What's Changed (IIS 6.0)
There are some notable and important differences in default behavior and settings between IIS 4.0, IIS 5.0, IIS 5.1, and IIS 6.0.
The following table summarizes the important differences between versions of IIS.
Core Functionality and Services
IIS 6.0 has been redesigned to take advantage of the kernel-mode HTTP driver in Windows, HTTP.sys. This allows for built-in response and request caching and queuing, as well as the ability to route application process requests directly to the worker processes, which improves reliability and performance.
IIS 6.0 introduces two modes of operation in order to configure your application environments: worker process isolation mode and IIS 5.0 isolation mode. The default isolation mode upon installing IIS 6.0 depends on whether you perform a clean installation or an upgrade.
For information on switching from one isolation mode to the other, see Configuring Isolation Modes.
IIS 5.0 Isolation Mode
IIS 5.0 isolation mode manages application processes in a similar fashion to the process management in IIS 5.0: all in-process applications run inside Inetinfo.exe, and out-of-process applications run in separate DLL hosts. Some existing applications may not have been written to run concurrently, or to store session state separately from the application. Therefore, running processes in IIS 5.0 isolation mode ensures compatibility for most existing applications. The following illustration shows how application processes are handled in IIS 5.0 isolation mode.
Worker Process Isolation Mode
When configured to execute in worker process isolation mode, all application code runs in an isolated environment. This design removes some of the existing bottlenecks. Worker process isolation mode allows the administrator to isolate anything from an individual Web application to multiple sites in their own self-contained worker process. This prevents one application or site from stopping another. In addition, separating applications or sites into their own process space simplifies a number of management tasks, such as restarts (independent of all other sites or applications running on the system), changing a component used by the application, debugging, monitoring counters, throttling resources, and so forth. The following illustration shows how applications are managed by IIS in worker process isolation mode.
HTTP requests are routed to the correct application pool queue, which means that user mode worker processes serving an application pool pull the requests directly from the kernel and eliminate the unnecessary process hops encountered when sending a request to an out-of-process DLL host. In IIS 6.0, there is no longer the notion of in-process applications; all necessary HTTP application run-time services, such as ISAPI extension support, are equally available in any application pool. This design prevents a malfunctioning HTTP application or Web site from disrupting other HTTP applications (or other Web sites) served from other processes on that computer. Unloading components becomes easier because with isolated application processes, the process can, if necessary, be terminated to unload all resources, with no effect on other content or applications being served from other processes. It is also beneficial to be able to leverage other operating system services available at the process level (for example CPU throttling), per application pool.
Furthermore, critical portions of worker process isolation mode that maintain the overall functioning of World Wide Web Publishing Service (WWW service) run entirely outside of the worker processes. The IIS 6.0 kernel-mode driver, HTTP.sys, which is the universal HTTP processor for Windows, and the WWW Service Administration and Monitoring component isolate the critical portions of the core Web server. Both of these components are protected and do not allow third-party code to be loaded into them. This design prevents a malfunctioning HTTP application from disrupting WWW services on the server.
For more information on isolation modes, see Application Isolation Modes.
The metabase for IIS 6.0 is stored in an XML file instead of in binary format as it was in earlier versions of IIS. The location remains the same, but the ways it can be manipulated -- updated, rolled back, restored, and extended -- have changed. There are two significant files instead of one: MetaBase.xml and MBSchema.xml.
In previous versions of IIS, programmatic administration of IIS was possible with Admin Base Objects (ABO) from compiled C++ applications, or with Active Directory Services Interfaces (ADSI) from C++ or script files. IIS 6.0 includes a provider for Windows Management Instrumentation (WMI), a technology that allows administrators to control all services and applications programmatically. For more information about WMI, see "IIS Administration Technologies" in the IIS Software Development Kit (SDK) on MSDN.
Active Server Pages
Beginning with IIS 6.0, Microsoft Active Server Pages (ASP) can be used along with Microsoft ASP.NET. For information on configuring IIS to run ASP.NET applications, see About ASP.NET. For news on changes to ASP functionality in IIS 6.0, see Important Changes in ASP.
Because the worker process, W3wp.exe, runs as the Network Service account in IIS 6.0 worker process isolation mode, you must configure Launch and Access permissions to enable ASP debugging for Script Debugger and Visual InterDev. For more information, see Enabling ASP Debugging.
ASP Hang Detection
When an IIS Web site is busy, there may be instances when the maximum number of ASP threads has been spawned and some of the ASP threads are hung, resulting in degraded performance. IIS 6.0 has the ability to solve the problem of hung threads by recycling the worker process that hosts that particular instance of the ASP ISAPI extension, ASP.dll. When ASP threads are hung in IIS 6.0, ASP.dll calls the ISAPI server support function HSE_REQ_REPORT_UNHEALTHY, and the WWW service recycles the worker process that hosts ASP.dll and makes an entry in the event log.
For more information on ISAPI server support functions, see ServerSupportFunction in the ISAPI Extension Reference at MSDN® Online.
One of the most important changes in IIS 6.0 addresses Web server security. In order to take a more proactive stance against malicious users and attackers, IIS is not installed by default on members of the Microsoft Windows Server 2003 family.
To help minimize the attack surface of the server, IIS 6.0 is not installed on Windows Server 2003 by default. When you first install IIS 6.0, it is locked down -- which means that only request handling for static Web pages is enabled, and only the World Wide Web Publishing Service (WWW service) is installed. None of the features that sit on top of IIS are turned on, including ASP, ASP.NET, CGI scripting, FrontPage® 2002 Server Extensions from Microsoft, and WebDAV publishing. If you do not enable these features, IIS returns a 404 error. You can enable these features through the Web Service Extensions node in IIS Manager. For more information about how to troubleshoot 404 errors and other issues, see Troubleshooting in IIS 6.0.
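Added example (not part of the original topic): when troubleshooting the 404 errors described above, the sc-substatus field of the IIS 6.0 W3C extended log separates a genuinely missing file from a request refused by the locked-down defaults. The sub-status meanings (404.2 for a Web service extension that is not enabled, 404.3 for a file name extension with no MIME map) come from the IIS 6.0 status-code documentation rather than from this page, and the log lines are constructed.

```python
from collections import Counter
import posixpath

# Sub-status meanings as documented for IIS 6.0 (assumption: not stated on this page).
REASONS = {
    "0": "not found",
    "2": "Web service extension not enabled",
    "3": "no MIME map for file name extension",
}

# Constructed sample in W3C extended log format; addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2004-03-01 10:15:02 GET /default.htm 198.51.100.7 200 0
2004-03-01 10:15:09 GET /app/login.asp 198.51.100.7 404 2
2004-03-01 10:15:11 GET /missing.htm 198.51.100.7 404 0
2004-03-01 10:16:40 GET /scripts/tool.exe 203.0.113.9 404 2
2004-03-01 10:16:41 GET /app/report.ASP 203.0.113.9 404 2
2004-03-01 10:17:05 GET /include/db.inc 203.0.113.9 404 3
#Fields: date time cs-uri-stem sc-status
2004-03-01 10:20:00 /old/page.htm 404
"""


def classify_404s(log_text):
    """Return {reason: Counter(file name extension -> hits)} for 404 responses."""
    fields, result = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "404":
            continue
        sub = row.get("sc-substatus")
        reason = REASONS.get(sub, "sub-status %s" % (sub or "not logged"))
        ext = posixpath.splitext(row.get("cs-uri-stem", ""))[1].lower() or "(none)"
        result.setdefault(reason, Counter())[ext] += 1
    return result


if __name__ == "__main__":
    for reason, exts in classify_404s(SAMPLE_LOG).items():
        print(reason, dict(exts))
```

A cluster of 404.2 responses for one file name extension usually means an application needs a feature enabled in the Web Service Extensions node; the same responses spread across many unrelated extensions from one client are worth reviewing as probing.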
With the Web Server Certificate Wizard and the CTL Wizard, you can synchronize Web and NTFS security settings, obtain and install server certificates, and create and modify certificate trust lists. You can also select a cryptographic service provider (CSP) for encrypting data with a certificate.
Other security changes in IIS 6.0 include the following:
If you use the WWW service, we strongly recommend that you run the IIS Lockdown Wizard on your Windows 2000 Server before upgrading to a product in the Windows Server 2003 family. The IIS Lockdown Wizard will help secure your computer by disabling or removing unnecessary features that are present in your Windows 2000 Server installation. These features would otherwise have remained on your machine after upgrading, leaving your server vulnerable to attacks.
The word extensions has two meanings: either Web service extensions that enable pages to serve dynamic content, for example, .asp or .aspx; or file name extensions, which indicate the file type, such as .exe, .txt, or .inc.
To limit the amount of memory allocated to ASP pages, IIS has set the default value of the AspScriptFileCacheSize Metabase Property to 250 ASP pages, and the default value of the AspScriptEngineCacheMax Metabase Property to 125 script engines. The AspScriptFileCacheSize property can be set higher on sites with a large set of frequently requested ASP pages. This improves performance because ASP page compilation is substantially slower than retrieving pages from cache. On a site with only a small number of frequently requested ASP pages, memory can be saved by setting this number to a smaller value.
IIS Utility Components
IIS on 64-bit Versions of the Windows Server 2003 Family
On the 64-bit versions of the Windows Server 2003 family of operating systems, IIS runs as a 64-bit application. This means that 32-bit applications cannot be called from IIS on the 64-bit versions of the Windows Server 2003 family of operating systems. For example, the Jet database engine will not convert to a 64-bit application, so you cannot use ActiveX® Data Objects (ADO) to open a Microsoft Access database from an ASP page. However, you can still use ADO to access other drivers, like SQL and Exchange.