As an IIS administrator it sometimes gets downright annoying having to
fend off all the insults from Apache admins I meet claming innate server
superiority. Generally the discussion about Web administration starts
first with all the various security holes plaguing IIS and the negative
press the platform garnered over the last year. Then it invariably moves
to a discussion about how Netcraft and other stats sites show Apache as
the dominant server on the Web, or how a certain big site uses Apache, or
how there are so many cool modules to add to Apache. Pointing out that
scads of non-identified corporate in-house servers run IIS, or that it too
is a free server (since it comes with the operating system), or that there
are in fact plenty of cool add-ons for IIS (including many that provide
source code) -- all this does little to dissuade these server chauvinists
of their opinion. Rather than whining about rude Apache admins, however, I
thought it would be a more useful response simply to write down some of
the ways I've found of improving IIS. So without further delay here are my
top ten tips for making the most of your IIS.
Tip 10: Customize Your Error Pages
Although this is quite simple to do, few people seem to take advantage of
it. Just select the "Custom Errors" tab in MMC and map each error, such as
404, to the appropriate HTML or ASP template. Full details can be found
here. If you want an even easier solution -- or if you want to let
developers handle the mapping without giving them access to the MMC -- use
a product like CustomError.
Tip 9: Dive into the MetaBase
If you think Apache is powerful because it has a config file, then take a
look at the MetaBase. You can do just about anything you want with IIS by
editing the MetaBase. For example, you can create virtual directories and
servers; stop, start and pause Web sites; and create, delete, enable and
Microsoft provides a GUI utility called MetaEdit, somewhat similar to
RegEdit, to help you read from and write to the MetaBase. Download the
latest version here. But to really impress those UNIX admins -- and to
take full advantage of the MetaBase by learning how to manipulate it
programmatically -- you'll want to try out the command-line interface,
officially called the IIS Administration Script Utility. Its short name is
adsutil.vbs and you'll find it in C:\inetpub\adminscripts, or else in
%SystemRoot%\system32\inetsrv\adminsamples, together with a host of other
useful administrative scripts.
A word of caution though: Just like Apache conf files, the MetaBase is
pretty crucial to the functioning of your Web server, so don't ruin it.
Back it up first.
Tip 8: Add spell checking to your URLs
Apache folks always brag about cool little tricks that Apache is capable
of -- especially because of the wealth of modules that can extend the
server's basic functionality. One of the coolest of these is the ability
to fix URL typos using a module called mod_speling. Well, thanks to the
folks at Port80 Software, it now appears that IIS admins can do this trick
too, using an ISAPI filter called URLSpellCheck. You can check it out
right on their site, by trying URLs like www.urlspellcheck.com/fak.htm,
www.urlspellcheck.com/faq1.htm -- or any other simple typo you care to
Tip 7: Rewrite your URLs
Cleaning your URLs has all sorts of benefits -- it can improve the
security of your site, ease migration woes, and provide an extra layer of
abstraction to your Web applications. Moving from a ColdFusion to an ASP
based site, for example, is no big deal if you can remap the URLs. Apache
users have long bragged about the huge power of mod_rewrite -- the
standard Apache module for URL rewriting. Well, there are now literally a
dozen versions of this type of product for IIS -- many of them quite a bit
easier to use than mod_rewrite, which tends to presume familiarity with
regular _expression arcana. Check out, for example, IIS ReWrite or ISAPI
ReWrite. So brag no more, Apache partisans.
Tip 6: Add browser detection
There are a lot of ways to build Web sites, but assuming everybody has a
sniff-scripts exist for client-side browser detection, but if you are an
IIS user you can do better with a product called BrowserHawk from CyScape.
The Apache world doesn't really have something comparable to this popular,
mature and well-supported product. Speaking of CyScape, they've recently
added an interesting-looking related product called CountryHawk that helps
with location detection, but so far I haven't had the language- or
location-sensitive content to warrant trying it out.
Tip 5: Gzip site content
Browsers can handle Gzipped and deflated content and decompress it on the
fly. While IIS 5 had a gzip feature built-in, it is pretty much broken.
Enter products like Pipeboost to give us better functionality -- similar
to what Apache users have enjoyed with mod_gzip. Don't waste your
bandwidth -- even Google encodes its content, and their pages are tiny.
Tip 4: Cache your content
While I'm on the topic of improving performance, remember to make your
site cache friendly. You can set expiration headers for different files or
directories right from the MMC. Just right click on an item via the IIS
MMC, flip to the "HTTP Headers" tab, and away you go. If you want to set
cache control headers programmatically -- or even better, let your site
developers do it -- use something like CacheRight. If you want to go
further and add reverse proxy caching, particularly for generated content,
use a product like XCache -- which also throws in compression.
It might involve more time and expense to take full advantage of caching,
but when you watch your logs shrink because they don't contain tons of
pointless 304 responses, and your bandwidth consumption drop like a stone,
even while your total page views increase over the same period, you'll
start to understand why this particular tip was so important. Cache
friendly sites are quite rare, but there is plenty of information
available online about the enormous benefits to be had by doing it right:
Check out Brian Davidson's page, this nifty tutorial from Mark Nottingham,
and what AOL has to say on the subject.
Tip 3: Tune your server
Tuning IIS is no small topic -- whole books and courses are dedicated to
it. But some good basic help is available online, such as this piece from
IIS guru Brett Hill, or this Knowledge Base article from Microsoft itself.
However, if you don't feel like getting your hands dirty -- or can't
afford the time and expense of turning yourself into an expert -- take a
look at XTune, from the makers of XCache. It's performance tuning wizards
step you through the process of tuning your IIS environment, making expert
recommendations along the way.
Tip 2: Secure your server with simple fixes
Sure people are going to attack sites, but you don't have to be a sitting
duck if you're willing to make even a small effort. First off, don't
advertise the fact that you are running IIS by showing your HTTP server
header. Remove or replace it using something like ServerMask -- probably
the best twenty-five bucks you'll ever spend. You can go farther than this
by removing unnecessary file extensions to further camouflage your server
environment, and scanning request URLs for signs of exploits. There are
number of commercial products that do user input scanning, and Microsoft
offers a free tool called URLScan which does the job. URLScan runs in
conjunction with IISLockDown, a standard security package which should
probably be installed on every IIS server on the planet. These are simple
fixes that could pay off big, so do them now.
Tip 1: Patch, patch, patch!
Okay, we in the IIS world do have to patch our systems and make hotfixes.
However, as a former Solaris admin I had to do the same thing there, so I
am not sure why this is a big surprise. You really need to keep up with
the patches, Microsoft is of course the definitive source, but if you want you
can also use the highly-regarded www.cert.org. Simply search on "IIS".
Well there you have it: 10 tips for IIS admins to improve their servers.
Some of the tips might become obsolete once IIS 6 is gold, but, for now at
least, W2K and NT IIS admins should apply a few of these today and sleep a
little better at night.
About the Author
Matt Foley is a former Solaris sysadmin who was turned to the "darkside"
and is now works for a large southern California hosting and Web agency.
He quite likes Windows now in spite of himself.