Some significant differences in IIS 5.1 and IIS 6.0

xiaoxiao2021-03-06  43

The core functions and services of IIS 6.0 have been redesigned to take advantage of the Windows kernel-mode driver http.sys. This gives IIS built-in response and request caching and queuing, and lets requests for an application be routed directly to worker processes, which improves reliability and performance.

IIS 6.0 introduces two operation modes for configuring an application environment: worker process isolation mode and IIS 5.0 isolation mode. When IIS 6.0 is installed, the default isolation mode depends on whether it is a new installation or an upgrade.

After a new installation of IIS 6.0, IIS runs in worker process isolation mode. After an upgrade from an earlier version of IIS 6.0, the isolation mode is the same as in the previously installed IIS 6.0 version. After an upgrade from IIS 5.0 or IIS 4.0, IIS 6.0 runs in IIS 5.0 isolation mode by default, which maintains compatibility with existing applications. For information on switching from one isolation mode to the other, see Configuring Isolation Mode.

Platform
  IIS 5.0: Windows 2000
  IIS 5.1: Windows XP Professional
  IIS 6.0: Windows Server 2003 family

Architecture
  IIS 5.0: 32-bit
  IIS 5.1: 32-bit and 64-bit
  IIS 6.0: 32-bit and 64-bit

Application process model
  IIS 5.0: TCP/IP kernel; DLLHOST.EXE (multiple DLL hosts in medium or high application isolation mode)
  IIS 5.1: TCP/IP kernel; DLLHOST.EXE (multiple DLL hosts in medium or high application isolation mode)
  IIS 6.0: http.sys kernel. When IIS runs in IIS 5.0 isolation mode: inetinfo.exe (for in-process applications) or DLLHOST.EXE (for out-of-process applications). When IIS runs in worker process isolation mode: W3WP.exe

Configuration database format
  IIS 5.0: Binary
  IIS 5.1: Binary
  IIS 6.0: XML

Security
  IIS 5.0: Windows authentication, SSL, Kerberos
  IIS 5.1: Windows authentication, SSL, Kerberos, Security Wizard
  IIS 6.0: Windows authentication, SSL, Kerberos, Security Wizard, Passport support

Remote management
  IIS 5.0: HTMLA
  IIS 5.1: No HTMLA; Terminal Services
  IIS 6.0: Remote Management Tool (HTML); Terminal Services

Cluster support
  IIS 5.0: IIS clustering
  IIS 5.1: Windows support
  IIS 6.0: Windows support

WWW service
  Windows 9x, IIS, (optional) IIS on Windows XP Professional

IIS 5.0 Isolation Mode

IIS 5.0 isolation mode manages application processes the way IIS 5.0 does: all in-process applications run inside inetinfo.exe, and out-of-process applications run in separate DLL hosts. Some existing applications may not be able to run, or to store session state, in worker process isolation mode. Running processes in IIS 5.0 isolation mode therefore ensures compatibility with most existing applications. The figure below shows how application processes are handled in IIS 5.0 isolation mode.

Configuration database

The IIS 6.0 configuration database (metabase) is stored in XML files rather than in the binary format of earlier versions. Its location is unchanged, but the way it is updated, rolled back, restored and extended has changed. There are now two important files rather than one: MetaBase.xml and MBSchema.xml.

For more information on the IIS configuration database, see About the configuration database.

Management

In IIS 4.0, an application could run in the same process as the Internet services or in a separate process. In IIS 5.0 and 5.1, applications can be divided into several pools to enhance performance and increase scalability. For more information, see About the application. In IIS 6.0 worker process isolation mode, applications can be combined into any number of application pools.

The Application Mappings property page contains a list of the Hypertext Transfer Protocol (HTTP) actions (verbs) that can be processed by an application mapped to a specific file type. This list differs from IIS 4.0, where the list contained the "excluded" or unprocessed actions. The change accommodates new HTTP actions as they are added to the protocol. For more information on application mapping, see Setting up application mapping.

Clustering (IISSYNCHE.EXE) is not a feature of IIS 6.0. Clustering is a feature of the Windows Server 2003 family. For information on Windows Clustering (MSCS), see the Help of the Windows Server 2003 family.

Compared to IIS 4.0, the location of the custom error files in IIS 5.0 has changed. For more information, see Enabling Detailed Custom Error Messages. New custom error files have been added to report more detailed error messages and errors related to new features. For a complete list of available custom error messages, see About Custom Error Messages.

The web-based Internet Service Manager (HTML) has been replaced by the web tool. To manage IIS remotely, see How to Remote Manage Server.

To manage IIS programmatically, use the Active Directory Service Interfaces (ADSI) from compiled C applications or from script files. IIS 6.0 also includes a Windows Management Instrumentation (WMI) provider; WMI allows administrators to control all services and applications programmatically. For more information, see Using the IIS WMI provider. For information on new ADSI methods, see Configuring Database Changes in IIS 6.0.

Active Server Pages

Starting with IIS 6.0, Microsoft Active Server Pages (ASP) can be used together with Microsoft ASP.NET. For information on configuring IIS to run ASP.NET applications, see ASP.NET. For information on the ASP functional changes in IIS 6.0, see Important Changes in the ASP.

ASP hang detection

When an IIS website is busy, the following can happen: the maximum number of ASP threads has been created and some of those threads hang, which reduces performance. IIS 6.0 addresses hung threads by recycling the worker process that hosts the affected instance of the ASP ISAPI extension (ASP.DLL). When ASP threads hang in IIS 6.0, ASP.DLL calls the ISAPI server support function HSE_REQ_REPORT_UNHEALTHY; the WWW service then recycles the worker process hosting ASP.DLL and creates an entry in the event log.

For more information about the ISAPI server support function, see ServerSupportFunction in the ISAPI Extension Reference on MSDN® Online.

One of the most important changes in IIS 6.0 involves the security of the web server. To give better protection against malicious users and attackers, IIS is not installed by default on members of the Microsoft® Windows® Server 2003 family. Moreover, when you first install IIS, the service is installed in a highly secure, "locked" mode. By default, IIS serves only static content: ASP, ASP.NET, server-side includes, WebDAV publishing and FrontPage® Server Extensions work only when enabled. If these features are not enabled after IIS is installed, IIS returns a 404 error for requests that need them. You can enable these features, and so serve dynamic content, through the Web Service Extensions node in IIS Manager. Similarly, if an application extension is not mapped in IIS, IIS returns a 404 error. To map extensions, see Setting the application mapping. For more information on how to resolve 404 errors (including 404.2 and 404.3) after a new installation of IIS 6.0 or an upgrade from an earlier version of IIS, see Troubleshooting.
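To see which locked-down features clients are actually requesting, the 404 sub-status can be read from the IIS logs: 404.2 is returned when lockdown policy blocks a Web service extension that is not enabled, and 404.3 when MIME map policy blocks an extension. The following is an added example, not part of the original article; it assumes W3C extended logging with the sc-substatus field enabled, the log lines are constructed, and the function names are hypothetical.

```python
from collections import Counter
import os

# Constructed sample of an IIS 6.0 W3C extended log (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem sc-status sc-substatus
2005-03-01 10:00:01 GET /index.htm 200 0
2005-03-01 10:00:02 GET /app/default.asp 404 2
2005-03-01 10:00:03 GET /app/report.aspx 404 2
2005-03-01 10:00:04 GET /files/data.xyz 404 3
2005-03-01 10:00:05 GET /missing.htm 404 0
2005-03-01 10:00:06 POST /app/default.asp 404 2
"""

# 404 sub-status codes produced by the IIS 6.0 lockdown defaults.
REASONS = {
    "2": "Web service extension not enabled (lockdown policy)",
    "3": "no MIME map for this extension (MIME map policy)",
}

def blocked_by_policy(log_text):
    """Count 404.2 / 404.3 responses per (sub-status, file extension)."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the field list can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") == "404" and row.get("sc-substatus") in REASONS:
            stem = row.get("cs-uri-stem", "")
            ext = os.path.splitext(stem)[1].lower() or "(none)"
            hits[(row["sc-substatus"], ext)] += 1
    return hits

def report(hits):
    """One line per blocked extension, lowest sub-status first."""
    return [f"404.{sub} {ext} x{n}: {REASONS[sub]}"
            for (sub, ext), n in sorted(hits.items())]

if __name__ == "__main__":
    print("\n".join(report(blocked_by_policy(SAMPLE_LOG))))
```

A plain 404.0 (file not found) is deliberately left out of the report, so the output lists only requests refused by the locked-down configuration.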

With the Web Server Certificate Wizard and the CTL Wizard, you can synchronize Web and NTFS security settings, obtain and install server certificates, and create and modify certificate trust lists. You can also select a cryptographic service provider (CSP) to encrypt data using certificates. For more information, see Using the Certificate Wizard.

Other security changes in IIS 6.0 include the following:

Disabled on upgrade: The World Wide Web Publishing Service (WWW service) is disabled on the Windows Server 2003 family after an upgrade unless one of the following conditions is met:

  Before starting the upgrade, you ran the IIS Lockdown Wizard on Windows 2000 Server. The IIS Lockdown Wizard reduces the attack surface by disabling unnecessary features, and it lets you confirm which features are enabled for the site. The IIS Lockdown Wizard is provided in the IIS LockDown Tool.

  Important: If you use the WWW service, it is strongly recommended that you run the IIS Lockdown Wizard on Windows 2000 Server before upgrading to a product in the Windows Server 2003 family. The IIS Lockdown Wizard protects your computer by disabling or deleting features that are not required in the Windows 2000 Server installation. Otherwise, these features remain on the computer after the upgrade and leave your server vulnerable.

  The registry key RetainW3SVCStatus has been added under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC. Under RetainW3SVCStatus you can add any value and give it a DWORD value. For example, you can create the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\RetainW3SVCStatus\Do_not_Disable with a DWORD value of 1.

  For unattended installations, the entry "DisableWebServiceOnUpgrade = false" is present in the unattended installation script.

Disable IIS through Group Policy: On members of the Windows Server 2003 family, domain administrators can prohibit users from installing IIS on their computers.

Run with a low-privilege account: IIS worker processes run in a user context with very few access rights. This greatly reduces the impact of potential attacks.

Improved ASP security: All ASP built-in functions always run as the account IUSR_ComputerName, which has very few access rights.

Restrictions on running executables: To run most of the executables in the system folder (such as cmd.exe), you must be a member of the Administrators group or the LocalSystem, Interactive or Service account. This restriction limits remote access to Administrators, so anonymous users cannot run executables.

Patch management: Administrators can install the latest security patches without interrupting services.

Known extensions: IIS serves requests only for files with a known file extension. If the file extension of the requested content is not mapped to a known extension, the server rejects the request.

Content write protection: By default, write access to web content is denied to anonymous users (running as the IUSR_ComputerName account).

Timeouts and limits: In IIS 6.0, the default settings are secure and aggressive, which minimizes attacks made possible by the previous timeouts and limits.

Upload data limit: Administrators can limit the amount of data that can be uploaded to the server.

Buffer overflow protection: The worker process detects buffer overflows and exits when one is detected.

File verification: IIS verifies the requested content before sending the request to the request handler (ISAPI extension).

Index Resources: This permission is now enabled by default.

Script resource access: This permission allows the source code of ASP pages and other scripts to be accessed, and is disabled by default. It is available when the "Read" or "Write" permission is selected.

Sub-authentication: In a newly installed IIS 6.0, it is no longer enabled by default. For more information, see the User Validation section in anonymous authentication.

UNC authentication: In this version of IIS, the UNC authentication method checks for user credentials. For more information, see UNC Authentication.

New policy: The "Prohibited Install IIS" policy has been added to the Windows Server 2003 product family. This policy lets domain administrators control which computers in the domain IIS can be installed on. For more information, see Group Policy in Windows Help.

FORTEZZA: Support for this feature has been removed.

Performance

To limit the amount of memory allocated to ASP pages, IIS sets the default value of AspScriptFileCacheSize to 250 ASP pages and the default value of AspScriptEngineCacheMax to 125 script engines. On sites with a large number of regularly requested ASP pages, you can set these higher. Because compiling an ASP page is much slower than retrieving it from the cache, this improves performance. On sites with only a small number of regularly requested ASP pages, you can save memory by setting this number lower.

IIS tool components

Windows NT Server Collaboration Data Objects (CDONTS): CDONTS has been removed from the Windows Server 2003 family. If your web applications use CDONTS, you can convert them to Microsoft Collaboration Data Objects (CDO). Most methods in CDONTS have a matching method in CDO, but the name may differ. For the Platform Software Development Kit (PSDK) reference, see Overview of CDO on MSDN Online.

IIS tool components are not installed: Ad Rotator, Browser Capabilities, Content Linker, Content Rotator, Counters, Logging Utility, My Info, Page Counter, Status and Tools are not installed with IIS 6.0. However, if your web server is upgraded from an earlier version of IIS, these tool components are not deleted. You can get a copy of the tool component DLL files from the IIS 6.0 Resource Toolkit.

IIS on the 64-bit Windows Server 2003 family

On the 64-bit Windows Server 2003 operating system, IIS runs as a 64-bit application. This means that 32-bit applications cannot be called from IIS on the 64-bit Windows Server 2003 operating system. For example, the Jet database engine will not be converted to a 64-bit application, so you cannot use ActiveX® Data Objects (ADO) to open a Microsoft Access database from an ASP page. However, ADO can still be used with other drivers such as SQL and Exchange.

Please cite the original address when reposting: https://www.9cbs.com/read-75064.html