PROFESSIONAL MICROSOFT® IIS 8
INTRODUCTION
PART I INTRODUCTION AND DEPLOYMENT
CHAPTER 1 Background on IIS and New Features in IIS 8.0
CHAPTER 2 IIS 8.0 Architecture
CHAPTER 3 Planning Your Deployment
CHAPTER 4 Installing IIS 8.0
PART II ADMINISTRATION
CHAPTER 5 Administration Tools
CHAPTER 6 Website Administration
CHAPTER 7 Web Application Administration
CHAPTER 8 Web Application Pool Administration
CHAPTER 9 Delegating Remote Administration
CHAPTER 10 Configuring Other Services
PART III ADVANCED ADMINISTRATION
CHAPTER 11 Core Server
CHAPTER 12 Core Server Extensibility
CHAPTER 13 Securing the Server
CHAPTER 14 Authentication and Authorization
CHAPTER 15 SSL and TLS
CHAPTER 16 IIS Scalability I: Building an IIS Web Farm
CHAPTER 17 IIS Scalability II: Load Balancing and ARR
CHAPTER 18 Programmatic Configuration and Management
CHAPTER 19 URL Rewrite
CHAPTER 20 Configuring Publishing Options
CHAPTER 22 Monitoring and Performance Tuning
CHAPTER 23 Diagnostics and Troubleshooting
INDEX
Microsoft® IIS 8
Ken Schaefer, Jeff Cochran, Scott Forsyth, Dennis Glendenning, Benjamin Perkins
Indianapolis, IN 46256
www.wiley.com
Copyright © 2013 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108
of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization
through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers,
MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the
Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 6011, fax (201)
748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with
respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including
without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or
promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold
with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services.
If professional assistance is required, the services of a competent professional person should be sought. Neither the
publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to
in this work as a citation and/or a potential source of further information does not mean that the author or the publisher
endorses the information the organization or Web site may provide or recommendations it may make. Further, readers
should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was
written and when it is read.
For general information on our other products and services please contact our Customer Care Department within the
United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with
standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such
as a CD or DVD that is not included in the version you purchased, you may download this material at
http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2012947718
Trademarks: Wiley, the Wiley logo, Wrox, the Wrox logo, Wrox Programmer to Programmer, and related trade dress are
trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other
countries, and may not be used without written permission. Microsoft is a registered trademark of Microsoft Corporation. All
other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product
or vendor mentioned in this book.
ABOUT THE AUTHORS
KEN SCHAEFER is a senior architect with HP Enterprise Services. For the past three years, he has worked on the Singapore whole-of-government SOE platform transformation program.
Prior to HP, Ken was a lead consultant for global systems integrator Avanade. Avanade is a joint partnership between Microsoft and Accenture and focuses on enterprise projects across the Microsoft product stack.
Ken has worked with IIS for nearly 15 years and was a Microsoft MVP for IIS from 2003 to 2010.
He has presented at numerous Microsoft Tech.Ed events across the United States, Australia, and Asia; written articles for Microsoft TechNet; and spent hours talking about IIS at other events, user group meetings, and road shows. He is currently an MCITP, MCTS, MCSE, MCDBA, and holds a Masters in Business and Technology from the University of New South Wales.
Thank you, Julia, Adelaide, Ivy-Jane, Sebastien, and Theo for putting up with the trials, tribulations, and late nights involved in writing a book, again. This would not have been possible without your love and support.
As the lead author, on behalf of all the authors, I’d like to thank Bob Elliott and John Sleeva and the rest of the team at Wiley for their never-ending patience whilst we put this book together. The authors would also like to thank Rob Baugh and Mike Everest for their generous contributions to this work, without which our job would have been that much more arduous.
JEFF COCHRAN is a Senior Network Specialist for the City of Naples, Florida, and has been employed in the computer networking industry for nearly two decades. Beginning with computer bulletin boards on a Commodore 64 in the early 1980s, he has worked with nearly every method of communication via computer. In the early 1990s, he started the first commercial ISP in Southwest Florida, using Windows NT 3.51 systems for mail, web, and FTP servers.
Jeff is married to Zina, a self-employed graphic designer, and spends his free time remodeling a 1950s home in Naples. Although most of his personal hobbies revolve around computers, he enjoys Geocaching and collecting pinball machines, and is still addicted to Age of Empires.
Much of the credit for this book must go to our editor, John Sleeva, for keeping me on track and on point (on deadline is apparently a lost cause), and to our tech editor, Steve Schofield, for fixing my errors in coding and process.
To Zina, without whom there would be no reason to write.
ence in IIS and building highly available and scalable web farms. Scott is a Microsoft MVP for ASP.NET/IIS, an ASPInsider, and a speaker at code camps, user groups, and technical conferences.
Scott is co-founder and Chief Systems Architect of Vaasnet, a web services company that provides instant, preconfigured virtual machines that can easily be customized for training classes, development environments, or corporate needs. Additionally, he offers consulting services for the web platform on the Microsoft technology stack, and is actively involved in Microsoft community forums and user groups.
Scott lives in Mooresville, North Carolina with his wife and two kids. He can be reached at scott@vaasnet.com. You can follow him on Twitter at http://twitter.com/scottforsyth and find his blog at http://weblogs.asp.net/owscott.
For my wife, Melissa, and my children, Joel and Alisha, who always patiently support me during my long hours of work and writing.
DENNIS GLENDENNING (MA, MBA, MCSA+Msg, MCSE, PMP) is an Enterprise Solutions Architect with Avanade. He has provided technical strategy and design delivery leadership for enterprise clients for more than 14 years. Dennis lives in Cleveland, Ohio with his wife and three children.
To my wife, Melissa, and our amazing children: Bo, T, and Chuck-Do.
BENJAMIN PERKINS (MBA, MCSD.NET in C#, ITIL Management) is currently employed at Microsoft Deutschland GmbH in Munich, Germany as a Senior Support Escalation Engineer on the IIS and ASP.NET team. He has been working professionally in the IT industry for almost 2 decades. Benjamin started computer programming with QBasic at the age of 11 on an Atari 1200XL desktop computer. He takes pleasure in the challenges troubleshooting technical issues have to offer and savors the rewards of a well-written program. After completing high school, he joined the United States Army and served as a 19 Delta Cavalry Scout. After successfully completing his military service, he attended Texas A&M University in College Station, Texas, where he received a bachelor’s degree of Business Administration in Management Information Systems.
Benjamin’s roles in the IT industry have spanned the entire spectrum from programmer, to system architect, technical support engineer, to team leader and first-level management. While employed at Hewlett-Packard, he received numerous awards, degrees, and certifications. He has a passion for technology and customer service, and looks forward to troubleshooting and creating world-class technical solutions.
“My approach is to write code and design solutions with support in mind, to do it once correctly and completely so we do not have to come back to it again, except to enhance it.”
Benjamin is married to Andrea and has two wonderful children, Lea and Noa.
ABOUT THE TECH EDITOR
STEVE SCHOFIELD has been involved in the Microsoft community since 1999, and has been a Microsoft IIS MVP since 2006. Some of his community projects include: starting ASPFree.com, being an ASP/ASP.NET MVP, writing a logging utility called IISLogs (www.iislogs.com), and sending a monthly IIS Community Newsletter (www.iisnewsletter.com). He enjoys helping people in IIS and related Microsoft communities. When not playing with technology, his family keeps him busy. Steve lives in Greenville, Michigan, with his wife, Cindy, and three boys, Marcus, Zach, and Tayler.
Mary Beth Wakefield
FREELANCER EDITORIAL MANAGER
INTRODUCTION
PART I: INTRODUCTION AND DEPLOYMENT
IIS Versions 1.0 to 4.0
IIS 5.0 and 5.1
IIS Architecture Basics
Inetinfo.exe
Http.sys
ISAPI and CGI
Windows Server 2012 Architecture
Windows 2012 Server Deployment Planning
Virtualization
IIS 8.0 Deployment Planning
Windows Server 2012 Server Manager
The Default IIS 8.0 Installation
Installing IIS 8.0’s Features
Installing IIS 8.0 Using PowerShell
Upgrading from IIS 7.0 to IIS 8.0
Installing IIS 8.0 on Windows 8
Installing IIS 8.0 on Windows 7
Automated Installation and Configuration
Hosting Service Recommendations
PART II: ADMINISTRATION
Remote Connections
Configuration Settings
Command-Line Management
Websites, Applications, and Virtual Directories
Websites
Applications
Creating a New Website
Configuring Logging
Configuring Host Headers
Administering Applications
Administering Virtual Directories
Authentication
Configuring Compression
Configuring Default Document Settings
Configuring MIME Settings
Basic Administration Tasks
Application Administration
ASP Configuration
ASP.NET Configuration
ISAPI Configuration
CGI Configuration
FastCGI Configuration
Windows Process Activation Service
Application Initialization
A Background of Website Separation
Defining Applications
Comparing Virtual Directories to Applications
Understanding the w3wp.exe Process
Working with Application Pools
Application Pool Security
Noteworthy Advanced Settings
Bitness
Application Pool Users
Introducing the Main Characters
IIS Manager Remote Access
Delegation Settings
Installing and Configuring an FTP Server
Configuring Existing FTP Sites
Logging
Configuring FTP User Security
Administering FTP with Configuration Files
The FTP Command-Line Client
Installing and Configuring an SMTP Server
Installing and Using LogParser
PART III: ADVANCED ADMINISTRATION
Background
Core Server and Modules
Server Workload Customization
ASP.NET and the IIS Pipeline
Migrating Legacy ASP.NET Applications to IIS 8.0
Legacy ISAPI Support
Extensibility Overview
IIS Module Concepts
Events
An Example Native Module
Managed Code Modules
An Example Managed Module
Event Tracing from Modules
Extending IIS Configuration
Extending the IIS Administration Tool
Securing Your Environment
Securing Your IIS 8.0 Server
Authentication in IIS 8.0
Configuring Anonymous Authentication
Configuring Basic Authentication
Configuring Digest Authentication
Configuring Integrated Windows Authentication
Configuring NTLM Authentication
Configuring UNC Authentication
Configuring Client Certificate Authentication
Configuring Forms-Based Authentication
Configuring Delegation
Configuring Protocol Transition
Configuring Authorization
Understanding IIS 8.0 User Accounts
Securing a Website with TLS
Securing an SMTP Virtual Server with TLS
Securing an FTP Site with TLS
IIS 8.0 and Web Farms
Content Configuration
Network Load Balancing
Frameworks
Programmatic Configuration
AHAdmin
Configuration Editor
Command-Line Management
IIS PowerShell Management
IIS Operational Activities Using PowerShell
URL Rewrite Concepts
Conditions
Actions
Obtaining and Installing URL Rewrite
Getting Started Walk-Through
Managing URL Rewrite
Applying URL Rewrite Rules
Rule Templates
Input Variables
Wildcards Pattern Matches
Regular Expressions
Back-References
Setting Server Variables
Special Considerations
Outbound Rules
Troubleshooting URL Rewrite
Simplify
Web Platform Installer
Web Deployment Tool
FTP Publishing
WebDAV Publishing
Visual Studio Publishing
PART IV: MANAGING AND OPERATING IIS 8.0
Management Approaches
Operational Tasks
Monitoring Websites
Performance Tuning
Runtime Status and Control API
IIS 8.0 Error Pages
Failed Request Tracing
Logging
ASP.NET Tracing
Troubleshooting Tips
Reproduce
Isolate
Fix
Additional Built-In Tools
INDEX
WINDOWS SERVER 2012 is the latest incarnation of Microsoft’s successful server platform. Included is a new version of IIS, now in its eighth incarnation.
IIS 8.0 isn’t the revolutionary change in architecture that IIS 7.0 was. However, it offers much new functionality, absorbing many of the standalone add-on updates available since IIS 7.0 was released, as well as presenting administrators with new security, scalability, and administrative features.
For readers familiar with IIS 7.0, this book has substantial sections devoted to popular add-ons now baked into the product, such as the Application Request Routing (ARR) and URL Rewrite modules, as well as coverage of new features, such as Central Certificate Store and Server Name Indication support.
For readers new to IIS, this book offers complete coverage of IIS fundamentals: the configuration model, delegated administration, extensibility options, and real-time diagnostic and troubleshooting features that have been carried over from IIS 7.0.
Both new and previous users of IIS can benefit from a book covering the whole deployment lifecycle: architecture, installation, configuration, and operations management. Like its predecessor, this book continues to stress GUI options while also providing alternative, automated management through comprehensive AppCmd and PowerShell examples.
The authors have focused on capturing the very best of the new features in IIS 8.0 and how you can take advantage of them. The writing styles vary from chapter to chapter because some of the foremost experts on IIS 8.0 have contributed to this book. Drawing on our expertise in deployment, hosting, development, and enterprise operations, we believe that this book captures much of what today’s IIS administrators need in their day-to-day work.
WHO THIS BOOK IS FOR
This book is aimed at IIS administrators (or those who need to ramp up quickly in anticipation of having to administer IIS). What differentiates this book is that it doesn’t just focus on features and how to configure them using a GUI administrative tool. Instead, we explain how features work (for example, how Kerberos authentication actually works under the covers) so that you can better troubleshoot issues when something goes wrong.
Additionally, since most administrators need to be able to automate common procedures, we have included specific chapters on programmatic administration and command-line tools as well as code snippets (with a focus on using AppCmd.exe and PowerShell) throughout the book.
This book covers features that many other IIS books don’t touch (such as high availability and web farm scenarios, or extending IIS) and has a dedicated chapter on troubleshooting and diagnostics.
Real-life IIS administration is about people, processes, and technology. Although a technical book can’t teach you much about hiring the right people, this book doesn’t focus solely on technology. Operations management and monitoring (key components of good processes) are also addressed.
Overall, we think that this book provides comprehensive coverage of the real-life challenges facing IIS administrators: getting up to speed on the new features of a product, understanding how the product works under the covers, and being able to operate and manage the product effectively over the long term.
HOW THIS BOOK IS STRUCTURED
The book is divided into four major parts:
- Part I covers the new features and architecture of IIS 8.0, as well as deployment and installation considerations.
- Part II discusses the basics of the administration tools (both GUI and command-line) as well as common administrative tasks for websites, delegated administration, and supporting services (such as FTP, SMTP, and publishing options).
- Part III introduces more advanced topics, such as extending IIS 8.0, programmatic administration, web farms and high availability, and security.
- Finally, Part IV covers topics that go beyond the initial understanding of the new feature set. We cover topics that administrators will need on an ongoing basis, such as operations management, performance monitoring and tuning, and diagnostics and troubleshooting.
WHAT YOU NEED TO USE THIS BOOK
Although IIS 8.0 ships in both Windows 8 and Windows Server 2012, certain functionality (such as load balancing) is available only in the server edition. Because the full functionality of IIS 8.0 is available in Windows Server 2012, the authors have focused on that product for this book.
For IIS 8.0 extensibility, Microsoft Visual Studio 2012 has been used throughout the book; however, any IDE suitable for .NET development can be used for implementing the code samples presented.
CONVENTIONS
To help you get the most from the text and keep track of what’s happening, we’ve used a number of conventions throughout the book.
PRODUCT TEAM ASIDE
Boxes like this one hold tips, tricks, trivia from the ASP.NET Product Team, or some other information that is directly relevant to the surrounding text.
NOTE Tips, hints, and tricks to the current discussion are offset and placed in italics like this.
As for styles in the text:
- We italicize new terms and important words when we introduce them.
- We show keyboard strokes like this: Ctrl+A.
- We show file names, URLs, and code within the text like so: persistence.properties
- We present code in two different ways:
We use a monofont type with no highlighting for most code examples.
We use bold to emphasize code that is particularly important in the present context or to show changes from a previous code snippet.
SOURCE CODE
As you work through the examples in this book, you may choose either to type in all the code manually or to use the source code files that accompany the book. All the source code used in this book is available for download at www.wrox.com. Once at the site, simply locate the book’s title (either by using the Search box or by using one of the title lists), and click the Download Code link on the book’s detail page to obtain all the source code for the book.
NOTE Because many books have similar titles, you may find it easiest to search by ISBN; this book’s ISBN is 978-1-118-38804-4.
Once you download the code, just decompress it with your favorite compression tool. Alternately, you can go to the main Wrox code download page at www.wrox.com/dynamic/books/download.aspx to see the code available for this book and all other Wrox books.
ERRATA
We make every effort to ensure that there are no errors in the text or in the code. However, no one is perfect, and mistakes do occur. If you find an error in one of our books, like a spelling mistake or faulty piece of code, we would be very grateful for your feedback. By sending in errata you may save another reader hours of frustration and at the same time you will be helping us provide even higher quality information.
To find the errata page for this book, go to www.wrox.com and locate the title using the Search box or one of the title lists. Then, on the Book Search Results page, click the Errata link. On this page you can view all errata that has been submitted for this book and posted by Wrox editors.
NOTE A complete book list including links to errata is also available at www.wrox.com/misc-pages/booklist.shtml.
If you don’t spot “your” error on the Errata page, click the Errata Form link and complete the form to send us the error you have found. We’ll check the information and, if appropriate, post a message to the book’s errata page and fix the problem in subsequent editions of the book.
P2P.WROX.COM
For author and peer discussion, join the P2P forums at p2p.wrox.com. The forums are a web-based system for you to post messages relating to Wrox books and related technologies and interact with other readers and technology users. The forums offer a subscription feature to e-mail you topics of interest of your choosing when new posts are made to the forums. Wrox authors, editors, other industry experts, and your fellow readers are present on these forums.
At http://p2p.wrox.com you will find a number of different forums that will help you, not only as you read this book, but also as you develop your own applications. To join the forums, just follow these steps:
1. Go to p2p.wrox.com and click the Register link.
2. Read the terms of use and click Agree.
3. Complete the required information to join, as well as any optional information you wish to provide, and click Submit.
4. You will receive an e-mail with information describing how to verify your account and complete the joining process.
NOTE You can read messages in the forums without joining P2P, but in order to post your own messages, you must join.
Once you join, you can post new messages and respond to messages other users post. You can read messages at any time on the web. If you would like to have new messages from a particular forum e-mailed to you, click the Subscribe to this Forum icon by the forum name in the forum listing.
For more information about how to use the Wrox P2P, be sure to read the P2P FAQs for answers to questions about how the forum software works as well as many common questions specific to P2P and Wrox books. To read the FAQs, click the FAQ link on any P2P page.
PART I
Introduction and Deployment
CHAPTER 1: Background on IIS and New Features in IIS 8.0
CHAPTER 2: IIS 8.0 Architecture
CHAPTER 3: Planning Your Deployment
CHAPTER 4: Installing IIS 8.0
- Windows Server 2012 features
- New features in IIS 8.0
Microsoft’s Internet Information Services (IIS) has been around for more than 15 years, from its first incarnation in Windows NT 3.51 to the current release of IIS 8.0 on the Windows Server 2012 and Windows 8 platforms. It has evolved from providing basic service as an HTTP server, as well as additional Internet services such as Gopher and WAIS, to a fully configurable application services platform integrated with the operating system.
IIS 8.0 is not as dramatic a change as IIS 7.0 was, but IIS 8.0 benefits from the improvements in the Windows Server 2012 operating system. These benefits make IIS 8.0 far more scalable, more appropriate for cloud and virtual systems, and more integral to Microsoft’s application and programming environment.
This chapter provides an overview of the changes in IIS 8.0 as well as a sampling of some of the new technologies. If you are familiar with IIS 7.0, you will want to skim through this chapter for changes before digging into future chapters for specifics. If you are new to IIS, this chapter will provide an introduction to the features in IIS 8.0 and provide you with a basis for understanding future chapters. And if you’re the kind of reader who just wants to skip to the part that applies to your immediate needs, this chapter can help you figure out in what area those needs lie.
IIS VERSIONS 1.0 TO 4.0
IIS was released with Service Pack 3 for Windows NT 3.51, as a set of services providing HTTP, Gopher, and WAIS functionality. Although the functions were there, most users chose alternatives from third-party vendors, such as O’Reilly’s website or Netscape’s server. Although these services had been available for years with the various flavors of UNIX operating systems, native Internet services for Windows were mostly an afterthought, with little integration with the Windows operating system.
With the advent of Windows NT 4.0, IIS also matured in version 2.0. The most notable improvement in IIS version 2.0 was closer integration with the Windows NT operating system, taking advantage of Windows security accounts and providing integrated administration through a management console similar to many other Windows services. IIS 2.0 introduced support for HTTP Host headers, which allowed multiple sites to run on a single IP address, and aligned Microsoft’s IIS development with National Computer Security Association (NCSA) standards, providing for NCSA common log formats and NCSA-style map files. IIS 2.0 also introduced a web browser interface for management and content indexing through Microsoft’s Index Server.
IIS version 3.0 was introduced with Windows NT Service Pack 3 and introduced the world to ASP (Active Server Pages) and Microsoft’s concept of an application server. A precursor to the ASP.NET environment, ASP (now referred to as classic ASP) is a server-side scripting environment for the creation of dynamic web pages. Using VBScript, JScript, or any other active scripting engine, programmers finally had a viable competitor to Common Gateway Interface (CGI) and scripting technologies available on non-Microsoft platforms, such as Perl.
IIS 4.0, available in the NT Option Pack, introduced ASP 2.0, an object-based version of ASP that included six built-in objects to provide standardized functionality in ASP pages. IIS 4.0 was the last version of IIS that could be downloaded and installed outside of the operating system.
IIS 5.0 AND 5.1
With the release of Windows 2000, IIS became integrated with the operating system. Version numbers reflected the operating system, and there were no upgrades to IIS available without upgrading the operating system. IIS 5.0 shipped with Windows 2000 Server versions and Windows 2000 Professional, and IIS version 5.1 shipped with Windows XP Professional, but not Windows XP Home Edition. For all essential functions, IIS 5.0 and IIS 5.1 are identical, differing only slightly as needed by the changes to the operating system.
With Windows 2000 and IIS 5.0, IIS became a service of the operating system, meant to be the base for other applications, especially for ASP applications. The IIS 5.0 architecture served static content, Internet Server Application Programming Interface (ISAPI) functions, or ASP scripts, with ASP script processing handed off to a script engine based on the file extension. Using file extensions to determine the program that handles the file has always been a common part of Windows functionality, and in the case of ASP processing, the speed of serving pages was increased by the automatic handoff of ASP scripts directly to the ASP engine, bypassing the static content handler. This architecture has endured in IIS to the current version.
IIS 6.0
IIS 6.0 shipped with Windows Server 2003 editions and Windows XP Professional 64-Bit Edition, which was built on the Windows Server 2003 Service Pack 1 code base. IIS 6.0 was identical among operating system versions, but there were restrictions or expansions depending on the version of Server 2003 under which IIS was running. For example, Server 2003 Web Edition would only run IIS and a few ancillary services; it could not be used to run Microsoft SQL Server. On the other end of the spectrum, only the Enterprise and Data Center versions of Server 2003 included clustering technology.
Operating system changes also expanded the capabilities of IIS as an application server. Native XML Web Services appeared in Server 2003. Process-independent session states made web farms easier to configure and manage, allowing session states to be stored outside of the application for redundancy and failover. Web farms also became easier with Server 2003’s improved Network Load Balancing features, such as the NLB Manager, which provided a single management point for NLB functions.
Secure by Default
Windows Server 2003 and IIS 6.0 shipped in a secure state, with IIS no longer installed by default. Even when IIS was installed, the default installation would serve only static HTML pages; all dynamic content was locked down. Managed through web service extensions, applications such as ASP and ASP.NET had to be specifically enabled, minimizing default security holes with unknown services open to the world.
IIS 6.0 also ran user code under a low-privilege account, Network Service, which had few privileges on the server outside of the IIS processes and the website hierarchy. Designed to reduce the damage exposure from rogue code, access to virtual directories and other resources had to be specifically enabled by the administrator for the Network Service account.
IIS 6.0 also allowed delegation for the authentication process; thus, administrators and programmers could further restrict account access. Passport authentication was also included with IIS 6.0, although in real-world use, it never found widespread favor among administrators. Kerberos authentication, on the other hand, allowed secure communication within an Active Directory domain and solved many remote resource permission issues.
IIS 6.0 also would serve only specific file requests, by default not allowing execution of command-line code or even the transfer of executable files. Unless the administrator assigned a specific MIME (Multipurpose Internet Mail Extensions) type to be served, IIS would return a 404 error to the request, reporting the file not found. Earlier versions of IIS included a wildcard mapping and would serve any file type.
Request Processing
IIS 6.0 changed the way IIS processed requests, eliminating what had been a major performance hurdle in scaling prior IIS versions to serve multiple sites. IIS 6.0 used the Http.sys listener to receive requests and then handed them off to worker processes to be addressed. These worker processes
were isolated to application pools, and the administrator could assign application pools to specific
sites and applications. This meant that many more requests could be handled simultaneously, and
it also provided for an isolated architecture in cases of error. If a worker process failed, the effects
would not be seen outside of the application pool, providing stability across the server's sites. In
addition, worker processes could be assigned a processor affinity, allowing multiprocessor systems
to split the workload.
Additional Features
As did its predecessors, IIS 6.0 included additional features and functionality. Some internal
features, such as HTTP compression and kernel mode caching, increased performance of the web
server and applications served from it. Other features affected configuration, such as the move to an
XML metabase, or stability, such as being able to configure individual application pools and isolate
potential application failures. Still others added or expanded utility and ancillary functions, such as
the improved FTP services or the addition of POP services to the existing SMTP service.
Application Pools
IIS 6.0 changed the way applications behaved in memory, isolating applications into memory pools.
Administrators could configure separate memory pools for separate applications, thus preventing
a faulty application from crashing other applications outside of its memory pool. This is particularly
important in any shared web server environment, especially with ASP.NET applications.
FTP Service
The FTP service grew up in IIS 6.0, providing for greater security and separation of accounts
through a new isolation mode using either Active Directory or local Windows accounts. Using
Windows accounts or Active Directory accounts, users could be restricted to their own available
FTP locations without resorting to naming the home directories the same as the FTP accounts. In
addition, users were prevented from traversing above their home directories and seeing what other
accounts may exist on the server. Even without NT File System (NTFS) permissions to the content,
security in FTP before IIS 6.0 was still compromised because a user could discover other valid user
accounts on the system.
SMTP and POP Services
The SMTP service in Windows Server 2003 didn't change much from previous versions, allowing
for greater flexibility and security but not altering the core SMTP functions. Most administrators
would not use the SMTP service in IIS for anything other than outbound mail, instead relying on
third-party servers or Microsoft's Exchange Server for receiving and distributing mail. But the
addition of a POP3 service in Server 2003 allowed a rudimentary mail server configuration, useful for
testing or small mail domains. Although SMTP can be used to transfer mail, most mail clients such
as Microsoft Outlook rely on the POP3 or IMAP protocols to retrieve mail, which was unavailable
without additional products until Windows Server 2003 and IIS 6.0.
IIS 7.0 AND 7.5
IIS 7.0 was a complete rewrite of the base code from IIS 6.0 and earlier. Available on Windows Vista and Windows Server 2008, IIS 7.0 adapted to several operating systems, including the new Windows Core Edition and the Windows Web Server edition. IIS 7.5, introduced with Windows 7, consisted of IIS 7.0 plus all the inline updates that had been made to IIS 7.0 since its introduction. Users could essentially update IIS 7.0 to the functionality of IIS 7.5 by installing the appropriate updates and modules.
IIS 7.0 was a ground-up rewrite of IIS 6.0, designed as an integrated web application platform. Integration with the ASP.NET framework combined with fully exposed application programming interfaces (APIs) for complete extensibility of the platform and management interfaces made IIS 7.0 a programmer's dream. Security that included delegation of configuration and a complete diagnostic suite with request tracing and advanced logging satisfied several of the administrator's desires.
Although the most substantial change in IIS 7.0 may have been the integration of ASP.NET into the request pipeline, the extensibility of IIS 7.0, configuration delegation and the use of XML configuration files, request tracing and diagnostics, and the new administration tools were all welcome changes from previous versions of IIS.
Unlike previous versions of IIS, the modular design of IIS 7.0 allowed for easy implementation of custom modules and additional functionality. This increased functionality came from in-house development, third-party sources, or even Microsoft. Because these modules and additional programs could be plugged into IIS at any time, without changing core operating system functions, the Microsoft IIS development team shipped additional supported and unsupported modules outside of Microsoft's standard Service Pack process. IIS 7.5 included most of these inline updates and modules, such as FTP 7.5, that did not originally exist for IIS 7.0. Microsoft's website at www.iis.net is the source for these additional downloads, for the IIS 7.0 and 7.5 versions, as well as for future add-on modules and updates for IIS 8.0.
ASP.NET Integration
One of the most radical changes in IIS 7.0 was its close integration with ASP.NET and the ASP.NET processes. There was a unified event pipeline in IIS 7.0 that merged the previously separate IIS and ASP.NET pipelines from IIS 6.0 and earlier. ASP.NET HTTP modules that previously only listened for events within the ASP.NET pipeline could be used for any request in IIS 7.0. For backward compatibility, IIS 7.0 maintained a Classic pipeline mode, which emulated the separate IIS and ASP.NET pipeline model from IIS 6.0.
IIS 7.0 also changed IIS configuration to match the process used for configuring ASP.NET applications. This greatly improved and simplified the implementation of IIS into the ASP.NET programming environment and allowed for better configurability and easier deployment of both sites and applications. It also made deployment across multiple systems in web farms more straightforward and allowed for extensibility of the configurations. IIS 7.0 introduced the concept of shared configuration, wherein multiple web servers can point to the same physical file for configuration, making deploying configuration changes to web farms nearly instantaneous.
IIS 7.0 introduced the applicationHost.config file for storing settings and added configuration
options for individual websites or web applications to the web.config files, alongside ASP.NET
settings, in a new system.webServer section.
Extensibility
IIS 7.0 greatly increased the extensibility of IIS as a web application platform. Because of the
changes to the request-processing pipeline, the core server itself was now extensible, using both
native and managed code. Instead of having to work with ISAPI filters to modify the request
process, developers could now inject their own components directly into the processing pipeline. These
components could represent the developers' own code, third-party utilities and components, and
existing Microsoft core components. This meant that if you didn't like Microsoft's Windows
authentication process, you could not only choose to use forms authentication on all files, but also choose
to bypass all built-in authentication and roll your own. In addition, if you didn't need to process
classic ASP files, you could simply not load that component. Unlike in previous versions, in which
components were loaded into memory in a single DLL, IIS 7.0 reduced the memory footprint by not
loading unnecessary modules or code.
Security
Componentization also increased the already strong security that existed in IIS 6.0. A perennial
complaint against Microsoft had always been that IIS installed by default and that all services were
active by default. IIS 6.0 and Server 2003 reversed that course—almost nothing was installed by
default, and even when you did install it, the majority of components were disabled by default. To
enable ASP.NET, you had to choose to allow ASP.NET as a web service extension. Classic ASP had
to be enabled separately, as did third-party CGI application processors such as Perl or PHP.
With the exception of third-party software, however, IIS 6.0 still loaded all the services into
memory—it just loaded them as disabled. For example, if you didn't want to use Windows
authentication, as would be the case if you were using your own authentication scheme, you could choose not
to enable it, but the code still resided in memory. Similarly, default IIS 6.0 installations were locked
down to processing static HTML files, a good choice from a security standpoint. But what if you
were never going to use static HTML files in your application or site? In IIS 7.0, you had the option
of never loading the code in the first place.
Minimal Installation
IIS 7.0 continued the tradition of its predecessor with minimal installation as the default. IIS was
not installed with the default operating system installation, and a basic install only selected those
options needed for serving static HTML files. The installation graphical user interface (GUI) for
IIS 6.0 allowed a choice of eight different options, including installing FTP, whereas IIS 7.0's setup
allowed for more than 40 options. This granularity of setup reduced the memory footprint of IIS
7.0, but more importantly, it reduced the security footprint as well.
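
The Security and Minimal Installation passages above turn on which native modules a server actually loads. As an added example (not code from the book), this Python sketch lists the modules registered under globalModules in an applicationHost.config fragment and compares them with a baseline. The sample fragment is constructed, the static-only baseline is an assumption, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed applicationHost.config fragment, not from a real server.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="AnonymousAuthenticationModule" image="%windir%\System32\inetsrv\authanon.dll" />
      <add name="WindowsAuthenticationModule" image="%windir%\System32\inetsrv\authsspi.dll" />
      <add name="IsapiModule" image="%windir%\System32\inetsrv\isapi.dll" />
      <add name="CgiModule" image="%windir%\System32\inetsrv\cgi.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Assumed baseline for a static-HTML-only site; adjust to the site's real needs.
STATIC_BASELINE = {
    "HttpCacheModule", "StaticFileModule", "DefaultDocumentModule",
    "HttpLoggingModule", "CustomErrorModule", "RequestFilteringModule",
    "AnonymousAuthenticationModule",
}

def loaded_modules(config_xml):
    """Map each native module name in <globalModules> to its image path."""
    root = ET.fromstring(config_xml)
    modules = {}
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            modules[entry.get("name")] = entry.get("image", "")
    return modules

def audit_modules(config_xml, baseline):
    """Return (unexpected, missing) module names relative to the baseline."""
    loaded = set(loaded_modules(config_xml))
    return sorted(loaded - baseline), sorted(baseline - loaded)

if __name__ == "__main__":
    unexpected, missing = audit_modules(SAMPLE_CONFIG, STATIC_BASELINE)
    print("Loaded but not in baseline:", unexpected)
    print("In baseline but not loaded:", missing)
```

Modules reported as unexpected are candidates for removal on a static-only server; a missing RequestFilteringModule means a protective module is absent and deserves the same attention.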