Microsoft is launching a new salvo in its battle for Web server market supremacy with the introduction of Internet Information Services (IIS) 7.0, a key component of Windows Server 2008.
|Is IIS 7.0 the Web server that finally gets Web serving right?|
Unsure About an Acronym or Term?
IIS currently powers about 40 percent of Web servers around the world. According to the latest Netcraft survey results, IIS trails Apache by about 10 percentage points. If Microsoft hopes to continue catching up with Apache — as it has been doing for the past 18 months or so — it must provide a compelling reason to choose IIS 7 over Apache and other open-source alternatives.
So what’s new and great in IIS 7.0?
New and Improved
IIS 5 was a monolithic Web server with numerous, well-known security problems. IIS 6 was in many ways a “make it better” release. IIS 7 may well be the version that finally gets it right, and what’s most striking is the modular nature of the product, allowing for far better security.
IIS 7.0 features about 40 components that can be used to build a Web server with just the functionality required, without including features — and thus code — that aren’t needed. These modules include everything from core http functionality, security and compression, to caching and server logging. This enables administrators to configure a server with a minimized attack surface under the security principal that you can’t exploit code that isn’t there.
Modularity also makes IIS 7 expandable. Administrators can write their own modules to provide functionality that isn’t otherwise available, instead of being beholden to Microsoft to provide features. There’s a security risk in that, of course, but it’s the admin’s choice — not Microsoft’s — as to whether adding a feature is worth the additional risk.
Patching is also more secure, thanks to the way Server 2008 can be installed to fulfill various templated roles. A box configured in a server role receives only patches relevant to that role, minimizing the number or reboots required and, in theory at least, also reducing the chances of acquiring new vulnerabilities with patch code that isn’t needed.
Taking this “security through minimalization” idea to its logical extreme, an IIS 7.0 Web server can also be set up in a Server Core installation with no GUI. In this configuration, which is about 1 gigabyte in total according to Microsoft, almost no unnecessary services or applications are running. This further reduces the attack surface, resulting in a need for less server management and maintenance. Microsoft says a Server Core installation requires about 66 percent fewer reboots than a full installation.
A GUI-less Server Core installation isn’t for everyone, of course, but the option of a stripped down, hardened system will appeal in many circumstances, especially in the market segment also occupied by Apache servers.
IIS 7 also takes advantage of the .Net framework, which makes it relatively straightforward to build Web 2.0 applications. It is shipped with a new FastCGI module, so application frameworks such as PHP, Ruby on Rails and Perl can be hosted, and applications built on them can run natively on the Web server. One caveat: The Server Core version of IIS 7.0 does not include the .Net framework (because the .Net framework has hooks into the GUI, which has been removed from the Server Core installation) and therefore doesn’t “do” ASP.Net. However, Microsoft announced that the next version of the .Net framework will be componentized. It will work with the Server Core version of IIS to get ASP.Net functionality.
New management features in IIS 7 should make day-to-day Web server administration much easier. Among the most interesting is the ability for administrators to delegate configuration of certain site settings to Web site operators (in the web.config file in the site’s root) and the ability to configure multiple servers simultaneously in a Web server farm.
The final benefits of IIS 7 come by virtue of the fact that the Web server is part of the Windows Server 2008 operating system.
Server 2008 comes with a new TCP/IP stack. In tests on an ultrafast network, Microsoft claims that a 10-gigabyte transfer that took more than five hours using 2003’s stack took just seven minutes using the new stack, due to its dynamically expandable receive window. Although this type of speed gain will not be achievable over the Internet because of other speed barriers, it’s possible that data exchanges between IIS 7 and Vista client machines (which use the same new stack) on fast corporate networks will see significant speed increases.
On the downside, the new stack is a potential security risk since there’s the possibility of introducing new and as yet unknown vulnerabilities — the older 2003 stack was more mature. But Server 2008’s TCP/IP stack has effectively have been tested in the field for more than a year now in Vista machines. The code bases for Vista and Server 2008 forked before the launch of Vista, but they are scheduled to merge again when Server 2008 is released, and patches to Vista’s stack have been incorporated into Server 2008’s on an ongoing basis, according to Microsoft.
Finally, although there has long been a 64-bit version of Server 2003, it’s only with the introduction of Server 2008 that companies will be moving to 64-bit hardware in significant numbers as they refresh their server rooms. Because of the way TCP/IP connection states are stored and the fact that 32-bit systems can address only 4 gigabytes of RAM, 32-bit systems have in effect been limited to around 20,000 to 30,000 connections per machine. Since 64-bit machines running Server 2008 Enterprise Edition can address 2 terabytes of RAM, IIS 7 running on these machines has the potential to maintain many, many more TCP/IP connections than it (or any other Web server) would on 32-bit boxes.
With all these changes over the previous version, does IIS 7.0 have what it takes to propel Microsoft to market leadership in the Web server market? Only time will tell, but at first glance, there’s plenty to be excited about, and the signs are that IIS 7 will be the software giant’s most successful Web server yet.