What's Changed

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

There are some notable and important differences in default behavior and settings between IIS 4.0, IIS 5.0, IIS 5.1, and IIS 6.0.

This topic includes the following information:

  • Core Functionality and Services

  • Metabase Configuration

  • Administration

  • Programmatic Administration

  • Active Server Pages (ASP)

  • ASP Hang Detection

  • Security

  • Performance

  • IIS Utility Components

  • IIS on 64-bit Versions of the Windows Server 2003 Family

The following table summarizes the important differences between versions of IIS.

Platform
  IIS 4.0: Windows NT 4.0
  IIS 5.0: Windows 2000
  IIS 5.1: Windows XP Professional
  IIS 6.0: Windows Server 2003 family

Architecture
  IIS 4.0: 32-bit
  IIS 5.0: 32-bit
  IIS 5.1: 32-bit and 64-bit
  IIS 6.0: 32-bit and 64-bit

Application process model
  IIS 4.0: TCP/IP kernel; MTX.exe
  IIS 5.0: TCP/IP kernel; DLLhost.exe (multiple DLL hosts in medium- or high-application isolation)
  IIS 5.1: TCP/IP kernel; DLLhost.exe (multiple DLL hosts in medium- or high-application isolation)
  IIS 6.0: HTTP.sys kernel. When IIS is running in IIS 5.0 isolation mode: Inetinfo.exe (for in-process applications) or DLLhost.exe (for out-of-process applications). When IIS is running in worker process isolation mode: W3wp.exe (multiple worker processes)

Metabase configuration
  IIS 4.0: Binary
  IIS 5.0: Binary
  IIS 5.1: Binary
  IIS 6.0: XML

Security
  IIS 4.0: Windows authentication; SSL
  IIS 5.0: Windows authentication; SSL; Kerberos
  IIS 5.1: Windows authentication; SSL; Kerberos; Security wizard
  IIS 6.0: Windows authentication; SSL; Kerberos; Security wizard; Passport support

Remote administration
  IIS 4.0: HTMLA
  IIS 5.0: HTMLA
  IIS 5.1: No HTMLA; Terminal Services
  IIS 6.0: Remote Administration Tool (HTML); Terminal Services

Cluster support
  IIS 4.0: In Windows NT 4.0
  IIS 5.0: IIS clustering
  IIS 5.1: Windows support
  IIS 6.0: Windows support

WWW services
  IIS 4.0: IIS on Windows NT 4.0; Personal Web Manager on Windows 9x
  IIS 5.0: IIS on Windows 2000
  IIS 5.1: IIS optionally on Windows XP Professional
  IIS 6.0: IIS on a member of the Windows Server 2003 family

Core Functionality and Services

IIS 6.0 has been redesigned to take advantage of HTTP.sys, the kernel-mode HTTP driver in Windows. This allows for built-in response and request caching and queuing, as well as the ability to route application process requests directly to the worker processes, which improves reliability and performance.

IIS 6.0 introduces two modes of operation in order to configure your application environments: worker process isolation mode and IIS 5.0 isolation mode. The default isolation mode upon installing IIS 6.0 depends on whether you perform a clean installation or an upgrade.

  • After a clean install of IIS 6.0, IIS runs in worker process isolation mode.

  • After an upgrade from an earlier version of IIS 6.0, the isolation mode is the same as configured on the previously installed version of IIS 6.0.

  • After an upgrade from IIS 5.0 or IIS 4.0, IIS 6.0 runs in IIS 5.0 isolation mode by default to maintain compatibility with your existing applications.

For information about switching from one isolation mode to the other, see Configuring Isolation Modes.

IIS 5.0 Isolation Mode

IIS 5.0 isolation mode manages application processes in a similar fashion to the process management in IIS 5.0: all in-process applications run inside Inetinfo.exe, and out-of-process applications run in separate DLL hosts. Some existing applications may not have been written to run concurrently, or to store session state separately from the application. Therefore, running processes in IIS 5.0 isolation mode ensures compatibility for most existing applications. The following illustration shows how application processes are handled in IIS 5.0 isolation mode.

[Illustration: how application processes are handled in IIS 5.0 isolation mode]

Worker Process Isolation Mode

When configured to execute in worker process isolation mode, all application code runs in an isolated environment. This design removes some of the existing bottlenecks. Worker process isolation mode allows the administrator to isolate anything from an individual Web application to multiple sites in their own self-contained worker process. This prevents one application or site from stopping another. In addition, separating applications or sites into their own process space simplifies a number of management tasks, such as restarts (independent of all other sites or applications running on the system), changing a component used by the application, debugging, monitoring counters, throttling resources, and so forth. The following illustration shows how applications are managed by IIS in worker process isolation mode.

[Illustration: how applications are managed by IIS in worker process isolation mode]

HTTP requests are routed to the correct application pool queue, which means that user mode worker processes serving an application pool pull the requests directly from the kernel and eliminate the unnecessary process hops encountered when sending a request to an out-of-process DLL host. In IIS 6.0, there is no longer the notion of in-process applications; all necessary HTTP application run-time services, such as ISAPI extension support, are equally available in any application pool. This design prevents a malfunctioning HTTP application or Web site from disrupting other HTTP applications (or other Web sites) served from other processes on that computer. Unloading components becomes easier because with isolated application processes, the process can, if necessary, be terminated to unload all resources, with no effect on other content or applications being served from other processes. It is also beneficial to be able to leverage other operating system services available at the process level (for example CPU throttling), per application pool.

Furthermore, critical portions of worker process isolation mode that maintain the overall functioning of World Wide Web Publishing Service (WWW service) run entirely outside of the worker processes. The IIS 6.0 kernel-mode driver, HTTP.sys, which is the universal HTTP processor for Windows, and the WWW Service Administration and Monitoring component isolate the critical portions of the core Web server. Both of these components are protected and do not allow third-party code to be loaded into them. This design prevents a malfunctioning HTTP application from disrupting WWW services on the server.

For more information about isolation modes, see Application Isolation Modes.

Metabase Configuration

The metabase for IIS 6.0 is stored in an XML file instead of in binary format as it was in earlier versions of IIS. The location remains the same, but the ways it can be manipulated -- updated, rolled back, restored, and extended -- have changed. There are two significant files instead of one: MetaBase.xml and MBSchema.xml.

Administration

  • In IIS 4.0, applications could either be run in the same process as the Internet service or in a separate process. In IIS 5.0 and 5.1, applications can be grouped into pooled processes for increased performance and improved scalability. For more information, see About Configuring Applications. In IIS 6.0 worker process isolation mode, applications can be grouped into any number of application pools.

  • The Application Mappings property sheet contains a list of Hypertext Transfer Protocol (HTTP) verbs that are processed by an application that is mapped to certain file types. This list of verbs represents a change from IIS 4.0, where the list contained the verbs that were excluded, or not processed. This change was made to accommodate new HTTP verbs as they are added to the protocol. For more information about application mappings, see Setting Application Mappings in IIS 6.0.

  • Clustering is not a feature of IIS 6.0 (IISsynche.exe is not supported). Clustering is a feature of the Windows Server 2003 family. For information about Windows Clustering (MSCS), see Windows Server 2003 family Help.

  • The location of custom error files has changed from IIS 4.0 to IIS 5.0.

  • The Web-based Internet Services Manager (HTML) has been replaced by a Web application called the Remote Administration (HTML) tool. To remotely administer IIS by using the Remote Administration (HTML) tool, see Administering Servers Remotely in IIS 6.0.

Programmatic Administration

In previous versions of IIS, programmatic administration of IIS was possible with Admin Base Objects (ABO) from compiled C++ applications, or with Active Directory Services Interfaces (ADSI) from C++ or script files. IIS 6.0 includes a provider for Windows Management Instrumentation (WMI), a technology that allows administrators to control all services and applications programmatically. For more information about WMI, see "IIS Administration Technologies" in the IIS Software Development Kit (SDK) on MSDN.

Active Server Pages

Beginning with IIS 6.0, Microsoft Active Server Pages (ASP) can be used along with Microsoft ASP.NET. For information about configuring IIS to run ASP.NET applications, see About ASP.NET. For news on changes to ASP functionality in IIS 6.0, see Important Changes in ASP.

Because the worker process, W3wp.exe, runs as the Network Service account in IIS 6.0 worker process isolation mode, you must configure Launch and Access permissions to enable ASP debugging for Script Debugger and Visual InterDev. For more information, see Enabling ASP Debugging.

ASP Hang Detection

When an IIS Web site is busy, there may be instances when the maximum number of ASP threads has been spawned and some of the ASP threads are hung, resulting in degraded performance. IIS 6.0 has the ability to solve the problem of hung threads by recycling the worker process that hosts that particular instance of the ASP ISAPI extension, ASP.dll. When ASP threads are hung in IIS 6.0, ASP.dll calls the ISAPI server support function HSE_REQ_REPORT_UNHEALTHY; the WWW service then recycles the worker process that hosts ASP.dll and makes an entry in the event log.

For more information about ISAPI server support functions, see ServerSupportFunction in the ISAPI Extension Reference at MSDN® Online.

Security

One of the most important changes in IIS 6.0 addresses Web server security. In order to take a more proactive stance against malicious users and attackers, IIS is not installed by default on members of the Microsoft Windows Server 2003 family.

Important

To help minimize the attack surface of the server, IIS 6.0 is not installed on Windows Server 2003 by default. When you first install IIS 6.0, it is locked down -- which means that only request handling for static Web pages is enabled, and only the World Wide Web Publishing Service (WWW service) is installed. None of the features that sit on top of IIS are turned on, including ASP, ASP.NET, CGI scripting, FrontPage® 2002 Server Extensions from Microsoft, and WebDAV publishing. If you do not enable these features, IIS returns a 404 error. You can enable these features through the Web Service Extensions node in IIS Manager. For more information about how to troubleshoot 404 errors and other issues, see Troubleshooting in IIS 6.0.

With the Web Server Certificate Wizard and the CTL Wizard, you can synchronize Web and NTFS security settings, obtain and install server certificates, and create and modify certificate trust lists. You can also select a cryptographic service provider (CSP) for encrypting data with a certificate.

Other security changes in IIS 6.0 include the following:

  • Disabled on upgrades: The World Wide Web Publishing Service (WWW service) is disabled on Windows Server 2003 family upgrades, unless one of the following is true:

    • You have already run the IIS Lockdown Wizard on your Windows 2000 Server before starting the upgrade process. The IIS Lockdown Wizard reduces the attack surface by disabling unnecessary features, and it allows you to decide which features to enable for your site. The IIS Lockdown Wizard is available at IIS Lockdown Tool.

    • The registry key RetainW3SVCStatus has been added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC. Under RetainW3SVCStatus, you can add any value and then assign a DWORD value to it. For example, you can create the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\RetainW3SVCStatus\do_not_disable with the DWORD value of 1.

    • In the unattended install case, an entry "DisableWebServiceOnUpgrade = false" exists in the unattended install script.

Important

If you use the WWW service, we strongly recommend that you run the IIS Lockdown Wizard on your Windows 2000 Server before upgrading to a product in the Windows Server 2003 family. The IIS Lockdown Wizard will help secure your computer by disabling or removing unnecessary features that are present in your Windows 2000 Server installation. These features would otherwise have remained on your machine after upgrading, leaving your server vulnerable to attacks.

  • Disabling IIS through Group Policy: With members of the Windows Server 2003 family, domain administrators can prevent users from installing IIS on their machines.

  • Running as an account with a low level of access rights: IIS worker processes run in a user context with few access rights. This drastically reduces the effect of potential attacks.

  • Secure ASP: All ASP built-in functions always run as the account with very few access rights, IUSR_computername.

  • Restriction on running executables: In order to run most executables in the system folder (such as cmd.exe), you must be a member of the Administrators group or be running as the LocalSystem, Interactive, or Service account. This restriction limits remote access to Administrators, so anonymous users cannot run executables.

  • Patch management: With patch management, administrators can get the latest security patches installed without interrupting service.

  • Known extensions: IIS serves requests only to files with known file name extensions. The server rejects requests for content if the file name extension is not mapped to a known file type or to an application that services requests for that file type.

Note

The word extensions has two meanings: Either Web service extensions that enable pages to serve dynamic content, for example, .asp or .aspx; or file name extensions, which indicate the file type, such as .exe, .txt, or .inc.

Use the WebSvcExtRestrictionList metabase key to lock down DLLs and executables that handle dynamic content. To lock down file name extensions, use the MimeMap feature in the IIS metabase.

  • Write protection for content: Anonymous users (running as IUSR_computername account) are denied write access to Web content by default.

  • Timeouts and limits: In IIS 6.0, settings are set to aggressive and secure defaults to minimize attacks due to timeouts and limits that were previously too generous.

  • Upload data limitations: Administrators can limit the data that can be uploaded to a server.

  • Buffer overflow protection: If a worker process detects a buffer overflow, it exits rather than continuing to run the affected program.

  • File verification: IIS verifies whether the requested content exists before it gives the request to a request handler (ISAPI extension).

  • Index this resource: This permission is now enabled by default.

  • Script source access: This permission, which allows access to the source code of scripts in ASP pages and other scripts, is new and is disabled by default. It is available if either the Read or Write permission is selected.

  • Subauthentication: This is no longer enabled by default on a new installation of IIS 6.0. For more information, see Configuring Subauthentication.

  • UNC authentication: In this version of IIS, the UNC authentication method checks for user credentials. For more information, see UNC Authentication in IIS 6.0.

  • New policy: The "Prevent IIS from Installing" policy has been added to the Windows Server 2003 family of products. This policy allows a domain administrator to control which computers in the domain can install IIS. For more information, see "Group Policy" in Help and Support Center for Windows Server 2003.

  • Fortezza: Support for this has been removed.
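The "known extensions" rule and the Web Service Extensions lockdown above, together with the Write and Script source access permissions, can be checked against a metabase fragment. The following Python script is an added illustration and is not IIS code or anything Microsoft ships: it models the serve-or-404 decision a locked-down server makes for a request and audits AccessFlags for Write or Script source access, over a constructed MetaBase.xml-style fragment. The attribute layouts (WebSvcExtRestrictionList entries as "allowed,path,...", MimeMap entries as "extension,mime-type", ScriptMaps entries as "extension,handler,...", and the XML namespace) are assumptions modelled on the IIS 6.0 metabase; the handler paths, site and virtual directories are constructed sample data.

```python
"""Simplified model of the IIS 6.0 'known extensions' lockdown plus a
write / script-source permission audit, run over a constructed
MetaBase.xml-style fragment.  Added illustration only: this is not IIS code,
and the attribute layouts below are assumptions modelled on MetaBase.xml."""
import posixpath
import xml.etree.ElementTree as ET

NS = "{urn:microsoft-catalog:XML_Metabase_V64_0}"  # assumed metabase namespace

# Constructed sample.  Multi-line string properties use &#xA; entities so the
# XML parser keeps the newlines (a literal newline in an attribute value would
# be normalized to a space).  Paths and sites are made up for the example.
SAMPLE_METABASE = r"""<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC"
  WebSvcExtRestrictionList="0,*.dll&#xA;0,*.exe&#xA;0,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages&#xA;1,C:\WINDOWS\system32\inetsrv\httpext.dll,0,WEBDAV,WebDAV"
  MimeMap=".htm,text/html&#xA;.html,text/html&#xA;.gif,image/gif&#xA;.css,text/css">
</IIsWebService>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
  AccessFlags="AccessRead | AccessScript"
  ScriptMaps=".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE"
  Path="c:\inetpub\wwwroot">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/uploads"
  AccessFlags="AccessRead | AccessWrite | AccessSource"
  Path="c:\inetpub\wwwroot\uploads">
</IIsWebVirtualDir>
</MBProperty>
</configuration>
"""


def _entries(value):
    """Split a multi-line metabase string property into its non-empty lines."""
    return [line.strip() for line in value.split("\n") if line.strip()]


def load_config(xml_text):
    """Pull the handful of properties this model needs out of the metabase."""
    root = ET.fromstring(xml_text)
    svc = root.find(f".//{NS}IIsWebService")
    cfg = {"enabled_handlers": set(), "known_exts": set(), "vdirs": []}
    # WebSvcExtRestrictionList entry: "allowed,path[,deletable,groupid,description]"
    # (assumed layout); allowed == "1" means the ISAPI/CGI handler may run.
    for entry in _entries(svc.get("WebSvcExtRestrictionList", "")):
        allowed, path = entry.split(",")[:2]
        if allowed == "1":
            cfg["enabled_handlers"].add(path.lower())
    # MimeMap entry: "extension,mime-type" (assumed layout); only these
    # extensions count as known static content.
    for entry in _entries(svc.get("MimeMap", "")):
        cfg["known_exts"].add(entry.split(",")[0].lower())
    for vd in root.iter(f"{NS}IIsWebVirtualDir"):
        # ScriptMaps entry: "extension,handler-path,flags,verbs..." (assumed layout)
        maps = {}
        for entry in _entries(vd.get("ScriptMaps", "")):
            ext, handler = entry.split(",")[:2]
            maps[ext.lower()] = handler.lower()
        flags = {f.strip() for f in vd.get("AccessFlags", "").split("|") if f.strip()}
        cfg["vdirs"].append({"location": vd.get("Location"),
                             "flags": flags, "maps": maps})
    return cfg


def decide(cfg, vdir_location, request_path):
    """What a locked-down server does with a request: serve it statically,
    hand it to an enabled handler, or answer 404 (with the reason)."""
    ext = posixpath.splitext(request_path)[1].lower()
    vdir = next(v for v in cfg["vdirs"] if v["location"] == vdir_location)
    if ext in vdir["maps"]:                      # dynamic content
        handler = vdir["maps"][ext]
        if handler in cfg["enabled_handlers"]:
            return f"dynamic: handled by {handler}"
        return f"404: web service extension for {ext} is prohibited"
    if ext in cfg["known_exts"]:                 # static content
        return "static: served from disk"
    return f"404: unknown file name extension {ext!r}"


def audit_write_and_source(cfg):
    """Virtual directories granting Write or Script source access, the two
    permissions a default IIS 6.0 installation leaves off."""
    risky = {"AccessWrite", "AccessSource"}
    return {v["location"]: sorted(v["flags"] & risky)
            for v in cfg["vdirs"] if v["flags"] & risky}


if __name__ == "__main__":
    cfg = load_config(SAMPLE_METABASE)
    for path in ("/default.htm", "/default.asp", "/notes.inc", "/readme"):
        print(f"{path:14} -> {decide(cfg, '/LM/W3SVC/1/ROOT', path)}")
    print("write/source access:", audit_write_and_source(cfg))
```

In the sample, asp.dll is listed with a leading 0, so a request for an .asp page gets the same 404 that a fresh IIS 6.0 returns until ASP is enabled under Web Service Extensions; .inc is not in the MimeMap, so it is also refused, which is the behaviour that keeps include files from being downloaded. The audit flags the uploads directory because it grants both AccessWrite and AccessSource.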

Performance

To limit the amount of memory allocated to ASP pages, IIS has set the default value of the AspScriptFileCacheSize Metabase Property to 250 ASP pages, and the default value of the AspScriptEngineCacheMax Metabase Property to 125 script engines. AspScriptFileCacheSize can be set higher on sites with a large set of frequently requested ASP pages. This improves performance because ASP page compilation is substantially slower than retrieving pages from the cache. On a site with only a small number of frequently requested ASP pages, memory can be saved by setting this number to a smaller value.

IIS Utility Components

  • Collaboration Data Objects for Windows NT Server (CDONTS): CDONTS has been removed from the Windows Server 2003 family. If your Web applications use CDONTS, you can convert them to Microsoft Collaboration Data Objects (CDO). Most methods in CDONTS have matching methods in CDO, but might be named differently. For reference material for CDO in the Platform Software Developer Kit (PSDK), see Overview of CDO at MSDN Online.

  • IIS utility components not installed: Ad Rotator, Browser Capabilities, Content Linker, Content Rotator, Counters, Logging Utility, My Info, Page Counter, Status, and Tools are not installed with IIS 6.0. However, if you upgrade your Web server from a previous version of IIS, the utility components are not removed.

IIS on 64-bit Versions of the Windows Server 2003 Family

On the 64-bit versions of the Windows Server 2003 family of operating systems, IIS runs as a 64-bit application. This means that 32-bit applications cannot be called from IIS on the 64-bit versions of the Windows Server 2003 family of operating systems. For example, the Jet database engine will not be converted to a 64-bit application, so you cannot use ActiveX® Data Objects (ADO) to open a Microsoft Access database from an ASP page. However, you can still use ADO to access other drivers, such as SQL and Exchange.