What You Need to Know About IIS 6.0

Better reliability, security, and manageability

Paul Thurrott

November 24, 2002


Microsoft Internet Information Services (IIS) 6.0, the Web-server component of Windows .NET Server (Win.NET Server) 2003, represents the first extensive redesign of IIS since the product's introduction in 1996. (IIS 6.0 won't work with earlier Windows server versions such as Windows 2000 or Windows NT.) The new Web server component builds on earlier versions and adds better reliability, security, and manageability—strengths that should appeal to businesses serving Microsoft technology-based Web sites. Here's what you need to know about IIS 6.0.

Improved Reliability
"Customers wanted IIS to be smarter and more dependable," said Andrew Cushman, IIS group product manager at Microsoft. To that end, IIS 6.0 incorporates new features, including a new process model that isolates Web applications from one another. Because each application is independent, one application can fail without affecting the rest of the system. Furthermore, new process-recycling and health-detection technologies proactively test the state of IIS Web applications and restart them automatically, as needed. As a result, you need fewer remote sessions to connect to Web servers or, in many cases, fewer physical trips to reboot servers. Best of all, you can configure the recycling behavior on demand or according to an extensive list of metrics (e.g., uptime, a set schedule, the number of Web hits, memory consumption).

In IIS 5.0 and earlier, the IIS metabase stores all IIS configuration settings. Because this database uses a proprietary format, you often need to stop and restart IIS to make configuration changes. Microsoft has used standards-based XML to rewrite IIS 6.0's metabase, a simple text file that you can edit through the Microsoft Management Console (MMC) Internet Information Manager snap-in (as before) or with a standard text editor. But the move to an XML-based metabase has other positive ramifications, not the least of which is instantaneous changes: When you make a change to the new metabase, your live Web sites immediately reflect the change. (IIS 6.0 creates a backup of the metabase so that you can return to previous states if necessary.) The new metabase also makes cloning Web sites and Web applications and creating server-independent backups easier. And IIS 6.0 supports automatic metabase versioning and history.

IIS 6.0 is more scriptable than earlier versions. It includes a Windows Management Instrumentation (WMI) interface and full support for command-line scripts that perform functions such as starting and stopping Web sites; backing up and restoring the metabase; and creating, deleting, importing, or exporting Web sites, directories, and Web applications.

Better Security
Probably the most intriguing changes to IIS involve security. During Microsoft's Trustworthy Computing code review in early 2002, the company made the difficult choice of disabling numerous IIS features by default so that the Web server would be more secure when you first install the product. In addition, IIS 6.0 doesn't install by default during Win.NET Server installations, which helps secure servers that don't require Web-based features.

Upon installation, IIS 6.0 defaults to serving only static Web pages. As a result, you must manually configure the software to perform more advanced functions, such as Active Server Pages (ASP) and ASP.NET site serving. When you add advanced functionality, IIS 6.0 warns you about potential security risks and makes recommendations about the best way to configure the server securely. Also, IIS 6.0 includes no sample code and has more aggressive limits and timeouts so that the software presents less of an attack surface to the outside world.
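
As an added example (not from the original article or from Microsoft), a defender can check the static-only default by reading the XML metabase and listing which Web service extensions have been switched on. The `WebSvcExtRestrictionList` attribute name and its comma-separated entry layout come from IIS 6.0's metabase schema rather than from this article, and the XML fragment below is constructed and simplified.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified MetaBase.xml fragment (not taken from a real server).
SAMPLE_METABASE = r'''<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebService Location="/LM/W3SVC"
        WebSvcExtRestrictionList="0,*.dll
            0,*.exe
            1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages
            0,C:\WINDOWS\system32\inetsrv\httpodbc.dll,0,HTTPODBC,Internet Data Connector" />
  </MBProperty>
</configuration>'''

def parse_extensions(metabase_xml):
    """Return one dict per Web service extension entry in the metabase."""
    entries = []
    for el in ET.fromstring(metabase_xml).iter():
        # Match on the local tag name so the namespace URI does not matter.
        if el.tag.rsplit("}", 1)[-1] != "IIsWebService":
            continue
        raw = el.get("WebSvcExtRestrictionList", "")
        # XML parsers turn line breaks inside an attribute into spaces, so
        # split where whitespace is followed by the next "0," or "1," flag.
        for item in re.split(r"\s+(?=[01],)", raw.strip()):
            if not item:
                continue
            fields = item.split(",", 4)
            entries.append({
                "allowed": fields[0] == "1",   # 1 = allowed, 0 = prohibited
                "path": fields[1],
                "description": fields[4] if len(fields) > 4 else "",
            })
    return entries

def enabled_dynamic_content(metabase_xml):
    """Paths of extensions switched on; a static-only server returns []."""
    return [e["path"] for e in parse_extensions(metabase_xml) if e["allowed"]]

def wildcard_allowed(metabase_xml):
    """True if any unlisted ISAPI (*.dll) or CGI (*.exe) binary may run."""
    return any(e["allowed"] and e["path"].startswith("*.")
               for e in parse_extensions(metabase_xml))

if __name__ == "__main__":
    for e in parse_extensions(SAMPLE_METABASE):
        state = "ALLOWED" if e["allowed"] else "blocked"
        print(state, e["path"], e["description"])
```

An empty result from `enabled_dynamic_content` matches the out-of-the-box state the article describes; any entry it returns, or a true `wildcard_allowed`, is functionality an administrator enabled after installation.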

Recommendations
Despite sharing a few surface similarities with its predecessors, IIS 6.0 is, in many ways, a new Microsoft Web server. If your business relies on IIS-driven Web applications or Web sites, a Win.NET Server upgrade might be in order. Businesses that want to quickly roll out Web blade-type Web server farms should consider Microsoft's new Win.NET Server 2003, Web Edition, a low-cost alternative to the other Win.NET Server editions.

About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.
