In-Depth
IIS 6.0 Mature at Last
Microsoft’s Internet Information Server has struggled with performance and security issues its whole life. The latest version, though, shows just how far the Web server has come.
- By Russ Kaufmann
- 02/01/2003
WHEN I FIRST TAUGHT Windows NT 4.0 courses, Internet Information Server
(IIS) 2.0 was included in the base operating system. It was a big improvement
over IIS 1.0, and I still remember the fun I had showing students how
easy it was to set up a Web server. That was about six years ago, when
Web servers running on NT were an exception. Since then, things have changed
considerably. IIS has improved in performance, increased in functionality
and grown in the number of deployments because of the changes. Netcraft
reports that IIS has between 24 percent and 35 percent of the market,
depending on how it’s measured. I expect the increased security and performance
of IIS 6.0 to bump up those numbers a great deal. So let’s look at IIS
6.0 and what it brings to the table.
In putting together this article, I sat down with several of my former
IIS students over lunch and showed them the new Process Model for IIS
6.0. I then asked them to tell me what they most wanted to know about
IIS 6.0. I figured that these students would be a fair representation
of the marketplace and well-trained IIS administrators. I am, of course,
biased.
What About .NET Web Edition?
IIS 6.0 is available on the entire .NET family, so there’s no
requirement to buy the Web Edition. However, the Web Edition will cost
much less and be optimized for Web services. The limitations are that
it will only support up to two CPUs and 2GB of RAM. Thankfully, it does
include network load balancing. Other limitations exist, but for the purposes
of providing Web services, they don’t matter, so I won’t go into them.
If two CPUs and 2GB RAM or less will meet your needs, then .NET Web Edition
will work for you. If you need more horsepower, you can add more servers
and load-balance them or scale vertically with one of the other .NET servers.
System Requirements
Statements like “Hey, boss, I hate to tell you but
all that really cool stuff in IIS 6.0 is going to require
replacing all of our existing Web servers,” don’t go
over well, especially in these tight times. But to evaluate
your system requirements, you’re going to have to do
some estimating. How many Web site hits does your Web
group expect per day, per hour and per minute? How large
are the pages the server is serving up? Are the pages
static content or .ASP generated on the fly? Is SSL
being used? What types of Web services are being provided?
What are the uptime requirements and response requirements?
The starting point is the system requirements for Windows
Server 2003, because that’s required to run IIS 6.0.
So, let’s start there. I’m going to ignore the official
numbers because they’re laughably low. For a production
environment, I recommend as a minimum:
- 550MHz or higher CPU (733 or higher for Enterprise
Server)
- 512MB of RAM
- 1.5-4GB of hard drive space
A New Request Processing Model
In IIS 5.0, sites and applications are run either in-process or
out-of-process. Running in-process means that the site and application
run in the same process as the Web server executable. If there are problems
with the Web application or Web site that cause it to hang, it will also
hit the Web server service and cause it to fail. This kind of failure
is catastrophic, as it will then cause all other sites and applications
to fail if they’re also running in-process. For in-process, inetinfo.exe
is used. For out-of-process sites and applications, inetinfo.exe passes
requests to dllhost.exe. IIS 5.0 can run multiple instances of dllhost.exe,
if needed, to support multiple sites or applications running out-of-process.
IIS 6.0 has changed the process model considerably, and the new model
leads to increased performance and stability. IIS 6.0 uses three major
components in its process model.
The first major component is HTTP.sys, a kernel-mode Web listener. It
receives and queues up all the requests made for each application pool.
HTTP.sys then sends the requests to the response cache and onto the proper
application pool, where a worker process is used to process the request
if the content isn’t in the cache. The process is outlined in Figure 1.
Figure 1. The new Process Model in IIS 6.0.
The second major component is the Web administration service (WAS), the
configuration and process manager for IIS 6.0. It reads the metabase during
initialization and provides the name space information to HTTP.sys, along
with mappings to the appropriate application pools. WAS also controls
when to create, start, stop and recycle worker processes.
The third component is the worker process. These are mini Web servers
that can be found running under w3wp.exe for the process name. Worker
processes are user-mode processes that run all application code and serve
up content. An application pool can have one or more worker processes.
What Is an Application Pool?
An application pool is a set of Web applications that shares
one or more worker processes. For example, an application
pool might cover a particular intranet site or application
like http://timeentry for a time entry application or http://officesupplies
for an online company store for office supplies. An application
pool might also consist of Internet sites for an ISP with
several clients. Think of application pools as name spaces
for IIS. An application pool can support one or more applications
or sites at the same time, and there can be more than one
application pool per server.
HTTP.sys and WAS don’t run third-party code, so they aren’t affected
by Web site or application failures in IIS 6.0. This makes them stable.
However, the real key to the new process model is the worker process.
The worker process handles all user code. In the event a worker process
fails or times out, WAS will create a new worker process and tear down
the old one. Each process is completely isolated, so the failure of one
worker process won’t bother others running in other application pools
or even those worker processes in the same Web Garden. (A Web Garden is
a combination of worker processes used to share the load of a particular
application pool; more on this shortly.)
Worker processes are protected from other worker processes and run in
their own space. In IIS 5.0, an application or site would have to be configured
to run out-of-process to run in its own space. The main difference between
the dllhost and worker processes is that dllhost.exe is still significantly
dependent on the inetinfo.exe process to pass the appropriate calls, whereas
the w3wp.exe works with HTTP.sys as a listener that never runs third-party
code. In IIS 6.0, every site and application runs in the space of the
application pool, and each site or application can have a separate application
pool created for it, as seen in Figure 1.
The new process model is important because it allows WAS to monitor the
different application pools and stop or recycle worker processes that
are failing or have failed completely, then create and start new worker
processes to take the place of the failed ones. This means that application
pools can be updated and reconfigured without touching the other application
pools. With WAS monitoring them, they’re self-healing, which leads to
a much more stable platform; also, configuration changes don’t require
reboots.
Installing IIS 6.0
IIS 6.0 is installed automatically with .NET Web Edition,
but not on the other versions of .NET. There are many
ways to install IIS. The three most common are:
- Using the “Manage Your Server” introduction page
that appears at startup. It’s similar to the “Configure
Your Server” page seen during Windows 2000 installation
(see Figure A). Click “Add or remove a role” and follow
the wizard until the screen shown in Figure A appears.
To install the Web server, highlight it and click Next.
- Using the Manage Server Wizard. Click on Start
| All Programs | Administrative Tools | Manage Your
Server. Then click “Add or remove a role” on the menu
and follow the same wizard as in the first option.
- You can always use the same Control Panel process
used in Win2K. Click on Start | Control Panel | Add
or Remove Programs | Add/Remove Windows Components.
From here, select “Web Application Server” then click
Details. Select all needed components then click “Internet
Information Server (IIS),” click Details and select
the components needed for the server.
Figure A. The Configure Your Server Wizard screen is where you choose what type
of .NET Server to add, in this case IIS 6.0.
The Difference Between Web Services and IIS 6.0
We keep hearing “Web services” and IIS 6.0 in the same breath as
if they’re interchangeable. Web services are Web-enabled applications
that happen to run on IIS. Think of the many different applications and
services used on the Internet, as well as on intranets. Some of them are
simple calendar management programs; others are more complex applications,
like time entry as a front-end for an accounting system. In these cases,
a Web interface allows access to an application or service and doesn’t
require installation of an application on the user’s desktop. Also consider
all those great new services that allow data transfer and integration
of applications through XML messages transferred over port 80, the same
port used for Web browsing. These applications are URL-addressable and
can communicate via SOAP and XML messages. In many cases, a user interface
(Web page) isn’t required. Web services have also been described as Web-based
COM components. So Web services are much more than static Web pages served
off an IIS server, but they do normally use IIS as the platform.
Security Enhancements
IIS 6.0 differs dramatically from IIS 5.0 in terms of security
features. For instance, it’s locked down by default. IIS 5.0 is an installation
component of Win2K and, thus, installed by default. IIS 6.0 isn’t installed
by default, except in .NET Web Edition. IIS 5.0 is installed with many
other features and capabilities that aren’t needed by many businesses.
Securing IIS 5.0 requires hardening and the use of tools like IIS Lockdown
and URL Scan. IIS 6.0, on the other hand, installs locked down, requiring
the administrator to open up the system to allow needed services. This
is great news. No longer will IIS install with extra options and components
turned on, leaving the server open to a plethora of attacks.
Microsoft has finally implemented IIS the way it should be—installed
with the bare minimum of capabilities and properly locked down. By default,
IIS 6.0 installs with the ability to serve only static HTML pages. ASP
requests, WebDAV, FrontPage extensions, .idc mappings, default directories,
default scripts and other IIS 5.0 defaults that served as attack launching
pads have been scrubbed in IIS 6.0. In the example shown in Figure 2,
ASP has been allowed, while WebDAV, server side includes and other holes
remain closed. The default configuration is much more secure than in IIS
5.0.
Figure 2. Most Web Service extensions in IIS 6.0 come turned off, providing
much greater security out of the box.
Other changes on the security front include:
- 404 File Not Found errors are used instead of 403 Access Denied for
disabled extensions. This is important because now hackers can’t find
out which extensions are implemented.
- Updates and hotfixes can be installed without having to restart IIS
6.0.
- Access Control List changes have improved security in a number of
ways:
- Files in Inetpub\wwwroot are secured with the IIS_WPG, NETWORK
and IUSR accounts having very limited List permissions only.
- Buffer overflows are easily overcome with WAS monitoring the worker
processes and restarting them as necessary or according to configuration.
- Write protection is provided for content, and upload data-type
limitations are in place so that only certain file types can be
uploaded to the server.
- The HTTP.sys process verifies that the requested content exists
before handing it off to ISAPI extension handlers. By limiting the
requests that go forward, many probes trying to identify the services
available are defeated.
- There’s much better site isolation for ISP environments and hosting
companies. The access each site operator has is limited to just his
or her site. This will help, for instance, in the way FTP is implemented.
The root for each FTP site is different, and users can’t navigate to
folders for other sites.
- TCP/IP port filtering is available and can be used to limit traffic
to just the ports needed for the services being hosted.
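Two of the points above, the 404 (rather than 403) answer for disabled extensions and the HTTP.sys existence check before any ISAPI handler is involved, mean that probes for script handlers leave a distinctive trail in the W3C extended log: 404s whose URL stem carries a script-type extension. The script below is an added example, not code from the article or from Microsoft: it parses the log from its `#Fields:` header and tallies those requests per client address so they can be reviewed. The field names are the IIS 6.0 W3C defaults; the sample log lines, the extension list, the client addresses and the alert threshold are constructed for the example, and the substatus check assumes the IIS 6.0 convention that a lockdown-policy denial is logged as 404 with substatus 2.

```python
"""Tally requests for disabled script extensions in an IIS 6.0 W3C log.

Added example, not code from the article or from Microsoft. IIS 6.0 answers
requests for extensions that are not enabled with 404 instead of 403, so
probing for handlers shows up as 404s with script-type extensions. Field
names are the IIS 6.0 W3C defaults; log lines, the extension list and the
threshold are constructed for the example.
"""
from collections import defaultdict
from posixpath import splitext
from typing import Dict, List

# Handler extensions that are disabled or unmapped on a default IIS 6.0
# install (assumption: adjust to whatever your server actually enables).
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".idc", ".ida", ".idq", ".htr",
                     ".printer", ".shtml", ".stm", ".shtm"}

# Constructed sample log in the IIS 6.0 default W3C extended format.
# IIS writes spaces inside a field value (e.g. the user agent) as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-02-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2003-02-01 10:00:01 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2003-02-01 10:00:02 10.0.0.5 GET /images/logo.gif - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2003-02-01 10:00:05 10.0.0.5 GET /scripts/query.idc - 80 - 192.0.2.77 scanner/1.0 404 2 0
2003-02-01 10:00:05 10.0.0.5 GET /probe.ida - 80 - 192.0.2.77 scanner/1.0 404 2 0
2003-02-01 10:00:06 10.0.0.5 GET /printers/test.printer - 80 - 192.0.2.77 scanner/1.0 404 2 0
2003-02-01 10:00:06 10.0.0.5 GET /admin/change.htr - 80 - 192.0.2.77 scanner/1.0 404 2 0
2003-02-01 10:00:09 10.0.0.5 GET /timeentry/default.asp - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2003-02-01 10:00:12 10.0.0.5 GET /login.aspx - 80 - 192.0.2.33 Mozilla/4.0+(compatible;+MSIE+6.0) 404 2 0
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Return one dict per request, keyed by the names in the most recent
    #Fields directive. Directive lines start with '#'; data lines are
    whitespace separated because IIS never emits a bare space in a value."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def probes_by_client(records: List[Dict[str, str]],
                     extensions=SCRIPT_EXTENSIONS) -> Dict[str, List[str]]:
    """Map client IP -> sorted URL stems that came back 404 and either carry
    a script extension or were refused by the extension lockdown policy
    (IIS 6.0 logs that refusal as 404 with sc-substatus 2)."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        stem = r["cs-uri-stem"]
        ext = splitext(stem)[1].lower()
        lockdown = r.get("sc-substatus") == "2"
        if r["sc-status"] == "404" and (ext in extensions or lockdown):
            hits[r["c-ip"]].append(stem)
    return {ip: sorted(stems) for ip, stems in hits.items()}


def suspicious_clients(records: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Clients with at least `threshold` such probes, for review."""
    return sorted(ip for ip, stems in probes_by_client(records).items()
                  if len(stems) >= threshold)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, stems in probes_by_client(recs).items():
        print(f"{ip}: {len(stems)} probe(s) {stems}")
    print("review:", suspicious_clients(recs))
```

On a real server, point `parse_w3c` at the day's file under the site's log directory; the `#Fields:` line is re-read whenever it appears, so a log whose field selection changed mid-day still parses.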
Performance Boosters
Many changes have been made that improve the performance of IIS
in version 6.0. The new process model is the key to most of the performance
enhancements.
Bandwidth and CPU throttling is available in IIS 6.0 to allow multiple
applications and sites to exist on the same server, as well as limit them
so they don’t consume all the available system resources. IIS 6.0 takes
it one step further, though, with CPU affinity. In systems with multiple
CPUs, the worker processes can have affinity assigned to specific CPUs
to use the Layer 1 and Layer 2 cache. It also allows partitioning of applications,
so that a multiprocessor machine can have some CPUs assigned to one application
pool and its worker processes and other CPUs assigned to a different application
pool and worker processes. This provides higher levels of service.
Another change that will increase performance is WAS monitoring and protection
of worker processes. This allows for quick recovery as well as periodic
restarts of worker processes to limit memory leaks that might occur in
a Web application. (See Figure 3 to see how these settings are applied
to an application pool.) This encompasses three aspects: health monitoring,
rapid-fail protection and orphaning.
Figure 3. Worker processes are managed much better in IIS 6.0, leading to
improved performance.
Health Monitoring
WAS monitors worker process health by pinging the worker processes regularly
to determine if they’ve failed. If a worker process has failed or is blocked,
WAS will terminate the process and create another worker process in the
application pool for replacement. In most cases, WAS can also tell when
a process fails without having to ping it, because each worker process
maintains a communication channel to the WAS, and WAS can detect dropped
communication links.
Digex Inc.: IIS 6.0 Delivers the Goods
IIS 6.0 hasn’t been released to the general public
yet, but that doesn’t mean it’s not in use. In fact,
one of the largest managed hosting companies in the
world has been using it for two years now—and not just
on a test network. Digex Inc., headquartered in Laurel,
Maryland, is a close partner of Microsoft and has been
using IIS 6.0 since January 2001. Digex has been using
it on some production machines, including their main
Web site, www.digex.com,
since the beta 3 version was released about 10 months
ago. That’s confidence in a product.
Digex hosts its customers' sites on a number of platforms,
including Unix and Linux. But it’s primarily a Windows
shop, running Windows NT, Windows 2000 and Windows .NET
Server 2003. In all, Digex is running IIS 6.0 on “about
15 different, supported production servers,” according
to Dwayne Cox, a senior engineer with Digex. It’s also
being used “extensively in testing,” he added. Currently,
Digex is using hardware-based load balancing and managing
the servers manually.
And what do they think of IIS 6.0? “It’s working fantastic,”
said Senior Engineer Dan Kahler. “Prior to moving to
IIS 6, we had regular service tickets” relating to problems
with its use of IIS 5.0. Since the switch, “Our reliability
has been outstanding,” he said.
In the nearly one year that it’s been on the production
servers, there have been 0—as in zero—unscheduled outages.
That doesn’t mean Digex was having constant problems
with IIS 5.0. “IIS 5 is pretty stable, but as a managed
systems provider, it’s important to show customers we
can keep our own stuff stable before they’ll trust us
with their own systems,” Kahler explained, hence the
necessity of having the most reliable servers possible.
Reliability is one of two main claims on which Microsoft
has hung its hat in relation to IIS 6.0. The other is
security. On that front, Digex has also been pleased.
“It’s very secure,” said Kahler. It’s so secure, in
fact, that even experienced system administrators have
a significant learning curve with the product. It seems
that there have been a number of problems related to
Web server access, “because [admins] are not familiar
with the features yet. We have to tell admins to open
things up; usually that’s where the problem is,” Kahler
said.
Although IIS 6.0 works well for Digex, it still has
its shortcomings. Chief among them is the lack of management
tools. Many of Digex’s Web sites are still hosted on
IIS 5.0, and Application Center 2000 serves as the management
server. IIS 6.0 must be hosted on a .NET server and
can’t use Application Center.
“We need features that allow us to manage more boxes,”
Cox said. “We’re managing around 2,300 IIS servers,
and quite a few are identical Web servers. It would
be ideal to configure those [similar IIS 6.0 Web servers]
through a common interface. Having a single integrated
interface to configure IIS and the .NET Framework would
help a lot.”
Even though IIS 6.0 can’t be run on any operating system
older than .NET, it does have an IIS 5.0 compatibility
mode that allows older applications to run on it. Digex
said it will soon upgrade all its internal company servers
to IIS 6.0 and isn’t hesitating to do so. Said Kahler:
“Outside of Microsoft, you won’t find anybody more comfortable
with the features [than Digex], especially the reliability
of IIS 6.0.”
—Keith Ward
Rapid-fail Protection
When the communication link between WAS and the worker process
fails, WAS can log the event and restart the worker process. The next
level is to configure the application pool parameters so that if there
are several worker process failures in a row, WAS can disable the application
pool. WAS will mark it as out-of-service so that any other requests will
result in a “503 Service Unavailable” response to the browser.
Orphaning
IIS 6.0 configuration can allow for orphaning of any worker process
that WAS finds to be failing. If the worker process doesn’t respond to
the ping from WAS, it can be marked as failing; Microsoft calls it “terminally
ill.” In most cases, WAS will terminate the worker process and create
a new one to take its place in the application pool. With orphaning enabled,
WAS will allow the failing worker process to continue running and start
up another worker process to handle new requests. This allows the orphan
to possibly complete its process.
Other Boosters
One of the biggest complaints of systems administrators is the
hassle of tracking down memory leaks in poorly written applications. This
is true of Web applications, as well. IIS 6.0 can be set up to restart
worker processes automatically based on minutes (the default is 120 minutes);
number of requests served by the worker process; at scheduled times during
the day or night; or when a certain memory threshold is reached. This
is a great way to keep systems performing well while debugging and troubleshooting
internal or third-party code that would normally suffer from memory leaks.
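The supervision described under Health Monitoring, Rapid-fail Protection and Orphaning, together with the recycling triggers just listed, is easier to reason about as a small state machine. The following is an added example, not code from the article or from Microsoft: a toy model of WAS that replays those decisions, so an administrator can see why an orderly recycle never counts toward rapid-fail protection while a sequence of hung workers inside the interval takes the whole pool out of service. The setting names follow the IIS 6.0 application pool metabase properties (RapidFailProtectionMaxCrashes, RapidFailProtectionInterval, PeriodicRestartRequests, PeriodicRestartTime, PeriodicRestartMemory, OrphanWorkerProcess); the values, process ids and timeline are constructed and are not defaults.

```python
"""Toy model of how WAS supervises w3wp.exe worker processes in IIS 6.0.
Added example (not from the article or from Microsoft) replaying the Health
Monitoring, Rapid-fail Protection, Orphaning and recycling behaviour above.
Setting names follow the IIS 6.0 application pool metabase properties;
the values, pids and timeline are constructed, not product defaults."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Settings:                          # 0 disables a trigger; times in minutes
    rapid_fail_max_crashes: int = 5      # RapidFailProtectionMaxCrashes
    rapid_fail_interval: int = 5         # RapidFailProtectionInterval
    restart_requests: int = 0            # PeriodicRestartRequests
    restart_time: int = 0                # PeriodicRestartTime
    restart_memory_kb: int = 0           # PeriodicRestartMemory
    orphan: bool = False                 # OrphanWorkerProcess


@dataclass
class Worker:
    pid: int
    started: float
    requests: int = 0
    memory_kb: int = 0
    responding: bool = True              # set False to simulate a hung app


class AppPool:
    """One application pool and the WAS decisions taken for it."""

    def __init__(self, name: str, s: Settings, now: float = 0.0):
        self.name, self.s, self.next_pid = name, s, 1000
        self.workers: List[Worker] = []
        self.orphans: List[Worker] = []
        self.crash_times: List[float] = []     # sliding window for rapid-fail
        self.out_of_service = False
        self.events: List[str] = []
        self._spawn(now)

    def _spawn(self, now: float) -> None:
        self.workers.append(Worker(self.next_pid, now))
        self.events.append(f"{now:g}m start w3wp pid={self.next_pid}")
        self.next_pid += 1

    def ping(self, now: float) -> None:
        """Health ping. A worker that does not answer is 'terminally ill':
        orphaned (left running) if OrphanWorkerProcess is set, otherwise
        terminated. Either way the crash counts toward rapid-fail protection."""
        for w in list(self.workers):
            if w.responding:
                continue
            self.workers.remove(w)
            if self.s.orphan:
                self.orphans.append(w)   # kept alive to finish work or be debugged
            self.events.append(f"{now:g}m {'orphan' if self.s.orphan else 'terminate'} pid={w.pid}")
            self.crash_times = [t for t in self.crash_times
                                if t > now - self.s.rapid_fail_interval] + [now]
            if len(self.crash_times) >= self.s.rapid_fail_max_crashes:
                self.out_of_service = True     # WAS marks the pool out of service
                self.events.append(f"{now:g}m pool {self.name} out of service (rapid-fail)")
            else:
                self._spawn(now)

    def _recycle_due(self, w: Worker, now: float) -> Optional[str]:
        s = self.s
        if s.restart_requests and w.requests >= s.restart_requests:
            return f"{w.requests} requests served"
        if s.restart_time and now - w.started >= s.restart_time:
            return f"{s.restart_time} minutes elapsed"
        if s.restart_memory_kb and w.memory_kb >= s.restart_memory_kb:
            return f"{w.memory_kb} KB in use"
        return None

    def handle_request(self, now: float, memory_kb: Optional[int] = None) -> int:
        """HTTP.sys dequeues a request; returns the HTTP status the client sees.
        An orderly recycle afterwards is not a crash and is not counted."""
        if self.out_of_service or not self.workers:
            return 503
        w = self.workers[0]
        w.requests += 1
        w.memory_kb = memory_kb if memory_kb is not None else w.memory_kb
        reason = self._recycle_due(w, now)
        if reason:
            self.workers.remove(w)
            self.events.append(f"{now:g}m recycle pid={w.pid} ({reason})")
            self._spawn(now)
        return 200


def rapid_fail_scenario() -> AppPool:
    """Constructed timeline: 4 requests (one orderly recycle), then 3 hangs
    within 5 minutes, which disables the pool so clients get 503."""
    pool = AppPool("TimeEntryPool", Settings(rapid_fail_max_crashes=3,
                                             rapid_fail_interval=5, restart_requests=4))
    for t in range(4):
        pool.handle_request(t)
    for t in (5, 6, 7):
        pool.workers[0].responding = False
        pool.ping(t)
    return pool
```

Running `rapid_fail_scenario()` and printing `pool.events` shows the recycle of pid 1000 after the fourth request, three terminations, and the pool being marked out of service at the third crash; the model makes the point that the rapid-fail counter only sees crashes, so tuning RapidFailProtectionInterval decides how many hung workers in a row you tolerate before HTTP.sys starts returning 503 for the pool.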
A Web Garden is similar to a Web Farm, but in a single server. It allows
an application pool to have multiple worker processes to share the load
and provide support for the same application pool. If one or more worker
processes fails or times out, others will still be able to service the
application pool. As the failed worker processes are discovered and restarted
by WAS, they add that many more processes. This provides greater application
pool performance as compared to the other application pools with a single
worker process.
IIS 6.0 allows the use of hardware accelerators to improve SSL performance.
This is done by allowing vendors to plug their Crypto Service Provider
(CSP) modules into the system’s Crypto API to support these hardware devices.
The Best of the Best
While many improvements in IIS 6.0 merit applause, a few stand out as
being especially noteworthy.
Administrative Web Site
The starting Web page in .NET Web Edition is the Administrative
Web site (Figure 4). It’s an easy-to-use graphical design that provides
a great deal of information. It can be used locally or remotely and is
SSL-enabled by default. Notice that the top of the Welcome page shows
the Status in a Warning state. In this case, it was because the certificate
being used didn’t come from a Certificate Authority. The Status page tells
how to fix the situation.
Figure 4. The start page for .NET Web Edition, the Administrative Web site,
is highly informative.
Passport Integration
Microsoft’s been talking up Passport for a long time, but its usefulness
to the average shop wasn’t apparent until IIS 6.0. With IIS 6.0, Passport
can serve as another means of authentication for Web sites and applications.
Users won’t have to remember separate account names and passwords to access
premium sites, as their Passport ID can be mapped to an account in Active
Directory. That account can then be used to provide the security ACLs
necessary to access an application or content. Passport is well integrated
into .NET Server.
Metabase
The new metabase implementation is a huge leap beyond the current
binary file implementation. As with many other Microsoft products, XML
is finding a home here. With XML, administrators can access the metabase
using a standard file editor. (Look, Ma, no special tools!) Not only is
it a text file that’s easy to edit, it can also be edited while the server’s
running. It doesn’t require a reboot to change the metabase. The metabase
has other benefits, too:
- Faster read-and-write access than the previous binary files.
- A smaller footprint.
- It saves a copy that can be used to restore the system if the original
is corrupted.
- It keeps track of its version history.
- Configurations can be rolled back quickly.
- It can be exported and imported with ease.
- It can be password protected.
Command-line Administration
Not many people get excited about command-line usability, but with
the new capabilities, it’s now possible to do many things with scripting
that couldn’t be done before. At a command prompt, it’s now possible to
use home-grown scripts or those that ship with .NET to:
- Create, delete, start, stop and display all Web and FTP sites.
- Create and delete virtual directories and display all directories
in a Web or FTP site.
- Import and export configuration information using XML files.
- Back up and restore IIS configuration information.
It’s great when scripts can be created to perform repetitive tasks, and
these new capabilities will make life really good for ISPs and hosting
organizations.
The Impact of IIS 6.0 on Your Job
For administrators, running IIS 6.0 will likely have several significant
outcomes. The first is security. Now you won’t have to turn off services
and lock down the system. On the other hand, you’ll have more set-up work,
as services will need to be enabled. In the end though, the fewer headaches
and the more secure environment will be worth it.
For truly high-demand environments, you can consider 64-bit support,
since .NET comes in both flavors, 64- and 32-bit.
Also, as reported by Don Jones in “Changing
Addresses” in January, .NET supports the IPv6 stack. If you install
the new protocol suite, IIS 6.0 will automatically support handling HTTP
requests that arrive over IPv6.
But what you’ll probably notice most is that the phone will ring less
often. The number of calls about the Web server being down will dramatically
decrease with WAS watching worker processes and stopping, restarting or
building new ones as necessary. Also, IIS 6.0 is going to be much more
stable and will perform better than previous versions. That translates
into a better return on investment (always a critical factor in these
days of botox-tight budgets), happier admins and more satisfied users
and Web customers. What could be better than that?