The new IIS 8 is here. It brings great improvements and very useful new features such as Server Name Indication (SNI), Centralized Certificates Store (CCS), CPU Throttling, Application Initialization, Dynamic IP Restriction, WebSockets, and finally FTP 8.
Here is a brief on each feature:
ASP.NET Configuration Management: IIS management tools have been updated for ASP.NET 4.5.
Server Name Indication (SNI): Using SNI, we can configure thousands of secure websites on the web server, because it allows many SSL sites to share the same web server IP. But we have to consider that not all browsers support SNI; for example, it doesn’t work on Windows XP, even with IE 8.
Centralized Certificates Store (CCS): Using CCS, we can configure all certificates to be stored and accessed centrally on a file share. So in a web server farm, IIS on each separate server just goes and picks up the certificate from the share, but the certificate name must match the website name exactly. We also need to enable it on each web server (following the concept of shared configuration). Thus certificate renewal and syncing of certificates across the farm is now a piece of cake 🙂
CPU Throttling: Using CPU Throttling, we can control and limit how much CPU each application pool can consume, as a percentage of CPU. It is not a new feature; it was there in IIS 7.x, where it just killed w3wp when the limit was reached. But now it has additional actions, Throttle and ThrottleUnderLoad, that limit the CPU consumption of the worker processes in the application pool to the configured value. It is important to know that CPU Throttling doesn’t reserve CPU; it only limits CPU usage.
Application Initialization: Using the Application Initialization module, we can configure an initialization page that runs initialization or warm-up tasks before the first HTTP request is served. It was available for IIS 7.x as the warm-up module, but now it is built into IIS 8.
Dynamic IP Restriction (DIPR): Using DIPR, we can customize the IIS reply: Unauthorized (HTTP 401), Forbidden (HTTP 403), Not Found (HTTP 404), or Abort (IIS terminates the HTTP connection). Moreover, we can allow or deny a specific IP address or a range of IP addresses, even if they violate a dynamic restriction setting. We can block IPs dynamically based on the number of concurrent requests or the number of requests over a period of time. Finally, it is a very useful feature for web servers behind a firewall or load balancer, because the proxy mode property enables IIS to cross-check the values in the X-Forwarded-For HTTP header, so it can verify the IP address of the client that initially made the request.
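A configuration fragment for the Dynamic IP Restriction settings described above, added here as an example and not taken from the original post. The threshold numbers are constructed values to tune per site, and the fragment assumes it is placed in applicationHost.config (server-wide or inside a `<location>` element for one site).

```xml
<system.webServer>
  <security>
    <!--
      denyAction: what a blocked client receives. One of
        Unauthorized (401), Forbidden (403), NotFound (404), AbortRequest.
      enableProxyMode: evaluate the client address from X-Forwarded-For.
        Turn this on only when IIS is reachable solely through the load
        balancer or proxy, and that device sets the header itself;
        otherwise a client can supply its own header value.
      enableLoggingOnlyMode: set to true first to log would-be blocks
        without rejecting anything, then switch to false once the
        thresholds below match normal traffic.
    -->
    <dynamicIpSecurity denyAction="Forbidden"
                       enableProxyMode="true"
                       enableLoggingOnlyMode="false">

      <!-- Block an address holding too many requests open at once.
           The value 20 is a constructed example. -->
      <denyByConcurrentRequests enabled="true"
                                maxConcurrentRequests="20" />

      <!-- Block an address exceeding a request count within a time
           window. 50 requests per 5000 ms is a constructed example. -->
      <denyByRequestRate enabled="true"
                         maxRequests="50"
                         requestIntervalInMilliseconds="5000" />
    </dynamicIpSecurity>
  </security>
</system.webServer>
```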
FTP Logon Attempt Restrictions: In IIS 8.0 for Windows Server 2012, Microsoft has added a built-in network security feature that provides this functionality for all logins without the necessity for creating a custom authentication provider. Check this walkthrough, and learn the steps required to enable FTP login restrictions in order to prevent brute-force attacks on your server.