SQL And IIS Servers

One of the questions we are regularly asked concerns the implications of installing IIS and SQL on the same server. In this article we provide a summary of the key points to consider based on the current recommendations. Please note that these considerations are based on issues to do with IIS and SQL and not [email protected] or [email protected]


As servers have become more powerful there has been a natural tendency to consider installing IIS and SQL on the same server. There are a number of reasons why, in general, this is not an optimal configuration.

SQL Server Stability

SQL Server databases need to be robust, stable and secure. Consequently, updates and patches for SQL Server tend to be infrequent and, when released, tend to be extensively tested.

IIS Stability

Web servers, on the other hand, are designed to be accessed and viewed by a large number of people and by definition are exposed to the Internet (or at least a corporate Intranet). The resultant attraction of hackers to widely used IIS-based systems means a constant release of security patches at regular intervals (even if your IIS server is not exposed to the Internet).

These patches are applied regularly and frequently and therefore often without the testing that would be desired in an ideal world.
It would be fair to say that in terms of stability, SQL Server and IIS are at opposite ends of the scale.


By definition, a web server is usually exposed to external access, whereas a database server tends to be kept secure behind a firewall with very limited access to its functionality, and what functionality is exposed requires password access.

If you put SQL Server on the same box as IIS, then you elevate the risks and potential consequences if the IIS security is compromised. For a start, SQL Server runs with administrative privileges and has a number of features to read and write to the registry, call operating system commands, talk to other servers, etc.
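
As an added example (not part of the original article), the T-SQL audit below shows how much of that exposure is present on an instance that shares a server with IIS. Mapping the article's "features" to `xp_cmdshell`, `xp_regread`/`xp_regwrite`, OLE Automation, ad hoc distributed queries and linked servers is this example's assumption; the article does not name them.

```sql
-- Added example: audit the privileges and features that raise the impact of
-- an IIS compromise when SQL Server lives on the same box.
-- Assumption: the option and procedure names below are this example's reading
-- of "registry / operating system commands / other servers" in the article.
SET NOCOUNT ON;

-- 1. Which Windows account does each SQL Server service run as?
SELECT servicename,
       service_account,
       CASE WHEN service_account IN (N'LocalSystem', N'NT AUTHORITY\SYSTEM')
            THEN 'REVIEW: service runs as SYSTEM'
            ELSE 'check this account is not a local administrator'
       END AS finding
FROM sys.dm_server_services;

-- 2. Server-level options that allow OS commands, COM objects,
--    or ad hoc connections to other servers.
SELECT name,
       CAST(value_in_use AS int) AS enabled,
       CASE WHEN CAST(value_in_use AS int) = 1
            THEN 'REVIEW: disable unless required'
            ELSE 'ok'
       END AS finding
FROM sys.configurations
WHERE name IN (N'xp_cmdshell',
               N'Ole Automation Procedures',
               N'Ad Hoc Distributed Queries')
ORDER BY name;

-- 3. Linked servers this instance can reach (onward paths from this box).
SELECT name, product, provider, data_source
FROM sys.servers
WHERE is_linked = 1;

-- 4. Explicit permissions on the registry and OS-command extended procedures.
--    Grants to public or to the web application's login deserve scrutiny.
SELECT o.name  AS procedure_name,
       pr.name AS grantee,
       p.permission_name,
       p.state_desc
FROM master.sys.database_permissions AS p
JOIN master.sys.all_objects AS o
     ON o.object_id = p.major_id
JOIN master.sys.database_principals AS pr
     ON pr.principal_id = p.grantee_principal_id
WHERE p.class = 1
  AND o.name IN (N'xp_cmdshell', N'xp_regread', N'xp_regwrite');
```

Run it with a login that has VIEW SERVER STATE; any row marked REVIEW is a capability that a compromised web application could inherit through its database connection.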

Server Specialisation

Database servers tend to be designed for resilience whereas web servers (which of course need to be reliable too) are more focused on delivering web pages as quickly as possible.


SQL Server loves memory. So, unfortunately, does IIS, particularly if the website makes extensive use of session variables.


The operations of a web server directly oppose the typical requirements of a database server.

Buying two machines of adequate specification to run IIS and SQL separately may actually be cheaper than buying one super server to handle both.

If possible keep them separate and tune/upgrade/optimise as appropriate to each.