IIS 6.0 versus IIS 7.0: The Delta
IIS 6.0 was a monumental step forward for the Web platform for Windows. At the highest priority stood security, followed by reliability and scalability. With IIS 7.0, Microsoft stood true to all of these important areas and delivered a rock-solid product; however, as with any release, there is still room for improvement. The following sections help us to understand the differences between IIS 6.0 and IIS 7.0, why changes were made, and what the benefits are for customers.
The major differences between IIS 6.0 and IIS 7.0 are:
■ A modular core server consisting of simplified setup and a unified pipeline for request execution
■ An all new delegatable, distributable configuration system allowing non-administrators as well as non-Windows credentials access to Web server configuration
■ A completely rewritten IIS Manager that is task-oriented and extensible
■ An extensible WMI provider that offers native access to the new configuration as well as access via Windows PowerShell
■ A single, all-inclusive, command-line utility called AppCmd.exe that simplifies access to configuration and state information (done in individual VBS files with IIS 6.0)
■ An IIS and ASP.NET diagnostics engine that is extensible and allows granular access to runtime-specific information about requests
■ A brand-new Failed Request Tracing feature to identify causes of request failures
Modular Core Server
The biggest change in architecture between IIS 6.0 and IIS 7.0 is the modular core server. Remember that the core server in IIS 6.0 was monolithic and its installation was all or none. In IIS 7.0 all of that changes. Figure 12.11 is a diagram of the modular core server in IIS 7.0. As mentioned earlier, the new modular core allows administrators to load only what they need. Figure 12.12 shows that modules can be completely uninstalled from the server at any time.
Because of the changes made to the core server in IIS 7.0, the memory footprint is smaller, performance is better, and the risk of unused code being loaded and available for exploitation is removed. The ability to customize the server workload reduces its attack surface. Patching requirements are also minimized. When a patch was released in the IIS 6.0 monolithic model, the entire core was re-done and sent out. Now only those modules that require patching will receive patches.
Figure 12.11 IIS 7.0 Modular Server Core
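As an added example (not from the book), the PowerShell script below audits the native modules registered on a server against a workload baseline, which is the practical form of "load only what you need". The XML fragment, the baseline list and the Get-ModuleAudit function are constructed for illustration; the fragment follows the globalModules layout of applicationHost.config.

```powershell
# Added example. Constructed sample: a trimmed <globalModules> list in the
# shape used by %windir%\System32\inetsrv\config\applicationHost.config.
[xml]$config = @'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="CgiModule" image="%windir%\System32\inetsrv\cgi.dll" />
      <add name="ExampleVendorModule" image="D:\vendor\example.dll" />
    </globalModules>
  </system.webServer>
</configuration>
'@

# Assumed baseline for a static-content server; replace with your workload's list.
$baseline   = 'StaticFileModule', 'DefaultDocumentModule', 'HttpLoggingModule',
              'RequestFilteringModule'
$trustedDir = '%windir%\System32\inetsrv\'

function Get-ModuleAudit {
    param([xml]$Config, [string[]]$Baseline, [string]$TrustedDir)
    $installed = @{}
    foreach ($m in $Config.SelectNodes('/configuration/system.webServer/globalModules/add')) {
        $name  = $m.GetAttribute('name')
        $image = $m.GetAttribute('image')
        $installed[$name] = $image
        $findings = @()
        # Code that is loaded but not needed by the workload is attack surface.
        if ($Baseline -notcontains $name) { $findings += 'not in baseline' }
        # Native module DLLs registered from outside inetsrv deserve a closer look.
        if (-not $image.StartsWith($TrustedDir, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += 'image outside inetsrv'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Module = $name; Finding = ($findings -join '; '); Image = $image }
        }
    }
    # A baseline module that has been removed (here: request filtering) is also a finding.
    foreach ($name in $Baseline) {
        if (-not $installed.ContainsKey($name)) {
            [pscustomobject]@{ Module = $name; Finding = 'baseline module missing'; Image = '' }
        }
    }
}

Get-ModuleAudit -Config $config -Baseline $baseline -TrustedDir $trustedDir | Format-Table -AutoSize
```

To audit a real server, load the live file with Get-Content and cast it to [xml] in place of the embedded sample.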
The new extensible APIs are a big improvement over the previous ISAPI model. Practically every aspect of IIS provides extensibility, thus allowing developers to tailor the server to meet their own needs, regardless of whether they use managed or native code. The new modular architecture has allowed Microsoft to eliminate duplication, and as such, IIS 7.0 has a single pipeline for all code, regardless of whether it is managed or native.
Figure 12.12 IIS 7.0 Module Selection
NOTE
IIS 7.0’s new native API still requires users to know C/C++. Microsoft offers an additional capability by allowing a developer to use managed code to interact with the server.
Delegation: Less Is Often Better
In IIS 6.0, a user needed administrative rights to perform any task on the server, which was a security nightmare for server administrators. Now with IIS 7.0, administrators are able to delegate tasks to users without leaving the door wide open. In IIS 7.0, administrators can delegate features in IIS Manager to Web site and Web application administrators, allowing them to manage their sites and applications remotely without having administrative access to the server.
BEST PRACTICES ACCORDING TO MICROSOFT
Microsoft recommends a strategy of starting with the minimum rights and working up. It does not recommend opening rights up completely and later locking them down. Doing so could cause applications to become unstable.
SOME INDEPENDENT ADVICE
Delegation creates a new culture in IT. When Active Directory came out, it became possible to delegate administrative tasks to users. For users who had administrator rights before delegation, it was considered a slap in the face. They felt as though they were no longer trusted. Although delegation is a great security tool, be prepared for the human factor, especially from those who used to have full administrative rights.
Server administrators still have complete control over what management features are delegated to application owners:
■ Feature Delegation: The ability to configure which features of a Web site or application to delegate to Web site and application administrators. It provides the ability to delegate control of specific features to site or application administrators without having to provide them with full administrative control of the server.
■ Administrators: This feature allows server administrators to create site and application administrators. Server administrators include both the local server’s administrators group and the members of the Domain Administrators group.
■ Management Service: A management service for IIS 7.0 that enables server, site, and application administrators to connect to IIS 7.0 remotely using IIS Manager. It also allows site and application administrators to connect to IIS 7.0 on the server locally, when they are a member of a Windows group.
Figure 12.13 shows the Feature Delegation screen from within the new IIS Manager.
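As an added example (not from the book), the PowerShell script below reports which configuration sections are currently delegated (Read/Write) and flags any that fall outside a least-privilege baseline, in line with the "start with the minimum rights and work up" advice. It assumes delegation state is read from section locking in applicationHost.config (overrideModeDefault on the section definitions, overridden by server-level location elements with overrideMode); the XML fragment, function names and approved list are constructed for illustration.

```powershell
# Added example. Constructed, heavily trimmed sample in the shape of applicationHost.config.
[xml]$config = @'
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="handlers" overrideModeDefault="Deny" />
      <sectionGroup name="security">
        <section name="requestFiltering" overrideModeDefault="Allow" />
        <section name="ipSecurity" overrideModeDefault="Deny" />
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="" overrideMode="Allow">
    <system.webServer><handlers /></system.webServer>
  </location>
</configuration>
'@

function Get-SectionPath([System.Xml.XmlElement]$Node) {
    # Build e.g. system.webServer/security/ipSecurity from the enclosing sectionGroups.
    $parts = @()
    while ($Node.LocalName -ne 'configSections') {
        $parts = @($Node.GetAttribute('name')) + $parts
        $Node = $Node.ParentNode
    }
    $parts -join '/'
}

function Get-DelegationState([xml]$Config) {
    # Server-level <location path=""> blocks that explicitly lock or unlock sections.
    $serverWide = $Config.SelectNodes('/configuration/location[@path="" and (@overrideMode="Allow" or @overrideMode="Deny")]')
    foreach ($s in $Config.SelectNodes('/configuration/configSections//section')) {
        $path = Get-SectionPath $s
        $mode = $s.GetAttribute('overrideModeDefault')
        if (-not $mode) { $mode = 'Allow' }          # default when the attribute is absent
        foreach ($loc in $serverWide) {              # explicit lock/unlock wins over the default
            if ($null -ne $loc.SelectSingleNode($path)) { $mode = $loc.GetAttribute('overrideMode') }
        }
        [pscustomobject]@{ Section = $path; Delegated = ($mode -eq 'Allow') }
    }
}

# Assumed least-privilege baseline: the only sections site owners may change.
$approved = @('system.webServer/defaultDocument')
Get-DelegationState $config |
    Where-Object { $_.Delegated -and ($approved -notcontains $_.Section) } |
    ForEach-Object { "REVIEW: $($_.Section) is Read/Write for site owners but not approved" }
```

Per-site location elements (a non-empty path) can change delegation for individual sites and are deliberately outside the scope of this server-level check.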
Improved User Interface for Users, Partners, and Microsoft
The interface in IIS has changed in version 7.0. It has become more task-oriented, helping administrators do exactly what they want, and not forcing them to search for the correct tab or control button. IIS Manager is extensible, as is the rest of IIS 7.0. It allows you to administer most of the features in IIS 7.0 and monitor the server’s operation. Administrators can manage both IIS and ASP.NET configuration settings, membership and user data, and runtime diagnostic information.
As seen in the previous section, the new interface can also be used to enable delegation. The new IIS Manager can remotely manage servers via Hypertext Transfer Protocol Secure sockets (HTTPS), making remote management more security-friendly and not forcing IT administrators to open additional ports on firewalls. The ports for HTTPS (443), which are required for remote IIS
Figure 12.13 Feature Delegation in IIS Manager