What you need to know about IIS 7

Microsoft Corp.'s Internet Information Server (IIS) has been trending upward like a fine wine: It's getting better with age. IIS 4 was a disaster, and IIS 5 was essentially an open door if used on a public-facing Web server, but IIS 6 really hit the sweet spot of performance and security.

That wasn't enough to satisfy the IIS team at Microsoft, which saw the rewrite of Windows on the server as an opportunity to revisit some fundamental assumptions about the architecture and structure of IIS.

IIS 7 is the result of those efforts, and its improvements are focused around modular design, easier management and enhanced security. Let's take a look around IIS 7 in prerelease form and see what you need to know about those revisions.

Modular design

IIS 7 introduces modularity, a concept that to date has been limited to the arguably more popular Apache Web server software. Modularity offers the ability for all features within IIS to operate discretely, meaning they can be loaded in nearly any combination without dependencies. You can enable only those modules you need for server operation, keeping the remainder of the features unloaded and untouched.

This is a great win for security because fewer modules equates to a smaller attack surface through which vulnerabilities could be exploited. However, there is also a significant performance benefit, as IIS might operate more leanly than it ever has been able to before.

Modularity also leads to extensibility: You can write custom code that integrates itself directly into IIS's inner workflow, making it easy to extend IIS when you need it, not when the IIS team gets around the including the feature. Modules are easy to enable and disable, so you're not limited to configuring servers just at install time -- changes can be made as needed. IIS 7 can be extended in most every area of its operation, including the user interface, which leads us into the next section.

Enhanced management

You might be familiar with the old IIS 6 Management Console interface, which really hadn't changed from IIS 5 and not all that much from IIS 4, either. However, IIS 7 basically tears that user interface away and builds an entirely new management structure on top of the product, with plenty of hooks for developers and corporate coders to extend the interface to include the custom functionality they write.

The interface was designed to be a balance of exposing previously-hidden features while still providing efficient access to common functions used by Web hosting operations who serve thousands of sites at a time.

Figure 1 -- the IIS Manager console

A screen shot

A screenshot of the desktop

(Click image to see larger view.)

The Tasks pane immediately greets you in any window and contains quick access to the common functions used in a certain area of IIS Manager. You can navigate around the familiar tree interface in the left pane, but as you do so, you will notice that the center pane has been completely redesigned, offering many more options exposed in a more logical manner compared with the previous version, in which you had to click around a sea of tabs to find a control you wanted to change or disable.

Another important feature to note is the ability to completely manage a site from its text-based web.config file -- another throwback to the Apache way of doing things. Every setting for a site can be directly edited within a text file, without a need to go into the graphical user interface, making it immensely easier to duplicate a site's configuration among many servers.

In addition, you can delegate access to the configuration information for certain Web sites to individual web.config files, so that operators responsible for their own sites can use web.config access to manage their own operations without involving you, the root administrator.

Improved security

IIS 6 was known for its improvement to security over the Swiss cheese that was IIS 5, and Microsoft hopes that IIS 7 will continue that positive trend. Because most corporations run IIS with Web applications that use the .Net platform, IIS 7 wraps itself around the framework even more tightly, running .Net applications directly within core IIS processes themselves and not routing them to an Internet Server Application Programming Interface extension.

IIS 7 represents a unification of Active Server Pages .Net and IIS. In addition, forms authentication becomes something available to all types of content, not just that wrapped within a .Net application, making authentication data stored in a database (one that you have a provider for, that is) available to just about any form.

Additionally, you'll find that URLScan-like functionality is included with IIS 7 natively, so that Web requests can be filtered for nefarious attempts to exploit security holes. And IIS can piggyback on the many security improvements Longhorn Server will bring to the table, making the system as well as the service more secure.

For more information, see the following:

Microsoft's IIS blogs

• More on the redesigned user interface

Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Windows Small Business Server 2003 and Learning Windows Server 2003 (O'Reilly Media, 2003). His work appears regularly in such periodicals as Windows IT Pro magazine, PC Pro and TechNet Magazine. He also speaks worldwide on topics, ranging from networking and security to Windows administration. He is currently an editor at Apress LLC, a publishing company specializing in books for programmers and IT professionals.

Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon