
Can IIS 6.0 take the heat?

Microsoft's IIS 5.0 was some fine dining for worms. The company needed to make the next version less tantalizing to intruders, and more appealing to customers.

With Web services central to its .NET framework, the success of Microsoft's IIS Web server technology rides on whether the next version can improve security and boost performance enough to match the competing Apache server.

Worm food

Internet Information Services (IIS) has been a favorite target for crackers. In fact, some experts wager that the platform has seen more attacks than all the other Microsoft platforms combined. Proving that IIS 6.0 is stable is critical as the company moves closer to its .NET platform with Web services at the center.

"It's the number one thing Microsoft needs to get right," said Greg Frankenfield, CEO at Magenic Technologies, a Minneapolis integrator.

The proof is in the doughnuts

At least one customer testing .NET and the beta version of IIS is reporting initial improvement over version 5.0. Frank Hood, vice president of operations at the Krispy Kreme Doughnut Corp., in Winston-Salem, N.C., said Microsoft is helping his company convert to .NET and test IIS 6.0.

He said his goal for this trial was to see that IIS performed at least on par with version 5.0, and in the end the best came through.

"We have had no material outage to speak of that is core to IIS," Hood said. "We have had only two issues occur with our server, and those were introduced by humans."

A familiar interface

Brett Hill, a Microsoft certified IIS trainer, said most administrators accustomed to working with IIS 5.0 will feel comfortable working with version 6.0 because the user interface, though not identical, is familiar.

But all agree that customers must realize that IIS 6.0 is much more than an extension of 5.0. The Web server software has been completely rewritten and has a new engine and framework.

The IIS 6.0 technology will ship to manufacturing in the second half of calendar year 2002 -- locked down as part of the Windows .NET server product, according to Microsoft. Customers don't have to use IIS with .NET, but if or when they do, they can activate the software from a console.

Tougher on the buffer

Many of the new features today more or less mimic the Apache server, particularly in areas that deal with system security.

For example, the most serious attacks on IIS have been buffer overflow attacks, and Microsoft has added security features to alleviate that problem.

In previous versions an attacker could launch what is called a buffer overflow attack and crash an application, which would give the attacker access to system resources via the elevated privileges account. In version 6.0, an attacker cannot enter the system account by crashing an application because the kernel mode listener, which processes HTTP commands, does not run any user code, Hill said.

Applications run in separate processes in the security context of a low-privileged account or administrator-assigned user accounts. This manner of functioning "out-of-process" is similar to how applications run on the Linux-based Apache server.

As a result of the architectural improvements in IIS 6.0, performance will be improved even though applications run out of process, though Microsoft has not said by how much.

Running applications out of process could potentially cause some problems when it comes to application compatibility, Hill said. "If an application is designed such that it cannot be run outside of Inetinfo, it will probably need to be retooled, or you will be limited to using IIS 5.0 compatibility mode."

Third party favors

Mary Alice Colvin, product manager for Windows .NET Server, said Microsoft is providing information for third-party software vendors so they can make their applications compatible. The IIS 5.0 mode can be turned on, and this lets users run an application not fully compatible with IIS 6.0, though some of the 6.0 features may be lost.

What's in the pool?

Another substantial change is the ability to define application pools. The 5.0 version of IIS let administrators run applications in a "resource pool." In version 6.0, IT administrators can define their own application pools by putting one or more applications in the same pool, under their own security context, and then monitor that pool.

"It's a means of partitioning applications so they have dedicated resources, security identity and parameters to monitor their health," Hill said.

Looking up to Zeus

In the end, whether this upcoming version of IIS is stable enough to convert Apache users may have just as much to do with what type of expertise the customer has in house, said William Boswell, a principal at the Windows Consulting Group.

Boswell predicted that Sun shops will run Web servers on Solaris and Windows shops will probably use IIS, but customers with the highest performance and security concerns will probably stick with a high-end Web product like the one made by Zeus Technologies of Santa Clara, Calif.

