Introduction
As an IIS administrator it sometimes gets downright annoying having to fend
off all the insults from Apache admins I meet, claiming innate server
superiority. Generally the discussion about Web administration starts first with
all the various security holes plaguing IIS and the negative press the platform
garnered over the last year. Then it invariably moves to a discussion about how
Netcraft and other stats
sites show Apache as the dominant server on the Web, or how a certain big site
uses Apache, or how there are so many cool
modules to add to Apache. Pointing
out that scads of non-identified corporate in-house servers run IIS, or that it
too is a free server (since it comes with the operating system), or that there
are in fact plenty of cool
add-ons for
IIS (including many that provide
source code)
- all this does little to dissuade these server chauvinists of their
opinion. Rather than whining about rude Apache admins, however, I thought it
would be a more useful response simply to write down some of the ways I've found
of improving IIS. So without further delay here are my top ten tips for making
the most of your IIS.
Tip 10: Customize Your Error Pages
Although this is quite simple to do, few people seem to take advantage of it.
Just select the "Custom Errors" tab in MMC and map each error, such as 404, to
the appropriate HTML or ASP template. Full details can be found
here. If you
want an even easier solution - or if you want to let developers handle the
mapping without giving them access to the MMC - use a product like
CustomError.
Tip 9: Dive into the MetaBase
If you think Apache is powerful because it has a config file, then take a
look at the MetaBase. You can do just about anything you want with IIS by
editing the MetaBase. For example, you can create virtual directories and
servers; stop, start and pause Web sites; and create, delete, enable and disable
applications.
Microsoft provides a GUI utility called MetaEdit, somewhat similar to RegEdit,
to help you read from and write to the MetaBase. Download the latest version
here. But to really impress those UNIX admins - and to take full advantage of
the MetaBase by learning how to manipulate it programmatically - you'll want to
try out the command-line interface, officially called the IIS Administration
Script Utility. Its short name is adsutil.vbs and you'll find it in C:\inetpub\adminscripts,
or else in %SystemRoot%\system32\inetsrv\adminsamples, together with a host of
other useful administrative scripts.
A word of caution though: Just like Apache conf files, the MetaBase is pretty
crucial to the functioning of your Web server, so don't ruin it.
Back it up first.
Tip 8: Add spell checking to your URLs
Apache folks always brag about cool little tricks that Apache is capable of
- especially because of the wealth of modules that can extend the server's
basic functionality. One of the coolest of these is the ability to fix URL typos
using a module called mod_speling. Well, thanks to the folks at Port80 Software,
it now appears that IIS admins can do this trick too, using an ISAPI filter
called URLSpellCheck. You can check it out right on their site, by trying URLs
like www.urlspellcheck.com/fak.htm,
www.urlspellcheck.com/faq1.htm
- or any
other simple typo you care to make.
Tip 7: Rewrite your URLs
Cleaning your URLs has all sorts of benefits - it can improve the security
of your site, ease migration woes, and provide an extra layer of abstraction to
your Web applications. Moving from a ColdFusion to an ASP based site, for
example, is no big deal if you can remap the URLs. Apache users have long
bragged about the huge power of mod_rewrite - the standard Apache module for
URL rewriting. Well, there are now literally a dozen versions of this type of
product for IIS - many of them quite a bit easier to use than mod_rewrite,
which tends to presume familiarity with regular _expression arcana. Check out,
for example,
IIS
ReWrite or ISAPI
ReWrite. So brag no more, Apache partisans.
Tip 6: Add browser detection
There are a lot of ways to build Web sites, but assuming everybody has a
certain browser or screen size is just plain stupid. Simple _JavaScript
sniff-scripts exist for client-side browser detection, but if you are an IIS
user you can do better with a product called
BrowserHawk from CyScape. The
Apache world doesn't really have something comparable to this popular, mature
and well-supported product. Speaking of CyScape, they've recently added an
interesting-looking related product called
CountryHawk that helps with location
detection, but so far I haven't had the language- or location-sensitive content
to warrant trying it out.
Tip 5: Gzip site content
Browsers can handle Gzipped and deflated content and decompress it on the
fly. While IIS 5 had a gzip feature built-in, it is pretty much broken. Enter
products like Pipeboost to give us better functionality
- similar to what
Apache users have enjoyed with
mod_gzip. Don't waste your bandwidth - even Google encodes its content, and their pages are tiny.
Tip 4: Cache your content
While I'm on the topic of improving performance, remember to make your site
cache friendly. You can set expiration headers for different files or
directories right from the MMC. Just right click on an item via the IIS MMC,
flip to the "HTTP Headers" tab, and away you go. If you want to set cache
control headers programmatically - or even better, let your site developers do
it - use something like
CacheRight. If you want to go further and add reverse
proxy caching, particularly for generated content, use a product like
XCache -
which also throws in compression.
It might involve more time and expense to take full advantage of caching, but
when you watch your logs shrink because they don't contain tons of pointless 304
responses, and your bandwidth consumption drop like a stone, even while your
total page views increase over the same period, you'll start to understand why
this particular tip was so important. Cache friendly sites are quite rare, but
there is plenty of information available online about the enormous benefits to
be had by doing it right: Check out
Brian Davidson's page, this nifty tutorial
from Mark Nottingham, and
what AOL has to say on the subject.
Tip 3: Tune your server
Tuning IIS is no small topic - whole books and courses are dedicated to it.
But some good basic help is available online, such as this piece from IIS guru
Brett Hill, or this
Knowledge Base article from Microsoft itself. However, if
you don't feel like getting your hands dirty - or can't afford the time and
expense of turning yourself into an expert - take a look at
XTune, from the
makers of XCache. It's performance tuning wizards step you through the process
of tuning your IIS environment, making expert recommendations along the way..
Tip 2: Secure your server with simple fixes
Sure people are going to attack sites, but you don't have to be a sitting
duck if you're willing to make even a small effort. First off, don't advertise
the fact that you are running IIS by showing your HTTP server header. Remove or
replace it using something like
ServerMask - probably the best twenty-five
bucks you'll ever spend. You can go farther than this by removing unnecessary
file extensions to further camouflage your server environment, and scanning
request URLs for signs of exploits. There are number of commercial products that
do user input scanning, and Microsoft offers a free tool called
URLScan which
does the job. URLScan runs in conjunction with
IISLockDown, a standard security
package which should probably be installed on every IIS server on the planet.
These are simple fixes that could pay off big, so do them now.
Tip 1: Patch, patch, patch!
Okay, we in the IIS world do have to patch our systems and make hotfixes.
However, as a former Solaris admin I had to do the same thing there, so I am not
sure why this is a big surprise. You really need to keep up with the patches,
Microsoft is of course the
definitive source, but if you can also use the
highly-regarded www.cert.org. Simply search on "IIS".
Conclusion
Well there you have it: 10 tips for IIS admins to improve their servers. Some
of the tips might become obsolete once IIS 6 is gold, but, for now at least, W2K
and NT IIS admins should apply a few of these today and sleep a little better at
night.
Matt Foley is a former Solaris sysadmin who was turned to the "darkside" and
is now works for a large southern California hosting and Web agency. He quite
likes Windows now in spite of himself.