Internet Information Services Explained

Microsoft IIS
Developer: Microsoft
Programming Language: C++[1]
Language: Same languages as Windows
Genre: Web server
License: Part of Windows NT (same license)
Operating System: Windows NT

Microsoft IIS (Internet Information Services, IIS, 2S) is an extensible web server created by Microsoft for use with the Windows NT family.[2] IIS supports HTTP, HTTP/2, HTTP/3, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some editions (e.g. Windows XP Home edition), and is not active by default. A dedicated suite of software called SEO Toolkit[3] is included in the latest version of the manager. This suite has several tools for SEO with features for metatag / web coding optimization, sitemaps / robots.txt configuration, website analysis, crawler setting, SSL server-side configuration and more.

History

The first Microsoft web server was a research project at the European Microsoft Windows NT Academic Centre (EMWAC), part of the University of Edinburgh in Scotland, and was distributed as freeware.[4] However, since the EMWAC server was unable to handle the volume of traffic going to Microsoft.com, Microsoft was forced to develop its own web server, IIS.[5]

Almost every version of IIS was released either alongside or with a version of Microsoft Windows:

All versions of IIS prior to 7.0 running on client operating systems supported only 10 simultaneous connections and a single website.

Microsoft was criticized by vendors of other web server software, including O'Reilly & Associates and Netscape, for its licensing of early versions of Windows NT; the "Workstation" edition of the OS permitted only ten simultaneous TCP/IP connections, whereas the more expensive "Server" edition, which otherwise had few additional features, permitted unlimited connections but bundled IIS. It was implied that this was intended to discourage consumers from running alternative web server packages on the cheaper edition.[17] Netscape wrote an open letter to the Antitrust Division of the U.S. Department of Justice regarding this distinction in product licensing, which it asserted had no technical merit.[18] O'Reilly showed that the user could remove the enforced limits meant to cripple NT 4.0 Workstation as a web server with two registry key changes and other trivial configuration file tweaking.

Features

IIS 6.0 and higher support the following authentication mechanisms:[19]

IIS 7.0 has a modular architecture. Modules, also called extensions, can be added or removed individually so that only modules required for specific functionality have to be installed. IIS 7 includes native modules as part of the full installation. These modules are individual features that the server uses to process requests.[21]

IIS 7.5 includes the following additional or enhanced security features:[22]

Authentication changed slightly between IIS 6.0 and IIS 7, most notably in that the anonymous user, which was named "IUSR_", is a built-in account named "IUSR" in Vista and later operating systems. In IIS 7, each authentication mechanism is also isolated into its own module and can be installed or uninstalled.

IIS 8.0 offers new features targeted at performance and easier administration. The new features are:

IIS 8.5 has several improvements related to performance in large-scale scenarios, such as those used by commercial hosting providers and Microsoft's own cloud offerings. It also has several added features related to logging and troubleshooting. The new features are:

Express

IIS Express, a lightweight (4.5–6.6 MB) version of IIS, is available as a standalone freeware server and may be installed on Windows XP with Service Pack 3 and subsequent versions of Microsoft Windows. IIS 7.5 Express supports only the HTTP and HTTPS protocols. It is portable, stores its configuration on a per-user basis, does not require administrative privileges and attempts to avoid conflicting with existing web servers on the same machine.[36] IIS Express can be downloaded separately[37] or as a part of WebMatrix[38] or Visual Studio 2012 and later. (In Visual Studio 2010 and earlier, web developers developing ASP.NET apps used ASP.NET Development Server, codenamed "Cassini".)[39] By default, IIS Express only serves local traffic.[40] [41]

Extensions

Microsoft releases new feature modules for IIS between major version releases to add new functionality. The following extensions are available for IIS 7.5:

Usage

According to Netcraft, in February 2014, IIS had a "market share of all sites" of 32.80%, making it the second most popular web server in the world, behind Apache HTTP Server at 38.22%. Netcraft showed a rising trend in market share for IIS.[50] On 14 February 2014, however, W3Techs showed different results. According to W3Techs, IIS was the third most used web server, behind Apache HTTP Server (1st place) and Nginx. Furthermore, it showed a consistently falling trend for IIS use.[51]

Netcraft data in February 2017 indicates IIS had a "market share of the top million busiest sites" of 10.19%, making it the third most popular web server in the world, behind Apache at 41.41% and nginx at 28.34%.[52]

Security

IIS 4 and IIS 5 were affected by the CA-2001-13 security vulnerability which led to the infamous Code Red attack;[53] [54] however, both versions 6.0 and 7.0 have no reported issues with this specific vulnerability. In IIS 6.0 Microsoft opted to change the behaviour of pre-installed ISAPI handlers,[55] many of which were culprits in the vulnerabilities of 4.0 and 5.0, thus reducing the attack surface of IIS. In addition, IIS 6.0 added a feature called "Web Service Extensions" that prevents IIS from launching any program without explicit permission by an administrator.

By default, IIS 5.1 and earlier run websites in a single process running in the context of the System account,[56] a Windows account with administrative rights. Under 6.0, all request handling processes run in the context of the Network Service account, which has significantly fewer privileges, so a vulnerability in a feature or in custom code won't necessarily compromise the entire system, given the sandboxed environment these worker processes run in.[57] IIS 6.0 also contained a new kernel HTTP stack (http.sys) with a stricter HTTP request parser and response cache for both static and dynamic content.[58]
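The account a worker process runs under can be audited from configuration. The following is an added example, not code from the original page or from Microsoft: it reads the applicationHost.config layout used by IIS 7 and later and reports pools that would run as LocalSystem. The sample file, the pool names and the ApplicationPoolIdentity fallback (the IIS 7.5 and later default) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of applicationHost.config (not from the page).
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="LegacyIntranet">
        <processModel identityType="LocalSystem" />
      </add>
      <add name="Reports">
        <processModel identityType="SpecificUser" userName="svc-reports" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="NetworkService" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""

HIGH_PRIVILEGE = {"LocalSystem"}            # full control of the host
SCHEMA_DEFAULT = "ApplicationPoolIdentity"  # assumed fallback (IIS 7.5 and later)


def pool_identities(config_xml):
    """Return {pool name: effective identityType}, applying applicationPoolDefaults."""
    root = ET.fromstring(config_xml.strip())
    pools = next(root.iter("applicationPools"), None)
    if pools is None:
        return {}
    default_node = pools.find("applicationPoolDefaults/processModel")
    default = SCHEMA_DEFAULT
    if default_node is not None:
        default = default_node.get("identityType", SCHEMA_DEFAULT)
    result = {}
    for pool in pools.findall("add"):
        pm = pool.find("processModel")
        explicit = pm.get("identityType") if pm is not None else None
        result[pool.get("name")] = explicit or default
    return result


def high_privilege_pools(config_xml):
    """Names of pools whose worker processes run as a high-privilege account."""
    ids = pool_identities(config_xml)
    return sorted(name for name, ident in ids.items() if ident in HIGH_PRIVILEGE)
```
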

According to Secunia, IIS 7 had a total of six resolved vulnerabilities while IIS 6 had a total of eleven vulnerabilities, out of which one was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.[59]

In June 2007, a Google study of 80 million domains concluded that while the IIS market share was 23% at the time, IIS servers hosted 49% of the world's malware, the same as Apache servers whose market share was 66%. The study also observed the geographical location of these dirty servers and suggested that the cause of this could be the use of unlicensed copies of Windows that could not obtain security updates from Microsoft.[60] In a blog post on 28 April 2009, Microsoft noted that it supplies security updates to everyone without genuine verification.[61] [62]

The 2013 mass surveillance disclosures made it more widely known that IIS is particularly bad at supporting perfect forward secrecy (PFS), especially when used in conjunction with Internet Explorer. Possessing one of the long-term asymmetric secret keys used to establish an HTTPS session should not make it easier to derive the short-term session key and then decrypt the conversation, even at a later time. Diffie–Hellman key exchange (DHE) and elliptic curve Diffie–Hellman key exchange (ECDHE) were, in 2013, the only key exchanges known to have that property. Only 30% of Firefox, Opera, and Chromium Browser sessions use it, and nearly 0% of Apple's Safari and Microsoft Internet Explorer sessions.[63]
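Whether a session gets forward secrecy depends on which suite is negotiated, not only on which suites are enabled. The following is an added example, not code from the original page: it classifies suites by key exchange and shows how a server order that ranks RSA key exchange first loses forward secrecy even for a client that offers ECDHE. The suite lists are constructed, and the model in which the server picks the first suite in its own order that the client offers is an assumption.

```python
# Constructed cipher-suite lists in IANA-style naming; not taken from the page.
SERVER_ORDER = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]
CLIENT_OFFER = {"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"}


def key_exchange(suite):
    """Key-exchange token of a suite name, e.g. ECDHE, DHE, ECDH, RSA."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "TLS1.3"  # TLS 1.3 full handshakes always use ephemeral (EC)DHE
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return "UNKNOWN"
    return suite[len("TLS_"):].split("_WITH_")[0].split("_")[0]


def is_forward_secret(suite):
    # Static DH/ECDH suites reuse a long-term key, so only the ephemeral
    # variants (and TLS 1.3) qualify.
    return key_exchange(suite) in {"DHE", "ECDHE", "TLS1.3"}


def negotiate(server_order, client_offer):
    """Assumed model: server picks the first suite in its order the client offers."""
    return next((s for s in server_order if s in client_offer), None)


def audit(server_order, client_offer):
    chosen = negotiate(server_order, client_offer)
    fs = [s for s in server_order if is_forward_secret(s)]
    non_fs = [s for s in server_order if not is_forward_secret(s)]
    first_fs = server_order.index(fs[0]) if fs else len(server_order)
    return {
        "chosen": chosen,
        "chosen_is_fs": chosen is not None and is_forward_secret(chosen),
        # Non-FS suites ranked above every FS suite win when a client offers both.
        "non_fs_ranked_first": server_order[:first_fs],
        "hardened_order": fs + non_fs,
    }


if __name__ == "__main__":
    report = audit(SERVER_ORDER, CLIENT_OFFER)
    print(report["chosen"], report["chosen_is_fs"])
    print(negotiate(report["hardened_order"], CLIENT_OFFER))
```
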

Notes and References

  1. Web site: The Programming Languages Beacon, v10.0. Vincent. Lextrait. February 2010. 12 February 2010. https://archive.today/20120530/http://www.lextrait.com/Vincent/implementations.html. 30 May 2012.
  2. Web site: Running IIS 6.1 as an Application Server (IIS 6.0). TechNet. Microsoft. 14 December 2012. https://web.archive.org/web/20130921055538/http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ddf1d92f-3e6e-423f-b024-35cefc10a22f.mspx?mfr=true. 21 September 2013.
  3. Web site: Getting started with the SEO Toolkit. Microsoft Learn. 11 April 2024. Microsoft. 14 April 2024.
  4. Web site: Windows NT Internet Servers. 10 July 2002. Microsoft. 26 May 2008. https://web.archive.org/web/20080919082144/http://support.microsoft.com/kb/120734. 19 September 2008.
  5. Web site: A Brief History of Microsoft on the Web. Dave. Kramer. Microsoft. 24 December 1999. 26 May 2008. https://web.archive.org/web/20080514174242/http://www.microsoft.com/misc/features/features_flshbk.htm. 14 May 2008.
  6. Web site: Microsoft ASP.NET 2.0 Next Stop on Microsoft Web Development Roadmap.
  7. Web site: Chapter 1 - Overview of Internet Information Services 5.0. 9 December 2009. 25 October 2010.
  8. Web site: Chapter 2 - Managing the Migration Process. 9 December 2009. 27 June 2012.
  9. Web site: What's New In IIS 6.0?. 25 November 2010. 14 May 2013. https://web.archive.org/web/20130514113244/http://www.devx.com/webdev/Article/17085.
  10. Web site: Introduction to IIS Architectures. arkaytee. docs.microsoft.com. 2019-08-29.
  11. Web site: IIS 7.0: Explore The Web Server For Windows Vista and Beyond. 25 November 2010.
  12. Web site: What's New in Web Server (IIS) Role in Windows 2008 R2. 25 November 2010.
  13. Web site: HTTP/2 on IIS. September 11, 2015. Mike Bishop; David So. Microsoft.
  14. Web site: New Features Introduced in IIS 10.0. Sourabh Shirhatti. 14 June 2022. Microsoft.
  15. Web site: New Features Introduced in IIS 10.0 Version 1709. Sourabh Shirhatti; Richard Lang. 19 May 2022. Microsoft.
  16. Web site: New Features Introduced in IIS 10.0, version 1809. Sourabh Shirhatti. Microsoft.
  17. Web site: Netscape goes to jail, does not collect $200. InfoWorld. 12 April 2014. https://web.archive.org/web/20081223224855/http://www.infoworld.com/pageone/opinions/petrel/petreltwo.htm. 23 December 2008.
  18. Web site: Differences Between NT Server and Workstation Are Minimal. O'Reilly Media. https://web.archive.org/web/20160316010614/http://archive.oreilly.com/pub/a/oreilly//news/differences_nt.html. 16 March 2016. 7 July 2018.
  19. Web site: Authentication Methods Supported in IIS 6.0 (IIS 6.0). IIS 6.0 Documentation. Microsoft. 13 July 2011. https://web.archive.org/web/20121102114807/http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true. 2 November 2012.
  20. Web site: Changes Between IIS 6.0 and IIS 7 Security. iis.net. 13 July 2011. 7 February 2010.
  21. Web site: Templin. Reagan. Introduction to IIS 7 Architecture. iis.net. 16 July 2011. 11 August 2010. IIS 7 Modules.
  22. Web site: Available Web Server (IIS) Role Services in IIS 7.5. Microsoft TechNet. 27 January 2010. 13 July 2011.
  23. Web site: Eagan. Shaun. IIS 8.0 Application Initialization. IIS Blog. Microsoft. 19 September 2013. 29 February 2012.
  24. Web site: Yoo. Won. IIS 8.0 ASP.NET configuration management. IIS Blog. Microsoft. 19 September 2013. 29 February 2012.
  25. Web site: Eagan. Shaun. IIS 8.0 Centralized SSL certificate support. IIS Blog. Microsoft. 19 September 2013. 29 February 2012.
  26. Web site: McMurray. Robert. IIS 8.0 Multicore Scaling on NUMA Hardware. IIS Blog. Microsoft. 19 September 2013. 29 February 2012.
  27. Web site: IIS 8.0 WebSocket protocol support. IIS Blog. Microsoft. 19 September 2013. 28 November 2012.
  28. Web site: Eagan. Shaun. IIS 8.0 Server Name Indication. IIS Blog. Microsoft. 19 September 2013. 29 February 2012.
  29. Web site: McMurray. Robert. IIS 8.0 Dynamic IP Address Restrictions. IIS Blog. Microsoft. 19 September 2013. 29 February 2012.
  30. Web site: Eagan. Shaun. IIS 8.0 CPU Throttling. IIS Blog. Microsoft. 19 September 2013. 29 February 2012.
  31. Web site: Benari. Erez. Idle Worker-process Page Out. IIS Blog. Microsoft. 18 September 2013. 26 June 2013.
  32. Web site: Benari. Erez. Dynamic Site Activation. IIS Blog. Microsoft. 18 September 2013. 3 July 2013.
  33. Web site: Benari. Erez. Enhanced Logging. IIS Blog. Microsoft. 18 September 2013. 10 July 2013.
  34. Web site: Benari. Erez. ETW Logging. IIS Blog. Microsoft. 18 September 2013. 15 July 2013.
  35. Web site: Benari. Erez. Automatic Certificate rebind. IIS Blog. Microsoft. 18 September 2013. 3 September 2013.
  36. Web site: IIS Express FAQ. iis.net. 14 January 2011. 27 January 2011.
  37. Web site: Internet Information Services (IIS) 7.5 Express. Download Center. 10 January 2011. 27 January 2011.
  38. Web site: IIS Express Overview. iis.net. 14 January 2011. 27 January 2011.
  39. Web site: Guthrie. Scott. Introducing IIS Express. ScottGu's Blog. Microsoft. 29 June 2010.
  40. Web site: Gopalakrishnan. Vaidy. Handling URL Binding Failures in IIS Express. iis.net. Microsoft. 12 January 2011.
  41. Web site: Hanselman. Scott. Condron. Glen. 3 Introducing Model View Controller (MVC). Introduction to ASP.NET. Microsoft. 15 September 2015. 0:14:02.
  42. Web site: FTP Publishing Service. iis.net. Microsoft. 17 July 2011.
  43. Web site: Administration Pack. iis.net. Microsoft. 17 July 2011.
  44. Web site: Application Request Routing. iis.net. Microsoft. 17 July 2011.
  45. Web site: Database Manager. iis.net. Microsoft. 17 July 2011.
  46. Web site: IIS Media Services. iis.net. Microsoft. 30 July 2011.
  47. Web site: URL Rewrite. iis.net. Microsoft. 17 July 2011.
  48. Web site: WebDAV Extension. iis.net. Microsoft. 17 July 2011.
  49. Web site: Web Deploy 2.0. iis.net. Microsoft. 17 July 2011.
  50. Web site: February 2014 Web Server Survey. news.netcraft.com. Netcraft. 3 February 2014.
  51. Web site: Usage statistics and market share of Microsoft-IIS for websites. w3techs. Q-Success.
  52. Web site: February 2017 Web Server Survey. news.netcraft.com. Netcraft. 27 February 2017.
  53. Web site: CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. CERT® Advisory. 17 January 2002. 1 July 2011.
  54. Book: Hadi, Nahari. Web commerce security: design and development. 2011. Wiley Pub. Krutz, Ronald L. 9781118098899. Indianapolis. 157. 757394142.
  55. Web site: IIS Installs in a Locked-Down Mode (IIS 6.0). Microsoft Developer Network (MSDN). 1 July 2011. https://web.archive.org/web/20110430202208/http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/54257c42-d723-4b12-badf-f4902c195821.mspx?mfr=true. 30 April 2011.
  56. Web site: How To: Run Applications Not in the Context of the System Account in IIS (Revision 5.1) Microsoft Corporation. 7 July 2008. 20 July 2007.
  57. Book: Henrickson. Hethe. IIS 6: the complete reference. 2003. McGraw-Hill Professional. New York City. 978-0-07-222495-5. Hofmann. Scott R. 12 July 2011. 482. Chapter 15: ASP.NET Web Services. https://books.google.com/books?id=_jh9bm8uBk4C&q=%22Chapter+15:+ASP.NET+Web+Services%22.
  58. Book: Henrickson. Hethe. IIS 6: the complete reference. 2003. McGraw-Hill Professional. New York City. 978-0-07-222495-5. Hofmann. Scott R. 12 July 2011. 17. Chapter 1: IIS Fundamentals. https://books.google.com/books?id=_jh9bm8uBk4C&q=%22Chapter+1:+IIS+Fundamentals%22.
  59. Web site: Vulnerability Report: Microsoft Internet Information Services (IIS) 6. Secunia. Secunia ApS. 1 July 2011.
  60. News: Web Server Software and Malware. Google Online Security Blog.
  61. News: Windows Pirates Encouraged to Install Security Updates. Technology Live. USA Today. February 2010. 18 July 2011.
  62. Web site: Cooke. Paul. Who Gets Windows Security Updates?. Windows Security Blog. Microsoft. 18 July 2011. 27 April 2009.
  63. Web site: SSL: Intercepted today, decrypted tomorrow. http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html