IIS 7 Components

There are over three dozen components and subcomponents to choose from when installing IIS. Table 1 discusses the various components. One of IIS 7's biggest improvements over previous versions is the granularity of the features that can be, or not be, installed. For instance, you can install Windows Authentication, but not Digest Authentication. If you don't install a particular component, like Digest Authentication, the associated programming coding is not installed or kept in memory. This decreases the potential security vector attack points and provides incremental performance benefits. Installers should choose the bare minimum number of components necessary to support their web server's applications. Unfortunately, the new level of granularity makes installing IIS a chore. You can choose between 48 different feature checkboxes over three levels. There is no "install all" setting. To get a complete IIS install takes 24 separate enabled checkboxes. Of course, you should only install the bare minimum requirements necessary to meet your web application needs. Use Table 1 as a guide.

Table 1: IIS Components
Open table as spreadsheet

COMPONENT	DESCRIPTION
FTP Publishing Services	Parent-category heading for File Transfer Protocol (FTP) service.
FTP Management Console	FTP Microsoft Management console snap-in. Should be selected if FTP service is enabled. Can be used to manage local and remote FTP servers.
FTP Server	File Transfer Protocol service. Enable if you want Vista to support FTP services.
Web Management Tools	Parent-category heading for IIS management tools, consoles, and scripts.
IIS 6 Management Compatibility	Sub-category heading to install IIS 6–compatible tools and APIs to manage IIS 7 services.
IIS 6 Management Console	Enable if you want to administrate remote IIS 6 services, including World Wide Web and FTP. It can also be used to administrate FTP on IIS 7 servers.
IIS 6 Scripting Tools	Installs IIS 6 configuration scripts.
IIS 6 WMI Compatibility	Installs IIS 6–compatible Windows Management Instrumentation (WMI) interfaces, allowing many local and remote IIS 6 management tools to operate.
IIS Metabase and IIS 6 configuration compatibility	IIS 7 does not use Metabase database files natively, as IIS 6 does. If this component is installed, Metabase compatibility APIs will be installed to allow legacy Metabase tools to be utilized on IIS 7 services.
IIS Management Console	New Microsoft management console snap-in for local and remote IIS 7 services.
IIS Management Scripts and Tools	If enabled, installs new management scripts and tools for local IIS 7 servers.
IIS Management Services	Installs web management interface to allow remote management using an Internet browser.
World Wide Web Services	Parent category for WWW services. Must be enabled if World Wide Web (WWW) services are desired.
Application Development Features	Child category for application development options.
.NET Extensibility	If enabled, will allow IIS WWW services to support .NET Framework applications. Needed for IIS 7's new protocol listeners (covered later).
ASP	If enabled, supports legacy Active Server Pages (ASP). High risk, should be disabled if not used.
ASP.NET	If enabled, will allow IIS WWW services to support ASP.NET Framework applications. High risk, should remain disabled if not used.
CGI	Enables a Common Gateway Interface subsystem to support CGI programs and scripts. High risk, should remain disabled if not used.
ISAPI Extensions	Allows ISAPI programs to respond for particular request types. High risk, should remain disabled if not used.
ISAPI Filters	Allows ISAPI filters (often DLLs) to filter and respond for particular types of requests. High risk, should remain disabled if not used.
Server-Side Includes	If enabled, implements server side includes, handling requests for documents ending in .stm, .shtm, or .shtml. Should be disabled if your web server does not use server-side includes.
Common Http Features	Child category. Needed for ASP.NET and other types of HTTP functionality.
Default Document	If enabled, will serve up defined default documents, such as index.htm or default.aspx, if the http request does not include a specific trailing document name.
Directory Browsing	If enabled on a web folder, will disable the standard HTTP rendering format and display all folder documents and files in a column list (much like a user might see on an FTP site). The user can then see the individual files and download them. Should not be enabled on most web sites, unless desired.
HTTP Errors	If enabled, will implement IIS's default error responses. Error responses have been used in the past to enumerate Web sites and to identify the existence of documents and filenames. Administrators can choose not to implement the default error documents and create their own customized error responses.
HTTP Redirection	If enabled, can allow HTTP requests to be redirected to other locations. Has been used maliciously in the past by spammers and other rogue hackers. Should be left disabled unless needed.
Static Content	Supports HTML content. Read-only static content is normally low risk. Most web servers will need this option enabled.
Health and Diagnostics	Child-category, if enabled installs tools to monitor and manage server and Web site performance and response.
Custom Logging	Enables custom logging interfaces.
HTTP Logging	Enabled by default. Monitors HTTP requests and responses.
Logging Tools	Installs IIS 7 logging tools and scripts.
ODBC Logging	Installs ODBC database interface capabilities.
Request Monitor	Enables requests to be monitored. Enabled by default.
Tracing	Enables additional troubleshooting capabilities for ASP.NET applications.
Performance Features	Child category for two performance-enhancing capabilities.
Http Compression Dynamic	For standard HTTP traffic compression; on dynamic content needed for ASP support.
Static Content Compression	Enabled by default. For standard HTTP traffic compression of static content.
Security	Parent category, allows administrator to enable various security and authentication mechanisms.
Basic Authentication	If enabled, allows local or domain authentication credentials to be passed in near clear-text format. Only needed for clients that cannot support more secure authentication methods (discussed more later). Should be disabled if not needed, unless all basic authentication is carried out over a secured connection, such as SSL/TLS or IPsec.
Client Certificate Mapping Authentication	If enabled, allows SSL or TLS client certificates to be used to authenticate Active Directory computer or user accounts.
Digest Authentication	If enabled, allows local or domain authentication credentials to be passed in a cryptographic hash format.
IIS Client Certificate Mapping Authentication	Maps client certificates to a one-to-one or many-to-one computer or user account.
IP Security	Enables administrators to restrict requests based on IP addresses or domain names.
Request Filtering	Enabled by default. Allows incoming URL requests to be filtered for legitimacy. Must be enabled to get functionality similar to legacy versions of URLScan (which no longer needs to be installed).
URL Authorization	Integrated authentication method. Allows authentication to be determined by a web application. Was previously available in IIS 6 using ASP.NET.
Windows Authentication	If enabled, allows local or domain authentication credentials to be passed in a very secure challenge-response format-LAN Manager, NTLM, or Kerberos. In order to be used, web server must be contactable using RPC or NetBIOS methods. Typically used for domain computers to intranet web servers. Doesn't typically work through external firewalls or over the Internet (without the use of a VPN or other configured methods). Discussed more later in the chapter.

When IIS 7 is installed on Vista, the following components are installed by default if no specific components are selected:

• IIS Management Console, default document

• Directory browsing

• HTTP errors

• Static content

• HTTP logging

• Request Monitor

• Static content compression

• Request filtering

The default IIS 7 install will allow only static content to be delivered. All active scripting is disabled by default. IIS 7 can support multiple Web and FTP sites and, unlike previous workstation versions, can do so at the same time. Each separate Web or FTP Web site must be bound to a separate TCP port number, IP address, or host header name (which is identical to the existing behaviors in server versions of IIS). IIS 7 can support multiple Web and FTP site configurations. IIS application files are located in a folder called %windir%\system32\inetsrv. The initial IIS 7 install creates a default Web site called, not surprisingly, the default Web site. Files for the default Web site are stored in \Inetpub\wwwroot by default, and contain only a single static web page (see Figure 1) that, if clicked will redirect the user to http://www.iis.net, Microsoft's official IIS support Web site.

Figure 1: Default IIS Web site

Enabling IIS activates a handful of new executables and one or more services. The core executeables will all run in Session 0 using the Local System account. Interfaces (for example, InetMgr.exe) typically run in additional sessions (for example, Session 1) under the local user's security context. The main IIS WWW service is called the World Wide Web Publishing Service service. The service is launched in a Svchost process called IISsvcs. The IIS Worker Process (W3wp.exe) will also be launched.

When IIS is active, the web server will listen only on port 80 until otherwise configured. IIS runs using a multitude of files and processes. The main IIS process of Inetinfo.exe, running in the Local System context, is always present, but several other processes assist. Some such as Dllhost.exe may appear and then disappear, until later needed. It's important to note that in IIS 6 and above, no user code runs in these highly privileged processes.

Note

If Vista Home Basic is upgraded to Business or Ultimate editions, several IIS 7 features are installed and enabled by default. See http://www.support.microsoft.com/kb/930902/en-us for more details.