IIS 6 Administration
This brings us to the current incarnation of IIS, version 6, which is what the rest of this book is about. Having surveyed the evolution of IIS up to the present, let’s now take a look at some of the exciting new features and enhancements that make version 6 a must-have upgrade for any serious Microsoft shop.
Improved Architecture
The biggest changes in IIS 6 are hidden from view under the hood of the product. These are changes in the basic architecture of how IIS serves out content in response to HTTP requests, and they have a significant impact on how IIS performs. In IIS 5 there was one main service called Inetinfo.exe, and web applications could either run In Process (together with Inetinfo.exe) or Out of Process (isolated from Inetinfo.exe and running in a separate memory space). In IIS 6 this architecture has been completely redesigned by moving all HTTP listening into the kernel for greater performance and reliability. Incoming HTTP requests are now handled by a kernel-mode component called Http.sys, which responds to each request by placing it into the appropriate queue for each website or application on IIS. Because of the isolation of Http.sys within the kernel, it is no longer possible for the failure of one web application to bring down other applications on the server. And because Http.sys runs in kernel mode, it can handle greater numbers of HTTP requests more efficiently than the previous architecture in IIS 5. I’ll talk more about Http.sys and other aspects of the new IIS 6 architecture in the next chapter.
New Mode
Previous versions of IIS separated web applications into different memory pools, including In Process (runs within the context of the main Inetinfo.exe service), Out of Process (runs in isolation from Inetinfo.exe within the context of a helper dllhost.exe process), or Pooled Process (runs collectively as a group of applications within an isolated helper dllhost.exe process). With IIS 6, this distinction between in-process and out-of-process execution no longer applies. Instead, all user-developed application code is now run within isolated processes in a mode of operation called worker process isolation mode. In other words, all third-party application code is completely isolated from the core web server processes (such as Http.sys). As a result, the failure or crash of one web application cannot affect the operation of other applications on the server or corrupt any of the core IIS configuration information and bring down the server itself. In addition, multiple applications can be grouped together if needed into separate application pools, with each pool being serviced by a separate Http.sys queue. Worker process isolation mode also means that management of IIS applications is simplified, since sites can now be taken offline or brought online independently and can be modified or debugged without affecting other sites running on the server. This is a great feature in today’s web development environment where application development cycles are measured in weeks instead of years, with the result that bugs are often never completely worked out of a program before the next release appears. I’ll talk more about Worker Process Isolation Mode and application pools in Chapter 2 and in Chapter 8, “Configuring Applications.”
Web Gardens
Just as IIS 6 allows multiple web applications to run within the same application pool (for example, applications that need to share information with each other), it also lets you configure multiple worker processes to service a single application pool. A worker process is a host process that contains the web service DLLs used to service the needs of a web application. The executable associated with a worker process is w3wp.exe, and it handles tasks like processing of HTTP requests forwarded from the kernel, loading and unloading ISAPI extensions and filters, performing authentication and authorization, and so on. Normally, each application pool has a single worker process assigned to it to service the needs of the applications within the pool, but IIS 6 also lets you configure an application pool to be serviced by multiple worker processes. It’s sort of like a web farm where multiple physical web servers can respond to incoming HTTP requests, except here multiple worker processes respond to requests submitted to a single http.sys queue. The end result is reliability, because if one worker process becomes congested or fails, other processes take up the load and the responsiveness of the application is unaffected. I’ll talk more about this feature in Chapters 2 and 8. Note that IIS 6 even allows you to assign worker processes to individual CPUs on SMP systems!
IIS 5 Compatibility
For applications that work well under IIS 5 but break when run within the new worker process isolation mode, IIS 6 gives you the option of switching to the old model of IIS 5 using an emulation called IIS 5 isolation mode. In this mode, the underlying architecture with kernel mode HTTP listening and response cache is still the same as IIS 6, but the user mode architecture changes to that of IIS 5 to ensure that applications developed for that platform still work in IIS 6.
New Metabase
The IIS metabase was the bane of administrators in earlier versions of this product. The metabase was designed to improve upon the Registry as a location for storing IIS configuration information. The Registry itself is a hierarchical structure that replaced the earlier System.ini and Win.ini files, which were plain text files in good old Windows 3.1. The problem with the metabase in IIS 4 and 5 was that it was a binary file that was not directly modifiable by administrators (even the Registry could be modified directly using Regedit.exe or Regedt32.exe). The reason for having a metabase at all was to speed up access to IIS configuration information by isolating this information from the Windows Registry. Searching the Registry on disk was too slow, and the Registry was often quite large and would have been unwieldy to load into memory just to have fast access to the IIS portion of it. So a hierarchical binary structure called the metabase was created and stored in the \system32\inetsrv directory, and this metabase.bin was then loaded by IIS into memory to give it fast access to its properties. To be fair, Microsoft did later provide a command-line tool called Mdutil for directly editing metabase properties, with the caveat that it was just as dangerous to do this as edit the Windows Registry by hand using Regedit. They also provided a GUI version of this tool called MetaEdit in the Windows 2000 Resource Kit.
Well, with IIS 6 we’ve come full circle with regard to the metabase: namely, it’s a text file once again! Shades of Win.ini! The proprietary binary format of the IIS 4 and 5 metabase has been abandoned in favor of plain text files formatted using Extensible Markup Language (XML), the wave of the future as far as interprocess communications is concerned. This makes it easy to edit the metabase using tools as simple as Notepad (something you want to be careful about doing, however, because one slip up and your metabase is corrupted and your web server may not start). I’m assuming you can read native XML directly, of course—but perhaps in a few years, children will learn XML in kindergarten, right after they learn how to draw the letters of the alphabet!
There are other enhancements besides the basic format of the metabase:
- A metabase history feature that keeps track of all changes made to the metabase, creating a version history of different Metabase.xml files for your server. This is terrific in case you need to revert to a previous stable metabase configuration if you mess up your web server settings.
- The ability to edit the metabase while IIS is still running without having to stop and restart websites or services. This is cool.
- The ability to programmatically export and import branches of the metabase. This feature allows you to copy a directory, site, or entire server collection from one physical machine to another using the admin scripts included with IIS 6, Active Directory Services Interface (ADSI) scripts, or Windows Management Instrumentation (WMI) tools.
I’ll talk more about the metabase and its new features in Chapter 18.
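Because the IIS 6 metabase is now plain XML, it can be audited offline with ordinary tools, for instance from one of the history copies or from an exported branch. The following Python script is an added example, not code from the book or from Microsoft: it parses a constructed Metabase.xml fragment, resolves inheritable properties by walking up the metabase path, and reports which application pools run under which identity and which Web Service Extensions are enabled. It assumes the metabase layout and property encodings described in its docstring (the XML namespace, the numeric AppPoolIdentityType codes, and the comma-separated, CR/LF-delimited format of WebSvcExtRestrictionList); verify those against your own Metabase.xml before relying on the output.

```python
"""Offline audit of an IIS 6 Metabase.xml fragment (added example, not from the book).

Assumptions about the file format (check them against a real Metabase.xml):
  * nodes live under <MBProperty> and carry their metabase path in a Location attribute;
  * properties are inheritable down the path hierarchy (a child without the property
    takes the nearest ancestor's value);
  * AppPoolIdentityType: 0=LocalSystem, 1=LocalService, 2=NetworkService, 3=specific user;
  * WebSvcExtRestrictionList is a multi-string value with CR/LF between entries, each
    entry "<allowed>,<path>[,<deletable>,<groupid>,<description>]".
"""
import xml.etree.ElementTree as ET

NS = "{urn:microsoft-catalog:XML_Metabase_V64_0}"
IDENTITY_NAMES = {"0": "LocalSystem", "1": "LocalService",
                  "2": "NetworkService", "3": "SpecificUser"}

# Constructed sample fragment; paths and values are illustrative only.
SAMPLE_METABASE = r"""<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC"
  WebSvcExtRestrictionList="0,*.dll&#xD;&#xA;0,*.exe&#xD;&#xA;1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages&#xD;&#xA;0,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,0,ASP.NET v1.1.4322,ASP.NET v1.1.4322" />
<IIsApplicationPools Location="/LM/W3SVC/AppPools" AppPoolIdentityType="2" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
</MBProperty>
</configuration>
"""


def parse_metabase(xml_text):
    """Return {metabase path: {property: value, '__type__': element name}}."""
    nodes = {}
    for elem in ET.fromstring(xml_text).iter():
        location = elem.get("Location")
        if location is None:
            continue
        props = {k: v for k, v in elem.attrib.items() if k != "Location"}
        props["__type__"] = elem.tag.replace(NS, "")
        nodes[location] = props
    return nodes


def effective_property(nodes, location, name):
    """Resolve an inheritable property by walking from the node up to /LM."""
    path = location
    while True:
        props = nodes.get(path)
        if props is not None and name in props:
            return props[name]
        if "/" not in path.strip("/"):
            return None  # reached the top of the hierarchy without a value
        path = path.rsplit("/", 1)[0]


def app_pool_identities(nodes):
    """Map each application pool path to the identity name it runs under."""
    return {
        loc: IDENTITY_NAMES.get(effective_property(nodes, loc, "AppPoolIdentityType"), "Unknown")
        for loc, props in nodes.items()
        if props["__type__"] == "IIsApplicationPool"
    }


def web_service_extensions(nodes):
    """Decode WebSvcExtRestrictionList into (allowed, path, description) tuples."""
    raw = effective_property(nodes, "/LM/W3SVC", "WebSvcExtRestrictionList") or ""
    entries = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:
            continue
        fields = line.split(",")
        allowed = fields[0] == "1"
        path = fields[1]
        description = fields[4] if len(fields) > 4 else path
        entries.append((allowed, path, description))
    return entries


def audit(nodes):
    """Findings a reviewer would want: pools running as LocalSystem, extensions unlocked."""
    findings = []
    for pool, identity in app_pool_identities(nodes).items():
        if identity == "LocalSystem":
            findings.append(f"{pool} runs as LocalSystem; IIS 6 default is NetworkService")
    for allowed, path, description in web_service_extensions(nodes):
        if allowed:
            findings.append(f"web service extension enabled: {description} ({path})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_metabase(SAMPLE_METABASE)):
        print(finding)
```

Run it against a history copy of Metabase.xml and a current export to see exactly which settings changed between two known states; the inheritance walk matters because a pool that carries no AppPoolIdentityType of its own is not "unconfigured", it silently takes whatever the AppPools parent specifies.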
Enhanced Security
Lack of security has probably been the number one issue brought against the Microsoft Windows platform, and against IIS in particular. In part this was due to the high visibility of Microsoft, which made its products a tempting target for hackers and disaffectionados. The reality is that IIS is probably the most secure web server platform around, simply because it has been hacked from this way through Sunday. The result is that most of its security vulnerabilities have been exposed and are well known and easily fixed using service packs and hot fixes available from Microsoft. Nevertheless, in one aspect of the security issue, Microsoft really did fall down: when you installed earlier versions of IIS out of the box it was basically "wide open" instead of "locked down." This meant every service was enabled and started, permissions were assigned their least restrictive values, and service accounts had high system privileges. The result was that when an inexperienced administrator set up IIS sites on a server, these sites were likely to be easily compromised or taken down by knowledgeable hackers. In response to this, Microsoft began to get serious about security, and in late 2001 they released a Security Toolkit on their website that contained some important additions to IIS 4 and 5— namely, the IIS Security Lockdown Wizard, a tool that implemented the security recommendations Microsoft previously published in its Security Checklists for these products, and UrlScan, an ISAPI filter that blocked malicious HTTP requests that attempted to destabilize IIS through buffer overflows and other programming tricks.
What’s new with IIS 6 is that the functionality of the Lockdown Wizard has now been incorporated into the product in the form of a new feature called Web Service Extensions (WSE). Furthermore, IIS is now installed in a locked-down state instead of a wide-open configuration, with ASP and FrontPage extensions disabled, permissions set at high levels, no ISAPI extensions or filters installed, and sample content that consists only of harmless static HTML pages. In fact, you need to use WSE after you install IIS, not to lock it up further, but to open it up to the degree necessary to meet your needs. This is a big improvement, and Microsoft deserves kudos for finally taking this step because it flies in the face of their common goal of giving users “features, features, features!” That goal might be acceptable for end users and desktop applications, but the server room is something far different.
Security Alert! We’ll examine WSE in more detail later in Chapter 7, “Creating and Configuring Web Sites,” and Chapter 10, “Securing IIS”; but if you’ve already installed and started playing with IIS 6 and find that the web applications you’ve migrated to this new version no longer work, try playing with the WSE node in IIS Manager. Out of the box, IIS 6 will only serve up static HTML files to clients; in order for ISAPI, CGI, or ASP.NET applications to work, these features must first be unlocked using the wizard.
There are other security improvements Microsoft made in IIS 6, including
- Configurable worker process identity, a method for ensuring that an administrator of one web application deployed on IIS is completely isolated from and cannot interfere with the configuration or operation of web applications managed by other administrators on the same server.
- Low privileges for IIS 6 worker processes, which by default use a special built-in identity called NetworkService as the context in which they run, instead of the more-powerful LocalSystem account used in previous versions of IIS.
- Digest Authentication, an authentication method that sends a hash value across the network and can work through firewalls and proxy servers. Integrated Windows Authentication is also still available (as are Basic Authentication and Anonymous Access) when less security is required.
- Integration with Microsoft .NET Passport to allow IIS to use Passport as an authentication method.
- The ability for cryptographic processing to be offloaded to a suitable cryptographic service provider (CSP) for strong security.
- The ability to configure the metabase to cause IIS to respond with an Access Denied message when requests for files with unknown file extensions are received.
- In an Active Directory environment, Group Policy can be used to block IIS from being installed in order to prevent users from deploying unauthorized web servers on a company’s network.
I’ll cover these various security features in more detail later in Chapter 10.
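The "hash value across the network" that Digest Authentication sends is worth seeing concretely, because it explains both why Digest is preferable to Basic over an untrusted link and what it does not protect. The following Python code is an added example, not from the book or from IIS itself: it implements the RFC 2617 computation with qop=auth for both sides of the exchange, a client building the Authorization parameters and a server verifying them against a stored HA1 (so the server never needs the clear-text password), and it uses single-use nonces as a simple replay check. The class and function names are this example's own; IIS's internal implementation is not shown here.

```python
"""HTTP Digest Authentication (RFC 2617, qop=auth) from both sides (added example)."""
import hashlib
import hmac
import secrets


def _md5_hex(*parts):
    """MD5 of the colon-joined parts, as the RFC's KD()/H() functions require."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). A server can store this instead of the password."""
    return _md5_hex(username, realm, password)


def digest_response(ha1_value, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(method, uri)
    return _md5_hex(ha1_value, nonce, nc, cnonce, qop, ha2)


def client_authorize(username, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """Build the Authorization parameters a client sends; the password never leaves it."""
    response = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


class DigestVerifier:
    """Server side: issues nonces and checks responses against stored HA1 values."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials   # username -> HA1 hex string
        self.issued = set()              # nonces handed out and not yet consumed

    def challenge(self):
        """Return a fresh nonce for a WWW-Authenticate: Digest challenge."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, method, params):
        """True only for a correct response to a nonce this server issued and has not used."""
        nonce = params.get("nonce")
        if nonce not in self.issued or params.get("realm") != self.realm:
            return False
        stored = self.credentials.get(params.get("username"))
        if stored is None:
            return False
        expected = digest_response(stored, method, params["uri"], nonce,
                                   params["nc"], params["cnonce"], params.get("qop", "auth"))
        ok = hmac.compare_digest(expected, params["response"])
        if ok:
            # Single-use nonce: a captured Authorization header cannot be replayed.
            # (Real servers instead allow nonce reuse with a strictly increasing nc.)
            self.issued.discard(nonce)
        return ok


if __name__ == "__main__":
    server = DigestVerifier("testrealm@host.com",
                            {"Mufasa": ha1("Mufasa", "testrealm@host.com", "Circle Of Life")})
    nonce = server.challenge()
    params = client_authorize("Mufasa", "testrealm@host.com", "Circle Of Life",
                              "GET", "/dir/index.html", nonce, secrets.token_hex(8))
    print("first attempt:", server.verify("GET", params))
    print("replayed:", server.verify("GET", params))
```

What this shows a defender: the wire carries only MD5 digests, so a passive observer does not learn the password directly, but the scheme is only as strong as the password against offline guessing from a captured exchange, and the digest does not protect the response body or anything else in the request. That is the reason the book ranks Integrated Windows Authentication above it and why both still belong behind SSL on an untrusted network.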
Improved Performance
I’ve already talked about how moving the HTTP listener into the kernel dramatically increases performance of IIS and allows more applications and websites to be hosted on a single machine (which means lower costs). IIS 6 includes other enhancements that also contribute to improved performance over earlier versions, including
- Large memory support for caching up to 64GB of data on 32-bit Intel platforms. Cached data can now be retrieved more quickly, and this boosts the performance of the web server.
- Advanced caching heuristics that determine when content (static or dynamic) should be cached and when it should be discarded. This includes caching of ASP templates (when an ASP file is processed, it is first compiled into an ASP template prior to execution). The most requested ASP templates are held in memory while others are persisted to disk.
- Web gardens (mentioned earlier) that can reduce blocking by binding worker processes to specific processors on SMP machines.
- Improved thread management to make more efficient use of concurrency when executing processor-bound requests.
- Improved allocation of resources, now allocated as required instead of being allocated during initialization.
- Compression of HTTP responses to improve performance on congested networks. This feature was first included in IIS 5 but only as a global ISAPI filter. In IIS 6, however, it can be configured at the server, site, directory, or even file level.
- Improved management of server resources for individual sites and application pools, including configurable connection limits and timeouts, bandwidth throttling, process accounting, memory recycling, and queue length limits.
The net result of all these performance enhancements is that a single IIS 6 machine can host thousands more sites than an earlier IIS 5 one could. This is especially good news for service providers like ISPs and web hosting companies, and it may give them just the reason they need to migrate their systems away from Apache. I’ll cover these performance enhancements in Chapter 2, as well as Chapter 12.
Improved Management
In addition to being able to manage IIS using the Internet Services Manager snap-in, there are several other ways you can manage IIS 6 machines:
- A WMI provider is included to allow IIS configuration information stored in the metabase to be remotely accessed and manipulated using Windows Management Instrumentation (WMI). This complements the already-existing way of accomplishing this using Active Directory Services Interfaces (ADSI) in IIS 5.
- A collection of administration scripts written in VBScript are included, which allow administrators to manage IIS from the command line to create, delete, start, stop, and list web and FTP sites; create and delete virtual directories; export and import IIS configuration into a text file formatted with XML; back up and restore IIS configuration information; and so on.
- A brand new browser-based administration tool much superior in ease of use to the old HTMLA of earlier IIS versions (see Figure 1-2 for a peek at this new tool).
Figure 1-2: The new browser-based administration tool of Windows Server 2003.
You can also administer IIS remotely using Terminal Services, which has been enhanced and improved in Windows Server 2003. I’ll talk more about these various administration tools in Chapter 5, “Administering Standard/Enterprise Edition”; Chapter 6, “Administering Web Server Edition”; Chapter 11, “Working from the Command-Line”; and Chapter 12, “Performance Tuning and Monitoring.”
Other Enhancements
Few changes were made to the FTP, SMTP, and NNTP services in this version, as IIS is really a web application platform. One change that’s worth mentioning is FTP User Isolation, which isolates users’ top-level FTP directories from each other, making them appear as if they are the root directory of the server. This helps prevent FTP users from nosing around in other peoples’ home directories and enhances the security of IIS as an FTP server platform. Another FTP improvement is FTP Restart, which allows interrupted file transfers to be resumed where they left off.
Other enhancements in this version include:
- The ability to restart IIS without rebooting your machine (in fact, very few reboots are required in Windows Server 2003).
- Enhanced IIS W3SVC logging feature that supports Unicode and UTF-8 and not just ASCII.
- Improved custom HTTP error messages, which you can further customize if you desire.
- Improved ISAPI functionality, including Unicode support, custom errors, COM+ services, and so on. This is pretty heavy stuff and basically of interest only to high-level programmers.
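The W3SVC logging enhancement is easy to take for granted until you try to read a log that contains non-ASCII URLs, so here is an added example, not from the book, of a small reader for the W3C Extended log format that IIS writes. It decodes the file as UTF-8, honours the `#Fields:` directive rather than assuming a fixed column order, and then summarises the records the way a first pass at incident triage would: status and substatus counts (which is also where the locked-down server's refusals of unknown extensions or disabled Web Service Extensions show up) and any requests for executable extensions. The log lines are constructed for the example; the only format assumptions are the W3C conventions of space-separated fields, `-` for an empty value, and `+` in place of spaces inside a field.

```python
"""Reader and triage summary for IIS W3C Extended logs (added example, not from the book)."""
from collections import Counter
from os.path import splitext

# Constructed sample log, encoded as UTF-8 bytes as a file read in binary mode would be.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 6.0\n"
    "#Version: 1.0\n"
    "#Date: 2004-01-15 08:00:00\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
    "cs(User-Agent) sc-status sc-substatus sc-win32-status\n"
    "2004-01-15 08:00:01 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 Mozilla/4.0+(compatible) 200 0 0\n"
    "2004-01-15 08:00:02 10.0.0.5 GET /default.asp id=7 80 - 192.0.2.10 Mozilla/4.0+(compatible) 404 2 0\n"
    "2004-01-15 08:00:03 10.0.0.5 GET /scripts/upload.exe - 80 - 192.0.2.44 Mozilla/4.0+(compatible) 404 2 0\n"
    "2004-01-15 08:00:04 10.0.0.5 GET /docs/résumé.htm - 80 - 192.0.2.10 Mozilla/4.0+(compatible) 200 0 0\n"
).encode("utf-8")


def parse_w3c_log(data):
    """Yield one dict per request line, keyed by the names in the current #Fields directive."""
    text = data.decode("utf-8") if isinstance(data, bytes) else data
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()   # a new directive can appear mid-file
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        record = {}
        for name, value in zip(fields, values):
            record[name] = None if value == "-" else value.replace("+", " ")
        yield record


def status_summary(records):
    """Count requests by (sc-status, sc-substatus); substatus is None for older field sets."""
    return Counter((r.get("sc-status"), r.get("sc-substatus")) for r in records)


def requests_for_extensions(records, extensions):
    """Return (client ip, uri stem, status) for requests whose path has one of the extensions."""
    wanted = {e.lower() for e in extensions}
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem") or ""
        if splitext(stem)[1].lower() in wanted:
            hits.append((r.get("c-ip"), stem, r.get("sc-status")))
    return hits


if __name__ == "__main__":
    recs = list(parse_w3c_log(SAMPLE_LOG))
    for key, n in sorted(status_summary(recs).items()):
        print(f"status {key[0]}.{key[1]}: {n}")
    for ip, stem, status in requests_for_extensions(recs, {".exe", ".dll"}):
        print(f"{ip} requested {stem} -> {status}")
```

Two details matter in practice. Reading the file as UTF-8 instead of the default code page is what keeps `/docs/résumé.htm` intact as one path rather than a string of mojibake, and driving the parser from `#Fields:` means a later change to the logging options in IIS Manager (which rewrites that directive) does not silently shift every column in your reports.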