Modular architecture in IIS 7.0 aids Web server security

Introducing Windows Server 2008 - An excerpt from chapter 11, "Internet Information Services 7.0"
By Mitch Tulloch

Get a jump on evaluating Windows Server 2008 -- with technical insights from the Windows Server team. This practical introduction delivers real-world implementation scenarios and pragmatic advice for administering Windows Server in the enterprise.

One thing I really like about IIS 7.0 is its new modular architecture. What this means is that instead of IIS being a monolithic entity installed by default with only a few features available for optional installation, IIS 7.0 now has more than 40 separate setup components you can choose from and only a small set of these are installed by default. You can now install only IIS features you actually need on your Web server and leave the remaining features uninstalled. The benefits of doing this are fivefold:

  • First, your system is more secure. Why? Because the only IIS binaries installed on your system are those you actually need. And the fewer binaries, the less attack surface there is on your machine.

  • Second, your system is easier to service. Why? Because maintaining a server involves keeping it patched with the latest critical updates from Microsoft. But if you have only a subset of the available IIS modules installed on your machine, you have to patch only those modules -- you don't have to patch modules that aren't installed.

  • Third, your system is easier to manage. For example, as we'll see in a moment, if the component supporting Basic authentication is not installed on your system, the configuration setting for this feature won't be present. And the fewer configuration settings that are surfaced, the less clutter the admin UI has and the easier it is to manage your server.

  • Fourth, you can customize your Web server to function in a specific role in your environment.

  • And fifth, you can reduce the memory footprint of your Web server by removing unnecessary modules. As a result, the amount of memory used by worker processes on your machine will be reduced, which can allow you to host more Web sites and Web applications on your machine -- something especially valuable in large hosting environments. Reducing the number of installed modules also means that fewer intra-process events occur, which frees up CPU cycles as well -- something that, again, is important in hosting environments.

In addition, you can even create your own custom modules and use these to replace existing modules or add new features to your Web server. We'll talk about this later when we discuss the extensibility of the IIS 7.0 platform.

The following graphic shows the IIS 7.0 components available for you to install when you add the Web Server (IIS) role to your Windows Server 2008 machine. These components are called modules, and you can add or remove them from the Web server engine, depending on what you need.

Table 11-1 lists the different modules available in each category and provides a short description of what they do.

Table 11-1 IIS 7.0 modules and their functionality

Module name | Description

HTTP modules
CustomErrorModule | Sends default and configured HTTP error messages when an error status code is set on a response
HttpRedirectionModule | Supports configurable redirection for HTTP requests
OptionsVerbModule | Provides information about allowed verbs in response to OPTIONS verb requests
ProtocolSupportModule | Performs protocol-related actions, such as setting response headers and redirecting headers based on configuration
RequestForwarderModule | Forwards requests to external HTTP servers and captures responses
TraceVerbModule | Returns request headers in response to TRACE verb requests

Security modules
AnonymousAuthModule | Performs Anonymous authentication when no other authentication method succeeds
BasicAuthModule | Performs Basic authentication
CertificateMappingAuthenticationModule | Performs Certificate Mapping authentication using Active Directory
DigestAuthModule | Performs Digest authentication
IISCertificateMappingAuthenticationModule | Performs Certificate Mapping authentication using IIS certificate configuration
RequestFilteringModule | Performs URLScan tasks, such as configuring allowed verbs and file extensions, setting limits, and scanning for bad character sequences
UrlAuthorizationModule | Performs URL authorization
WindowsAuthModule | Performs NTLM integrated authentication

Content modules
CgiModule | Executes CGI processes to build response output. There's also a FastCGI handler that's installed as part of the CGI install.
DavFSModule | Sets the handler for Distributed Authoring and Versioning (DAV) requests to the DAV handler
DefaultDocumentModule | Attempts to return the default document for requests made to the parent directory
DirectoryListingModule | Lists the contents of a directory
IsapiModule | Hosts ISAPI DLLs
IsapiFilterModule | Supports ISAPI filter DLLs
ServerSideIncludeModule | Processes server-side includes code
StaticFileModule | Serves static files

Compression modules
DynamicCompressionModule | Compresses responses, and applies Gzip compression transfer coding to responses
StaticCompressionModule | Performs precompression of static content

Caching modules
FileCacheModule | Provides user-mode caching for files and file handles (required)
HTTPCacheModule | Provides kernel-mode and user-mode caching in HTTP.sys (required)
SiteCacheModule | Provides user-mode caching of site information
TokenCacheModule | Provides user-mode caching of user name and token pairs for modules that produce Windows user principals (required)
UriCacheModule | Provides user-mode caching of URL information (required)

Logging and diagnostics modules
CustomLoggingModule | Loads custom logging modules
FailedRequestsTracingModule | Supports the Failed Request Tracing feature
HttpLoggingModule | Passes information and processing status to HTTP.sys for logging
RequestMonitorModule | Tracks requests currently executing in worker processes, and reports information with Runtime Status and Control Application (RSCA) Programming Interface
TracingModule | Reports events to Microsoft Event Tracing for Windows (ETW)

You can install these modules by adding role services and features to the Web Server (IIS) role using Server Manager. (Note that some of these modules cannot be selectively installed or uninstalled unless you uninstall the entire w3svc.) When you add the Web Server (IIS) role to your Windows Server 2008 server, a subset of available role services and features is installed by default (though you can also choose to add role services and features at this time or later).
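
One way to check that a server carries only the modules its role needs, as an added example (not from the book or from Microsoft): IIS 7.0 registers installed native modules in the globalModules section of applicationHost.config, so that list can be compared with a baseline. The sample XML, the placeholder image paths, the static-content baseline and the function name Compare-IisModuleBaseline are assumptions; module names follow Table 11-1 and may differ from what a shipped build registers.

```powershell
# Constructed sample: a trimmed <globalModules> section in the shape used by
# applicationHost.config. Names come from Table 11-1; the image values are
# placeholders, not real DLL paths.
$sampleConfig = [xml]@'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule"       image="PLACEHOLDER" />
      <add name="DefaultDocumentModule"  image="PLACEHOLDER" />
      <add name="DirectoryListingModule" image="PLACEHOLDER" />
      <add name="CustomErrorModule"      image="PLACEHOLDER" />
      <add name="HttpLoggingModule"      image="PLACEHOLDER" />
      <add name="AnonymousAuthModule"    image="PLACEHOLDER" />
      <add name="BasicAuthModule"        image="PLACEHOLDER" />
      <add name="TraceVerbModule"        image="PLACEHOLDER" />
      <add name="CgiModule"              image="PLACEHOLDER" />
      <add name="FileCacheModule"        image="PLACEHOLDER" />
      <add name="HTTPCacheModule"        image="PLACEHOLDER" />
      <add name="TokenCacheModule"       image="PLACEHOLDER" />
      <add name="UriCacheModule"         image="PLACEHOLDER" />
    </globalModules>
  </system.webServer>
</configuration>
'@

# Assumed baseline for a server that only serves static content anonymously.
$baseline = @(
    'StaticFileModule', 'DefaultDocumentModule', 'CustomErrorModule',
    'HttpLoggingModule', 'RequestFilteringModule', 'AnonymousAuthModule',
    'FileCacheModule', 'HTTPCacheModule', 'TokenCacheModule', 'UriCacheModule'
)

function Compare-IisModuleBaseline {
    param([xml]$Config, [string[]]$Baseline)

    # @() keeps the result an array even when only one module is registered.
    $installed = @($Config.configuration.'system.webServer'.globalModules.add |
                   ForEach-Object { $_.name })

    New-Object PSObject -Property @{
        # Installed but not in the baseline: extra binaries to patch and defend.
        Unexpected = @($installed | Where-Object { $Baseline -notcontains $_ })
        # In the baseline but not installed: an expected control is absent.
        Missing    = @($Baseline  | Where-Object { $installed -notcontains $_ })
    }
}

$result = Compare-IisModuleBaseline -Config $sampleConfig -Baseline $baseline
'Unexpected (remove or justify): ' + ($result.Unexpected -join ', ')
'Missing from baseline:          ' + ($result.Missing -join ', ')
```

To audit a live server, load the real file instead of the sample, for instance with [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"), and maintain one baseline per server role.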

Excerpted from "Introducing Windows Server 2008" by Mitch Tulloch with the Microsoft Windows Server Team. Reprinted by permission of Microsoft Press. All rights reserved. For more information, go to http://www.microsoft.com/MSPress/books/11163.aspx


This was first published in September 2007
