Modular architecture in IIS 7.0 aids Web server security

The new modular architecture in IIS 7.0 allows you to manage the features you install on your Web servers.

Introducing Windows Server 2008
By Mitch Tulloch

Get a jump on evaluating Windows Server 2008 -- with technical insights from the Windows Server team. This practical introduction delivers real-world implementation scenarios and pragmatic advice for administering Windows Server in the enterprise.

One thing I really like about IIS 7.0 is its new modular architecture. What this means is that instead of IIS being a monolithic entity installed by default with only a few features available for optional installation, IIS 7.0 now has more than 40 separate setup components you can choose from, and only a small set of these are installed by default. You can now install only the IIS features you actually need on your Web server and leave the remaining features uninstalled. The benefits of doing this are fivefold:

  • First, your system is more secure. Why? Because the only IIS binaries installed on your system are those you actually need. And the fewer binaries, the less attack surface there is on your machine.

  • Second, your system is easier to service. Why? Because maintaining a server involves keeping it patched with the latest critical updates from Microsoft. But if you have only a subset of the available IIS modules installed on your machine, you have to patch only those modules -- you don't have to patch modules that aren't installed.

  • Third, your system is easier to manage. For example, as we'll see in a moment, if the component supporting Basic authentication is not installed on your system, the configuration setting for this feature won't be present. And the fewer configuration settings that are surfaced, the less clutter the admin UI has and the easier it is to manage your server.

  • Fourth, you can customize your Web server to function in a specific role in your environment.

  • And fifth, you can reduce the memory footprint of your Web server by removing unnecessary modules. As a result, the amount of memory used by worker processes on your machine will be reduced, which can allow you to host more Web sites and Web applications on your machine -- something especially valuable in large hosting environments. Reducing the number of installed modules also means that fewer intra-process events occur, which frees up CPU cycles as well -- something that, again, is important in hosting environments.

In addition, you can even create your own custom modules and use these to replace existing modules or add new features to your Web server. We'll talk about this later when we discuss the extensibility of the IIS 7.0 platform.

The following graphic shows the IIS 7.0 components available for you to install when you add the Web Server (IIS) role to your Windows Server 2008 machine. These components are called modules, and you can add or remove them from the Web server engine, depending on what you need.

Table 11-1 lists the different modules available in each category and provides a short description of what they do.

Table 11-1 IIS 7.0 modules and their functionality

| Module name | Description |
| --- | --- |
| HTTP modules | |
| CustomErrorModule | Sends default and configured HTTP error messages when an error status code is set on a response |
| HttpRedirectionModule | Supports configurable redirection for HTTP requests |
| OptionsVerbModule | Provides information about allowed verbs in response to OPTIONS verb requests |
| ProtocolSupportModule | Performs protocol-related actions, such as setting response headers and redirecting headers based on configuration |
| RequestForwarderModule | Forwards requests to external HTTP servers and captures responses |
| TraceVerbModule | Returns request headers in response to TRACE verb requests |
| Security modules | |
| AnonymousAuthModule | Performs Anonymous authentication when no other authentication method succeeds |
| BasicAuthModule | Performs Basic authentication |
| CertificateMappingAuthenticationModule | Performs Certificate Mapping authentication using Active Directory |
| DigestAuthModule | Performs Digest authentication |
| IISCertificateMappingAuthenticationModule | Performs Certificate Mapping authentication using IIS certificate configuration |
| RequestFilteringModule | Performs URLScan tasks, such as configuring allowed verbs and file extensions, setting limits, and scanning for bad character sequences |
| UrlAuthorizationModule | Performs URL authorization |
| WindowsAuthModule | Performs NTLM integrated authentication |
| Content modules | |
| CgiModule | Executes CGI processes to build response output. There's also a FastCGI handler that's installed as part of the CGI install. |
| DavFSModule | Sets the handler for Distributed Authoring and Versioning (DAV) requests to the DAV handler |
| DefaultDocumentModule | Attempts to return the default document for requests made to the parent directory |
| DirectoryListingModule | Lists the contents of a directory |
| IsapiModule | Hosts ISAPI DLLs |
| IsapiFilterModule | Supports ISAPI filter DLLs |
| ServerSideIncludeModule | Processes server-side includes code |
| StaticFileModule | Serves static files |
| Compression modules | |
| DynamicCompressionModule | Compresses responses, and applies Gzip compression transfer coding to responses |
| StaticCompressionModule | Performs precompression of static content |
| Caching modules | |
| FileCacheModule | Provides user-mode caching for files and file handles (required) |
| HTTPCacheModule | Provides kernel-mode and user-mode caching in HTTP.sys (required) |
| SiteCacheModule | Provides user-mode caching of site information |
| TokenCacheModule | Provides user-mode caching of user name and token pairs for modules that produce Windows user principals (required) |
| UriCacheModule | Provides user-mode caching of URL information (required) |
| Logging and diagnostics modules | |
| CustomLoggingModule | Loads custom logging modules |
| FailedRequestsTracingModule | Supports the Failed Request Tracing feature |
| HttpLoggingModule | Passes information and processing status to HTTP.sys for logging |
| RequestMonitorModule | Tracks requests currently executing in worker processes, and reports information with Runtime Status and Control Application (RSCA) Programming Interface |
| TracingModule | Reports events to Microsoft Event Tracing for Windows (ETW) |

You can install these modules by adding role services and features to the Web Server (IIS) role using Server Manager. (Note that some of these modules cannot be selectively installed or uninstalled unless you uninstall the entire w3svc.) When you add the Web Server (IIS) role to your Windows Server 2008 server, a subset of available role services and features is installed by default (though you can also choose to add role services and features at this time or later).
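Because each installed module is attack surface, it is worth checking a server's module list against the role it is meant to fill. The PowerShell below is an added example, not code from the book: it reads the globalModules section of applicationHost.config, where IIS 7.0 registers its native modules, and reports modules that fall outside a baseline. The sample configuration is constructed using the names in Table 11-1, and the static-content baseline and the function name Compare-IisModuleBaseline are assumptions; take the module names for a real audit from your own file.

```powershell
# Constructed sample of the <globalModules> section of applicationHost.config.
# Names follow Table 11-1; a real file also carries an image= attribute per entry.
# Live server: [xml]$config = Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"
[xml]$config = @'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" />
      <add name="FileCacheModule" />
      <add name="TokenCacheModule" />
      <add name="HTTPCacheModule" />
      <add name="StaticFileModule" />
      <add name="DefaultDocumentModule" />
      <add name="AnonymousAuthModule" />
      <add name="HttpLoggingModule" />
      <add name="BasicAuthModule" />
      <add name="DirectoryListingModule" />
      <add name="TraceVerbModule" />
    </globalModules>
  </system.webServer>
</configuration>
'@

# Hypothetical baseline for a static-content server role (an assumption).
$baseline = @(
    'UriCacheModule', 'FileCacheModule', 'TokenCacheModule', 'HTTPCacheModule',
    'StaticFileModule', 'DefaultDocumentModule', 'AnonymousAuthModule',
    'RequestFilteringModule', 'HttpLoggingModule'
)

function Compare-IisModuleBaseline([xml]$Config, [string[]]$Baseline) {
    # Names of every native module registered with the server.
    $installed = @($Config.configuration.'system.webServer'.globalModules.add |
        ForEach-Object { $_.name })

    # Installed but not in the baseline: attack surface to review or remove.
    foreach ($name in $installed) {
        if ($Baseline -notcontains $name) {
            New-Object PSObject -Property @{ Module = $name; Finding = 'Unexpected' }
        }
    }
    # In the baseline but absent: a control the role expects is not there.
    foreach ($name in $Baseline) {
        if ($installed -notcontains $name) {
            New-Object PSObject -Property @{ Module = $name; Finding = 'Missing' }
        }
    }
}

Compare-IisModuleBaseline $config $baseline | Format-Table Module, Finding -AutoSize
```

On the constructed sample this flags BasicAuthModule, DirectoryListingModule and TraceVerbModule as unexpected and RequestFilteringModule as missing.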

Excerpted from "Introducing Windows Server 2008" by Mitch Tulloch with the Microsoft Windows Server Team. Reprinted by permission of Microsoft Press. All rights reserved. For more information, go to

