Internet Information Services
Encyclopedia
Internet Information Services (IIS) – formerly called Internet Information Server – is a web server
application and set of feature extension modules created by Microsoft
for use with Microsoft Windows
. It is the most used web server after Apache HTTP Server
. IIS 7.5 supports HTTP, HTTPS
, FTP
, FTPS
, SMTP
and NNTP
. It is an integral part of Windows Server
family of products, as well as certain editions of Windows XP
, Windows Vista
and Windows 7. IIS is not turned on by default when Windows is installed.
in Scotland, and was distributed as freeware
. However, since the EMWAC server was unable to scale sufficiently to handle the volume of traffic going to microsoft.com, Microsoft was forced to develop its own web server, IIS.
Almost every version of IIS was released either alongside or with a version of Microsoft Windows operating system. IIS 1.0 was initially released as a free add-on, a set of web-based services for Windows NT 3.51. However, IIS 2.0 was included with Windows NT 4.0. IIS 3.0, which was included with Service Pack
3 of Windows NT 4, introduced the Active Server Pages
dynamic scripting environment. IIS 4.0 was released as part of an "Option Pack" for Windows NT 4.0 and dropped support for the Gopher protocol. IIS 5.0 shipped with Windows 2000 and introduced additional authentication methods, management enhancements including a new MMC
based administration application, support for the WebDAV
protocol, and enhancements to ASP
. IIS 5.1 was shipped with Windows XP Professional, and was nearly identical to IIS 5.0 on Windows 2000 except for several limitations Microsoft introduced. IIS 5.1 supported only 10 simultaneous connections and supported only a single web site. IIS 6.0, included with Windows Server 2003
and Windows XP Professional x64 Edition
, added support for IPv6
and included a new worker process model that increased security as well as reliability.
IIS 7.0 was a complete redesign and rewrite of IIS, and was shipped with Windows Vista and Windows Server 2008. IIS 7.0 included a new modular design that allowed for a reduced attack surface and increased performance. IIS 7.0 also introduced a hierarchical configuration system allowing for simpler site deploys, a new Windows Forms
based management application, new command line management options and increased support for the .NET Framework
. IIS 7.0 on Vista does not limit the number of allowed connections as IIS on XP did, but limits concurrent requests to 10 (Windows Vista Ultimate, Business, and Enterprise Editions) or 3 (Vista Home Premium). Additional requests are queued, which hampers performance, but they are not rejected as with XP.
The current shipping version of IIS is IIS 7.5, included in Windows 7 and Windows Server 2008 R2
. IIS 7.5 improved WebDAV and FTP modules as well as command line administration in PowerShell. It also introduced Best Practices Analyzer tool and process isolation for application pools.
. It is used on 15.66% of servers and responds to 12.46% of total requests.
, especially the CA-2001-13 which led to the infamous Code Red worm; however, both versions 6.0 and 7.0 currently have no reported issues with this specific vulnerability. In IIS 6.0 Microsoft opted to change the behaviour of pre-installed ISAPI
handlers, many of which were culprits in the vulnerabilities of 4.0 and 5.0, thus reducing the attack surface
of IIS. In addition, IIS 6.0 added a feature called "Web Service Extensions" that prevents IIS from launching any program without explicit permission by an administrator.
In the current release, IIS 7, the components are provided as modules so that only the required components have to be installed, thus further reducing the attack surface. In addition, security features are added such as Request Filtering, which rejects suspicious URLs based on a user-defined rule set.
By default IIS 5.1 and lower run websites in-process under the SYSTEM account, a default Windows account with 'superuser' rights. Under 6.0 all request handling processes have been brought under a Network Services account with significantly fewer privileges so that should there be a vulnerability in a feature or in custom code it won't necessarily compromise the entire system given the sandboxed
environment these worker processes run in. IIS 6.0 also contained a new kernel HTTP stack (
According to Secunia
, , IIS 7 had a total of 6 resolved vulnerabilities while IIS 6 had a total of 11 vulnerabilities out of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.
In June 2007, a Google study of 80 million domains concluded that while the IIS market share was 23% at the time, IIS servers hosted 49% of the worlds malware, same as Apache servers
whose market share was 66%. The study also observed the geographical location of these dirty servers and suggested that the cause of this could be the use of pirated copies of Windows for which security updates were unavailable. This is no longer the case: Microsoft supplies security updates to all users.
IIS 6.0 and higher support the following authentication
mechanisms:
IIS 7.5 includes the following additional or enhanced security features:
Authentication changed slightly between IIS 6.0 and IIS 7, most notably in that the anonymous user which was named "IUSR_{machinename}" is a built-in account in Vista and future operating systems and named "IUSR". Notably, in IIS 7, each authentication mechanism is isolated into its own module and can be installed or uninstalled.
Similar servers
Web server
Web server can refer to either the hardware or the software that helps to deliver content that can be accessed through the Internet....
application and set of feature extension modules created by Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
for use with Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
. It is the most used web server after Apache HTTP Server
Apache HTTP Server
The Apache HTTP Server, commonly referred to as Apache , is web server software notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server software to surpass the 100 million website milestone...
. IIS 7.5 supports HTTP, HTTPS
Https
Hypertext Transfer Protocol Secure is a combination of the Hypertext Transfer Protocol with SSL/TLS protocol to provide encrypted communication and secure identification of a network web server...
, FTP
File Transfer Protocol
File Transfer Protocol is a standard network protocol used to transfer files from one host to another host over a TCP-based network, such as the Internet. FTP is built on a client-server architecture and utilizes separate control and data connections between the client and server...
, FTPS
FTPS
FTPS is an extension to the commonly used File Transfer Protocol that adds support for the Transport Layer Security and the Secure Sockets Layer cryptographic protocols....
, SMTP
Simple Mail Transfer Protocol
Simple Mail Transfer Protocol is an Internet standard for electronic mail transmission across Internet Protocol networks. SMTP was first defined by RFC 821 , and last updated by RFC 5321 which includes the extended SMTP additions, and is the protocol in widespread use today...
and NNTP
Network News Transfer Protocol
The Network News Transfer Protocol is an Internet application protocol used for transporting Usenet news articles between news servers and for reading and posting articles by end user client applications...
. It is an integral part of Windows Server
Windows Server
Windows Server is a brand name for a group of server operating systems released by Microsoft Corporation. All are part of Microsoft Servers.- Members :This brand includes the following software:* Windows 2000 Server* Windows Server 2003...
family of products, as well as certain editions of Windows XP
Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
, Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
and Windows 7. IIS is not turned on by default when Windows is installed.
History
The first Microsoft web server was a research project at European Microsoft Windows NT Academic Centre (EMWAC), part of the University of EdinburghUniversity of Edinburgh
The University of Edinburgh, founded in 1583, is a public research university located in Edinburgh, the capital of Scotland, and a UNESCO World Heritage Site. The university is deeply embedded in the fabric of the city, with many of the buildings in the historic Old Town belonging to the university...
in Scotland, and was distributed as freeware
Freeware
Freeware is computer software that is available for use at no cost or for an optional fee, but usually with one or more restricted usage rights. Freeware is in contrast to commercial software, which is typically sold for profit, but might be distributed for a business or commercial purpose in the...
. However, since the EMWAC server was unable to scale sufficiently to handle the volume of traffic going to microsoft.com, Microsoft was forced to develop its own web server, IIS.
Almost every version of IIS was released either alongside or with a version of Microsoft Windows operating system. IIS 1.0 was initially released as a free add-on, a set of web-based services for Windows NT 3.51. However, IIS 2.0 was included with Windows NT 4.0. IIS 3.0, which was included with Service Pack
Service pack
A service pack is a collection of updates, fixes or enhancements to a software program delivered in the form of a single installable package. Many companies, such as Microsoft or Autodesk, typically release a service pack when the number of individual patches to a given program reaches a certain ...
3 of Windows NT 4, introduced the Active Server Pages
Active Server Pages
Active Server Pages , also known as Classic ASP or ASP Classic, was Microsoft's first server-side script engine for dynamically-generated Web pages. Initially released as an add-on to Internet Information Services via the Windows NT 4.0 Option Pack Active Server Pages (ASP), also known as Classic...
dynamic scripting environment. IIS 4.0 was released as part of an "Option Pack" for Windows NT 4.0 and dropped support for the Gopher protocol. IIS 5.0 shipped with Windows 2000 and introduced additional authentication methods, management enhancements including a new MMC
MMC
MMC may stand for:In business:*Mail.com Media Corp., a US digital media company*Marsh & McLennan Companies, a US-based global professional services firm*Material Móvil y Construcciones...
based administration application, support for the WebDAV
WebDAV
Web-based Distributed Authoring and Versioning is a set of methods based on the Hypertext Transfer Protocol that facilitates collaboration between users in editing and managing documents and files stored on World Wide Web servers...
protocol, and enhancements to ASP
Active Server Pages
Active Server Pages , also known as Classic ASP or ASP Classic, was Microsoft's first server-side script engine for dynamically-generated Web pages. Initially released as an add-on to Internet Information Services via the Windows NT 4.0 Option Pack Active Server Pages (ASP), also known as Classic...
. IIS 5.1 was shipped with Windows XP Professional, and was nearly identical to IIS 5.0 on Windows 2000 except for several limitations Microsoft introduced. IIS 5.1 supported only 10 simultaneous connections and supported only a single web site. IIS 6.0, included with Windows Server 2003
Windows Server 2003
Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
and Windows XP Professional x64 Edition
Windows XP Professional x64 Edition
Microsoft Windows XP Professional x64 Edition released on April 25, 2005 is an edition of Windows XP for x86-64 personal computers. It is designed to use the expanded 64-bit memory address space provided by the x86-64 architecture....
, added support for IPv6
IPv6
Internet Protocol version 6 is a version of the Internet Protocol . It is designed to succeed the Internet Protocol version 4...
and included a new worker process model that increased security as well as reliability.
IIS 7.0 was a complete redesign and rewrite of IIS, and was shipped with Windows Vista and Windows Server 2008. IIS 7.0 included a new modular design that allowed for a reduced attack surface and increased performance. IIS 7.0 also introduced a hierarchical configuration system allowing for simpler site deploys, a new Windows Forms
Windows Forms
Windows Forms is the name given to the graphical application programming interface included as a part of Microsoft .NET Framework, providing access to native Microsoft Windows interface elements by wrapping the extant Windows API in managed code...
based management application, new command line management options and increased support for the .NET Framework
.NET Framework
The .NET Framework is a software framework that runs primarily on Microsoft Windows. It includes a large library and supports several programming languages which allows language interoperability...
. IIS 7.0 on Vista does not limit the number of allowed connections as IIS on XP did, but limits concurrent requests to 10 (Windows Vista Ultimate, Business, and Enterprise Editions) or 3 (Vista Home Premium). Additional requests are queued, which hampers performance, but they are not rejected as with XP.
The current shipping version of IIS is IIS 7.5, included in Windows 7 and Windows Server 2008 R2
Windows Server 2008 R2
Windows Server 2008 R2 is a server operating system produced by Microsoft. It was released to manufacturing on July 22, 2009 and launched on October 22, 2009. According to the Windows Server Team blog, the retail availability was September 14, 2009. It is built on Windows NT 6.1, the same core...
. IIS 7.5 improved WebDAV and FTP modules as well as command line administration in PowerShell. It also introduced Best Practices Analyzer tool and process isolation for application pools.
Versions
- IIS 1.0, Windows NT 3.51Windows NT 3.51Windows NT 3.51 is the third release of Microsoft's Windows NT line of operating systems. It was released on 30 May 1995, nine months after Windows NT 3.5. The release provided two notable feature improvements; firstly NT 3.51 was the first of a short-lived outing of Microsoft Windows on the...
available as a free add-on - IIS 2.0, Windows NT 4.0Windows NT 4.0Windows NT 4.0 is a preemptive, graphical and business-oriented operating system designed to work with either uniprocessor or symmetric multi-processor computers. It was the next release of Microsoft's Windows NT line of operating systems and was released to manufacturing on 31 July 1996...
- IIS 3.0, Windows NT 4.0Windows NT 4.0Windows NT 4.0 is a preemptive, graphical and business-oriented operating system designed to work with either uniprocessor or symmetric multi-processor computers. It was the next release of Microsoft's Windows NT line of operating systems and was released to manufacturing on 31 July 1996...
Service Pack 2 - IIS 4.0, Windows NT 4.0Windows NT 4.0Windows NT 4.0 is a preemptive, graphical and business-oriented operating system designed to work with either uniprocessor or symmetric multi-processor computers. It was the next release of Microsoft's Windows NT line of operating systems and was released to manufacturing on 31 July 1996...
Option Pack - IIS 5.0, Windows 2000Windows 2000Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
- IIS 5.1, Windows XP Professional and Windows XP Media Center EditionWindows XP Media Center EditionWindows XP Media Center Edition is a version of the Windows XP operating system designed to serve as a home-entertainment hub. The last version, Windows XP Media Center Edition 2005, was released in October 2004.-Versions:...
(requires retail CD) - IIS 6.0, Windows Server 2003Windows Server 2003Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
and Windows XP Professional x64 EditionWindows XP Professional x64 EditionMicrosoft Windows XP Professional x64 Edition released on April 25, 2005 is an edition of Windows XP for x86-64 personal computers. It is designed to use the expanded 64-bit memory address space provided by the x86-64 architecture.... - IIS 7.0, Windows Server 2008 and Windows VistaWindows VistaWindows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
(Home Premium, Business, Enterprise and Ultimate editions) - IIS 7.5, Windows Server 2008 R2Windows Server 2008 R2Windows Server 2008 R2 is a server operating system produced by Microsoft. It was released to manufacturing on July 22, 2009 and launched on October 22, 2009. According to the Windows Server Team blog, the retail availability was September 14, 2009. It is built on Windows NT 6.1, the same core...
and Windows 7 (Home Premium, Professional, Enterprise and Ultimate editions)
Usage
, IIS is the second most used server in the world, after Apache HTTP ServerApache HTTP Server
The Apache HTTP Server, commonly referred to as Apache , is web server software notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server software to surpass the 100 million website milestone...
. It is used on 15.66% of servers and responds to 12.46% of total requests.
Security
Earlier versions of IIS were hit with a number of vulnerabilitiesVulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
, especially the CA-2001-13 which led to the infamous Code Red worm; however, both versions 6.0 and 7.0 currently have no reported issues with this specific vulnerability. In IIS 6.0 Microsoft opted to change the behaviour of pre-installed ISAPI
ISAPI
The Internet Server Application Programming Interface is an N-tier API of Internet Information Services , Microsoft's collection of Windows-based web server services...
handlers, many of which were culprits in the vulnerabilities of 4.0 and 5.0, thus reducing the attack surface
Attack surface
The attack surface of a software environment is the code within a computer system that can be run by unauthenticated users. This includes, but is not limited to: user input fields, protocols, interfaces, and services....
of IIS. In addition, IIS 6.0 added a feature called "Web Service Extensions" that prevents IIS from launching any program without explicit permission by an administrator.
In the current release, IIS 7, the components are provided as modules so that only the required components have to be installed, thus further reducing the attack surface. In addition, security features are added such as Request Filtering, which rejects suspicious URLs based on a user-defined rule set.
By default IIS 5.1 and lower run websites in-process under the SYSTEM account, a default Windows account with 'superuser' rights. Under 6.0 all request handling processes have been brought under a Network Services account with significantly fewer privileges so that should there be a vulnerability in a feature or in custom code it won't necessarily compromise the entire system given the sandboxed
Sandbox (computer security)
In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites....
environment these worker processes run in. IIS 6.0 also contained a new kernel HTTP stack (
http.sys) with a stricter HTTP request parser and response cache for both static and dynamic content.According to Secunia
Secunia
Secunia is a Danish computer security service provider best known for tracking vulnerabilities in a large variety of software and operating systems.Numbers of "unpatched" vulnerabilities in popular applications are frequently quoted in software comparisons....
, , IIS 7 had a total of 6 resolved vulnerabilities while IIS 6 had a total of 11 vulnerabilities out of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.
In June 2007, a Google study of 80 million domains concluded that while the IIS market share was 23% at the time, IIS servers hosted 49% of the worlds malware, same as Apache servers
Apache HTTP Server
The Apache HTTP Server, commonly referred to as Apache , is web server software notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server software to surpass the 100 million website milestone...
whose market share was 66%. The study also observed the geographical location of these dirty servers and suggested that the cause of this could be the use of pirated copies of Windows for which security updates were unavailable. This is no longer the case: Microsoft supplies security updates to all users.
Features
The architecture of IIS 7 is modular. Modules, also called extensions, can be added or removed individually so that only modules required for specific functionality have to be installed. IIS 7 includes native modules as part of the full installation. These modules are individual features that the server uses to process requests and include the following:- HTTP modules – Used to perform tasks specific to HTTP in the request-processing pipeline, such as responding to information and inquiries sent in client headers, returning HTTP errors, and redirecting requests.
- Security modules – Used to perform tasks related to security in the request-processing pipeline, such as specifying authentication schemes, performing URL authorization, and filtering requests.
- Content modules – Used to perform tasks related to content in the request-processing pipeline, such as processing requests for static files, returning a default page when a client does not specify a resource in a request, and listing the contents of a directory.
- Compression modules – Used to perform tasks related to compression in the request-processing pipeline, such as compressing responses, applying Gzip compression transfer coding to responses, and performing pre-compression of static content.
- Caching modules – Used to perform tasks related to caching in the request-processing pipeline, such as storing processed information in memory on the server and using cached content in subsequent requests for the same resource.
- Logging and Diagnostics modules – Used to perform tasks related to logging and diagnostics in the request-processing pipeline, such as passing information and processing status to HTTP.sys for logging, reporting events, and tracking requests currently executing in worker processes.
IIS 6.0 and higher support the following authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
mechanisms:
- Anonymous authentication
- Basic access authentication
- Digest access authenticationDigest access authenticationDigest access authentication is one of the agreed upon methods a web server can use to negotiate credentials with a user's web browser. It uses encryption to send the password over the network which is safer than the Basic access authentication that sends plaintext.Technically digest...
- Integrated Windows AuthenticationIntegrated Windows AuthenticationIntegrated Windows Authentication is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems...
- UNC authentication
- .NET Passport Authentication (Removed in Windows Server 2008 and IIS 7.0)
- Certificate authentication
IIS 7.5 includes the following additional or enhanced security features:
- Client Certificate Mapping
- IP Security
- Request Filtering
- URL Authorization
Authentication changed slightly between IIS 6.0 and IIS 7, most notably in that the anonymous user which was named "IUSR_{machinename}" is a built-in account in Vista and future operating systems and named "IUSR". Notably, in IIS 7, each authentication mechanism is isolated into its own module and can be installed or uninstalled.
IIS Express
IIS Express, a lightweight version of IIS, is available as a standalone freeware server and may be installed on Windows XP with Service Pack 3 and subsequent versions of Microsoft Windows. IIS 7.5 Express supports only the HTTP and HTTPS protocols. IIS Express can be downloaded separately or as a part of Microsoft WebMatrix.Extensions
IIS releases new feature modules between major version releases to add new functionality. The following extensions are available for IIS 7.5:- FTP Publishing Service – Lets Web content creators publish content securely to IIS 7 Web servers with SSL-based authentication and data transfer.
- Administration Pack – Adds administration UI support for management features in IIS 7, including ASP.NET authorization, custom errors, FastCGI configuration, and request filtering.
- Application Request Routing – Provides a proxy-based routing module that forwards HTTP requests to content servers based on HTTP headers, server variables, and load balance algorithms.
- Database Manager – Allows easy management of local and remote databases from within IIS Manager.
- Media Services – Integrates a media delivery platform with IIS to manage and administer delivery of rich media and other Web content.
- URL Rewrite Module – Provides a rule-based rewriting mechanism for changing request URLs before they are processed by the Web server.
- WebDAV – Lets Web authors publish content securely to IIS 7 Web servers, and lets Web administrators and hosters manage WebDAVWebDAVWeb-based Distributed Authoring and Versioning is a set of methods based on the Hypertext Transfer Protocol that facilitates collaboration between users in editing and managing documents and files stored on World Wide Web servers...
settings using IIS 7 management and configuration tools. - Web Deployment Tool – Synchronizes IIS 6.0 and IIS 7 servers, migrates an IIS 6.0 server to IIS 7, and deploys Web applications to an IIS 7 server.
See also
IIS topics- IIS Metabase
- LogParserLogparserlogparser is a flexible command line utility that was initially written by Gabriele Giuseppini , a Microsoft employee, to automate tests for IIS logging. It was intended for use with the Windows operating system, and was included with the IIS 6.0 Resource Kit Tools...
- Microsoft Personal Web Server
- Windows Activation ServicesWindows Activation ServicesWindows Process Activation Service is the new process activation mechanism that ships with Internet Information Services v7.0....
Similar servers
- Comparison of web serversComparison of web servers-Overview:-Features:- Operating system support :...
- List of FTP server software
- List of mail servers
External links
- IIS.NET – The Official Microsoft IIS Site
- IIS 7.5 Product Page – Windows Server 2008 R2
- Security Guidance for IIS – Microsoft TechNet
- Microsoft Web Platform Installer – A free tool to install IIS and other components of the Microsoft Web Platform
- Microsoft WebsiteSpark Program – A program that offers IIS and other Microsoft Web Platform products at no upfront cost for 3 years