Tip 5: Gzip Site Content
Browsers can handle Gzipped and deflated content and decompress it on the
fly. Although IIS 5 had a gzip feature built-in, it is pretty much broken. Enter
products like Pipeboost to offer
better functionality — similar to what Apache users have enjoyed with
mod_gzip.
Don’t waste your bandwidth — even Google encodes its content, and its
pages are tiny.
Tip 4: Cache Your Content
While I’m on the topic of improving performance, remember to make your site
cache friendly. You can set expiration headers for different files or directories
right from the MMC. Just right click on an item via the IIS MMC, flip to the
“HTTP Headers” tab, and away you go. If you want to set cache control headers
programmatically — or even better, let your site developers do it — use
something like CacheRight. If you
want to go further and add reverse proxy caching, particularly for generated
content, a product like XCache, which also throws in compression, is a good choice.
Taking full advantage of caching might involve more time and expense, but when you watch your logs shrink because they don’t contain tons of pointless 304 responses, and your bandwidth consumption drops like a stone, even while total page views increase during the same period, you’ll start to understand why this particular tip was so important. Cache friendly sites are quite rare, but plenty of information is available online about the enormous benefits to be had by doing it right: Check out
Brian Davidson’s page, this nifty
tutorial from Mark Nottingham,
and even what AOL has to say on the subject.
Tip 3: Tune Your Server
Tuning IIS is no small topic — whole books and courses are dedicated to it. But
some good basic help is available online, such as this piece from IIS guru
Brett Hill,
or this Knowledge Base article
from Microsoft itself. However, if you don’t feel like getting your hands dirty
— or can’t afford the time and expense of turning yourself into an expert —
take a look at XTune,
from the makers of XCache. It’s performance tuning wizards step you through the
process of tuning your IIS environment, making expert recommendations along the way.
Tip 2: Secure Your Server With Simple Fixes
Sure people are going to attack sites, but you don’t have to be a sitting duck
if you’re willing to make even a small effort. First off, don’t advertise the
fact that you are running IIS by showing your HTTP server header. Remove or
replace it using something like ServerMask
— probably the best $25 you’ll ever spend. You can go even farther
than this by removing unnecessary file extensions to further camouflage your
server environment, and scanning request URLs for signs of exploits. A number of commercial products provide user input scanning, and Microsoft offers a free tool called
URLScan
that does the job. URLScan runs in conjunction with
IISLockDown,
a standard security package that should probably be installed on every IIS
server on the planet. These are simple fixes that could pay off big, so do them now.
Tip 1: Patch, Patch, Patch!
Okay, we in the IIS world do have to patch our systems and make hotfixes.
However, as a former Solaris admin I had to do the same thing there, so I am
not sure why this is a big surprise. You really must keep up with the
patches. Microsoft is of course the
definitive source,
but if you can, also use the highly-regarded www.cert.org. Simply search on “IIS”.
Well there you have it: 10 tips for IIS admins to improve their servers. Some
of the tips might become obsolete once IIS 6 is gold, but, for now at least,
Windows 2000 and NT IIS admins should apply a few of these today and sleep a little better at night.
