Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server software created by Microsoft for use with the Windows NT family.[2] IIS supports HTTP, HTTP/2, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some editions (e.g. Windows XP Home edition), and is not active by default.
History
The first Microsoft web server was a research project at the European Microsoft Windows NT Academic Centre (EMWAC), part of the University of Edinburgh in Scotland, and was distributed as freeware.[3] However, since the EMWAC server was unable to handle the volume of traffic going to Microsoft.com, Microsoft was forced to develop its own web server, IIS.[4]
Almost every version of IIS was released either alongside or with a version of Microsoft Windows:
IIS 1.0 was initially released as a free add-on for Windows NT 3.51.
IIS 2.0 was included with Windows NT 4.0.
IIS 3.0, which was included with Service Pack 2 of Windows NT 4.0, introduced the Active Server Pages dynamic scripting environment.[5]
IIS 4.0 was released as part of the "Option Pack" for Windows NT 4.0. It introduced the new MMC-based administration application and also was the first version where you can run multiple instances of web and FTP servers, differenting them by port number and/or host name. It was also the first version to run application pools.
IIS 5.0 shipped with Windows 2000 and introduced additional authentication methods, support for the WebDAV protocol, and enhancements to ASP.[6] IIS 5.0 also dropped support for the Gopher protocol.[7] IIS 5.0 added HTTP.SYS.
IIS 5.1 was shipped with Windows XP Professional, and was nearly identical to IIS 5.0 on Windows 2000.
IIS 6.0 (code name "Duct Tape"), included with Windows Server 2003 and Windows XP Professional x64 Edition, added support for IPv6 and included a new worker process model that increased security as well as reliability.[8] HTTP.sys was introduced in IIS 6.0 as an HTTP-specific protocol listener for HTTP requests.[9] Also each component (like for example Server Side Includes or ASP) now has to be explicitly installed, because in earlier versions often hackers entered sites by using security bugs of components that were not even in use by the hacked site, improving security.
IIS 7.0 was a complete redesign and rewrite of IIS, and was shipped with Windows Vista and Windows Server 2008. IIS 7.0 included a new modular design that allowed for a reduced attack surface and increased performance. It also introduced a hierarchical configuration system allowing for simpler site deploys, a new Windows Forms-based management application, new command-line management options and increased support for the .NET Framework.[10] IIS 7.0 on Vista does not limit the number of allowed connections as IIS on XP did, but limits concurrent requests to 10 (Windows Vista Ultimate, Business, and Enterprise Editions) or 3 (Vista Home Premium). Additional requests are queued, which hampers performance, but they are not rejected as with XP.
IIS 7.5 was included in Windows 7 (but it must be turned on in the side panel of Programs and Features) and Windows Server 2008 R2. IIS 7.5 improved WebDAV and FTP modules as well as command-line administration in PowerShell. It also introduced TLS 1.1 and TLS 1.2 support and the Best Practices Analyzer tool and process isolation for application pools.[11]
IIS 8.0 is only available in Windows Server 2012 and Windows 8. IIS 8.0 includes SNI (binding SSL to hostnames rather than IP addresses), Application Initialization, centralized SSL certificate support, and multicore scaling on NUMA hardware, among other new features.
IIS 8.5 is included in Windows Server 2012 R2 and Windows 8.1. This version includes Idle worker-Process page-out, Dynamic Site Activation, Enhanced Logging, ETW logging, and Automatic Certificate Rebind.
IIS 10.0 version 1607 a.k.a. version 10.0.14393 is included in Windows Server 2016 released 2016-09-26 and Windows 10 Anniversary Update released 2016-08-02. This version includes support for HTTP/2,[12] running IIS in Windows containers on Nano Server, a new Rest management API and corresponding web-based management GUI, and Wildcard Host Headers.[13]
IIS 10.0 version 1709 is included in Windows Server, version 1709 (Semi-Annual Channel) and Windows 10 Fall Creators Update both released 2017-10-17. This version adds support for HSTS, container enhancements, new site binding PowerShell cmdlets, and 4 new server variables prefixed with "CRYPT_".[14]
IIS 10.0 version 1809 a.k.a. version 10.0.17763 is included in Windows Server 2019 and Windows 10 October Update released 2018-10-02. This version added flags for control of HTTP/2 and OCSP Stapling per site, a compression API and implementing module supporting both gzip and brotli schemes, and a UI for configuring HSTS.[15]
All versions of IIS prior to 7.0 running on client operating systems supported only 10 simultaneous connections and a single website.
Microsoft was criticized by vendors of other web server software, including O'Reilly & Associates and Netscape, for its licensing of early versions of Windows NT; the "Workstation" edition of the OS permitted only ten simultaneous TCP/IP connections, whereas the more expensive "Server" edition, which otherwise had few additional features, permitted unlimited connections but bundled IIS. It was implied that this was intended to discourage consumers from running alternative web server packages on the cheaper edition.[16] Netscape wrote an open letter to the Antitrust Division of the U.S. Department of Justice regarding this distinction in product licensing, which it asserted had no technical merit.[17] O'Reilly showed that the user could remove the enforced limits meant to cripple NT 4.0 Workstation as a web server with two registry key changes and other trivial configuration file tweaking.
Features
IIS 6.0 and higher support the following authentication mechanisms:[18]
Anonymous authentication
Basic access authentication
Digest access authentication
Integrated Windows Authentication
UNC authentication
.NET Passport Authentication (Removed in Windows Server 2008 and IIS 7.0)[19]
Certificate authentication
IIS 7.0 has a modular architecture. Modules, also called extensions, can be added or removed individually so that only modules required for specific functionality have to be installed. IIS 7 includes native modules as part of the full installation. These modules are individual features that the server uses to process requests.[20]
IIS 7.5 includes the following additional or enhanced security features:[21]
Client certificate mapping
IP security
Request filtering
URL authorization
Authentication changed slightly between IIS 6.0 and IIS 7, most notably in that the anonymous user which was named "IUSR_{machinename}" is a built-in account in Vista and future operating systems and named "IUSR". Notably, in IIS 7, each authentication mechanism is isolated into its own module and can be installed or uninstalled.[19]
IIS 8.0 offers new features targeted at performance and easier administration. The new features are:
Application Initialization: a feature that allows an administrator to configure certain applications to start automatically with server startup. This reduces the wait time experienced by users who access the site for the first time after a server reboot.[22]
Splash page during application initialization: the administrator can configure a splash page to be displayed to the site visitor during an application initialization.[22]
ASP.NET 4.5 support: With IIS 8.0, ASP.NET 4.5 is included by default, and IIS also offers several configuration options for running it side-by-side with ASP.NET 3.5.[23]
Centralized SSL certificate support: a feature that makes managing certificates easier by allowing the administrator to store and access the certificates on a file share.[24]
Multicore scaling on NUMA hardware: IIS 8.0 provides several configuration options that optimize performance on systems that run NUMA, such as running several worker processes under one application pool, using soft or hard affinity and more.[25]
Server Name Indication (SNI): SNI is an extension to Transport Layer Security, which allows binding of multiple websites with different hostnames to one IP address (similar to how Host Headers are used for non-SSL sites).[27]
Dynamic IP Address Restrictions: a feature that enables an administrator to dynamically block IPs or IP ranges that hit the server with a large number of requests[28]
CPU Throttling: a set of controls that allow the server administrator to control CPU usage by each application pool in order to optimize performance in a multi-tenant environment[29]
IIS 8.5 has several improvements related to performance in large-scale scenarios, such as those used by commercial hosting providers and Microsoft's own cloud offerings. It also has several added features related to logging and troubleshooting. The new features are:
Idle worker-Process page-out: a function to suspend idle site to reduce the memory footprint of idle sites[30]
Dynamic Site Activation: a feature that registers listening queues only to sites that have received requests[31]
Enhanced Logging: a feature to allow collection of Server variables, request headers and response headers in the IIS logs[32]
ETW logging: an ETW provider which allows collecting real-time logs using various Event-tracing tool[33]
Automatic Certificate Rebind: a feature that detects when a site certificate has been renewed, and automatically rebinds the site to it[34]
Express
IIS Express, a lightweight (4.5–6.6 MB) version of IIS, is available as a standalone freeware server and may be installed on Windows XP with Service Pack 3 and subsequent versions of Microsoft Windows. IIS 7.5 Express supports only the HTTP and HTTPS protocols. It is portable, stores its configuration on a per-user basis, does not require administrative privileges and attempts to avoid conflicting with existing web servers on the same machine.[35] IIS Express can be downloaded separately[36] or as a part of WebMatrix[37] or Visual Studio 2012 and later.[38] (In Visual Studio 2010 and earlier, web developers developing ASP.NET apps used ASP.NET Development Server, codenamed "Cassini".)[39] By default, IIS Express only serves local traffic.[40][38]
Extensions
IIS releases new feature modules between major version releases to add new functionality. The following extensions are available for IIS 7.5:
FTP Publishing Service: Lets Web content creators publish content securely to IIS 7 Web servers with SSL-based authentication and data transfer.[41]
Administration Pack: Adds administration UI support for management features in IIS 7, including ASP.NET authorization, custom errors, FastCGI configuration, and request filtering.[42]
Application Request Routing: Provides a proxy-based routing module that forwards HTTP requests to content servers based on HTTP headers, server variables, and load balance algorithms.[43]
Database Manager: Allows easy management of local and remote databases from within IIS Manager.[44]
Media Services: Integrates a media delivery platform with IIS to manage and administer delivery of rich media and other Web content.[45]
URL Rewrite Module: Provides a rule-based rewriting mechanism for changing request URLs before they are processed by the Web server.[46]
WebDAV: Lets Web authors publish content securely to IIS 7 Web servers, and lets Web administrators and hosters manage WebDAV settings using IIS 7 management and configuration tools.[47]
Web Deployment Tool: Synchronizes IIS 6.0 and IIS 7 servers, migrates an IIS 6.0 server to IIS 7, and deploys Web applications to an IIS 7 server.[48]
Usage
According to Netcraft, in February 2014, IIS had a "market share of all sites" of 32.80%, making it the second most popular web server in the world, behind Apache HTTP Server at 38.22%. Netcraft showed a rising trend in market share for IIS, since 2012.[49] On 14 February 2014, however, the W3Techs shows different results. According to W3Techs, IIS is the third most used web server behind Apache HTTP Server (1st place) and Nginx. Furthermore, it shows a consistently falling trend for IIS use since February 2013.[50]
Netcraft data in February 2017 indicates IIS had a "market share of the top million busiest sites" of 10.19%, making it the third most popular web server in the world, behind Apache at 41.41% and nginx at 28.34%.[51]
Security
IIS 4 and IIS 5 were affected by the CA-2001-13 security vulnerability which led to the infamous Code Red attack;[52][53] however, both versions 6.0 and 7.0 have no reported issues with this specific vulnerability.[54] In IIS 6.0 Microsoft opted to change the behaviour of pre-installed ISAPI handlers,[55] many of which were culprits in the vulnerabilities of 4.0 and 5.0, thus reducing the attack surface of IIS.[53] In addition, IIS 6.0 added a feature called "Web Service Extensions" that prevents IIS from launching any program without explicit permission by an administrator.
By default IIS 5.1 and earlier run websites in a single process running the context of the System account,[56] a Windows account with administrative rights. Under 6.0 all request handling processes run in the context of the Network Service account, which has significantly fewer privileges, so that should there be a vulnerability in a feature or in custom code it won't necessarily compromise the entire system given the sandboxed environment these worker processes run in.[57] IIS 6.0 also contained a new kernel HTTP stack (http.sys) with a stricter HTTP request parser and response cache for both static and dynamic content.[58]
According to Secunia, as of June 2011[update], IIS 7 had a total of six resolved vulnerabilities while[54] IIS 6 had a total of eleven vulnerabilities, out of which one was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.[54]
In June 2007, a Google study of 80 million domains concluded that while the IIS market share was 23% at the time, IIS servers hosted 49% of the world's malware, the same as Apache servers whose market share was 66%. The study also observed the geographical location of these dirty servers and suggested that the cause of this could be the use of unlicensed copies of Windows that could not obtain security updates from Microsoft.[59] In a blog post on 28 April 2009, Microsoft noted that it supplies security updates to everyone without genuine verification.[60][61]
The 2013 mass surveillance disclosures made it more widely known that IIS is particularly bad in supporting perfect forward secrecy (PFS), especially when used in conjunction with Internet Explorer. Possessing one of the long term asymmetric secret keys used to establish a HTTPS session should not make it easier to derive the short term session key to then decrypt the conversation, even at a later time. Diffie–Hellman key exchange (DHE) and elliptic curve Diffie–Hellman key exchange (ECDHE) are in 2013 the only ones known to have that property. Only 30% of Firefox, Opera, and Chromium Browser sessions use it, and nearly 0% of Apple's Safari and Microsoft Internet Explorer sessions.[62]
^ abHadi, Nahari (2011). Web commerce security: design and development. Krutz, Ronald L. Indianapolis: Wiley Pub. p. 157. ISBN 9781118098899. OCLC 757394142.
^Henrickson, Hethe; Hofmann, Scott R. (2003). "Chapter 15: ASP.NET Web Services". IIS 6: the complete reference. New York City: McGraw-Hill Professional. p. 482. ISBN 978-0-07-222495-5. Retrieved 12 July 2011.
^Henrickson, Hethe; Hofmann, Scott R. (2003). "Chapter 1: IIS Fundamentals". IIS 6: the complete reference. New York City: McGraw-Hill Professional. p. 17. ISBN 978-0-07-222495-5. Retrieved 12 July 2011.