Difference between Windows IIS 5.0 and IIS 6.0

Below are the following difference between IIS 5.0 and IIS 6.0:-

IIS 5.0...

While processing the Web Requests,IIS picks up the request on Port 80 and forwards the request to aspnet_isapi.dll. After that it is forwarded to the Worker process...asp_wp.exe.

Worker Process
It Manages the pipeline through request flows. All asp.net software components like HttpApplication,Session run by the instance of Worker Process.

IIS 6.0...
While processing the request is processed by HTTP.SYS driver and then passed to the asp.net worker process. HTTP.SYS is a kernel level driver close to Operating System.By passing the request directly to asp.net worker process, asp.net bypass the overhead of an extra out-of-process call and automatically enforces application isolation.

With these features there are other features also which are present in IIS 6.0 ...

IIS 6.0 provides error logging in a seprate file from the web logs and also have more properties to configure in the error log.

IIS 6.0 provides 2000 application pools. With IIS 5.0 then applications are pooled in one application pool which is hosted by DLLHost.exe. But in case of IIS 6.0 where IIS 6.0 operates in worker process isolation mode, up to 2000 application pools can be created where each application pool can be configured separately.

As IIS 6.0 have many application pools so it provides a well-defined separation of applications. Now thousands of applications can run side by side on a single IIS 6.0 server.

IIS 6.0 supports auto restart of failed applications.

IIS 6.0's multiple level of security :. The following table summarizes the multiple levels of security available in IIS 6.0. I have taken this table from Microsoft's Website.


IIS 6.0 Security Level	Description
Not installed by default on Windows Server 2003	Much of security is about reducing the attack surface of your system. Therefore, IIS 6.0 is not installed by default on Windows Server 2003. Administrators must explicitly select and install IIS 6.0.
Installs in a locked down state	The default installation of IIS 6.0 exposes only minimal functionality. Only static files get served and all other functionality (such as ASP and ASP.NET) has to be enabled explicitly by the administrator.
Disabled on upgrades	For Windows Server 2003 upgrades to servers with IIS installed, if the administrator did not install and run the Lockdown Tool or configure the RetainW3SVCStatus registry key on the server being upgraded, then IIS 6.0 will be installed in a disabled state.
Disabling via Group Policy	With Windows Server 2003, domain administrators can prevent users from installing IIS 6.0 on their computers.
Running as a low-privileged account	IIS 6.0 worker processes run in a low-privileged user context by default. This drastically reduces the effect of potential attacks.
Secure ASP	All ASP built-in functions always run as a low-privileged account (anonymous user).
Recognized file extensions	Only serves requests to files that have recognized file extensions and rejects requests to file extensions it doesn�t recognize.
Command-line tools not accessible to Web users	Attackers often take advantage of command-line tools that are executable via the Web server. In IIS 6.0, the command-line tools can�t be executed by the Web server.
Write protection for content	Once attackers get access to a server, they try to deface Web sites. By preventing anonymous Web users from overwriting Web content, these attacks can be mitigated.
Time-outs and limits	Product settings are set to aggressive and secure defaults.
Upload data limitations	Administrators can limit the size of data that can be uploaded to a server.
Buffer overflow protection	Like the rest of Windows, IIS worker processes are compiled with options that are set to monitor the Windows stack and exit the process if a buffer overflow is detected.
File verification	The core server verifies that the requested content exists before it gives the request to a request handler (ISAPI extension).