Windows IIS7 Web Server

Data compression on traffic going through a server has tremendous cost saving potential. Lower bandwidth costs and less waiting time for users.

However, implementations of this solution is fraught with difficulty. One problem is determining how much of compression to use. Too much compression and it really slows the system down.

IIS7 gets over this problem by implementing traffic compression in a completely configurable manner that is easy to understand and has the flexibility to achieve maximum performance.

Administrators can set the level of compression and ensure that it takes place only when the CPU cycles are free - meaning when the server has other work to do, the compression can be adjusted so that there is no slowing down due to lack of CPU resources.

Also, IIS7 allows administrators to tweak the compression based on the type of data being transferred. This "content aware" compression is a hallmark of IIS7's flexibility.

Image Credit: polyscene

IIS7 significantly outperforms its older brother IIS6 in both usability as well as performance. By far the greatest change in the latest iteration is the modular nature of IIS7 management. Instead of the clunky metabase structure, IIS7 now makes use of .config files just like Apache giving administrators complete flexibility and control over their installations.

In addition, IIS7 has made tremendous leaps in terms of security and reliability. With the latest implementation of Application Request Routing (ARR), web requests are now sent to the most appropriate content server based on a plethora of variables designed to ensure maximization of performance parameters.

However, perhaps the greatest change has been IIS7's comparison to Apache - traditionally viewed as the free open source alternative to IIS. The performance of PHP on IIS has always been a stumbling block till now and has been the cause of many a webmaster refusing to change to IIS.

With the latest Fast CGI module, IIS7 convincingly bridges this gap and no longer falters with PHP scripts, removing perhaps the greatest hurdle to its adoption. The IIS Manager tool also allows easy management of PHP applications.

Finally, the Web Application Installer (Web AI) allows quick and easy installation of development platforms including PHP and makes configuration a complete cinch.

The results are startling to say the least. IIS7 is such a major upgrade over IIS6 that it can hardly be said to be merely an upgrade. It looks like a whole new product that is faster, more reliable, and more secure than any other server on the market.

IIS7 gives you plenty of options for creating and managing your site content. As we saw earlier, IIS7 now supports blazing fast PHP applications meaning that you can even make use of Joomla!

However, when you host a Windows Server, you can make use of the first class CMS applications available for developing and maintaining your content. These applications can be based on the .NET framework which allow for great flexibility and reach features.

Large organizations like Parallels Inc. have pledged their support for Enterprise class CMS platforms based on which corporations can receive guaranteed support and technical expertise.

This makes IIS7 one of the safest and most reliable platforms on which to develop. After all, reliability is a key component of any IT infrastructure.

Image Credit: bertop

Anyone who has been a server administrator knows that it can be a real hassle to get the required software up and running. Part of what makes it so difficult is the fact that a server has so many entities within it - users, websites, and resources that need to be shared.

Unless you're very experienced, it's hard to do everything just right with the correct configuration. The latest Windows Server 2008 however, strives to make this process just a little bit easier with the Microsoft Web Platform Installer (Web PI).

The Web PI is a small free download from Microsoft that automates the download of critical components such as SQL server and the .NET framework. Configuration and installation takes place automatically.

In addition, it makes use of the Windows web application gallery - a repository of useful software such as Blogs, CMS, and Wikis. The Web PI allows you to search for and install such tools with just a few clicks. Such software is not restricted to merely .NET applications but includes even PHP ones such as Wordpress.

Getting a website up and running has never been so easy and neither has the administration of a Webserver.

Image Credit: www.microsoft.com

With the introduction of Windows Server 2008 R2, the IIS engine has had a bit of a revamp and has implemented several improvements that make management easier.

However, though it's technically IIS7.5, the name is still IIS7. Here are some of the core improvements:

Implements Configuration polling which allows hosters to track configuration changes made by their customers

ASP .NET can now support more than one CLR - ability to have a separate CLR version for different application pools

Finer security control over request filtering of URLs to prevent SQL injection attacks

However, there are some really great usability and value add changes such as the addition of a "Best Practices Analyzer" (BPA) in the Server Manager component that lets administrators know if their configuration matches up with some industry level accepted practices. This can really help to plug loopholes in security configurations for example.

Also, FTP and WebDAV are not part of the core IIS7.5 architecture making it easier for users to utilize FTP publishing. And finally, one of the best improvements is the ability to manage ASP .NET configurations with PowerShell using a prompt like this: "IIS:/>"

All in all, a great release from Microsoft building on the success of the IIS7 Web Server.

With the integration of the FastCGI module into IIS7, more and more administrators have been turning to Windows Server in order to host their PHP applications. With this increase in usage, comes a need to have more complex PHP configurations to suit various needs such as having multiple PHP versions side by side.

There are many reasons why you would need such a configuration. For example as a reseller, your clients may demand a PHP version that matches their specific application which needs to be ported over. In such a situation you cannot use use the default PHP Windows installer since it doesn't allow various PHP versions to co exist on the same server.

Here are the steps for installing multiple PHP versions side by side on an IIS7 server.

First you must manually install a PHP version by following these steps. Secondly, extract the next PHP version into another folder and configure it according to the instructions found here.

Finally, using these instructions , you need to alter the handler mappings so that the appropriate PHP version is used.

Note that due to the flexibility afforded by IIS7, PHP versions can be implemented on a server basis, a site basis, or even an application basis. This allows you to have, for example, multiple PHP version applications running on not just the same site, but even within the same application.

The various uses of such side by side configurations become even more apparent if you're a web developer and you need to test your program with various versions of PHP. Or if you have multiple clients - each of whom requires PHP coding in line with a different version, IIS7 gives you the tools to do it easily with minimal problems and maximum flexibility.

Background on Cross Site Scripting
Cross site scripting is one of the most common ways for a hacker to attack a web application. In one study, Symantec found that around 80% of all the vulnerabilities it found was caused due to this form of attack. Knowing how it works therefore allows us to understand how to prevent it. A little later, we take a look at how we can use IIS7 to prevent cross site scripting attacks.

How Cross Site Scripting works
Cross site scripting gets its name from the practice of injecting malicious script into a webpage via a third party. The exploit mainly occurs when a user clicks on a URL that has been deliberately crafted by the hacker. The hacker places the script inside the URL and if the user who clicks on it is logged into the targeted website with their user credentials, the attack can send the user's sensitive data to the attacker thereby allowing him or her to impersonate the victim.

There are many ways in which a cross site scripting attack can occur as it is one of the most common vulnerabilities, so the details of how the attack progresses may change. One thing to note is that the script need not be present only in URLs, but also in other input fields that are sent to the server such as field values.

Preventing the attacks
Apart from modifying user behavior by asking them not to click on links which are untrusted, servers can scan the inputs that are coming in either via the URL or from submitted fields and either deny them based on rules which identify an XSS attack or render the script harmless by "escaping" the characters. This is called Request Filtering.

Request Filtering in IIS7
IIS7 comes with a new extension called URLScan 3.0 which includes request filtering as part of its functionality. The latest IIS 7.5 release in fact makes configuring request filtering easier than ever by allowing the entire process to proceed with a GUI frontend instead of necessitating changes in the configuration files.

Request filtering allows administrators to filter out or escape the most dangerous meta characters that indicate an attack. This is useful if the server expects HTML as valid input (Much like Squidoo accepting HTML markup as part of the input in the text box.)

By providing a variety of options for request filtering, IIS7 and IIS 7.5 have created a powerful tool for administrators to protect their site from one of the most common forms of attack on the Internet.