In-Depth

IIS 6.0 Mature at Last

Microsoft’s Internet Information Server has struggled with performance and security issues its whole life. The latest version, though, shows just how far the Web server has come.

WHEN I FIRST TAUGHT Windows NT 4.0 courses, Internet Information Server (IIS) 2.0 was included in the base operating system. It was a big improvement over IIS 1.0, and I still remember the fun I had showing students how easy it was to set up a Web server. That was about six years ago, when Web servers running on NT were an exception. Since then, things have changed considerably. IIS has improved in performance, increased in functionality and grown in the number of deployments because of the changes. Netcraft reports that IIS has between 24 percent and 35 percent of the market, depending on how it’s measured. I expect the increased security and performance of IIS 6.0 to bump up those numbers a great deal. So let’s look at IIS 6.0 and what it brings to the table.

In putting together this article, I sat down with several of my former IIS students over lunch and showed them the new Process Model for IIS 6.0. I then asked them to tell me what they most wanted to know about IIS 6.0. I figured that these students would be a fair representation of the marketplace and well-trained IIS administrators. I am, of course, biased.

What About .NET Web Edition?
IIS 6.0 is available on the entire .NET family, so there’s no requirement to buy the Web Edition. However, the Web Edition will cost much less and be optimized for Web services. The limitations are that it will only support up to two CPUs and 2GB of RAM. Thankfully, it does include network load balancing. Other limitations exist, but for the purposes of providing Web services, they don’t matter, so I won’t go into them.

If two CPUs and 2GB RAM or less will meet your needs, then .NET Web Edition will work for you. If you need more horsepower, you can add more servers and load-balance them or scale vertically with one of the other .NET servers.

System Requirements

Statements like “Hey, boss, I hate to tell you but all that really cool stuff in IIS 6.0 is going to require replacing all of our existing Web servers,” don’t go over well, especially in these tight times. But to evaluate your system requirements, you’re going to have to do some estimating. How many Web site hits does your Web group expect per day, per hour and per minute? How large are the pages the server is serving up? Are the pages static content or .ASP generated on the fly? Is SSL being used? What types of Web services are being provided? What are the uptime requirements and response requirements?

The starting point is the system requirements for Windows Server 2003, because that’s required to run IIS 6.0. So, let’s start there. I’m going to ignore the official numbers because they’re laughably low. For a production environment, I recommend as a minimum:

  • 550MHz or higher CPU (733 or higher for Enterprise Server)
  • 512MB of RAM
  • 1.5-4GB of hard drive space

A New Request Processing Model
In IIS 5.0, sites and applications are run either in-process or out-of-process. Running in-process means that the site and application run in the same process as the Web server executable. If there are problems with the Web application or Web site that cause it to hang, it will also hit the Web server service and cause it to fail. This kind of failure is catastrophic, as it will then cause all other sites and applications to fail if they’re also running in-process. For in-process, inetinfo.exe is used. For out-of-process sites and applications, inetinfo.exe passes requests to dllhost.exe. IIS 5.0 can run multiple instances of dllhost.exe, if needed, to support multiple sites or applications running out-of-process.

IIS 6.0 has changed the process model considerably, and the new model leads to increased performance and stability. IIS 6.0 uses three major components in its process model.

The first major component is HTTP.sys, a kernel-mode Web listener. It receives and queues up all the requests made for each application pool. HTTP.sys then sends the requests to the response cache and onto the proper application pool, where a worker process is used to process the request if the content isn’t in the cache. The process is outlined in Figure 1.

IIS 6.0 Process Model
Figure 1. The new Process Model in IIS 6.0.

The second major component is the Web administration service (WAS), the configuration and process manager for IIS 6.0. It reads the metabase during initialization and provides the name space information to HTTP.sys, along with mappings to the appropriate application pools. WAS also controls when to create, start, stop and recycle worker processes.

The third component is the worker process. These are mini Web servers that can be found running under w3wp.exe for the process name. Worker processes are user-mode processes that run all application code and serve up content. An application pool can have one too many worker processes.

What Is an Application Pool?

An application pool is a set of Web applications that shares one or more worker processes. For example, an application pool might cover a particular intranet site or application like http://timeentry for a time entry application or http://officesupplies for an online company store for office supplies. An application pool might also consist of Internet sites for an ISP with several clients. Think of application pools as name spaces for IIS. An application pool can support one or more applications or sites at the same time, and there can be more than one application pool per server.

HTTP.sys and WAS don’t run third-party code, so they aren’t affected by Web site or application failures in IIS 6.0. This makes them stable. However, the real key to the new process model is the worker process.

The worker process handles all user code. In the event a worker process fails or times out, WAS will create a new worker process and tear down the old one. Each process is completely isolated, so the failure of one worker process won’t bother others running in other application pools or even those worker processes in the same Web Garden. (A Web Garden is a combination of worker processes used to share the load of a particular application pool; more on this shortly.)

Worker processes are protected from other worker processes and run in their own space. In IIS 5.0, an application or site would have to be configured to run out-of-process to run in its own space. The main difference between the dllhost and worker processes is that dllhost.exe is still significantly dependent on the inetinfo.exe process to pass the appropriate calls, whereas the w3wp.exe works with HTTP.sys as a listener that never runs third-party code. In IIS 6.0, every site and application runs in the space of the application pool, and each site or application can have a separate application pool created for it, as seen in Figure 1.

The new process model is important because it allows WAS to monitor the different application pools and stop to recycle worker processes that are failing or have failed completely, then create and start new worker processes to take the place of the failed one. This means that application pools can be updated and reconfigured without touching the other application pools. With WAS monitoring them, they’re self-healing, which leads to a much more stable platform; also, configuration changes don’t require reboots.

Installing IIS 6.0

IIS 6.0 is installed automatically with .NET Web Edition, but not on the other versions of .NET. There are many ways to install IIS. The three most common are:

  • Using the “Manage Your Server” introduction page that appears at startup. It’s similar to the “Configure Your Server” page seen during Windows 2000 installation (see Figure A). Click “Add or remove a role” on the menu following the Wizard. Next will be the screen shown here. To install the Web server, highlight it and click Next.
  • Using the Manage Server Wizard. Click on Start | All Programs | Administrative Tools | Manage Your Server. Then click “Add or remove a role” on the menu and follow the same wizard as in the first option.
Configure Your Server Wizard
Figure a. The Configure Your Server Wizard screen is where you choose what type of .NET Server to add, in this case IIS 6.0. (Click image to view larger version.)
  • You can always use the same Control Panel process used in Win2K. Click on Start | Control Panel | Add or Remove Programs | Add/Remove Windows Components. From here, select “Web Application Server” then click Details. Select all needed components then click “Internet Information Server (IIS),” click Details and select the components needed for the server.

The Difference Between Web Services and IIS 6.0
We keep hearing “Web services” and IIS 6.0 in the same breath as if they’re interchangeable. Web services are Web-enabled applications that happen to run on IIS. Think of the many different applications and services used on the Internet, as well as on intranets. Some of them are simple calendar management programs; others are more complex applications, like time entry as a front-end for an accounting system. In these cases, a Web interface allows access to an application or service and doesn’t require installation of an application on the user’s desktop. Also consider all those great new services that allow data transfer and integration of applications through XML messages transferred over port 80, the same port used for Web browsing. These applications are URL-addressable and can communicate via SOAP and XML messages. In many cases, a user interface (Web page) isn’t required. Web services have also been described as Web-based COM components. So Web services are much more than static Web pages served off an IIS server, but they do normally use IIS as the platform.

Security Enhancements
IIS 6.0 differs dramatically from IIS 5.0 in terms of security features. For instance, it’s locked down by default. IIS 5.0 is an installation component of Win2K and, thus, installed by default. IIS 6.0 isn’t installed by default, except in .NET Web Edition. IIS 5.0 is installed with many other features and capabilities that aren’t needed by many businesses. Securing IIS 5.0 requires hardening and the use of tools like IIS Lockdown and URL Scan. IIS 6.0, on the other hand, installs locked down, requiring the administrator to open up the system to allow needed services. This is great news. No longer will IIS install with extra options and components turned on, leaving the server open to a plethora of attacks.

Microsoft has finally implemented IIS the way it should be—installed with the bare minimum of capabilities and properly locked down. By default, IIS 6.0 installs with the ability to serve only static HTML pages. ASP requests, WebDAV, FrontPage extensions, .idc mappings, default directories, default scripts and other IIS 5.0 defaults that served as attack launching pads have been scrubbed in IIS 6.0. In the example shown in Figure 2, ASP has been allowed, while WebDAV, server side includes and other holes remain closed. The default configuration is much more secure than in IIS 5.0.

Compatibility Administrator
Figure 2. Most Web Service extensions in IIS 6.0 come turned off, providing much greater security out of the box.

Other changes on the security front include:

  • 404 File Not Found errors are used instead of 403 Access Denied for disabled extensions. This is important because now hackers can’t find out which extensions are implemented.
  • Updates and hotfixes can be installed without having to restart IIS 6.0.
  • Access Control List changes have improved security in a number of ways:
    • Files in Inetpub\wwwroot are secured with the IIS_WPG, NET WORK and IUSR accounts having very limited List permissions only.
    • Buffer overflows are easily overcome with WAS monitoring the worker processes and restarting them as necessary or according to configuration.
    • Write protection is provided for content, and upload data-type limitations are in place so that only certain file types can be uploaded to the server.
    • The HTTP.sys process verifies that the requested content exists before handing it off to ISAPI extension handlers. By limiting the requests that go forward, many probes trying to identify the services available are defeated.
  • There’s much better site isolation for ISP environments and hosting companies. The access each site operator has is limited to just his or her site. This will help, for instance, in the way FTP is implemented. The root for each FTP site is different, and users can’t navigate to folders for other sites.
  • TCP/IP port filtering is available and can be used to limit traffic to just the ports needed for the services being hosted.

Performance Boosters
Many changes have been made that improve the performance of IIS in version 6.0. The new process model is the key to most of the performance enhancements.

Bandwidth and CPU throttling is available in IIS 6.0 to allow multiple applications and sites to exist on the same server, as well as limit them so they don’t consume all the available system resources. IIS 6.0 takes it one step further, though, with CPU affinity. In systems with multiple CPUs, the worker processes can have affinity assigned to specific CPUs to use the Layer 1 and Layer 2 cache. It also allows partitioning of applications, so that a multiprocessor machine can have some CPUs assigned to one application pool and its worker processes and other CPUs assigned to a different application pool and worker processes. This provides higher levels of service.

Another change that will increase performance is WAS monitoring and protection of worker processes. This allows for quick recovery as well as periodic restarts of worker processes to limit memory leaks that might occur in a Web application. (See Figure 3 to see how these settings are applied to an application pool.) This encompasses three aspects: health monitoring, rapid-fail protection and orphaning.

Managing Worker Processes
Figure 3. Worker processes are managed much better in IIS 6.0, leading to improved performance.

Health Monitoring
WAS monitors worker process health by pinging the worker processes regularly to determine if they’ve failed. If a worker process has failed or is blocked, WAS will terminate the process and create another worker process in the application pool for replacement. In most cases, WAS can also tell when a process fails without having to ping it, because each worker process maintains a communication channel to the WAS, and WAS can detect dropped communication links.

Digex Inc.: IIS 6.0 Delivers the Goods

IIS 6.0 hasn’t been released to the general public yet, but that doesn’t mean it’s not in use. In fact, one of the largest managed hosting companies in the world has been using it for two years now—and not just on a test network. Digex Inc., headquartered in Laurel, Maryland, is a close partner of Microsoft and has been using IIS 6.0 since January 2001. Digex has been using it on some production machines, including their main Web site, www.digex.com, since the beta 3 version was released about 10 months ago. That’s confidence in a product.

Digex hosts its customers' sites on a number of platforms, including Unix and Linux. But it’s primarily a Windows shop, running Windows NT, Windows 2000 and Windows .NET Server 2003. In all, Digex is running IIS 6.0 on “about 15 different, supported production servers,” according to Dwayne Cox, a senior engineer with Digex. It’s also being used “extensively in testing,” he added. Currently, Digex is using hardware-based load balancing and managing the servers manually.

And what do they think of IIS 6.0? “It’s working fantastic,” said Senior Engineer Dan Kahler. “Prior to moving to IIS 6, we had regular service tickets” relating to problems with its use of IIS 5.0. Since the switch, “Our reliability has been outstanding,” he said.

In the nearly one year that it’s been on the production servers, there have been 0—as in zero—unscheduled outages.

That doesn’t mean Digex was having constant problems with IIS 5.0. “IIS 5 is pretty stable, but as a managed systems provider, it’s important to show customers we can keep our own stuff stable before they’ll trust us with their own systems,” Kahler explained, hence the necessity of having the most reliable servers possible.

Reliability is one of two main claims on which Microsoft has hung its hat in relation to IIS 6.0. The other is security. On that front, Digex has also been pleased.

“It’s very secure,” said Kahler. It’s so secure, in fact, that even experienced system administrators have a significant learning curve with the product. It seems that there have been a number of problems related to Web server access, “because [admins] are not familiar with the features yet. We have to tell admins to open things up; usually that’s where the problem is,” Kahler said.

Although IIS 6.0 works well for Digex, it still has its shortcomings. Chief among them is the lack of management tools. Many of Digex’s Web sites are still hosted on IIS 5.0, and Application Center 2000 serves as the management server. IIS 6.0 must be hosted on a .NET server and can’t use Application Center.

“We need features that allow us to manage more boxes,” Cox said. “We’re managing around 2,300 IIS servers, and quite a few are identical Web servers. It would be ideal to configure those [similar IIS 6.0 Web servers] through a common interface. Having a single integrated interface to configure IIS and the .NET Framework would help a lot.”

Even though IIS 6.0 can’t be run on any operating system older than .NET, it does have an IIS 5.0 compatibility mode that allows older applications to run on it. Digex said it will soon upgrade all its internal company servers to IIS 6.0 and isn’t hesitating to do so. Said Kahler: “Outside of Microsoft, you won’t find anybody more comfortable with the features [than Digex], especially the reliability of IIS 6.0.”
—Keith Ward

Rapid-fail Protection
When the communication link between WAS and the worker process fails, WAS can log the event and restart the worker process. The next level is to configure the application pool parameters so that if there are several worker process failures in a row, WAS can disable the application pool. WAS will mark it as out-of-service so that any other requests will result in a “503 Service Unavailable” response to the browser.

Orphaning
IIS 6.0 configuration can allow for orphaning of any worker process that WAS finds to be failing. If the worker process doesn’t respond to the ping from WAS, it can be marked as failing; Microsoft calls it “terminally ill.” In most cases, WAS will terminate the worker process and create a new one to take its place in the application pool. With orphaning enabled, WAS will allow the failing worker process to continue running and start up another worker process to handle new requests. This allows the orphan to possibly complete its process.

Other Boosters
One of the biggest complaints of systems administrators is the hassle of tracking down memory leaks in poorly written applications. This is true of Web applications, as well. IIS 6.0 can be set up to restart worker processes automatically based on minutes (the default is 120 minutes); number of requests served by the worker process; at scheduled times during the day or night; or when a certain memory threshold is reached. This is a great way to keep systems performing well while debugging and troubleshooting internal or third-party code that would normally suffer from memory leaks.

A Web Garden is similar to a Web Farm, but in a single server. It allows an application pool to have multiple worker processes to share the load and provide support for the same application pool. If one or more worker processes fails or times out, others will still be able to service the application pool. As the failed worker processes are discovered and restarted by WAS, they add that many more processes. This provides greater application pool performance as compared to the other application pools with a single worker process.

IIS 6.0 allows the use of hardware accelerators to improve SSL performance. This is done by allowing vendors to plug their Crypto Service Provider (CSP) modules into the system’s Crypto API to support these hardware devices.

The Best of the Best
While many improvements in IIS 6.0 merit applause, a few stand out as being especially noteworthy.

Administrative Web Site
The starting Web page in .NET Web Edition is the Administrative Web site (Figure 4). It’s an easy-to-use graphical design that provides a great deal of information. It can be used locally or remotely and is SSL-enabled by default. Notice that the top of the Welcome page shows the Status in a Warning state. In this case, it was because the certificate being used didn’t come from a Certificate Authority. The Status page tells how to fix the situation.

.NET Web Edition
Figure 4. The start page for .NET Web Edition, the Administrative Web site, is highly informative. (Click image to view larger version.)

Passport Integration
Microsoft’s been talking up Passport for a long time, but its usefulness to the average shop wasn’t apparent until IIS 6.0. With IIS 6.0, Passport can serve as another means of authentication for Web sites and applications. Users won’t have to remember separate account names and passwords to access premium sites, as their Passport ID can be mapped to an account in Active Directory. That account can then be used to provide the security ACLs necessary to access an application or content. Passport is well integrated into .NET Server.

Metabase
The new metabase implementation is a huge leap beyond the current binary file implementation. As with many other Microsoft products, XML is finding a home here. With XML, administrators can access the metabase using a standard file editor. (Look, Ma, no special tools!) Not only is it a text file that’s easy to edit, it can also be edited while the server’s running. It doesn’t require a reboot to change the metabase. The metabase has other benefits, too:

  • Faster read-and-write access than the previous binary files.
  • A smaller footprint.
  • It saves a copy that can be used to restore the system if the original is corrupted.
  • It keeps track of its version history.
  • Configurations can be rolled back quickly.
  • It can be exported and imported with ease.
  • It can be password protected.

Command-line Administration
Not many people get excited about command-line usability, but with the new capabilities, it’s now possible to do many things with scripting that couldn’t be done before. At a command prompt, it’s now possible to use home-grown scripts or those that ship with .NET to:

  • Create, delete, start, stop and display all Web and FTP sites.
  • Create and delete virtual directories and display all directories in a Web or FTP site.
  • Import and export configuration information using XML files.
  • Back up and restore IIS configuration information.

It’s great when scripts can be created to perform repetitive tasks, and these new capabilities will make life really good for ISPs and hosting organizations.

The Impact of IIS 6.0 on Your Job
For administrators, running IIS 6.0 will likely have several significant outcomes. The first is security. Now you won’t have to turn off services and lock down the system. On the other hand, you’ll have more set-up work, as services will need to be enabled. In the end though, the fewer headaches and the more secure environment will be worth it.

For truly high-demand environments, you can consider 64-bit support, since .NET comes in both flavors, 64- and 32-bit.

Also, as reported by Don Jones in “Changing Addresses” in January, .NET supports the IPv6 stack. If you install the new protocol suite, IIS 6.0 will automatically support handling HTTP requests that arrive over IPv6.

Additional Information

Find out about obtaining the latest release candidate of Windows .NET at www.microsoft.com/windows.netserver/preview/default.mspx.

You’ll find a technical overview of IIS 6.0 at www.microsoft.com/windows.netserver/techinfo/overview/iis.mspx.

But what you’ll probably notice most is that the phone will ring less often. The number of calls about the Web server being down will dramatically decrease with WAS watching worker processes and stopping, restarting or building new ones as necessary. Also, IIS 6.0 is going to be much more stable and will perform better than previous versions. That translates into a better return on investment (always a critical factor in these days of botox-tight budgets), happier admins and more satisfied users and Web customers. What could be better than that?

Featured