Ten
Things to Do With IIS
By
Matt J. Foley
As an
IIS administrator it sometimes gets downright annoying having to fend off all
the insults from Apache admins I meet claiming innate server superiority.
Generally the discussion about Web administration starts first with all the
various security holes plaguing IIS and the negative press the platform garnered
over the last year. Then it invariably moves to a discussion about how Netcraft and other stats sites
show Apache as the dominant server on the Web, or how a certain big site uses
Apache, or how there are so many cool modules to add to
Apache. Pointing out that scads of non-identified corporate in-house servers run
IIS, or that it too is a free server (since it comes with the operating system),
or that there are in fact plenty of cool add-ons for
IIS (including many that provide source code)
-- all this does little to dissuade these server chauvinists of their opinion.
Rather than whining about rude Apache admins, however, I thought it would be a
more useful response simply to write down some of the ways I've found of
improving IIS. So without further delay here are my top ten tips for making the
most of your IIS.
Tip
10: Customize Your Error Pages
Although
this is quite simple to do, few people seem to take advantage of it. Just select
the "Custom Errors" tab in MMC and map each error, such as 404, to the
appropriate HTML or ASP template. Full details can be found here. If you
want an even easier solution -- or if you want to let developers handle the
mapping without giving them access to the MMC -- use a product like CustomError.
Tip
9: Dive into the MetaBase
If
you think Apache is powerful because it has a config file, then take a look at
the MetaBase. You can do just about anything you want with IIS by editing the
MetaBase. For example, you can create virtual directories and servers; stop,
start and pause Web sites; and create, delete, enable and disable applications.
Microsoft provides a GUI utility called MetaEdit, somewhat similar to
RegEdit, to help you read from and write to the MetaBase. Download the latest
version here. But to really impress those UNIX admins -- and to take
full advantage of the MetaBase by learning how to manipulate it programmatically
-- you'll want to try out the command-line interface, officially called the IIS
Administration Script Utility. Its short name is adsutil.vbs and you'll find it
in C:\inetpub\adminscripts, or else in
%SystemRoot%\system32\inetsrv\adminsamples, together with a host of other useful
administrative scripts.
A word of caution though: Just like Apache conf
files, the MetaBase is pretty crucial to the functioning of your Web server, so
don't ruin it. Back it up first.
Tip
8: Add spell checking to your URLs
Apache
folks always brag about cool little tricks that Apache is capable of --
especially because of the wealth of modules that can extend the server's basic
functionality. One of the coolest of these is the ability to fix URL typos using
a module called mod_speling. Well, thanks to the folks at Port80 Software, it
now appears that IIS admins can do this trick too, using an ISAPI filter called
URLSpellCheck. You can
check it out right on their site, by trying URLs like www.urlspellcheck.com/fak.htm, www.urlspellcheck.com/faq1.htm -- or any other simple typo you
care to make.
Tip
7: Rewrite your URLs
Cleaning
your URLs has all sorts of benefits -- it can improve the security of your site,
ease migration woes, and provide an extra layer of abstraction to your Web
applications. Moving from a ColdFusion to an ASP based site, for example, is no
big deal if you can remap the URLs. Apache users have long bragged about the
huge power of mod_rewrite -- the standard Apache module for URL rewriting. Well,
there are now literally a dozen versions of this type of product for IIS -- many
of them quite a bit easier to use than mod_rewrite, which tends to presume
familiarity with regular _expression arcana. Check out, for example, IIS
ReWrite or ISAPI
ReWrite. So brag no more, Apache partisans.
Tip
6: Add browser detection
There
are a lot of ways to build Web sites, but assuming everybody has a certain
browser or screen size is just plain stupid. Simple _JavaScript sniff-scripts
exist for client-side browser detection, but if you are an IIS user you can do
better with a product called BrowserHawk from CyScape. The Apache world doesn't really have
something comparable to this popular, mature and well-supported product.
Speaking of CyScape, they've recently added an interesting-looking related
product called CountryHawk that helps with location detection, but so far I
haven't had the language- or location-sensitive content to warrant trying it
out.
Tip
5: Gzip site content
Browsers
can handle Gzipped and deflated content and decompress it on the fly. While IIS
5 had a gzip feature built-in, it is pretty much broken. Enter products like Pipeboost to give us better
functionality -- similar to what Apache users have enjoyed with mod_gzip. Don't waste your bandwidth -- even Google encodes
its content, and their pages are tiny.
Tip
4: Cache your content
While
I'm on the topic of improving performance, remember to make your site cache
friendly. You can set expiration headers for different files or directories
right from the MMC. Just right click on an item via the IIS MMC, flip to the
"HTTP Headers" tab, and away you go. If you want to set cache control headers
programmatically -- or even better, let your site developers do it -- use
something like CacheRight. If you want to go further and add reverse proxy
caching, particularly for generated content, use a product like XCache -- which also throws in compression.
It might
involve more time and expense to take full advantage of caching, but when you
watch your logs shrink because they don't contain tons of pointless 304
responses, and your bandwidth consumption drop like a stone, even while your
total page views increase over the same period, you'll start to understand why
this particular tip was so important. Cache friendly sites are quite rare, but
there is plenty of information available online about the enormous benefits to
be had by doing it right: Check out Brian Davidson's page, this nifty tutorial from Mark Nottingham, and what AOL has to say on the subject.
Tip
3: Tune your server
Tuning
IIS is no small topic -- whole books and courses are dedicated to it. But some
good basic help is available online, such as this piece from IIS guru Brett Hill, or this Knowledge Base article from Microsoft itself. However, if you
don't feel like getting your hands dirty -- or can't afford the time and expense
of turning yourself into an expert -- take a look at XTune, from the makers of XCache. It's performance tuning
wizards step you through the process of tuning your IIS environment, making
expert recommendations along the way.
Tip
2: Secure your server with simple fixes
Sure
people are going to attack sites, but you don't have to be a sitting duck if
you're willing to make even a small effort. First off, don't advertise the fact
that you are running IIS by showing your HTTP server header. Remove or replace
it using something like ServerMask -- probably the best twenty-five bucks you'll ever
spend. You can go farther than this by removing unnecessary file extensions to
further camouflage your server environment, and scanning request URLs for signs
of exploits. There are number of commercial products that do user input
scanning, and Microsoft offers a free tool called URLScan which does the job. URLScan runs in conjunction with
IISLockDown, a standard security package which should probably
be installed on every IIS server on the planet. These are simple fixes that
could pay off big, so do them now.
Tip
1: Patch, patch, patch!
Okay,
we in the IIS world do have to patch our systems and make hotfixes. However, as
a former Solaris admin I had to do the same thing there, so I am not sure why
this is a big surprise. You really need to keep up with the patches, Microsoft
is of course the definitive source, but if you can also use the highly-regarded
www.cert.org. Simply search on "IIS".
Well
there you have it: 10 tips for IIS admins to improve their servers. Some of the
tips might become obsolete once IIS 6 is gold, but, for now at least, W2K and NT
IIS admins should apply a few of these today and sleep a little better at night.
Matt
Foley is a former Solaris sysadmin who was turned to the "darkside" and is now
works for a large southern California
hosting and Web agency. He quite likes Windows now in spite of
himself.
Archive Import (Blue) 