Introduction to IIS 7


What’s new and Features in IIS 7

Windows Server 2008 featuring Internet Information Services 7.0 (IIS7) is a powerful Web application and services platform that delivers rich Web-based experiences. It offers improved administration and diagnostic tools to help achieve lower infrastructure costs on a variety of popular development platforms. With improved reliability and scalability, IT professionals and developers can manage the most demanding Web serving environments, from a single Web server to a large Web farm.

IIS7 is a major upgrade of IIS, and will ship in both Windows Vista and Windows 2008 Server. It includes a ton of new functionality, including some very rich integration with ASP.NET. The main features of IIS 7 are as follows:

1. IIS7 is faster and more efficient than any other earlier version of IIS.

2. With IIS7 you can manage whole Web farms from one place.

3. IIS7 allows you to delegate management workload with site owners. Site owners can also remotely manage their sites and applications over HTTPS from Windows Vista, Windows XP, Windows Server 2003, and Windows Server 2008. IIS7's XCopy deployment model even allows you to deploy applications preconfigured!

4. IIS7 is much more flexible and customizable than before, allowing you to fine tune the server (including server core!) to minimize security footprint and downtime due to patching.

5. You can save loads of time by automating more tasks with the interface that is right for you.

6. If you do run into issues, IIS7 makes it easy to resolve site issues faster, minimizing downtime due to that boneheaded developer on your staff.

7. IIS7 includes built-in support for PHP, making it the best Web server for both Open Source languages and .NET. Why would you want to deploy, manage, patch and troubleshoot that Linux+Apache server to support those PHP apps, when you can just use Windows!?

8. IIS7 makes it easy to publish content securely over FTP/SSL or WebDAV!

9. Windows and IIS7 are cheaper than ever with the new Windows Web 2008 product. This version of Windows is super inexpensive and supports all the great features of IIS, SharePoint, SQL, Windows Media server and more for Internet facing sites!

10. And as if that isn't enough, IIS7 is getting better every day with new IIS7 Extensions like built-in progressive streaming and playlist support for media content, URL Rewrite capabilities, integrated database management, PowerShell support, and much, much more.


11. The ability to now have HttpModules and HttpHandlers participate in all requests to a server. You no longer need to map requests to the ASP.NET ISAPI in order to write managed modules that participate in requests. This makes building modules for flexible authentication, authorization, logging, url-rewriting, auditing, etc. super easy with .NET. You could even now have an ASP.NET HttpModule provide forms-authentication to a PHP or JSP page (in addition to .htm files and static files like images and movies).

12. Integration of the ASP.NET configuration system with IIS. IIS now uses the same web.config configuration model as ASP.NET, which means you can have both ASP.NET and IIS configuration settings in the same file together. You can now set things like default pages, IIS security, logging, etc. within a web.config file and xcopy/ftp it to a server. This should simplify deployment and installation of applications considerably. It also enables "delegated administration" for hosting scenarios -- where a hoster provides the application developer the ability to configure certain settings in their web.config file without requiring full admin privileges.

13. An integrated Admin UI tool that manages both IIS and ASP.NET settings together. Included within this rich GUI is support for things like the Membership, Roles and Profile providers (so you can create/delete users directly within the GUI tool -- regardless of what provider is configured). The admin tool also supports remote delegated admin over http -- which means you can point the rich-client admin tool at a shared hoster server and manage your users/roles/profile settings remotely over http (which is pretty cool).

14. Much better request auditing and error debugging. We have a new feature we call "Failed Request Event Buffering" (affectionately known as "FREB"), which allows administrators to configure applications to automatically save request information anytime an error occurs during a request, or if a request takes longer than a specified amount of time to complete (note: if the request completes ok this information can then be just thrown away -- and so doesn't fill up your disk log). This allows you to easily go in after the fact and see what exactly happened during a request that failed, as well as analyze any error exceptions. This can even capture tracing messages generated within ASP.NET or within any component or class library that uses System.Diagnostics -- which makes it much easier for developers and admins to instrument and analyze what is going on with systems at runtime.

15. Much better configuration APIs and command-line tools. In addition to new config and admin APIs (including a nifty one that you can use to get a listing of all "active" requests being processed by the server -- as well as what state they are in), we now have a great command-line admin story that you can use to set/modify/retrieve all configuration information as well as manage the server (start/stop individual apps, lookup their health state, register new apps, refresh SSL certs, etc). The command-line tool and APIs are also extensible, so you can plug in your own providers and extensions to them.

16. In IIS 7.0 we have unified the IIS and ASP.NET models to produce a new robust pipeline that does the best of what both older models did. IIS still supports all the old authentication protocols but also now supports forms authentication, which can protect all content types and does not rely on Windows accounts. In addition to supporting all the old features you have come to know and love, we have also enhanced some of them, such as the anonymous authentication feature.


17. In IIS 7.0, you have two authorization solutions. The first is to use the ASP.NET authorization model. This method requires defining all your authorization rules in the <system.web> configuration and requires zero changes for applications that already have rules written for ASP.NET. The second model is to move to the new IIS 7.0 authorization architecture. This model is very similar to ASP.NET's model with some minor changes:

18. Forms authentication has been part of ASP.NET and allows both Windows and non-Windows identities to authenticate themselves and get a user object that applications can later use. IIS 7 now fully supports forms authentication and can be configured to protect access to all content types.

19. In IIS 7.0, the Web Service Extension Restriction List feature has been slightly modified so that its name now reads "isapiCgiRestrictionList" -- but otherwise it acts and behaves as it did in IIS 6.0. The reason for this change was to stress its true usage. In IIS 6.0 this feature was added to ensure rogue ISAPI or CGI binaries could not be copied to your IIS servers and then be allowed to execute.

20. IP Restrictions works in exactly the same manner as it did in the past, except we now support a new property called "allowUnlisted". This property was added to make it easier to configure security policies for your system at a global level. For example, a policy that allowed only certain IP addresses and rejected all others that are not listed was not very easy to configure in the past. Similarly, rejecting only a given set of IP addresses and allowing all that are not listed can easily be done now. As a server administrator you can set a global policy and then lock this value so it cannot be changed on your server by application or site administrators.
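A configuration audit for the allowUnlisted policy described in item 20, as an added example that is not part of the original document or of IIS itself. It assumes the IIS 7.0 `<ipSecurity>` section layout with `lockAttributes`, that an omitted `allowUnlisted` means "allow", and that a `<location>` inherits the root section's value and entries; the addresses and site paths are constructed.

```python
import xml.etree.ElementTree as ET

SECTION = "system.webServer/security/ipSecurity"
# Constructed sample: documentation-range addresses and hypothetical site paths.
SAMPLE_CONFIG = """
<configuration>
  <system.webServer><security>
    <ipSecurity allowUnlisted="false" lockAttributes="allowUnlisted">
      <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
    </ipSecurity>
  </security></system.webServer>
  <location path="Default Web Site/partner">
    <system.webServer><security>
      <ipSecurity allowUnlisted="true">
        <add ipAddress="203.0.113.7" allowed="false" />
      </ipSecurity>
    </security></system.webServer>
  </location>
  <location path="Default Web Site/reports">
    <system.webServer><security>
      <ipSecurity>
        <add ipAddress="203.0.113.50" allowed="true" />
      </ipSecurity>
    </security></system.webServer>
  </location>
</configuration>
"""

def _is_true(value):
    return value.strip().lower() == "true"

def _entries(section):
    # True = allow entry, False = deny entry; omitted 'allowed' read as deny (assumption).
    return [_is_true(e.get("allowed", "false")) for e in section.findall("add")]

def _findings(allow_unlisted, entries):
    found = []
    if allow_unlisted and False not in entries:
        found.append("restricts nothing: unlisted clients are allowed and no entry denies")
    if not allow_unlisted and True not in entries:
        found.append("admits nobody: unlisted clients are denied and no entry allows")
    return found

def audit_ip_security(xml_text):
    """Map each scope ('(root)' or a <location> path) to a list of findings."""
    root = ET.fromstring(xml_text)
    report = {}
    base_unlisted, base_entries, locked = True, [], False  # assumed default: allow
    top = root.find(SECTION)
    if top is not None:
        base_unlisted = _is_true(top.get("allowUnlisted", "true"))
        base_entries = _entries(top)
        locks = [a.strip() for a in top.get("lockAttributes", "").split(",")]
        locked = "allowUnlisted" in locks
        report["(root)"] = _findings(base_unlisted, base_entries)
        if not locked:
            report["(root)"].append("allowUnlisted is not locked at this level")
    for loc in root.findall("location"):
        for section in loc.findall(SECTION):
            own = section.get("allowUnlisted")
            unlisted = base_unlisted if own is None else _is_true(own)
            inherited = [] if section.find("clear") is not None else base_entries
            found = _findings(unlisted, inherited + _entries(section))
            if locked and unlisted != base_unlisted:
                found.insert(0, "changes allowUnlisted, which is locked by the root section")
            report[loc.get("path", "")] = found
    return report
```

Calling `audit_ip_security(SAMPLE_CONFIG)` reports the partner path for flipping the locked value; a file that lists only allow entries and never sets allowUnlisted is reported as restricting nothing.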

Disadvantages

1. Passport authentication is no longer supported in the Windows Server 2008 operating system. Customers using passport should consider moving to its replacement Active Directory Federation Services (ADFS).

2. In IIS 6.0, Microsoft introduced a new authorization model based on AZMan rules. In IIS 7.0 Microsoft has deprecated this feature in favor of a new model that is very similar to the ASP.NET authorization model.

How IIS 7.0 Determines the Authenticated Identity

In IIS 7.0 the authentication rules are processed by the core engine in a similar manner as they were in previous versions of IIS with only some minor changes. To better understand the processing order, here are the rules based on the order IIS evaluates them:

1. First, IIS determines if a username and password have been configured at the virtual directory. If a set of credentials has been defined, those credentials will be used. For pre-IIS 7.0 administrators, these credentials are the UNC credentials.

2. If no credentials are configured at the virtual directory then IIS will use the credentials provided during authentication. These credentials can belong to the identity that is configured for anonymous authentication or the credentials provided by the user during the authentication handshake when Basic, Digest, or Windows authentication is enabled.

3. If no authenticated user was established (for example, forms authentication is enabled) it will determine if the process identity should be used.

4. If we do not have an identity at this point, IIS will return an access denied.

SSL

In IIS 6.0, IIS had stored SSL related information in the metabase and had managed a large part of the SSL negotiation process in conjunction with HTTP.SYS. In IIS 7.0, we have moved most of this configuration into HTTP.SYS's store.

To illustrate how each of the IIS 6.0 configuration settings is carried over into IIS 7.0's configuration (or HTTP.SYS configuration), the following chart has been constructed.

| IIS 6.0 Metabase configuration | Description of property | IIS 7.0 Architecture |
| --- | --- | --- |
| AccessSSLFlags | AccessSSLFlags is a bitmask of AccessSSL, AccessSSL128, AccessSSLNegotiateCert, AccessSSLRequireCert and AccessSSLMapCert. A value of 0 means no SSL. | Property still supported in IIS 7.0 configuration in the <access> section. |
| CertCheckMode | Enable or disable CRL (certificate revocation list) checking. | This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object. |
| RevocationFreshnessTime | If the RevocationFreshnessTime property is set to 1 (true), then the certificate revocation list (CRL) on the certificate client is updated by the CRL from the remote location, even if the CRL that is cached on the certificate client is valid. The default timeout interval is one day unless you use the RevocationURLRetrievalTimeout to specify a different timeout interval (in minutes). | This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object. |
| SecureBindings | The SecureBindings property specifies a string that is used by IIS to determine which secure network endpoints are used by the server instance. | This property is still supported in IIS 7.0 configuration under the <binding> section for <sites>. The protocol used needs to be "https". |
| SSLAlwaysNegoClientCert | The SSLAlwaysNegoClientCert property controls SSL client connection negotiations. If this property is set to true, any time SSL connections are negotiated, the server will immediately negotiate a client certificate, preventing an expensive renegotiation. Setting SSLAlwaysNegoClientCert also helps eliminate client certificate renegotiation deadlocks, which may occur when a client is blocked on sending a large request body when a renegotiation request is received. | This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object. |
| SSLCertHash | The SSLCertHash property is used to store the hash of the SSL certificate being used. | This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object. |
| SslCtlIdentifier | The SslCtlIdentifier property contains a unique value that identifies a specific certificate trust list (CTL). It must be used with SslCtlStoreName to accurately reference a CTL. | This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object. |
| SslCtlStoreName | The SslCtlStoreName property contains the name of the CryptoAPI store that contains certificate trust lists (CTL). It must be used with SslCtlIdentifier to accurately reference a CTL. | This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object. |
| SSLStoreName | The SSLStoreName property is used to store the name of the store where the key pair of the certificate resides. | This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object. |
| SslUseDsMapper | The SslUseDsMapper property specifies whether IIS is to use the Windows Directory Service certificate mapper or IIS certificate mapper. If SSLUseDSMapper is set to false, IIS uses the IIS certificate mapper. | This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object. |
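A migration check for the AccessSSLFlags bitmask from the chart above, as an added example that is not part of the original document. The bit values and the IIS 7.0 `sslFlags` names come from the IIS metabase and schema definitions rather than from this page, and the consistency rules and sample values are this example's own.

```python
# IIS 6.0 AccessSSLFlags bits and the matching IIS 7.0 sslFlags names.
# Bit values come from the IIS metabase/schema definitions, not from this page.
FLAGS = [
    (0x008, "AccessSSL", "Ssl"),
    (0x020, "AccessSSLNegotiateCert", "SslNegotiateCert"),
    (0x040, "AccessSSLRequireCert", "SslRequireCert"),
    (0x080, "AccessSSLMapCert", "SslMapCert"),
    (0x100, "AccessSSL128", "Ssl128"),
]

def migrate_access_ssl_flags(value):
    """Return (IIS 7.0 sslFlags string, warnings) for an AccessSSLFlags integer."""
    old_names = {old for bit, old, _ in FLAGS if value & bit}
    new_names = [new for bit, _, new in FLAGS if value & bit]
    warnings = []
    unknown = value & ~sum(bit for bit, _, _ in FLAGS)
    if unknown:
        warnings.append("unrecognised bits 0x%X ignored" % unknown)
    if not new_names:
        warnings.append("no SSL required: content is reachable over plain HTTP")
    # Sanity rules chosen for this example, not an official validation list.
    if "AccessSSLRequireCert" in old_names and "AccessSSLNegotiateCert" not in old_names:
        warnings.append("AccessSSLRequireCert set without AccessSSLNegotiateCert")
    if "AccessSSL128" in old_names and "AccessSSL" not in old_names:
        warnings.append("AccessSSL128 set without AccessSSL")
    return ", ".join(new_names) or "None", warnings

def access_element(value):
    """Render the IIS 7.0 <access> element for a migrated value."""
    return '<access sslFlags="%s" />' % migrate_access_ssl_flags(value)[0]

# Constructed sample values, keyed by hypothetical metabase paths.
SAMPLES = {
    "/LM/W3SVC/1/ROOT/admin": 0x168,
    "/LM/W3SVC/1/ROOT/api": 0x048,
    "/LM/W3SVC/1/ROOT/public": 0x000,
}

if __name__ == "__main__":
    for path, raw in SAMPLES.items():
        flags, notes = migrate_access_ssl_flags(raw)
        print(path, access_element(raw), "; ".join(notes))
```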

Compatibility of IIS 7 with OS

Microsoft considers IIS 7 a part of the operating system (Win2K8 or Vista), so it's tied to the version of Windows you're using.

You need to use either Windows Vista or Windows 2008 to have IIS7.

Reference: http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/6064c641-dcb3-41d3-8e4f-9e00ac642889/

| Display Names / Hierarchy | Package Update Names | Windows 2K8 Server | Vista Prof | Vista Premium | Vista Basic & Starter |
| --- | --- | --- | --- | --- | --- |
| Internet Information Services | IIS-WebServerRole | Available | Available | Available | Available |
| World Wide Web Services | IIS-WebServer | Default | Default | Default | Default |
| Common Http Features | IIS-CommonHttpFeatures | Default | Default | Default | Default |
| Static Content | IIS-StaticContent | Default | Default | Default | N/A |
| Default Document | IIS-DefaultDocument | Default | Default | Default | N/A |
| Directory Browsing | IIS-DirectoryBrowsing | Default | Default | Default | N/A |
| HTTP Errors | IIS-HttpErrors | Default | Default | Default | Default |
| HTTP Redirection | IIS-HttpRedirect | Available | Available | Available | Available |
| Application Development Features | IIS-ApplicationDevelopment | Available | Available | Available | Available |
| ASP.NET | IIS-ASPNET | Available | Available | Available | N/A |
| .NET Extensibility | IIS-NetFxExtensibility | Available | Available | Available | Available |
| ASP | IIS-ASP | Available | Available | Available | N/A |
| CGI | IIS-CGI | Available | Available | Available | N/A |
| ISAPI Extensions | IIS-ISAPIExtensions | Available | Available | Available | N/A |
| ISAPI Filters | IIS-ISAPIFilter | Available | Available | Available | N/A |
| Server-Side Includes | IIS-ServerSideInclude | Available | Available | Available | N/A |
| Health and Diagnostics | IIS-HealthAndDiagnostics | Default | Default | Default | Default |
| HTTP Logging | IIS-HTTPLogging | Default | Default | Default | Default |
| Logging Tools | IIS-LoggingLibraries | Available | Available | Available | Available |
| Request Monitor | IIS-RequestMonitor | Default | Default | Default | Default |
| Tracing | IIS-HttpTracing | Available | Available | Available | Available |
| Custom Logging | IIS-CustomLogging | Available | Available | Available | N/A |
| ODBC Logging | IIS-ODBCLogging | Available | Available | N/A | N/A |
| Security | IIS-Security | Available | Available | Available | Available |
| Basic Authentication | IIS-BasicAuthentication | Available | Available | Available | N/A |
| Windows Authentication | IIS-WindowsAuthentication | Available | Available | N/A | N/A |
| Digest Authentication | IIS-DigestAuthentication | Available | Available | N/A | N/A |
| Client Certificate Mapping Authentication | IIS-ClientCertificateMappingAuthentication | Available | Available | N/A | N/A |
| IIS Client Certificate Mapping Authentication | IIS-IISCertificateMappingAuthentication | Available | Available | N/A | N/A |
| URL Authorization | IIS-URLAuthorization | Available | Available | Available | Available |
| Request Filtering | IIS-RequestFiltering | Available | Available | Available | Available |
| IP Security | IIS-IPSecurity | Available | Available | Available | Available |
| Performance Features | IIS-Performance | Default | Default | Default | Available |
| Static Content Compression | IIS-HttpCompressionStatic | Default | Default | Default | N/A |
| Http Compression Dynamic | IIS-HttpCompressionDynamic | Available | Available | Available | Available |
| Web Management Tools | IIS-WebServerManagementTools | Default | Default | Default | Default |
| IIS Management Console | IIS-ManagementConsole | Default | Default | Default | N/A |
| IIS Management Scripts and Tools | IIS-ManagementScriptingTools | Available | Available | Available | Available |
| IIS Management Service | IIS-ManagementService | Available | Available | Available | N/A |
| IIS 6 Management Compatibility | IIS-IIS6ManagementCompatibility | Available | Available | Available | Available |
| IIS Metabase and IIS 6 compatibility | IIS-Metabase | Available | Available | Available | Available |
| IIS 6 WMI Compatibility | IIS-WMICompatibility | Available | Available | Available | N/A |
| IIS 6 Scripting Tools | IIS-LegacyScripts | Available | Available | Available | N/A |
| IIS 6 Management Console | IIS-LegacySnapIn | Available | Available | Available | N/A |
| FTP Publishing Service | IIS-FTPPublishingService | Available | Available | N/A | N/A |
| FTP Server | IIS-FTPServer | Available | Available | N/A | N/A |
| FTP Management Console | IIS-FTPManagement | Available | Available | N/A | N/A |
| Windows Activation Service | WAS-WindowsActivationService | Available | Available | Available | Available |
| Process Model | WAS-ProcessModel | Default | Default | Default | Default |
| .NET Environment | WAS-NetFxEnvironment | Available | Available | Available | Available |
| Configuration APIs | WAS-ConfigurationAPI | Available | Available | Available | Available |
| Request Execution Limit | | Unlimited | 10 | 3 | 3 |

Reference: http://learn.iis.net

Migration Process

For migration, administrators use the Microsoft Web Deployment Tool (MS Deploy), a utility that you can use to migrate your Web server or Web site from a computer that is running Internet Information Services (IIS) version 6.0 on Microsoft Windows Server 2003 to a computer that is running IIS 7.0 on Windows Server 2008. You can also use MS Deploy to migrate from an IIS 6.0 Web server to another IIS 6.0 Web server, or from an IIS 7.0 Web server to another IIS 7.0 Web server.

Reference: http://technet.microsoft.com/en-us/mscomops/cc424869.aspx

IIS 7.0 Installation Procedures

Step 1: Start Server Manager
To start Server Manager, click: Start Menu -> All Programs -> Administrative Tools -> Server Manager. The Server Manager window opens.

Step 2: Adding a Server Role
In the Server Manager, select Roles. (The Role Summary View is displayed.)

Step 3: Start the Add Roles Wizard
Click Add Roles. The Add Roles Wizard opens. Click Next to select roles to install.

Step 4: Choose Web Server (IIS) Role to Install
Check Web Server (IIS).

Step 5: Web Server Role depends on WAS
The Add Roles Wizard notifies you of any required dependencies; since IIS depends on the Windows Process Activation Service (WAS) feature, an informational dialog displays. Click Add Required Role Services to continue. Web Server is now selected for install. The Select Server Roles dialog box opens. Click Next to continue.

Step 6: Additional Information
Click Next to continue.

Step 7: View IIS 7.0 Features
The Add Roles Wizard displays a list of all IIS 7.0 features available to install. Note that features comprising the default install are pre-selected. Note: To install just the IIS 7.0 default features, click the Install button and then proceed to Step 10 below. If you need to install additional features, proceed to Step 8.

Step 8: Select Additional IIS Features to Install
For this example, we install additional IIS features: Start by checking the box for ASP.NET. A dialog displays. The wizard warns if adding an IIS feature will also cause other features to be installed. Click Add Required Role Services to continue.

Step 9: Select Additional IIS Features to Install
Continue selecting additional IIS Role Services features to install: Check the features you require. When you have selected all the features you require, click Next to continue.

Step 10: Summary of Features to Install
The wizard provides a summary of what will be installed. Click Install to continue.

Step 11: Install Progress
After clicking Install, the install progress dialog opens.

Step 12: Install Complete
When the IIS 7.0 install is complete, a completion dialog opens. Click Close to return to the Server Manager.

Step 13: Check IIS 7.0 install
You can now perform a quick check to verify that IIS 7.0 is installed. Start the Internet Explorer web browser and enter the address http://localhost. You should see the default IIS "Welcome" page.