What’s New and Features in IIS 7
Windows Server 2008 featuring Internet Information Services 7.0 (IIS7) is a powerful Web
application and services platform that delivers rich Web-based experiences. It offers improved
administration and diagnostic tools to help achieve lower infrastructure costs on a variety of popular
development platforms. With improved reliability and scalability, IT professionals and developers can
manage the most demanding Web serving environments, from a single Web server to a large Web farm.
IIS7 is a major upgrade of IIS, and will ship in both Windows Vista as well as Windows 2008 Server. It
includes a ton of new functionality, including some very rich integration with ASP.NET. The main
features of IIS 7 are as follows:
1. IIS7 is faster and more efficient than any other earlier version of IIS.
2. With IIS7 you can manage whole Web farms from one place.
3. IIS7 allows you to delegate management workload to site owners. Site owners can also
remotely manage their sites and applications over HTTPS from Windows Vista, Windows XP,
Windows Server 2003, and Windows Server 2008. IIS7's XCopy deployment model even allows
you to deploy applications preconfigured!
4. IIS7 is much more flexible and customizable than before, allowing you to fine tune the server
(including server core!) to minimize security footprint and downtime due to patching.
5. You can save loads of time by automating more tasks with the interface that is right for you.
6. If you do run into issues, IIS7 makes it easy to resolve site issues faster, minimizing down time
due to that bone headed developer on your staff.
7. IIS7 includes built-in support for PHP, making it the best Web server for both Open Source
languages and .NET. Why would you want to deploy, manage, patch and troubleshoot that
Linux+Apache server to support those PHP apps, when you can just use Windows!?
8. IIS7 makes it easy to publish content securely over FTP/SSL or WebDAV!
9. Windows and IIS7 are cheaper than ever with the new Windows Web 2008 product. This
version of Windows is super inexpensive and supports all the great features of IIS, SharePoint,
SQL, Windows Media server and more for Internet facing sites!
10. And as if that isn't enough, IIS7 is getting better every day with new IIS7 Extensions like built-in
progressive streaming and playlist support for media content, URL Rewrite capabilities,
integrated database management, PowerShell support, and much much more.
11. The ability to now have HttpModules and HttpHandlers participate in all requests to a server.
You no longer need to map requests to the ASP.NET ISAPI in order to write managed modules
that participate in requests. This makes building modules for flexible authentication,
authorization, logging, url-rewriting, auditing, etc. super easy with .NET. You could even now
have an ASP.NET HttpModule provide forms-authentication to a PHP or JSP page (in addition
to .htm files and static files like images and movies).
12. Integration of the ASP.NET configuration system with IIS. IIS now uses the same web.config
configuration model as ASP.NET, which means you can have both ASP.NET and IIS configuration
settings in the same file together. You can now set things like default pages, IIS security,
logging, etc within a web.config file and xcopy/ftp it to a server. This should simplify
deployment and installation of applications considerably. It also enables "delegated
administration" for hosting scenarios -- where a hoster provides the application developer the
ability to configure certain settings in their web.config file without requiring full admin
privileges.
13. An integrated Admin UI tool that manages both IIS and ASP.NET settings together. Included
within this rich GUI is support for things like the Membership, Roles and Profile providers (so
you can create/delete users directly within the GUI tool -- regardless of what provider is
configured). The admin tool also supports remote delegated admin over http -- which means
you can point the rich-client admin tool at a shared hoster server and manage your users/roles/
profile settings remotely over http (which is pretty cool).
14. Much better request auditing and error debugging. We have a new feature we call "Failed
Request Event Buffering" (affectionately known as "FREB"), which allows administrators to
configure applications to automatically save request information anytime an error occurs during
a request, or if a request takes longer than a specified amount of time to complete (note: if the
request completes ok this information can then be just thrown away -- and so doesn't fill up
your disk log). This allows you to easily go in after the fact and see what exactly happened
during a request that failed, as well as analyze any error exceptions. This can even capture
tracing messages generated within ASP.NET or within any component or class library that uses
System.Diagnostics -- which makes it much easier for developers and admins to instrument and
analyze what is going on with systems at runtime.
15. Much better configuration APIs and command-line tools. In addition to new config and admin
APIs (including a nifty one that you can use to get a listing of all "active" requests being
processed by the server -- as well as what state they are in), we now have a great command-line
admin story that you can use to set/modify/retrieve all configuration information as well as
manage the server (start/stop individual apps, lookup their health state, register new apps,
refresh SSL certs, etc). The command-line tool and APIs are also extensible, so you can plug in
your own providers and extensions to them.
16. In IIS 7.0 we have unified the IIS and ASP.NET models to produce a new robust pipeline that
does the best of what both older models did. IIS still supports all the old authentication protocols
but also now supports forms authentication, which can protect all content types and
does not rely on Windows accounts. In addition to supporting all the old features you have
come to know and love, we have also enhanced some of them, such as the anonymous
authentication feature.
17. In IIS 7.0, you have two authorization solutions. The first is to use the ASP.NET authorization
model. This method requires defining all your authorization rules in the <system.web>
configuration and requires zero changes for applications that already have rules written for
ASP.NET. The second model is to move to the new IIS 7.0 authorization architecture. This model
is very similar to ASP.NET's model with some minor changes:
18. Forms authentication has been part of ASP.NET and allows both Windows and non Windows
identities to authenticate themselves and get a user object that applications can later use. IIS 7
now fully supports forms authentication and can be configured to protect access to all content
types.
19. In IIS 7.0 the Web Service Extension restriction list feature has been slightly modified so that its name
now reads "isapiCgiRestrictionList" -- but otherwise it acts and behaves as it did in IIS 6.0. The
reason for this change was to stress its true usage. In IIS 6.0 this feature was added to ensure
rogue ISAPI or CGI binaries could not be copied to your IIS servers and then be allowed to execute.
20. IP Restrictions works in the exact same manner as it did in the past, except we now support a
new property called "allowUnlisted". This property was added to make it easier to configure
security policies for your system at a global level. For example, a policy that allows only
certain IP addresses and rejects all others that are not listed was not very easy to
configure in the past. Similarly, rejecting only a given set of IP addresses and allowing all that are not
listed can easily be done now. As a server administrator you can set a global policy and then lock
this value so it cannot be changed on your server by application or site administrators.
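The allowUnlisted behaviour described in item 20, as an added example that is not part of the original page: it parses two constructed <ipSecurity> sections (an allow-list and a deny-list), decides whether a client address is admitted, and flags sections whose entries contradict the allowUnlisted value. The sample addresses and the "most specific entry wins" rule for overlapping entries are assumptions of this sketch.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples (documentation address ranges), not taken from the page.
ALLOWLIST = """
<ipSecurity allowUnlisted="false">
  <add ipAddress="192.0.2.10" allowed="true" />
  <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
</ipSecurity>
"""
DENYLIST = """
<ipSecurity allowUnlisted="true">
  <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="false" />
</ipSecurity>
"""


def load_policy(xml_text):
    """Return (allow_unlisted, [(network, allowed), ...]) for one <ipSecurity> section."""
    root = ET.fromstring(xml_text.strip())
    # An absent allowUnlisted attribute is treated as true (the permissive default).
    allow_unlisted = root.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for entry in root.findall("add"):
        mask = entry.get("subnetMask", "255.255.255.255")  # no mask: single host
        network = ipaddress.ip_network(f"{entry.get('ipAddress')}/{mask}", strict=False)
        rules.append((network, entry.get("allowed", "false").lower() == "true"))
    return allow_unlisted, rules


def is_allowed(policy, client_ip):
    """Listed clients follow their entry; everyone else follows allowUnlisted."""
    allow_unlisted, rules = policy
    address = ipaddress.ip_address(client_ip)
    matches = [(net, allowed) for net, allowed in rules if address in net]
    if not matches:
        return allow_unlisted
    # Assumption of this sketch: when entries overlap, the most specific one decides.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit(policy):
    """Flag sections whose entries and allowUnlisted value contradict the intent."""
    allow_unlisted, rules = policy
    findings = []
    if allow_unlisted and all(allowed for _, allowed in rules):
        findings.append("allowUnlisted=true and no deny entries: nothing is restricted")
    if not allow_unlisted and not any(allowed for _, allowed in rules):
        findings.append("allowUnlisted=false and no allow entries: every client is rejected")
    return findings
```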
Disadvantages
1. Passport authentication is no longer supported in the Windows Server 2008 operating system.
Customers using passport should consider moving to its replacement Active Directory
Federation Services (ADFS).
2. In IIS 6.0, Microsoft introduced a new authorization model based on AZMan rules. In IIS 7.0
Microsoft has deprecated this feature in favor of a new model that is very similar to the
ASP.NET authorization model.
How IIS 7.0 Determines the Authenticated Identity
In IIS 7.0 the authentication rules are processed by the core engine in a similar manner as they were
in previous versions of IIS with only some minor changes. To better understand the processing order,
here are the rules based on the order IIS evaluates them:
1. First, IIS determines if a username and password have been configured at the virtual directory. If
a set of credentials has been defined, those credentials will be used. For pre-IIS 7.0
administrators, these credentials are the UNC credentials.
2. If no credentials are configured at the virtual directory then IIS will use the credentials provided
during authentication. These credentials can belong to the identity that is configured for
anonymous authentication or the credentials provided by the user during the authentication
handshake when Basic, Digest, or Windows authentication is enabled.
3. If no authenticated user was established (for example, forms authentication is enabled) it will
determine if the process identity should be used.
4. If we do not have an identity at this point, IIS will return an access denied error.
SSL
In IIS 6.0, IIS stored SSL-related information in the metabase and managed a large part
of the SSL negotiation process in conjunction with HTTP.SYS. In IIS 7.0, we have moved most of this
configuration into HTTP.SYS's store.
To illustrate how each of the IIS 6.0 configuration settings is carried over into IIS 7.0's
configuration (or HTTP.SYS configuration), the following chart was constructed.
Each entry lists the IIS 6.0 Metabase configuration property, the description of the property, and its place in the IIS 7.0 architecture.

AccessSSLFlags
  Description of property: AccessSSLFlags is bitmask of AccessSSL, AccessSSL128, AccessSSLNegotiateCert, AccessSSLRequireCert, AccessSSLMapCert. 0 value means no SSL.
  IIS 7.0 Architecture: Property still supported in IIS 7.0 configuration in the <access> section.

CertCheckMode
  Description of property: Enable or disable CRL (certificate revocation list) checking.
  IIS 7.0 Architecture: This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object.

RevocationFreshnessTime
  Description of property: If the RevocationFreshnessTime property is set to 1 (true), then the certificate revocation list (CRL) on the certificate client is updated by the CRL from the remote location, even if the CRL that is cached on the certificate client is valid. The default timeout interval is one day unless you use the RevocationURLRetrievalTimeout to specify a different timeout interval (in minutes).
  IIS 7.0 Architecture: This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object.

SecureBindings
  Description of property: The SecureBindings property specifies a string that is used by IIS to determine which secure network endpoints are used by the server instance.
  IIS 7.0 Architecture: This property is still supported in IIS 7.0 configuration under the <binding> section for <sites>. The protocol used needs to be "https".

SSLAlwaysNegoClientCert
  Description of property: The SSLAlwaysNegoClientCert property controls SSL client connection negotiations. If this property is set to true, any time SSL connections are negotiated, the server will immediately negotiate a client certificate, preventing an expensive renegotiation. Setting SSLAlwaysNegoClientCert also helps eliminate client certificate renegotiation deadlocks, which may occur when a client is blocked on sending a large request body when a renegotiation request is received.
  IIS 7.0 Architecture: This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object.

SSLCertHash
  Description of property: The SSLCertHash property is used to store the hash of the SSL certificate being used.
  IIS 7.0 Architecture: This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object.

SslCtlIdentifier
  Description of property: The SslCtlIdentifier property contains a unique value that identifies a specific certificate trust list (CTL). It must be used with SslCtlStoreName to accurately reference a CTL.
  IIS 7.0 Architecture: This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object.

SslCtlStoreName
  Description of property: The SslCtlStoreName property contains the name of the CryptoAPI store that contains certificate trust lists (CTL). It must be used with SslCtlIdentifier to accurately reference a CTL.
  IIS 7.0 Architecture: This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object.

SSLStoreName
  Description of property: The SSLStoreName property is used to store the name of the store where the key pair of the certificate resides.
  IIS 7.0 Architecture: This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object.

SslUseDsMapper
  Description of property: The SslUseDsMapper property specifies whether IIS is to use the Windows Directory Service certificate mapper or IIS certificate mapper. If SSLUseDSMapper is set to false, IIS uses the IIS certificate mapper.
  IIS 7.0 Architecture: This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object.
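Since most of these values now live in the HTTP.SYS store, they are reviewed from its listing rather than from the metabase. The following added example (not part of the original page) parses text in the layout printed by `netsh http show sslcert`, maps each field back to the IIS 6.0 property name from the chart, and flags two conditions the chart describes. The sample listing is constructed, and the field labels are assumed to match the output of your Windows version.

```python
# Constructed sample in the layout printed by `netsh http show sslcert`;
# the hash, application ID and CTL name are placeholders.
SAMPLE = """\
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0000000000000000000000000000000000000000
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Disabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : ExampleCtl
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Enabled
"""

# netsh field label (assumed) -> IIS 6.0 metabase property named in the chart.
FIELD_TO_METABASE = {
    "Certificate Hash": "SSLCertHash",
    "Certificate Store Name": "SSLStoreName",
    "Verify Client Certificate Revocation": "CertCheckMode",
    "Revocation Freshness Time": "RevocationFreshnessTime",
    "URL Retrieval Timeout": "RevocationURLRetrievalTimeout",
    "Ctl Identifier": "SslCtlIdentifier",
    "Ctl Store Name": "SslCtlStoreName",
    "DS Mapper Usage": "SslUseDsMapper",
    "Negotiate Client Certificate": "SSLAlwaysNegoClientCert",
}


def parse_bindings(text):
    """Return one dict per binding, keyed by the IIS 6.0 property names."""
    bindings = []
    for line in text.splitlines():
        label, sep, value = line.partition(" : ")  # "IP:port" itself contains a colon
        if not sep:
            continue
        label, value = label.strip(), value.strip()
        if label == "IP:port":
            bindings.append({"endpoint": value})  # each binding starts with its endpoint
        elif bindings and label in FIELD_TO_METABASE:
            bindings[-1][FIELD_TO_METABASE[label]] = value
    return bindings


def review(binding):
    """Flag settings the chart calls out: CRL checking and the CTL pair."""
    notes = []
    if binding.get("CertCheckMode") == "Disabled":
        notes.append("CertCheckMode: CRL checking is disabled")
    ctl_id = binding.get("SslCtlIdentifier", "(null)")
    ctl_store = binding.get("SslCtlStoreName", "(null)")
    if (ctl_id == "(null)") != (ctl_store == "(null)"):
        notes.append("SslCtlIdentifier and SslCtlStoreName must be set together")
    return notes
```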
Compatibility of IIS 7 with OS
Microsoft considers IIS 7 a part of the operating system (Win2K8 or Vista), so it's tied to the
version of Windows you're using.
You need to use either Windows Vista or Windows 2008 to have IIS7.
Reference: http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/6064c641-dcb3-41d3-8e4f-9e00ac642889/
Display Names / Hierarchy | Package Update Names | Windows 2K8 Server | Vista Prof | Vista Premium | Vista Basic & Starter
Internet Information Services | IIS-WebServerRole | Available | Available | Available | Available
World Wide Web Services | IIS-WebServer | Default | Default | Default | Default
Common Http Features | IIS-CommonHttpFeatures | Default | Default | Default | Default
Static Content | IIS-StaticContent | Default | Default | Default | N/A
Default Document | IIS-DefaultDocument | Default | Default | Default | N/A
Directory Browsing | IIS-DirectoryBrowsing | Default | Default | Default | N/A
HTTP Errors | IIS-HttpErrors | Default | Default | Default | Default
HTTP Redirection | IIS-HttpRedirect | Available | Available | Available | Available
Application Development Features | IIS-ApplicationDevelopment | Available | Available | Available | Available
ASP.NET | IIS-ASPNET | Available | Available | Available | N/A
.NET Extensibility | IIS-NetFxExtensibility | Available | Available | Available | Available
ASP | IIS-ASP | Available | Available | Available | N/A
CGI | IIS-CGI | Available | Available | Available | N/A
ISAPI Extensions | IIS-ISAPIExtensions | Available | Available | Available | N/A
ISAPI Filters | IIS-ISAPIFilter | Available | Available | Available | N/A
Server-Side Includes | IIS-ServerSideInclude | Available | Available | Available | N/A
Health and Diagnostics | IIS-HealthAndDiagnostics | Default | Default | Default | Default
HTTP Logging | IIS-HTTPLogging | Default | Default | Default | Default
Logging Tools | IIS-LoggingLibraries | Available | Available | Available | Available
Request Monitor | IIS-RequestMonitor | Default | Default | Default | Default
Tracing | IIS-HttpTracing | Available | Available | Available | Available
Custom Logging | IIS-CustomLogging | Available | Available | Available | N/A
ODBC Logging | IIS-ODBCLogging | Available | Available | N/A | N/A
Security | IIS-Security | Available | Available | Available | Available
Basic Authentication | IIS-BasicAuthentication | Available | Available | Available | N/A
Windows Authentication | IIS-WindowsAuthentication | Available | Available | N/A | N/A
Digest Authentication | IIS-DigestAuthentication | Available | Available | N/A | N/A
Client Certificate Mapping Authentication | IIS-ClientCertificateMappingAuthentication | Available | Available | N/A | N/A
IIS Client Certificate Mapping Authentication | IIS-IISCertificateMappingAuthentication | Available | Available | N/A | N/A
URL Authorization | IIS-URLAuthorization | Available | Available | Available | Available
Request Filtering | IIS-RequestFiltering | Available | Available | Available | Available
IP Security | IIS-IPSecurity | Available | Available | Available | Available
Performance Features | IIS-Performance | Default | Default | Default | Available
Static Content Compression | IIS-HttpCompressionStatic | Default | Default | Default | N/A
Http Compression Dynamic | IIS-HttpCompressionDynamic | Available | Available | Available | Available
Web Management Tools | IIS-WebServerManagementTools | Default | Default | Default | Default
IIS Management Console | IIS-ManagementConsole | Default | Default | Default | N/A
IIS Management Scripts and Tools | IIS-ManagementScriptingTools | Available | Available | Available | Available
IIS Management Service | IIS-ManagementService | Available | Available | Available | N/A
IIS 6 Management Compatibility | IIS-IIS6ManagementCompatibility | Available | Available | Available | Available
IIS Metabase and IIS 6 compatibility | IIS-Metabase | Available | Available | Available | Available
IIS 6 WMI Compatibility | IIS-WMICompatibility | Available | Available | Available | N/A
IIS 6 Scripting Tools | IIS-LegacyScripts | Available | Available | Available | N/A
IIS 6 Management Console | IIS-LegacySnapIn | Available | Available | Available | N/A
FTP Publishing Service | IIS-FTPPublishingService | Available | Available | N/A | N/A
FTP Server | IIS-FTPServer | Available | Available | N/A | N/A
FTP Management Console | IIS-FTPManagement | Available | Available | N/A | N/A
Windows Activation Service | WAS-WindowsActivationService | Available | Available | Available | Available
Process Model | WAS-ProcessModel | Default | Default | Default | Default
.NET Environment | WAS-NetFxEnvironment | Available | Available | Available | Available
Configuration APIs | WAS-ConfigurationAPI | Available | Available | Available | Available
Request Execution Limit | | Unlimited | 10 | 3 | 3
Reference: http://learn.iis.net
Migration Process
For migration, administrators use the Microsoft Web Deployment Tool (MS Deploy), a utility that
you can use to migrate your Web server or Web site from a computer that is running Internet Information
Services (IIS) version 6.0 on Microsoft Windows Server 2003 to a computer that is running IIS 7.0 on
Windows Server 2008. You can also use MS Deploy to migrate from an IIS 6.0 Web server to another IIS
6.0 Web server, or from an IIS 7.0 Web server to another IIS 7.0 Web server.
Reference: http://technet.microsoft.com/en-us/mscomops/cc424869.aspx
IIS 7.0 Installation Procedures
Step 1: Start Server Manager
• To start Server Manager, click: Start Menu -> All Programs -> Administrative Tools -> Server
Manager. The Server Manager window opens.
Step 2: Adding a Server Role
• In the Server Manager, select Roles. (The Role Summary View is displayed)
Step 3: Start the Add Roles Wizard
• Click Add Roles.
• The Add Roles Wizard opens.
• Click Next to select roles to install.
Step 4: Choose Web Server (IIS) Role to Install
• Check Web Server (IIS).
Step 5: Web Server Role depends on WAS
• The Add Roles Wizard notifies you on any required dependencies; since IIS depends on the
Windows Process Activation Service (WAS) feature, the following informational dialog displays.
• Click Add Required Role Services to continue.
• Web Server is now selected for install. The Select Server Roles dialog box opens.
• Click Next to continue.
Step 6: Additional Information
• Click Next to continue.
Step 7: View IIS 7.0 Features
• The Add Roles Wizard displays a list of all IIS 7.0 features available to install as shown below.
Note that features comprising the default install are preselected.
• Note: To install just the IIS 7.0 default features, click the Install button and then proceed to Step
10 below. If you need to install additional features, proceed to Step 8.
Step 8: Select Additional IIS Features to Install
• For this example, we install additional IIS features:
• Start by checking the box for ASP.NET. The following dialog displays.
• The wizard warns if adding an IIS feature will also cause other features to be installed.
• Click Add Required Role Services to continue.
Step 9: Select Additional IIS Features to Install
• Continue selecting additional IIS Role Services features to Install:
• Check the features you require.
• When you have selected all the features you require, click Next to continue.
Step 10: Summary of Features to Install
• The Wizard provides a summary of what will be installed, as shown below
• Click Install to continue.
Step 11: Install Progress
• After clicking Install, the install progress dialog opens.
Step 12: Install Complete
• When IIS 7.0 install is complete, the following dialog opens. Click Close to return to the Server
Manager.
Step 13: Check IIS 7.0 install
• You can now perform a quick check to verify that IIS 7.0 is installed.
• Start Internet Explorer web browser and enter the address http://localhost.
• You should see the default IIS "Welcome" page.