Development in IIS or on file system

[Mark]

ASP.NET 2.0 installs web projects by default in the file system, leveraging
the increased security of the new personal web server, rather than relying
on hacker prone IIS. However, it strikes me that this will add more
headaches for testing because your development doesn't use IIS. For
example, you lack the benefits of testing withing the VS IDE with debugging,
as well as identifying IIS issues upfront. We work in an environment where
Microsoft's updates are automatically downloaded and installed, keeping IIS
ideally as up to date as Microsoft is able to make it.

Aside from the obvious security benefit of not using IIS, are there other
advantages/disadvantages/work arounds that should be considered here?

Thanks in advance.

Mark

 

[Jim Cheshire]

ASP.NET 2.0 installs web projects by default in the file system, leveraging
the increased security of the new personal web server, rather than relying
on hacker prone IIS. However, it strikes me that this will add more
headaches for testing because your development doesn't use IIS. For
example, you lack the benefits of testing withing the VS IDE with debugging,
as well as identifying IIS issues upfront. We work in an environment where
Microsoft's updates are automatically downloaded and installed, keeping IIS
ideally as up to date as Microsoft is able to make it.

Aside from the obvious security benefit of not using IIS, are there other
advantages/disadvantages/work arounds that should be considered here?

At the risk of answering what appears to be, at least in part, a
loaded question, it's important to remember that development and test
are two different stages.


Jim Cheshire

 

[Mark]

Yes - testing is certainly done beyond development. However, it is my
responsibility to test my software thoroughly prior to handing it to the
tester. I can copy the files from the file system to my local IIS to test
.... but again I lose the debug capabilities, not to mention the ease of
finding problems just by working natively in IIS all the time.

Also - no loaded question was intended. Microsoft has created a "safe"
place for us to develop code, but it strikes me as a limited environment.
I'd love feedback on how others intend to balance the need for feeling safe,
and the desire for increased functionality. Once we have our team head down
one path, it would be a pain to change it for everyone.

Thanks again.

Mark

 

[Jim Cheshire]

Yes - testing is certainly done beyond development. However, it is my
responsibility to test my software thoroughly prior to handing it to the
tester. I can copy the files from the file system to my local IIS to test
... but again I lose the debug capabilities, not to mention the ease of
finding problems just by working natively in IIS all the time.

Also - no loaded question was intended. Microsoft has created a "safe"
place for us to develop code, but it strikes me as a limited environment.
I'd love feedback on how others intend to balance the need for feeling safe,
and the desire for increased functionality. Once we have our team head down
one path, it would be a pain to change it for everyone.

Yes, the ASP.NET Development Server is a limited environment for sure.
There are several reasons why we chose to go that route, but one of
the most important ones is that it allows developers to run and debug
code as non-administrators. This has traditionally been a painful
process, especially for educational institutions and government
agencies.

One thing that you may not have thought of is using the ASP.NET
Development Server to debug content that physically exists on an IIS
instance. In other words, say that you have a Web server called Web01.
You can map a drive (say the G drive) on your development box that
maps to the content of your Web site on the Web server. In VS 2005,
you simply open your project using that file path. Then when you
debug, you will actually run against the ASP.NET Development Server,
but you can also browse the exact same content on the IIS instance.


Jim Cheshire

 

[Mark]

Interesting points. Thanks for the details. Assuming that our developers
are all admins on our boxes, and that we all have IIS installed locally on
our machines, is there any good reason not to develop our applications right
in our local IIS instances?

Thanks again.

Mark

 

[Jim Cheshire]

Interesting points. Thanks for the details. Assuming that our developers
are all admins on our boxes, and that we all have IIS installed locally on
our machines, is there any good reason not to develop our applications right
in our local IIS instances?

No, in your scenario, you can certainly use the local IIS instance.

Jim Cheshire

 

[S. Justin Gengo]

Mark,

To add to Jim's answer, at my main job (F+W Publications, Inc.) we develop
on IIS and I develop using IIS for my own side business also. I prefer it
that way for many of the same reasons you are thinking of doing it. And my
setup is similar to yours in many ways. I would recommend doing one thing if
you're worried about IIS possibly being compromised. Because we have our
development boxes opened up at work (not to the public but internally) we
run software firewalls and allow only local 127.0.0.1 access to IIS. That
locks it down pretty tightly.

Regards,

--
S. Justin Gengo
Web Developer / Programmer

Free code library:
http://www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche

Interesting points. Thanks for the details. Assuming that our developers
are all admins on our boxes, and that we all have IIS installed locally on
our machines, is there any good reason not to develop our applications
right in our local IIS instances?

Thanks again.

Mark