Comparing IIS and Apache: Questions and Answers

Published: March 2009

Contents

Comparing IIS and Apache: Questions and Answers 1

Understanding IIS and Apache 2

Apache HTTP Server 2

Internet Information Server 6.0 2

Internet Information Services 7.0 3

Common Questions from Apache Administrators 4

Does IIS offer the performance and scalability I need? 4

Is IIS as secure as Apache? 4

Is IIS harder to manage than Apache? 5

Is IIS as reliable as Apache? 5

Is IIS really as modular as Apache? 6

Apache is an innovative platform. What about IIS? 6

Troubleshooting Web applications can be complicated. What does IIS offer to simplify troubleshooting? 7

I depend on a wide variety of Web architectures. Can I run them on IIS? 8

Yes, PHP applications can run on IIS, but is it really a good idea? 8

Will IIS be more expensive than Apache? 8

Conclusions 10

IIS 7.0 Resources 11

Comparing IIS and Apache: Questions and Answers

In this paper, we examine Internet Information Server (IIS) from the perspective of an administrator familiar with the Apache HTTP Server. Apache administrators have many questions as to whether IIS can perform as well as Apache: Can it handle the same workloads and the same throughput? Can it provide the same reliability? Can it do all these things with high security? We seek to answer these questions by providing examples from real users who have run these products in mission-critical operations.

Understanding IIS and Apache

While both Apache and IIS service HTTP requests, each Web server has its own architecture, built-in features, and common add-ons. Though developed independently, both Web servers provide many of the same features, through either built-in functionality or add-on modules. Both servers support the following functions:

· HTTP request processing

· Authentication

· Access control

· Encryption (SSL)

· Caching

· Web site isolation

· Bandwidth throttling

· Load balancing

· Web frameworks and middleware

· Configuration files and management APIs

· Modular architecture

Apache HTTP Server

First released in 1995, the Apache HTTP Server is a free open-source Web server developed under the governance of the Apache Software Foundation. The Apache 2.0 license permits bundling with commercial software and does not require derivative works to be open source.

A variety of developers make code contributions to the project, including members of the Apache Software Foundation, developers who are allowed or instructed to work on Apache by their corporate employers, and even individuals contributing to Apache on their own time. Companies that use Apache range from start-ups to long-established large enterprises. Apache is used for intranets and public facing Web sites.

Apache is a key component in what’s known as the “LAMP” stack, which comprises the Linux operating system; the Apache Web server; the MySQL database; and either PHP, Perl, or Python programming language. While people often perceive Apache as a Linux Web server, it also runs on Windows.

Internet Information Server 6.0

With Windows Server 2003, Microsoft introduced Internet Information Server (IIS) 6.0, which has proven to be a very secure Web server, with only four vulnerabilities reported since its release in 2003. IIS security results from Microsoft investing in the Security Development Lifecycle, an end-to-end approach to security that typically reduces both the total number and the severity of vulnerabilities in software built using that methodology.[i] This isn’t to say that Apache is not secure, as high-profile and widely available Web sites wouldn’t use it if they thought it were, but simply to point out that IIS 6.0 was designed with security in mind, and has a great security track record.

IIS 6.0 included a number of features that made it a good fit for corporations, and enabled hosting providers to offer Windows Server 2003 and IIS 6.0-based solutions. It introduced application pools to prevent one misbehaving site from taking other sites down and it also included health monitoring that allowed administrators to configure sites for automatic restart on failure. IIS 6.0 enhanced management by moving to a single, XML-based configuration file (the “metabase”) and by supporting more operations through a command-line interface. IIS 6.0 used resources more efficiently, thus increasing the performance of individual sites and allowing each server to host a greater number of sites.

Internet Information Services 7.0

The latest version of IIS, version 7.0, is included in Windows Server 2008. It builds on the foundation of IIS 6.0 and introduces a number of new features. One of the most important changes is that IIS 7.0 has a fully modular architecture. This feature lets users install or uninstall discrete pieces of functionality and also gives users the ability to leverage new modules from Microsoft and from the Web development community at large.[ii]

IIS 7.0 enhances administration by replacing the metabase with distributed XML-based configuration files (similar to Apache) allowing users to port their Web server settings simply by copying the configuration file to another server. Users can even put the configuration file on a network share and then point all the servers in their Web farm at it, to ensure identical configuration and a centralized location for changes. The IIS 7.0 hierarchical configuration model allows the administrator to delegate which settings can be changed by site owners.

Other IIS 7.0 enhancements include the following:

· Updated graphical administrative tool that simplifies administration when managing many sites, and reduces the time required for common administrative tasks

· Firewall-friendly Remote Administration of IIS sites via HTTPS

· Dynamic and static caching improvements for faster response time for PHP or ASP.NET applications.

· Support for fine-grained, secure delegation of administration functions to other administrators or non-administrators who work with IIS servers.

· Command-line tool (appcmd).

· Granular tracing of requests, which speeds troubleshooting.

· Greatly improved application hosting for FastCGI compliant applications, with many popular PHP applications tested and documented on IIS.

· Total extensibility of the IIS run-time engine, the IIS configuration system and the IIS Administration tool.

Common Questions from Apache Administrators

Administrators who are accustomed to working with Apache ask many of the following questions as they evaluate IIS:

Does IIS offer the performance and scalability I need?

IIS has proven its ability to handle the scalability and performance requirements of high-traffic sites. Both Apache and IIS 7.0 allow administrators to optimize performance and scalability with bandwidth throttling, compression, and some load balancing. Static and dynamic compressions are built in to IIS 7.0 in order to use bandwidth efficiently. IIS 7.0 also supports bandwidth throttling, while Windows Server 2008 includes full featured network load balancing.[iii]

Apache administrators are accustomed to installing Apache on a trimmed-down server installation. Microsoft provides a similar platform for IIS with the “Server Core” installation option. This option means that the operating system is using the fewest resources possible, which makes more resources available to handle the Web workload and ensures that fewer components are installed, requiring less management and maintenance. The modular nature of IIS also helps improve performance, allowing administrators to enable only the modules they need, resulting in a faster processing pipeline.

Caching often provides the biggest performance improvement for Web sites, and IIS provides built-in output caching and object caching that can automatically detect when the underlying database has changed. Apache administrators will find that these IIS 7.0 features are similar in functionality to the caching modules that they typically use with Apache.

The performance and scalability of IIS are proven by some of the most highly trafficked Web sites. For example, Match.com runs IIS to process its 30 million daily page views.[iv] In 2004, PlentyOfFish.com used one IIS 6.0 server running at 65 percent of capacity to handle 31 million daily page views from 40,000?50,000 concurrent users[v]; the site currently handles 1.2 billion page views per month. MySpace.com runs IIS to handle the whopping 23 billion page views it gets every month.[vi]

Is IIS as secure as Apache?

Microsoft developed Windows Server 2003 and Windows Server 2008 under its Security Development Lifecycle (SDL), which uses education, quality gates, threat modeling, attack surface reduction, static analysis, fuzz and penetration testing, and a final security review to ensure that products are as secure as possible. In addition, the Microsoft Security Response Center engages with external security researchers and is even involved in the security community through its participation in, for example, the Black Hat conference. These efforts have resulted in a substantial reduction in vulnerabilities across the Microsoft product suite, with particularly steep reductions in OS, Web server, and database vulnerabilities. The modular nature of IIS 7.0 further reduces the risk of exploitable flaws, as most modules are not installed by default to keep the attack surface small.

In addition to having fewer vulnerabilities, IIS includes a number of new security features. For example, IIS 7.0 isolates each Web site into its own “sandbox” to help prevent single-site exploits and failures from compromising other sites or the entire server. The IIS process, which executes requests from the web, run as a restricted user account by default, and does not require administrative privileges. To further protect the Web server, IIS 7.0 includes request filtering. Request filtering is a rules-based security module that inspects every incoming request for malicious request patterns, such as SQL injection attacks. This prevents some malicious requests from ever reaching the core Web server.

Finally, IIS is deeply integrated with Windows Server 2008, which can be installed using the Server Core installation option. In this mode, the server has no graphical user interface, and the removal of many components reduces the surface area and patching requirements of the operating system. According to Michael Leefers, systems administrator at the Information Services and Technology Division at the University of California, Berkeley, “with Server Core, we saw a way to reduce a server’s vulnerability to attack, but also its need for patches and our administrative overhead associated with patch monitoring and installation.”[vii]

IIS is a both a secure product, and has important security features. Because Microsoft developed IIS6 and IIS7 under the SDL, the Web server continues to enjoy low vulnerability counts. IIS provides the same functionality as Apache authentication, access control, and SSL modules. Plus, IIS makes these features easy to use and configure.

Is IIS harder to manage than Apache?

IIS offers administrators a relatively easy-to-use graphical user interface that can manage local and remote Web servers. IIS 7 also provides command line tools to manage the server and hosted applications. Earlier versions of IIS stored configuration information in a binary database format, but starting with IIS 6.0, the Web server began storing information in a text file. Now, with IIS 7.0, that text file is portable between machines with different machine names, thus allowing administrators simply to copy the configuration file to different Web servers to ensure that they are configured identically. Administrators can also place the configuration file on a network share, where multiple Web servers can read it.

Fortune 500 companies and high-volume Web hosts report that the management interface of IIS 7.0 meets their management needs. As Ben May, senior systems engineer at Dell, reports, “Windows Server 2008 and IIS 7.0 are absolutely cornerstone to how all this would work. We will no longer have to touch individual machines; we’ll have a cloud of servers that we can direct in an automated way.”[viii]

Jeff McGeath, CTO of Accent on Integration, explains, “With IIS 7.0 we have one centralized hosting environment so we can do single-point deployment and manage the services much more effectively. This is something we simply couldn’t do before.”[ix]

Hosters also find IIS 7.0 easy to manage. As Dominic Foster, lead engineer for MaximumASP, explains, “Before, we had to have a programmer to create batch files and automate processes. But with IIS 7.0, anyone can do it, which makes management faster and easier.”[x]

Mike Graves, senior Windows system administrator for Adhost, says, “With Windows Server 2008 and the Shared Configuration feature of IIS 7.0, we can go from a bare-bones box to a running Web server in about one hour—a four-hour savings over Windows Server 2003. Site setup can be done in about a quarter of the time—10 minutes to activate a site via script, versus 40 minutes. And we’re expecting to cut our webmaster and administration time in half as well.”[xi]

Apache focuses on management primarily through manual editing of configuration files or using command-line routines. Apache users will be happy to know that IIS supports these techniques, too. IIS supports modification to the configuration files while the server is running, after which the server will automatically pick up the changes without requiring a server restart. The combination of administrative graphical user interfaces for local and remote administration, configuration text files, full-featured command-lines, and scriptable APIs ensures that administrators can choose the most productive method to perform a given administrative task.

Is IIS as reliable as Apache?

Users of IIS report that it is a stable and reliable Web server. Like Apache, IIS has a number of features to help ensure reliable and available operation.

Apache administrators are familiar with using open-source projects like monit to restart Apache based on failed requests, CPU usage, or other factors. IIS also enables administrators to restart the process based on simple configuration options. IIS can monitor and recycle the process based on an apparent crash, elapsed time, total number of requests, amount of memory usage, or other factors. A controlled IIS process “recycle” should not result in any dropped requests.

Fifty-six percent of Fortune 1000 companies already depend on IIS 6 or 7. Mike Graves of AdHost provides his experience with IIS7, explaining, “In terms of stability, we’ve been running Windows Server 2008 for two months now, and have been monitoring it every three minutes from five different Web servers. So far we haven’t seen even a flicker of downtime.”

Is IIS really as modular as Apache?

Yes. IIS has been re-architected to be extremely modular. Microsoft ships 40 modules with IIS 7.0, with “extensions” to IIS available from Microsoft and the developer community.

Like Apache, IIS now uses modules for core functionality, and by default, only 10 modules are installed. These modules provide:[xii]

· Common HTTP features, including static content, default document, directory browsing, and HTTP errors

· Health and diagnostics features such as HTTP logging and request monitoring