I saw a link on Robert Scoble’s site to a post about IIS 7 so I followed it out of curiosity (I have done a ton of work on IIS 4, 5 and 6).
IIS 7 looks like it will be interesting – a few snippets:
Right now, ASP.NET is implemented as an ISAPI extension for IIS. That will still be true in ASP.NET 2.0. In IIS7, that changes. Instead, the concepts of HTTP pipelines, handlers, modules, XML config files, etc… are all natively built into the platform.
That’s a big change and should mean easier configuration and demonstrable performance improvements. Right, well that’s a good start – what else?
now practically every feature in the pipeline has been broken out into a separate module. From a security standpoint, this is a whole new realm for IIS. Because the pipeline is componentized (the WHOLE pipeline), you can reduce your surface area by removing any module you’re not using from the pipeline. So if you don’t have Passport authentication, don’t enable the module.
Now that sounds like Microsoft is moving in the right direction, security-wise in this development. Of course, opening the code up for independent review would be an even better move, but we are unlikely to see that happen!
Finally, if IIS7 doesn’t do something you want it to do, you can write an HttpHandler or HttpModule to support the functionality you need. Say you want to run PHP on IIS7… done. Say you want to be able to support serving up a new filetype… piece of cake. Forget about all the hassles of ISAPI… programming managed IIS extensions is far easier. Of course, ISAPI extensions will still work for compatibility reasons, but hopefully unmanaged extensions will be a thing of the past.
This sounds intriguing as well – it will remain to be seen just how extensible IIS 7 actually is but if there is any truth to these reports at all, it will be a significant step forward for Microsoft.