Core functions and services
IIS 6.0 has been redesigned around HTTP.sys, a kernel-mode HTTP listener. HTTP.sys provides built-in request and response caching and request queuing, and routes each request directly to the worker process that serves its application, which improves both reliability and performance.
IIS 6.0 introduces two operating modes for the application environment: worker process isolation mode and IIS 5.0 isolation mode. The default mode after installing IIS 6.0 depends on whether you perform a clean installation or an upgrade.
After a clean installation of IIS 6.0, IIS runs in worker process isolation mode.
After an upgrade from an earlier build of IIS 6.0, the isolation mode stays as it was configured in that earlier build.
After an upgrade from IIS 5.0 or IIS 4.0, IIS 6.0 runs in IIS 5.0 isolation mode by default, to preserve compatibility with existing applications.
For information about switching from one isolation mode to the other, see Configuring Isolation Modes.
Feature | IIS 5.0 | IIS 5.1 | IIS 6.0
Platform | Windows 2000 | Windows XP Professional | Windows Server 2003 family
Architecture | 32-bit | 32-bit | 32-bit and 64-bit
Application process model | TCP/IP kernel; dllhost.exe (multiple DLL hosts in medium or high application isolation mode) | TCP/IP kernel; dllhost.exe (multiple DLL hosts in medium or high application isolation mode) | HTTP.sys kernel; in IIS 5.0 isolation mode: inetinfo.exe (in-process applications) or dllhost.exe (out-of-process applications); in worker process isolation mode: w3wp.exe (multiple worker processes)
Metabase configuration | Binary | Binary | XML
Security | Windows authentication; SSL; Kerberos | Windows authentication; SSL; Kerberos; Security wizard | Windows authentication; SSL; Kerberos; Security wizard; Passport support
Remote administration | HTMLA | No HTMLA; Terminal Services | Remote Administration (HTML) tool; Terminal Services
Cluster support | IIS clustering | | Windows clustering
WWW service | Personal Web Manager on Windows 9x; IIS on Windows 2000 | IIS (optional component) on Windows XP Professional |
IIS 5.0 Isolation Mode
IIS 5.0 isolation mode manages application processes much as IIS 5.0 did: all in-process applications run inside inetinfo.exe, and each out-of-process application runs in its own DLL host. Some existing applications cannot run as several concurrent instances, or keep session state inside their own process, so they break when spread across multiple worker processes. Running in IIS 5.0 isolation mode therefore keeps most existing applications working. Figure (not reproduced): how application processes are handled in IIS 5.0 isolation mode.
Metabase configuration
The IIS 6.0 metabase is stored as an XML file instead of the binary format used by earlier versions. The way it is operated on (updated, rolled back, restored, and extended) has changed accordingly. Two files matter: MetaBase.xml holds the configuration and MBSchema.xml holds its schema.
For more information about the metabase, see About the metabase.
Management
In IIS 4.0, an application could run either in the same process as the Internet service or in a separate process. IIS 5.0 and 5.1 added the option of pooling applications in a shared out-of-process host to improve performance and scalability. For more information, see Applications. In IIS 6.0 worker process isolation mode, applications can be grouped into any number of application pools, each served by its own worker process or processes.
The Application Mappings property page lists the HTTP verbs that an application mapped to a particular file extension is allowed to handle. This list works differently from IIS 4.0: there the list named the verbs to exclude (the ones not handled), whereas IIS 5.0 and later name the verbs to include. The change accommodates new HTTP verbs as they are added to the protocol: a verb the mapping does not list is simply not passed to the handler, instead of being passed through by default. For more information about application mappings, see Setting application mappings.
Clustering is not a feature of IIS 6.0 (iissync.exe is no longer supported). Clustering is a feature of the Windows Server 2003 family. For more information about Microsoft Cluster Service (MSCS), see Help for the Windows Server 2003 family.
Compared with IIS 4.0, the location of the custom error files changed in IIS 5.0. For more information, see Enabling detailed custom error messages.
New custom error files have been added that report more detailed error information and cover errors related to new features. For a complete list of the available custom error messages, see About custom error messages.
Web-based Internet Services Manager (HTML) has been replaced by the Remote Administration (HTML) tool. To manage IIS remotely with it, see Remotely administering servers.
Programmatic administration
In earlier versions of IIS you could manage IIS programmatically through the Admin Base Objects (ABO) from compiled C++ applications, or through Active Directory Service Interfaces (ADSI) from C++ or scripts. IIS 6.0 adds a Windows Management Instrumentation (WMI) provider, which lets administrators control all services and applications programmatically. For more information, see Using the IIS WMI provider. For information about the new ADSI methods, see Metabase changes in IIS 6.0.
Active Server Pages
Starting with IIS 6.0, Microsoft Active Server Pages (ASP) can be used alongside Microsoft ASP.NET. For information about configuring IIS to run ASP.NET applications, see ASP.NET. For more information about ASP feature changes in IIS 6.0, see Important changes in ASP.
ASP hang detection
When a website is busy, the following can happen: the maximum number of ASP threads has been created, but some of them are hung, and performance degrades. IIS 6.0 addresses hung threads by recycling the worker process that hosts the ASP ISAPI extension (asp.dll) for the affected instance. When ASP in IIS 6.0 detects that its threads are hung, asp.dll calls the ISAPI server support function HSE_REQ_REPORT_UNHEALTHY; the WWW service then recycles the worker process hosting asp.dll and writes an entry to the event log.
For more information about ISAPI server support functions, see ServerSupportFunction in the ISAPI Extension Reference on MSDN Online.
Security
One of the most important changes in IIS 6.0 concerns web server security. To better protect against malicious users and attackers, IIS is not installed by default on members of the Microsoft Windows Server 2003 family.
In addition, when you first install IIS, the service is installed in a highly secure, locked-down state. By default IIS serves only static content; ASP, ASP.NET, server-side includes, WebDAV publishing, FrontPage Server Extensions and other features are disabled and must be enabled explicitly. If a feature has not been enabled after IIS is installed, requests that need it receive a 404 error. You enable dynamic content and these features through the Web Service Extensions node in IIS Manager. Likewise, if a file extension is not mapped to an application in IIS, IIS returns a 404 for requests to it. To map extensions, see Setting application mappings. For more information about resolving 404 errors (including 404.2, a request blocked by the Web service extension lockdown, and 404.3, a request blocked because the extension has no MIME type mapping), problems with new installations of IIS 6.0, or upgrades from earlier versions of IIS, see Troubleshooting.
The Web Server Certificate Wizard and the CTL Wizard let you synchronize web and NTFS security settings, obtain and install server certificates, and create and modify certificate trust lists (CTLs). You can also select the cryptographic service provider (CSP) to be used with a certificate. For more information, see Using the certificate wizards.
Other security changes in IIS 6.0 include the following:
Disabled on upgrade: when you upgrade to a member of the Windows Server 2003 family, the WWW service is disabled unless one of the following conditions is met:
You ran the IIS Lockdown Wizard on the Windows 2000 Server before starting the upgrade. The IIS Lockdown Wizard reduces the attack surface by disabling unnecessary features and lets you decide which features remain enabled for the site. The IIS Lockdown Wizard is part of the IIS Lockdown Tool.
If you use the WWW service, we strongly recommend running the IIS Lockdown Wizard on Windows 2000 Server before upgrading to a member of the Windows Server 2003 family. The IIS Lockdown Wizard disables or removes features that a Windows 2000 Server installation does not need, to protect the computer. Otherwise, those features remain on the computer after the upgrade and leave the server exposed to attack.
The registry key RetainW3SVCStatus exists under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC. Any value of any name with DWORD data placed under RetainW3SVCStatus satisfies this condition. For example, create HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\RetainW3SVCStatus\do_not_disable with DWORD data 1.
For unattended installations, the entry DisableWebServiceOnUpgrade = false is present in the unattended setup script.
Disabling IIS through Group Policy: on a Windows Server 2003 family member, a domain administrator can prevent IIS from being installed on computers in the domain.
Runs under a low-privilege account: IIS worker processes run in a user context with few access rights (by default the Network Service account). This greatly reduces the impact of a potential compromise.
Improved ASP security: all ASP built-in functions always run as IUSR_computername, an account with minimal access rights.
Restrictions on running executables: to run most executables in the system folder (such as cmd.exe), the caller must be a member of the Administrators group, LocalSystem, Interactive, or Service. This limits such execution to administrators and local or service accounts, so anonymous web users cannot run executables.
Patch management: administrators can install the latest security patches without interrupting service.
Known extensions: IIS serves only requests for files with known extensions. If the requested file's extension is not mapped to a known type (a MIME type or an application mapping), the server rejects the request.
Write protection for content: by default, anonymous users (running as IUSR_computername) are denied write access to web content.
Timeouts and limits: the IIS 6.0 defaults are conservative and enforced, which minimizes attacks that exploit overly generous timeouts and limits.
Upload size limits: administrators can limit the amount of data that can be uploaded to the server.
Buffer overflow protection: a worker process that detects a buffer overflow terminates itself at the point of detection.
File verification: IIS verifies that the requested content exists before passing the request to the request handler (ISAPI extension).
Index this resource: this permission is now enabled by default.
Script source access: this permission grants access to the source of ASP pages and other scripts. It is new and disabled by default, and it can only be used together with the Read or Write permission. Combined with Read it exposes script source (including any credentials embedded in it) to clients; combined with Write it lets clients modify scripts.
Sub-authentication: disabled by default in new installations of IIS 6.0. For more information, see "Using sub-authentication" under Anonymous authentication.
UNC authentication: in this version of IIS, UNC authentication checks whether UNC user credentials (UNCUserName and UNCPassword) have been configured for the resource before using them. For more information, see UNC authentication.
New policy: the "Prevent IIS installation" policy has been added to the Windows Server 2003 product family. It allows a domain administrator to control which computers in the domain can install IIS. For more information, see Group Policy in Windows Help.
Fortezza: support for this feature has been removed.
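The metabase layout, the allow-list application mappings, and several items in the list above (Web service extension lockdown, worker process identity, write protection, script source access, file verification) can all be checked offline from a copy of MetaBase.xml. The following Python script is an added example written for this page, not code from the original page or from Microsoft. The metabase excerpt it parses is constructed, and the attribute formats, the AppPoolIdentityType values, the WebSvcExtRestrictionList layout and the script-map flag bit it relies on are assumptions stated in the module docstring; confirm them against a real MetaBase.xml before relying on the output.

```python
"""Offline audit of an IIS 6.0 MetaBase.xml excerpt.

Added example, not from the original page or from Microsoft. The XML below is
constructed for illustration. Assumptions (check them against a real
MetaBase.xml before relying on this): multi-valued metabase strings are stored
in one attribute with entries separated by CR LF (&#xD;&#xA;); AccessFlags are
written as symbolic names; AppPoolIdentityType 0 is LocalSystem and 2 is
NetworkService; ScriptMaps entries are "ext,handler,flags,verb,verb,..." where
flag bit 4 means "verify the file exists before calling the handler"; and
WebSvcExtRestrictionList entries start with 1 (allowed) or 0 (prohibited).
"""
import xml.etree.ElementTree as ET

NL = "&#xD;&#xA;"  # CR LF entity pair separating entries of a multi-valued string
SCRIPTMAP_CHECK_PATH_INFO = 4  # assumed value of MD_SCRIPTMAPFLAG_CHECK_PATH_INFO
IDENTITY = {"0": "LocalSystem", "1": "LocalService", "2": "NetworkService", "3": "SpecificUser"}

# Constructed sample: one pool left on LocalSystem, one directory with Write and
# Script source access, ASP enabled but server-side includes still prohibited.
SAMPLE_METABASE = f"""<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_WEB01"
  ScriptMaps=".asp,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE{NL}.shtml,C:\\WINDOWS\\system32\\inetsrv\\ssinc.dll,1,GET,POST"
  WebSvcExtRestrictionList="0,*.dll{NL}0,*.exe{NL}1,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,0,ASP,Active Server Pages{NL}0,C:\\WINDOWS\\system32\\inetsrv\\ssinc.dll,0,SSINC,Server Side Includes">
</IIsWebService>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" AppPoolIdentityType="2">
</IIsApplicationPool>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0">
</IIsApplicationPool>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppPoolId="DefaultAppPool"
  AccessFlags="AccessRead | AccessScript" Path="C:\\Inetpub\\wwwroot">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/upload" AppPoolId="LegacyPool"
  AccessFlags="AccessRead | AccessWrite | AccessScript | AccessSource" Path="C:\\Inetpub\\upload">
</IIsWebVirtualDir>
</MBProperty>
</configuration>
"""


def _local(tag):
    """Strip the default namespace that ElementTree prefixes in braces."""
    return tag.rsplit("}", 1)[-1]


def _multi(value):
    """Split a multi-valued metabase string on CR LF, dropping empty entries."""
    return [v for v in value.split("\r\n") if v.strip()]


def load_nodes(xml_text):
    """Every metabase node is an element with a Location attribute; return (class, attrs) pairs."""
    root = ET.fromstring(xml_text)
    return [(_local(e.tag), dict(e.attrib)) for e in root.iter() if "Location" in e.attrib]


def audit(xml_text):
    """Collect the settings the IIS 6.0 security notes talk about."""
    result = {"system_pools": [], "risky_dirs": {}, "enabled_extensions": set(), "script_maps": {}}
    for cls, a in load_nodes(xml_text):
        if cls == "IIsApplicationPool" and IDENTITY.get(a.get("AppPoolIdentityType")) == "LocalSystem":
            result["system_pools"].append(a["Location"])          # not a low-privilege identity
        elif cls == "IIsWebVirtualDir":
            flags = {f.strip() for f in a.get("AccessFlags", "").split("|")}
            risky = sorted(flags & {"AccessWrite", "AccessSource"})  # write or script source access
            if risky:
                result["risky_dirs"][a["Location"]] = risky
        elif cls == "IIsWebService":
            for entry in _multi(a.get("WebSvcExtRestrictionList", "")):
                allowed, path = entry.split(",")[:2]
                if allowed == "1":
                    result["enabled_extensions"].add(path.lower())
            for entry in _multi(a.get("ScriptMaps", "")):
                ext, handler, flags, *verbs = entry.split(",")
                result["script_maps"][ext.lower()] = {
                    "handler": handler.lower(),
                    "verbs": verbs,                                   # the verb allow list
                    "checks_path": bool(int(flags) & SCRIPTMAP_CHECK_PATH_INFO),
                }
    return result


def request_outcome(result, filename, verb):
    """Predict how the locked-down default handles one request for dynamic content."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sm = result["script_maps"].get(ext)
    if sm is None:
        return "static: served only if the extension has a MIME type, otherwise 404"
    if sm["handler"] not in result["enabled_extensions"]:
        return f"404: handler {sm['handler']} is a prohibited Web service extension"
    if verb.upper() not in sm["verbs"]:
        return f"not handled by {sm['handler']}: verb {verb.upper()} is not in the mapping's allow list"
    return f"handled by {sm['handler']}"


if __name__ == "__main__":
    r = audit(SAMPLE_METABASE)
    print("Pools running as LocalSystem:", r["system_pools"])
    print("Dirs with Write or Script source access:", r["risky_dirs"])
    print("Mappings without file verification:", [e for e, m in r["script_maps"].items() if not m["checks_path"]])
    for f, v in [("default.asp", "GET"), ("default.asp", "PUT"), ("inc.shtml", "GET"), ("readme.txt", "GET")]:
        print(f"{v} {f}: {request_outcome(r, f, v)}")
```

Run it as-is to audit the embedded sample, or pass the contents of a backed-up MetaBase.xml to audit(). The request_outcome function models only the two rejections the text describes (handler not enabled as a Web service extension, extension or verb not mapped); it does not model NTFS permissions or the MIME map.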
Performance
To limit the memory consumed by ASP pages, IIS sets AspScriptFileCacheSize to 250 ASP pages and AspScriptEngineCacheMax to 125 script engines by default. On a site with many frequently requested ASP pages, raise AspScriptFileCacheSize: compiling an ASP page is much slower than retrieving it from the cache, so a larger cache improves performance. On a site with only a few frequently requested ASP pages, lower it to save memory.
IIS tool components
CDONTS: CDONTS has been removed from the Windows Server 2003 family. Web applications that use CDONTS can be converted to Microsoft Collaboration Data Objects (CDO). Most CDONTS methods have counterparts in CDO, although the names may differ. For more information about CDO in the Platform SDK, see the CDO overview on MSDN Online.
Tool components not installed: Ad Rotator, Browser Capabilities, Content Linker, Content Rotator, Counters, Logging Utility, MyInfo, Page Counter, Status, and Tools are not installed with IIS 6.0. If the web server is upgraded from an earlier version of IIS, these components are not removed. A copy of each component's DLL is available in the IIS 6.0 Resource Kit.
64-bit IIS on Windows Server 2003
On the 64-bit editions of Windows Server 2003, IIS runs as a 64-bit application, so 32-bit components cannot be loaded into the IIS process. For example, the Jet database engine has not been ported to 64-bit, so you cannot use ActiveX Data Objects (ADO) to open a Microsoft Access database from an ASP page. You can still use ADO with other providers, such as SQL Server and Exchange.