Microsoft 'Internet Information Services' ('IIS'; formerly called 'Server') is a set of Internet-based services for servers using Microsoft Windows. It is the world's second most popular web server in terms of overall websites. As of September 2007 it served 34.94% of all websites and 36.63% of all active websites according to Netcraft.[1] The servers currently include FTP, SMTP, NNTP, and HTTP/HTTPS.
Versions
★ IIS 1.0, Windows NT 3.51 available as a free add-on
★ IIS 2.0, Windows NT 4.0
★ IIS 3.0, Windows NT 4.0 Service Pack 3
★ IIS 4.0, Windows NT 4.0 Option Pack
★ IIS 5.0, Windows 2000
★ IIS 5.1, Windows XP Professional
★ IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition
★ IIS 7.0, Windows Vista and Windows Server 2008
History of IIS
IIS was initially released as an additional set of Internet-based services for Windows NT 3.51. IIS 2.0 followed, adding support for the Windows NT 4.0 operating system, and IIS 3.0 introduced the Active Server Pages dynamic scripting environment.
IIS 4.0 dropped support for the Gopher protocol and was bundled with Windows NT as a separate "Option Pack" CD-ROM.
The current shipping version of IIS is 7.0 for Windows Vista, 6.0 for Windows Server 2003 and IIS 5.1 for Windows XP Professional. IIS 5.1 for Windows XP is a restricted version of IIS that supports only 10 simultaneous connections and a single web site.[2] IIS 6.0 added support for IPv6.
Windows Vista does not install IIS 7.0 by default, but it can be selected from the list of optionally installed components. IIS 7.0 on Vista does not limit the number of connections allowed but restricts performance based on active concurrent requests.
Security
Earlier versions of IIS were hit with a spate of vulnerabilities, chief among them CA-2001-19, which led to the infamous Code Red worm; however, version 7.0 currently has no reported issues that affect it. In perspective, the free software Apache web server has four reported issues,[3] one "moderately critical", two "less critical", and the last "not critical". In IIS 6.0, Microsoft opted to change the behavior of pre-installed ISAPI handlers,[4] many of which were culprits in the vulnerabilities in 4.0 and 5.0, thus reducing the attack surface of IIS. In addition, IIS 6.0 added a feature called "Web Service Extensions" that prevents IIS from launching any program without explicit permission from an administrator. With the current release, IIS 7.0, the components were modularized so that only the required components have to be installed, further reducing the attack surface. In addition, security features such as URLFiltering were added, which reject suspicious URLs based on a user-defined rule set.
In IIS 5.1 and lower, by default all websites were run in-process and under the System account,[5] a default Windows account with elevated rights. Under 6.0 all request handling processes have been brought under a Network Services account, which has significantly fewer privileges. In particular, this means that if there is an exploit in a feature or custom code, it wouldn't necessarily compromise the entire system, given the sandboxed environment the worker processes run in. IIS 6.0 also contained a new kernel HTTP stack (http.sys) with a stricter HTTP request parser and a response cache for both static and dynamic content.
Authentication mechanisms
IIS 5.0 and higher support the following authentication mechanisms:
★ Basic access authentication
★ Digest access authentication
★ Integrated Windows Authentication
★ .NET Passport Authentication
Internet Information Services 7.0
Debuting with Windows Vista, and also to be included in Windows Server 2008, IIS 7.0 features a modular architecture. Instead of a monolithic server which features all services, IIS 7 has a core web server engine.
Modules offering specific functionality can be added to the engine to enable its features. The advantage of this architecture is that only the features required need to be enabled, and that functionality can be extended with custom modules.
The following sets of modules are slated to ship with the server:
# HTTP Modules
# Security Modules
# Content Modules
# Compression Modules
# Caching Modules
# Logging and Diagnostics Modules
Writing extensions to IIS 7 using ISAPI has been deprecated in favor of the module API, with which modules can plug in anywhere in the request processing pipeline. Much of IIS's own functionality is built on this API, and as such, developers have much more control over request processing than was possible in prior versions. Modules can be written in C++ or against the IHttpModule interface of the .NET Framework. Modules can be loaded globally, where the services provided by the module can affect all sites, or loaded on a per-site basis. IIS 7 has an integrated mode application pool where .NET modules are loaded into the pipeline using the module API, rather than ISAPI. As a result, ASP.NET code can be used with all requests to the server.[6] For applications requiring strict IIS 6.0 compatibility, the Classic application pool mode loads ASP.NET as an ISAPI.
A significant change from previous versions of IIS is that all web server configuration information is stored solely in XML configuration files, instead of in the metabase. The server has a global configuration file that provides defaults, and each virtual web's document root (and any subdirectory thereof) may contain a 'web.config' containing settings that augment or override the defaults. Changes to these files take effect immediately. This marks a significant departure from previous versions whereby web interfaces, or machine administrator access, were required to change simple settings such as default document, active modules and security/authentication. It also eliminates the need to perform metabase synchronization between multiple servers in a farm of web servers.
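Because a 'web.config' in any content directory can augment or override the defaults, a defender will want to know which files in a site tree touch active modules or authentication. The following is an added example, not code from the original page or from Microsoft: the function names, the watched-section list (including "handlers") and the sample tree with its 'ExampleModule' name are assumptions constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Sections of <system.webServer> named in the text as changeable from a content
# directory. "handlers" is an added assumption: it maps requests to code.
WATCHED = ("modules", "handlers", "security/authentication")

# Constructed sample tree (not from the page): relative path -> file content.
SAMPLE_SITE = {
    "web.config": "<configuration><system.webServer><defaultDocument><files>"
                  "<add value='index.html'/></files></defaultDocument>"
                  "</system.webServer></configuration>",
    "uploads/web.config": "<configuration><system.webServer><modules>"
        "<remove name='ExampleModule'/></modules><security><authentication>"
        "<anonymousAuthentication enabled='true'/></authentication></security>"
        "</system.webServer></configuration>",
}


def write_site(root, files=SAMPLE_SITE):
    """Materialise a {relative path: content} mapping under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def audit_web_configs(site_root):
    """List (relative path, section, child tags) for each web.config of interest."""
    findings = []
    for dirpath, _dirs, names in os.walk(site_root):
        for name in names:
            if name.lower() != "web.config":
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, site_root).replace(os.sep, "/")
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                findings.append((rel, "unparseable", ()))
                continue
            # iter() also reaches sections wrapped in <location path="...">.
            for sws in root.iter("system.webServer"):
                for section in WATCHED:
                    node = sws.find(section)
                    if node is not None:
                        findings.append((rel, section, tuple(c.tag for c in node)))
    return sorted(findings)
```

Run against the sample tree, the site-level file that only sets a default document is not reported, while the one under 'uploads' is flagged for both its modules and its authentication sections.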
IIS 7 also features a completely rewritten administration interface that takes advantage of modern MMC features such as task panes and asynchronous operation. Configuration of ASP.NET is more fully integrated into the administrative interface.
Other changes:
★ PICS content ratings, support for Microsoft Passport, and server-side image maps are no longer included.
★ Executing commands via server-side includes is no longer permitted.
★ 'IISRESET -reboot' has been removed.
★ The 'CONVLOG' tool, which converts IIS log files into NCSA format, has been removed.
★ Support for enabling a folder for "Web Sharing" via the Windows Explorer interface has been removed.
See also
★ List of FTP servers
★ List of mail servers
★ Comparison of web servers
★ WISA
★ Metabase
★ ASP.NET
References
1. Netcraft Web Server Survey, September 2007
2. Internet Information Services 5.1
3. Apache 2.2.x - Vulnerability Report - Secunia
4. IIS Installs in a Locked-Down Mode (IIS 6.0)
5. HOW TO: Run Applications Not in the Context of the System Account in IIS#Default Installation
6. IIS 7.0 Scott Guthrie
External links
★ Microsoft Internet Information Services product page
★ IIS.net - Microsoft Internet Information Services technical home page
★ IIS 7.0 Technical Reference — Microsoft TechNet
★ IIS Installation for XP — Microsoft
★ Security Guidance for IIS — Microsoft TechNet