Developer(s) | Microsoft |
---|---|
Initial release | May 30, 1995 |
Stable release | |
Written in | C++ [1] |
Operating system | Windows NT |
Available in | Same languages as Windows |
Type | Web server |
License | Part of Windows NT (same license) |
Website | www |
Microsoft IIS ( Internet Information Services, IIS, 2S) is an extensible web server created by Microsoft for use with the Windows NT family. [2] IIS supports HTTP, HTTP/2, HTTP/3, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some editions (e.g. Windows XP Home edition), and is not active by default. A dedicated suite of software called SEO Toolkit [3] is included in the latest version of the manager. This suite has several tools for SEO with features for metatag / web coding optimization, sitemaps / robots.txt configuration, website analysis, crawler setting, SSL server-side configuration and more.
The first Microsoft web server was a research project at the European Microsoft Windows NT Academic Centre (EMWAC), part of the University of Edinburgh in Scotland, and was distributed as freeware. [4] However, since the EMWAC server was unable to handle the volume of traffic going to Microsoft.com, Microsoft was forced to develop its own web server, IIS. [5]
Almost every version of IIS was released either alongside or with a version of Microsoft Windows:
All versions of IIS prior to 7.0 running on client operating systems supported only 10 simultaneous connections and a single website.
Microsoft was criticized by vendors of other web server software, including O'Reilly & Associates and Netscape, for its licensing of early versions of Windows NT; the "Workstation" edition of the OS permitted only ten simultaneous TCP/IP connections, whereas the more expensive "Server" edition, which otherwise had few additional features, permitted unlimited connections but bundled IIS. It was implied that this was intended to discourage consumers from running alternative web server packages on the cheaper edition. [17] Netscape wrote an open letter to the Antitrust Division of the U.S. Department of Justice regarding this distinction in product licensing, which it asserted had no technical merit. [18] O'Reilly showed that the user could remove the enforced limits meant to cripple NT 4.0 Workstation as a web server with two registry key changes and other trivial configuration file tweaking.
IIS 6.0 and higher support the following authentication mechanisms: [19]
IIS 7.0 has a modular architecture. Modules, also called extensions, can be added or removed individually so that only modules required for specific functionality have to be installed. IIS 7 includes native modules as part of the full installation. These modules are individual features that the server uses to process requests. [21]
IIS 7.5 includes the following additional or enhanced security features: [22]
Authentication changed slightly between IIS 6.0 and IIS 7, most notably in that the anonymous user which was named "IUSR_{machinename}" is a built-in account in Vista and future operating systems and named "IUSR". Notably, in IIS 7, each authentication mechanism is isolated into its own module and can be installed or uninstalled. [20]
IIS 8.0 offers new features targeted at performance and easier administration. The new features are:
IIS 8.5 has several improvements related to performance in large-scale scenarios, such as those used by commercial hosting providers and Microsoft's own cloud offerings. It also has several added features related to logging and troubleshooting. The new features are:
IIS Express, a lightweight (4.5–6.6 MB) version of IIS, is available as a standalone freeware server and may be installed on Windows XP with Service Pack 3 and subsequent versions of Microsoft Windows. IIS 7.5 Express supports only the HTTP and HTTPS protocols. It is portable, stores its configuration on a per-user basis, does not require administrative privileges and attempts to avoid conflicting with existing web servers on the same machine. [36] IIS Express can be downloaded separately [37] or as a part of WebMatrix [38] or Visual Studio 2012 and later. [39] (In Visual Studio 2010 and earlier, web developers developing ASP.NET apps used ASP.NET Development Server, codenamed "Cassini".) [40] By default, IIS Express only serves local traffic. [41] [39]
IIS releases new feature modules between major version release to add new functionality. The following extensions are available for IIS 7.5:
According to Netcraft, in February 2014, IIS had a "market share of all sites" of 32.80%, making it the second most popular web server in the world, behind Apache HTTP Server at 38.22%. Netcraft showed a rising trend in market share for IIS, since 2012 [update] . [50] On 14 February 2014, however, the W3Techs shows different results. According to W3Techs, IIS is the third most used web server behind Apache HTTP Server (1st place) and Nginx. Furthermore, it shows a consistently falling trend for IIS use since February 2013 [update] . [51]
Netcraft data in February 2017 indicates IIS had a "market share of the top million busiest sites" of 10.19%, making it the third most popular web server in the world, behind Apache at 41.41% and nginx at 28.34%. [52]
IIS 4 and IIS 5 were affected by the CA-2001-13 security vulnerability which led to the infamous Code Red attack; [53] [54] however, both versions 6.0 and 7.0 have no reported issues with this specific vulnerability. [55] In IIS 6.0 Microsoft opted to change the behaviour of pre-installed ISAPI handlers, [56] many of which were culprits in the vulnerabilities of 4.0 and 5.0, thus reducing the attack surface of IIS. [54] In addition, IIS 6.0 added a feature called "Web Service Extensions" that prevents IIS from launching any program without explicit permission by an administrator.
By default IIS 5.1 and earlier run websites in a single process running the context of the System account, [57] a Windows account with administrative rights. Under 6.0 all request handling processes run in the context of the Network Service account, which has significantly fewer privileges, so should there be a vulnerability in a feature or custom code it won't necessarily compromise the entire system given the sandboxed environment these worker processes run in. [58] IIS 6.0 also contained a new kernel HTTP stack (http.sys
) with a stricter HTTP request parser and response cache for both static and dynamic content. [59]
According to Secunia, as of June 2011 [update] , IIS 7 had a total of six resolved vulnerabilities while [55] IIS 6 had a total of eleven vulnerabilities, out of which one was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5. [55]
In June 2007, a Google study of 80 million domains concluded that while the IIS market share was 23% at the time, IIS servers hosted 49% of the world's malware, the same as Apache servers whose market share was 66%. The study also observed the geographical location of these dirty servers and suggested that the cause of this could be the use of unlicensed copies of Windows that could not obtain security updates from Microsoft. [60] In a blog post on 28 April 2009, Microsoft noted that it supplies security updates to everyone without genuine verification. [61] [62]
The 2013 mass surveillance disclosures made it more widely known that IIS is particularly bad in supporting perfect forward secrecy (PFS), especially when used in conjunction with Internet Explorer. Possessing one of the long term asymmetric secret keys used to establish a HTTPS session should not make it easier to derive the short term session key to then decrypt the conversation, even at a later time. Diffie–Hellman key exchange (DHE) and elliptic curve Diffie–Hellman key exchange (ECDHE) are in 2013 the only ones known to have that property. Only 30% of Firefox, Opera, and Chromium Browser sessions use it, and nearly 0% of Apple's Safari and Microsoft Internet Explorer sessions. [63]
The Apache HTTP Server is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0. It is developed and maintained by a community of developers under the auspices of the Apache Software Foundation.
Active Server Pages (ASP) is Microsoft's first server-side scripting language and engine for dynamic web pages.
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.
Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.
ASP.NET is a server-side web-application framework designed for web development to produce dynamic web pages. It was developed by Microsoft to allow programmers to build dynamic web sites, applications and services. The name stands for Active Server Pages Network Enabled Technologies.
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft Corporation which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.
The Internet Server Application Programming Interface (ISAPI) is an n-tier API of Internet Information Services (IIS), Microsoft's collection of Windows-based web server services. The most prominent application of IIS and ISAPI is Microsoft's web server.
Web server software allows computers to act as web servers. The first web servers supported only static files, such as HTML, but now they commonly allow embedding of server side applications.
The acronyms BAPP and BAMP refer to a set of open-source software programs commonly used together to run dynamic websites or servers. This set is a solution stack, and an open source web platform.
HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request, but will not fulfill it, if it was correct.
Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Russian developer Igor Sysoev and publicly released in 2004. Nginx is free and open-source software, released under the terms of the 2-clause BSD license. A large fraction of web servers use Nginx, often as a load balancer.
SharePoint is a web-based collaborative platform that integrates natively with Microsoft 365. Launched in 2001, SharePoint is primarily sold as a document management and storage system, although it is also used for sharing information through an intranet, implementing internal applications, and for implementing business processes.
The Online Certificate Status Protocol (OCSP) stapling, formally known as the TLS Certificate Status Request extension, is a standard for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing Online Certificate Status Protocol (OCSP) responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.
GlobalSign is a certificate authority and a provider of internet identity and security products. As of January 2015, Globalsign was the 4th largest certificate authority in the world, according to Netcraft.
Windows Server 2008 R2, codenamed "Windows Server 7", is the eighth version of the Windows Server operating system produced by Microsoft and released as part of the Windows NT family of operating systems. It was released to manufacturing on July 22, 2009, and became generally available on October 22, 2009, the same respective release dates of Windows 7. It is the successor to Windows Server 2008, which is derived from the Windows Vista codebase, released the previous year, and was succeeded by the Windows 8-based Windows Server 2012.
Windows Identity Foundation (WIF) is a Microsoft software framework for building identity-aware applications. It provides APIs for building ASP.NET or WCF based security token services as well as tools for building claims-aware and federation capable applications.
SAP Logon Tickets represent user credentials in SAP systems. When enabled, users can access multiple SAP applications and services through SAP GUI and web browsers without further username and password inputs from the user. SAP Logon Tickets can also be a vehicle for enabling single sign-on across SAP boundaries; in some cases, logon tickets can be used to authenticate into 3rd party applications such as Microsoft-based web applications.
Microsoft started development on the .NET Framework in the late 1990s originally under the name of Next Generation Windows Services (NGWS). By late 2001 the first beta versions of .NET Framework 1.0 were released. The first version of .NET Framework was released on 13 February 2002, bringing managed code to Windows NT 4.0, 98, 2000, ME and XP.
ASP.NET Core is an open-source modular web-application framework. It is a redesign of ASP.NET that unites the previously separate ASP.NET MVC and ASP.NET Web API into a single programming model. Despite being a new framework, built on a new web stack, it does have a high degree of concept compatibility with ASP.NET. The ASP.NET Core framework supports side-by-side versioning so that different applications being developed on a single machine can target different versions of ASP.NET Core. This was not possible with previous versions of ASP.NET. ASP.NET Core initially ran on both the Windows-only .NET Framework and the cross-platform .NET. However, support for the .NET Framework was dropped beginning with ASP.Net Core 3.0.
{{cite web}}
: CS1 maint: multiple names: authors list (link){{cite web}}
: CS1 maint: multiple names: authors list (link)