Does IIS offer the performance and scalability I need?
Is IIS as secure as Apache?
Is IIS harder to manage than Apache?
Is IIS as reliable as Apache?
Is IIS really as modular as Apache?
Apache is an innovative platform. What about IIS?
Troubleshooting Web applications can be complicated. What does IIS offer to simplify troubleshooting?
I depend on a wide variety of Web architectures. Can I run them on IIS?
Yes, PHP applications can run on IIS, but is it really a good idea?
Will IIS be more expensive than Apache?
IIS 7.0 Resources
Comparing IIS and Apache: Questions and Answers
In this paper, we examine Internet Information Server (IIS) from the perspective of an administrator familiar with the Apache HTTP Server. Apache administrators have many questions as to whether IIS can perform as well as Apache: Can it handle the same workloads and the same throughput? Can it provide the same reliability? Can it do all these things with high security? We seek to answer these questions by providing examples from real users who have run these products in mission-critical operations.
Understanding IIS and Apache
While both Apache and IIS service HTTP requests, each Web server has its own architecture, built-in features, and common add-ons. Though developed independently, both Web servers provide many of the same features, through either built-in functionality or add-on modules. Both servers support the following functions:
First released in 1995, the Apache HTTP Server is a free open-source Web server developed under the governance of the Apache Software Foundation. The Apache 2.0 license permits bundling with commercial software and does not require derivative works to be open source.
A variety of developers make code contributions to the project, including members of the Apache Software Foundation, developers who are allowed or instructed to work on Apache by their corporate employers, and even individuals contributing to Apache on their own time. Companies that use Apache range from start-ups to long-established large enterprises. Apache is used for intranets and public facing Web sites.
Apache is a key component in what’s known as the “LAMP” stack, which comprises the Linux operating system; the Apache Web server; the MySQL database; and either PHP, Perl, or Python programming language. While people often perceive Apache as a Linux Web server, it also runs on Windows.
Internet Information Server 6.0
With Windows Server 2003, Microsoft introduced Internet Information Server (IIS) 6.0, which has proven to be a very secure Web server, with only four vulnerabilities reported since its release in 2003. IIS security results from Microsoft investing in the Security Development Lifecycle, an end-to-end approach to security that typically reduces both the total number and the severity of vulnerabilities in software built using that methodology.[i] This isn’t to say that Apache is not secure, as high-profile and widely available Web sites wouldn’t use it if they thought it were insecure, but simply to point out that IIS 6.0 was designed with security in mind and has a great security track record.
IIS 6.0 included a number of features that made it a good fit for corporations, and enabled hosting providers to offer Windows Server 2003 and IIS 6.0-based solutions. It introduced application pools to prevent one misbehaving site from taking other sites down and it also included health monitoring that allowed administrators to configure sites for automatic restart on failure. IIS 6.0 enhanced management by moving to a single, XML-based configuration file (the “metabase”) and by supporting more operations through a command-line interface. IIS 6.0 used resources more efficiently, thus increasing the performance of individual sites and allowing each server to host a greater number of sites.
Internet Information Services 7.0
The latest version of IIS, version 7.0, is included in Windows Server 2008. It builds on the foundation of IIS 6.0 and introduces a number of new features. One of the most important changes is that IIS 7.0 has a fully modular architecture. This feature lets users install or uninstall discrete pieces of functionality and also gives users the ability to leverage new modules from Microsoft and from the Web development community at large.[ii]
IIS 7.0 enhances administration by replacing the metabase with distributed XML-based configuration files (similar to Apache) allowing users to port their Web server settings simply by copying the configuration file to another server. Users can even put the configuration file on a network share and then point all the servers in their Web farm at it, to ensure identical configuration and a centralized location for changes. The IIS 7.0 hierarchical configuration model allows the administrator to delegate which settings can be changed by site owners.
Other IIS 7.0 enhancements include the following:
Updated graphical administrative tool that simplifies administration when managing many sites, and reduces the time required for common administrative tasks
Firewall-friendly Remote Administration of IIS sites via HTTPS
Dynamic and static caching improvements for faster response time for PHP or ASP.NET applications.
Support for fine-grained, secure delegation of administration functions to other administrators or non-administrators who work with IIS servers.
Command-line tool (appcmd).
Granular tracing of requests, which speeds troubleshooting.
Greatly improved application hosting for FastCGI compliant applications, with many popular PHP applications tested and documented on IIS.
Administrators who are accustomed to working with Apache ask many of the following questions as they evaluate IIS:
Does IIS offer the performance and scalability I need?
IIS has proven its ability to handle the scalability and performance requirements of high-traffic sites. Both Apache and IIS 7.0 allow administrators to optimize performance and scalability with bandwidth throttling, compression, and some load balancing. Static and dynamic compression are built into IIS 7.0 in order to use bandwidth efficiently. IIS 7.0 also supports bandwidth throttling, while Windows Server 2008 includes full-featured network load balancing.[iii]
Apache administrators are accustomed to installing Apache on a trimmed-down server installation. Microsoft provides a similar platform for IIS with the “Server Core” installation option. This option means that the operating system is using the fewest resources possible, which makes more resources available to handle the Web workload and ensures that fewer components are installed, requiring less management and maintenance. The modular nature of IIS also helps improve performance, allowing administrators to enable only the modules they need, resulting in a faster processing pipeline.
Caching often provides the biggest performance improvement for Web sites, and IIS provides built-in output caching and object caching that can automatically detect when the underlying database has changed. Apache administrators will find that these IIS 7.0 features are similar in functionality to the caching modules that they typically use with Apache.
The performance and scalability of IIS are proven by some of the most highly trafficked Web sites. For example, Match.com runs IIS to process its 30 million daily page views.[iv] In 2004, PlentyOfFish.com used one IIS 6.0 server running at 65 percent of capacity to handle 31 million daily page views from 40,000–50,000 concurrent users[v]; the site currently handles 1.2 billion page views per month. MySpace.com runs IIS to handle the whopping 23 billion page views it gets every month.[vi]
Is IIS as secure as Apache?
Microsoft developed Windows Server 2003 and Windows Server 2008 under its Security Development Lifecycle (SDL), which uses education, quality gates, threat modeling, attack surface reduction, static analysis, fuzz and penetration testing, and a final security review to ensure that products are as secure as possible. In addition, the Microsoft Security Response Center engages with external security researchers and is even involved in the security community through its participation in, for example, the Black Hat conference. These efforts have resulted in a substantial reduction in vulnerabilities across the Microsoft product suite, with particularly steep reductions in OS, Web server, and database vulnerabilities. The modular nature of IIS 7.0 further reduces the risk of exploitable flaws, as most modules are not installed by default to keep the attack surface small.
In addition to having fewer vulnerabilities, IIS includes a number of new security features. For example, IIS 7.0 isolates each Web site into its own “sandbox” to help prevent single-site exploits and failures from compromising other sites or the entire server. The IIS process, which executes requests from the Web, runs as a restricted user account by default and does not require administrative privileges. To further protect the Web server, IIS 7.0 includes request filtering. Request filtering is a rules-based security module that inspects every incoming request for malicious request patterns, such as SQL injection attacks. This prevents some malicious requests from ever reaching the core Web server.
Finally, IIS is deeply integrated with Windows Server 2008, which can be installed using the Server Core installation option. In this mode, the server has no graphical user interface, and the removal of many components reduces the surface area and patching requirements of the operating system. According to Michael Leefers, systems administrator at the Information Services and Technology Division at the University of California, Berkeley, “with Server Core, we saw a way to reduce a server’s vulnerability to attack, but also its need for patches and our administrative overhead associated with patch monitoring and installation.”[vii]
IIS is both a secure product and one with important security features. Because Microsoft developed IIS 6.0 and IIS 7.0 under the SDL, the Web server continues to enjoy low vulnerability counts. IIS provides the same functionality as Apache’s authentication, access control, and SSL modules. Plus, IIS makes these features easy to use and configure.
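The request filtering module described above is driven by rules in the `<requestFiltering>` configuration section. The following site-level `web.config` is an added example, not taken from this white paper; every limit, verb, extension, and segment in it is an illustrative assumption.

```xml
<!-- Added example: request filtering rules for a single site (web.config).
     All values below are assumptions chosen for illustration. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Reject URLs that are still encoded after one decoding pass (404.11). -->
      <requestFiltering allowDoubleEscaping="false">
        <!-- Size limits in bytes: body (404.13), URL (404.14), query string (404.15). -->
        <requestLimits maxAllowedContentLength="1048576"
                       maxUrl="2048"
                       maxQueryString="1024" />
        <!-- Allow-list of HTTP verbs; any other verb is rejected (404.6). -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- File types that are never served, even if present on disk (404.7). -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".inc" allowed="false" />
          <add fileExtension=".sql" allowed="false" />
        </fileExtensions>
        <!-- URL substrings that are always rejected (404.5). -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>
        <!-- Path segments that cannot be requested directly (404.8). -->
        <hiddenSegments>
          <add segment="includes" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Each rejection is logged with the HTTP 404 substatus noted in the comments, so the `sc-substatus` field of the IIS log shows which rule blocked a request.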
Is IIS harder to manage than Apache?
IIS offers administrators a relatively easy-to-use graphical user interface that can manage local and remote Web servers. IIS 7 also provides command line tools to manage the server and hosted applications. Earlier versions of IIS stored configuration information in a binary database format, but starting with IIS 6.0, the Web server began storing information in a text file. Now, with IIS 7.0, that text file is portable between machines with different machine names, thus allowing administrators simply to copy the configuration file to different Web servers to ensure that they are configured identically. Administrators can also place the configuration file on a network share, where multiple Web servers can read it.
Fortune 500 companies and high-volume Web hosts report that the management interface of IIS 7.0 meets their management needs. As Ben May, senior systems engineer at Dell, reports, “Windows Server 2008 and IIS 7.0 are absolutely cornerstone to how all this would work. We will no longer have to touch individual machines; we’ll have a cloud of servers that we can direct in an automated way.”[viii]
Jeff McGeath, CTO of Accent on Integration, explains, “With IIS 7.0 we have one centralized hosting environment so we can do single-point deployment and manage the services much more effectively. This is something we simply couldn’t do before.”[ix]
Hosters also find IIS 7.0 easy to manage. As Dominic Foster, lead engineer for MaximumASP, explains, “Before, we had to have a programmer to create batch files and automate processes. But with IIS 7.0, anyone can do it, which makes management faster and easier.”[x]
Mike Graves, senior Windows system administrator for Adhost, says, “With Windows Server 2008 and the Shared Configuration feature of IIS 7.0, we can go from a bare-bones box to a running Web server in about one hour—a four-hour savings over Windows Server 2003. Site setup can be done in about a quarter of the time—10 minutes to activate a site via script, versus 40 minutes. And we’re expecting to cut our webmaster and administration time in half as well.”[xi]
Apache focuses on management primarily through manual editing of configuration files or using command-line routines. Apache users will be happy to know that IIS supports these techniques, too. IIS supports modification to the configuration files while the server is running, after which the server will automatically pick up the changes without requiring a server restart. The combination of administrative graphical user interfaces for local and remote administration, configuration text files, full-featured command-lines, and scriptable APIs ensures that administrators can choose the most productive method to perform a given administrative task.
Is IIS as reliable as Apache?
Users of IIS report that it is a stable and reliable Web server. Like Apache, IIS has a number of features to help ensure reliable and available operation.
Apache administrators are familiar with using open-source projects like monit to restart Apache based on failed requests, CPU usage, or other factors. IIS also enables administrators to restart the process based on simple configuration options. IIS can monitor and recycle the process based on an apparent crash, elapsed time, total number of requests, amount of memory usage, or other factors. A controlled IIS process “recycle” should not result in any dropped requests.
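The recycling and health-monitoring triggers listed above map to attributes of an application pool in `applicationHost.config`. The fragment below is an added example, not taken from this white paper; the pool name, site name, path, host name, and thresholds are assumptions.

```xml
<!-- Added example: one site in its own application pool (applicationHost.config).
     Names, paths and thresholds are assumptions chosen for illustration. -->
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="ExampleSitePool">
        <!-- Worker process runs as a restricted built-in account, not an administrator.
             The ping settings detect a hung worker process. -->
        <processModel identityType="NetworkService"
                      pingingEnabled="true"
                      pingInterval="00:00:30"
                      pingResponseTime="00:01:30" />
        <!-- Overlapped recycle: the replacement process starts before the old
             one stops, which is why a controlled recycle drops no requests. -->
        <recycling disallowOverlappingRotation="false"
                   logEventOnRecycle="Time, Requests, PrivateMemory">
          <!-- Recycle after 29 hours, 500,000 requests, or 1 GB of private
               memory (privateMemory is expressed in KB). -->
          <periodicRestart time="1.05:00:00"
                           requests="500000"
                           privateMemory="1048576" />
        </recycling>
        <!-- Stop restarting a pool that crashes 5 times within 5 minutes. -->
        <failure rapidFailProtection="true"
                 rapidFailProtectionInterval="00:05:00"
                 rapidFailProtectionMaxCrashes="5" />
      </add>
    </applicationPools>
    <sites>
      <site name="ExampleSite" id="2">
        <!-- Binding the site to its own pool is what isolates it from other sites. -->
        <application path="/" applicationPool="ExampleSitePool">
          <virtualDirectory path="/" physicalPath="C:\inetpub\examplesite" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:www.example.test" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
```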
Fifty-six percent of Fortune 1000 companies already depend on IIS 6 or 7. Mike Graves of AdHost provides his experience with IIS7, explaining, “In terms of stability, we’ve been running Windows Server 2008 for two months now, and have been monitoring it every three minutes from five different Web servers. So far we haven’t seen even a flicker of downtime.”
Is IIS really as modular as Apache?
Yes. IIS has been re-architected to be extremely modular. Microsoft ships 40 modules with IIS 7.0, with “extensions” to IIS available from Microsoft and the developer community.
Like Apache, IIS now uses modules for core functionality, and by default, only 10 modules are installed. These modules provide:[xii]
Common HTTP features, including static content, default document, directory browsing, and HTTP errors
Health and diagnostics features such as HTTP logging and request monitoring
Security features such as request filtering
Performance features such as static content compression
Management tools, including the IIS Management Console
Windows Process Activation Service to start the Worker Process on the first request
Additional modules are included to provide functionality for authentication, authorization, compression, application frameworks (such as CGI and the .NET Framework), health monitoring, diagnostics, and logging.
Since the release of IIS 7.0, Microsoft has developed new modules for bit-rate throttling and URL rewriting, the latter providing functionality similar to the mod_rewrite module available for Apache. Outside of Microsoft, modules are available from software vendors, and open-source modules can be found on CodePlex.com.[xiii]
As James Hanauer, a senior software engineer at ServiceU, explains, “The modular architecture of IIS 7.0 and its integration with the newest version of the Microsoft .NET Framework contribute to increased Web server performance. These same characteristics provide a customizable platform where specialized server components such as authentication and logging can be extended or replaced.”[xiv]
Rich Korb, assistant manager of Data Center Operations for WeatherBug, says, “We really like the ability to pick which components of IIS 7.0 we need—whether it’s using the integrated mode to run ASP.NET applications, using the classic pipeline to run ASP.NET through the ISAPI filter, or just running a streamlined HTTP Web server.”
Apache is an innovative platform. What about IIS?
You can expect Microsoft, the ISV ecosystem, and the open-source developer community to continue to innovate with IIS to meet future hosting provider, developer and corporate needs. The modular architecture of IIS 7.0 ensures that important innovation can happen even outside of Microsoft, and Microsoft continues to listen to customers and partners alike.
IIS 7.0 includes a number of important innovations. It is fully scriptable and able to operate with no GUI. Microsoft also enhanced IIS 7.0 by allowing it to run FastCGI applications, such as PHP, very effectively.
To Apache administrators, these innovations may seem to imply that IIS is only catching up to Apache, but in reality, IIS has its own set of unique innovations. In addition to its new GUI administrative interface, IIS 7.0 includes many performance enhancements that permit it to host more sites and handle more traffic on the same hardware. Windows Process Activation Service can start up the Worker Process on the first HTTP request. IIS includes application pools and sandboxing to let you control reliability and isolation on a per-site basis. IIS supports editing of configuration files while the server is live, and automatically applies the changes. IIS also includes robust static and dynamic output caching, as well as object caching for back-end data.
Microsoft continues to evolve IIS to meet the needs of a diverse audience that includes companies hosting their own sites, sites hosted through co-location that require remote management, and hosters that service hundreds or thousands of customers.
According to hosting company eLinia, “Microsoft really listened to the hosting community when it developed Windows Server 2008. The changes in Internet Information Services 7.0 mean that we can tailor the system to do exactly what we want.”[xv]
Craig Tadlock, chief systems architect for Spot Runner, says, “IIS 7.0 is a more feature-rich platform than previous Web servers. IIS 7.0 reduces the amount of foundational technology, such as logging and auditing, that we need to develop on our own and thereby simplifies our services and, ultimately, our systems.”
Troubleshooting Web applications can be complicated. What does IIS offer to simplify troubleshooting?
Apache records errors in a log file that includes information from the Apache HTTP server and additional information from the relevant modules. Apache also lets users control the amount of information logged, ranging from emergency issues only to verbose debugging information. If users need additional information, they can add such things as mod_log_forensic to capture entire requests.
IIS also logs errors, and Microsoft has focused on ensuring that IIS error messages are understandable and useful. IIS defaults to providing verbose error information on the localhost and a more generic message to remote users to ensure that security information is not remotely disclosed. Error information often includes suggested causes and solutions. IIS also provides Failed Request Tracing, which lets users capture entire requests. Failed Request Tracing lets you set the number of log files to keep, which URLs should be traced, and which response codes should generate a trace. Users can even specify that requests for certain URLs be captured only if those requests take over a certain amount of time to process.[xvi]
Dawn Getteau, systems architect at Continental Airlines, explains, “The troubleshooting features in IIS 7.0 have been enhanced by leaps and bounds. At the end of the day, what matters to us and our users is not just how well our IIS applications run, but also how fast we can troubleshoot them if they go down.”[xvii]
Hostbasket’s Van Pottelberghe says, “There’s nothing cryptic about it. If something goes wrong, we track it, repair it, and quickly finish the configuration.”[xviii]
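The error-detail default and the Failed Request Tracing options described above correspond to the configuration below. It is an added example, not taken from this white paper; the site name, log directory, URL patterns, and thresholds are assumptions.

```xml
<!-- Added example: error detail and Failed Request Tracing for one site
     (applicationHost.config). All names and thresholds are assumptions. -->
<configuration>
  <system.applicationHost>
    <sites>
      <site name="ExampleSite" id="2">
        <!-- Turn tracing on for the site and cap the number of trace files kept. -->
        <traceFailedRequestsLogging enabled="true"
            directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles"
            maxLogFiles="50" />
      </site>
    </sites>
  </system.applicationHost>
  <location path="ExampleSite">
    <system.webServer>
      <!-- Detailed errors for requests from the server itself,
           generic errors for remote clients. -->
      <httpErrors errorMode="DetailedLocalOnly" />
      <tracing>
        <traceFailedRequests>
          <!-- Rule 1: trace any PHP request that ends in a 5xx response. -->
          <add path="*.php">
            <traceAreas>
              <add provider="WWW Server"
                   areas="Authentication,Security,Filter,RequestNotifications,Module"
                   verbosity="Verbose" />
            </traceAreas>
            <failureDefinitions statusCodes="500-599" />
          </add>
          <!-- Rule 2: trace one page only when it takes longer than 10 seconds. -->
          <add path="search.aspx">
            <traceAreas>
              <add provider="WWW Server"
                   areas="RequestNotifications,Module"
                   verbosity="Warning" />
            </traceAreas>
            <failureDefinitions timeTaken="00:00:10" />
          </add>
        </traceFailedRequests>
      </tracing>
    </system.webServer>
  </location>
</configuration>
```

Trace files record request headers along with module events, so the log directory should be readable only by administrators.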
Gregory Storme, systems engineer of COMBELL, comments, “Before, when a client’s Web site wasn’t performing well, the old debugging tools provided a lot of output. With 500 Web sites running, it was nearly impossible to find the relevant error information. Failed Request Tracing in IIS 7.0 makes it a lot easier to see just the requests that we’re interested in, with the status codes and other details that we need to debug the site or the application.”
I depend on a wide variety of Web architectures. Can I run them on IIS?
IIS provides more application choice. This may seem counterintuitive, as there are innumerable open-source Web projects such as blogs, forums, customer relationship management (CRM) systems, content management systems (CMS), and wikis. But many of these popular Web applications run on IIS and Apache. Microsoft has provided simple step-by-step instructions for running Drupal, LimeSurvey, phplist, Coppermine, Gallery2, Mambo, WordPress, XOOPS, MediaWiki, and other popular applications on IIS.[xix] SpikeSource offers simple installers for phpBB, WebCalendar, Moodle, and Mantis on IIS.[xx] SugarCRM, Alfresco, JBoss, and many other corporate-backed open-source projects are also supported on IIS.
In addition, there are a number of popular Web applications—including SharePoint, and Outlook Web Access—that run on IIS only. This lets you consolidate your Web sites onto fewer servers. For example, IIS permits you to host WordPress and SharePoint on the same machine, which is exactly what Web hoster CrystalTech does. Jon Thompson, CrystalTech’s server operations manager, explains, “We can work with whatever our customers want to write. They have access to ASP, ASP.NET, PHP, and Perl as well.”
Yes, PHP applications can run on IIS, but is it really a good idea?
Microsoft invested heavily in FastCGI and Windows Server 2008 to ensure that PHP and other CGI frameworks would run as first-class citizens on Windows.
In addition to providing the basic infrastructure for running PHP applications, IIS-specific features are also available for those workloads. For example, you can use IIS authentication mechanisms such as NTLM that integrate with Active Directory. You can use the SQL Server driver for PHP. In addition, PHP applications get the benefit of IIS application pools and sandboxing. PHP also benefits from the performance that IIS Kernel Mode Caching offers.[xxi] PHP and ASP.NET can be combined for quick development by leveraging certain functionality that ASP.NET provides out of the box, such as Forms Authentication.[xxii] Users can apply the exact same modules, such as URL Rewriter, across PHP and ASP.NET sites. By running PHP on Windows, you’re able to use the same management tools to monitor your PHP workloads that you use to monitor your Windows workloads.
Companies such as COMBELL are providing their customers the capability of running PHP on Windows and today are seeing the results. As Frederik Poelman, technical director of COMBELL, explains, “In the past, if customers asked for PHP hosting, we offered them Linux; if they asked for ASP or ASP.NET hosting, we offered Windows Server. Now we have a bunch of test customers running PHP on IIS 7.0, and it is working very well for them. The more customer requirements we can support with one operating system, the more experts we can have developing new solutions on that operating system.”[xxiii]
Will IIS be more expensive than Apache?
If you do your own cost comparisons, you’ll likely find that the total cost of IIS on Windows is the same or less than Apache on Linux.
Apache may be free software, but users should keep in mind that up-front cost is not the only type of price to be paid. Software vendors often market against free software by talking about the total cost of ownership (TCO). Even though TCO has become a widely used marketing term, certain commonsense TCO concepts apply from an administrator’s perspective.
For example, although Apache is free, it does not come with support. Organizations deal with this lack of support in two ways. One method involves paying for support through a Linux subscription such as Red Hat Enterprise Linux or Novell SUSE Linux Enterprise.
But some organizations quickly find that the costs of Linux support subscriptions are comparable to, or even more expensive than, Windows licensing.[xxiv] These companies can turn to the second method: supporting Apache with internal expertise. This means that organizations have to hire highly skilled experts in order to run mission-critical applications on Apache—in some regions these experts are hard to find. In contrast, Windows expertise is relatively common.
Some organizations may also find that administrative tasks can be performed more quickly on IIS. Since software acquisition is 7 percent of TCO, while staffing is 60 percent, staff costs can quickly outweigh acquisition costs.[xxv]
Consider one case study: “At aruba.it, Italy’s largest hosting service provider, Microsoft found that the TCO of its existing Windows-based shared hosted services was 16 percent lower than the TCO of its Linux-based offerings. Moreover, the contribution margin from the Windows-based services was 14 percent higher than the contribution margin from the analogous Linux-based services. Finally, the profit margin for Windows was 81 percent compared to 77 percent for Linux.”[xxvi]
It is apparent that Apache is a capable Web server. Over the past years Microsoft has invested heavily in the development of IIS, which has proven to be not only as capable as Apache, but also able to host a greater variety of applications such as SharePoint, Outlook Web Access, and ASP.NET sites. IIS also hosts popular PHP applications, such as WordPress, Drupal, phpBB, and MediaWiki. In addition to being highly secure and reliable, IIS is easy to manage through administrative GUIs and scripts. It runs many Web sites that have extremely high performance and availability requirements.
The benefits of a modular architecture are self-evident to Apache administrators—and IIS now shares this type of architecture. IIS 7.0 includes 40 modules that are fully supported by Microsoft, giving administrators one company to hold responsible for problem resolution.
Starting with IIS 6.0 and continuing with IIS 7.0, Microsoft has invested in improving the reliability and fault tolerance of its Web server. IIS 6.0 introduced application pools that allow users to make isolation decisions on a per-site basis; IIS 7.0 extends this capability with sandboxing, which provides many of the isolation benefits of separate processes but without the overhead. In addition, IIS 7.0 provides great diagnostics with Failed Request Tracing, a feature that makes it easy to get to the bottom of problems.
To evaluate IIS and determine if it’s right for your workloads, visit learn.iis.net.