IIS Insider - February 2002

By Brett Hill

Allocating More System Resources for IIS 5

Q: Is there a way to allocate more system resources to IIS 5? I have servers that have 2 Plus GB of useable RAM, but it appears IIS only uses a small part of it. Are there resources out there allowing tweaks to the OS to maximize the efficiency of IIS?

A: IIS is largely self tuning, except for those web sites that support very high volumes. By default IIS will consume up to one-half the available system RAM, but will not lay claim to that amount of RAM making it unavailable to other processes until it is actually required.

You have enough RAM to work well for most web servers. IIS 5 can use up to 2 GB of RAM by default. To use more RAM that 2 GB, you must use the /3GB switch in the boot.ini file.

Without knowing exactly what you have used to determine how IIS is using resources on your system, one quick response is that if IIS is only consuming only a small portion of your system resources, it is most likely because it only requires a small portion.

IIS performance can be hindered by subsystem bottlenecks other than available RAM. The most common cause of lackluster performance does not involve IIS tuning issue, but coding techniques that result in applications that cannot scale. In this case, resource use can be low, while response is less than stellar.

Identifying bottlenecks can be a challenge and there is quite a bit written on the topic. See the following:

• Chapter 5: Monitoring and Tuning Your Server (Internet Information Services 5.0 Resource Guide)
• The Art and Science of Web Server Tuning with Internet Information Services 5.0 white paper.

Minimum Permissions Required for SMTP Folders

Q: What are the minimum permissions required for the SMTP folders?

A: When you install the SMTP service on your server, the following directory tree is created under Inetpub:

Mailroot

Badmail Drop Mailbox Pickup Queue Route SortTemp

These folders, by default, have Everyone – Full Control as an inherited permission. Your question cannot be answered conclusively because the permissions required for the SMTP folders depend on mechanics of the process that uses them.

CDONTS and/or CDOSYS are often used with ASP to generate e-mail that will be automatically delivered by the SMTP service. In this case the user that invokes the script must be able to Read and Write to the Pickup folder. In some cases, the IWAM_<servername> may also need access to the Pickup folder as well (see the Microsoft Knowledge Base article Q260985).

So, the minimum permissions for using the STMP service with CDONTS or CDOSYS for an in process application for anonymous access only would be:

Mailroot – System-Full Control Administrator-Full Control Badmail - inherited Drop - inherited Mailbox - inherited Pickup - System-Full Control Administrator – Full Control IUSR_<servername> - Read and Write Queue - inherited Route - inherited SortTemp - inherited

As you can see, because the IUSR account has Read/Write permissions, you should also apply the Deny – Execute permission to the Pickup folder for the IUSR account.

This is not meant to be an example of what you should implement on your system, but rather a guide to assist in determining what permissions could be assigned rather than Everyone – Full Control. In most situations, you can probably assign Authenticated Users the Read and Write permission to the Pickup folder instead of the IUSR account and not adversely affect your security.

Tip You can research what the requirements are for your particular system by enabling Auditing for the Mailroot directory tree for both successful and failed read and write events. A review of the Security Events log will then show exactly what your server requires.

Are Host Headers Supported with FTP?

Q: We support about 12 web sites on our IIS server and would like to provide FTP access for each web site. We have not found a way to use Host Headers with FTP the same as we do for the web sites. Why doesn't Microsoft support host headers with FTP?

A: This is one of the most frequently asked questions regarding FTP with IIS 4 and IIS 5. The reason you can't use Host Header with Microsoft's FTP server is because Host Headers are not part of the FTP protocol, whereas it is part of the HTTP 1.1 specification. Consequently, the only way to have more than one virtual FTP server on your system is to use a unique IP address or port number for each.

You can, however, route each user to a designated home folder when they log on, as outlined in the Microsoft Knowledge Base article Q201771.

Difference Between the Execute Permissions for Application Settings

Q: I recently installed a second IIS 5 server and setup the new server with an identical configuration as the first. Both servers deliver a web-based application that requires Perl. The second server, however, requires Scripts and Executables permissions on the application whereas the original server requires only Scripts. The NTFS permissions are exactly the same. Why would one server require Scripts and Executables to run Perl and the other works with Scripts Only.

A: The Execute permissions (Figure 1) allow you to control exactly where executable content is permitted to be run from your server. This permission overrides NTFS permissions. Typically, Scripts Only is all that is required for a directory that contains only scripts; however this is an exception to this.

If your browser does not support inline frames, click here to view on a separate page.

Figure 1 Execute Permissions

In the application mappings for your site (which are accessed by pressing the Configuration button shown in Figure 1, highlight the mapping that associates .pl (or .cgi which is also common) with the perl scripting engine (typically perliis.dll) and then click Edit. You will see a window similar to Figure 2.

If your browser does not support inline frames, click here to view on a separate page.

Figure 2 Edit Application Extension Mapping

Notice the checkbox marked Scripting Engine. If that checkbox is not enabled, your scripts require that Execute Permissions be set to Scripts and Executables. Checking the box allows you to set the Execute Permissions to Scripts Only.

Conflict Installing IIS 4.0 From Windows NT 4.0 Option Pack

Q: We are installing IIS 4 on an NT4 server that has SP6a applied. However, when we start the Option Pack installation, a message appears saying that IIS 4 is tested only with SP3 and asks if we should continue. Do we really need to uninstall SP6a and apply SP3 to install IIS 4?

A: The message you reference does appear, but can be safely ignored. You will need to reapply SP6a and subsequent hotfixes after loading IIS 4. See the Microsoft Knowledge Base article Q199918 for more information.

Submit your questions to the IIS Insider. Selected questions along with the answers will be posted in a future IIS Insider column.

For a list of previous months questions and answers on IIS Insider columns, click here.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.