IIS benefits from close integration with the operating system. The same user and group configuration system that powers the main authorization system within Windows also provides security and authentication services for the main IIS system. It reduces the management overhead by supporting only one system, and enables the sys admin to automatically log in users through an intranet, assuming they are already authenticated within the Windows environment.

Because the same system is used throughout the OS, it can also be used to define security and access to different components of the file system on which the Web site relies. For example, when a user logs on to the Web site, his ability to browse the directories within the site is defined by one set of user and group structures.

Apache's security and administration system is not this well-integrated with the OSs it supports. Although there are modules and adaptors that support a variety of different authentication and security sources, including Active Directory, the Unix passwd file, and LDAP servers, the resulting server is relatively isolated from the system it supports. For example, when a user authenticates against the Unix passwd file, Apache still ignores the file permissions on the underlying file system.

In terms of secure transactions, both systems support encryption technology in SSL, and can be used with IPSec implementations and IPv6.

Performance

Gauging performance is always difficult because no matter how identical the systems to be tested are, minute changes in their configurations can have a dramatic effect on performance. It is possible to pick a "winner" based on bare-bones installations of both systems on the same hardware, but this doesn't really reflect the true performance capabilities of a system in the field. It's equally possible to configure one Apache and one IIS system to be either over- and under-efficient, again skewing the potential results.

Instead it's better to look at the potential capabilities of each system. IIS incorporates a wide range of features designed to improve performance. The worker process execution model provides significant performance benefits on multiprocessor machines, and the ASP and ISAPI extensions enable applications to be executed directly from within the processes handling the requests. The kernel mode driver, HTTP.sys, is also capable of serving pages directly from the cache (memory or disk) for both static and dynamic components, eliminating the need to send the request to a worker process. IIS automatically caches pages generated from dynamic elements to speed up responses.

Under Apache, the same range of facilities are present. Much information can be cached, and tools like mod_perl and mod_php enable the execution of dynamic and template pages almost as quickly as static pages. Like ASP and ISAPI filters under IIS, the modules effectively place the interpreter directly within the Apache executable, eliminating the need to run an external application and greatly improving performance.

Management

The two systems differ radically when it comes to management. The only method of administering Apache is through a simple text-based configuration file. Although a variety of command line, Web, and GUI interface tools are available, they all rely on the central text file to actually the update the configuration. Comanche, for example, provides a full interface to the Apache system. A list of alternative GUIs, both stand-alone and Web-based, is online at gui.apache.org.

Using a text file this way has its advantages; it's easy to share configuration information between machines by copying the relevant content from the text file. The primary disadvantage is that it's relatively easy to corrupt the file and therefore upset the configuration. Without a "soft" restart, Apache cannot update its configuration, so before restarting Apache the admin must ensure the configuration file is working. This can be achieved using a built-in testing mechanism.

IIS, on the other hand, offers a number of different interfaces to modify the configuration of the system. Although the underlying configuration is primarily stored in an XML-based text file, the IIS system enables the admin to change the configuration and the underlying file while the system is still running. Because the file is XML, it has a more rigid structure, yet is still flexible enough to support the different configuration options. For remote support, Windows Server 2003 also incorporates a telnet server, which keeps the XML Metabase modifiable and allows the use of various command-line tools for remote server management.

The various editing interfaces include a GUI-based interface through the Microsoft Management Console, a Web-based administration system, and a suite of command line tools for adding, updating, and configuring different components. Admins can also edit the XML file live and have saved changes automatically reflected within the IIS system. The XML format also makes it easy to export and import configuration information between machines to share configuration details.

System for system, there is not a huge amount to compare. The MMC within IIS provides a consistent and distributed interface for updating the configuration across a wide range of machines. However, Web-based administration tools, like Webmin, or dedicated GUI tools, like Comanche, can provide the same functionality.

Reliability

This last comparison is probably the most contentious when comparing IIS and Apache. Based on this writer's experience, there's very little differentiation between the most recent versions both applications. In the lab, a Windows Server 2003 box has been running a Web site since January 2003 (when the system was installed) -- almost eight months solid at press time. All necessary updates have been applied without restarting the server. By comparison, the Apache/Solaris 8 machine next to it has been running for 335 days without issue.

IIS 6.0 now provides extensive management and control systems over the worker processes that control most requests. To improve the reliability, IIS can also compartmentalize applications, giving them their own memory and execution space, or using a space shared with other applications. This means that when an application causes a problem, it dies within the worker process and doesn't affect any of the other applications or the request processing core in the process.

Apache automatically handles much of the process and thread management aspects, but memory and application isolation is still an issue that has not been effectively resolved or covered. Apache avoids some of the problems by automatically recycling components, with the core continuing to run even in the event of a serious failure in one of the components. There are still situations, however, where Apache may need to be restarted.

One example of this is the configuration of the Apache system itself. For a Web site running from an IIS-based server, most updates and improvements will have no effect on users' ability to access them because the configuration changes are made while the system is still running. Apache, however, requires a notional restart.

That said, the use of .htaccess within Apache means many items that normally need modification through the course of a Web site's life can be handled dynamically.

Conclusion

Despite the array of differences between the two systems, choosing between them comes down to the needs and requirements of the organization and, to a lesser extent, the personal needs and preferences of those using it. For example, many developers prefer to work in Perl in a Unix-based Apache environment, even though Perl and Apache are available under Windows, and Perl is supported separately under IIS.

If server management is a prime concern, then the extensive management capabilities of IIS may be the way to go. The security aspect and integration with Active Directory, and therefore the rest of the security mechanisms, is also a major benefit.

However, it's important not to ignore the cost of deployment issue. Apache is free, and can be installed on OSs like Linux that are also free. IIS is available only as part of Windows Server 2003. Although a new Windows Server 2003, Web Edition is available at a significant discount compared to its Standard Edition cousin, it is still, at least on the surface, more expensive than Apache.

Original date of publication, 09/09/2003.