692 Chapter 12 • Getting Started with IIS 7.0 IIS 6.0 versus IIS 7.0: The Delta IIS 6.0 was a monumental step forward for the Web platform for Windows. At the highest priority stood security, followed by reliability and scalability. With IIS 7.0, Microsoft stood true to all of these important areas and delivered a rock-solid product; however, as with any release, there is still room for improvement. The following sections help us to understand the differences between IIS 6.0 and IIS 7.0, why changes were made, and what the benefi ts are for customers. The major differences between IIS 6.0 and IIS 7.0 are: ■ A modular core server consisting of simplifi ed setup and a unifi ed pipeline for request execution ■ An all new delegatable, distributable confi guration system allowing non-administrators as well as non-Windows credentials access to Web server confi guration ■ A completely rewritten IIS Manager that is task-oriented and extensible ■ An extensible WMI provider that offers native access to the new confi guration as well as access via Windows PowerShell ■ A single, all-inclusive, command-line utility called AppCmd.exe that simplifi es access to confi guration and state information (done in individual VBS fi les with IIS 6.0) ■ An IIS and ASP.NET diagnostics engine that is extensible and allows granular access to runtime-specifi c information about requests ■ A brand-new Failed Request Tracing feature to identify causes of request failures Modular Core Server The biggest change in architecture between IIS 6.0 and IIS 7.0 is the modular core server. Remember that the core server in IIS 6.0 was monolithic and its installation was all or none. In IIS 7.0 all of that changes. Figure 12.11 is a diagram of the modular core server in IIS 7.0. As mentioned earlier, the new modular core allows administrators to load only what they need. Figure 12.12 shows that modules can be completely uninstalled from the server at any time. Getting Started with IIS 7.0 • Chapter 12 693 Because of the changes made to the core server in IIS 7.0, the memory footprint is smaller and the risk of loading unused code and it being available for exploitation is removed, along with achieving better performance. The ability to customize server workload will reduce its attack surface. Patching requirements are also minimized. When a patch was released in the IIS 6.0 monolithic model, the entire core was re-done and sent out. Now only those modules that require patching will receive them. Figure 12.11 IIS 7.0 Modular Server Core 694 Chapter 12 • Getting Started with IIS 7.0 The new extensible APIs are a big improvement over the previous ISAPI model. Practically every aspect of IIS provides extensibility, thus allowing developers to tailor the server to meet their own needs, regardless of whether they use managed or native code. The new modular architecture has allowed Microsoft to eliminate duplication, and as such, IIS 7.0 has a single pipeline for all code regardless if whether it’s managed or native code. Figure 12.12 IIS 7.0 Module Selection NOTE IIS 7.0’s new native API still requires users to know C\C++. Microsoft offers an additional capability by allowing a developer to use managed code to interact with the server. Getting Started with IIS 7.0 • Chapter 12 695 Delegation: Less Is Often Better In IIS 6.0, for a user to do any tasks on the server required administrative rights, which were a security nightmare for server administrators. Now with IIS 7.0, administrators are able to delegate tasks to users without leaving the door wide open. In IIS 7.0, administrators can delegate features in IIS Manager to Web site and Web application administrators, allowing them to manage their sites and applications remotely without having administrative access to the server. BEST PRACTICES ACCORDING TO MICROSOFT Microsoft recommends a strategy of starting with the minimum rights and working up. It does not recommend opening rights up completely and later locking them down. Doing so could cause applications to become unstable. SOME INDEPENDENT ADVICE Delegation creates a new culture in IT. When Active Directory came out, the ability to delegate administrative tasks to users was possible. For users who had administrator rights before delegation, it was considered a slap in the face. They felt as though they were no longer trusted. Although delegation is a great security tool, be prepared for the human factor, especially from those who used to have full administrative rights. Server administrators still have complete control over what management features are delegated to application owners. ■ Feature Delegation The ability to confi gure which features of a Web site or application to delegate to Web site and application administrators. Provides the ability to delegate control of specifi c features to site or application administrators without having to provide them with full administrative control of the server. ■ Administrators This feature allows server administrators the ability to create site and application administrators. Server administrators include both the local server’s administrators group and the members of the Domain Administrators group. ■ Management Service A management service for IIS 7.0 that enables server, site, and application administrators the ability to connect to IIS 7.0 remotely using IIS Manager. It also allows site and application administrators the ability to connect to IIS 7.0 on the server locally, when they are a member of a Windows group. Figure 12.13 shows the Feature Delegation screen from within the new IIS Manager. 696 Chapter 12 • Getting Started with IIS 7.0 Improved User Interface for Users, Partners, and Microsoft The interface in IIS has changed in version 7.0. It has become more task-oriented, helping administrators do exactly what they want, and not forcing them to search for the correct tab or control button. IIS Manager is extensible as is the rest of IIS 7.0. It allows you to administer most of the features in IIS 7.0 and monitor the server’s operation. Administrators can manage both IIS and ASP.NET confi guration settings, membership and user data, and runtime diagnostic information. As seen in the previous section, the new interface can also be used to enable delegation. The new IIS Manager can remotely manage servers via Hypertext Transfer Protocol Secure sockets (HTTPS), therefore making remote management more secure friendly and not forcing IT administrators to open additional ports on fi rewalls. The ports for HTTPS (443), which are required for remote IIS Figure 12.13 Feature Delegation in IIS Manager . sections help us to understand the differences between IIS 6.0 and IIS 7.0, why changes were made, and what the benefi ts are for customers. The major differences between IIS 6.0 and IIS 7.0 are: ■ . of the features in IIS 7.0 and monitor the server’s operation. Administrators can manage both IIS and ASP.NET confi guration settings, membership and user data, and runtime diagnostic information. As. simplifi es access to confi guration and state information (done in individual VBS fi les with IIS 6.0) ■ An IIS and ASP.NET diagnostics engine that is extensible and allows granular access to runtime-specifi