IIS 7.0 : Striking a Balance Between Security and Performance - SSL

2/9/2011 9:00:16 AM
The SSL implementation has changed in IIS 7.0. Windows Server 2003 stores all SSL configurations in the IIS metabase, and encryption and decryption happen in user mode. This requires a lot of back-and-forth communication between kernel and user mode. In Windows Server 2008, HTTP.sys handles SSL encryption and decryption in kernel mode. Secure connections in IIS 7.0 should perform up to 20 percent better than in IIS 6.0. The performance gains for decrypting data are evident because the need to bounce back and forth between kernel mode and user mode has been greatly reduced.

To move SSL into kernel mode, IIS 7.0 requires SSL binding information to be stored in two locations. The binding information is stored in %windir%\system32\inetsrv\applicationHost.config for each site. When the site starts, IIS sends the binding to HTTP.sys, and HTTP.sys starts listening for requests on the specified IP:port. The second part of SSL configuration is stored in HTTP.sys configuration. You can use Netsh to view SSL binding configuration stored in HTTP.sys.


Netsh is a command line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh can also save a configuration script in a text file for archival purposes or to help you configure other servers. For more information about Netsh, go to and search for Netsh overview.

Here is an example showing a sample binding to The IP address is the same that would be listed in the Web site bindings.

netsh http show sslcert

SSL Certificate bindings:

IP:port :
Certificate Hash : 63ca21f32543806959aed570a081fb3f311f958a
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled

When a client starts an SSL negotiation, HTTP.sys looks in its SSL configuration for the IP and port pair that the client connected to. For the SSL-based request to succeed, the HTTP.sys SSL configuration must include a certificate hash and name of the certificate’s store.
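
The following added example (not part of the original article) cross-checks the two locations described above: every https binding in applicationHost.config needs a matching HTTP.sys entry that carries a certificate hash and a store name. The sample netsh output, the configuration fragment, the endpoints and the function names are constructed for illustration, and only IPv4 bindings are handled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `netsh http show sslcert` output (endpoints are made up).
NETSH_OUTPUT = """
    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 63ca21f32543806959aed570a081fb3f311f958a
    Certificate Store Name  : MY
    IP:port                 : 10.0.0.5:8443
    Certificate Hash        : 63ca21f32543806959aed570a081fb3f311f958a
    Certificate Store Name  : (null)
"""

# Constructed applicationHost.config fragment: three sites with https bindings.
APPHOST_XML = """<configuration><system.applicationHost><sites>
 <site name="Shop"><bindings><binding protocol="https" bindingInformation="*:443:"/></bindings></site>
 <site name="Admin"><bindings><binding protocol="https" bindingInformation="10.0.0.5:8443:"/></bindings></site>
 <site name="Api"><bindings><binding protocol="https" bindingInformation="10.0.0.6:443:"/></bindings></site>
</sites></system.applicationHost></configuration>"""

def parse_netsh(text):
    """Map each IP:port to its fields from `netsh http show sslcert` text."""
    bindings, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*(.*?\S)\s+:\s*(.*)$", line)
        if m and m.group(1).lower() == "ip:port":
            current = bindings.setdefault(m.group(2).strip(), {})
        elif m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return bindings

def audit(apphost_xml, netsh_text):
    """Return (site, endpoint, problem) for https bindings HTTP.sys cannot serve."""
    httpsys, findings = parse_netsh(netsh_text), []
    for site in ET.fromstring(apphost_xml).iter("site"):
        for b in site.iter("binding"):
            if b.get("protocol") != "https":
                continue
            # bindingInformation is "IP:port:host"; "*" shows as 0.0.0.0 in HTTP.sys.
            ip, port, _ = b.get("bindingInformation").split(":", 2)
            endpoint = f"{'0.0.0.0' if ip == '*' else ip}:{port}"
            entry = httpsys.get(endpoint)
            problems = ["no HTTP.sys binding"] if entry is None else [
                f"missing {f}" for f in ("Certificate Hash", "Certificate Store Name")
                if entry.get(f, "(null)") in ("", "(null)")]
            findings += [(site.get("name"), endpoint, p) for p in problems]
    return findings

if __name__ == "__main__":
    print(*audit(APPHOST_XML, NETSH_OUTPUT), sep="\n")
```

On a real server, feed it the captured text of `netsh http show sslcert` and the contents of %windir%\system32\inetsrv\applicationHost.config instead of the embedded samples.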

SSL accelerators come in two forms: an external device and an internal card. An external device is useful when you want to add capacity on demand or make sure there is room to grow. As your requirements for SSL increase, you can add devices to handle the load. An internal card, usually a PCI card, will take the load off the Web server by handling the encryption and decryption. As computers continue to get faster and add more CPU cores, there may no longer be any need for the external device.

Which SSL solution you choose will depend on your application needs. IIS 7.0 handles SSL with better performance than IIS 6.0. Only after you have load-tested your application can you determine whether you need an external device.

Whichever way you proceed, best practice is to put your application in a controlled environment and load-test it. If you determine under load that your servers can handle all the operations, that result can help determine what your production environment will look like. Testing will help you clarify your decision about SSL performance.
