Ask Learn
Preview
Ask Learn is an AI assistant that can answer questions, clarify concepts, and define terms using trusted Microsoft documentation.
Please sign in to use Ask Learn.
Sign inThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
by IIS Team, Tobin Titus
Version | Notes |
---|---|
IIS 7.0 and later | The features described in this article were introduced in IIS 7.0. |
IIS 6.0 and earlier | The features described in this article were not supported prior to IIS 7.0. |
IIS 7.0 and later have a new user interface from previous versions of IIS: the IIS Manager. This article describes the look and feel, feature delegation, interaction with configuration, and remoting. Note that some versions of IIS may not have some of the functionality/features discussed in this document.
Why did it have to change? Here are a few top reasons:
http://www.contoso.com/sales
can be written to the root config file applicationHost.config, to the site http://www.contoso.com/
web.config file, or directly to the application's web.config file. The new IIS Manager has to: 1) allow an administrator to control the configuration permitted in web.config files, 2) show the administrator/user where configuration is being written. The older IIS Manager was not up to these challenges.Anything else to know? Once we decided to rewrite IIS Manager, we took the opportunity to improve in a number of key ways:
Note
This document was written for Windows Server 2008. Windows Vista® may not have some of the functionality/features discussed in this document.
Internet Information Services (IIS) Manager has had Back/Forward type navigation in past releases, and the new IIS Manager takes this even farther by adding an address bar that works like Windows Explorer.
Figure 1: New IIS Manager
The Home Page will become very familiar as soon as you start using IIS Manager. The feature list in the middle can be sorted by feature name or description, grouped by area or category, and viewed in different layouts.
Figure 2: Grouping in IIS Manager
Server, site, application, virtual directory, and folder nodes in the treeview all show a Home Page with a feature list. Most features appear on Home Pages for all these nodes, but there are exceptions.
These features appear on the server Home Page only because they are server-wide configuration, data, or information:
These features appear everywhere except the server Home Page because they are application configuration and they aren't logical at the server level, or because they just work better that way (SSL):
The features associated with delegation have special rules for where they appear:
There are three types of pages in IIS
List pages contain lists. Most list pages let you group by values in one or more columns. The main list pages, like Sites and Application Pools, let you to filter the list entries by searching in a list column for entries that match a search string.
Figure 3: IIS Manager List Page
The Add/Edit/Remove tasks in the task pane let you manipulate the contents of the list. Feature settings that aren't specific to a list entry, e.g. specifying that custom errors should be overridden by detailed errors for local requests, are generally configured through the Edit Feature Settings… task.
Figure 4: IIS Manager Actions
Property grid pages show grids of related properties. The Display selector at the top of the property grid lets you choose whether you would like to view friendly property names, the configuration property names, or both. The screenshot below shows both names.
Figure 5: Property Grids in IIS Manager
Dialog pages have checkboxes, textboxes and radio buttons, and are generally the most familiar type of page. Use Apply/Cancel in the task pane to save changes.
Content View is a read-only display; you can't create, copy, move, or delete files or folders in this view. You can get into Content View by clicking "Content View" in the Features View/Content View switcher at the bottom of the IIS Manager middle pane, or by right-clicking a treeview node and selecting "Switch to Content View".
The only way to set configuration for a file is to switch to Content View, select the file, and click "Switch to Features View" in the right-click menu or in the task pane.
Figure 6: Switch to Features View
You might be interested in feature delegation if you are a server administrator and you are not the primary person providing content on your server, or if you are a developer and you want more control over IIS configuration for your application.
IIS feature delegation means managing:
What follows is a cursory explanation of feature delegation in IIS Manager. For an in-depth walk-through, see How To Manage Feature Delegation.
If a configuration section is "locked" by default, it can only be configured in applicationHost.config. IIS Manager provides a means for server administrators to "unlock" IIS configuration sections. Once a section of configuration is unlocked, it can be set in web.config files by non-administrators.
For example, the "Custom Error Pages" feature in IIS Manager interacts with configuration in the "system.webServer/httpErrors" section. If the server administrator uses IIS Manager or appcmd to unlock the system.web/httpErrors configuration section, the httpErrors section will appear inside a location tag with overrideMode="allow" in applicationHost.config:
<location path="" overrideMode="Allow">
<system.webServer>
<httpErrors/>
</system.webServer>
</location>
OverrideMode="allow" means that it's valid to set configuration for httpErrors in a web.config file:
<configuration>
<system.webServer>
<httpErrors>
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" path="/errors/404.aspx" responseMode="Redirect" />
</httpErrors>
</system.webServer>
</configuration>
See the "Server, Site and Application Connections" section below to see how configuration locking affects connections. For in-depth information on configuration locks, see How To Use Configuration Locking.
Additionally, server administrators can enable non-administrators to use IIS Manager to connect to a site or application. Non-administrators that can connect to sites or applications are called "Site Administrators" or "Application Administrators", and they can:
For information on how to create site and application administrators, see the online documentation Create Site and Application Administrators for Delegation.
Only machine administrators can use IIS Manager to connect to a web server. Server connections can write to both root configuration files, applicationHost.config and root web.config, and all distributed web.config files. If a configuration section is locked in applicationHost.config, the corresponding feature will be read/write in a server connection because configuration changes are written to applicationHost.config in a location tag.
Machine administrators and designated Site Administrators can connect to web sites. Site connections can only write to web.config files under the site's root folder. If a configuration section is locked in applicationHost.config, the corresponding feature will appear read-only in site connections because site connections cannot write configuration to applicationHost.config (even in a location tag). This affects both machine administrators and Site Administrators.
Figure 7: Configuration Hiearchary in IIS Manager
Machine administrators, designated Application Administrators, and Site Administrators for the application's parent site, can connect to an application. Application connections can only write to web.config files under the application's root folder. If a configuration section is locked in applicationHost.config or the site's web.config file, the corresponding feature will appear read-only in application connections.
For information on how to connect to a server, site or application, see the online documentation on Managing Connections in IIS 7.0.
Even if you never change configuration locking and never use feature delegation, at some point you're going to wonder how IIS Manager decides where to write configuration. There are two rules that define this behavior:
The status bar shows where IIS Manager will write configuration:
Configuration: '<config_file_object_path>' <config_file_name>, <location path="<path>">
The <config\_file\_object\_path>
is the path to the configuration file object, for example:
The <config\_file\_name>
is the name of the target configuration file, for example:
The <location\_path>
is the location path to the object being configured (for more information on location paths, see Configuration Overview). This portion of the text only appears if the feature's configuration section is locked at a higher level.
Compression is an IIS feature, and it appears under IIS if you group/filter the home page feature list by Area. If you've navigated to the server-level Compression page and you disable static compression, IIS Manager will write this configuration into %windir%\Windows\system32\inetsrv\applicationHost.config
:
<urlCompression doStaticCompression="false" />
.NET Compilation is .NET Framework configuration, and it appears under ASP.NET if you group/filter the home page feature list by Area. If you've navigated to the server-level .NET Compilation page and you set the default language to C#, IIS Manager will add the defaultLanguage attribute to the compilation section in the root web.config file, i.e. %windir%\Windows\\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config
:
<compilation defaultLanguage="C#">
The status bar for both these situations will read: Configuration: 'localhost' applicationHost.config or root web.config
The IIS "defaultDocument" configuration section is unlocked by default. If you configure the default document for the Default Web Site, IIS Manager will write this configuration to %windir%\inetpub\wwwroot\web.config
:
<configuration>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="default.aspx" />
</defaultDocument>
</system.webServer>
</configuration>
The status bar will read: Configuration: 'Default Web Site' web.config
The IIS "httpErrors" configuration section is unlocked by default. If you customize the HTTP 404 response for the Default Web Site, IIS Manager will write this configuration to %windir%\Windows\system32\inetsrv\applicationHost.config
:
<location path="Default Web Site" overrideMode="Allow">
<system.webServer>
<httpErrors>
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" path="/err/404.aspx" responseMode="Redirect" />
</httpErrors>
</system.webServer>
</location>
The status bar will read: 'localhost' applicationHost.config or root web.config, <location path="Default Web Site">
IIS Manager remoting for IIS 6.0, and previous versions of IIS, was through MMC and was always enabled. With IIS 7.0 and above, IIS Manager remoting must be explicitly enabled. All remote management is done over HTTPS and is handled by an IIS component called the Web Management Service (WMSVC). If you want enable remote management of IIS 7.0 and above through IIS Manager, read How to Enable IIS Manager Remoting.
The Web Management Service (WMSVC) is a stand-alone web server (hostable web core (HWC)) hosted in an NT service. After WMSVC is installed and started, it listens on port 8172 on all unassigned IP addresses. It expects to receive only 4 types of requests, and each is serviced by its own handler:
IIS Manager sends a login request across the wire to WMSVC to intiate a connection. Authentication is either NTLM or basic, depending on what the user selected when they were asked to provide credentials in the connection dialog.
Figure 9: Specifying Credentials
If login is successful, WMSVC returns a list of UI modules for the connection. For example, each IIS Manager page like "Custom Error Pages" corresponds to a module. If there's a module that IIS Manager doesn't have, it will request to download the module binaries (e.g. this would happen if a server administrator installed a new RSA Security product on his production server, but didn't install the product on his desktop machine that he uses to connect to the server).
After the connection is established, the end user interacts with IIS Manager causing management service requests. Management service requests direct module services in WMSVC to read/write configuration, runtime state, and providers on the server.
Ping requests are made from within the WMSVC service to the web server (HWC) it hosts. Ping requests are a simple mechanism to ensure the hostable web core continues to be responsive.
Service Configuration
WMSVC has very small set of editable configuration stored in the registry. Each time the service is started, the web configuration files are regenerated in %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\WMSvc<GUID>\
. The web configuration files cannot be edited, even by administrators.
Figure 10: Changing Configuration in Registry
IIS Manager and Web Management Service (WMSVC) remoting has been through a series of reviews to ensure the functionality is simple and secure. These are a few of the security measures taken:
Locked down Hostable Web Core (HWC) configuration, including a minimal set of required modules and carefully crafted request filtering rules.
Ask Learn is an AI assistant that can answer questions, clarify concepts, and define terms using trusted Microsoft documentation.
Please sign in to use Ask Learn.
Sign in