The IIS 7.0 Web server feature set is componentized into more than thirty independent modules.
A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a Lego set, modules are added to the server in order to provide the desired functionality for your applications. Likewise, all IIS modules can be removed, or replaced with custom modules developed using the new IIS 7.0 C++ APIs, or the familiar ASP.NET 2.0 APIs.
This article describes common IIS 7.0 module management tasks, and details each module including its configuration settings and the potential effect a module removal has on the web server. The management examples are given using both the graphical IIS 7.0 Administration tool and the AppCmd command line tool.
This article contains:
Prerequisites
To follow some the steps in this document it is best to do a full install of IIS 7.0.
To Perform a Full Installation of IIS on Windows Vista
-
Click Start and then click Control Panel.
-
In the Control Panel, click Programs.
-
Under Programs and Features, click Turn Windows features on or off.
-
In the Windows Features dialog, expand Internet Information Services and select all features.
-
Click OK.
To Perform a Full Install of IIS on Windows Server® 2008
-
Open Server Manager > Roles and select Web Server (IIS).
-
Check all features under IIS.
Getting Started with Modules
In order to add a module to the server, you must perform two steps:
-
Install a module on the server (native modules only).
-
Enable the module in an application.
The first step registers the module globally with the server, making it available within each server worker process. It is necessary only for native modules due to the trusted nature of native code, and is available to administrators only.
Note: A native module has unrestricted access to any resource available to the server worker process, just like an ISAPI filter or extension in previous versions. Because of this unrestricted access, you should only install native modules that have come from a trusted source.
The second step enables the module to execute within a particular application and effectively allows the application administrator to control the server features enabled for the application. This step allows both installed native modules and managed modules to be enabled for each application.
To Install a Native Module
In order to install a native module, it must be registered with the server using one of the options below:
- Manually editing the new IIS 7.0 configuration store
- Using the IIS 7.0 Administration Tool
- Using the IIS 7.0 APPCMD.EXE command line tool
All three of these options result in the module entry being added to the <globalModules> IIS 7.0 configuration section, which is settable only at the server level. To examine the contents of this section, open the root configuration file located in (%windir%/system32/inetsrv/config/applicationhost.config), and search for the string "<globalModules>".
After a full IIS 7.0 install, this section contains an entry for each of the native modules shipped with IIS 7.0, specifying a name and the path to the module DLL:
<globalModules>
<add name="DefaultDocumentModule" image="%windir%/system32/inetsrv/defdoc.dll" />
<add name="DirectoryListingModule" image="%windir%/system32/inetsrv/dirlist.dll" />
<add name="StaticFileModule" image="%windir%/system32/inetsrv/static.dll" />
...
</globalModules>
All of these modules are described in detail further in this document.
To Un-install a Native Module
Un-install a native module if that module is no longer in use on the server, or if you would like to replace it with another module. Remove the corresponding module entry from the <globalModules> configuration list, and the associated entry in the <modules> configuration list using one of the following options:
- Manually editing the new IIS 7.0 configuration store
- Using the IIS 7.0 Administration Tool
- Using the IIS 7.0 APPCMD.EXE command line tool
Note: Because the <globalModules> configuration section is only settable at the server level, you must be an administrator to un-install a module.
Enabling a Module for an Application
A module must be enabled before it can provide service for a particular application.
In order to enable a native module, it must first be installed on the server (see the previous section, Installing a Native Module).
A managed module does not require installation, and can be enabled directly for each application. Not requiring installation allows applications to include their managed modules directly within the application by registering them in the application's web.config file, and providing the implementation in /BIN or /App_Code directories.
To enable a module, do one of the following:
- Manually edit the IIS 7.0 configuration store, either globally to enable the module for all applications on the server, or in a particular web.config file located within each application for which you would like to enable this module.
- Use the IIS 7.0 Administration Tool
- Use the IIS 7.0 APPCMD.EXE command line tool
All three of these options add the module entry to the <modules> IIS 7.0 configuration section, which is settable at both the server level or application level. Examine the contents of this section by opening the root configuration file located in (%windir%/system32/inetsrv/config/applicationhost.config), and searching for the string "<modules>".
A managed module does not require adding to the <globalModules> configuration section, unlike native modules.
After a full IIS 7.0 install, the configuration section contains an entry for each of the modules (both managed and native) shipped with IIS 7.0. The entry indicates that all these modules are enabled by default for all applications on the server. Each entry in this section specifies either the name of a native module that was previously installed on the server, or the name and .NET type of a managed module:
<modules>
<add name="DefaultDocumentModule" />
<add name="DirectoryListingModule" />
<add name="StaticFileModule" />
...
</modules>
Disabling a Module in an Application
Disable a module if that module is no longer in use in the application, or if you want to replace it with another module. To disable a module, remove the corresponding module entry from the <modules> configuration collection for a particular application where you do not want this module to execute. If the module is enabled at the server level, remove it there to disable it in all applications on the server by default. Use one of the following options to remove the module at the server level:
- Manually edit the <system.webServer>/<modules> configuration section in your application.
- Use the IIS 7.0 Administration Tool.
- Use the IIS 7.0 APPCMD.EXE command line tool.
After the module is removed from the application, it will not be active in that application. However, if the module is native, it will still be loaded in the server worker process, and may be used by other applications that did not remove it.
Note: The configuration section is unlocked by default if ASP.NET is installed. This default unlocking allows applications to disable both native and managed modules enabled globally, and to add new managed modules. This configuration section can be locked at the server level to prevent modification entirely, or prevent removal of specific module entries if desired by the Administrator.
Preconditions
There is another attribute on a module entry called precondition. The IIS core engine uses preconditions to determine when to enable a particular module. Performance reasons, for example, might determine that you only want to execute managed modules for requests that also go to a managed handler. The precondition in the following example (precondition="managedHandler") only enables the forms authentication module for requests that are also handled by a managed handler, such as requests to .aspx or .asmx files:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
If you remove the attribute precondition="managedHandler", Forms Authentication also applies to content that is not served by managed handlers, such as .html, .jpg, .doc, but also for classic ASP (.asp) or PHP (.php) extensions. See "How to Take Advantage of IIS 7.0 Integrated Pipeline" for an example of enabling ASP.NET modules to run for all content.
You can also use a shortcut to enable all managed (ASP.NET) modules to run for all requests in your application, regardless of the "managedHandler" precondition. To enable all managed modules to run for all requests without configuring each module entry to remove the "managedHandler" precondition, use the runAllManagedModulesForAllRequests property in the <modules> section:
<modules runAllManagedModulesForAllRequests="true" />
When you use this property, the "managedHandler" precondition has no effect and all managed modules run for all requests.
Querying, Adding and Removing Modules Using the IIS 7.0 Administration Tool
The IIS 7.0 Administration Tool provides an easy way to query, add or remove modules.
-
Open the IIS 7.0 Administration tool.
-
Click the machine name of your IIS server .
-
Click the "Modules" icon under the IIS category.
Figure 1: IIS Manager
To manage the enabled modules for a particular application:
- Connect to that application using the tree view on the left.
- Navigate to the Modules feature pane.
- Click "Add Managed Module" to add a "Managed Module" to your application. "Add Native Module" only allows you to add a module that was already registered on the Server level.
To remove a module from your application:
- Click the module in the list. The "Remove" task displays in the pane on the left.
- Click "Remove."
Figure 2: Modules List in IIS Manager
Managing Modules from the Command Line
To quickly manage modules from the command line, or script module management tasks, use the APPCMD.EXE command line tool.
To install a module (installing a native module automatically enables it at the server level):
Appcmd.exe install module /name:<MODULE_NAME> /image:<PATH_TO_DLL>
e.g. %windir%/system32/inetsrv/appcmd.exe install module /name:DefaultDocumentModule /image:%windir%/system32/inetsrv/defdoc.dll
To un-install a module (un-installing a module automatically disables it at the server level):
Appcmd.exe uninstall module <MODULE_NAME>
e.g. %windir%/system32/inetsrv/appcmd.exe uninstall module DefaultDocumentModule
To list enabled modules for a particular application (or globally):
Appcmd.exe list modules [/app.name:<APPLICATION_NAME>]
e.g. %windir%/system32/inetsrv/appcmd.exe list modules /app.name:"<span style="color:darkred">Default Web Site/"
%windir%/system32/inetsrv/appcmd.exe list modules
To enable a module for a particular application (or globally):
Appcmd.exe <span style="color:blue">add module /name:<MODULE_NAME> /type:<MGD_TYPE>
e.g. %windir%/system32/inetsrv/appcmd.exe <span style="color:blue">add module /name:FormsAuthentication /type:System.Web.Security.FormsAuthenticationModule /app.name:"<span style="color:darkred">Default Web Site/"
%windir%/system32/inetsrv/appcmd.exe <span style="color:blue">add module /name:FormsAuthentication /type:System.Web.Security.FormsAuthenticationModule
To disable a module for a particular application (or globally):
Appcmd.exe delete module <MODULE_NAME> [/app.name:<APPLICATION_NAME>]
e.g. %windir%/system32/inetsrv/appcmd.exe delete module FormsAuthentication /app.name:"<span style="color:darkred">Default Web Site/"
%windir%/system32/inetsrv/appcmd.exe delete module FormsAuthentication
To get more help on the syntax for each of the commands on the module object, use the following:
Display commands supported on the MODULE object:
Appcmd.exe module /?
Display the usage of each command:
Appcmd.exe install module /?
Appcmd add module /?
etc ...
Module Reference
The IIS 7.0 server is ready for customizing. Read the following list carefully to avoid side-effects, feature loss or removing security features.
Utility Modules
These modules do not provide request services, but instead assist the server engine with its internal operation.
|
Module Name: |
UriCacheModule |
|
Description: |
Implements a generic cache for URL-specific server state, such as configuration. With this module, the server only reads configuration for the first request for a particular URL, and reuse it on subsequent requests until it changes. |
|
Configuration sections: |
None. |
|
Dependencies: |
None. |
|
Potential issues when removing this module |
Performance loss due to state cached for each URL retrieval for every request. |
|
Module Name: |
FileCacheModule |
|
Description: |
Caches file handles for files opened by the server engine and modules. |
|
Configuration sections: |
None. |
|
Dependencies: |
None. |
|
Potential issues when removing this module |
Performance loss. If file handles are not cached, the files have to be opened for every request. |
|
Module Name: |
TokenCacheModule |
|
Description: |
Caches windows security tokens for password based authentication schemes (anonymous authentication, basic authentication, IIS client certificate authentication). |
|
Configuration sections: |
None. |
|
Dependencies: |
None. |
|
Potential issues when removing this module |
Performance loss. The users must be logged on for every request if the token is not cached. A major performance impact may result. For example, if a password protected html page references 50 images that are also protected, 51 logonUser calls to the local account database, or worse, to an off-box domain controller, result in a performance issue. |
Managed Engine: ASP.NET Integration
|
Module Name: |
ManagedEngine |
|
Description: |
Managed Engine has a special place within all the other modules. It is responsible for providing the IIS integration to hook up with the ASP.NET runtime. |
|
Configuration sections: |
|
|
Dependencies: |
None. |
|
Potential issues when removing this module |
ASP.NET integration will be disabled. None of the managed modules declared in the <modules> or ASP.NET handlers declared in the <handlers> section are called when the Application Pool runs in Integrated Mode. |
IIS 7.0 Native Modules
|
Module Name: |
HttpCacheModule |
|
Description: |
The HttpCacheModule implements the IIS 7.0 output cache and also the logic for caching items in the http.sys cache. Set the cache size, output cache profiles etc. via configuration. |
|
Configuration sections: |
System.webServer/caching |
|
Dependencies: |
None. |
|
Potential issues when removing this module |
Content will no longer be cached in kernel mode. Cache profiles are ignored. Removing the HttpCacheModule will probably have adverse effects on performance and resource usage. |
|
Module Name: |
DynamicCompressionModule |
|
Description: |
Implements in-memory compression of dynamic content. |
|
Configuration sections: |
system.webServer/httpCompression and system.webServer/urlCompression. |
|
Dependencies: |
There will not be any dependencies because Dynamic compression is turned off by default. |
|
Module Name: |
StaticCompressionModule |
|
Description: |
Implements compression (in memory as well as persistent in the file system) of static content. |
|
Configuration sections: |
system.webServer/httpCompression and system.webServer/urlCompression |
|
Dependencies: |
None. |
|
Potential issues when removing this module |
Potential Bandwidth saturation due to uncompressed content being sent back to the client. |
|
Module Name: |
DefaultDocumentModule |
|
Description: |
Implements default document functionality. Requests that come in with a trailing / will be rerouted to a document in the default document list. |
|
Configuration sections: |
system.webServer/defaultDocument |
|
Dependencies: |
None. |
|
Potential issues when removing this module |
Requests to /, for example http://localhost/, return a 404 error. If a directoryBrowsing is enabled, a directory listing is generated. |
|
Module Name: |
DirectoryListingModule |
|
Description: |
Implements directory browsing functionality. |
|
Configuration sections: |
system.webServer/directoryBrowse |
|
Dependencies: |
None. |
|
Potential issues when removing this module |
If the neither the default document module nor the directoryListing Module handle a request for a /, an empty response returns. |
|
Module Name: |
ProtocolSupportModule |
|
Description: |
Implements custom and redirect response headers. Implements the trace and Options HTTP verbs. Implements the supports which allow or turn off keep-alive support via configuration. |
|
Configuration sections: |
system.webServer/httpProtocol |
|
Dependencies: |
None. |
|
Potential issues when removing this module |
TRACE or OPTIONS requests return a "405 Method not allowed" error message. |
|
Module Name: |
HttpRedirectionModule |
|
Description: |
Implements redirect functionality. |
|
Configuration sections: |
system.webServer/httpRedirect |
|
Dependencies: |
None. |
|
Potential issues when removing this module |
Potential security issue if resources were protected by redirection. When the Redirection module is removed, the content becomes accessible again. |
|
Module Name: |
ServerSideIncludeModule |
|
Description: |
Implements server side includes. This module is mapped as a handler, only executing for requests ending in .stm, .shtm and .shtml. |
|
Configuration sections: |
system.webServer/serverSideInclude |
|
Dependencies: |
None. |
|
Potential issues when removing this module |
The static file module handles.stm, .shtm and .shtml files. If this module has a mimeMap for these extensions the files become served as text. Note, however, that this is not the default. |
|
Module Name: |
StaticFileModule |
||
|
Description: |
Sends out static files with the file extension .html, .jpg, as well as many others. The staticContent/mimeMap configuration collection determines the list of file extensions. |
||
|
Configuration sections: |
|