IIS 8 What's new – Website settings

The two new additions in IIS 8 are Preload Enabled and Maximum Url Segments.


Preload Enabled

This setting is available if you have the Application Initialization module installed.


The preloadEnabled metabase setting along with the startMode setting can be used to ‘warm up’ your web application.

When you set the startMode property of your application pool to AlwaysRunning, a worker process is spawned as soon as IIS starts up, without waiting for the first user request. But this does not mean the web application is initialized.

When you set preloadEnabled to true, IIS will simulate a user request to the default page of the website or virtual directory (this can be changed with the initializationPage metabase setting) so that the application initializes. The request is not logged in the IIS logs.

You can, however, trace it with FREB (Failed Request Tracing). Every time you restart your application pool, you will see a FREB trace file for the dummy request. You can identify this request by analysing the GENERAL_REQUEST_HEADERS event and looking at the User-Agent string.

User-Agent: IIS Application Initialization Preload

Maximum Url Segments

With the maxUrlSegments metabase setting you can control the number of segments in a URL that your web application can serve. The segment count is simply the number of / characters in your URL. This is a security setting that you can use to control the depth to which a user can browse your website.

So, for example, if you have an application whose URLs are mostly of the format https://website/virdir/page, you can set maxUrlSegments to 3. This stops probing attacks.

If a user tries to browse a URL with more segments than this limit, he/she will see a 404 message, and a 404.20 HTTP status code will be logged in the IIS logs.
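Because the rejection is logged as 404.20, the IIS logs can be used to see which clients keep hitting the segment limit. The following is an added example, not part of the original post: it parses W3C-format log text and groups 404.20 responses by client IP. The log lines are constructed, the selected fields (including sc-substatus) are assumed to be enabled in logging, and the function names and the threshold of 2 are hypothetical choices.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2013-01-10 09:00:01 GET /virdir/page 192.0.2.10 200 0
2013-01-10 09:00:05 GET /virdir/a/b/c/d 198.51.100.7 404 20
2013-01-10 09:00:06 GET /virdir/a/b/c/d/e 198.51.100.7 404 20
2013-01-10 09:00:07 GET /virdir/missing 192.0.2.10 404 0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus time-taken
2013-01-10 09:05:00 198.51.100.7 GET /virdir/x/y/z/w 404 20 15
2013-01-10 09:05:02 203.0.113.4 GET /virdir/p/q/r/s 404 20 12
"""

REQUIRED = ("c-ip", "cs-uri-stem", "sc-status", "sc-substatus")


def segment_limit_hits(log_text):
    """Return {client_ip: [uri, ...]} for requests logged as 404.20."""
    fields = []
    hits = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; always use the latest.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        if any(name not in row for name in REQUIRED):
            continue  # substatus or client IP not logged in this block
        if row["sc-status"] == "404" and row["sc-substatus"] == "20":
            hits[row["c-ip"]].append(row["cs-uri-stem"])
    return dict(hits)


def noisy_clients(hits, threshold=2):
    """Clients with at least `threshold` (assumed value) rejections, busiest first."""
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(ip, len(uris)) for ip, uris in ranked if len(uris) >= threshold]


if __name__ == "__main__":
    for ip, count in noisy_clients(segment_limit_hits(SAMPLE_LOG)):
        print(f"{ip}: {count} requests rejected with 404.20")
```

An ordinary "page not found" (404.0) is deliberately ignored, so only requests rejected by the segment limit are counted.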