Internet Information Services

From Wikipedia, the free encyclopedia - View original article

Internet Information Services
IIS 8.5.9431 management console.png
Screenshot of IIS Manager console of Internet Information Services 8.5
Developer(s)Microsoft
Stable release8.5 / 9 September 2013; 13 months ago (2013-09-09)
Development statusActive
Written inC++[1]
Operating systemWindows NT
Available inSame languages as Windows
TypeWeb server
LicensePart of Windows NT (same license)
Websiteiis.net
 
Jump to: navigation, search
Internet Information Services
IIS 8.5.9431 management console.png
Screenshot of IIS Manager console of Internet Information Services 8.5
Developer(s)Microsoft
Stable release8.5 / 9 September 2013; 13 months ago (2013-09-09)
Development statusActive
Written inC++[1]
Operating systemWindows NT
Available inSame languages as Windows
TypeWeb server
LicensePart of Windows NT (same license)
Websiteiis.net

Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created by Microsoft for use with Windows NT family.[2] IIS supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some editions (e.g. Windows XP Home edition). IIS is not turned on by default when Windows is installed. The IIS Manager is accessed through the Microsoft Management Console or Administrative Tools in the Control Panel.

History[edit]

The first Microsoft web server was a research project at the European Microsoft Windows NT Academic Centre (EMWAC), part of the University of Edinburgh in Scotland, and was distributed as freeware.[3] However, since the EMWAC server was unable to scale to handle the volume of traffic going to Microsoft.com, Microsoft was forced to develop its own web server, IIS.[4]

Almost every version of IIS was released either alongside or with a version of Microsoft Windows:

All versions of IIS prior to 7.0 running on client operating systems supported only 10 simultaneous connections and a single website.

Microsoft was criticized by vendors of other Web server software, including O'Reilly & Associates and Netscape Communications Corp., for its licensing of early versions of Windows NT; the "Workstation" edition of the OS permitted only ten simultaneous TCP/IP connections, whereas the more expensive "Server" edition, which otherwise had few additional features, permitted unlimited connections but bundled IIS. It was inferred that this was intended to discourage consumers from running alternative Web server packages on the cheaper edition.[11] Netscape wrote an open letter to the Antitrust Division of the U.S. Department of Justice regarding this distinction in product licensing, which it asserted had no technical merit.[12]

Features[edit]

IIS 6.0 and higher support the following authentication mechanisms:[13]

IIS 7.0 has a modular architecture. Modules, also called extensions, can be added or removed individually so that only modules required for specific functionality have to be installed. IIS 7 includes native modules as part of the full installation. These modules are individual features that the server uses to process requests and include the following:[15]

IIS 7.5 includes the following additional or enhanced security features:[16]

Authentication changed slightly between IIS 6.0 and IIS 7, most notably in that the anonymous user which was named "IUSR_{machinename}" is a built-in account in Vista and future operating systems and named "IUSR". Notably, in IIS 7, each authentication mechanism is isolated into its own module and can be installed or uninstalled.[14]

IIS 8.0 offers new features targeted at performance and easier administration. The new features are:

IIS 8.5 has several improvements related to performance in large-scale scenarios, such as those used by commercial hosting providers and Microsoft's own cloud offerings. It also has several added features related to logging and troubleshooting. The new features are:

IIS Express[edit]

IIS Express, a lightweight version of IIS, is available as a standalone freeware server and may be installed on Windows XP with Service Pack 3 and subsequent versions of Microsoft Windows. IIS 7.5 Express supports only the HTTP and HTTPS protocols.[30] IIS Express can be downloaded separately[31] or as a part of WebMatrix.[32]

Extensions[edit]

IIS releases new feature modules between major version releases to add new functionality. The following extensions are available for IIS 7.5:

Usage[edit]

According to Netcraft, on 13 February 2014, IIS is the second most popular web server in the world, behind Apache HTTP Server with a market share of 32.80%. It shows an increase of 3.38% in comparison to the previous month. Netcraft shows a rising trend in market share for IIS, since 2012.[41] A day later, however, the W3Techs shows different results. According to W3Techs, IIS is the third most used web server behind Apache HTTP Server (1st place) and Nginx. Furthermore, it shows a consistently falling trend for IIS use since February 2013.[42]

Security[edit]

IIS 4 and IIS 5 were affected by the CA-2001-13 security vulnerability which led to the infamous Code Red attack;[43] however, both versions 6.0 and 7.0 have no reported issues with this specific vulnerability.[44][45] In IIS 6.0 Microsoft opted to change the behaviour of pre-installed ISAPI handlers,[46] many of which were culprits in the vulnerabilities of 4.0 and 5.0, thus reducing the attack surface of IIS. In addition, IIS 6.0 added a feature called "Web Service Extensions" that prevents IIS from launching any program without explicit permission by an administrator.

By default IIS 5.1 and lower run websites in-process under the SYSTEM account,[47] a default Windows account with 'superuser' rights. Under 6.0 all request handling processes have been brought under a Network Services account with significantly fewer privileges so that should there be a vulnerability in a feature or in custom code it won't necessarily compromise the entire system given the sandboxed environment these worker processes run in.[48] IIS 6.0 also contained a new kernel HTTP stack (http.sys) with a stricter HTTP request parser and response cache for both static and dynamic content.[49]

According to Secunia, as of June 2011, IIS 7 had a total of 6 resolved vulnerabilities while[45] IIS 6 had a total of 11 vulnerabilities out of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.[44]

In June 2007, a Google study of 80 million domains concluded that while the IIS market share was 23% at the time, IIS servers hosted 49% of the world's malware, the same as Apache servers whose market share was 66%. The study also observed the geographical location of these dirty servers and suggested that the cause of this could be the use of pirated copies of Windows that could not obtain security updates from Microsoft.[50] In a blog post on 28 April 2009, Microsoft noted that it supplies security updates to everyone without genuine verification.[51][52]

The 2013 mass surveillance disclosures made it more widely known that IIS is particularly bad in supporting perfect forward secrecy (PFS), especially when used in conjunction with Internet Explorer. Possessing one of the long term asymmetric secret keys used to establish a HTTPS session should not make it easier to derive the short term session key to then decrypt the conversation, even at a later time. Diffie–Hellman key exchange (DHE) and Elliptic curve Diffie–Hellman key exchange (ECDHE) are in 2013 the only ones known to have that property. Only 30% of Firefox, Opera, and Chromium Browser sessions use it, and nearly 0% of Apple's Safari and Microsoft Internet Explorer sessions.[53]

See also[edit]

References[edit]

  1. ^ Lextrait, Vincent (February 2010). "The Programming Languages Beacon, v10.0". Retrieved 12 February 2010. 
  2. ^ "Running IIS 6.0 as an Application Server (IIS 6.0)". TechNet. Microsoft. 
  3. ^ "Windows NT Internet Servers". Microsoft. 10 July 2002. Retrieved 26 May 2008. 
  4. ^ Kramer, Dave (24 December 1999). "A Brief History of Microsoft on the Web". Microsoft. 
  5. ^ "Microsoft ASP.NET 2.0 Next Stop on Microsoft Web Development Roadmap". 
  6. ^ "Chapter 1 - Overview of Internet Information Services 5.0". Retrieved 25 October 2010. 
  7. ^ "Chapter 2 - Managing the Migration Process". Retrieved 27 June 2012. 
  8. ^ "What's New In IIS 6.0?". Retrieved 25 November 2010. 
  9. ^ "IIS 7.0: Explore The Web Server For Windows Vista and Beyond". Retrieved 25 November 2010. 
  10. ^ "What's New in Web Server (IIS) Role in Windows 2008 R2". Retrieved 25 November 2010. 
  11. ^ "Netscape goes to jail, does not collect $200". InfoWorld. Retrieved 12 April 2014. 
  12. ^ "Differences Between NT Server and Workstation Are Minimal". O'Reilly Media. Retrieved 12 April 2014. 
  13. ^ "Authentication Methods Supported in IIS 6.0 (IIS 6.0)". IIS 6.0 Documentation. Microsoft. Retrieved 13 July 2011. 
  14. ^ a b "Changes Between IIS 6.0 and IIS 7 Security". iis.net. Microsoft. 7 February 2010. Retrieved 13 July 2011. 
  15. ^ Templin, Reagan (11 August 2010). "Introduction to IIS 7 Architecture". iis.net. Microsoft. IIS 7 Modules. Retrieved 16 July 2011. 
  16. ^ "Available Web Server (IIS) Role Services in IIS 7.5". Microsoft TechNet. Microsoft. Retrieved 13 July 2011. 
  17. ^ a b Eagan, Shaun (29 February 2012). "IIS 8.0 Application Initialization". IIS Blog. Microsoft. Retrieved 19 September 2013. 
  18. ^ Yoo, Won (29 February 2012). "IIS 8.0 ASP.net configuration management". IIS Blog. Microsoft. Retrieved 19 September 2013. 
  19. ^ Eagan, Shaun (29 February 2012). "IIS 8.0 Centralized SSL certificate support". IIS Blog. Microsoft. Retrieved 19 September 2013. 
  20. ^ McMurray, Robert (29 February 2012). "IIS 8.0 Multicore Scaling on NUMA Hardware". IIS Blog. Microsoft. Retrieved 19 September 2013. 
  21. ^ "IIS 8.0 WebSocket protocol support". IIS Blog. Microsoft. 28 November 2012. Retrieved 19 September 2013. 
  22. ^ Eagan, Shaun (29 February 2012). "IIS 8.0 Server Name Indication". IIS Blog. Microsoft. Retrieved 19 September 2013. 
  23. ^ McMurray, Robert (29 February 2012). "IIS 8.0 Dynamic IP Address Restrictions". IIS Blog. Microsoft. Retrieved 19 September 2013. 
  24. ^ Eagan, Shaun (29 February 2012). "IIS 8.0 CPU Throttling". IIS Blog. Microsoft. Retrieved 19 September 2013. 
  25. ^ Benari, Erez (26 June 2013). "Idle Worker-process Page Out". IIS Blog. Microsoft. Retrieved 18 September 2013. 
  26. ^ Benari, Erez (3 July 2013). "Dynamic Site Activation". IIS Blog. Microsoft. Retrieved 18 September 2013. 
  27. ^ Benari, Erez (10 July 2013). "Enhanced Logging". IIS Blog. Microsoft. Retrieved 18 September 2013. 
  28. ^ Benari, Erez (15 July 2013). "ETW Logging". IIS Blog. Microsoft. Retrieved 18 September 2013. 
  29. ^ Benari, Erez (3 September 2013). "Automatic Certificate rebind". IIS Blog. Microsoft. Retrieved 18 September 2013. 
  30. ^ "IIS Express FAQ". iis.net. Microsoft. 14 January 2011. Retrieved 27 January 2011. 
  31. ^ "Internet Information Services (IIS) 7.5 Express". Download Center. Microsoft. 10 January 2011. Retrieved 27 January 2011. 
  32. ^ "IIS Express Overview". iis.net. Microsoft. 14 January 2011. Retrieved 27 January 2011. 
  33. ^ "FTP Publishing Service". iis.net. Microsoft. Retrieved 17 July 2011. 
  34. ^ "Administration Pack". iis.net. Microsoft. Retrieved 17 July 2011. 
  35. ^ "Application Request Routing". iis.net. Microsoft. Retrieved 17 July 2011. 
  36. ^ "Database Manager". iis.net. Microsoft. Retrieved 17 July 2011. 
  37. ^ "IIS Media Services". iis.net. Microsoft. Retrieved 30 July 2011. 
  38. ^ "URL Rewrite". iis.net. Microsoft. Retrieved 17 July 2011. 
  39. ^ "WebDAV Extension". iis.net. Microsoft. Retrieved 17 July 2011. 
  40. ^ "Web Deploy 2.0". iis.net. Microsoft. Retrieved 17 July 2011. 
  41. ^ "February 2014 Web Server Survey". news.netcraft.com. Netcraft. 13 February 2014. 
  42. ^ "Usage statistics and market share of Microsoft-IIS for websites". w3techs. Q-Success. Archived from the original on 8 February 2014. 
  43. ^ "CA-2001-13 Buffer Overflow In IIS Indexing Service DLL". CERT® Advisory. Computer emergency response team. 17 January 2002. Retrieved 1 July 2011. 
  44. ^ a b "Vulnerability Report: Microsoft Internet Information Services (IIS) 6". Secunia. Secunia ApS. Retrieved 1 July 2011. 
  45. ^ a b "Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x". Secunia. Secunia ApS. Retrieved 1 July 2011. 
  46. ^ "IIS Installs in a Locked-Down Mode (IIS 6.0)". Microsoft Developer Network (MSDN). Microsoft. Retrieved 1 July 2011. 
  47. ^ "How To: Run Applications Not in the Context of the System Account in IIS (Revision 5.t Corporation". 7 July 2008. Retrieved 20 July 2007. 
  48. ^ Henrickson, Hethe; Hofmann, Scott R. (2003). "Chapter 15: ASP.NET Web Services". IIS 6: the complete reference. New York City: McGraw-Hill Professional. p. 482. ISBN 978-0-07-222495-5. Retrieved 12 July 2011. 
  49. ^ Henrickson, Hethe; Hofmann, Scott R. (2003). "Chapter 1: IIS Fundamentals". IIS 6: the complete reference. New York City: McGraw-Hill Professional. p. 17. ISBN 978-0-07-222495-5. Retrieved 12 July 2011. 
  50. ^ "Web Server Software and Malware". 
  51. ^ "Windows Pirates Encouraged to Install Security Updates". USA Today. February 2010. Retrieved 18 July 2011. 
  52. ^ Cooke, Paul (27 April 2009). "Who Gets Windows Security Updates?". Windows Security Blog. Microsoft. Retrieved 18 July 2011. 
  53. ^ SSL: Intercepted today, decrypted tomorrow, Netcraft, 25 June 2013.

External links[edit]