISAPI extensions can only be written in C++, therefore ISAPI is a more difficult technology to learn. ASP.NET HTTP Handlers and HTTP Modules can be written in any .NET language, even VB.NET.
ISAPI filters ISAPI filters are written in C++ ISAPI filters have the following characteristics ISAPI filters are always running on the IIS server, filtering every request until they find one they need to process.	If an ISAPI filter is present on an IIS server, all incoming client requests pass through it. This allows a filter to select the requests that it needs to process. This is useful for purposes such as special logging or authentication. The power of ISAPI filters lie in their ability to react to specified events notifications.	ISAPI filters can only be written in C++, therefore ISAPI is a more difficult technology to learn.ASP.NET HTTP Handlers and HTTP Modules can be written in any .NET language, even VB.NET. ISAPI filters should only be used for filtering requests. ISAPI filters do not have as much functionality as ISAPI extensions.
Database applications Database applications are written in Any COM-compliant language by using ActiveX? Data Objects (ADO). Therefore, ASP, COM, and ISAPI applications can use databases. Any .NET language by using ADO.NET. Therefore, ASP.NET applications can use databases.	Database applications can store massive amounts of data such as membership information, inventory information, archival information, and so on. A properly designed database can allow a Web application to retrieve data quickly.	Databases are often used to store sensitive information, yet database applications are often developed without security in mind. Access controls must be tight. All client input must be stripped of invalid characters. Connections and queries must be constructed in the most fool-proof manner. On SQL server, the default administrative account must be replaced or have its well-known password changed. For more information about how to develop secure database applications, see the chapters titled "Never Trust User Input" and "Database Input Issues" in Writing Secure Code (ISBN 0-7356-1722-8).
Static content Static content is written in HTML Dynamic HTML (DHTML), which can include <SCRIPT> blocks XML Static content has the following characteristics Static pages execute when they are requested by the client. Unless the page contains <SCRIPT> blocks that are marked runat=Server, the code executes on the client computer.	Static content can be served to clients faster than any other content because it is not processed (unless it contains <SCRIPT runat=Server> blocks.	Some features of static content (such as the client-side script used in DHTML <SCRIPT> blocks, or XML) are not supported by some browsers, therefore your client might not be able to view your Web site correctly. This is not a problem for other IIS development technologies which execute on the IIS server to produce HTML responses that are sent to the client.

ASP

ASP pages are written in

VBScript
JScript
PerlScript if the required PerlScript files are installed on the IIS server

ASP pages have the following characteristics

ASP pages execute on the IIS server when they are requested by the client.
A Global.asa file can be used to set up global variables, objects, and work with ASP events.
A client can pass variables to an ASP page through a query string.

ASP pages are fast and easy to develop.

ASP technology is available on all versions of IIS since IIS 3.0 with a few additions in functionality to improve international features.

ASP pages can call COM objects. This allows Web applications to store most of their business logic in a compiled COM object whose methods and properties are called from an ASP page.

ASP includes transaction support.

ASP script processing is slightly slower than for static HTML files, COM objects, CGI applications, and ISAPI applications. The difference is only apparent on a server that experiences high volumes of traffic.

ASP does not have as many features or as much control over IIS as ISAPI.

ASP.NET

ASP.NET applications are written in

C#
Visual Basic.NET
Managed C++

ASP.NET pages have the following characteristics

ASP.NET pages execute on the IIS server when they are requested by the client.
A Global.asax file can be used to set up global variables, objects, and work with ASP.NET and HttpModule events.
A client can pass variables to an ASP.NET page through a querystring.

ASP.NET applications take advantage of all the benefits of the Microsoft .NET Framework.

ASP.NET pages can be written in two ways:

Executable .NET code can exist in the ASP.NET page (called a single-file page).
Executable .NET code can exist separately in a compiled class file DLL. The code is then called by server controls in the ASP.NET page.

ASP.NET applications are more extendible than ASP. ASP.NET includes features that are called HTTP Handlers and HTTP Modules, which match IIS ISAPI filter and extension functionality.

ASP.NET includes transaction support.

ASP.NET is more difficult to learn in the beginning than ASP. However, the languages that are used to develop ASP.NET applications are gaining much popularity and can be used to develop other kinds of applications.

ASP.NET is a younger and more dynamic technology than ASP, CGI, and ISAPI, which requires programmers to keep up with the new features of ASP.NET as they develop.

The .NET Framework includes hundreds of classes, namespaces, and methods, designed to cover any action that a developer might want to perform, however, getting to know them all can take a long time.

COM components for ASP

COM components are written in

Visual Basic
Visual Java
C++
Any COM-compliant language

COM components have the following characteristics

COM component methods and properties are called from ASP pages or ISAPI applications running on the IIS server.
COM components can access ASP built-in objects using the COM+ ObjectContext object.

COM components execute faster than ASP pages alone. To make an ASP application faster, move most of the code that is contained in the ASP pages to a COM component, and then call the COM component methods and properties from the ASP pages.

COM includes transaction support that interacts with ASP transactions.

COM components are not as fast as ISAPI applications. The difference is only apparent on a server that experiences high volumes of traffic.

The process and thread identities of an application can change once processing is passed to COM services.

CGI applications

CGI DLLs are written in

Perl if the required Perl files are installed on the IIS server
C++

CGI applications have the following characteristics

CGI applications execute on the IIS server when they are requested by the client.
CGI applications can be called from an STM or SHTML file using the #exec command.

Developers who do not have the resources to convert CGI applications to run on IIS do not have to convert them to another development technology.

Small changes might have to be made to CGI applications to make them run on IIS. For example, if CGI applications do not return properly formatted headers, an error can occur. CGI applications must adhere to CGI and HTTP specifications as set out by the World Wide Web Consortium - Specifications and Drafts.

ISAPI extensions

ISAPI extensions are written in

ISAPI extensions have the following characteristics

ISAPI extensions execute on the IIS server when they are requested by the client.

ISAPI extensions have full access to IIS functionality. They give the finest control over the client connection, request and response data, application flow, application identities, and file transmission. As an example of the power of ISAPI applications, ASP and ASP.NET functionality is contained in special ISAPI extensions that are provided by IIS and .NET.

ISAPI extensions have access to Win32 APIs.

ISAPI extensions are the fastest of all IIS development technologies (other than static content).

ISAPI extensions can process asynchronously.

Starting with IIS 6.0, ISAPI supports Unicode.

Starting with IIS 6.0, ISAPI provides functions that allow any or all requests to an IIS server to be sent to an ISAPI extension, processed, and then redirected to any other application. This functionality can be used to replace ISAPI filters.

ISAPI extensions can only be written in C++, therefore ISAPI is a more difficult technology to learn. ASP.NET HTTP Handlers and HTTP Modules can be written in any .NET language, even VB.NET.

ISAPI filters

ISAPI filters are written in

ISAPI filters have the following characteristics

ISAPI filters are always running on the IIS server, filtering every request until they find one they need to process.

If an ISAPI filter is present on an IIS server, all incoming client requests pass through it. This allows a filter to select the requests that it needs to process. This is useful for purposes such as special logging or authentication.

The power of ISAPI filters lie in their ability to react to specified events notifications.

ISAPI filters can only be written in C++, therefore ISAPI is a more difficult technology to learn.ASP.NET HTTP Handlers and HTTP Modules can be written in any .NET language, even VB.NET.

ISAPI filters should only be used for filtering requests.

ISAPI filters do not have as much functionality as ISAPI extensions.

Database applications

Database applications are written in

Any COM-compliant language by using ActiveX? Data Objects (ADO). Therefore, ASP, COM, and ISAPI applications can use databases.
Any .NET language by using ADO.NET. Therefore, ASP.NET applications can use databases.

Database applications can store massive amounts of data such as membership information, inventory information, archival information, and so on. A properly designed database can allow a Web application to retrieve data quickly.

Databases are often used to store sensitive information, yet database applications are often developed without security in mind. Access controls must be tight. All client input must be stripped of invalid characters. Connections and queries must be constructed in the most fool-proof manner. On SQL server, the default administrative account must be replaced or have its well-known password changed. For more information about how to develop secure database applications, see the chapters titled "Never Trust User Input" and "Database Input Issues" in Writing Secure Code (ISBN 0-7356-1722-8).

Static content

Static content is written in

HTML
Dynamic HTML (DHTML), which can include <SCRIPT> blocks
XML

Static content has the following characteristics

Static pages execute when they are requested by the client. Unless the page contains <SCRIPT> blocks that are marked runat=Server, the code executes on the client computer.

Static content can be served to clients faster than any other content because it is not processed (unless it contains <SCRIPT runat=Server> blocks.

Some features of static content (such as the client-side script used in DHTML <SCRIPT> blocks, or XML) are not supported by some browsers, therefore your client might not be able to view your Web site correctly. This is not a problem for other IIS development technologies which execute on the IIS server to produce HTML responses that are sent to the client.

Comparison of IIS Development Technologies

Additional resources