Internet Information Services (IIS) 7 has changed significantly since its last major release (with Windows Server 2003). IIS6 focused on improving the security, reliability and scalability of the product and has largely succeeded in meeting its goals – especially in the area of security.

IIS 7 focuses on addressing a number of additional pain points.

Delegation of Administration

IIS has traditionally required a user to be an Administrator user on the machine in order to configure IIS. IIS7 changes this model, providing a delegation model similar to that employed by ASP.NET. An administrator can delegate administration of the server, a website or individual web applications to other users, and choose which settings can be overridden by these users

XCopy Deployment

The mechanism that facilitates this delegation of administration is a new hierarchical configuration system, again similar to the system ASP.NET uses (a central master configuration file, with subordinate web.config files). The nature of these files (XML) means that IIS configuration information can be copied in the same as content is (e.g. via xcopy.exe, FTP, FPSE etc). Previously all IIS configuration was stored in a master Metabase, and configuring the metabase required the use of the GUI or running scripts.

Modularity and Security

In previous versions of IIS all core functionality (such as authentication, authorization, logging and performance monitoring) was implemented by a monolithic set of core components. Administrators had little opportunity to customise the way that IIS was installed.

In IIS7, most functionality is broken out into a set of approximately 40 modules. Some modules are .NET (implementing IHTTPModule) and some are written using a native API. Administrators are free to add or remove modules to customise their IIS installation. And because the APIs that are used to write these modules are publicly available, Administrators are free to build their own custom modules to address specific business needs

This modularity allows the Administrator to build a light-weight customised web server that only has the modules required for operation installed on the machine and/or loaded inside a worker process, reducing attack surface and improving both performance and security

Unified Event Pipeline

Previous versions of IIS had an event pipeline that was accessible via writing your own ISAPI Filters. After the request had passed through the IIS pipeline, it was handed to a file handler that was configured based on the extension of the file being requested. These ISAPI Extensions are how ASP, ASP.NET and similar technologies are implemented. ASP.NET implements its own event pipeline which occurs after the request has been handed off by IIS to ASP.NET. The results in there being multiple authentication, authorization, caching etc events, resulting in duplicate configuration and confusion amongst developers and administrators.

In IIS7, we now have a single, unified event pipeline. All requests pass through this event pipeline, and modules loaded inside IIS can see all requests passing through the pipeline. This provides some interesting side effects – you can use ASP.NET Forms Based Authentication (FBA) for example, to protect all resources (not just ASP.NET resources) including Classic ASP pages and even PHP pages!

New Monitoring and Error Tracing Functionality

Whilst Event Tracing was available in IIS6, IIS7 provides far more accessible error tracing capabilities. The new FREB (Failed Request Event Buffering) functionality provides administrators the ability to trace requests through the IIS pipeline to determine at which point a request may be failing (e.g. at the authentication level, or being served from a cache rather than disk). The RSCA (Runtime Status and Control API) provides administrators with real-time access to requests “in flight” allowing analysis of the web server in real time. Administrators can access this functionality through GUI tools, command line tools, and also programmatically.

Administration Tools

A new set of administration and configuration tools are available to developers and administrators. The IIS MMC console has been updated to cater for the new features in IIS 7. It also has an extensibility API that allows developers to add additional configuration icons and items using a set of .NET classes. Administrators are able to configure IIS7 using the new appcmd.exe command line tool, or using a brand new WMI provider which has been rewritten to allow complete administration of IIS (the WMI provider in IIS6 didn’t allow configuration of all items). Administrators can also use Powershell to configure IIS via the WMI provider

Publishing Options

IIS7 will feature new publishing options. Frontpage Server Extensions will be updated to provide FPSE publishing options to developers using older tools (like previous versions of Visual Studio.NET or Frontpage). The WebDAV publishing components are also being rewritten to work seamlessly with the new client redirectors in Windows Vista and Windows Server 2008. Unlike WebDAV in previous versions of IIS, the new WebDAV publishing components promise to provide a far more robust and stable experience for end users. Lastly Windows Server 2008 will feature a new FTP server that supports two important new features – publishing secured by SSL/TLS (namely FTPS) and support for virtual hosts (the ability to run multiple FTP sites on a single IP address/port combination, similar to Host Headers for web sites).

In Summary

All in all, there are a slew of new features coming with IIS 7. The above few paragraphs have only touched on a few "headline" changes (there are many more small changes "under the covers"). The IIS Product Group has an excellent site at www.iis.net where you can keep track of the changes coming with IIS 7.0.

If you are coming to Tech.Ed Australia or Tech.Ed NZ, there are six sessions currently scheduled on IIS 7.0. Look forward to seeing you there!