Core functions and services
IIS 6.0 has been redesigned to take advantage of the Windows kernel-mode driver HTTP.sys. This gives IIS built-in response and request caching and queuing, and application process requests are routed directly to the worker process to improve reliability and performance.
IIS 6.0 introduces two operation modes for configuring the application environment: worker process isolation mode and IIS 5.0 isolation mode. When you install IIS 6.0, the default isolation mode depends on whether you are performing a new installation or an upgrade.
After a clean installation of IIS 6.0, IIS runs in worker process isolation mode.
After upgrading from an earlier version of IIS 6.0, the isolation mode is the same as that configured in the earlier version of IIS 6.0.
After upgrading from IIS 5.0 or IIS 4.0, IIS 6.0 runs in IIS 5.0 isolation mode by default to maintain compatibility with existing applications.
For information about switching from one isolation mode to another, see "Configure isolation mode".
IIS 5.0 Isolation Mode
IIS 5.0 isolation mode manages application processes in a way similar to process management in IIS 5.0: all in-process applications run inside Inetinfo.exe, and out-of-process applications run in a separate DLL host. Some existing applications may not be able to run concurrently or to store session state separately from the application. Running processes in IIS 5.0 isolation mode therefore ensures compatibility with most existing applications.
[Figure: how application processes are handled in IIS 5.0 isolation mode.]
Configuration database
The IIS 6.0 configuration database (the metabase) is stored in XML files instead of the binary file used in earlier versions. The way it is operated on (updating, rolling back, restoring, and extending) has changed. There are now two important files, not one: MetaBase.xml and MBSchema.xml.
For more information about the IIS configuration database, see "About database configuration".
Management
In IIS 4.0, an application can run either in the same process as the Internet services or in a separate process. In IIS 5.0 and 5.1, applications can be divided into several pooled processes to enhance performance and improve scalability. For more information, see "Application". In IIS 6.0 worker process isolation mode, applications can be grouped into any number of application pools.
The application mapping property page contains a list of Hypertext Transfer Protocol (HTTP) actions that can be processed by applications mapped to a specific file type. This action list differs from the one in IIS 4.0, where the list contained "excluded", or unprocessed, actions. The change accommodates new HTTP actions as they are added to the protocol.
For more information about application mappings, see "Set application mappings".
Clustering is not a feature of IIS 6.0 (iissynche.exe is not supported). Clustering is a feature of the Windows Server 2003 family.
For more information about Windows Cluster (MSC), see Help for the Windows Server 2003 family.
Compared with IIS 4.0, the location of the custom error file in IIS 5.0 has changed. For more information, see "Enable detailed custom error messages".
A new custom error file has been added to report more detailed error information and errors related to new features. For a complete list of available custom error messages, see "About custom error messages".
The web-based Internet Service Manager (HTML) has been replaced by web tools. For information about remote management of IIS using Internet Service Manager (HTML), see "How to remotely manage servers".
Manage by programming
In earlier versions of IIS, you could manage IIS programmatically by using Admin Base Objects (ABO) from compiled C++ applications, or by using Active Directory Service Interfaces (ADSI) from C++ or script files. IIS 6.0 includes a Windows Management Instrumentation (WMI) provider. WMI is a technology that allows administrators to programmatically control all services and applications. For more information, see "Use the IIS WMI provider". For information about the new ADSI methods, see "Configuration database changes in IIS 6.0".
Active Server Pages
Microsoft Active Server Pages (ASP) can work with Microsoft ASP.NET. For information about configuring IIS to run ASP.NET applications, see "ASP.NET". For information about ASP feature changes in IIS 6.0, see "Important changes in ASP".
ASP hang detection
When an IIS website is busy, the following situation can occur: the maximum number of ASP threads has been created while some ASP threads are hung, which degrades performance. In IIS 6.0, the thread hang problem can be resolved by recycling the worker process that hosts the specific instance of the ASP ISAPI extension (Asp.dll). When ASP threads hang in IIS 6.0, Asp.dll calls the ISAPI server support function HSE_REQ_REPORT_UNHEALTHY. The host worker process is then recycled, and an entry is created in the event log.
For more information about ISAPI server support functions, see "ServerSupportFunction".
Security
One of the most important changes in IIS 6.0 involves web server security. To better protect against attacks by malicious users and attackers, IIS is not installed by default on members of the Microsoft Windows Server 2003 family. In addition, when you first install IIS, the service is installed in a highly secure, locked mode. By default, IIS serves only static content; that is, features such as ASP, ASP.NET, server-side includes, WebDAV publishing, and FrontPage Server Extensions work only when enabled. If you do not enable these features after installing IIS, IIS returns a 404 error. To serve dynamic content, enable these features through the Web Service Extensions node. Similarly, if an application extension is not mapped in IIS, IIS returns a 404 error. To map extensions, see "Set application mappings". For more information about how to resolve these errors, see "Troubleshooting".
You can use the Web Server Certificate Wizard and the CTL Wizard to synchronize web and NTFS security settings, obtain and install server certificates, and create and modify certificate trust lists. You can also select a cryptographic service provider (CSP) to encrypt data using certificates.
For more information, see "Use the certificate wizard".
Other security changes in IIS 6.0 include the following:
Disabled on upgrade: the WWW service is disabled on upgrades to the Windows Server 2003 family unless any of the following conditions is met:
Before starting the upgrade process, you ran the IIS Lockdown Wizard on Windows 2000 Server. The IIS Lockdown Wizard reduces attack surface by disabling unnecessary features and lets you determine which features are enabled for the site. The IIS Lockdown Wizard is provided by the IIS Lockdown tool.
If you use the WWW service, we strongly recommend that you run the IIS Lockdown Wizard on the server. The IIS Lockdown Wizard disables or removes features that the Windows 2000 Server installation does not need, to protect the computer. Otherwise, these features remain on the computer after the upgrade, which leaves your server vulnerable to attack.
The registry key retainw3svcstatus has been added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC. Under retainw3svcstatus, you can add any value and assign it a DWORD value. For example, you can create the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\retainw3svcstatus\do_not_disable and set its DWORD value to 1.
For an unattended installation, the "disablewebserviceonupgrade = false" entry exists in the unattended installation script.
Disable IIS through group policy: with the Windows Server 2003 family, domain administrators can prevent IIS from being installed on their computers.
Run with a low-privilege account: IIS worker processes run in a user context with few access permissions. This greatly reduces the impact of potential attacks.
Improved ASP security: all ASP built-in functions always run as IUSR_computername, an account with minimal access permissions.
Restrictions on running executable files: to run most executable files in the system folder (such as cmd.exe), you must be a member of the Administrators group or the LocalSystem, Interactive, or Service account. Because of this restriction, anonymous users cannot run these executable files.
Patch management: administrators can install the latest security patches without interrupting service.
Known extensions: IIS serves requests only for files with known file extensions. If the file extension of the requested content is not mapped to a known extension, the server rejects the request.
Write protection of content: by default, anonymous users (running under the IUSR_computername account) are denied write access to web content.
Timeouts and limits: in IIS 6.0, the default settings are secure and aggressive, which minimizes attacks that rely on overly generous timeouts and limits.
Data upload restrictions: administrators can restrict the data that can be uploaded to the server.
Buffer overflow protection: worker processes detect buffer overflows and exit when one is detected.
File verification: IIS verifies that the requested content exists before passing the request to the request handler (ISAPI extension).
Index resource: this permission is now enabled by default.
Script source access: this permission allows access to the source code of ASP pages and other scripts. It is a new feature and is disabled by default. It is available when the "read" or "write" permission is selected.
Sub-authentication: in new installations of IIS 6.0, it is disabled by default. For more information, see "Use sub-authentication" in "Anonymous authentication".
UNC authentication: in this version of IIS, the UNC authentication method checks whether user credentials exist. For more information, see "UNC authentication".
New policy: the "Disable IIS installation" policy has been added to the Windows Server 2003 product family. This policy allows domain administrators to control which computers in the domain can have IIS installed. For more information, see the group policy topics in Windows Help.
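The two 404 cases described above (a dynamic-content feature that has not been enabled, and a file extension that is not mapped, as in "Known extensions") look the same to the client. The following is an added example, not part of the original page: it separates them in an IIS 6.0 W3C extended log by the sc-substatus field. The substatus meanings (404.2, 404.3) and the log layout are IIS 6.0 details not stated on this page, and the log lines are constructed sample data.

```python
# Added example: classify lockdown-related 404s in an IIS 6.0 W3C extended log.
from collections import Counter

# Meaning of sc-substatus for HTTP 404 as logged by IIS 6.0 (not from the page).
CAUSES = {
    "2": "web service extension not enabled (lockdown policy)",
    "3": "file extension not mapped (MIME map policy)",
}

# Constructed sample log; addresses, paths and times are illustrative only.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus sc-win32-status
2004-03-01 10:00:01 GET /default.htm 192.0.2.10 200 0 0
2004-03-01 10:00:05 GET /app/login.asp 192.0.2.10 404 2 1260
2004-03-01 10:00:09 GET /reports/data.xyz 192.0.2.11 404 3 50
2004-03-01 10:00:12 GET /missing.htm 192.0.2.11 404 0 2
2004-03-01 10:00:20 GET /app/login.asp 192.0.2.12 404 2 1260
"""

def classify_404s(log_text):
    """Return {(uri, cause): count} for 404s caused by the locked-down defaults."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue                       # other directives, blanks, headerless rows
        values = line.split()
        if len(values) != len(fields):
            continue                       # skip malformed or truncated rows
        row = dict(zip(fields, values))
        if row.get("sc-status") != "404":
            continue
        cause = CAUSES.get(row.get("sc-substatus", ""))
        if cause:                          # 404.0 is an ordinary missing file
            hits[(row["cs-uri-stem"], cause)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (uri, cause), n in sorted(classify_404s(SAMPLE_LOG).items()):
        print(f"{n:3d}  {uri}  ->  {cause}")
```

A run of 404.2 entries for .asp or .aspx paths after a fresh install points at a feature that still needs to be enabled, while 404.3 points at a missing mapping for that file extension.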