Skip to main content
Windows Server – Complete Beginner to Advanced Guide
CHAPTER 17 Intermediate

Web Server and IIS Basics

Updated: May 16, 2026
30 min read

# CHAPTER 17

Web Server and IIS Basics

1. Introduction

Every time you open a web browser and navigate to a website, your computer is silently requesting HTML files from a massive server located in a datacenter. While Linux heavily dominates the public internet with web servers like Apache and NGINX, the corporate intranet and enterprise application ecosystem relies heavily on Microsoft's proprietary web engine: Internet Information Services (IIS). If a company develops custom internal software in C# or ASP.NET, it must be hosted on an IIS Web Server. In this chapter, we will install the IIS Role, explore the IIS Manager console, architect Application Pools to isolate failing code, and learn how to secure our web traffic by binding SSL/TLS cryptographic certificates to our domains.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Install the Web Server (IIS) Role via Server Manager.
  • Navigate the Internet Information Services (IIS) Manager console.
  • Deploy a basic HTML website to a Windows Server.
  • Understand the critical isolation architecture of IIS Application Pools.
  • Configure Web Bindings (Port 80 HTTP vs Port 443 HTTPS).
  • Understand the baseline process of applying an SSL Certificate for encryption.

3. What is IIS?

Internet Information Services (IIS) is a graphical web server created by Microsoft. It is a Role you install on Windows Server. Its job is to listen on the network for incoming HTTP (Port 80) or HTTPS (Port 443) requests, find the requested web files (HTML, CSS, images) on the local hard drive, and serve them back to the user's browser.

By default, when you install IIS, it automatically creates a folder at C:\inetpub\wwwroot. This is the public folder. Any file you drop into this folder instantly becomes accessible to the entire network via the server's IP address.

4. Application Pools (The Blast Shield)

If you host three different websites (HR, Finance, and Marketing) on a single IIS server, what happens if the developer of the Marketing site writes a terrible piece of code that causes a massive memory leak and crashes the web service? If all three websites share the same memory space, the Marketing code will violently drag down the HR and Finance sites with it!

The Solution: Application Pools. An Application Pool is a segregated memory sandbox. You create an App Pool for HR, an App Pool for Finance, and an App Pool for Marketing. You then assign each website to its respective pool. If the Marketing website crashes its Application Pool, the other two websites remain completely unaffected because their memory spaces are isolated by the Windows kernel.

5. Sites and Bindings

Inside the IIS Manager, a "Site" is the actual configuration linking a web address to a folder on the hard drive. To make a Site work, you must configure Bindings. A Binding tells IIS how to listen for traffic.
  • Type: http or https
  • Port: 80 (Unencrypted) or 443 (Encrypted)
  • Hostname: hr.corp.local

If you have two websites on the same server, IIS uses the Hostname binding to act as a traffic cop. When a request comes in, IIS checks the requested Hostname and routes the user to the correct folder.

6. SSL/TLS Certificates (HTTPS)

Never host a login page on HTTP (Port 80). The traffic is sent in plaintext, meaning anyone on the network can steal the passwords. You must use HTTPS (Port 443). To enable HTTPS, you must generate an SSL/TLS Certificate.
  1. 1. You request a Certificate from a trusted Certificate Authority (CA) like Let's Encrypt, or your internal Active Directory CA.
  1. 2. You import the Certificate into the IIS Manager.
  1. 3. You edit the Site's Bindings, add an https binding on Port 443, and select the imported Certificate from the dropdown menu. The website is now cryptographically secured!

7. Diagrams/Visual Suggestions

*Visual Concept: Application Pool Isolation* Draw a large box representing the IIS Server. Inside the box, draw three separate, heavily armored bank vaults. Vault 1 is labeled App Pool: HR. Inside is a web page icon. Vault 2 is labeled App Pool: Finance. Inside is a web page icon. Vault 3 is labeled App Pool: Marketing. Draw the web page icon inside this vault catching on fire. Draw thick armored walls containing the fire inside Vault 3, while Vault 1 and 2 remain perfectly safe. This vividly explains the architectural necessity of Application Pools.

8. Best Practices

  • Move the Web Root: By default, IIS places websites in C:\inetpub\wwwroot. This is a terrible enterprise practice because the C: drive contains the Windows Operating System. If a massive log file or user upload fills up the C: drive to 100%, the entire server crashes. Always create a secondary hard drive (e.g., D:\) specifically dedicated to hosting the web files to protect the OS drive.

9. Common Mistakes

  • Forgetting NTFS Permissions on Web Folders: If you create a new folder D:\Websites\Marketing and point IIS to it, the website might load a blank page or an "Access Denied" error. The IIS background service operates using a special hidden user account called IISIUSRS. If you do not manually edit the NTFS Security tab of your web folder and grant "Read" permission to the IISIUSRS group, the web server physically cannot read the HTML files to serve them to the public!

10. Mini Project: Deploy a Custom Web Page

Let's replace the default IIS welcome screen with our own custom corporate page.
  1. 1. Open Server Manager and install the Web Server (IIS) role.
  1. 2. Open Internet Information Services (IIS) Manager from the Tools menu.
  1. 3. Open File Explorer and navigate to C:\inetpub\wwwroot.
  1. 4. Delete the existing iisstart.htm file.
  1. 5. Right-click, create a new text document, and name it index.html. *(Make sure Windows isn't hiding the .txt extension, it must be .html!)*
  1. 6. Open it in Notepad and type:
<h1>Welcome to the Corporate Intranet</h1><p>This page is hosted on IIS.</p>
  1. 7. Save the file.
  1. 8. Open a web browser on any computer in the network and type the IP address of the Windows Server (e.g., http://10.0.0.50). You will instantly see your custom web page!

11. Practice Exercises

  1. 1. Explain the architectural purpose of an IIS Application Pool. Provide a specific scenario where deploying multiple websites into a single Application Pool would cause a catastrophic failure.
  1. 2. Detail the exact requirement regarding NTFS permissions when pointing an IIS Site to a brand-new, custom folder on the hard drive.

12. MCQs with Answers

Question 1

An administrator is hosting three completely different corporate websites on a single Windows Server utilizing IIS. To ensure IIS successfully routes incoming web traffic to the correct website folder, what specific configuration setting must the administrator define within the Site's configuration?

Question 2

To ensure that sensitive login credentials transmitted to an IIS web server cannot be intercepted in plaintext, an administrator must encrypt the traffic. This requires binding an SSL/TLS Certificate to the website and configuring the site to listen on which specific, encrypted TCP port?

13. Interview Questions

  • Q: A developer deploys a poorly optimized ASP.NET application to your IIS server. The application experiences a massive memory leak and crashes, violently bringing down four other completely unrelated websites hosted on the exact same server. Explain the architectural oversight regarding IIS configuration that allowed this cascading failure to occur, and how you will prevent it in the future.
  • Q: You configure a brand-new IIS website and point the Site root to a newly created folder on the D: drive. When you attempt to load the website in a browser, you receive a strict "Access Denied" error. Walk me through the exact NTFS permission adjustment required to allow the IIS service to physically read the web files.
  • Q: Explain the enterprise best-practice rationale for relocating the default IIS wwwroot directory from the C: drive to a dedicated, separate storage volume (e.g., the D: drive). What specific catastrophic server failure does this mitigate?

14. FAQs

Q: I have a PHP website (like WordPress). Can I run that on Windows Server IIS, or do I need Linux? A: You absolutely can run PHP on IIS! While Linux/Apache is the native home for PHP, Microsoft provides tools to seamlessly install the PHP engine onto IIS, allowing you to host WordPress sites natively on a Windows Server environment.

15. Summary

In Chapter 17, we transformed our Windows Server into a public-facing broadcasting platform by deploying Internet Information Services (IIS). We bypassed the default configurations, recognizing the danger of placing web assets on the OS drive and prioritizing dedicated storage volumes. We instituted absolute fault tolerance by engineering isolated Application Pools, guaranteeing that catastrophic code failures in one website cannot compromise the memory space of adjacent applications. Finally, we fortified the network perimeter, transitioning from the plaintext vulnerability of HTTP (Port 80) to the cryptographic security of HTTPS (Port 443) utilizing SSL/TLS Certificate Bindings.

16. Next Chapter Recommendation

Our server is powerful, but a single server is a single point of failure. It is time to scale up. Proceed to Chapter 18: Enterprise Server Infrastructure.

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter Monitoring and Performance Optimization
Next Chapter Enterprise Server Infrastructure

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 4

Related Quizzes 5

🎥 Related Videos 1