IIS 7 for Apache Administrators

by Tali Smith

Apache Hypertext Transfer Protocol (HTTP) Server and Internet Information Services are two of the world's most popular Web servers. This article provides technical information about IIS for users who are familiar with Apache. The article compares the architecture, security model, and management features of IIS 7 (and above) with those of Apache, and it also compares common IIS and Apache management scenarios and tools.

IIS, with a modular design similar to that of the Apache Web server, gives administrators control through its extensible architecture and intuitive graphical user interface. Diagnostic capabilities built into IIS help reduce the time required to troubleshoot issues, minimizing downtime.

The functionality of IIS is divided into more than 44 separate feature modules. These modules can be installed during the setup of the Web Server (IIS) role through the Server Manager console. The existent functionality can be extended further using the included Win32® and Microsoft® .NET application programming interfaces (APIs) to build new modules. While the IIS modules replace Internet Server Application Programming Interface (ISAPI) filters and extensions, IIS maintains full support of these filters and extensions.

Apache Web Server provides limited support for Microsoft® Speech API (SAPI) extensions, but does not support ISAPI filters. It relies on a community-driven project called the Apache Portable Runtime (APR), which is used to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The APR provides a set of APIs that maps to the underlying operating system, and thus let developers code platform-independent programs.

Since 2003, four security vulnerabilities have been reported on IIS 6.0, compared with 23 for Apache 2.0.x during the same period of time,[1] according to the security service provider Secunia. IIS builds on the secure foundation of its predecessor, and brings an enhanced process model that isolates applications by sandboxing resources and configurations at the application level by default.

Installing a minimal environment by choosing the Server Core installation option of Windows ServerÒ 2008 further limits the area of exposure of the IIS installation. Server Core omits graphical services and most libraries, reducing the total footprint of the operating system while still retaining the ability to be administered both locally, through the IIS command-line utility Appcmd.exe, and remotely.

The initial design of Apache did not take into account the possibility of implementing a graphical interface for its management tools. Apache management functions are accomplished through entries made directly into configuration files or through open-source graphical management tools such as TKApache and NetLoony.

IIS offers a range of management tools; management can be accomplished graphically, via the command line, or manually by editing the configuration file.

In Apache, faults are isolated and diagnosed through five log files, each of which must be read manually to search for patterns that point to a particular problem.

IIS include two mechanisms to help with diagnostics and troubleshooting:

• The Runtime State and Control API provides real-time state information about application pools, worker processes, sites, application domains, and even running requests. This Component Object Model (COM) API is displayed through the IIS Manager console, the new Appcmd.exe command-line tool, and WindowsÒ Management Instrumentation (WMI). These applications offer quick and easy status checks in any management environment chosen.
• Detailed event tracing functionality tracks events throughout the request and response path, allowing developers and administrators to trace a request through the IIS processing pipeline and back out to the response. These detailed tracing events collect information on the request path, errors raised by the request, and the elapsed time at all points.

IIS also provides a detailed and actionable library of error messages. This library replaces the traditional, terse error codes with detailed information about the request, the possible cause of the error, and suggested steps to fix the problem. IIS sends detailed error information to the browser and other remote clients.

IIS offers tools that enable organizations to manage all of their Web applications on a single platform, eliminating the need to maintain two or more independent platforms that create higher infrastructure costs.

FastCGI in IIS supports the high-performance version of the Common Gateway Interface (CGI). FastCGI overcomes the performance problems of standard CGIs by creating persistent processes that can be reused for multiple requests, rather than creating a new process for each request, which is then discarded when the request has been filled. FastCGI also allows applications to run remotely, improving load distribution.

IIS also operates with the MicrosoftÒ .NET Framework version 1.1 and later. Through its support of classic ASP, Microsoft® ASP.NET, and PHP, IIS provides organizations with the flexibility to write applications in the language of their choice and to host applications on the platform of their choice.

Developers can extend IIS through the core server API set, which lets them build modules in both native code (such as C/C++) and managed code using languages (such as C# and Microsoft® Visual Basic®) that use the .NET Framework. IIS also enables extensibility for configuration, scripting, event logging, and administration tool feature sets.

Extensions are available for download at no charge for x86 and x64 platforms. The extensions cover a range of tasks in deployment, administration, request handling, security, content publishing, and media service. For the available IIS extensions, see: IIS Extensions.

FTP Publishing Service for IIS (FTP 7) offers many enhanced capabilities over previous releases of the IIS FTP server:

• Tighter integration with IIS through a new administration user interface (UI) and configuration store based on the .NET XML-based *.CONFIG format.
• Support for File Transfer Protocol (FTP) over Secure Sockets Layer (SSL) and for the use of non-WindowsÒ accounts for authentication. The new FTP service also supports other Internet improvements, such as UTF8 and IPv6.
• Shared hosting improvements through full integration into IIS. This allows FTP 7 to host FTP and Web content from the same site by simply adding an FTP binding to an existing Web site. In addition, the FTP service now has virtual host name support, making it possible to host multiple FTP sites on the same IP address.
• Improved logging and supportability features, including enhanced logging for all FTP-related traffic, unique tracking for FTP sessions, FTP sub-statuses, and additional detail fields in FTP logs.

In previous versions of IIS, ASP.NET was implemented as an IIS ISAPI extension, and requests to non-ASP.NET content, such as ASP pages or static files, were not visible to ASP.NET.

In IIS, the layout of the request pipeline provides more opportunities to influence the way in which a request is handled. IIS processes a request to any content type, which enables services provided by ASP.NET modules such as forms authentication or output cache to be used for requests to ASP pages, PHP pages, or static files.

In Apache, configuration starts with a directive entry in the Httpd.config file.

This method is similar for IIS configuration, in which most settings can be configured either locally in the Web.config file or globally in the ApplicationHost.config file. IIS provides a few methods for editing the .config files. These methods include:

• Graphically editing through the IIS Manager console.
• Editing from the command prompt by using Appcmd.exe along with the set config / commit argument/.
• Editing within a Windows Management Instrumentation script, using Application class.
• Manually editing the configuration files, which are based on a strongly typed schema written in clear-text XML. Microsoft® Visual Web Developer 2005 Express Edition can be used to edit the IIS configuration files in a neat-looking code editor environment.

The complete usage options of Appcmd.exe can be found here.

Modules in IIS control and customize its functionality, resulting in greater flexibility and efficiency of the server platform. By default, these modules are dynamic link library (DLL) files stored in the %WINDIR%\System32\inetsrv\ folder. They can be classified into two types, as follows.

• Native. A native module has unrestricted access to any resource available to the server worker process, just like an ISAPI filter or extension in previous versions.
• Managed. Managed modules can be configured separately for each site or application. They are loaded for processing only when required by the particular site or application.

Several IIS modules perform tasks specific to HTTP in the request-processing pipeline. These include modules to respond to information and inquiries sent in client headers, to return HTTP errors, and to redirect requests.

Several IIS modules perform security tasks in the request-processing pipeline. In addition, separate modules exist for each of the authentication schemes, enabling the selection of modules for the types of authentication desired on the server. Other modules perform URL authorization and filter requests.

Several IIS modules perform tasks related to content in the request-processing pipeline. Content modules process requests for static files, return a default page when a client fails to specify a resource in a request, list the contents of a directory, and more.

Two IIS modules perform compression in the request-processing pipeline.

Several IIS modules perform tasks related to caching in the request-processing pipeline. Caching improves the performance of Web sites and Web applications by storing processed information, such as Web pages, in memory on the server and then reusing that information in subsequent requests for the same resource.

Several IIS modules perform tasks related to logging and diagnostics in the request-processing pipeline. The logging modules support loading custom modules and passing information to HTTP.sys. The diagnostics modules track and report events during request processing.

Two IIS modules support managed integration in the IIS request-processing pipeline.

In addition to native modules, IIS enables the use of managed code modules to extend IIS functionality. Some of the managed modules, such as UrlAuthorization, have a native module counterpart that provides a native alternative to the managed module.

The new configuration system in IIS caches configuration files like .htaccess files in Apache, but consumes significantly less memory. In addition, there are various ways to configure IIS to take advantage of either global or more granular configuration changes.

IIS uses a configuration scheme that provides ASP.NET integration, including shared configuration and HTTP runtime support. The XML-based configuration model uses configuration text files that hold configuration settings and that can be stored in separate XML files in a folder.

IIS uses three main XML files that maintain server deployments:

• Machine.config holds .NET Framework settings for the server. These settings are inherited by all other .NET Framework configuration files and can be located by default at %windir%\Microsoft.net\Framework\<*framework\_version*>\Config\Machine.config.
• The ApplicationHost.config file contains settings for IIS and its services. By default, it is located at %windir%\System32\inetsrv\config\applicationHost.config.
• The Root Web.config file holds the global settings for ASP.NET Web applications, and it is located at %windir%\Microsoft.NET\Framework\<*framework\_version*>\Config\Root Web.config. This file gives each application a Web.config file that overrides global settings and also allows the IIS configuration settings to be stored in these Web.config files, making copying applications across multiple Web servers much easier, and avoids costly and error-prone replication, manual synchronization, and additional configuration tasks.

IIS can be used to execute the same management tasks that are performed on Apache.

For every standard HTTP error 403, 404, and 504, a message is returned to the browser. Different Web servers allow administrators to return a default error message, a specific Web page, or a file as a Web page for each error.

• In Apache, customizing error messages is done using the .htaccess file, which administrators can use to manipulate server behavior and create custom server error messages. Examples of such errors are the "404 Not Found" error that appears when a link is broken and the "500 Internal Server Error" that appears when a script fails. The .htaccess file tells the server to display a special page in case of an error.
• IIS also lets administrators return special pages in place of default pages for Web site errors. For example, instead of displaying the message "404 File Not Found," a message listing optional links along with the company header and an apologetic note may be displayed.

By default, IIS returns two types of errors when a problem occurs. The first type is the standard custom error, including a terse error description and an error code. The second type of error is a detailed error, which by default only returns requests from localhost. IIS can be configured to return detailed errors all the time, specifically when the application needs to be run in debug mode, or to never return detailed errors and instead always return custom errors.

URL rewriting is a way to modify the appearance of a Web URL. Web application users prefer short, neat URLs instead of raw query string parameters. A concise URL is easy to remember and less time-consuming to type in. If the URL can be made to relate clearly to the content of the page, then errors are less likely to happen.

• For URL rewriting, Apache comes with a well-known module called mod_rewrite. This module provides a rule-based rewriting engine to rewrite requested URLs on the fly. The mod_rewrite module is enabled in the Apache.conf file by removing the # and restarting Apache. Rewrite rules can then be defined in the .htaccess file within any particular directory.
• IIS now offers a URL Rewriting module (see: URL Rewrite Module).

Web caching is the temporary storage of Web objects, such as HTML documents, for later retrieval. There are three significant advantages to Web caching: reduced bandwidth consumption as fewer requests and responses need to go over the network, reduced server load as a server has fewer requests to handle, and reduced latency since responses for cached requests are available immediately and are closer to the client being served. Together, these advantages make the Web less expensive and improve performance.

Caching can be performed by the client application and is built into most Web browsers. A number of products extend or replace built-in caches with systems containing larger storage, more features, or better performance. Caching can also be implemented between the client and the server as part of a proxy. Proxy caches are often located near network gateways to reduce the bandwidth required over expensive dedicated Internet connections. Finally, caches can be placed directly in front of a particular server to reduce the number of requests that the server must handle.

• In Apache 2.0 and 2.2, caching normally relies on three modules: mod_cache, mod_disk_cache, and mod_mem_cache. The commands to configure caching must be defined in the main server configuration file(s), not in .htaccess files. Caching techniques do not work without server administrator access and are most appropriate for dynamic content that should be cached and served as static content. This is how Apache forces the caching of dynamic content for a certain period of time that would otherwise be served dynamically each time before hitting the database again.
• The IIS output cache is a new feature that makes it possible to cache entire responses in memory, even from dynamic content, and lets site owners and developers configure the output cache to allow caching of separate copies of responses based on query string values.

The output cache is also integrated with the HTTP.sys kernel cache that helps with fast performance. Kernel caching is unlocked by default. Developers can take advantage of this feature by configuring caching profiles within their applications. A command-line tool can be executed to show the content in the HTTP.sys cache. A rule based on response headers may be configured to cache different versions of content in a site or application.

Although Web page compression is not a new technology, it has recently become popular among IT administrators and managers because of the almost-immediate return on investment (ROI) that it generates.

• The Web output compression solution available in Apache is mod_gzip, with which configured file types are compressed using GZIP encoding after processing by Apache's other modules and before being sent to the client. When a request is received from a client, Apache determines if mod_gzip should be invoked by noting whether the "Accept-Encoding" HTTP request header was sent. If the client sends the header, mod_gzip compresses the output of all configured file types when they are sent to the client.
• IIS has improved and simplified support for GZIP encoding enabled out-of-the-box execution of Web compression. Compression is configured in the ApplicationHost.config file at C:\Windows\System32\inetsrv\config\applicationhost.config. The compression module gives IIS the ability to serve compressed responses to compression-enabled clients. Clients that can accept compressed responses send an Accept-Encoding header indicating the compression schemes that they can handle. If IIS can compress the response using one of these compression schemes, it then sends a compressed response with a Content-Encoding response header indicating the scheme used to compress the response.

To effectively manage a Web server, it is necessary to get feedback on the activity and performance of the server and on any problems that may be occurring.

The Apache HTTP Server provides comprehensive and flexible logging capabilities:

• Error logs. The server error log, whose name and location is set by the ErrorLog directive, is the most important log file. This is where Apache Httpd sends diagnostic information and records any errors that it encounters in processing requests. It is the first place to look when a problem occurs with starting or operating the server, since it often contains details of what went wrong and how to fix it.

  A wide variety of different messages can appear in the error log. The error log also contains debugging output from CGI scripts. Any information written to stderr by a CGI script is copied directly to the error log.

  Customizing the error log by adding or removing information is not possible. However, error log entries dealing with particular requests have corresponding entries in the access log. Customizing the access log to provide more information is also possible.

• Access logs. In Apache, the server access log records all requests processed by the server. The CustomLog directive controls the location and content of the access log. The LogFormat directive can be used to simplify the selection of the contents of the logs. Various versions of Apache Httpd use different modules and directives to control access logging, including mod_log_config, mod_log_referer, mod_log_agent, and the TransferLog directive.

• Script logs. To aid in debugging, the ScriptLog directive allows you to record the input to and output from CGI scripts. This should only be used during testing and not for live servers.

• Rewrite logs. When using the powerful and complex features of mod_rewrite, it is almost always necessary to use the RewriteLog to help in debugging. This log file produces a detailed analysis of how the rewriting engine transforms requests. The RewriteLogLevel directive controls the level of detail.

IIS includes major improvements that aid in diagnostics and troubleshooting to help developers and administrators more easily work with errant Web sites and applications. The following are improvements in diagnostic and troubleshooting tools in IIS:

• Lets the administrator see all requests currently running on the server.
• Provides detailed local server error logs.
• Provides detailed trace log that make it possible to track problem issues and obtain detailed information about trace events.
• Includes new Runtime State and Control API (RSCA) for real-time state information about application pools, worker processes, sites, application domains, and running requests (providing real-time state information through a native Component Object Model [COM] API and Appcmd.exe).
• Can be configured to automatically capture full trace logs.
• Contains tools that let IT staff find problems and troubleshoot in IIS Manager.

Apache administrators often use the following to secure their configurations:

• Apply security patches.

• Hide the Apache version number and other sensitive information.

• Make sure Apache is running under its own user account and group.

• Ensure that files outside the Web root are not served.

• Turn off directory browsing.

• Turn off CGI execution.

• Run mod_security, a module written to apply several different security configurations:

  • Filtering (Simple and Regular Expression based)
  • Encoding Validation (URL and Unicode)
  • Auditing
  • Upload memory limits
  • Server identity masking, etc.

Request Filtering is integrated into IIS. Details and a complete options set for the module can be found here.

Dynamic IP Restrictions for IIS is a module that provides protection against denial-of-service and brute-force attacks on Web servers and Web sites. Such protection is provided by temporarily blocking IP addresses of the HTTP clients that make unusually high number of concurrent requests or that make large number of requests over a short period of time. Detailed instructions on the installation and use of this module can be found here.

• My Take: IIS vs. Apache
• See: http://secunia.com/advisories/product/1438/?task=statistics