IIS 7.0 is just around the corner and looks poised to radically redefine the web server space. Does it mean the end of Apache as the enterprise web server of choice? I interviewed two Microsoft IIS product managers and got the low-down on why IIS 7.0 is going to kick Apache into last century.
IIS 7.0 represents a major step forward in web services, and there’s plenty for everyone to get excited about, from system admins to web developers. If you’ve got Windows Vista you can start working with IIS 7.0 right now, and it’s also incorporated into Windows Server 2008.
To find out just how different IIS 7.0 really is, and why you should be excited, I spoke to Eric Deily, Lead Product Manager, IIS Microsoft Corp, and Eric Woersching, Product Manager, IIS, Microsoft Corp.
|Eric Deily: Lead Product Manager, IIS Microsoft Corp
|Eric Woersching: Product Manager, IIS, Microsoft Corp
JB: I’d like to look at the changes implemented in IIS 7.0, compared with IIS 6.0. What are the most important new features?
EW: Probably the biggest change we made was the modular framework architecture. It’s the same sort of architecture Apache has, but now it allows us and IIS developers to build on our platform, to keep extending the web server and building in new features even after we’ve shipped. Another is that we’ve moved to a file-based configuration system. Many parts of the old configuration system were inflexible and hard to use. Now we have a system where you can write your configuration in a web.config file and deploy it preconfigured to the IIS server. It gives a lot more flexibility to developers and IT pros.
ED: It's also a lot more extensible throughout the entire aspect of the server from the ground up - in configuration, as Eric mentioned, and in modularity as you can extend the functionality or, for example, replace our existing directory browser module with a new one, or even can implement your own IIS mod. You can also create a configuration that’s completely addressable via our config system - so you could drop in a schema file for a new module and now it’s a first class entity in amongst the rest of the other IIS and ASP.NET configuration.
The UI is extensible as well. The new IIS manager has been written completely on Winforms and can be extended for new functionality and it can also roll configuration pages for the UI. It’s also no longer MMC - it's all Winform space so developers can use the existing development tools, Visual Studio for example, to develop new applications both from the functionality perspective in IIS, configuration and UI.
JB: Presumably that also means that if you have someone who is developing their own extensions and their own modules, it makes it a lot easier if things do go wrong with configs. It would be much easier to roll back without injuring the server in any way.
ED: Correct. People can version the configuration and save it off – then if something does happen there’s an automatic roll back but you can also roll back to the existing configuration. So as well as backup and restore functionality you could also take a version of your configuration that’s good, check that into a source control system and when you make changes, test those changes and if they don’t fly you can back out and restore the old version. Microsoft.com uses that method of deployment.
One of the other capabilities that we’ve added is being able to use the central configuration for web files. So if you have multiple front ends, you can point the front ends at a UNC share and get your configurations from a backend server. That way you’re only making the changes to one copy and all your front ends are pointing to that one copy – all the configuration is effectively redirected for the configuration system. From the configuration API’s point of view, they don’t know whether or not the config is local or remote.
EW: There’s a beautiful simplicity to it in that it's just a file. If that file changes on the UNC share those other web servers get the file change notifications and pick up those changes on the fly. The same thing happens if you just copy right over that file and you’ve updated everything.
JB: Which obviously adds a certain flexibility to backup and restore as well. If you’ve got an IIS 5.0 or 6.0 box that corrupts, you’re stuffed, but in this case if you have a corrupted config file, you can just restore it.
ED: A lot of the problems with corruption in the past has been either misconfiguration or the session keys have been changed or corrupted That issue doesn’t exist anymore – especially with this sort of configuration system because when you export the configuration, the secure properties are encrypted using a set of keys that are completely machine independent. The keys are kept with the configuration so that when you point new servers at that same configuration, those new servers receive the keys automatically.
JB: When you have an IIS 7.0 box that can be configured using this method, what’s the possibility of a web application making changes at the back end? Is that something that you would ever want to occur, or something you would ever allow to occur?
ED: Well, an example of that would be any sort of web-based console. Those all run as applications, so one could argue that that would be a valid scenario. In order to do that though, that application would have to be running as Local System to make any sort of application effect the changes. The biggest reason you don’t want any normal, unprivileged user to be able to make configuration changes themselves is because apppool.config carries the site, all the app pools and all application data.
However, looking at app pool security, we have a new application pool isolation which basically means that when a new app pool is created the only configuration it needs to see is parsed out to a separate temporary pool.config file in a temp directory. So that one app pool can’t actually see all the other app pool configurations.
JB: Is that similar to the user virtualisation that you see on the client now in Vista?
ED: Yes and no. If a non-admin tries to make changes to configuration that’s supposed to be admin only, we have the capability to delegate configuration. So the admin can delegate a section of configuration to non admins. That means that as an application owner you can go to your web.config file and define IIS configurations if those config settings have been delegated to you. If they haven’t and you define them anyway you’re going to get a configuration error back when you start requesting application pages. If the admin does give you those rights then your settings take hold.
EW: One of the powerful things about delegation through the config with web.config files, as well as configuration locking, is that the admin’s live interface just reads configuration files, so you can connect to IIS remotely using the remote version of our admin UI and you’ll receive a delegated experience. The administrator can choose which features are delegated to the user - which ones they can read and which ones they can read/write.
This concept of delegation is a big part of what we wanted for IT pros, which was to make the web server simpler and easier to manage.
With IIS 6.0 we made our servers so much more secure, reliable and high performance and then we asked customers, “What do you need?” and they said “Well, I have this management challenge, I have that management challenge. Can you make it easier?”. And we’ve met that in a whole host of ways.
JB: So with the enhanced modularity, how’s that feeding into other applications in the Microsoft suite, like Sharepoint and Unified Communications?
EW: Well, it's just started but we’ve already started to integrate. We have some features from Windows Media Services that only work if you host media on IIS 7.0, like bitrate throttling for example – we built a module that’s going to be released soon that does bitrate throttling for progressive download media.
ED: In the same way that you have a community built around Apache’s modules and a whole bunch of coders and developers writing new functionality, we are enabling that same sort of environment for IIS now through the new modularity. If we need to update a module now we don’t have to wait for a new Windows release - we can release an update to an existing piece of functionality, so if we need to rev an existing module that we shipped, we could ship a new version of that module later on.
EW: That’s so key for developers. Right now everything is moving at the speed of the internet. New frameworks and the new pieces of frameworks are coming out so rapidly from big companies, like Microsoft with Ajax and Silverlight. It's the web server which has to support all this, and we can’t just wait for each Windows release.
For example, through our market research we found that PHP developers are building their applications on Windows but then they have to deploy to Linux because that’s where PHP performs best. Our modularity allowed us to make a shift cycle outside of the core IIS 7.0 development cycel and build a component called FastCGI which enables PHP to run just as well on Windows.
One of the things that the modularity also allows is that we are able to intersperse our components with ASP.NET components. That allows scenarios like using an ASP.NET service to process non ASP.NET content. Now they can reach parts of the pipeline they never could before.
ED: So now you can use foreign space authentication for your PHP applications. For example, if you want single unified authentication with users and groups and roles, you can use ASP.NET to front all your authentication authorisation without using Windows. In fact we use that for the delegation capabilities. You don’t have to create any Windows accounts when you start delegating remote privileges to application owners. You can create what amounts to an ASP.NET user and let that user have delegated rights to administer the site. You’re no longer creating Windows accounts, which is great for IT pros and security architects who cringe at having to create accounts for every user on the box. Or even AD accounts. If you’re using AD, they just don’t want to do it because that gives them rights to other resources in the cloud.
JB: Which you can’t avoid, can you?
ED: Yeah. So now you can. Now we’ve enabled the use of form-based authentication for all your applications. You can now roll your own data providers, a SQL database for example, and store all your users in there and then use forms for authentication for any of your applications regardless of what’s handling it. It doesn’t have to be just ASP.NET, and it can be static or dynamic via PHP for example, ASP.NET., ASP Classic...all that can now be fronted by form-based authentication.
EW: Taking it a step further, you can use other ASP.NET services like role manager to define roles and then set up your authorisation roles and say “Only this role can touch this site and only this role can touch that site or this part of that site”. This integration between IIS and ASP.NET starts at the run time and goes across the whole configuration. Because the file based configuration we’ve been talking about is actually kind of sneaky – it’s just .NET configuration – but we now have a section called SYSTEM.WEBSERVER which we’re integrating across every tool. IIS and ASP.NET settings have feature pages right next to each other and you can configure it all in one place. Diagnostics, IIS system diagnostics or web events get picked up by our tracing and show up in your IIS logs. You don’t have to have two separate logs now. So the ASP.NET developer now has a more powerful platform but it's also much more of a .NET-friendly, .NET-integrated platform.
On the other hand the PHP developer almost gets the same thing in the sense that IIS now can deliver the same speed and the same level of performance and reliability that Linux Apache does for PHP, but you can also now take advantage of the ASP.NET services and a simple file based configuration system like you have in Apache.
JB: And you don’t need another PHP module to talk back-end to your security accounts?
JB: So would you expect this to be the catalyst to seeing a lot more public front-end portal sites to be hosted on IIS simply for that one reason?
ED: Honestly speaking I think PHP does get the support of FastCGI and the internal work and attention to make PHP a viable platform and viable application programming language on top of IIS, and this will definitely open the door in a lot of other places, especially hosters.
Look at the top applications out there for hosters, and we’re not talking developer communities. We’re talking those people who sit there and say “I want to blog. I want a photo gallery.” Well you’ve got WordPress, you’ve got Qdig, Drupal, PHPBB and a number of other major applications.
We’re enabling those scenarios now and we’re working with various different FastCGI language owners like Zend, and the most common platforms like Python and Ruby on Rails. PHP now is rolling SQL-based libraries that will allow for data storage, so the next step are scenarios like getting WordPress because WordPress right now runs on MySQL. You can install MySQL on Windows just fine. I have WordPress running on my system.
JB: If you don’t have to why would you want to?
ED: Well exactly right. So you know now that PHP is supporting SQL we’re working with the application vendors like WordPress to tweak the applications and allow them to run against SQL. This means that I can still have a tear-off application so now it's just a matter of what do I feel most comfortable with in my application. Do I feel more comfortable with Linux or do I feel more comfortable with Windows? Given that 90% of desktops out there are Windows…
JB: At least. Especially in the enterprise I think it's more like close to 100% We all know that (laughing). So really you’re essentially creating an environment where you’ve enabled these publically-accessible applications which do have a lot of press and which people do like to use, to be leveraged straight into the enterprise without compromising any aspects of that enterprise environment?
ED: Yeah. For example, there are a number of customers that use single unified authentication – single sign-on solutions like Integrity for example. If I got a new application that I need to be able to deploy and requires us to be running PHP, can I still use Integrity? Well yeah I can use Integrity or IIS’s URL authorisation or any other mechanism. Let’s take URL authorisation for example – I say “OK the authentication mechanism is forms”, and then I sit there and say “OK – authorise”. Who is authorised to see this URL? You know INDEX.PHP, right? Well only enterprise user group A is authorised to do that. Group A could be an NT group, it could a domain group, it could be an ASP.NET role. It doesn’t matter. That check is done up front before the request ever makes it to the framework - in this case PHP.
So we do that check up front. You authenticate by whatever means – you have your little single 12 digit LCD thing telling you what your code of the day is and you log in and it just verifies who you are or you log in using the form. Great, I’ve just logged in. I have credentials now. Those credentials can be used on the application and the authorisation layers which then check to see whether or not you’re authorised to use that URL.
EW: But there’s a stronger scenario. A lot of enterprises ban PHP outright or maybe or maybe it’s running away on a some legacy web server. However if the enterprise is all about .NET and using ASP.NET, well they you have capability to integrate it. If you’re an enterprise with some internal PHP, you can move it onto IIS, develop it and host it using ASP.NET. You don’t have to completely abandon PHP because it's reliably hosted in the application pool right next to your ASP.NET and you can migrate your skills and infrastructure over to .NET.
If you have a fully LAMP-based web infrastructure, Linux, Apache and MySQL, how is it easy at all to move to ASP.NET or move to Windows? That’s what this is all about – after years of struggle, we need to make sure that our base level operators at the can support everyone as best we can and then after that’s accomplished, support our developer technologies really, really well.
ED: LAMP to WISP - Windows, IIS, SQL, PHP.
JB: And then from an enterprise perspective, being able to migrate your existing Linux-based technologies and infrastructures across to that sort of platform also gives you the benefit of reducing your support costs. Certainly reducing your deployment costs phenomenally.
EW: Especially if a lot of the rest of your infrastructure is Window based. If you’ve got a big Active Directory solution that’s controlling your client machines and all your users are using Windows – people in your IT department are all Windows users - it's a big deal for them that you can take one less or a few less boxes that you have to manage off Linux and migrate them to Windows in a consistent management environment.
JB: Nice. So let’s say that you wanted to come up with a soundbyte argument to kick back at that whole Apache versus IIS security model. What would you say? How would you say “OK it's rubbish because of ‘X’”?
EW: It's rubbish because of our track record with IIS 6.0 – we’ve had no critical security vulnerabilities. Zero since we released.
JB: How long ago was that?
EW: March of 2003. It's not something that Apache can say and if you look at total security patches, even kind of the medium and important level ones that aren’t critical and either scenario-specific or purely optional, I think we have at this point, maybe four and Apache has something like 37. You go to secunia.com and it will list all the patches…but it's become a myth that Apache is more secure than IIS.
JB: Myths die hard. That’s the problem.
ED: I think the biggest challenge we’ve hit in the past which is kind of what we’re addressing with modularity, is that they had an issue with IIS being so monolithic so when you installed it. That’s not the case anymore. So by default when you install IIS 7.0, regardless of how many patches we’ve had which has been zero critical security fixes as Eric mentioned, you’ve got a standard web server and that’s it out of the gate. There are no other DLLs that are installed. So when you look at worker process, the actual footprint in terms of DLLs is minimal compared to what it was in IIS 6.0.
We’ve taken it the next step by putting back on the admins to figure out what they need it to run. So if you need FastCGI and PHP then you need to install the CGI module and it will install CGI and FastCGI If you need ASP, you need ISAPI and then you need ASP. There’s something like 40-odd choices you can make when you’re custom crafting your web server.
EW: The modularity does two things for security. One is what Eric has just talked about – that if you’re only selecting what you need you have fewer components that can put you at risk. The other thing is that as everyone installs IIS 7.0 everyone will be setting up a different flavour or a different setup of IIS. In the past with Windows one of our challenges was that we have a lot of uniformity and it's easy for a worm or some sort of virus or vulnerability to be out there for everyone at once, attacking a uniform target. But with opensource, everyone has a different feel of this and a different flavour of that - it's so different that worms can’t spread easily. Now we have that advantage too.
EW: We should also mention that we have an IIS GOLive license customers should know about. Basically we’re so confident with where the product is at this stage that you can download Windows 2008 Beta 3 off Microsoft.com and get this GoLive license off Connect.Microsoft.com and you can put IIS 7.0 into production today.
ED: 79 out of 80 web servers that host Microsoft.com right now run on Beta 3. The other one is running 2K3 and it's only running that for performance comparisons.
JB: Is IIS 7.0 going to be available as a 2003 install?
JB: People are going to ask, you understand.
ED (laughing): Yeah, they’ve always been asking. Ever since we started talking with them.
EW: But it is a little better. I mean we do ship IIS 7.0 in Vista for developers, which is something we didn’t do in the past. I forgot to mention that with the GoLive license, we already have 12 – it might be up to 13 now – hosters who are offering free IIS 7.0 hosting to developers. So if you’re a developer and you wouldn’t be setting up a box anyway, you have these opportunities to deploy now for free. We also have a community site now - for the first time the web server actually has a web site about it called IIS.net so it's pretty easy to remember and it's where all of our content information lives. Go to IIS.net/golive and you can learn more about that.
ED: A few of the hosters are supporting the remote administration tool. So you can get your IIS 7.0 site use the remote administration tool to run it from your XP, 2K3 or Vista box and write all the code you want to then deploy it on IIS 7.0
EW: And building up the momentum of our extensibility, cPanel has started developing a version of their product that over 40% of hosters use for their control panel solution that will support IIS 7.0. We’ve never had that before. All these popular control panels only worked with Linux Apache, and now the most popular one is going to support IIS7. We’re very proud of that.
JB: Exciting times ahead then.
JB: You mentioned that now that because of the modularity you could ship an update to a particular module. Is there a dev team who will be doing that sort of work, working on updates?
EW: Yes, the IIS team will be doing that.
ED: So anything that’s shipped in the box will be updated via Windows Update. In fact we’ve got a list of about 40 different enhancement projects on the go – most of the IIS dev team is basically finished with core IIS, but the next version for us isn’t going to be Windows 7. It's going to be what modules we can ship in the next three months to get into a quarterly wave where we start releasing new modules and new functionality. A couple of the publically-announced enhancements include a brand new WebDAV module that’s RFC compliant and a brand new FTP server that supports SSL connections.
EW: FastCGI, media pack bitrate throttling and other features. This is just the start. Those are just the things that we started too late and are not on the ship cycle, but every quarter we said there’s going to be more.
ED: And we’re also looking at what the top modules are in Apache and why they are so popular, and looking at possibly writing a version of those for IIS.
And if they become popular enough like we believe they will, then we’ll be putting in the work to develop and support them through standard Windows engineering practices so that the code is secure, well-formatted and well-tested. Not only do we have developers working on this but we also have program managers who are designing them and testers assigned to fully test these modules. So whereas – and I’m not slanting the Apache community too much but whereas some of the modules are just released with a “Hey look I’ve got a new mod!” - we’ll be doing that too but Microsoft will be code-signing and supporting these products. This functionality will be fully supported by the IIS dev team as well. So you’ve got a program manager, a developer and a tester (at a minimum) working on designing, coding and testing and trying to break these things.
EW: And the reason they’re able to do this is this extensibility framework for the set of APIs and how the config is extensible and everything is extensible. But we’ve released all that to the public. ISVs and developers, they can build features for IIS 7.0 at the highest level – the same level the IIS product team can – and get config support and UI support.
I’ve probably swamped you but we’re very excited!