[This is preliminary documentation and subject to change]
Internet Information Services 6.0 has many features to help Web administrators to create scalable, flexible Web applications. The features are described in the following topics:
Metabase re-engineering has led to dramatic improvements in server startup and shutdown times, in addition to enhancing overall metabase performance and usability.
About the Metabase: The metabase is stored in two plain-text, XML-formatted files on disk: Metabase.xml contains the configuration values for IIS, and MBSchema.xml stores the XML metabase schema and enforces correct metabase configuration. Because both the Metabase.xml and MBSchema.xml files are stored as plain text, they are human readable and editable using any plain-text editor.
About the Metabase History Feature: You can quickly roll back to a previous version of the metabase, which makes restoration easy and prevents long service interruptions. Changes to the metabase are tracked automatically and written to disk by versioning a copy of the metabase file in a history folder. Each history file is marked with a unique version number, which is then available for the metabase rollback or restore processes. A new set of Admin Base Object (ABO), WMI, and ADSI methods is exposed, which allows users to enumerate and roll back metabase configuration programmatically.
About Editing the MetaBase.xml File While IIS Is Running
Import and Export Site and Application Configuration: To propagate site and application configuration settings across multiple servers at any node level, IIS supports two Admin Base Object (ABO) methods, Import() and Export(). Using these methods, you can export one node or an entire tree from any level of the metabase to an XML file, along with the inherited configuration if you choose, and then import one node or an entire tree from an XML file, as well as the inherited configurations. In addition, you can password protect secure data with these ABO methods.
Create Server Independent Metabase Backups: Using the BackupWithPassword and RestoreWithPassword methods of the ADSI IIsComputer object, you can programmatically back up and restore the metabase with a password. The session key is encrypted with an optional user-supplied password during backup and is not based on the machine key.
Metabase Reliability: Using the configuration backup/restore feature, you can create a secure or insecure backup of your metabase. Administrators can also restore copies of the metabase to other computers via the IIS snap-in. These backup methods provide a way to restore only your metabase settings, not your content files. As with previous versions of IIS, you can programmatically create a legacy backup of the metabase; however, you cannot restore legacy backups of the metabase to other computers.
Metabase Snapshot Writer: Metabase snapshot writer (MSW) uses COM to ensure that NTbackup creates a stable and reliable backup of the metabase. MSW is used with NTbackup only, and is not a part of the Configuration Backup/Restore application that is run from the IIS snap-in.
The IIS WMI Provider: Windows XP features Windows Management Instrumentation (WMI), a scalable management infrastructure, as a means to improve management of Windows servers in your environment. The IIS WMI provider provides a level of manageability functionally equivalent to the IIS ADSI provider, while supporting an extensible schema. Furthermore, schema extensions developed using ADSI are imported into the IIS WMI provider, which extends the benefits of WMI further.
Command-Line Administrative Scripts: Command-line administration makes it easier to perform management tasks efficiently. IIS provides scripts for the following tasks:
UTF-8 Logging Support: IIS supports log file recording in UTF-8, which allows administrators to log their URL hits in their native language instead of English. This setting, configurable at the W3SVC level, instructs Http.sys in which format to write out the log files: in UTF-8 or in the local code page.
You can restart IIS without having to reboot your computer.
Now administrators can send informative messages to clients when HTTP errors occur on Web sites. The improved custom error messages also include detailed ASP error processing capabilities through the use of the 500-100.asp custom error message. You can use the custom errors that IIS provides, or create your own.
You can set permissions for Read, Write, Execute, Script, and FrontPage Web operations at the Web site, directory, or file level.
Terminal Services is a feature of Windows XP that allows you to run 32-bit Windows applications on terminals and terminal emulators running on personal computers and other computer desktops. This enables you to remotely administer Windows XP services such as IIS, as if you were at the server console. You can administer from older legacy PCs, or even non-PC devices such as UNIX workstations with compatible client software. However, non-Windows-based client devices require third-party add-on software.
Administration tools for IIS use the Microsoft® Management Console (MMC). MMC hosts the programs, such as the IIS snap-in, that administrators can use to manage their servers. You can use the IIS snap-in from a computer running Windows XP Professional to administer a computer on your intranet running Internet Information Services on a Windows server product.
Remotable Certification Object: Using scripts, you can process SSL certificates on your local computer or a remote computer. A COM object allows you to perform the add, remove, back up, and restore functions, which works around the constraints imposed by the MMC.

Http.sys is a single point of contact for all incoming (server-side) HTTP requests that provides high-performance connectivity for HTTP server applications. Http.sys is also responsible for overall connection management, bandwidth throttling, and text-based logging. Http.sys implements a flexible URI response cache, called flexible caching, which enables HTTP applications to cache static and dynamic data and service cached HTTP requests completely in kernel mode with no transition to user mode. Http.sys implements a URI namespace mapping mechanism called application pools. With application pools HTTP applications can claim portions of the URI namespace, which allows Http.sys to route HTTP requests directly to the appropriate HTTP applications.
ASP Template Cache Tuning: ASP processes templates that contain ASP scripts, stores the processed templates in a cache, and serves the cached templates to clients. By default, 250 templates are cached in-memory. If a site uses ASP heavily, this in-memory template cache cannot store all the necessary templates. IIS includes a persistent cache, so templates are cached to disk if the in-memory cache does not have enough space. If the ASP page is requested again, Asp.dll doesn't need to re-compile the source code and can load the compiled template from disk. Caching ASP templates enhances performance because cached ASP templates are not processed each time they are called. You can further improve performance by changing the number of cached templates for all applications with low (in process) application protection or medium (pooled) application protection, or individually for applications with high (isolated) application protection.
Asynchronous CGI: IIS handles the CGI implementation asynchronously, thereby removing the potential for blocked CGI processing responses.
Capacity Planning Tracing: When you plan your system's capacity and need to determine real or estimated costs, you can collect and analyze event trace data under different workloads and different hardware configurations. Using the IIS tracing feature for capacity planning, you can trace application workloads against ASP script resource usage, such as HTTP response/request times.
Quality of Service: As an administrator, you can control the level and quality of service for your users by using the IIS implementation of connection limits and timeouts, application pool queue length limits, bandwidth throttling, and process accounting.
IIS leverages the operating system to do bandwidth throttling, which allows IIS to throttle individual host-header sites. Responses for a given site can be sent in parallel rather than serially.
Provides information about how individual Web sites use CPU resources on the server. This information is useful to determine which sites are using disproportionately high CPU resources or which sites may have malfunctioning scripts or CGI processes.
You can limit the percentage of time the CPU spends processing out-of-process ASP, ISAPI, and CGI applications for individual Web sites. In addition, misbehaving processes can be stopped and restarted.
Modes of Operation: You can configure IIS 6.0 to run in either standard application mode, where processes run within the Web service, or dedicated application mode, where all application code runs in isolated processes. Standard application mode allows you to run your IIS 5.0 applications in the IIS 6.0 environment. With dedicated application mode, you can isolate anything from an individual Web application to multiple sites in their own self-contained Web service process, preventing one application or site from stopping another. Separating applications or sites into separate processes simplifies a number of management tasks.
Worker Processes: Worker processes in dedicated application mode handle all user code and are completely isolated from the core Web service, Inetinfo.exe. Because these ISAPI applications run separately from the Web service, an application failure does not cause all services hosted by Inetinfo to fail. Only the worker process that hosts the ISAPI application is affected. Worker processes can be configured to run on specific CPUs, which gives you greater control over balancing system resources.
Application Pools: Dedicated application mode allows customers to create multiple application pools, where each application pool can have a different configuration. Performance and reliability are enhanced because these application pools receive their requests directly from the kernel instead of Inetinfo.
Application Pool Assignments: An application pool can be configured in dedicated application mode to serve anything from one Web application to multiple applications up to multiple sites. Assigning an application to an application pool allows you to further isolate applications, and is as easy as configuring in the metabase which pool that application should be routed to. Sites, by default, are considered to be a simple application: one where the root namespace "/" is configured as an application.
Application Pool Queue Length Limits: When running in dedicated application mode, you can choose to limit the number of requests that should be queued for each application pool in Http.sys. This allows you to fine-tune the environment in which your applications run by managing pool requests and system resources.
Web Gardens: A Web garden is an application pool that has multiple worker processes serving the requests routed to that pool. Each pool is configured to associate with a specified processor. You can increase scalability of your Web applications in dedicated application mode because a lock on one process does not block any other processes on the multi-processor computer.
Kernel Mode Queuing: Http.sys places requests destined for application pools in a queue if a worker process in that pool fails. Because the Web service is managing the processes, it can initialize another one without causing an interruption in service to your users. Requests are then sent out of the queue until it is empty or the Web service is stopped.
Web Administration Service (WAS): Dedicating separate processing space for management and application processes affords greater system reliability. WAS and Http.sys make up the core portion of the Web service. The service is responsible for configuring Http.sys, managing the various worker processes, and on-demand process starts. The service also enforces many of the health detection features such as "pinging". A worker process, traditionally third-party code, is not allowed to run in the WAS.
Health Monitoring: In dedicated application mode, the Web service monitors the health of worker processes. If a process is unresponsive, it is terminated and replaced with another. Health monitoring helps you to keep processes running and provides your users with more reliable service.
Idle Process Timeout: You can control system resources by configuring application pools in dedicated application mode to have their worker processes request a shutdown if they are idle for a configurable amount of time, such as a minute, an hour, or a day. You can then request a forced application startup when demand exists for that application pool.
Rapid-Fail Protection: You can configure IIS in dedicated application mode to use rapid-fail protection: when a particular application pool suffers multiple failures in a row, it can be automatically disabled. Rapid-fail protection gives you the opportunity to deal with specific troublesome applications while insulating your users from major service problems.
Orphan Worker Process: A worker process that fails to respond to WAS queries can be configured in dedicated application mode to "separate" from the application pool instead of being terminated, as a new one is started in its stead. Because the process is still running, you can perform diagnostics on it.
Recycling Worker Processes: You can configure IIS in dedicated application mode to periodically restart worker processes in an application pool to manage faulty applications. A new process is initialized and takes the requests as the former one finishes processing its requests from the queue. This allows you to manage troublesome applications, such as those with memory leaks, without interrupting service to your users.
Digest authentication allows secure and robust authentication of users across proxy servers and firewalls. In addition, anonymous authentication, basic authentication, and integrated Windows authentication are still available.
Advanced Digest Authentication: Advanced digest authentication makes improvements over basic authentication because credentials are sent over the network as an MD5 hash and are stored as such in the Active Directory of the domain controller. This mechanism makes it extremely difficult for intruders to discover users' passwords and does not require you to modify your applications.
Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) provide a secure way to exchange information between clients and servers. In addition, SSL 3.0 and TLS provide a way for the server to verify who the client is before the user logs on to the server. In IIS, client certificates are exposed to both ISAPI and Active Server Pages, so that programmers can track users through their sites. Also, IIS can map the client certificate to a Windows user account, so that administrators can control access to system resources based on the client certificate.
Server-Gated Cryptography (SGC) is an extension of SSL that allows financial institutions with export versions of IIS to use strong 128-bit encryption. Although SGC capabilities are built into IIS, a special SGC certificate is required to use SGC.
Selectable Cryptographic Service Provider (CSP): Secure Sockets Layer provides a secure way to exchange information between clients and servers. However, the CPU has to perform intensive cryptography, which degrades performance. IIS offers the Selectable Cryptographic Service Provider, which allows you to select a cryptographic provider that suits your needs. Each provider can create a public and private key for encrypting data sent to and from the Web server. The private key is stored at the server on hardware, on a PCI card, on a SmartCard, or in the registry, as it is for the two default providers Microsoft installs. Storing the private key on hardware allows you to plug into hardware-based accelerator cards that perform cryptographic computations instead of the server. It is easy to select providers from the IIS snap-in to use Microsoft or installed third-party CryptoAPI providers. All CryptoAPI providers implement the same methods, so you can switch between providers without having to change your code.
Configurable Worker Process Identity: To thwart system hackers, you can configure application pools and therefore the worker process executing within to run under an account with lower privileges than LocalSystem. If you provide services to Internet users, you can allow your customers to upload static content and executable code. Erroneous code will not cause the Web service or computer to fail, only the application will fail.
Disabling Unknown Extensions: You can configure IIS through a metabase property to serve only files with known file extensions to your users. Requests for unknown file extensions receive an "access denied" error.
Security wizards simplify server administration tasks.
You can grant or deny Web access to individual computers, groups of computers, or entire domains.
IIS is fully integrated with the Kerberos v5 authentication protocol implemented in Microsoft® Windows® XP, allowing you to pass authentication credentials among connected computers running Windows.
IIS certificate storage is now integrated with the Windows CryptoAPI storage. The Windows Certificate Manager provides a single point of entry that allows you to store, back up, and configure server certificates.
The U.S. government security standard, commonly called Fortezza, is supported in IIS. This standard satisfies the Defense Message System security architecture with a cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and systems. These features can be implemented both with server and browser software and with PCMCIA card hardware.
You can use server-side scripting and components to create browser-independent dynamic content. Active Server Pages (ASP) provides an easy-to-use alternative to CGI and ISAPI by allowing content developers to embed any scripting language or server component into their HTML pages. ASP provides access to all of the HTTP request and response streams, as well as standards-based database connectivity and the ability to customize content for different browsers.
If you must develop read raw data filters to allow a user to examine or modify the request entity body before the target URL processes it, an ISAPI extension function enables you to transparently call URLs on the IIS machine. Extensions provide functionality for easy retrieval and manipulation of the entity body. ExecuteURL allows an extension to process the request entity body and pass it to a child request. Furthermore, you can leverage the rich ISAPI extension interfaces. HSE_REQ_EXEC_URL enables request chaining, custom authentication and authorization, and URL hiding. Documentation for this extension is in the Platform SDK.
VectorSend: Using VectorSend, you can construct an ordered list of buffers and file handles to send, and allow IIS to compile the final response. Http.sys compiles all the buffers, file handles, or both buffers and handles into one response buffer within the kernel and then sends it. This action frees the ISAPI from having to do any of the buffer construction or make multiple WriteClient calls. With the HSE_REQ_VECTOR_SEND API you can send multiple buffers with only one transition between user and kernel mode.
Unicode ISAPI: IIS allows Web site hosters to host multi-language content because the reliance on the code page is removed. With UTF-8 encoded URLs, Unicode is possible. IIS adds two new ServerSupportFunctions that allow developers to access the Unicode representation of a URL. This allows them to leverage server variables in Unicode.
Administrators and application developers have the ability to add custom objects, properties, and methods to the existing ADSI provider, giving administrators even more flexibility in configuring their sites.
Microsoft Internet Information Services 6.0 complies with the HTTP 1.1 standard, including features such as PUT and DELETE, the ability to customize HTTP error messages, and support for custom HTTP headers.
With support for host headers, you can host multiple Web sites on a single computer running Microsoft Windows XP Server with only one IP address. This is useful for Internet service providers and corporate intranets hosting multiple sites.
IIS Extensions to FTP: IIS extends FTP in two significant areas. The IIS FTP User Isolation feature allows you to confine users to their own FTP directory, thus preventing them from viewing or overwriting other users' Web content. In addition, IIS supports multiple character sets for FTP, which allows your users native-language access worldwide.
UTF-8 Support: Support for Unicode and UTF-8 now extends to filenames and URLs. ASP can open any filename using the Unicode filename string. UTF-8 URLs are converted to a Unicode representation and presented to ASP.
Enables remote authors to create, move, or delete files, file properties, directories, and directory properties on your server over an HTTP connection.
You can use SMTP and NNTP Services to set up intranet mail and news services that work in conjunction with IIS.
You can apply Platform for Internet Content Selection (PICS) ratings to sites that contain content for mature audiences.
Now File Transfer Protocol file downloads can be resumed without having to download the entire file over again if an interruption occurs during data transfer.
Provides faster transmission of pages between the Web server and compression-enabled clients. Compresses and caches static files, and performs on-demand compression of dynamically generated files.