Ten Things to Do With IIS

Tips (contd.)

Tip 4: Cache your content

While I'm on the topic of improving performance, remember to make your site cache friendly. You can set expiration headers for different files or directories right from the MMC. Just right click on an item via the IIS MMC, flip to the "HTTP Headers" tab, and away you go. If you want to set cache control headers programmatically -- or even better, let your site developers do it -- use something like CacheRight. If you want to go further and add reverse proxy caching, particularly for generated content, use a product like XCache -- which also throws in compression.

It might involve more time and expense to take full advantage of caching, but when you watch your logs shrink because they don't contain tons of pointless 304 responses, and your bandwidth consumption drop like a stone, even while your total page views increase over the same period, you'll start to understand why this particular tip was so important. Cache friendly sites are quite rare, but there is plenty of information available online about the enormous benefits to be had by doing it right: Check out Brian Davidson's page, this nifty tutorial from Mark Nottingham, and what AOL has to say on the subject.

Tip 3: Tune your server

Tuning IIS is no small topic -- whole books and courses are dedicated to it. But some good basic help is available online, such as this piece from IIS guru Brett Hill, or this Knowledge Base article from Microsoft itself. However, if you don't feel like getting your hands dirty -- or can't afford the time and expense of turning yourself into an expert -- take a look at XTune, from the makers of XCache. It's performance tuning wizards step you through the process of tuning your IIS environment, making expert recommendations along the way.

Tip 2: Secure your server with simple fixes

Sure people are going to attack sites, but you don't have to be a sitting duck if you're willing to make even a small effort. First off, don't advertise the fact that you are running IIS by showing your HTTP server header. Remove or replace it using something like ServerMask -- probably the best twenty-five bucks you'll ever spend. You can go farther than this by removing unnecessary file extensions to further camouflage your server environment, and scanning request URLs for signs of exploits. There are number of commercial products that do user input scanning, and Microsoft offers a free tool called URLScan which does the job. URLScan runs in conjunction with IISLockDown, a standard security package which should probably be installed on every IIS server on the planet. These are simple fixes that could pay off big, so do them now.

Tip 1: Patch, patch, patch!

Okay, we in the IIS world do have to patch our systems and make hotfixes. However, as a former Solaris admin I had to do the same thing there, so I am not sure why this is a big surprise. You really need to keep up with the patches, Microsoft is of course the definitive source, but if you can also use the highly-regarded www.cert.org. Simply search on "IIS".

Well there you have it: 10 tips for IIS admins to improve their servers. Some of the tips might become obsolete once IIS 6 is gold, but, for now at least, W2K and NT IIS admins should apply a few of these today and sleep a little better at night.

Matt Foley is a former Solaris sysadmin who was turned to the "darkside" and is now works for a large southern California hosting and Web agency. He quite likes Windows now in spite of himself.

You might also like...

Comments

About the author

Matt Foley United States

Matt Foley is a former Solaris sysadmin who was turned to the "darkside" and is now works for a large southern California hosting and Web agency. He quite likes Windows now in spite of himself. ...

Interested in writing for us? Find out more.

Contribute

Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“The greatest performance improvement of all is when a system goes from not-working to working.” - John Ousterhout