Professor Windows - November 2003
Introducing the New Internet Information Services (IIS)
Ziv Eden, Software Test Engineer, Microsoft Israel
While in some areas Windows Server 2003 is an incremental release compared to Windows 2000, it certainly has a significantly different Web and application server infrastructure than previous releases of Windows Server. IIS 6.0 that comes with Windows Server 2003 is built for increased capacity and scalability for Web applications, and more possibilities of decreasing the number of web servers. There are many new features in this baby, but first thing's first – you've got to get to know the architecture before running and selecting those cool new tabs.
A Totally New Architecture
When you look at IIS 5.0, it was essentially designed to have only one process, namely InetInfo.exe. This was your Web server process that handled requests to one or more out-of-process applications, namely DLLHost.exe. In other words, in previous versions of IIS, a failure of a single Web application could cause the failure of other Web sites and applications on the same server. In IIS 6.0 we built the architecture in a way that the Web server code runs separately from the application handling code. There are three new components in IIS 6.0:
- Kernel-mode HTTP listener (HTTP.sys)
- User-mode configuration and process manager (WWW Service Administration and Monitoring)
- Worker processes (the application handlers)
Worker processes are "Mini Web Servers" that operate independently of one another (so in case a worker process fails, it does not affect the other worker processes). Every worker process handles service requests for application pools in HTTP.sys. Application Pools help isolate Web sites and applications into self-contained units. They are separated from the other applications hosted on the same server. In short, any user code such as ASP pages is processed in the worker process(es) and not in kernel-mode.
Figure 1 helps with the new architectural picture.
If your browser does not support inline frames, click here to view on a separate page.
Figure 1 IIS 6.0 Architecture
Application Pools are another new concept in IIS 6.0. They are used to isolate between Web sites and applications so certain groups of URLs can share certain configuration that is different than other URLs. In an application pool, a worker process services requests for the Web sites and applications that reside in that application pool. Application pools can help you achieve a highly isolated and reliable environment. You can place few web sites in an application pool, and you can place each and every site in its own application pool. To achieve greater security, you can configure a unique user account to be used as the process identity for each application pool. It's recommended that you use an account with the least privileges possible (e.g. Network Service). It's also highly recommended that you separate test applications from production applications into different Application Pools when running on the same server.
In The New World, Not Only Cans Get Recycled
Recycling is good for our planet, and it's also good for our web servers. One of the most important features of Application pools is that they allow you to periodically recycle (restart) their worker processes based on settings such as memory use, number of requests, etc. The process recycling helps in preventing resource leaks and other possible issues that may occur in applications when running for a long period of time. When a worker process is ready to be shut down, a new worker process is created. The queued requests are sent to the new process and the old process is drained of requests before being shut down, making the recycle process fairly transparent to an end user. You can throttle resources such as bandwidth, connections, and CPU use.
Secure By Default
One of the most important changes made to IIS 6.0 is that it's locked down by Default. In previous versions of IIS, web application processes ran as Local System. Local System has access to almost every resource available on the machine, and needless to say, this was very challenging to give you highly secured site with such privileges. In IIS 6.0 the identity of an application pool is configurable, and defaults to the Network Service account, which has low-level user access rights. But listen to me talking about running your web server securely. Fact is, Windows Server 2003 does not even install IIS 6.0 by default — you'd have to select and install it specifically, and even when installed, it essentially does nothing much than displaying HTML text and graphics (static files). To operate freely with dynamic content, you have to go and manually enable specific items for your web server such as ISAPIs. This step was done in order to reduce the attack surface. You can now also remove IIS from any desired machine on your network by using GPO (Group Policies). Always keep in mind that all these and more secure defaults and settings will not offer a completely secure and threat-free web server without downloading and installing patches when needed. Windows Server 2003 includes automatic updates that can automatically make sure that server stays patched for security threats. There are more ways (such as Software Update Services, Systems Management Server, etc.) to enable automatic patching of servers and other Windows machines in your network. For more information, you may start by referring to this page.
Notepad style Configuration Editing
Remember the good old metabase.bin file that held the IIS configuration? Well, it's still there, essentially, and locked by InetInfo, but actually, in IIS 6.0, the configuration file is now stored in XML format that you can edit with any standard text editor. Some call it "Notepad style editing" meaning you essentially open notepad and edit the application settings while your web server is running without needing to restart or do anything else. No more disruption of service just to change a configuration setting on one of your web sites, or create virtual directories or even add new sites. IIS 6.0 will automatically track the changes in the configuration metabase that were written to disk. In addition, your previous configurations are saved so you may rollback to previous configurations if needed.
Management Goes To The Next Level
Some of you who are into scripting might know what Windows Management Instrumentation (WMI) is and how powerful it is as a means of configuring servers and gaining access to important system management data. For those of you who are into using WMI, IIS 6.0 now offers full support for WMI, providing you with a rich set of programming interfaces that offer flexible ways to manage your Web Servers.
But not all of us are into scripting, right? True, we're not all "script gurus", yet we all want quick "cmd style" management, don't we? When administrating an IIS 6.0 box or multiple IIS 6.0 Web Servers, you can use the Windows Server 2003 command line to accomplish many common management tasks. You can manage multiple local or remote computers and automate tasks in a single command line. One of the highly noted VBS scripts that exist is IIScnfg.vbs, which enables you to export Web site and server configurations and import them to a different server. You can also directly copy a single site, all sites, or the entire configuration to another server.
In addition to the new cmd and WMI interfaces, we've kept backward compatibility to IIS ADSI namespace provider and ABO (Admin Based Objects) so existing scripts you've written using ABO/ADSI won't break when moving to IIS 6.0.
More To Be Told (And Seen!)
Not only did Microsoft re-write IIS in Windows Server 2003, but we also offer Windows Server 2003 Web Edition which is an economical Web server that is competitively priced for self-hosting organizations needing to deploy Web pages, Web sites, Web applications, and Web services rapidly.
IIS 6.0 really made a huge leap, in which this column cannot cover the full complexity and richness of the new Web Server. There are many FTP improvements such as FTP user isolation, important performance improvements (e.g. Kernel-mode Caching and ASP caching), new options for limiting how authentication credentials are delegated in Web applications (delegating credentials for specific servers or services), and much more. I could probably go on and talk about SSL improvements, Passport integration, IIS 5.0 compatibility mode, ISAPI improvements, etc., but the bottom line remains - it's a new and robust version of IIS. Therefore, if you're into web hosting – Take this cool technology for a ride!
May the source be with you.
For More Information
- Windows 2003 Internet Information Services Resources
- Internet Information Services Technical Articles
- Overview of Windows Server 2003 Web Edition
- IIS 6.0 Resource Kit Tools
For any feedback regarding the content of this column, please write to Microsoft TechNet. Please be aware that a response is not guaranteed.