Update, July 2002
# Rewritten IIS Anchors Windows .NET Server
By Michael Cherry

Illustration: IIS 6 Architecture and Request Processing

The version of Internet Information Services (IIS) in the upcoming Windows .NET Server has been completely redesigned to improve reliability, performance, and security. Because of the redesign, IIS 6.0 is not fully backward compatible and contains a great deal of new code, so customers will have to test their Web applications carefully before moving to the new server.

## IIS 6.0 Goals

The following two forces drove Microsoft to redesign IIS:

**Supporting .NET.** ASP.NET, which runs on IIS, is one of the key platforms for delivering Microsoft's .NET vision of Web services. For ASP.NET to gain acceptance as the preferred platform for delivering Web applications and services, IIS had to be made more reliable and secure, and be able to handle a large number of requests.

**Holding off Apache.** Open source Web servers, such as Apache hosted on Linux or FreeBSD, offer attractive features and lower licensing costs, particularly for organizations looking to evaluate using open source software in a relatively safe environment.

To address these forces, Microsoft improved IIS in the following ways:

**Performance.** Microsoft moved performance-critical code that processes the Hypertext Transfer Protocol (HTTP) into the Windows kernel and improved the ability of applications to exploit multiprocessor servers and server farms. These changes could speed delivery of static content and execution of dynamic Web pages, widening the gap between IIS and its open source competitors.

**Reliability.** Microsoft has restructured the IIS process model to protect IIS more effectively from errant code and to protect Web sites and services from one another. These changes are crucial to give e-commerce Web sites and Web services a consistently high level of availability.

**Security.** Microsoft has subjected the IIS code base to a security review and made radical changes to its default configuration.
These changes could make it less vulnerable to the kinds of security-related bugs that led some analysts to advise avoiding it until Microsoft completed a rewrite. (For background, see "Abandon IIS?" on page 20 of the Dec. 2001 Update.)

## New IIS Architecture

Microsoft has carefully increased the componentization of IIS 6.0 to improve reliability and performance of application-level code and to boost performance of the Web server's core task: handling HTTP requests. IIS 5.0, in contrast, is a relatively monolithic program that processes most HTTP requests and administration processes within a single component of the Web server. (For an illustration of the new architecture, see "IIS 6 Architecture and Request Processing".)

The main services and processes in IIS 6.0 include the following:

**An HTTP listener.** The IIS 6.0 HTTP driver (HTTP.sys) accepts HTTP requests (such as a request for a Web page or an image) and passes them to the appropriate Web application. HTTP.sys is a kernel-mode driver, meaning that it runs as part of the Windows .NET Server executive (the collection of kernel components, such as the memory, I/O, and object managers). Running in kernel mode isolates HTTP.sys, substantially speeds its performance, and protects it from any problems caused by the user-written application code that processes the request. Another advantage of having a separate service to process HTTP requests is that this service, separated from IIS itself, can more easily be used by other operating system services or server applications that also rely on HTTP.

**Worker processes.** IIS 6.0 starts a separate "worker" process (W3WP.EXE) for each Web application pool to provide further isolation for user-written application code.
For example, if two different ASP.NET Web applications are running, each has its own worker process, complete with its own ASP.NET engine (an Internet Server Application Programming Interface [ISAPI] extension), its own Common Language Runtime (CLR), and any user-written application code. This contrasts with IIS 5.0, which could run application code together with the main IIS process (INETINFO.EXE), or split parts of the application into a separate process (DLLHOST.EXE), but did not provide complete isolation between Web applications. IIS 6.0 can even create groups of multiple worker processes dedicated to a particular application. Each process in one of these "Web gardens" can run on a separate processor, allowing the application to use the full capacity of a multiprocessor server. By hosting each application or Web site on the IIS 6.0 server in its own process, the site administrator gains fine control of the resources assigned to an application, and a problem with one application cannot impact other worker processes, even if the failed application or Web site must be restarted.

**Web Administration Service.** IIS 6.0 has a new Web Administration Service (WAS) used to configure the server and any worker processes. In addition to managing configuration, the WAS ensures that worker processes are not started until there is a request for the Web application, which preserves resources. The WAS monitors the health of the worker processes to ensure that a worker process with a problem, such as a memory leak, is automatically restarted without impacting users.

**XML metabase.** With IIS 6.0, the metabase, which stores Web site and application configuration information, uses an XML file format. Previous versions of the IIS metabase used a proprietary, binary format.
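The per-application worker process, WAS health monitoring, and Web garden settings described above are all properties of an application pool in the metabase. The following ADSI script is an added example, not code from the article or from Microsoft: it creates a dedicated pool for one application, runs its worker process as the low-privilege NetworkService account, turns on the health checks that let WAS replace a hung or leaking worker, and moves the application into that pool. The property names are those of the released IIS 6.0 metabase schema (not given in the article); the pool name and the virtual directory path are placeholders.

```vbscript
' Added example (not from the article): give one Web application its own
' IIS 6.0 application pool via ADSI, the scripting interface exposed by the
' IIS Admin Service. Property names are from the IIS 6.0 metabase schema;
' POOL_NAME and VDIR_PATH are placeholders to adjust for the target server.
Option Explicit

Const APPPOOL_IDENTITY_NETWORKSERVICE = 2               ' AppPoolIdentityType: 2 = NetworkService
Const POOL_NAME = "OrdersAppPool"                        ' placeholder pool name
Const VDIR_PATH = "IIS://localhost/W3SVC/1/Root/Orders"  ' placeholder: site 1, application "Orders"

Dim pools, pool, vdir

' 1. Create the pool under the W3SVC/AppPools container.
Set pools = GetObject("IIS://localhost/W3SVC/AppPools")
Set pool = pools.Create("IIsApplicationPool", POOL_NAME)

' 2. Run the pool's worker process (W3WP.EXE) as NetworkService, so a
'    compromised application does not hold administrative rights on the host.
pool.AppPoolIdentityType = APPPOOL_IDENTITY_NETWORKSERVICE

' 3. WAS health monitoring: ping the worker periodically and replace it
'    if it stops answering.
pool.PingingEnabled = True
pool.PingInterval = 30          ' seconds between pings
pool.PingResponseTime = 90      ' seconds the worker may take to answer

' 4. Recycle a worker whose private memory grows past this limit (in KB),
'    which is how a leaking application is restarted without affecting others.
pool.PeriodicRestartPrivateMemory = 500000

' 5. Rapid-fail protection: if the worker crashes repeatedly, take the pool
'    out of service rather than restart it in a tight loop.
pool.RapidFailProtection = True
pool.RapidFailProtectionMaxCrashes = 5
pool.RapidFailProtectionInterval = 5    ' minutes

' 6. A single worker process; MaxProcesses > 1 turns the pool into a Web garden.
pool.MaxProcesses = 1

pool.SetInfo

' 7. Assign the application to its new pool so that a fault in it cannot
'    take down the worker processes of other applications.
Set vdir = GetObject(VDIR_PATH)
vdir.AppPoolId = POOL_NAME
vdir.SetInfo

WScript.Echo "Application pool " & POOL_NAME & " created and assigned to " & VDIR_PATH
```

Run it with `cscript` from an administrative session on the server. Because the pool's settings are ordinary metabase properties, they land in the XML metabase file and can be versioned, backed up, and replicated across a farm like any other configuration.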
An XML-formatted metabase will make it easier for administrators and other programs (such as Application Center) to manage changes to the metabase; track changes through various versions; and back up, restore, or export the metabase to configure and deploy additional IIS servers. This will be particularly valuable for organizations that use "farms" of redundant Web servers to provide higher performance or reliability; an XML metabase file will be easier to replicate to all members of the farm.

**IIS Admin Service.** With IIS 6.0, the IIS Admin Service (INETINFO.EXE) becomes less important to the Web server and the worker processes, but it still exposes a series of IIS Administration Base Objects (ABO) that facilitate management of the IIS server via the Microsoft Management Console (MMC), command line scripts, or third-party tools. This service also hosts the File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and newsgroup Network News Transfer Protocol (NNTP) services.

## Security Improvements

In response to concerns about the security of IIS, Microsoft has taken several steps to improve security, including reviewing the code as part of its "Trustworthy Computing" code review (see "Security Coding Halt, New Hires" on page 6 of the Mar. 2002 Update), locking down the server by default, and running IIS as a low-privileged account (again by default).

Locking down the server is the biggest change, and one that administrators will definitely notice. In the past, IIS's default setting had services such as ASP or Internet printing turned on, even if customers might not use them. This made the services easy to discover, and therefore easy to adopt, but created an opening for malicious code when administrators unwittingly left them on.
The new approach is to leave IIS uninstalled from Windows .NET Server by default, and when it is installed, to "lock down" or turn off functionality so that the server can only serve relatively safe static Web pages until the administrator enables support for additional services, such as ASP, ASP.NET, or FrontPage Server Extensions. To make it easier to enable IIS features correctly, administrators can use the Web Services Extensions, formerly known as the Lockdown Wizard. (For a look at this feature, see the illustration "The Web Services Extension".)

A second major security-related change configures each IIS worker process to run as a "NetworkService," a new built-in account with very few privileges. Running with low privileges limits the impact of security breaches if they occur so that a breach does not, for example, allow a hacker to take administrative control of the server. Because administrators must specifically turn on IIS functionality, and because IIS is running with the least possible privileges, the exposure to vulnerabilities is greatly reduced.

## Compatibility, Maturity Questions

The most significant drawback to the redesign of IIS 6.0 is that the architectural changes can break a small number of existing applications, including applications written for ASP.NET, which was just released in Feb. 2002. The volume of new code in the product also raises questions about its stability.

## Special Mode Provides Compatibility

The addition of kernel mode HTTP.sys and worker processes (among other changes) means that IIS 6.0 is not backward compatible with a small number of existing applications. IIS 6.0 offers an "IIS 5 Isolation Mode," which provides backward compatibility for applications that rely on a specific behavior of IIS 5.0, such as applications that use ISAPI filters to read raw HTTP requests. The only IIS 6.0 feature used in IIS 5 Isolation Mode is HTTP.sys. (For an overview of the differences, see the illustration "IIS 5 Isolation Mode".)
Microsoft claims that unless a Web application relies on specific IIS 5.0 behaviors, such as reading raw data from the HTTP data stream, the application should be able to run in the normal IIS 6.0 mode, called "Worker Process Isolation Mode." Furthermore, Microsoft says that all applications that ran on IIS 5.0 will run on IIS 6.0 in IIS 5 Isolation Mode. However, the two modes cannot coexist on one physical server; an IIS 6.0 server is either in Worker Process Isolation Mode or in IIS 5 Isolation Mode. Organizations needing both modes will need at least two servers.

IIS 6.0 starts up in one mode or the other depending on how it is installed. New installations and upgrades of existing IIS 6.0 servers will run by default in Worker Process Isolation Mode. Upgrades from previous IIS versions will run by default in IIS 5 Isolation Mode. The mode can be switched from the IIS Manager (the IIS Administration MMC snap-in) as well as from a script.

## ASP.NET Applications Need Configuration

In addition to choosing which mode to run the server in, organizations may have to reconfigure some ASP.NET-based applications to run on IIS 6.0. ASP.NET was originally designed and released to work on IIS 5.0, and includes its own process model. When ASP.NET is running on IIS 6.0, it uses IIS 6.0 Worker Process Isolation Mode and disables its own ASP.NET process model. (For more information on ASP.NET see "ASP.NET Improves Development of Web Applications" on page 3 of the Jan. 2002 Update.) Developers either need to avoid the ASP.NET-specific request processing model, or manually set the appropriate IIS 6.0 worker process configuration settings.

## New Code Raises Questions

IIS 6.0 is currently undergoing beta testing as part of the closed Windows .NET Server beta. Among other things, this means it is too early to tell whether the substantial amount of new code in the product has affected its overall stability.
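The lock-down described under "Security Improvements" and the per-server process mode described above are both visible in the metabase, so an administrator can verify them rather than trust the installer. The following read-only ADSI script is an added example, not code from the article or from Microsoft: it reports which process model the server is in, which Web service extensions have been enabled (on a fresh install none are, so every enabled entry is an administrator's decision worth reviewing), and which application pools run as something other than NetworkService. The property names are those of the released IIS 6.0 metabase schema; the field layout assumed for each restriction-list entry ("allowed,path,deletable,groupID,description") is an assumption to check against the server's own metabase.

```vbscript
' Added example (not from the article): read-only audit of an IIS 6.0
' server's lock-down state via ADSI. Property names are from the IIS 6.0
' metabase schema; the WebSvcExtRestrictionList entry layout assumed below is
' "allowed,path,deletable,groupID,description" (an assumption to verify).
Option Explicit

Dim svc, entry, fields, pools, pool, enabledCount

Set svc = GetObject("IIS://localhost/W3SVC")

' 1. Process model. IIS 5 Isolation Mode keeps the compatibility behaviour but
'    gives up per-application worker process isolation.
If svc.IIs5IsolationModeEnabled Then
    WScript.Echo "Mode: IIS 5 Isolation Mode (backward compatibility)"
Else
    WScript.Echo "Mode: Worker Process Isolation Mode"
End If

' 2. Dynamic-content handlers that have been switched on. The first field
'    is "1" for allowed and "0" for prohibited.
WScript.Echo "Enabled Web service extensions:"
enabledCount = 0
For Each entry In svc.WebSvcExtRestrictionList
    fields = Split(entry, ",")
    If UBound(fields) >= 3 And fields(0) = "1" Then
        WScript.Echo "  " & fields(3) & "  (" & fields(1) & ")"
        enabledCount = enabledCount + 1
    End If
Next
If enabledCount = 0 Then
    WScript.Echo "  (none: static content only)"
End If

' 3. Application pools running with more privilege than the default.
'    AppPoolIdentityType: 0 = LocalSystem, 1 = LocalService,
'    2 = NetworkService, 3 = a configured user account.
Set pools = GetObject("IIS://localhost/W3SVC/AppPools")
For Each pool In pools
    If pool.AppPoolIdentityType <> 2 Then
        WScript.Echo "WARNING: pool " & pool.Name & " uses identity type " & pool.AppPoolIdentityType
    End If
Next
```

Run it with `cscript` on the server after installation and again after each configuration change; a pool reported as LocalSystem, or an extension nobody remembers enabling, is exactly the kind of drift the default lock-down is meant to prevent.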
The new version of IIS will only have been tested as part of the Windows .NET Server beta and on a number of the servers that run Microsoft's Web properties (such as microsoft.com). Companies considering moving their applications to IIS 6.0 should plan a more rigorous test process than they did for IIS 5.0. If their applications turn out to require IIS 5 Isolation Mode to run on the new Web server, companies should then carefully review whether the application can be easily changed to run in IIS 6.0, or whether they want to run the server in the backward-compatibility mode (even though this will not give them the full benefits of IIS 6.0).

## Availability and Resources

Microsoft is expected to ship Windows .NET Server before the end of 2002, with general availability in early 2003. IIS 6.0 will be included with all versions of Windows .NET Server, but leading the charge against Linux and Apache on Web sites will be a new member of the Windows Server family called "Windows .NET Web Server." While final packaging, including licensing and cost details, is unknown at this time, this new server family member will likely be positioned to provide an easy-to-implement Web server for small to medium businesses and will be limited to running as a Web server only.

For more information on the design changes to IIS 6.0, see www.microsoft.com/windows.netserver/evaluation/overview/technologies/iis.asp. For an overview of the Windows .NET Server family (including some discussion of IIS 6.0), see www.microsoft.com/windows.netserver/docs/TechOverview.doc. For general information on Windows .NET Server, see www.microsoft.com/windows.netserver.