<br />IIS 7.0 for Apache Administrators<br />Published: March 2009<br />Contents<br />
Overview<br />Introduction to IIS 7.0<br />Extensible Modular Architecture<br />Enhanced Web Server Security<br />Improved Management Tools<br />Diagnostics & Troubleshooting<br />Strong Web Application Support<br />Flexible Extensibility Model for Customization<br />FTP Publishing Service for IIS 7.0<br />Integrated Request Pipeline<br />IIS 7.0 Configuration and Management<br />Configuring IIS 7.0<br />Hosting PHP on IIS 7.0<br />Installing FastCGI Support<br />Installing and Configuring PHP on IIS 7.0<br />Configure IIS 7.0 to Handle PHP Requests<br />Using Modules to Control and Customize IIS<br />Distributed Configuration Model<br />Administration Using IIS 7.0<br />Customizing Error Messages<br />URL Rewriting<br />Web Caching<br />Web Output Compression<br />Diagnostics and Troubleshooting<br />Apache<br />IIS 7.0<br />Securing the Web Server<br />Conclusion<br />IIS 7.0 Resources<br />Overview<br />This white paper provides Apache administrators with detailed technical information about Internet Information Services (IIS) 7.0. It describes the architecture, security model, management features, and other new enhancements included in this release. 
It also compares common IIS 7.0 and Apache management scenarios and tools. <br />This document also examines how each Web server platform integrates with application, database, and management solutions, and how ease of management can be maintained as the Web server environment grows. Finally, this document examines the powerful diagnostic, troubleshooting, and reporting tools that can help simplify the maintenance of Web applications running on IIS 7.0. <br />Introduction to IIS 7.0<br />IIS 7.0 is the most powerful Web server from Microsoft to date, providing new capabilities that dramatically improve the way Web solutions are developed, deployed, and managed. IIS 7.0, with a modular design similar to that of Apache Web Server, gives administrators superior control through its extensible architecture, an intuitive graphical user interface, and greater ability to customize their Web servers, resulting in improved efficiency when deploying and managing Web applications. In addition, the powerful diagnostic capabilities built into IIS 7.0 reduce the time required to troubleshoot issues, resulting in minimized downtime.<br />Extensible Modular Architecture<br />In previous versions of IIS, all functionality was built in by default. In effect, all features were installed regardless of the intended use of the IIS server, and there was no easy way to extend or replace any of that functionality. In IIS 7.0, the core Web server has been completely re-engineered and replaced by a wholly modular architecture that offers greater flexibility and the following three key benefits:<br />Componentization<br />Extensibility<br />ASP.NET integration<br />The functionality of IIS 7.0 is divided into more than 44 separate feature modules. These modules can be installed during the setup of the Web Server (IIS) role through the Server Manager console. 
The existing functionality can be extended further by building new modules with the included Win32 and .NET APIs.<br />While the IIS 7.0 modules replace Internet Server Application Programming Interface (ISAPI) filters and extensions, IIS 7.0 maintains full support of these filters and extensions. Apache Web Server provides limited support for ISAPI extensions but does not support ISAPI filters. Apache also has a well-known community-driven project, the Apache Portable Runtime (APR), which creates and maintains software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. APR provides a set of APIs that map to the underlying operating system and so allow developers to write platform-independent programs.<br />Enhanced Web Server Security<br />Since 2003, four security vulnerabilities have been reported on IIS 6.0, compared with 23 for Apache 2.0.x during the same period, according to Secunia, the security service provider. IIS 7.0 builds on top of the secure foundation of its predecessor, and brings an enhanced process model that isolates applications by sandboxing resources and configurations at the application level by default.<br />Installing a minimal environment by choosing the Server Core installation option of Windows Server 2008 further limits the area of exposure of the IIS 7.0 installation. Server Core omits graphical services and most libraries, reducing the total footprint of the operating system while still allowing administration both locally, via the IIS command-line utility APPCMD.EXE, and remotely. <br />Improved Management Tools<br />Apache’s initial design did not take into account the possibility of implementing a graphical interface for its management tools. 
Apache management functions are accomplished through entries made directly in configuration files, or through open source graphical management tools such as TKApache and NetLoony, which are available for download.<br />In contrast, IIS 7.0 offers a range of management tools that cater to any Web site administrator’s personal taste. Day-to-day management can be accomplished graphically, via the command line, or by manually editing the configuration file. These tools give administrators greater control and easier access to the sites they manage.<br />The following management tools are integrated into IIS 7.0:<br />IIS Manager, a graphically rich console, provides access to IIS configuration settings, ASP.NET, and other IIS modules, in addition to user data and runtime diagnostic information. IIS Manager allows administrative control over sites to be delegated to developers or content owners, reducing the server administrator’s day-to-day responsibilities. The new IIS Manager supports remote administration over HTTPS, allowing for administration over the Internet without requiring DCOM or the opening of other ports on the firewall.<br />APPCMD.EXE, a new command-line tool, simplifies common Web server management tasks. It exposes all key server management functionality through a set of 10 objects that can be manipulated from the command line or from scripts.<br />Windows PowerShell Provider for IIS 7.0 makes available more than 75 task-based cmdlets that address key day-to-day activities, such as creating Web sites and enabling request tracing. 
Another set of low-level configurations enables access to every IIS configuration setting in addition to any other custom configuration.<br />Microsoft.Web.Administration, a simple and comprehensive application programming interface (API), gives developers convenient access to server objects and the ability to manipulate XML configuration files.<br />Windows Management Instrumentation provider, which includes tools that let developers view and edit objects in a common information repository and run selected methods to edit IIS configuration settings.<br />Web Deployment Tool, another free download, helps keep sites and servers in sync with IIS 6.0 or IIS 7.0, and assists administrators in migrating sites from IIS 6.0 to IIS 7.0.<br />Administration Pack for IIS 7.0, a set of extension modules designed to help with a variety of administrative tasks.<br />Diagnostics & Troubleshooting<br />In Apache, faults are isolated and diagnosed through five log files, each of which must be read manually to search for patterns that point to a particular problem.<br />IIS 7.0 includes two mechanisms to help with diagnostics and troubleshooting. One gives the administrator a real-time view of requests running on the server; the other allows the administrator to set traps to catch hard-to-reproduce error conditions and write a detailed trace log.<br />Runtime State and Control API provides real-time state information about application pools, worker processes, sites, application domains, and even running requests. This COM API is displayed through the IIS Manager console, the new APPCMD.EXE command-line tool, and Windows Management Instrumentation (WMI). These applications offer quick and easy status checks in any management environment chosen.<br />Detailed event tracing functionality tracks events throughout the request and response path, allowing developers and administrators to trace a request through the IIS processing pipeline and back out to the response. 
These detailed tracing events collect information on the request path, errors raised by the request, and the elapsed time at all points.<br />IIS 7.0 also simplifies troubleshooting by providing an improved, more detailed, and more actionable library of error messages. This library replaces the traditional terse error codes with detailed information about the request, the possible cause of the error, and suggested steps to fix the problem. IIS 7.0 now sends detailed error information to the browser and other remote clients.<br />Strong Web Application Support<br />IIS 7.0 offers powerful and easy-to-use tools that enable organizations to manage all of their Web applications on a single platform, eliminating the need to maintain two or more independent platforms that create higher infrastructure costs.<br />FastCGI is a new feature of IIS 7.0 that supports the high-performance version of the Common Gateway Interface (CGI). FastCGI overcomes the performance problems of standard CGIs by creating persistent processes that can be reused for multiple requests, rather than creating a new process for each request, which is then discarded when the request has been filled. FastCGI also allows applications to run remotely, improving load distribution.<br />IIS 7.0 also operates with Microsoft .NET Framework version 1.1 and later, creating a combination of new technologies for developing applications that deliver a visually compelling user experience, communication across technology boundaries, identity management, and support for a wide range of business processes. The newer versions of .NET Framework 3.0 simplify development through a consistent and comprehensive environment, enabling developers to build solutions compatible with a variety of mobile devices, backend services, and applications. 
Through its support of classic ASP, ASP.NET, and PHP, IIS 7.0 provides organizations with the flexibility to write applications in the language of their choice and to host applications on the platform of their choice.<br />Flexible Extensibility Model for Customization<br />IIS 7.0 gives software developers a complete server platform on which to build Web server extensions. Developers can extend IIS to provide custom functionality through the all-new core server API set. This API set allows developers to build modules in both native code such as C/C++ and managed code using languages such as C# and Visual Basic® using .NET Framework. It was also used to implement a significant portion of the IIS 7.0 feature set for request and application processing. IIS 7.0 also enables extensibility for configuration, scripting, event logging, and administration tool feature sets.<br />These extensions are available for download at no charge for x86 and x64 platforms. They cover a range of tasks in deployment, administration, request handling, security, content publishing, and media service. As of November 2008, the following extensions were available:<br />
<table>
<tr><th>Tool</th><th>Function</th></tr>
<tr><td>Web Deployment Tool</td><td>Helps keep sites and servers in sync with IIS 6.0 or IIS 7.0, as well as migrate from IIS 6.0 to IIS 7.0.</td></tr>
<tr><td>PowerShell Provider for IIS 7.0</td><td>A PowerShell snap-in that allows for management of IIS 7.0 configuration and runtime data.</td></tr>
<tr><td>Administration Pack for IIS 7.0</td><td>A set of six modules designed to help with a variety of administrative tasks.</td></tr>
<tr><td>Database Manager for IIS 7.0</td><td>A spin-off from the Administration pack that allows for easy management of databases through the IIS Manager UI.</td></tr>
<tr><td>IIS Manager for Remote Administration</td><td>Allows end-users and administrators to remotely manage IIS 7.0 servers from Windows Vista, Windows XP, and Windows Server 2003.</td></tr>
<tr><td>URL Scan 3.0</td><td>Restricts the types of HTTP requests that IIS will process.</td></tr>
<tr><td>URL Rewriter</td><td>Provides a rule-based rewriting mechanism for changing request URLs before the Web server processes them.</td></tr>
<tr><td>Application Request Routing</td><td>A proxy-based routing module that forwards HTTP requests to content servers based on HTTP headers, server variables, and load balance algorithms.</td></tr>
<tr><td>FTP for IIS 7.0</td><td>A new FTP service that has been completely rewritten for Windows Server 2008.</td></tr>
<tr><td>WebDAV for IIS 7.0</td><td>Improved WebDAV extension module that enhances Web authors’ ability to publish content and offers Web administrators more security and deployment options.</td></tr>
<tr><td>Bit Rate Throttling</td><td>Offers a range of functionality for controlling download rates for media and other content.</td></tr>
<tr><td>Web Playlists for IIS 7.0</td><td>Allows server-controlled media playlists to be delivered from the Web server infrastructure rather than from a dedicated streaming media server.</td></tr>
</table>
<br />FTP Publishing Service for IIS 7.0<br />FTP Publishing Service for IIS 7.0 (FTP 7) offers many enhanced capabilities over previous releases of the IIS FTP server. In addition to standard FTP functionality, through a new management UI the new service offers administration, support for current security standards, and support for virtual sites.<br />The following are selected highlights of the new FTP release: <br />Tighter integration with IIS 7.0 through a new administration UI and configuration store based on the .NET XML-based *.CONFIG format.<br />Support for FTP over SSL and for the use of non-Windows accounts for authentication. The new FTP service also supports other Internet improvements, such as UTF8 and IPv6.<br />Shared hosting improvements through full integration into IIS 7.0. This allows FTP 7 to host FTP and Web content from the same site by simply adding an FTP binding to an existing Web site. 
In addition, the FTP service now has virtual host name support, making it possible to host multiple FTP sites on the same IP address.<br />Improved logging and supportability features, including enhanced logging for all FTP-related traffic, unique tracking for FTP sessions, FTP sub-statuses, and additional detail fields in FTP logs. <br />Integrated Request Pipeline<br />In previous versions of IIS, ASP.NET was implemented as an IIS ISAPI extension. Requests to non-ASP.NET content, such as ASP pages or static files, were not visible to ASP.NET. Thus, services provided by ASP.NET modules and custom ASP.NET application code were not available to non-ASP.NET requests.<br />In IIS 7.0, the layout of the request pipeline allows for greater opportunities to influence the way in which a request is handled. Instead of the ASP.NET request processing pipeline plugging into the IIS pipeline, IIS 7.0 provides a wrapper around the IIS pipeline. IIS 7.0 processes a request to any content type, which enables services provided by ASP.NET modules such as forms authentication or output cache to be used for requests to ASP pages, PHP pages or static files.<br />IIS 7.0 Configuration and Management<br />Configuring IIS 7.0<br />In Apache, configuration starts with a directive entry in the httpd.conf file. <br />IIS 7.0 configuration works in a similar way: most settings can be configured either locally in the web.config file or globally in the ApplicationHost.config file. In IIS 7.0, configuration is based on the existing .NET Framework configuration store, which allows IIS configuration settings to be stored in web.config files alongside ASP.NET configuration settings. <br />IIS 7.0 provides a few methods for editing the .CONFIG files. 
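
The integrated pipeline and the shared web.config store described above can be seen together in one file. The following web.config is an added example, not part of the original white paper: it assumes an application pool running in Integrated mode, and the members folder and login.aspx page are placeholder names.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (constructed). "members" and "login.aspx" are placeholders. -->
<configuration>

  <!-- ASP.NET settings: turn on forms authentication for the application. -->
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
  </system.web>

  <!-- IIS 7.0 settings, stored in the same file as the ASP.NET settings. -->
  <system.webServer>
    <modules>
      <!-- By default these managed modules carry preCondition="managedHandler"
           and only run for ASP.NET content. Re-adding them with an empty
           precondition makes them run for every request in the pipeline,
           including PHP pages and static files. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule"
           preCondition="" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule"
           preCondition="" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule"
           preCondition="" />
    </modules>
  </system.webServer>

  <!-- Deny anonymous users for everything under the placeholder folder,
       whatever the content type. -->
  <location path="members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

With the managedHandler precondition cleared, the ASP.NET authentication and authorization modules run for every request, so PHP pages and static files under members are protected by the same login as ASP.NET pages.
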
These methods include:<br />Graphically through the IIS Manager console by clicking on the Application Settings icon in the default Features View, and then selecting Edit to open an Edit Application Setting dialog box.<br />From the command line by using APPCMD.EXE with the set config command and the /commit argument.<br />Within a Windows Management Instrumentation script, using the Application class.<br />Manually editing the configuration files. The IIS 7.0 configuration files are based on a strongly typed schema written in clear-text XML. This XML schema divides the configuration files into logical sections and makes them extremely simple to read and edit. One can use Visual Web Developer 2005 Express to edit the IIS 7.0 configuration files in a neat-looking code editor environment.<br />Online documentation for all of these methods is available through the Microsoft Web site.<br />The following table lists the settings that may be changed using any of these editing methods.<br />
<table>
<tr><th>Setting</th><th>Functionality</th></tr>
<tr><td>Application Settings</td><td>Application-wide values that reside in a central location and can be accessed from anywhere in the application.</td></tr>
<tr><td>ASP (classic)</td><td>View the default settings or edit them as needed.</td></tr>
<tr><td>CGI</td><td>View the default settings or edit them as needed.</td></tr>
<tr><td>Compilation</td><td>Make changes to the way managed code is compiled. Managed code must first be compiled into one or more Dynamic Link Library (DLL) files before IIS can process it. Either use the default compilation settings or edit them as needed.</td></tr>
<tr><td>Database Connection Strings</td><td>Create a string in IIS to store the information that an application uses to connect to the database.</td></tr>
<tr><td>E-mail</td><td>Set the Simple Mail Transfer Protocol (SMTP) server for delivery method and delivery location. IIS can immediately deliver e-mail messages from a site or store them for delivery later.</td></tr>
<tr><td>Globalization</td><td>Regional and language settings for applications.</td></tr>
<tr><td>ISAPI Filters</td><td>DLL files that modify or enhance IIS functionality. ISAPI filters can be added to the IIS configuration.</td></tr>
<tr><td>Machine Keys</td><td>Settings for machine keys to configure encryption and decryption methods in addition to validation and encryption keys.</td></tr>
<tr><td>Pages and Controls</td><td>Supports the global setting of certain ASP.NET page and control directives. Globally setting these directives will change all pages and controls within the scope of the configuration file.</td></tr>
<tr><td>Profiles</td><td>Define information to maintain about each user visiting the site or application. Use this feature to add, edit, or delete user profiles.</td></tr>
<tr><td>Providers</td><td>Configure ASP.NET providers for membership user roles and profiles, and select the default provider for these provider-based services.</td></tr>
<tr><td>Session State</td><td>ASP.NET session state allows for the storage and retrieval of values for a user as the user navigates through the different ASP.NET pages of an application.</td></tr>
</table>
<br />The complete list of available settings can be determined by running the following command:<br />Appcmd list config /section:?<br />Figure 1: appcmd.exe list of configuration options<br />Figure 2: appcmd.exe list of configuration options<br />The complete usage options of appcmd.exe can be found at http://learn.iis.net/page.aspx/114/getting-started-with-appcmdexe/.<br />Hosting PHP on IIS 7.0<br />Installing FastCGI Support<br />FastCGI is a language-independent, scalable, open extension to CGI that provides high performance for Internet applications. The FastCGI extension improves performance and stability in application frameworks such as PHP on IIS. <br />Enabling FastCGI on Apache requires manually moving the mod_fastcgi files and then manually editing configuration files to load modules on startup. In some Linux distributions, the mod_fastcgi files must first be built.<br />Enabling FastCGI support on IIS 7.0 in Windows Server 2008 is handled entirely through the Server Manager console.<br />From the Start menu, open Server Manager. <br />Select Roles, then Web Server (IIS) Role. Then select Add Role Services. 
From the list of Role Services, check CGI and click Next. This enables both CGI and FastCGI services.<br />Figure 3: Adding CGI through the Role Services window<br />Installing and Configuring PHP on IIS 7.0<br />Microsoft recommends using a non-thread-safe build of PHP with IIS 7.0 FastCGI. The non-thread-safe build of PHP provides significant performance gains over the standard build by not executing any thread-safety checks. These checks are unnecessary, since FastCGI is not tied to a particular server architecture and applications can be single or multithreaded.<br />The non-thread-safe build is available for download at http://www.php.net/downloads.php. Create the folder C:\PHP and unpack the files into it. From these files, rename the php.ini-recommended file to php.ini. In the php.ini file, enter the following settings:<br />Set fastcgi.impersonate = 1. FastCGI under IIS supports the ability to impersonate security tokens of the calling client. This allows IIS to define the security context under which the request runs.<br />Set cgi.fix_pathinfo = 1. The cgi.fix_pathinfo setting provides real PATH_INFO/PATH_TRANSLATED support for CGI. For more information on PATH_INFO, see the CGI specs. This setting causes PHP CGI to fix its paths to conform to the spec.<br />Set cgi.force_redirect = 0. The comments in php.ini state that this check must be turned off when PHP runs under IIS.<br />Set open_basedir to point to the folder or network path in which the Web site content is located. This restricts the files that PHP can open to that directory tree.<br />To test whether the PHP installation was successful, run the following command from the command prompt:<br />C:\PHP>php --info <br />If PHP was installed correctly and all of its dependencies are available on the machine, this command will display information on the current PHP configuration, such as the following.<br />Figure 4: PHP Configuration data<br />Configure IIS 7.0 to Handle PHP Requests<br />Handler mapping is required for IIS 7.0 to host PHP applications. 
This handler mapping tells IIS to pass all requests for PHP files to the PHP application framework via the FastCGI protocol.<br />In Apache, the PHP handler is configured mainly in php.conf, with other PHP parameters in VirtualHost containers of the main httpd.conf file and in the VirtualHost include files in /usr/local/apache/conf/userdata. Some editing of php.conf can be done through Web Host Manager under Configure PHP and SuExec.<br />In IIS 7.0, a handler mapping can be added and configured through the UI. Open the IIS Manager, select the top node—usually the server name—in Connections, and then click on the Handler Mappings icon in the center pane.<br />Figure 5: Accessing Handler Mappings <br />From the Handler Mappings window, select Add Module Mapping and enter the following settings in the module mapping fields:<br /><ul><li>Request path:*.php