The Minority Report

The folks over at the Windows Server division have been busy little beavers working on IIS extensions. Funny how I wanted to start out by slamming Microsoft again but after looking at some facts, I really couldn’t slam them all that much.

The old IIS Extensions train keeps on rollin’. Last month we hit RTW with the Web Platform Installer V1.0 (Why do we call it V1.0? Just wait until you see V2.0) and as you know, Web PI is the one-stop shop for discovering, downloading and installing the various components of the Microsoft Web Platform, be they application server modules, drivers, tools or IIS extensions. And while you’re over checking that out, take a look at the new version of Microsoft.com/Web, which provides a lot more detail on why the Microsoft Web Platform is the software of choice for building Web applications and solutions. It also has a pretty flower, which we thought was kinda apt for Valentine’s Day.

And so to today’s news, where two more IIS extension release updates join the fold, to help manage distributed Web server farms and to better protect those servers against unauthorized access or malicious requests: Application Request Router and IIS Dynamic IP Restrictions.

ARR, now reaching it’s RTW milestone, enables Web server administrators and hosting providers to increase Web application scalability and reliability through rule-based routing and load balancing of HTTP server requests. With ARR, administrators can optimize resource utilization for application servers, and so reduce management costs for Web server farms and shared hosting environments. Show me the money! The RTW version of ARR is fully supported and production ready, and adds new functionality since the Release Candidate, including:

• An improved way to allocate and identify servers for host name affinity by including 2 providers: one based on round robin and the other based on memory consumption, to more evenly distribute the “load” across shared servers
• Greater integration with IIS Manager, including the ability to manually override health statuses and configure HTTP and HTTPS ports for the application servers
• Performance improvements in least response time load balancing algorithm

The other release we have today is a newcomer to the extensions stable – the beta of IIS Dynamic IP Restrictions. This extension provides IT Professionals and hosting providers with a configurable module that can help mitigate or block Denial of Service attacks or the cracking of passwords through brute-force methods. It does this by temporarily blocking IP addresses of HTTP clients who follow a pattern that could be indicative of such an attack. This module can be configured at the Web Server or the Web Site level for analyzing and blocking potentially malicious requests.

IIS Dynamic IP Restrictions integrates into IIS Manager and extends the existing IP Restrictions functionality, maintaining support for the functionality already provided by IPv4 Address and Domain Restrictions and also adding new support for IPv6 addresses. As a result, IT Administrators can build and use a static list of IP addresses and domain names that are denied or granted access, while still restricting suspicious IP addresses dynamically based on behavior. Learn more about how to use this new extension, try it out, and of course, let us know how you get on.

David Lowe.

Windows Server Division WebLog : IIS Extensions: Application Request Router RTW and Dynamic IP Restrictions Beta

I’m trying to find some recent statistics (maybe someone will comment with some…hint…hint) on the vulnerability of Apache vs. IIS but I did find relatively recent statistics on usage.

In the January 2009 survey we received responses from 185,497,213 sites, reflecting an uncharacteristic monthly loss of 1.23 million sites.

Apache’s market share grew by more than 1 percentage point this month, extending its lead over Microsoft IIS, which has fallen to less than a third of the market. In total, Apache gained 1.27 million sites this month.

Netcraft Ltd – Internet Research, Anti-Phishing and PCI Security Services

Market Share for Top Servers Across All Domains August 1995 – January 2009

I’m obviously not a scientific survey, but I don’t know anyone that runs IIS for a public facing web server. I guess I’m naive because I thought the gap between Apache and IIS would be larger and by the accounts that I’m reading for this post, IIS 7.0 is more secure. I personally would not use it because I think ASP is crappy to program with and LAMP is just easier at this point for me but I guess there are people out there that feel differently. Just goes to show you that if you spend millions and millions of dollars and 7 versions, you just might get it right.

Here is an opinion on why you should check out IIS 7.0:

Text file configuration

Apache has httpd.conf – a simple text file for configuration – which makes it very easy to edit Apache configuration using text/code editors or write PERL or other scripts to automate configuration changes. Since the configuration file is just a text file, it also makes it easy to copy configuration from one server to another. Unfortunately, Apache does require that you ‘restart’ Apache in order for the configuration changes to take effect. Many IIS customers dread IIS’ configuration store – the ‘metabase’ – and for good reason. It has been an opaque configuration store like the registry since it was introduced in IIS4, and while there are many tools and APIs to use to configure IIS with, nothing beats being able to open up your configuration in the text editor of your choice and directly change configuration settings. With IIS7, all IIS configuration is now stored in a simple XML file called applicationHost.config, which is placed by default in the \windows\system32\inetsrv\config directory. Changing configuration is as simple as opening the file, adding or changing a configuration setting, and saving the file. Want to share configuration across a set of servers? Simply copy the applicationHost.config file onto a file share and redirect IIS configuration to look there for it’s settings.

My Take: IIS vs. Apache : BillS IIS Blog : The Official Microsoft IIS Site

Distributed Configuration (by default)

Apache supports distributed configuration with a feature called .htaccess. It is a powerful feature that enables configuration for a Web site to be overriden using a simple text file in the content directory. Unfortunately, due to the way it is designed in Apache, using it incurrs a huge performance hit. In fact, the apache.org site recommends you avoid using it whenever possible.

IIS7 supports distributed configuration in web.config files, and has some important advantages over .htaccess. Web.config is the file that ASP.NET uses today to store configuration, so developers now have a single file, format and API to use to target Web site / app configuration. Imagine storing your PHP, Apache and Web Application settings in one file. This distributed configuration support is very powerful, and allows for every per-URL configuration IIS property to be set in distributed configuration.

My Take: IIS vs. Apache : BillS IIS Blog : The Official Microsoft IIS Site

Extensibility (C/C++/C#/VB.NET/and 30+ other languages…)

As I noted above, Apache has had a very modular architecture with powerful extensibility for many years. Apache’s architecture has allowed many people to take it and add / modify / extend the Web server to do many custom things. The resulting community modules for Apache has been impressive to watch. IIS’ ISAPI extensibility hasn’t been a complete slouch: some of the world’s biggest application frameworks have successfuly run on ISAPI, including ASP, ASP.NET, ColdFusion, ActiveState PERL, etc. Unfortunately, the number of successful ISAPI developers does seem to be smaller than the successful Apache mod developers, and the product team itself elected to rarely use ISAPI to build actual IIS features.

This all changes with IIS7. With IIS7, IIS introduces a new native extensibility interface, CHttpModule, on top of which we ported all of the IIS features as a discrete, pluggable binary. The IIS core Web server itself is a very thin event pipeline, and each of the IIS features can now be added and removed independently. The extensibility point, CHttpModule, is much more powerful than ISAPI, and provides a fully asynchronous super-set support for extensions and filters. Don’t like how IIS does XYZ feature, rip it out and replace it with your own: you have all the APIs the IIS team has.

My Take: IIS vs. Apache : BillS IIS Blog : The Official Microsoft IIS Site

If you’re saying to yourself: IIS isn’t as secure as Apache, or isn’t as reliable, or isn’t as fast, you should think twice.

Security. If you’re worried about IIS security vs. Apache, you’re concerns are outdated. Check out http://secunia.com and compare IIS5 and IIS6′s track record for the last 4-5 years and compare it to Apache. Having been on the IIS team during Code Red and Nimda I can tell you it was a very painful experience and one I don’t ever hope to re-live, nor do I wish it on my worst enemy. The IIS team learned hard lessons in 2001, and the results speak for themselves. Is IIS perfect? Nope, it is still build by faliable humans and we make mistakes just like every other engineering team.

My Take: IIS vs. Apache : BillS IIS Blog : The Official Microsoft IIS Site

Oh and I wanted to throw in the ol’ system calls diagram for Apache and IIS. It’s outdated but still cool lookin’.

IIS, Apache, LAMP, Microsoft