IIS7 Revealedby Mitch Tulloch
Microsoft Internet Information Services (IIS) has evolved over the years from a simple web server to a full-fledged application hosting platform. While earlier versions had some glaring security issues, version 6 of IIS provided enterprises with an application hosting environment that was locked down by default, earning it widespread accolades as the most secure web server ever. Now with Windows Vista and Longhorn Server on the horizon, version 7 of IIS will soon arrive. What new benefits will IIS 7 bring to enterprises already running IIS 6? And can IIS7 help Microsoft further penetrate web-hosting markets where Apache currently rules? To find out, I talked recently with Brett Hill, a well-known IIS trainer who is now working as an IIS Evangelist at Microsoft.
Tulloch: Brett, what's so exciting about IIS7? Can you give us a quick overview of the new features and enhancements in this version?
Hill: IIS 7 is Microsoft's most ambitious web server to date. Perhaps the most well-known feature is the new modular design. In IIS 6, the majority of features are provided in a single .dll and if Microsoft didn't provide the feature, or it didn't work in the way that fit your business, you had a limited number of options. In IIS 7, the design is completely modular. The features, like Basic authentication, compression, directory browsing, etc., are implemented as discrete modules. You can remove modules you don't need, or add your own modules--which can be written in native or managed code--to add the functionality you need. This gives you the ability to make very specialized, streamlined servers that are custom-designed for your specific scenarios.
Tulloch: Let's drill in on this modularity thing for a moment--it sounds almost like Apache. What's the idea behind this new architecture?
Hill: There are several motivations for this new architecture. Primarily, it's about giving people authority over the behavior of the server. With the modular design, you can control which modules are loaded, the sequence they load in, and who can load them. Since you can load custom modules directly into the IIS 7 request-handling pipeline, you can write--in native or managed code--modules that are hooked up to internal events such as authentication. This gives developers the ability to modify or extend the features of IIS 7 with relative ease. As a result, people are no longer dependent on the IIS team to release new features, as you can write your own and plug them directly into IIS 7. And this idea of extensibility is not limited to modularity; you can extend almost every aspect of IIS 7 including the schema, the user interface, and tracing events reported by applications.
Tulloch: What about security? IIS6 was a big improvement over previous versions since it came locked down by default. Has security improved in IIS7? How?
Hill: Indeed, IIS 6 has an extremely impressive security record and we are building on that record. IIS 7 is much more tightly integrated with .NET than was IIS 6. This has several benefits for security. In IIS 6, ASP.net would run as an ISAPI extension. As a result, a request would be received by the server and was sent through the IIS 6 pipeline. If the request was for .NET, then the ASP.net ISAPI would take the request and process it through the .NET pipeline. In some cases, security behavior would be different for .NET versus non-.NET content.
In IIS 7, however, you can run your applications in "Integrated" mode, meaning that .NET capability is part of the core pipeline. Forms authentication, which used to be only applicable to .NET content, can now be used for all kinds of content. This means you can have the numerous benefits of .NET forms authentication, role, and membership providers for any content on your web server. This is a very, very big deal for a lot of people. You can authenticate your .php, static, or any kind of content to any database, local or remote, for which you have a provider. Since it's .NET, you can even write your own provider to integrate with any local or remote store you want to use. Remember that there are no changes required in your applications to be able to do this! In addition, Request Filtering, similar to URLScan, is built in. And of course, there are the many security improvements in Vista and Longhorn from which IIS will benefit.
Tulloch: What about performance? How does IIS7 compare in this aspect with previous versions and who will this benefit the most?
Hill: We are expecting to see performance gains through improvements in http.sys, Longhorn/Vista networking and file system improvements, and the ability to streamline the IIS 7 pipeline. Honestly, we've been focusing mostly on Vista, which is a client operating system, of course, and we're not expecting to engage enterprise-level performance testing for IIS 7 until after Beta 2 is shipped.
Tulloch: Who is Microsoft really targeting with all these changes--the corporate intranet environment, web-hosting companies, or both?
Hill: All of the above and more. In particular, we want to interest developers who can extend the capabilities of IIS 7 to do all kinds of things that we can't even imagine. That's the beauty of this design--to provide an open design, documented APIs, and extensible features, and let designers, hosters, enterprise organizations, and hobbyists create innovations.
Tulloch: What about the management UI? There seems to be a lot of changes there. Will it be easier to simultaneously manage large numbers of sites using these changes? Or more difficult?
Hill: The new IIS manager is completely redesigned--and it's about time! Before I joined Microsoft, I used to kid the IIS team that IIS 6 was a hot-rod engine with jalopy body. In essence, the IIS 6 UI is a modified IIS 4 design. In fairness, the new IIS 7 architecture required a complete rethinking of the UI design. We wanted to allow developers the ability to extend the UI, while at the same time permit administrators the ability to delegate control. We needed to do all of this while not losing sight of hosters that need to administer thousands of sites from the same console. Plus, we expose net configuration, creating new users, and many other settings never before accessible from IIS from within the user interface. This, as you can imagine, has taken one or two iterations to get right.
For those who are experienced with IIS 6, the key functions you normally perform are usually listed on the Tasks pane of the UI for quick access. For example, when you click on the websites node in the standard tree view of sites and folders, the task pane will allow you to create new virtual directories, edit the basic settings, etc. These options change depending on where you are in the UI.
One of the key new features is the ability to delegate configuration of specific settings to website operators. In this way, you can allow specific individuals to modify IIS settings in the web.config file that resides in the web root. For example, the IIS administrator can allow a site's web.config file to change the type of authentication used for a site, or change the default page. This allows you to judiciously delegate control for website configuration to trusted others, or keep it centralized on the IIS 7 server as you see fit.
Tulloch: Will IIS7 only be available on the Vista and Longhorn server platforms, or will it be backported to existing platforms?
Hill: IIS 7 will be delivered as part of Vista and Longhorn server. There are no plans at this time to make it available for other Microsoft operating systems.
Tulloch: How is IIS7 in Vista different from the Longhorn server version?
Hill: One of the biggest news stories here is not what's missing, but what's changed from IIS 5.1. As many people know, IIS 5.1 on XP Pro allowed only one website. IIS 7 on Vista allows you to create multiple websites! This is a big win for developers. In addition, rather than limiting you to ten connections on the client operating system, you can have as many requests as you want, but only ten at time will be processed, the rest going into the request queue.
Tulloch: Is there still any room for improvement in IIS? What features are on your wish list for future versions?
Hill: Of course there is always room for improvement and I don't think you're going to have to wait 'til Longhorn Server to see some of them. There are some "projects" at work that will be quite helpful to current IIS users that manage multiple servers. I can't say more at this time.
Tulloch: Are there any good IIS7 resources out there that are publicly available yet? What would you recommend for enterprises that want to learn more about IIS7's capabilities?
Hill: Around the Beta 2 timeframe, you can expect to hear about some very public, new IIS 7 resources. Until then, it's admittedly quite a challenge to get many details on IIS 7. One place is Channel 9 where you can find webcasts and podcasts. Also, if you search for IIS 7 on MSN, you'll find lots of blog entries by team members, such as this one by Carlos Aguilar Mares on the new web management API and David Wang, developer extraordinaire.
Tulloch: Finally, would you care to guess how the market will react? Will IIS7 help Microsoft make further inroads against Apache, or will Apache hold its own?
Hill: I work closely with the IIS product team and can attest to their efforts to deliver the very best product that is possible. They work hard to find out what customers need, to innovate, and to create the most reliable, secure, performing product they can with the resources they have. I'm not saying this from a marketing perspective, but as a first-person witness to this effort. All this effort will translate into a better product that results in greater adoption and implementation of IIS and Windows. That's the way I approach the entire marketshare discussion. If we make a great product, more people will want to use it.
Return to the Windows DevCenter.