Skip navigation

IIS 7.0 is slim, trim, and more secure.

I recently had the pleasure of attending an event at Microsoft’s Redmond campus on IIS 7.0, the next version of Microsoft’s Web server platform. I got to play with the not-yet-released product, and I’m excited about some of its new features. Among other things, Microsoft is replacing the IIS Metabase with XML configuration files for sites and individual Web applications and is making all of IIS modular to improve both security and the memory footprint.


The experienced IIS administrator is probably thinking “but the Metabase is an XML file.” You’re right, but metabase.xml is complicated and unintuitive. IIS 7.0 will use a simplified XML file that gives you site-wide control. Each Web application can also have its own configuration file that overrides site-wide settings where allowed. Because the application and its configuration file reside in the same folder, when you move an application between Web servers its configuration settings can easily move with it. This feature is similar to .htaccess files in the popular open-source Apache Web server.


Most of IIS 6.0's features reside in a single DLL file, so even if you disable a feature, the code for that feature is still in memory. IIS 7.0 will include many DLL files for different features. You can enable and disable features such as the Common Gateway Interface (CGI), directory listing, or even serving static content in the XML configuration files or the GUI. You can even delete DLL files that you don’t use; then if a security vulnerability is discovered in one of those modules, the vulnerable code won’t be in memory, or even be on your hard disk.


Disabling modules also reduces the memory footprint of w3wp.exe, the IIS worker process. I tested this by using Task Manager to check the memory usage of w3wp.exe and by using ListDLLs (a handy tool from Sysinternals) to list the DLLs loaded by w3wp.exe. Because the code I tried was alpha and not yet available to the public, Microsoft asked me not to post the output of ListDLL. I can report that disabling modules allowed me to reduce the number of DLLs w3wp.exe loaded from 72 to 25 and reduced the memory usage of the process from 7996KB to 4644KB. Memory-usage reduction in the final release might be even more dramatic. Modules in IIS 7.0 are also reminiscent of an Apache’s modular design.


Microsoft hasn’t yet announced whether IIS 7.0 will be included with a service pack for Windows Server 2003 or only with Windows 2003 R2. Either way, it will give Apache administrators a few less things to brag about.


-- Adam Carheden

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.