Informant: Disabling ISAPI Filters
Discover which ISAPI filters are installed by default on your IIS machines and whether you should remove them.
February 4, 2002
By default, the IIS installation process installs several Internet Server API (ISAPI) filters. I want to remove the filters I don't need, but what I can safely remove isn't clear. Can you tell me which filters I should and shouldn't remove?
The ISAPI Filters tab of the WWW Service Master Properties dialog box, which Figure 4 shows, displays the ISAPI filters installed on an IIS 5.0 server. (You can also load filters at the Web site level.) In addition to the default filters—sspifilt, Compression, md5filt, and fpexedll.dll—I've added UrlScan to the server.
As a quick review, ISAPI filters serve a special function in IIS: They can modify the raw data stream coming into or leaving the server. Consequently, they have a great deal of power to add functionality to the server. People often confuse ISAPI filters with ISAPI extensions such as asp.dll, which renders Active Server Pages (ASP) script, but they're very different.
Now, I'll answer your question about what each filter does and whether you should remove it. In general, if you don't need the functionality a filter provides, I suggest that you remove the filter. Removing unneeded ISAPI filters streamlines the data path and might improve security and stability. You can always add a filter later if you need it by opening the Web site's Master Properties dialog box, clicking the ISAPI Filters tab, clicking Add, and pointing to the file. If you add a filter, I recommend that you make a record of its location and filename. Also, I suggest that you back up your metabase. Here's an overview of the default ISAPI filters for IIS 5.0 and UrlScan.
Sspifilt. The Sspifilt filter provides the ability to use Secure Sockets Layer (SSL) sessions on the server. I suggest that you leave this filter installed.
Compression. The Compression filter, found in IIS 5.0 only, lets you use HTTP compression for specific extensions and tune the compression cache. However, the Compression filter has had a few problems with cache management, it doesn't work with some third-party Web applications, and it's useful only with Microsoft Internet Explorer (IE) 5.x or later clients.
UrlScan. UrlScan is installed on IIS 5.0 and IIS 4.0 machines as part of Microsoft's IIS Lockdown tool and is an important part of IIS security. You can edit the urlscan.ini file, which the installation process creates, to configure this filter. Be aware, however, that improper configuration can disable server functionality. If your server is functioning properly, I would leave the filter in place.
Md5filt. The Md5filt filter provides Digest authentication capability—an IIS 5.0 capability. Digest authentication is a much better authentication method than Basic authentication, but it's not in widespread use. For more information about Digest authentication, see the IIS 5.0 online Help files.
Fpexedll.dll. The fpexedll.dll filter provides backward compatibility from Microsoft FrontPage Server Extensions to the FrontPage 97 client. You can find this filter on both IIS 5.0 and IIS 4.0 installations.
About the Author
You May Also Like