IIS 7.0 for Apache Administrators

Published: March 2009


Contents

Overview
Introduction to IIS 7.0
Extensible Modular Architecture
Enhanced Web Server Security
Improved Management Tools
Diagnostics & Troubleshooting
Strong Web Application Support
Flexible Extensibility Model for Customization
FTP Publishing Service for IIS 7.0
Integrated Request Pipeline
IIS 7.0 Configuration and Management
Configuring IIS 7.0
Hosting PHP on IIS 7.0
Installing FastCGI Support
Installing and Configuring PHP on IIS 7.0
Configure IIS 7.0 to Handle PHP Requests
Using Modules to Control and Customize IIS
Distributed Configuration Model
Administration Using IIS 7.0
Customizing Error Messages
URL Rewriting
Web Caching
Web Output Compression
Diagnostics and Troubleshooting
Apache
IIS 7.0
Securing the Web Server
Conclusion
IIS 7.0 Resources


Overview

This white paper provides Apache administrators with detailed technical information about Internet Information Services (IIS) 7.0. It describes the architecture, security model, management features, and other new enhancements included in this release. It also compares common IIS 7.0 and Apache management scenarios and tools.

This document also examines how each Web server platform integrates with application, database, and management solutions, and how ease of management can be maintained as the Web server environment grows. Finally, this document examines the powerful diagnostic, troubleshooting, and reporting tools that can help simplify the maintenance of Web applications running on IIS 7.0.


Introduction to IIS 7.0

IIS 7.0 is the most powerful Web server from Microsoft to date, providing new capabilities that dramatically improve the way Web solutions are developed, deployed, and managed. IIS 7.0, with a modular design similar to that of Apache Web Server, gives administrators superior control through its extensible architecture, an intuitive graphical user interface, and greater ability to customize their Web servers, resulting in improved efficiency when deploying and managing Web applications. In addition, the powerful diagnostic capabilities built into IIS 7.0 reduce the time required to troubleshoot issues, resulting in minimized downtime.

Extensible Modular Architecture

In previous versions of IIS, all functionality was built in by default. In effect, all features were installed regardless of the intended use of the IIS server, and there was no easy way to extend or replace any of that functionality. In IIS 7.0, the core Web server has been completely re-engineered and replaced by a wholly modular architecture that offers greater flexibility and the following three key benefits:

Componentization

Extensibility

ASP.NET integration

The functionality of IIS 7.0 is divided into more than 44 separate feature modules. These modules can be installed during the setup of the Web Server (IIS) role through the Server Manager console. The existing functionality can be extended further by using the included Win32 and .NET APIs to build new modules.

While the IIS 7.0 modules replace Internet Server Application Programming Interface (ISAPI) filters and extensions, IIS 7.0 maintains full support of these filters and extensions. Apache Web Server provides limited support for ISAPI extensions but does not support ISAPI filters. Apache also has a well-known community-driven project called Apache Portable Runtime (APR), which creates and maintains software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. APR provides a set of APIs that map to the underlying operating system and hence allow developers to write platform-independent programs.

Enhanced Web Server Security

Since 2003, four security vulnerabilities have been reported on IIS 6.0, compared with 23 for Apache 2.0.x during the same period,[1] according to Secunia, the security service provider. IIS 7.0 builds on top of the secure foundation of its predecessor, and brings an enhanced process model that isolates applications by sandboxing resources and configurations at the application level by default.

Installing a minimal environment by choosing the Server Core installation option of Windows Server 2008 further limits the area of exposure of the IIS 7.0 installation. Server Core omits graphical services and most libraries, reducing the total footprint of the operating system while still retaining the ability to be administered both locally via the IIS command-line utility APPCMD.EXE as well as remotely.

Improved Management Tools

Apache’s initial design did not take into account the possibility of implementing a graphical interface for its management tools. Apache management functions are accomplished through entries made directly into configuration files, or through open source graphical management tools such as TKApache and NetLoony, which are available for download.

[1] See: http://secunia.com/advisories/product/1438/?task=statistics.

In contrast, IIS 7.0 offers a range of management tools that cater to any Web site administrator’s personal taste. Day-to-day management can be accomplished graphically, via the command line, or by manually editing the configuration file. These tools give administrators greater control and easier access to the sites they manage.

The following management tools are integrated into IIS 7.0.

IIS Manager, a graphically rich console, provides access to IIS configuration settings, ASP.NET, and other IIS modules, in addition to user data and runtime diagnostic information. IIS Manager allows administrative control over sites to be delegated to developers or content owners, reducing the server administrator’s day-to-day responsibilities. The new IIS Manager supports remote administration over HTTPS, allowing for administration over the Internet without requiring DCOM or the opening of other ports on the firewall.

APPCMD.EXE, a new command-line tool, simplifies common Web server management tasks. It exposes all key server management functionality through a set of 10 objects that can be manipulated from the command line or from scripts.

Windows PowerShell Provider for IIS 7.0 makes available more than 75 task-based cmdlets that address key day-to-day activities, such as creating Web sites and enabling request tracing. Another set of low-level configurations enables access to every IIS configuration setting in addition to any other custom configuration.

Microsoft.Web.Administration, a simple and comprehensive application programming interface (API), gives developers convenient access to server objects and the ability to manipulate XML configuration files.

Windows Management Instrumentation provider, which includes tools that let developers view and edit objects in a common information repository and run selected methods to edit IIS configuration settings.

Web Deployment Tool, another free download, helps keep sites and servers in sync with IIS 6.0 or IIS 7.0, and assists administrators in migrating sites from IIS 6.0 to IIS 7.0.

Administration Pack for IIS 7.0, a set of extension modules designed to help with a variety of administrative tasks.

Diagnostics & Troubleshooting

In Apache, faults are isolated and diagnosed through five log files, each of which must be read manually to search for patterns that point to a particular problem.

IIS 7.0 includes two mechanisms to help with diagnostics and troubleshooting. One gives the administrator a real-time view of requests running on the server; the other allows the administrator to set traps to catch hard-to-reproduce error conditions and write a detailed trace log.

Runtime State and Control API provides real-time state information about application pools, worker processes, sites, application domains, and even running requests. This COM API is displayed through the IIS Manager console, the new APPCMD.EXE command-line tool, and Windows Management Instrumentation (WMI). These applications offer quick and easy status checks in any management environment chosen.

Detailed event tracing functionality tracks events throughout the request and response path, allowing developers and administrators to trace a request through the IIS processing pipeline and back out to the response. These detailed tracing events collect information on the request path, errors raised by the request, and the elapsed time at all points.


IIS 7.0 also simplifies troubleshooting by providing an improved, more detailed, and more actionable library of error messages. This library replaces the traditional terse error codes with detailed information about the request, the possible cause of the error, and suggested steps to fix the problem. IIS 7.0 now sends detailed error information to the browser and other remote clients.

Strong Web Application Support

IIS 7.0 offers powerful and easy-to-use tools that enable organizations to manage all of their Web applications on a single platform, eliminating the need to maintain two or more independent platforms that create higher infrastructure costs.

FastCGI is a new feature of IIS 7.0 that supports the high-performance version of the Common Gateway Interface (CGI). FastCGI overcomes the performance problems of standard CGIs by creating persistent processes that can be reused for multiple requests, rather than creating a new process for each request, which is then discarded when the request has been filled. FastCGI also allows applications to run remotely, improving load distribution.

IIS 7.0 also operates with Microsoft .NET Framework version 1.1 and later, creating a combination of new technologies for developing applications that deliver a visually compelling user experience, communication across technology boundaries, identity management, and support for a wide range of business processes. The newer versions of .NET Framework 3.0 simplify development through a consistent and comprehensive environment, enabling developers to build solutions compatible with a variety of mobile devices, backend services, and applications. Through its support of classic ASP, ASP.NET, and PHP, IIS 7.0 provides organizations with the flexibility to write applications in the language of their choice and to host applications on the platform of their choice.

Flexible Extensibility Model for Customization

IIS 7.0 gives software developers a complete server platform on which to build Web server extensions. Developers can extend IIS to provide custom functionality through the all-new core server API set. This API set allows developers to build modules in both native code such as C/C++ and managed code using languages such as C# and Visual Basic® using .NET Framework. It was also used to implement a significant portion of the IIS 7.0 feature set for request and application processing. IIS 7.0 also enables extensibility for configuration, scripting, event logging, and administration tool feature sets.

These extensions are available for download at no charge for x86 and x64 platforms. They cover a range of tasks in deployment, administration, request handling, security, content publishing, and media service. As of November 2008, the following extensions were available:


| Tool | Function |
| --- | --- |
| Web Deployment Tool | Helps keep sites and servers in sync with IIS 6.0 or IIS 7.0, as well as migrate from IIS 6.0 to IIS 7.0. |
| PowerShell Provider for IIS 7.0 | A PowerShell snap-in that allows for management of IIS 7.0 configuration and runtime data. |
| Administration Pack for IIS 7.0 | A set of six modules designed to help with a variety of administrative tasks. |
| Database Manager for IIS 7.0 | A spin-off from the Administration pack that allows for easy management of databases through the IIS Manager UI. |
| IIS Manager for Remote Administration | Allows end-users and administrators to remotely manage IIS 7.0 servers from Windows Vista, Windows XP, and Windows Server 2003. |
| URL Scan 3.0 | Restricts the types of HTTP requests that IIS will process. |
| URL Rewriter | Provides a rule-based rewriting mechanism for changing request URLs before the Web server processes them. |
| Application Request Routing | A proxy-based routing module that forwards HTTP requests to content servers based on HTTP headers, server variables, and load balance algorithms. |
| FTP for IIS 7.0 | A new FTP service that has been completely rewritten for Windows Server 2008. |
| WebDAV for IIS 7.0 | Improved WebDAV extension module that enhances Web authors’ ability to publish content and offers Web administrators more security and deployment options. |
| Bit Rate Throttling | Offers a range of functionality for controlling download rates for media and other content. |
| Web Playlists for IIS 7.0 | Allows server-controlled media playlists to be delivered from the Web server infrastructure rather than from a dedicated streaming media server. |

FTP Publishing Service for IIS 7.0

FTP Publishing Service for IIS 7.0 (FTP 7) offers many enhanced capabilities over previous releases of the IIS FTP server. In addition to standard FTP functionality, through a new management UI the new service offers administration, support for current security standards, and support for virtual sites.

The following are selected highlights of the new FTP release:

Tighter integration with IIS 7.0 through a new administration UI and configuration store based on the .NET XML-based *.CONFIG format.

Support for FTP over SSL and for the use of non-Windows accounts for authentication. The new FTP service also supports other Internet improvements, such as UTF8 and IPv6.

Shared hosting improvements through full integration into IIS 7.0. This allows FTP 7 to host FTP and Web content from the same site by simply adding an FTP binding to an existing Web site. In addition, the FTP service now has virtual host name support, making it possible to host multiple FTP sites on the same IP address.

Improved logging and supportability features, including enhanced logging for all FTP-related traffic, unique tracking for FTP sessions, FTP sub-statuses, and additional detail fields in FTP logs.


Integrated Request Pipeline

In previous versions of IIS, ASP.NET was implemented as an IIS ISAPI extension. Requests to non-ASP.NET content, such as ASP pages or static files, were not visible to ASP.NET. Thus, services provided by ASP.NET modules and custom ASP.NET application code were not available to non-ASP.NET requests.

In IIS 7.0, the layout of the request pipeline allows for greater opportunities to influence the way in which a request is handled. Instead of the ASP.NET request processing pipeline plugging into the IIS pipeline, IIS 7.0 provides a wrapper around the IIS pipeline. IIS 7.0 processes a request to any content type, which enables services provided by ASP.NET modules such as forms authentication or output cache to be used for requests to ASP pages, PHP pages or static files.


IIS 7.0 Configuration and Management

Configuring IIS 7.0

In Apache, configuration starts with a directive entry in the httpd.conf file.

This method is similar for IIS 7.0 configuration, in which most settings can be configured either locally in the web.config file or globally in the ApplicationHost.config file. In IIS 7.0, configuration is based on the existing .NET Framework configuration store, which allows IIS configuration settings to be stored in web.config files alongside ASP.NET configuration settings.

IIS 7.0 provides a few methods for editing the .CONFIG files. These methods include:

Graphically through the IIS Manager console by clicking on the Application Settings icon in the default Features View, and then selecting Edit to open an Edit Application Setting dialog box.

From the command line by using APPCMD.EXE with set config and the /commit argument.

Within a Windows Management Instrumentation script, using the Application class.

Manually editing the configuration files. The IIS 7.0 configuration files are based on a strongly typed schema written in clear-text XML. This XML schema divides the configuration files into logical sections and makes them extremely simple to read and edit. One can use Visual Web Developer 2005 Express to edit the IIS 7.0 configuration files in a neat-looking code editor environment.

Online documentation for all of these methods is available through the Microsoft Web site.[2]

[2] For example, see http://windowshelp.microsoft.com/Windows/en-us/help/e5b36e97-d424-4ef9-9a52-7ed14f9d79af1033.mspx.

The following table lists the settings that may be changed using any of these editing methods.

| Setting | Functionality |
| --- | --- |
| Application Settings | Application-wide values that reside in a central location and can be accessed from anywhere in the application. |
| ASP (classic) | View the default settings or edit them as needed. |
| CGI | View the default settings or edit them as needed. |
| Compilation | Make changes to the way managed code is compiled. Managed code must first be compiled into one or more Dynamic Link Library (DLL) files before IIS can process it. Either use the default compilation settings or edit them as needed. |
| Database Connection Strings | Create a string in IIS to store the information that an application uses to connect to the database. |
| E-mail | Set the Simple Mail Transfer Protocol (SMTP) server for delivery method and delivery location. IIS can immediately deliver e-mail messages from a site or store them for delivery later. |
| Globalization | Regional and language settings for applications. |
| ISAPI Filters | DLL files that modify or enhance IIS functionality. ISAPI filters can be added to the IIS configuration. |
| Machine Keys | Settings for machine keys to configure encryption and decryption methods in addition to validation and encryption keys. |
| Pages and Controls | Supports the global setting of certain ASP.NET page and control directives. Globally setting these directives will change all pages and controls within the scope of the configuration file. |
| Profiles | Define information to maintain about each user visiting the site or application. Use this feature to add, edit, or delete user profiles. |
| Providers | Configure ASP.NET providers for membership user roles and profiles, and select the default provider for these provider-based services. |
| Session State | ASP.NET session state allows for the storage and retrieval of values for a user as the user navigates through the different ASP.NET pages of an application. |

The complete list of available settings can be determined by running the following command:

Appcmd list config /section:?


Figure 1: appcmd.exe list of configuration of options

Figure 2: appcmd.exe list of configuration of options

The complete usage options of appcmd.exe can be found at http://learn.iis.net/page.aspx/114/getting-started-with-appcmdexe/.


Hosting PHP on IIS 7.0

Installing FastCGI Support

FastCGI is a language-independent, scalable, open extension to CGI that provides high performance for Internet applications. The FastCGI extension improves performance and stability in application frameworks such as PHP on IIS.

Enabling FastCGI on Apache requires manually moving the mod_fastCGI files and then manually editing configuration files to load modules on startup. In some Linux distributions, the mod_fastCGI files must first be built.

Enabling FastCGI support on IIS 7.0 in Windows Server 2008 is handled entirely through the Server Manager console.

1. From the Start menu, open Server Manager.

2. Select Roles, then Web Server (IIS) Role. Then select Add Role Services. From the list of Role Services, check CGI and click Next. This enables both CGI and FastCGI services.

Figure 3: Adding CGI through the Role Services window

Installing and Configuring PHP on IIS 7.0

Microsoft recommends[3] using a non-thread-safe build of PHP with IIS 7.0 FastCGI. The non-thread-safe build of PHP provides significant performance gains over the standard build by not executing any thread-safety checks. These checks are unnecessary, since FastCGI is not tied to a particular server architecture and applications can be single or multithreaded.[4]

[3] See http://msdn.microsoft.com/en-us/magazine/cc135973.aspx.

[4] See, for example, http://www.fastcgi.com/devkit/doc/fastcgi-whitepaper/fastcgi.htm.

The non-thread-safe build is available for download at http://www.php.net/downloads.php. Create the folder c:\PHP and unpack the files into it. From these files, rename the php.ini-recommended file to php.ini. In the php.ini file, enter the following settings:

Set fastcgi.impersonate = 1. FastCGI under IIS supports the ability to impersonate security tokens of the calling client. This allows IIS to define the security context under which the request runs.

Set cgi.fix_pathinfo = 1. The cgi.fix_pathinfo setting provides real PATH_INFO/PATH_TRANSLATED support for CGI. For more information on PATH_INFO, see the CGI specs. This setting causes PHP CGI to fix its paths to conform to the spec.

Set cgi.force_redirect = 0.

Set open_basedir to point to the folder or network path in which the Web site content is located.

To test whether the PHP installation was successful, run the following command from the command line prompt:

C:\PHP>php --info

If PHP was installed correctly and all of its dependencies are available on the machine, this command will display information on the current PHP configuration, such as the following.

Figure 4: PHP Configuration data

Configure IIS 7.0 to Handle PHP Requests

Handler mapping is required for IIS 7.0 to host PHP applications. This handler mapping tells IIS to pass all requests for PHP files to the PHP application framework via the FastCGI protocol.


In Apache, the PHP handler is configured mainly in php.conf, with other PHP parameters in VirtualHost containers of the main httpd.conf file and in the VirtualHost include files in /usr/local/apache/conf/userdata. Some editing of php.conf can be done through Web Host Manager under Configure PHP and SuExec.

In IIS 7.0, handler mapping can be added and configured through the UI. Open the IIS Manager, select the top node—usually the server name—in Connections, and then click on the Handler Mappings icon in the center pane.

Figure 5: Accessing Handler Mappings

From the Handler Mappings window, select Add Module Mapping and enter the following settings in the module mapping fields:

Request path: *.php
Module: FastCgiModule
Executable: c:\php\php-cgi.exe
Name: PHP via FastCGI

Click on the OK button to commit the settings, then Yes on the confirmation dialog box that follows.
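The php.ini settings and the handler mapping described in this section can be verified after the fact. The following Python audit is an added example, not part of the original white paper; it reads a php.ini and an IIS configuration file and reports deviations from the values given above. The function names, the sample file contents, and the check for a matching <fastCgi> application entry are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# php.ini values this section prescribes for PHP behind IIS 7.0 FastCGI.
REQUIRED_INI = {
    "fastcgi.impersonate": "1",
    "cgi.fix_pathinfo": "1",
    "cgi.force_redirect": "0",
}

# Constructed sample php.ini: cgi.force_redirect is still commented out.
SAMPLE_INI = r"""
[PHP]
fastcgi.impersonate = 1
cgi.fix_pathinfo=1
;cgi.force_redirect = 0
open_basedir = "c:\inetpub\wwwroot;c:\php\tmp"   ; two allowed roots
"""

# Constructed sample of an IIS configuration holding the PHP mapping.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <fastCgi>
      <application fullPath="c:\php\php-cgi.exe" />
    </fastCgi>
    <handlers>
      <add name="PHP via FastCGI" path="*.php" verb="*"
           modules="FastCgiModule" scriptProcessor="c:\php\php-cgi.exe"
           resourceType="Either" />
    </handlers>
  </system.webServer>
</configuration>
"""


def _clean(value):
    """Strip quotes and trailing comments from a php.ini value.

    A ';' starts a comment only outside quotes, which matters for
    open_basedir on Windows, where ';' also separates the paths.
    """
    value = value.strip()
    if value[:1] in ('"', "'"):
        end = value.find(value[0], 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split(";", 1)[0].strip()


def parse_php_ini(text):
    """Return {directive: value}; the last assignment of a directive wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue  # blank line, comment, or section header
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = _clean(value)
    return settings


def audit_php_ini(text):
    """List deviations from the php.ini settings given in this section."""
    ini = parse_php_ini(text)
    findings = []
    for key, want in REQUIRED_INI.items():
        got = ini.get(key)
        if got != want:
            shown = "unset" if got is None else got
            findings.append(f"{key}: expected {want}, found {shown}")
    if not ini.get("open_basedir"):
        findings.append("open_basedir: not set to the site content folder")
    return findings


def audit_php_handler(config_xml, php_cgi=r"c:\php\php-cgi.exe"):
    """Check that *.php is mapped to FastCgiModule and the expected executable."""
    root = ET.fromstring(config_xml.strip())
    php = [a for h in root.iter("handlers") for a in h.findall("add")
           if a.get("path", "").lower() == "*.php"]
    if not php:
        return ["no handler mapping for *.php"]
    findings = []
    for add in php:
        name = add.get("name")
        if add.get("modules") != "FastCgiModule":
            findings.append(
                f"{name}: modules={add.get('modules')}, expected FastCgiModule")
        if add.get("scriptProcessor", "").lower() != php_cgi.lower():
            findings.append(
                f"{name}: scriptProcessor={add.get('scriptProcessor')}")
    pools = {a.get("fullPath", "").lower()
             for f in root.iter("fastCgi") for a in f.findall("application")}
    if php_cgi.lower() not in pools:
        findings.append(f"fastCgi: no application entry for {php_cgi}")
    return findings


if __name__ == "__main__":
    for finding in audit_php_ini(SAMPLE_INI) + audit_php_handler(SAMPLE_CONFIG):
        print(finding)
```
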

Using Modules to Control and Customize IIS

Modules in IIS 7.0 control and customize its functionality, resulting in greater flexibility and efficiency of the server platform. The core Web server in IIS 7.0 has been re-engineered and replaced by more than 40 separate feature modules that can be installed either during setup or later, depending on Web site and application requirements. This modular architecture reduces both the attack surface of IIS and unnecessary administrative overhead by reducing the amount of unused code loaded into memory.

By default, these modules are Dynamic Link Library files stored in the %WINDIR%\System32\inetsrv\ folder. They can be classified into two types, as follows.


Native: A native module has unrestricted access to any resource available to the server worker process, just like an ISAPI filter or extension in previous versions.

Managed: Managed modules can be configured separately for each site or application. They are loaded for processing only when required by the particular site or application.

Typically, modules providing basic IIS functionality are installed during setup. Thereafter, modules can be installed using one of the following methods:

Manually editing the new IIS 7.0 configuration store, APPLICATIONHOST.CONFIG. This method is similar to configuration in Apache.

Using the IIS 7.0 Manager administration tool.

Using the IIS 7.0 APPCMD.EXE command line tool.

The modular architecture of IIS 7.0 makes it easy to add, remove, and replace built-in modules, and to add third-party modules. IIS 7.0 also allows for scripting of module management to create programmatic changes to control management or configuration, and to customize the API.

Adding and Configuring Modules using IIS Manager

In IIS 7.0, only the modules needed to run IIS as a static content server are installed by default, which allows the IT administrator to start from the most secure base. In past IIS versions, all functionality was installed by default. With IIS 7.0, modules are added only as needed by the applications and services hosted on the Web server, allowing technical professionals to easily add new functionality to their servers.

IIS 7.0 facilitates the writing of additional modules to execute tasks such as restricting Web access, adding functionality, or allowing administration of a subset of Web sites. The modular aspect of IIS 7.0 provides IT professionals with increased control over deployment and configuration and reduces the surface of attack.

Site administrators can easily add, remove, and replace IIS modules from the IIS server process using the IIS Manager console.
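Because each installed module adds code to the worker process, the attack-surface benefit described above only holds if the installed set is reviewed. The following Python sketch is an added example, not part of the original white paper; it inventories the native modules registered in the <globalModules> section of ApplicationHost.config and flags those outside an allowlist, outside the default inetsrv folder, or backed by a DLL other than the one named in this paper's module tables. The allowlist, the function name, and the sample configuration are hypothetical.

```python
import ntpath
import xml.etree.ElementTree as ET

# Module name -> DLL, copied from the module tables in this paper (subset).
PAGE_DLLS = {
    "CustomErrorModule": "custerr.dll",
    "RequestFilteringModule": "modrqflt.dll",
    "DefaultDocumentModule": "defdoc.dll",
    "DirectoryListingModule": "dirlist.dll",
    "IsapiFilterModule": "filter.dll",
    "StaticFileModule": "static.dll",
    "FastCgiModule": "iisfcgi.dll",
    "CgiModule": "cgi.dll",
}

# Default module folder named in this paper, lower-cased for comparison.
DEFAULT_DIR = r"%windir%\system32\inetsrv"

# Hypothetical allowlist for a server that only serves static files and PHP.
ALLOWED = {
    "StaticFileModule",
    "DefaultDocumentModule",
    "RequestFilteringModule",
    "FastCgiModule",
    "CustomErrorModule",
}

# Constructed sample; the last entry points at a DLL outside inetsrv.
SAMPLE_MODULES = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="FastCgiModule" image="%windir%\System32\inetsrv\iisfcgi.dll" />
      <add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
      <add name="IsapiFilterModule" image="%windir%\System32\inetsrv\filter.dll" />
      <add name="CgiModule" image="C:\Temp\cgi_patched.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def audit_global_modules(config_xml, allowed=ALLOWED):
    """Compare registered native modules with an allowlist and known DLLs."""
    root = ET.fromstring(config_xml.strip())
    report = {"unexpected": [], "outside_inetsrv": [],
              "dll_mismatch": [], "not_loaded": []}
    seen = set()
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name = add.get("name", "")
            # ntpath parses Windows paths on any operating system.
            folder, dll = ntpath.split(add.get("image", "").lower())
            seen.add(name)
            if name not in allowed:
                report["unexpected"].append(name)       # extra attack surface
            if folder != DEFAULT_DIR:
                report["outside_inetsrv"].append(name)  # non-default location
            expected = PAGE_DLLS.get(name)
            if expected and dll != expected:
                report["dll_mismatch"].append(name)     # known name, other DLL
    report["not_loaded"] = sorted(allowed - seen)
    return report


if __name__ == "__main__":
    for category, names in audit_global_modules(SAMPLE_MODULES).items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

The comparison assumes module images are written with the %windir% variable; a path spelled with a literal drive letter is reported as outside the default folder and should be checked by hand.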

Adding New Modules

To add a module in IIS 7.0, open IIS Manager. In the Connections pane, select the site to receive the module, then drill down and highlight the system_web folder. In the center Workspace pane, click on the Modules icon to open a dialog box that lists all available modules.

In the Actions pane, click on the Add Managed Module link. A dialog box displays a list of available modules. In the Name field, type the name of the module being added and then choose the module Type from the drop-down menu. Select a check box next to Invoke only for requests to ASP.NET applications or managed handlers. Click OK to add the module.

Generally, Apache and IIS modules have similar functions. The following sections describe the available IIS modules.

HTTP Modules

Several IIS 7.0 modules perform tasks specific to Hypertext Transfer Protocol (HTTP) in the request-processing pipeline. These include modules to respond to information and inquiries sent in client headers, to return HTTP errors, to redirect requests, and more.


| Apache module | IIS equivalent | Description | Resource |
| --- | --- | --- | --- |
| Core feature: ErrorDocument Directive | CustomErrorModule | Sends default and configured HTTP error messages when an error status code is set on a response. | Inetsrv\Custerr.dll |
| mod_alias | HttpRedirectionModule | Supports configurable redirection for HTTP requests. | Inetsrv\Redirect.dll |
| mod_headers | ProtocolSupportModule | Performs protocol-related actions, such as setting response and redirecting headers based on the configuration. | Inetsrv\Protsup.dll |

Security Modules

Several IIS 7.0 modules perform security tasks in the request-processing pipeline. In addition, separate modules exist for each of the authentication schemes, enabling the selection of modules for the types of authentication desired on the server. Other modules perform URL authorization and filter requests.

| Apache module | IIS equivalent | Description | Resource |
| --- | --- | --- | --- |
| mod_auth_anon | AnonymousAuthenticationModule | Performs Anonymous authentication when no other authentication method succeeds. | Inetsrv\Authanon.dll |
| mod_auth | BasicAuthenticationModule | Performs Basic authentication. | Inetsrv\Authbas.dll |
|  | CertificateMappingAuthenticationModule | Performs Certificate Mapping authentication using Active Directory. | Inetsrv\Authcert.dll |
| mod_auth_digest | DigestAuthenticationModule | Performs Digest authentication. | Inetsrv\Authmd5.dll |
| No equivalent | IISCertificateMappingAuthenticationModule | Performs Certificate Mapping authentication using IIS certificate configuration. | Inetsrv\Authmap.dll |
| Partially available as a core function of Apache | RequestFilteringModule | Performs URLScan tasks such as configuring allowed verbs and file extensions, setting limits, and scanning for bad character sequences. | Inetsrv\Modrqflt.dll |
| mod_auth | UrlAuthorizationModule | Performs URL authorization. | Inetsrv\Urlauthz.dll |
| Not supported | WindowsAuthenticationModule | Performs NTLM integrated authentication. | Inetsrv\Authsspi.dll |
| mod_access | IpRestrictionModule | Restricts IPv4 addresses listed in the ipSecurity list in configuration. | Inetsrv\iprestr.dll |

Content Modules

Several IIS 7.0 modules perform tasks related to content in the request-processing pipeline. Content modules process requests for static files, return a default page when a client fails to specify a resource in a request, list the contents of a directory, and more.

| Apache module | IIS equivalent | Description | Resource |
|---|---|---|---|
| mod_cgi | CgiModule | Executes Common Gateway Interface (CGI) processes to build response output. | Inetsrv\Cgi.dll |
| mod_dir | DefaultDocumentModule | Attempts to return a default document for requests made to the parent directory. | Inetsrv\Defdoc.dll |
| mod_autoindex | DirectoryListingModule | Lists the contents of a directory. | Inetsrv\dirlist.dll |
| Third party | IsapiModule | Hosts ISAPI extension DLLs. | Inetsrv\Isapi.dll |
| Not supported | IsapiFilterModule | Supports ISAPI filter DLLs. | Inetsrv\Filter.dll |
| Core feature: Options directive | ServerSideIncludeModule | Processes server-side includes code. | Inetsrv\Iis_ssi.dll |
| Core feature: EnableSendfile directive | StaticFileModule | Serves static files. | Inetsrv\Static.dll |
| mod_fcgid | FastCgiModule | Supports FastCGI, a high-performance alternative to CGI. | Inetsrv\iisfcgi.dll |

Compression Modules

Two IIS 7.0 modules perform compression in the request-processing pipeline.

| Apache module | IIS equivalent | Description | Resource |
|---|---|---|---|
| mod_gzip | DynamicCompressionModule | Compresses responses and applies GZIP compression transfer coding to responses. | Inetsrv\Compdyn.dll |
| mod_gzip | StaticCompressionModule | Performs precompression of static content. | Inetsrv\Compstat.dll |

Caching Modules

Several IIS 7.0 modules perform tasks related to caching in the request-processing pipeline. Caching improves the performance of Web sites and Web applications by storing processed information such as Web pages in memory on the server, and then reusing that information in subsequent requests for the same resource.

| Apache module | IIS equivalent | Description | Resource |
|---|---|---|---|
| mod_cache and supporting modules | FileCacheModule | Provides user mode caching for files and file handles. | Inetsrv\Cachfile.dll |
| mod_cache and supporting modules | HTTPCacheModule | Provides kernel mode and user mode caching in HTTP.sys. | Inetsrv\Cachhttp.dll |
| mod_cache and supporting modules | TokenCacheModule | Provides user mode caching of user name and token pairs for modules that produce Windows user principals. | Inetsrv\Cachtokn.dll |
| mod_cache and supporting modules | UriCacheModule | Provides user mode caching of URL info. | Inetsrv\Cachuri.dll |

Logging and Diagnostics Modules

Several IIS 7.0 modules perform tasks related to logging and diagnostics in the request-processing pipeline. The logging modules support loading custom modules and passing information to HTTP.sys. The diagnostics modules follow and report events during request processing.

| Apache module | IIS equivalent | Description | Resource |
|---|---|---|---|
| mod_log_config | CustomLoggingModule | Loads custom logging modules. | Inetsrv\Logcust.dll |
| Not supported | FailedRequestsTracingModule | Supports the Failed Request Tracing feature. | Inetsrv\Iisfreb.dll |
| mod_log_config | HttpLoggingModule | Passes information and processing status to HTTP.sys for logging. | Inetsrv\Loghttp.dll |
| mod_dtrace | RequestMonitorModule | Tracks requests currently executing in worker processes and reports information with the Runtime Status and Control Application Programming Interface. | Inetsrv\Iisreqs.dll |
| mod_log_config | TracingModule | Reports events to Microsoft Event Tracing for Windows (ETW). | Inetsrv\Iisetw.dll |

Managed Support Modules

Two IIS 7.0 modules support managed integration in the IIS request-processing pipeline.

| Apache module | IIS equivalent | Description | Resource |
|---|---|---|---|
| Not supported | ManagedEngine | Provides integration of managed code modules in the IIS request-processing pipeline. | Microsoft.NET\Framework\v2.0.50727\webengine.dll |
| Third party | ConfigurationValidationModule | Validates configuration issues, such as when an application is running in Integrated mode but has handlers or modules declared in the system.web section. | Inetsrv\validcfg.dll |

Managed Modules

In addition to native modules, IIS 7.0 enables the use of managed code modules to extend IIS functionality. Some of the managed modules, such as UrlAuthorization, have a native module counterpart that provides a native alternative to the managed module.

| Apache module | IIS equivalent | Description | Resource |
|---|---|---|---|
| mod_auth_anon | AnonymousIdentification | Manages anonymous identifiers used by features supporting anonymous identification, such as ASP.NET profile. | System.Web.Security.AnonymousIdentificationModule |
| mod_auth | DefaultAuthentication | Ensures that an authentication object is present in the context. | System.Web.Security.DefaultAuthenticationModule |
| mod_auth | FileAuthorization | Verifies that a user has permission to access the requested file. | System.Web.Security.FileAuthorizationModule |
| mod_auth | FormsAuthentication | Supports Forms authentication. | System.Web.Security.FormsAuthenticationModule |
| mod_auth | OutputCache | Supports output caching. | System.Web.Caching.OutputCacheModule |
| mod_auth | Profile | Manages user profiles using ASP.NET profile, which stores and retrieves user settings in a data source such as a database. | System.Web.Profile.ProfileModule |
| Third party | RoleManager | Manages a RolePrincipal instance for the current user. | System.Web.Security.RoleManagerModule |
| mod_perl | Session | Supports maintaining session state, which enables storage of data specific to a single client within an application on the server. | System.Web.SessionState.SessionStateModule |
| Third party | UrlAuthorization | Determines whether the current user has access to the requested URL based on the user name or the list of roles of which the user is a member. | System.Web.Security.UrlAuthorizationModule |
| mod_rewrite | UrlMappingsModule | Supports mapping a real URL to a more user-friendly URL. | System.Web.UrlMappingsModule |
| Not supported | WindowsAuthentication | Sets the identity of the user for an ASP.NET application when Windows authentication is enabled. | System.Web.Security.WindowsAuthenticationModule |

Distributed Configuration Model

The new configuration system in IIS 7.0 caches configuration files equivalent to .htaccess files in Apache, consuming significantly less memory. In addition, there are various ways to configure IIS 7.0 to take advantage of either global or more granular configuration changes.

IIS 7.0 uses a powerful configuration scheme that provides enhanced ASP.NET integration, including shared configuration and HTTP runtime support. The XML-based configuration model uses configuration text files that hold configuration settings and that can be stored in separate XML files in a folder.

IIS 7.0 uses three main XML files that maintain server deployments:

MACHINE.CONFIG holds .NET Framework settings for the server. These settings are inherited by all other .NET Framework configuration files and can be located by default at %windir%\Microsoft.net\Framework\<framework_version>\Config\Machine.config.

The APPLICATIONHOST.CONFIG file contains settings for IIS and its services. By default, it is located at %windir%\System32\inetsrv\config\applicationHost.config.

The ROOT WEB.CONFIG file holds the global settings for ASP.NET Web applications and it is located at %windir%\Microsoft.NET\Framework\<framework_version>\Config\Root Web.config. This file gives each application a WEB.CONFIG file that overrides global settings. It also allows the IIS configuration settings to be stored in these web.config files, making copying applications across multiple Web servers much easier, and avoids costly and error-prone replication, manual synchronization, and additional configuration tasks.

Administration Using IIS 7.0

This section instructs Apache administrators on how to use IIS to execute management tasks that they perform on Apache.

Customizing Error Messages

For every standard HTTP error, such as 403, 404, or 504, a message is returned to the browser. Different Web servers allow administrators to return a default error message, a specific Web page, or a file as a Web page for each error. The following section describes custom error pages with Apache and IIS 7.0.

Apache

In Apache, customizing error messages is done using the .htaccess file, which allows administrators to manipulate server behavior and create custom server error messages. Examples of such errors are the "404 Not Found" error that appears when a link is broken and the "500 Internal Server Error" that appears when a script fails. The .htaccess file tells the server to display a special page in case of an error.

IIS 7.0

IIS 7.0 also allows administrators to return special pages in place of default pages for Web site errors. For example, instead of displaying the message, "404 File Not Found," a message listing optional links along with the company header and an apologetic note may be displayed.

By default, IIS returns two types of errors when a problem occurs. The first type is the standard custom error, including a terse error description and an error code. The second type of error is a detailed error, which by default is returned only for requests from localhost. IIS 7.0 can be configured to return detailed errors all the time, specifically when the application needs to be run in debug mode, or to never return detailed errors and instead always return custom errors.

To configure custom error messages in IIS 7.0, open the IIS 7.0 Management Console, double-click the name of the Web site to launch the site management options, and scroll down to locate the “Error Page” feature under the IIS heading. Double-click on the Error Page icon or right-click and choose Open Feature.

Figure 6: Accessing Open Feature to Customize Error Messages

From the available Error Pages pane, right-click on any error entry and click either Add or Edit to add an entry to the list or to edit the selected entry, respectively.

Figure 7: Selecting an Error Message to Edit

A popup window will appear for both selections. The Edit Custom Error Page popup window allows the path of the custom error page to be edited, and the Add Custom Error Page popup window allows a new error message to be defined.

Figure 8: Edit Custom Error Message

Figure 9: Add Custom Error Message

To enable IIS 7.0 to return detailed error messages all the time and not just for the localhost, click on Edit Feature Settings in the left pane, change the properties in the popup window accordingly and click OK to save the changes.

Figure 10: Edit Error Page Settings

URL Rewriting

URL rewriting is a way to modify the appearance of a Web URL. Web application users prefer short, neat URLs instead of raw query string parameters. A concise URL is easy to remember and less time-consuming to type in. If the URL can be made to relate clearly to the content of the page, then errors are less likely to happen.

Example

The following URL has query string parameters that encode the date of the available postings that should be displayed by some blog engines:

http://www.somebloghost.com/Blogs/Posts.php?Year=2006&Month=12&Day=10

The above URL may be modified to reflect clearly what the page will display:

http://www.somebloghost.com/Blogs/2006/12/10/

Benefits

Rewriting URLs provides many benefits. It can improve the security of the site, minimize migration issues, and provide an extra layer of abstraction to Web applications. Other benefits of URL rewriting include:

Making Web site URLs more user- and search engine-friendly.

Preventing undesired “inline linking”.

Preventing the exposure of the inner workings of a Web site's address to visitors.

Maintaining the URLs of Web site pages even if the underlying technology used to serve them changes.

Apache

For URL rewriting, Apache comes with a well-known module called mod_rewrite. This module provides a rule-based rewriting engine to rewrite requested URLs on the fly. The mod_rewrite module is enabled in the Apache.conf file by removing the # and restarting Apache. Rewrite rules can then be defined in the .htaccess file within any particular directory.

IIS 7.0

IIS 7.0 now offers URL rewriting, one of the most hotly requested features. It is free to all IIS 7.0 users and available for download for x86 and x64 platforms from:

http://www.iis.net/extensions/URLRewrite

The following walkthrough illustrates the process of creating and testing a set of rewrite rules for the IIS 7.0 URL rewrite module.

Prerequisites

This walkthrough requires the following prerequisites:

1. IIS 7.0 with ASP.NET role service enabled.

2. URL rewrite module installed.

Steps

The following steps create a simple rewrite rule that rewrites this URL

http://localhost/article/342/some-article-title

into

http://localhost/article.aspx?id=342&title=some-article-title.

The URL Rewrite UI in IIS Manager creates a rewrite rule. To do this, follow these steps:

1. Go to IIS Manager.

2. Select Default Web Site.

3. In the Feature View, click URL Rewrite Module.

4. In the Actions pane on the right-hand side, click on Add rules…

5. In the Add Rules dialog, select the Blank Rule and click OK.

In the URL rewrite module, a rewrite rule is defined by specifying four required pieces of information:

1. Naming a rule: In the Name text box, enter a name to uniquely identify the rule, for example: Rewrite to article.aspx.

2. Defining a pattern: In the Pattern text box, enter the following string:

^article/([0-9]+)/([_0-9a-z-]+)

3. Defining an action: Since the rule to be created is supposed to rewrite the URL, choose the Rewrite action type listed in the Action group box. In the Rewrite URL: text box, enter the following string:

article.aspx?id={R:1}&title={R:2}

Leave default values for all other settings. The Edit Rule property page should look like the following screenshot:

Figure 11: Edit Rule Property Page

Save the rule by clicking on the Apply action on the right-hand side.

Testing the Rule

To test that the rule correctly rewrites URLs, open a Web browser and request the following URL:

http://localhost/article/234/some-title

The rewrite rule on the Web server should change the original URL to article.aspx and should pass “234” and “some-title” as values for query string parameters.

The detailed procedure for setting up the URL rewrites on IIS 7.0 can be viewed at

http://learn.iis.net/page.aspx/461/creating-rewrite-rules-for-the-url-rewrite-module/.
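The following Python sketch is an added example, not part of the original document or of the URL rewrite module itself. It models the rule from the walkthrough (same pattern and rewrite URL) to show which requests it matches and what the application receives; STRICT_PATTERN, the function names, and the sample URLs are assumptions introduced here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern and rewrite URL exactly as entered in the walkthrough above.
PATTERN = r"^article/([0-9]+)/([_0-9a-z-]+)"
REWRITE_URL = "article.aspx?id={R:1}&title={R:2}"

# Hypothetical tightened variant (not from the walkthrough): also anchored
# at the end, so extra path segments after the title do not match.
STRICT_PATTERN = PATTERN + r"/?$"


def rewrite(request_url, pattern=PATTERN, template=REWRITE_URL, ignore_case=True):
    """Return the rewritten URL, or None when the rule does not match.

    Models two behaviours of the URL rewrite module: the pattern is tested
    against the URL path without its leading slash, and matching ignores
    case unless the rule says otherwise.
    """
    path = urlsplit(request_url).path.lstrip("/")
    match = re.search(pattern, path, re.IGNORECASE if ignore_case else 0)
    if match is None:
        return None
    # {R:n} is a back-reference to capture group n of the rule pattern.
    return re.sub(r"\{R:(\d+)\}",
                  lambda ref: match.group(int(ref.group(1))),
                  template)


def query_seen_by_app(request_url, **rule):
    """Return the query string parameters article.aspx would receive."""
    rewritten = rewrite(request_url, **rule)
    if rewritten is None:
        return None
    return {k: v[0] for k, v in parse_qs(urlsplit(rewritten).query).items()}


# Constructed sample requests.
SAMPLES = [
    "http://localhost/article/234/some-title",        # the walkthrough's test URL
    "http://localhost/article/abc/some-title",        # id is not numeric: no match
    "http://localhost/Article/234/Some-Title",        # matches, case is ignored
    "http://localhost/article/234/some-title/extra",  # matches, "/extra" is dropped
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url}\n    rule as written : {rewrite(url)}")
        print(f"    anchored variant: {rewrite(url, pattern=STRICT_PATTERN)}")
```

Because the pattern only accepts digits for the first group, the rule also acts as an input filter for the id parameter; the unanchored end means trailing path segments are silently discarded rather than rejected.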

Web Caching

Web caching is the temporary storage of Web objects such as HTML documents for later retrieval. There are three significant advantages to Web caching: reduced bandwidth consumption as fewer requests and responses need to go over the network, reduced server load as a server has fewer requests to handle, and reduced latency since responses for cached requests are available immediately and are closer to the client being served. Together, these advantages make the Web less expensive and improve performance.

Methods

Caching can be performed by the client application and is built into most Web browsers. A number of products extend or replace built-in caches with systems containing larger storage, more features, or better performance.

Caching can also be implemented between the client and the server as part of a proxy. Proxy caches are often located near network gateways to reduce the bandwidth required over expensive dedicated Internet connections.

Finally, caches can be placed directly in front of a particular server to reduce the number of requests that the server must handle.

Caching in Apache

In Apache, caching normally relies on three modules:

1. mod_cache

2. mod_disk_cache

3. mod_mem_cache

Running the httpd binary with the -M flag can determine the modules that are loaded:

$ /usr/local/apache2/bin/httpd -M

The commands to configure caching must be defined in the main server configuration file(s), not in .htaccess files. Caching techniques will not work without server administrator access.

Finally, the modules and techniques defined in this section are available in Apache 2.0 and 2.2, but are not available in Apache 1.3.

Example

CacheEnable disk /

CacheRoot /var/www/cache

CacheDefaultExpire 3600

CacheMinExpire 3600

The above configuration caches all of the content on the Web site, and the cache will persist for at least an hour regardless of its “freshness.”

This technique is most appropriate for dynamic content that should be cached and served as static content. This is how Apache forces dynamic content, which would otherwise be generated on every request, to be cached for a certain period before the database is hit again.

The time specified is in seconds, forcing at least an hour of caching regardless of the "freshness" of the content.

Caching in IIS 7.0

The IIS 7.0 output cache is a new feature that makes it possible to cache entire responses in memory, even from dynamic content. Unlike existing caches in IIS 6.0, IIS 7.0 has a “smart” cache, which lets site owners and developers configure the output cache to allow caching of separate copies of responses based on query string values.

The output cache is also integrated with the HTTP.sys kernel cache that helps with fast performance. Kernel caching is unlocked by default. Developers can take advantage of this feature by configuring caching profiles within their applications. A command line tool can be executed to show the content in the HTTP.sys cache.

In IIS 7.0, a rule based on response headers may be configured to cache different versions of content in a site or application.

Configuring the Output Cache Rule Using Headers

Administrators can perform this procedure through the user interface, by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

1. Open IIS Manager and navigate to the level to be managed.

2. In Features View, double-click Output Caching.

Figure 12: Output Caching Feature

3. Click Add in the Actions pane.

Figure 13: Create a Caching Rule

4. In the Add Cache Rule dialog box, enter the file name extension in the File Name Extension box for the cache rule being created, such as .aspx.

Figure 14: Add a Cache Rule

5. Check the User-mode caching box to enable output caching, and select one of the following options:

a. Using file change notification: to remove an item from the cache when it is updated.

b. At time intervals (hh:mm:ss): to remove an item from the cache after a certain time elapses.

c. Prevent all caching: to prevent all caching of the designated file type.

6. Click Advanced.

7. In the Advanced Output Cache Rule Settings dialog box, click Headers under Cache different versions of a file based on.

Figure 15: Advanced Output Cache Rule Settings

8. Type a response header, such as Accept-Language or Accept-Charset, in the Headers box and then click OK.
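The following Python model is an added example, not code from the original document or from IIS. It illustrates what the rule built in steps 1 to 8 changes: a cache rule for one file name extension, expiring at a time interval, that either ignores or includes the value of a named header in its cache key. The class name, the render function, and the sample requests are assumptions constructed for illustration.

```python
import time


class OutputCacheRule:
    """Toy model of one output cache rule using 'At time intervals' expiry."""

    def __init__(self, extension, ttl_seconds, vary_by_headers=(), clock=time.monotonic):
        self.extension = extension.lower()
        self.ttl = ttl_seconds
        self.vary = tuple(h.lower() for h in vary_by_headers)
        self.clock = clock
        self.store = {}        # cache key -> (time stored, response body)
        self.origin_hits = 0   # how often the application had to run

    def _key(self, path, headers):
        lowered = {name.lower(): value for name, value in headers.items()}
        # One cached copy per distinct combination of the listed header values.
        return (path.lower(), tuple(lowered.get(h, "") for h in self.vary))

    def get(self, path, headers, render):
        if not path.lower().endswith(self.extension):
            # The rule only covers its own file name extension.
            self.origin_hits += 1
            return render(path, headers)
        key = self._key(path, headers)
        now = self.clock()
        entry = self.store.get(key)
        if entry is not None and now - entry[0] < self.ttl:
            return entry[1]    # served from the cache
        self.origin_hits += 1
        body = render(path, headers)
        self.store[key] = (now, body)
        return body


def render(path, headers):
    """Constructed stand-in for a page whose output depends on Accept-Language."""
    greeting = {"fr": "Bonjour"}.get(headers.get("Accept-Language", "en"), "Hello")
    return f"{greeting} from {path}"


def demo():
    """Serve the same two constructed requests through both kinds of rule."""
    requests = [{"Accept-Language": "en"}, {"Accept-Language": "fr"}]
    plain = OutputCacheRule(".aspx", ttl_seconds=60)
    varied = OutputCacheRule(".aspx", ttl_seconds=60, vary_by_headers=["Accept-Language"])
    return {
        "without headers": [plain.get("/home.aspx", h, render) for h in requests],
        "with Accept-Language": [varied.get("/home.aspx", h, render) for h in requests],
    }


if __name__ == "__main__":
    for label, bodies in demo().items():
        print(label, "->", bodies)
```

Without the header in the rule, the second visitor receives the copy cached for the first; with it, each language gets its own cached copy.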

Web Output Compression

Although Web page compression is not a new technology, it has gained recent recognition in the minds of IT administrators and managers because of the almost-immediate ROI that it generates.

Apache

The Web output compression solution available in Apache is mod_gzip, one of the many additional modules available for the platform. Many administrators use it in designing a high-performance Web server. With this module, configured file types are compressed using GZIP encoding after processing by Apache's other modules and before being sent to the client.

The idea behind GZIP-encoding is that, for files to be transmitted to a Web client, a compressed version of the data rather than the raw file is sent.

When a request is received from a client, Apache determines if mod_gzip should be invoked by noting whether the "Accept-Encoding" HTTP request header was sent. If the client sends the header, mod_gzip compresses the output of all configured file types when they are sent to the client.

Accept-encoding: gzip

This client header announces to Apache that the client will understand files that have been GZIP-encoded. mod_gzip then processes the outgoing content and includes the following server response headers.

Content-Type: text/html

Content-Encoding: gzip

These server response headers announce that the content returned from the server is GZIP encoded, but that expanded content should be treated as a standard HTML file.

IIS 7.0

IIS 7 has improved and simplified support for GZIP encoding, enabling Web compression out of the box.

In IIS 7.0, compression is configured in the ApplicationHost.config file at C:\Windows\System32\inetsrv\config\applicationhost.config. The following is a simple httpCompression section:

<httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
    <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
    <dynamicTypes>
        <add mimeType="text/*" enabled="true" />
        <add mimeType="message/*" enabled="true" />
        <add mimeType="application/x-javascript" enabled="true" />
        <add mimeType="*/*" enabled="false" />
    </dynamicTypes>
    <staticTypes>
        <add mimeType="text/*" enabled="true" />
        <add mimeType="message/*" enabled="true" />
        <add mimeType="application/x-javascript" enabled="true" />
        <add mimeType="*/*" enabled="false" />
    </staticTypes>
</httpCompression>

and

<urlCompression doStaticCompression="true" doDynamicCompression="false" />

The compression module gives IIS the ability to serve compressed responses to compression-enabled clients. Clients that can accept compressed responses send an Accept-Encoding header indicating the compression schemes that they can handle. If IIS can compress the response using one of these compression schemes, it then sends a compressed response with a Content-Encoding response header indicating the scheme used to compress the response.

The following is an example of a request response:

REQUEST:
**************
GET /static/index.htm HTTP/1.1\r\n
Accept-Encoding: gzip, deflate\r\n
Host: localhost\r\n
Accept: */*\r\n
\r\n

RESPONSE:
**************
HTTP/1.1 200 OK\r\n
Content-Type: text/html\r\n
Content-Encoding: gzip\r\n
Last-Modified: Tue, 28 Mar 2006 03:44:06 GMT\r\n
Accept-Ranges: bytes\r\n
ETag: "087e0dc1952c61:0"\r\n
Vary: Accept-Encoding\r\n
Server: Microsoft-IIS/7.0\r\n
X-Powered-By: ASP.NET\r\n
Date: Tue, 13 Jun 2006 02:23:41 GMT\r\n
Content-Length: 438\r\n

In IIS 7.0, static compression is ON by default. Dynamic compression is OFF by default and can be turned ON for all content by running:

appcmd set config -section:urlCompression /doDynamicCompression:true

As static compression is enabled by default and compression happens on the main thread, compression may be shut off and resumed on the fly depending on CPU load. Four properties are available to the system.webServer/httpCompression section to control this behavior:

1. staticCompressionDisableCpuUsage – disables compression when average CPU usage over a period is above this number.

2. staticCompressionEnableCpuUsage – enables compression if average CPU usage over a period falls below this number.

3. dynamicCompressionDisableCpuUsage – disables dynamic compression depending on CPU load.

4. dynamicCompressionEnableCpuUsage – enables dynamic compression depending on CPU load.

The average CPU utilization calculation is done every 30 seconds.
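The following Python sketch is an added example, not code from the original document or from IIS. It shows how a disable threshold and a lower enable threshold interact across successive CPU averages; the threshold values, the sample averages, the function name, and the check that the two thresholds leave a gap are assumptions constructed for illustration.

```python
def compression_states(cpu_averages, disable_above, enable_below, enabled=True):
    """Return, for each averaging period, whether compression is on.

    disable_above models the ...DisableCpuUsage property and enable_below
    models the ...EnableCpuUsage property. Between the two thresholds the
    previous state is kept, so compression does not flap on every sample.
    """
    if enable_below >= disable_above:
        # Check made by this sketch only: without a gap between the two
        # values, a load hovering near them would toggle compression on
        # every averaging period.
        raise ValueError("enable threshold must be below the disable threshold")
    states = []
    for average in cpu_averages:
        if enabled and average > disable_above:
            enabled = False     # load too high: stop compressing
        elif not enabled and average < enable_below:
            enabled = True      # load has dropped far enough: resume
        states.append(enabled)
    return states


# Constructed CPU averages, one per 30-second period, with constructed
# thresholds of 90 (disable) and 50 (enable).
SAMPLE_AVERAGES = [30, 95, 70, 60, 45, 80]

if __name__ == "__main__":
    for avg, on in zip(SAMPLE_AVERAGES, compression_states(SAMPLE_AVERAGES, 90, 50)):
        print(f"average CPU {avg:3d}% -> compression {'on' if on else 'off'}")
```

Note that the averages of 70 and 60 leave compression off even though they are below the disable threshold, because the enable threshold has not yet been crossed.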

In IIS 7.0, compression can be enabled and disabled depending on the content type of the response. Just one entry in the config is sufficient to enable static or dynamic compression for text/html responses. Administrators are not required to pick up all extensions that return text/html responses.

While configuring these mimeTypes under httpCompression section, administrators can use * as a wildcard.

If the response type is text/html, IIS 7.0 looks for an entry for text/html and, if found, uses the corresponding enabled value.

If text/html is not found, IIS 7.0 looks for text/* or */html.

If both are present, IIS 7.0 picks the one that comes first and uses that enabled property value.

If none of the above is found, IIS 7.0 looks for */* and uses the corresponding enabled value.
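The following Python sketch is an added example, not code from the original document or from IIS. It applies the lookup order just described to the httpCompression and urlCompression settings shown earlier in this section, together with the client's Accept-Encoding header. The function names, the wrapping root element, and the choice to return "not enabled" when no entry matches at all are assumptions made here.

```python
import xml.etree.ElementTree as ET

# The two configuration elements shown earlier in this section, wrapped in
# a <system.webServer> root only so that they parse as one XML document.
PAGE_CONFIG = r"""
<system.webServer>
  <httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
    <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
    <dynamicTypes>
      <add mimeType="text/*" enabled="true" />
      <add mimeType="message/*" enabled="true" />
      <add mimeType="application/x-javascript" enabled="true" />
      <add mimeType="*/*" enabled="false" />
    </dynamicTypes>
    <staticTypes>
      <add mimeType="text/*" enabled="true" />
      <add mimeType="message/*" enabled="true" />
      <add mimeType="application/x-javascript" enabled="true" />
      <add mimeType="*/*" enabled="false" />
    </staticTypes>
  </httpCompression>
  <urlCompression doStaticCompression="true" doDynamicCompression="false" />
</system.webServer>
"""


def load_config(xml_text):
    """Return ({kind: [(mimeType, enabled), ...]}, {kind: switch})."""
    root = ET.fromstring(xml_text.strip())
    types = {}
    for kind in ("static", "dynamic"):
        adds = root.findall(f"httpCompression/{kind}Types/add")
        types[kind] = [(a.attrib["mimeType"].lower(), a.attrib["enabled"] == "true")
                       for a in adds]
    url = root.find("urlCompression").attrib
    switches = {"static": url["doStaticCompression"] == "true",
                "dynamic": url["doDynamicCompression"] == "true"}
    return types, switches


def is_type_enabled(content_type, entries):
    """Apply the lookup order: exact type, then type/* or */subtype, then */*."""
    media = content_type.split(";", 1)[0].strip().lower()  # drop "; charset=..."
    if "/" not in media:
        return False
    major, minor = media.split("/", 1)
    for mime, enabled in entries:              # 1. exact entry
        if mime == media:
            return enabled
    for mime, enabled in entries:              # 2. first partial wildcard listed
        if mime in (f"{major}/*", f"*/{minor}"):
            return enabled
    for mime, enabled in entries:              # 3. catch-all
        if mime == "*/*":
            return enabled
    return False                               # assumption: no entry, no compression


def client_accepts_gzip(accept_encoding):
    """True when the Accept-Encoding header lists gzip with a non-zero q."""
    for token in accept_encoding.split(","):
        name, _, params = token.strip().partition(";")
        if name.strip().lower() == "gzip":
            return params.replace(" ", "").lower() not in ("q=0", "q=0.0", "q=0.00", "q=0.000")
    return False


TYPES, SWITCHES = load_config(PAGE_CONFIG)


def should_compress(kind, content_type, accept_encoding, types=TYPES, switches=SWITCHES):
    """kind is "static" or "dynamic"; all three conditions must hold."""
    return (switches[kind]
            and client_accepts_gzip(accept_encoding)
            and is_type_enabled(content_type, types[kind]))


if __name__ == "__main__":
    for kind, ctype in [("static", "text/html"), ("dynamic", "text/html"),
                        ("static", "image/png")]:
        print(kind, ctype, "->", should_compress(kind, ctype, "gzip, deflate"))
```

With the settings shown on this page, a dynamic text/html response is not compressed even though text/* is enabled under dynamicTypes, because doDynamicCompression is false.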

To enable compression for all content types, add an entry under the httpCompression section in applicationHost.config as follows:

<staticTypes> <add mimeType="*/*" enabled="true" /> </staticTypes>

Diagnostics and Troubleshooting

To effectively manage a Web server, it is necessary to get feedback on the activity and performance of the server and on any problems that may be occurring. This section instructs Apache administrators on how to execute on IIS the diagnostics and troubleshooting tasks that they perform on Apache.

Apache

The Apache HTTP Server provides comprehensive and flexible logging capabilities, which are briefly described here.

Error logs

The server error log, whose name and location is set by the ErrorLog directive, is the most important log file. This is where Apache httpd sends diagnostic information and records any errors that it encounters in processing requests. It is the first place to look when a problem occurs with starting or operating the server, since it often contains details of what went wrong and how to fix it.

A wide variety of different messages can appear in the error log. The error log also contains debugging output from CGI scripts. Any information written to stderr by a CGI script is copied directly to the error log.

In Apache, customizing the error log by adding or removing information is not possible. However, error log entries dealing with particular requests have corresponding entries in the access log. Customizing the access log to provide more information is also possible.

Access logs

In Apache, the server access log records all requests processed by the server. The CustomLog directive controls the location and content of the access log. The LogFormat directive can be used to simplify the selection of the contents of the logs. Various versions of Apache httpd use different modules and directives to control access logging, including mod_log_config, mod_log_referer, mod_log_agent, and the TransferLog directive.

Script logs

To aid in debugging, the ScriptLog directive allows you to record the input to and output from CGI scripts. This should only be used during testing and not for live servers.

Rewrite logs

When using the powerful and complex features of mod_rewrite, it is almost always necessary to use the RewriteLog to help in debugging. This log file produces a detailed analysis of how the rewriting engine transforms requests. The RewriteLogLevel directive controls the level of detail.

IIS 7.0

IIS 7.0 includes major improvements that aid in diagnostics and troubleshooting to help developers and administrators more easily work with errant Web sites and applications. The diagnostics and troubleshooting changes in IIS 7.0 allow a developer or an administrator to see, in real time, requests running on the server. IIS 7.0 also collects and exposes detailed diagnostic events to aid in troubleshooting problematic servers and applications. Some of the techniques in IIS 7.0 make troubleshooting practically effortless.

The following are improvements in diagnostic and troubleshooting tools in IIS 7.0:

Ability to see all requests currently running on the server.

Detailed local server error logs.

Detailed trace log makes it possible to track problem issues and obtain detailed information about trace events.

New Runtime State and Control API (RSCA) provides real-time state information about application pools, worker processes, sites, application domains, and even running requests through a native Component Object Model (COM) API and appcmd.exe.

IIS 7.0 can be configured to automatically capture full trace logs.

IIS 7.0 contains tools that let IT staff find problems and troubleshoot in IIS Manager.

Runtime Status and Control (RSCA)

The Runtime Status and Control (RSCA) API is a new feature in IIS 7.0 that provides the ability to obtain run-time status and to control the state of every aspect of a Web server, including application pools, application domains, Web sites, worker processes, and virtual directories. RSCA is designed to provide a consistent API for controlling run-time state across all server objects. Using RSCA, technical staff can develop their own infrastructure to monitor and control the state of Web sites by accessing the RSCA object hierarchy that maps directly to the worker processes in application pools. The API itself is wrapped and exposed through the new IIS WMI provider, appcmd.exe, and IIS Manager.

Benefits of RSCA

RSCA provides tools that let administrators query detailed information, such as looking into an application pool and seeing all currently running requests, and then accessing detailed information about each request. Because RSCA is geared toward developers, it takes some of the burden off the hosting provider by giving developers a tool that allows them to find detailed explanations if something goes wrong during the execution of their code. They can also start and stop sites, as well as recycle application pools. RSCA is also handy for administrators in hosting environments because they can use the appcmd.exe command-line tool or IIS Manager to resolve a hanging request problem and determine which script is consuming CPU resources.

Detailed Error Information

IIS 7.0 displays extensive error information, which helps diagnose and troubleshoot problems. What makes error information displayed in IIS 7.0 unique is the amount of detail provided, and that IIS Manager provides information about the possible causes of the error as well as tips on ways to fix the problem. This saves time in locating the source of errors and quickly fixing them.

The following figure provides an example of an error message in IIS 7.0. The detailed server errors appear only on the local server and are not displayed to end-users on the site.

Figure 16: IIS 7.0 Error Message Sample

Customizing Error Messages and Failed Request Tracing

IIS 7.0 also allows administrators to configure the HTTP error message responses displayed to control the information provided during an error condition. In the IIS section of the Features View, click the Error Pages icon to display the Error Messages dialog box, as shown in the next figure.

Figure 17: Setting Error Message Responses

Use this feature to configure HTTP error responses. The error responses can be custom error pages or detailed error messages that contain troubleshooting information.

Information that can be set includes:

The ability to insert content from a static file into the error response.

Whether to execute a URL on the site.

Whether to respond with a 302 redirect.

Benefits of Error Reporting in IIS 7.0

IIS 7.0 provides extensive reporting for error conditions and displays detailed information to help administrators diagnose and troubleshoot problems quickly. In addition, HTTP error message responses can be customized to even better suit their needs. Diagnostics and error reporting in IIS 7.0 help developers and administrators quickly locate problems and fix them. Administrators can view error and diagnostic messages in real-time without needing to look through various logs to determine the source of a problem, saving both time and expenses.

Failed Request Tracing

The new Failed Request Tracing technology allows administrators to define error conditions that, when triggered, write detailed error information to log files. Failed Request Tracing is particularly useful in tracing intermittent or complex problems. In IIS 7.0, it is even possible to add tracing to custom modules. Error conditions can range from “slow” or “hung” requests to the familiar status codes that IIS sends back during error conditions, such as “Server 500 Error.” When configured, if IIS 7.0 detects one of these error conditions, it automatically logs detailed trace events of everything that happened during the request that led up to the error.

How Failed Request Tracing Works

The tracing infrastructure in IIS 7.0 is very flexible. Since both trace event providers and trace event consumers are simply modules, selecting which modules to use is easy. For example, the technical professional can use Event Tracing for Windows (ETW) or Failed Request Tracing, the automatic failed request tracing infrastructure in IIS 7.0. In addition to choosing one of these existing modules, creating both consumer and provider modules and plugging them into the tracing infrastructure is easy. This allows technical staff to use their own providers and consumers in any place that normally uses built-in providers and consumers.

Example: The IIS Manager console is used to define a trace condition, such as a "404 File Not Found" error that may occur as a result of a request. This request is written to the Trace Configuration file. When the Web server processes a request, the pipeline modules read the trace configuration information for that provider. Then, when an event that matches the tracing configuration occurs, such as the "404 File Not Found" error defined earlier, the pipeline module raises a trace event. The trace event is then delivered back to the source consumer module that registered the trace event. That consumer module is responsible for doing something with that event, such as writing it to a log file.

To set up a failed request tracing rule in IIS 7.0, do the following:

In the IIS section of the Features View, click the Failed Request Tracing Rules icon. The Define Trace Conditions dialog box displays, as shown in the next figure.

In the Add Failed Request Tracing Rule dialog box, click an item in the list to indicate what should be traced. Valid selections are: all content, ASP.NET (*.aspx), ASP (*.asp) or Custom (where a name such as tr*.aspx can be entered). Click Next to display the next dialog box.

Figure 18: Setting a Failed Request Trace Rule

In the Define Trace Conditions dialog box, indicate the conditions under which a request should be traced. A status code, time taken, and severity may be entered. When the trace information has been set, click Finish to complete the trace rule. Whenever a failed request meets the criteria established, it will be traced.
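A rule created through these dialog boxes is stored in configuration as an entry like the one below (an added example, not taken from the original white paper). The content pattern reuses the tr*.aspx name mentioned above; the status codes, time threshold, providers and areas are assumed values.

```xml
<configuration>
  <system.webServer>
    <tracing>
      <traceFailedRequests>
        <!-- "Custom" content selection from the first dialog box. -->
        <add path="tr*.aspx">
          <traceAreas>
            <!-- Which providers emit events, and how much detail they log. -->
            <add provider="ASPNET"
                 areas="Infrastructure,Module,Page,AppServices"
                 verbosity="Verbose" />
            <add provider="WWW Server"
                 areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module"
                 verbosity="Verbose" />
          </traceAreas>
          <!-- Trace conditions: the request ends in 404 or 500,
               or takes longer than 30 seconds (assumed thresholds). -->
          <failureDefinitions statusCodes="404,500" timeTaken="00:00:30" />
        </add>
      </traceFailedRequests>
    </tracing>
  </system.webServer>
</configuration>
```

Rules take effect only once Failed Request Tracing is enabled for the site. The trace files record request details such as headers, so keep the log directory outside the Web root and restrict read access to it.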

Benefits of Using Failed Request Tracing

Large datacenters and hosting providers benefit from the productivity gains offered by the new Failed Request Tracing capabilities of IIS 7.0. It is no longer necessary for administrators to spend time trying to reproduce problems that are complex, occur intermittently, or occur only under certain circumstances. Once Failed Request Tracing is configured, it automatically tracks the defined condition. Furthermore, it is not necessary to turn Failed Request Tracing on for every Web site and every URL on a server. Limiting tracing in this way not only reduces the amount of tracing information that is logged, it also ensures that this powerful feature has as little performance impact as possible on the server.

With the minimal impact on performance and the significant gain in information retrieved by Failed Request Tracing, it is feasible to turn it on for newly deployed sites or as a means of verifying that sites are running error-free. Using Failed Request Tracing in IIS 7.0 helps pinpoint the cause of failures to make resolving the issue quicker and easier.

Securing the Web Server

Apache

Apache administrators often use the following steps to secure their configurations:

1. Apply Security Patches.

2. Hide the Apache version number and other sensitive information.

ServerSignature Off

ServerTokens Prod

3. Make sure Apache is running under its own user account and group.

User apache

Group apache

4. Ensure that files outside the Web root are not served.

<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
<Directory /web>
    Order Allow,Deny
    Allow from all
</Directory>

5. Turn off directory browsing.

Options -Indexes

6. Turn off CGI execution.

Options -ExecCGI

7. Run mod_security, a module written to apply several different security configurations:

Filtering (Simple and Regular Expression based)

Encoding Validation (URL and Unicode)

Auditing

Upload memory limits

Server identity masking, etc.

IIS 7.0

Microsoft offers a free tool called UrlScan that does all of the tasks related to securing the Web server. On IIS 5.1 Web servers, UrlScan runs in conjunction with IISLockDown, a standard security package that should be installed on every IIS 5.1 server and that includes simple fixes with significant benefits. On IIS 7.0, the built-in Request Filtering feature includes functionality equivalent to UrlScan 2.5.

UrlScan v3.1 is a security tool that restricts the types of HTTP requests processed by IIS and provides an update to the Request Filtering module in IIS 7.0. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being processed by Web applications on the server. It is a one-stop shop to cater to almost all security needs.

Along with UrlScan, a powerful module called Request Filtering is integrated into IIS 7.0. In the Request Filtering module, the IIS 7.0 team incorporated all the core features of UrlScan and added an additional feature called Hidden Segments. Details and a complete options set for the Request Filtering module can be found at http://learn.iis.net/page.aspx/143/how-to-use-request-filtering/.
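A Request Filtering policy written as web.config, covering several items from the Apache list above (an added example, not configuration from the original white paper). The segment name, file extensions, verb list and size limits are assumed values; directoryBrowse is included as the IIS counterpart of Options -Indexes.

```xml
<configuration>
  <system.webServer>
    <!-- Counterpart of "Options -Indexes": no directory listings. -->
    <directoryBrowse enabled="false" />
    <security>
      <!-- Reject URLs that change meaning when decoded a second time. -->
      <requestFiltering allowDoubleEscaping="false">
        <!-- Hidden Segments: URL path segments that are never served.
             "backup" is an assumed folder name. -->
        <hiddenSegments>
          <add segment="backup" />
        </hiddenSegments>
        <!-- Block leftover copies of files (assumed extensions). -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
        </fileExtensions>
        <!-- Accept only the listed HTTP verbs. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- Reject parent-directory sequences anywhere in the URL. -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
        <!-- Size limits, the counterpart of upload limits:
             10 MB body, 2048-byte URL, 1024-byte query string. -->
        <requestLimits maxAllowedContentLength="10485760"
                       maxUrl="2048" maxQueryString="1024" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Entries added here are merged with the ones inherited from the server-level configuration, so an extension or segment that is already listed there must not be added a second time.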

Dynamic IP Restrictions for IIS 7.0 is a module that provides protection against denial of service and brute force attacks on Web servers and Web sites. Such protection is provided by temporarily blocking the IP addresses of HTTP clients that make an unusually high number of concurrent requests or that make a large number of requests over a short period. Detailed instructions on installation and usage of this module can be found at http://learn.iis.net/page.aspx/548/using-dynamic-ip-restrictions/.

Conclusion

The rich set of functionalities in IIS 7.0, in addition to the parity in features compared with Apache, makes migrating Web applications from Apache to IIS 7.0 a worthwhile investment.

IIS 7.0 provides easy-to-use, flexible tools for developers, administrators, and Web hosting companies that simplify management of Web servers. For instance, a flexible extensibility model and powerful diagnostic tools allow site administrators to proactively monitor the health of Web sites, while the possibility of deploying applications using XCopy simplifies the administration of Web farms. The modular design of IIS 7.0 allows for functionality to be independently installed to reduce the attack surface of the server and to eliminate unnecessary administrative overhead. IIS 7.0 works with existing tools and scripts, and its new management and diagnostic features free up IT resources for other business critical tasks. New rich tracing and troubleshooting capabilities help solve problems more efficiently, reducing downtime and the time needed to diagnose the source of a problem.

In addition, administrators can decrease their workload and administrative costs by delegating the administration of IIS 7.0 to customers. This allows, for example, datacenters to manage their own content.

IIS 7.0, with features equivalent to those of Apache and enhanced functionality over IIS 6.0, creates significant reductions in the total cost of ownership of Web infrastructures for organizations.

IIS 7.0 Resources

Technical Communities, Webcasts, Blogs, Chat and User Groups

http://www.microsoft.com/communities/default.mspx

Microsoft Learning and Certification

http://www.microsoft.com/learning/default.mspx

Microsoft Developer Network (MSDN) & TechNet

http://microsoft.com/msdn

http://microsoft.com/technet

Trial Software and Virtual Labs

http://www.microsoft.com/technet/downloads/trials/default.mspx

IIS.NET Walkthroughs, Forums, Blogs and More

http://www.iis.net

http://blogs.iis.net

http://forums.iis.net

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.