In this last how-to in the series, we look at IIS (Internet Information Server) 6.0, a key component of the new operating system and a major reason for upgrading: the new IIS Web server is both faster and more scalable than before and, thanks to a totally new request processing architecture, also inherently more resilient and secure.

Locked down, locked out
The core Web server becomes a part of the protected OS kernel in IIS 6.0 with a kernel mode driver (http.sys) to listen out for all client requests. These are then queued to individual Web sites and applications operating within their self-contained Web service processes. As a result, rogue applications should no longer be able to bring down the server or interfere with each other. Applications can now also be grouped into pools to improve security without wasting resources as in IIS 5.0 where they either ran in one process space or individually.

IIS 6.0 server processes also run with very few privileges, so anonymous users can no longer launch executables on a host server. Neither can they write or change content, and the new server will now only service requests for files with known extensions.

These and other enhancements really do make IIS 6.0 a lot more reliable and secure. However, one drawback is that it's not possible to simply upgrade to the new Web server, the architectural changes making it wholly dependent upon WS2003. It can also come as a bit of a shock to find that, as part of its new locked-down approach, Microsoft no longer includes IIS in the default install.

This applies even when upgrading from Windows 2000, where the IIS server will be disabled if its default settings are unchanged (in other words, it can be assumed not to have been used). Unfortunately, where changes have been made, the server is migrated "as-is", which can leave security holes. So much so that Microsoft recommends running its IIS Lockdown Tool beforehand to make sure any obvious vulnerabilities have been dealt with.

Configure that server
The IIS 6.0 software is installed using either the Control Panel Add/remove programs applet or, if you want to be guided through the procedure, the Configure your Server wizard. This starts up automatically after the OS is first installed, and will configure IIS and associated add-ons for you when Application Server is added to the list of assigned server roles.

Installed this way you get the core IIS component and, optionally, Microsoft's FrontPage Server extensions and ASP.NET automatically. But be careful with the latter as, despite the name, you don't need ASP.NET to run Active Server Pages and should only install this option if intent on developing Web services.

The initial install completes in just a few minutes. However, even then you'll find the server won't do much more than serve up static HTTP pages, typically returning 404 errors to all requests for dynamic content until an appropriate Web service extension is enabled. And those extensions are managed via a new node added to the IIS Manager tool for IIS 6.0, the MMC snap-in now starting up with a list of the installed extensions, showing the status of each one which will either be prohibited or allowed.

Following a standard install, ASP, CGI and ISAPI extensions will all be loaded but access prohibited, as will extensions for Server Side Includes and Web Distributed Authoring and Versioning (WebDAV). Buttons alongside can then be used to change extension status, with other controls to, for example, add new Web service extensions and allow extensions for use with specific applications.

Management and other options
Alongside Web service extensions, the IIS Manager snap-in continues to provide the main interface for general server and Web site administration. The Administration Web site provided as part of earlier IIS implementations can also be used, although this is, again, a locked-down option that has to be installed separately. Additionally, and more importantly when it comes to large deployments, the IIS setup can also be managed using Windows Server 2003 group policies.

One other big change, and another good reason for upgrading to IIS 6.0, is the use of an XML text file as the metabase in which configuration settings are stored. This new format brings many advantages, for example, making it easier to clone Web sites and take backups, with automatic versioning and history included as standard. The XML code can also be edited directly and any changes made are effective immediately, with no need to stop and start Web sites as was often the case before.
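Because the metabase is plain XML text, the prohibited/allowed status of each Web service extension described under "Configure that server" can be reviewed from a copy of the file. The Python script below is an added example, not code from Microsoft or from this article; the excerpt it reads is constructed, and the `WebSvcExtRestrictionList` entry layout (flag, path, deletable flag, group ID, description) and the helper names are assumptions made for the illustration.

```python
import re

# Constructed excerpt in the style of MetaBase.xml (not taken from a real server).
SAMPLE_METABASE = r'''
<IIsWebService Location="/LM/W3SVC"
    WebSvcExtRestrictionList="0,*.dll
        0,*.exe
        1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages
        0,C:\WINDOWS\system32\inetsrv\ssinc.dll,0,SSINC,Server Side Includes
        1,C:\WINDOWS\system32\inetsrv\httpext.dll,0,WEBDAV,WebDAV" />
'''

# Wildcard entries stand for all unknown ISAPI (*.dll) and CGI (*.exe) extensions.
WILDCARDS = {"*.dll", "*.exe"}

def parse_restriction_list(metabase_text):
    """Return one dict per Web service extension entry found in the text."""
    # Read the raw text: an XML parser would fold the attribute's line breaks into spaces.
    m = re.search(r'WebSvcExtRestrictionList\s*=\s*"([^"]*)"', metabase_text)
    if m is None:
        return []
    entries = []
    for line in filter(None, map(str.strip, m.group(1).splitlines())):
        # Assumed layout: flag,path[,deletable,group,description]; flag 1 = allowed.
        fields = line.split(",", 4)
        if len(fields) < 2 or fields[0] not in ("0", "1"):
            raise ValueError("unrecognised entry: %r" % line)
        fields += [""] * (5 - len(fields))
        entries.append({"allowed": fields[0] == "1", "path": fields[1],
                        "group": fields[3], "description": fields[4]})
    return entries

def audit(entries, approved_groups):
    """List allowed extensions that fall outside the approved set of group IDs."""
    findings = []
    for e in entries:
        if not e["allowed"]:
            continue
        if e["path"].lower() in WILDCARDS:
            findings.append("wildcard allowed: " + e["path"])
        elif e["group"] not in approved_groups:
            findings.append("unexpected extension allowed: %s (%s)"
                            % (e["group"], e["path"]))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_restriction_list(SAMPLE_METABASE), {"ASP"}):
        print(finding)
```

Run against the sample with only ASP approved, it reports the allowed WebDAV extension; an allowed `*.dll` or `*.exe` entry is flagged regardless of the approved set.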

The new architecture and functionality provided by IIS 6.0 alone are good reasons for considering an upgrade to Windows Server 2003. On top of that you get all the other benefits of the new OS with, for high-density server farms, a custom Web Server edition which leaves out a lot of otherwise unneeded functionality.