Testing How Security Features Affect Performance

Applies To: Windows Server 2003, Windows Server 2003 with SP1

The security services in Windows Server 2003 and IIS 6.0 are integrated into a number of operating system services. This means that you cannot monitor security features separately from other aspects of those services. Instead, the most common way to measure security overhead is to run tests that compare server performance with and without a security feature. Run the tests with fixed workloads and a fixed server configuration so that the security feature is the only variable.

In your tests of the effects of security services on performance, measure the following:

  • Processor activity and the processor queue. Security features like authentication, certificates, encryption, and the SSL protocol require significant processing, so it is important to balance the performance costs associated with these security features against your performance objectives.

    When using security features, you are likely to see increased processor activity, in both privileged mode and user mode, and an increase in the rate of context switches and interrupts. If the processors on the server are not sufficient to handle the increased load, queues are likely to form.

    If the SSL protocol is being used, Lsass.exe might consume an unexpected amount of CPU resources because SSL processing occurs in the Lsass.exe process. Custom hardware, such as cryptographic accelerators that perform encryption, can help. When you create certificates by using the certificate wizards provided in IIS, you can select a cryptographic service provider that uses cryptographic accelerators.

  • Physical memory used. Security features require that the system store and retrieve more user information.

  • Network traffic. You are likely to see an increase in traffic between the IIS-based server and the domain controller that is used for authenticating logon passwords and verifying IP addresses.

  • Latency and delays. The most obvious performance degradation resulting from complex security features like SSL is the time and effort involved in encryption and decryption, both of which use many processor cycles. Downloading files from servers by using the SSL protocol can be 10 to 100 times slower than downloading from servers that are not using SSL.
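One way to carry out the with/without comparison described above, shown as an added example that is not part of the original documentation: it averages each counter from two CSV performance logs, one per test run at the same fixed workload, and reports the percent change. The host name WEB01, the sample values, and the function names are constructed for illustration.

```python
import csv, io
from statistics import mean

# Constructed samples in PDH-CSV layout (WEB01 and all values are made up).
HEADER = (r'"(PDH-CSV 4.0)","\\WEB01\Processor(_Total)\% Privileged Time",'
          r'"\\WEB01\System\Context Switches/sec",'
          r'"\\WEB01\System\Processor Queue Length",'
          r'"\\WEB01\Process(lsass)\% Processor Time"' "\n")
BASELINE_CSV = HEADER + '''"01/01/2005 10:00:00.000","8"," ","1","2"
"01/01/2005 10:00:05.000","10","2000","1","2"
"01/01/2005 10:00:10.000","12","2200","1","2"
'''
SSL_CSV = HEADER + '''"01/01/2005 11:00:00.000","18"," ","3","30"
"01/01/2005 11:00:05.000","20","3000","4","34"
"01/01/2005 11:00:10.000","22","3300","5","38"
'''

def counter_means(text):
    """Return {counter path without the \\\\HOST\\ prefix: mean of its samples}."""
    rows = list(csv.reader(io.StringIO(text)))
    header, samples = rows[0], rows[1:]
    means = {}
    for i in range(1, len(header)):              # column 0 is the timestamp
        name = header[i].split("\\", 3)[-1]      # drop \\HOST\ so runs line up
        values = []
        for row in samples:
            try:
                values.append(float(row[i]))
            except (ValueError, IndexError):
                continue                         # blank or missing sample
        if values:
            means[name] = mean(values)
    return means

def overhead(baseline_text, feature_text):
    """Per counter: (baseline mean, feature mean, percent change or None)."""
    base, feat = counter_means(baseline_text), counter_means(feature_text)
    report = {}
    for name in base.keys() & feat.keys():       # only counters present in both runs
        b, f = base[name], feat[name]
        report[name] = (b, f, (f - b) / b * 100 if b else None)
    return report

if __name__ == "__main__":
    for name, (b, f, pct) in sorted(overhead(BASELINE_CSV, SSL_CSV).items()):
        change = "n/a" if pct is None else f"{pct:+.0f}%"
        print(f"{name:45} {b:10.1f} {f:10.1f} {change}")
```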

Important

It is recommended that you do not use a domain controller as a Web server. If a domain controller is running IIS, the proportion of processor use, memory, and network and disk activity consumed by domain services is likely to increase significantly. The increased activity can be enough to prevent IIS services from running efficiently.

For more information about IIS certificate wizards, see Using Certificate Wizards.