Apache is at the heart of the LAMP stack which is comprised of Linux, Apache, MySQL, and PHP. Apache was first released in 1995 and it has a modular architecture similar to that found in IIS 7.0. One significant difference between Apache and IIS is that Apache is built with an open source model with a series of individual contributors and organizations contributing code to the project. The current version of Apache is 2.2.9 which was released in June of 2008.
IIS 7 contains a variety of improvements when compared to IIS 6.0. As detailed throughout this presentation IIS makes it easy to create streamlined servers, generate a reduced attack surface for a given deployment, quickly diagnose issues in production, dev, and test, and is built on a highly extensible and modular architecture.
There are a number of perceptions that exist in the Apache community about the real differences between Apache and IIS. Some of the more common perceptions are detailed here.
Minimal Surface Area
By design, IIS 7.0 is composed of a variety of different modules, only 10 of which are loaded by default, leading to a small attack surface. In addition, modules can be added only as needed, allowing administrators to carefully control the surface area of any given IIS web server deployment.

Automatic Site / Application Sandboxing
IIS 7.0 introduces application pool sandboxing features that are transparent to the user. By default IIS 7.0 runs each application in a sandbox so that if a web application fails only the memory associated with that application is affected. This isolation is an important consideration as organizations deploy hundreds or thousands of web sites on a single server.

Anonymous User Account
With IIS 7.0 the “Anonymous User” account is no longer “keyed” to each server and is named IUSR instead of IUSR_<ServerName>. IUSR is built into IIS 7.0 and is not an NT local account. This means there is no need to worry about an intruder being able to log on to the operating system with this account.

URL Authorization
IIS 7.0 also supports URL authorization for controlling access to sites, folders, and files without the need for using NTFS ACLs. Rules are stored in *.config files, making authorization stores portable and allowing administrators to use Xcopy to migrate and maintain security settings for an application. In addition, these *.config file rules can be controlled via the administrative interfaces that ship with IIS 7.0.

Request Filtering
IIS 7.0 includes integrated URLScan-style rules. These rules can block URLs that contain “any string”, block URLs over x length, and prevent delivery of certain extensions or content such as *.config or *.bin, or limit query length. You can also specify “hidden” namespaces that cannot be requested in a URL even if they are present on the server. For example, App_Data and Bin are defined as hidden namespaces by default and will not be served by IIS 7.0. The rules are easy to implement in *.config, and they can also now be edited in a UI with the IIS 7.0 Admin Pack. Request Filtering helps to prevent malicious URLs from ever reaching your applications. Finally, there are new error codes that track rejections that occurred due to request filtering.

Integrated Active Directory Authorization
Whereas IIS integrates seamlessly with Active Directory, Apache requires third-party modules to achieve the same level of functionality.

Security Tracking – Secunia
Secunia reports far more vulnerabilities in Apache 2.0 than were found in IIS 6.0.

Security Development Lifecycle
Apache’s community-driven model for software development lacks a clearly defined vulnerability resolution path. While Apache’s community-driven approach sometimes allows for a patch to be developed and disseminated quickly, it does not ensure that all security vulnerabilities are addressed, nor that each vulnerability is handled in the same way. By contrast, IIS is developed via a structured, disciplined Security Development Lifecycle (SDL).

Automatic Update Patching
Because it is deployed on top of the Windows Server platform, IIS can easily participate in the automated patching mechanisms that are offered by Windows Server. By contrast, Apache does not offer automatic patching capabilities similar to those of Windows Server and IIS. Nor can Apache offer the same type of “patch Tuesday” consistency in terms of when patches come out, when they need to be applied, etc.

ASP.NET Forms Security
ASP.NET on IIS offers Forms Security out of the box for all site content, making it easy for developers to put together a secure site quickly.
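The Request Filtering rules described in the security notes above, written as a web.config section and checked against a few request URLs. This is an added example, not code from the original presentation or from IIS: the sample configuration and its limit values are constructed, the helper names `load_rules` and `rejections` are hypothetical, and the matching is a simplified model that maps each rule type to the 404 sub-status IIS 7.0 logs for it.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample web.config; the limits are illustrative values, not defaults.
SAMPLE_WEB_CONFIG = """\
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".bin" allowed="false" />
        </fileExtensions>
        <hiddenSegments>
          <add segment="App_Data" />
          <add segment="bin" />
        </hiddenSegments>
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
        <requestLimits maxUrl="260" maxQueryString="64" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def load_rules(config_xml):
    """Extract the request-filtering rules from a web.config document."""
    rf = next(ET.fromstring(config_xml).iter("requestFiltering"))
    limits = rf.find("requestLimits")
    return {
        "denied_ext": {e.get("fileExtension").lower()
                       for e in rf.findall("fileExtensions/add")
                       if e.get("allowed") == "false"},
        "hidden": {e.get("segment").lower()
                   for e in rf.findall("hiddenSegments/add")},
        "sequences": [e.get("sequence").lower()
                      for e in rf.findall("denyUrlSequences/add")],
        "max_url": int(limits.get("maxUrl")),
        "max_query": int(limits.get("maxQueryString")),
    }


def rejections(rules, url):
    """Return the 404 sub-status codes these rules would produce for url.
    Simplified model (assumption): case-insensitive matching, every matching
    rule is reported, and IIS's own evaluation order is not reproduced."""
    parts = urlsplit(url)
    path = parts.path.lower()
    segments = [s for s in path.split("/") if s]
    last = segments[-1] if segments else ""
    ext = "." + last.rsplit(".", 1)[1] if "." in last else ""
    hits = set()
    if any(seq in path for seq in rules["sequences"]):
        hits.add("404.5")    # denied URL sequence
    if ext in rules["denied_ext"]:
        hits.add("404.7")    # denied file extension
    if rules["hidden"].intersection(segments):
        hits.add("404.8")    # hidden namespace (segment)
    if len(parts.path) > rules["max_url"]:
        hits.add("404.14")   # URL too long
    if len(parts.query) > rules["max_query"]:
        hits.add("404.15")   # query string too long
    return sorted(hits)


if __name__ == "__main__":
    rules = load_rules(SAMPLE_WEB_CONFIG)
    for url in ("/index.html", "/web.config", "/App_Data/users.xml"):
        print(url, rejections(rules, url) or "served")
```

Counting these sub-status values in the IIS logs shows which filtering rule is rejecting traffic and how often.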
Centralized Web Farm Configuration
With IIS, while you can leverage simple XCOPY configuration deployment to ease the deployment of configuration changes across a number of different servers, this still leaves you with the issue of having to configure each IIS instance independently. IIS 7.0 also includes the ability to share configuration state information from a network share and point each IIS instance at this shared configuration information, thereby allowing you to update configuration settings in one place but still have multiple IIS servers pick up the configuration change. Apache’s feature that supports distributed configuration, by contrast, is one that the Apache.org site recommends be disabled due to the performance hit that ensues when it is enabled.

Streamlined and Focused Administration Tool
IIS has an intuitive, feature-focused administration tool with streamlined administration tasks. By contrast, Apache forces administrators to work primarily via the command line and edit configuration files manually. This requires administrators to memorize appropriate commands and makes discoverability of the right “next step” in managing a server a potentially time-consuming process compared to the use of the GUIs found in IIS.

Remote Administration Tool
IIS 7.0 also includes solid remote management tools. In addition, these tools leverage HTTPS, letting you use the same UI for remote management as if you were logged in locally to the server.

Command Line Administration
Apache is administered predominantly via the command line, with all of the configuration information contained in text files. By contrast, IIS supports a rich set of GUI management applications in addition to a rich command line and text file configuration based management framework. With IIS, administrators can edit configuration files directly, leverage AppCMD.exe from the command line to manage configuration changes, or utilize additional management APIs. Also, with IIS the server does not require a restart to apply configuration changes, whereas in a fair number of cases Apache does require a restart to apply configuration changes. Finally, IIS comes with a default configuration that can be used right after deployment of the web server.

Rapid Troubleshooting and Limited Downtime
IIS comes with a rich set of troubleshooting and management tools such as Failed Request Tracing. By contrast, Apache’s troubleshooting tools are very basic and there is very limited diagnostic or troubleshooting support built in. In addition, the Apache Foundation does not have a dedicated support arm, and dedicated Apache support packages must be purchased from third parties.
Leaner Web Servers
The modular nature of IIS makes it easier to streamline the process of responding to requests and serving content. Removing modules where they are not needed can result in higher application throughput and faster responses.

Server Core
Server Core makes it easier to support IIS deployments that do not leverage the .NET Framework and ASP.NET, with less memory and overall system resources compared to a full Windows Server 2008 install in conjunction with IIS.

Static and Dynamic Compression
IIS 7.0 supports the compression technologies of IIS 6.0 in static and dynamic compression. Compression is an effective way to make maximum use of the bandwidth available to deliver responses to client applications. Static Compression pre-compresses content and stores it on disk. Dynamic Compression compresses the response in real time.

Output Caching Improvements
Previously IIS offered caching via the kernel cache or the output cache. Each had its own specific limitations. With IIS 7.0 the new output cache bridges the gap between the old kernel and output caches of IIS 6.0. The new output cache supports the caching of any type of content (ASP, ASP.NET, PHP, etc.). The new cache allows content that can be stored in the kernel cache to be stored there and other content to be stored in the output cache. The IIS output cache also supports a series of programmatic APIs that make it easy to set caching policies based on information gained dynamically at runtime.
Proven and Trusted Platform
IIS 7.0 is built on top of a proven and trusted platform that has powered numerous high traffic sites from MySpace to Microsoft.com. In addition, 54% of the Fortune 1000 rely on IIS 7.0.

Rapid Diagnostic Tools
IIS 7.0 has a set of tools that allow you to troubleshoot any concerns quickly. Failed Request Tracing can be used to generate a detailed trace of the events leading up to the error. Failed Request Tracing can also be used to track down specific errors you might be trying to isolate. IIS also comes with the Runtime State and Control API. This API can be used to see the active state of sites, applications, and active requests on the server, as well as to perform a variety of administrative functions such as starting and stopping the server. This API is accessible via a variety of means such as the Microsoft.Web.Administration API or AppCMD.exe from the command line.
40 Modules / 10 by Default
IIS 7.0 ships with 40 modules; however, only 10 of these are installed by default. These “default” modules consist of Common HTTP Features (Static Content, Default Document, Directory Browsing, HTTP Errors), Health and Diagnostics (HTTP Logging and Request Monitor), Security (Request Filtering), Performance (Static Content Compression), Management Tools (IIS Management Console), and the Windows Process Activation Service. This is an intentionally limited set of modules. For example, ASP.NET and Remote Management by contrast need to be explicitly installed.

Modules and the Generic Pipeline
Modules plug into a generic request pipeline compared to previous releases of IIS.

Modules and Extensibility API
In addition to being able to pick and choose which modules are included as part of an install of IIS, you have the ability to utilize third-party modules or develop your own.
The IIS team and the broader IIS community have been actively involved in the development of a variety of enhancements for IIS 7.0. The following is just a sample of some of these efforts.

IIS 7.0 Admin Pack
The IIS Admin Pack consists of a set of custom modules that assist in administering an IIS web server. Modules include a configuration editor, an IIS Reports module for statistics tracking, and a set of UI modules that allow you to manage existing features such as FastCGI via IIS Manager.

URL Rewrite Module
The URL Rewrite module provides a rule-based mechanism (regular expressions, wildcards) for changing request URLs before they get processed by the web server. The module helps enable user and search friendly URLs with dynamic web applications.

PowerShell Provider for IIS
The PowerShell Provider is a snap-in that allows you to perform tasks such as creating web sites and web applications, changing configuration properties on web sites, querying run-time data, searching and discovering configuration settings, etc.

Remote Manager – Down Level Clients
The IIS Remote Manager for down level clients allows you to easily manage IIS instances from Windows Vista, Windows XP, and Windows Server 2003 servers.

Web Playlists
Web Playlists let you deliver server-controlled media playlists from a web server infrastructure rather than utilizing a dedicated media server. Web Playlists let you control seek and skip functionality, support content protection through dynamically generated tokenized URLs, and are fully integrated into IIS 7.0 configuration models.
Detailed Error Messages
IIS also provides verbose error messages that suggest causes and solutions. Details include configuration sections in question, modules in use, etc. In addition, these verbose errors by default are only delivered to localhost.

IIS 7.0 Failed Request Tracing
IIS supports failed request tracing. Failed Request Tracing allows you to keep only the events for failed requests and to set custom failure criteria per URL such as the time taken and status codes. Common usages for Failed Request Tracing include tracking down requests that take too long or hang, requests that complete but with an error (authorization/authentication problems), etc. The performance overhead for Failed Request Tracing is a static amount per request. Finally, you can easily turn off Failed Request Tracing when you do not need it.
Extensible Modular Architecture
IIS 7.0 supports an extensible modular architecture that lets you easily add, remove, or replace any built-in module. Extensibility is provided via C/C++ and .NET interfaces. By contrast, with Apache you need a solid understanding of the ecosystem around Apache and its associated projects to assemble a complete web server platform with equivalent functionality to IIS. Apache also does not offer ready-made hosting for ASP.NET. While the Mono project does contain support for ASP.NET, the support is not full. Currently Mono only fully supports ASP.NET 1.1 in its entirety. With ASP.NET 2.0, features such as Web Parts are missing from the Mono implementation. Since IIS fully supports ASP.NET, developers are able to take advantage of the rich integration with Visual Studio. IIS also allows developers to extend their development efforts toward managing IIS via managed interfaces and custom configuration schemas. Finally, .NET is deeply integrated into the IIS architecture, from its request pipeline and configuration schema to its management tools and trace infrastructure.

Caching Support
As mentioned previously, IIS supports a strong set of caching mechanisms that have been improved upon from the IIS 6.0 release.

FastCGI
FastCGI supports PHP hosting on Windows along with all other FastCGI-compatible applications such as Ruby on Rails.

Strong Integration with other Microsoft Products
Unlike Apache, IIS is natively integrated with other enterprise applications such as portals (SharePoint) and enterprise directory services (Active Directory). Apache also does not offer an integrated application server, leaving it up to the user or organization that uses Apache to integrate this functionality on their own from various independent open source projects.

Streaming Media
IIS has extensive support for streaming media. The combination of IIS 7.0, Windows Media Services, and the variety of functionality found in the IIS 7.0 media pack leads to a robust platform for media serving. IIS 7.0 allows you to save bandwidth costs on streaming media, decrease network traffic when streaming media, and easily monetize assets by preventing ad skipping.
Rapid Troubleshooting and Minimized Downtime
The ability to generate detailed errors and utilize automatic failed request tracing leads to rapid troubleshooting and minimized server or site downtime.

Minimized Surface Area
IIS 7.0’s minimized surface area leads to less administrative overhead as there is less to patch and maintain for streamlined IIS installations.

Isolation and Sandboxing
The isolation and sandboxing features detailed previously make it easier to ensure that a single site failure does not bring down additional sites or the server itself, which would otherwise increase administration time.

Scalable Multi-Tenant Hosting
Scalable multi-tenant hosting makes it easy for IIS to scale and sandbox thousands of web sites on a single server. This allows IT organizations to consolidate more sites on a single server and minimize the overall number of servers that need to be administered.

Delegated Control to Site Owners
IIS 7.0 also makes it easy to delegate site control to the actual owners of the site, a significant concern for hosting companies in particular.

Strong Support Resources
By choosing IIS you can also leverage the extensive support options that Microsoft provides, compared to the purely community-based support model that Apache leverages.
Consolidate .NET and PHP Applications
IIS 7.0 with its FastCGI support makes it easy to consolidate .NET and PHP based applications on the same server. Both types of applications can benefit from the strong security inherent in IIS as well as the long history of reliability.

Consolidate Web and Other Server Management Frameworks to a Single Platform
The ability to host both PHP and ASP.NET applications on a single Windows Server instance with IIS makes it easier to have a consistent IT environment. In addition, Windows Server comes with a variety of management frameworks out of the box that can be easily used to manage this consistent IT environment, such as PowerShell, Server Manager, and Hyper-V for virtualized environments.

Better Web Platform Management
Windows Server 2008 and IIS 7.0 offer significant advantages when it comes to the day-to-day management of both PHP and ASP.NET based applications. For example, IIS administrators can easily delegate management tasks to PHP site owners. Both PHP and ASP.NET site owners can also easily connect to their sites from Windows XP or Vista and manage their sites remotely. Finally, PHP and ASP.NET sites can both leverage the centralized configuration model that IIS makes available to administrators.

Server Core
Server Core gives Windows Server 2008 and IIS 7.0 the ability to function as a minimal / headless PHP server with a minimal surface area and a reduced use of system resources compared to a full Windows Server installation.

Powerful Media Serving
Windows Server 2008 and IIS 7.0 also provide a strong set of media serving capabilities via Windows Media Server 2008 and IIS 7.0’s Media Pack, an add-on that helps to enable progressive downloading of media from a web server and includes a bit rate throttling module.
Microsoft Supported Solution
A final consideration is that organizations that choose to run PHP applications on Windows receive full support from Microsoft, a single vendor, for essentially all aspects of the application deployment. This extends from the base operating system all the way up through the support for FastCGI on IIS.
Apache vs IIS Myths

IIS vs. Apache
Myths and Reality

Apache - Overview
Free web server.
Often combined with Linux, MySQL, and PHP to make the LAMP stack.
First released in 1995.
Modular architecture.
Built using an open source development model.
Commercial friendly open-source license.
Current version is 2.2.9, which was released in June of 2008.

IIS 6 Overview
IIS 6.0 – A Solid Foundation
Shipped with Windows Server 2003
Proven Security
Significant reduction in attack surface compared to previous releases
No security vulnerabilities since its release five years ago.
Proven Scalability and Stability
Used by many major sites and companies such as MySpace.com, Match.com, US Bank, USA Today, Allstate, Continental Airlines and others.
Significant increase in reliability of hosted web sites compared to IIS 5.0.
A solid trusted foundation for IIS 7.0

IIS7 Overview
Benefits
Features
Reduced Attack Surface
Create Streamlined Servers
Modular and Extensible
Integrated with .NET
Improved Security
Agile Administration
Built in Request Tracing
Easier to Manage
Fast Diagnostics
Extend/Modify IIS Features

Security
“Which of the two platforms, IIS and Apache, is more secure?”
IIS 7.0 Security
Minimal Surface Area
Automatic Site / Application Sandboxing
Anonymous User Account Changes
URL Authorization
Built in Request Filtering
Integrated Active Directory Authorization
IIS / Security Development Lifecycle
Automatic Update Patching
Security Tracking – Secunia
IIS 6 by comparison has only 5 advisories released to date.
http://secunia.com/product/1438/?task=advisories
Apache 2.0.x on the other hand has over 35, several of which are critical rated.
http://secunia.com/product/73/?task=advisories

Management
“Is IIS or Apache easier to manage?”
IIS 7.0 Manageability
Centralized Web Farm Configuration
Streamlined and Focused Administration Tool
Remote Administration Tool
Command Line Administration
Rapid Troubleshooting and Limited Downtime
AdHost
- Able to Reduce Site Setup Time to a Quarter of the Previous Time with IIS 7.0

Performance / Scalability
“Does Apache have better performance / scalability than IIS?”
IIS 7.0 Performance/Scalability
Leaner Web Servers
Server Core
Static and Dynamic Compression
Output Caching Improvements
Enterprise Level Performance
“Match.com runs IIS 7.0 with 30 million page views daily.”
“PlentyOfFish.com gets 1.2 billion page views a month.”
“WS2008 and IIS 7.0 allow www.microsoft.com to process 122 million more requests at the same CPU level – compared to IIS 6.0”
“MySpace.com runs IIS 7.0 with 23 billion page views a month.”
HostMySite
- Now hosting 1,100 web sites per server / Up from 500 shared applications.

Reliability
“Which web server is more reliable?”
IIS 7.0 Reliability
Proven and Trusted Platform
54% of the Fortune 1000 rely on IIS 7.0
Rapid diagnostics tools to troubleshoot any concerns quickly
Failed Request Tracing
Runtime State and Control API.
HiChina
- Reduced Application downtime by 99% for applications that were moved to Windows Server 2008 and IIS.

Modularity
“Which is more modular, IIS or Apache?”
IIS 7.0 Modularity
Server functionality is split into 40 modules
Only 10 modules installed by default
Modules and a Generic Pipeline
Extensibility

Troubleshooting
“Is IIS or Apache an easier platform to troubleshoot?”
IIS 7.0 Troubleshooting
Detailed Error Messages
Verbose Error Messages
Suggests Causes and Solutions
Details include configuration sections in question, modules in use, page, etc.
Failed Request Tracing
Allows for custom failure criteria per URL
Persist Failure Log Files beyond process lifetime
Common Usages
Requests take too long
Request Error (completes but with error code)

Application Support
“Does Apache support more Applications?”
IIS 7.0 Application Support
Extensible, modular architecture – add, remove or replace any built-in module
Enhanced ASP.NET integration including unified configuration, HTTP runtime and administration tools
Caching support (kernel and user) for all types of dynamic content
Built-in FastCGI support for Open Source frameworks such as PHP and Ruby.
Strong integration with other Enterprise Products such as SharePoint
Extensive Support for Streaming Media

TCO
“Does IIS or Apache have the lower TCO?”
IIS 7.0 - Cost of Ownership
Rapid Troubleshooting and Minimized Downtime
Minimized Surface Area
Isolation and Sandboxing
Scalable Multi-Tenant Hosting
Less Expensive Administrator Resources to Maintain
Delegated Control to Site Owners
Strong Microsoft Support Resources
HiChina
- Reduced System Management costs by 10%
- Saved nearly 20% in overall maintenance and operating costs.

TCO
Independent Commentary

PHP Applications
“Is Apache the best platform for PHP?”
IIS 7.0 and PHP Support
Consolidate .NET and PHP applications on a single server
Consolidate Web and Other Server Management Frameworks to a single platform
Better Web Platform Management
Host on Minimal / Headless Server with Server Core
Powerful Media Serving
Microsoft Supported Solution

Summary
IIS 7.0 has:
A Modular and Extensible Architecture
Deep integration with .NET Applications
Improved Security
Agile Administration
Built in Troubleshooting Tools such as Request Tracing
This leads to a Web Platform that is:
Streamlined
Easy to extend
To Manage
Quick to Troubleshoot
Highly Secure