Microsoft IIS 7.5 Review

Few products in the Microsoft portfolio have seen as positive a turnaround as the Internet Information Services Web server.

Nine years ago, IIS was a security nightmare that was regularly exploited by dangerous worms and viruses. But, beginning with IIS 6, Microsoft made significant improvements in the security profile of the Web server—improvements that have erased IIS’ bad security reputation. With IIS 7, Microsoft took many cues from open-source rival Apache, making IIS more modular in its deployment options and even relying on good old configuration files for much of the server’s set-up and administration.

Now, with the release of Windows Server 2008 R2, we are seeing an update to Microsoft’s Web platform in the form of IIS 7.5. Like much of R2 itself, IIS 7.5 isn’t a massive upgrade from previous versions; in fact, many of the new features were already available as add-ons to IIS 7.

But, all in all, IIS 7.5 is a welcome update, improving the management and deployment options for the Microsoft Web server.

Interestingly, it also seems to be acknowledging that for some Microsoft customers, IIS might have gone too far down the Apache road of (mainly) GUI-free configuration.

This new focus was clear once I fired up the IIS Management Console on Windows Server 2008 R2 and started to configure request filtering for the server. Request filtering makes it possible to build a more secure server configuration that is resistant to common attack techniques such as cross site scripting.

Request filtering was built into IIS in previous versions of the server, but setting it up required editing configuration files. This wasn’t exactly difficult, but IIS 7.5 makes it easier with the option to set up filtering using a standard GUI interface. I found this process to be relatively simple, and I liked the fact that changes made here took effect immediately, without the need to restart the service.

Also new in IIS 7.5 is the graphical Configuration Editor, which is sort of like a regedit for IIS configuration. Using this tool, I could edit and view IIS configuration settings without the need to open up the web.config file.

Another welcome change in IIS 7.5 is the elevation of FTP to become a full-fledged part of the server. In previous versions, set-up and management of an FTP server in IIS were done pretty much separately from Web server management. In IIS 7.5, FTP administration is fully integrated into the IIS Management Console.

I found this to be a very good implementation of FTP, making it possible to quickly set up secure FTP servers and tie them to my Websites. Especially nice was the ability to easily use virtual host names for the FTP sites. All in all, the FTP implementation in IIS 7.5 is one of the best I’ve seen, even when compared with dedicated FTP server products.

While much of IIS 7.5 is dedicated to improved GUI management, that isn’t the only focus. Administrators comfortable in the command line, will like the option of managing the IIS server through Microsoft’s PowerShell interface. Using the PowerShell snap-in for IIS 7.5, I was able to use commands to control and view nearly any aspect of the server. This also made it easier to use management scripts, build scheduled tasks and handle remote management.

IIS 7.5 also includes some under-the-hood enhancements, such as hardened application pool security through lowered privileges. In addition, IIS benefits from a large library of extensions and add-on modules that make it possible for businesses to add capabilities to their server implementations.

Jim Rapoza is chief technology analyst at eWeek