Monitoring and Tuning Your Server
Monitoring Security Overhead
Security is achieved only at some cost in performance. Measuring the performance overhead of a security strategy is not simply a matter of monitoring a separate process or threads. The features of the Windows 2000 security model and other IIS 5.0 security services run in the context of the IIS 5.0 process; they are integrated into several different operating system services. You cannot monitor security features separately from other aspects of the services.
Instead, the most common way to measure security overhead is to run tests comparing server performance with and without a security feature. The tests should be run with fixed workloads and a fixed server configuration, so that the security feature is the only variable. During the tests, you probably want to measure:
- Processor Activity and the Processor Queue: Authentication, IP address checking, SSL protocol, and encryption schemes are security features that require significant processing. You are likely to see increased processor activity, both in privileged and user mode, and an increase in the rate of context switches and interrupts. If the processors in the server are not sufficient to handle the increased load, queues are likely to develop. Custom hardware may help here. For more information, see Security in this book.
- Physical Memory Used: Security requires that the system store and retrieve more user information. Also, the SSL protocol uses long keys—40 bits to 1,024 bits long—for encrypting and decrypting the messages.
- Network Traffic: You are also likely to see an increase in traffic between the IIS 5.0–based server and the domain controller used for authenticating logon passwords and verifying IP addresses.
- Latency and Delays: The most obvious performance degradation resulting from complex security features like SSL is the time and effort involved in encryption and decryption, both of which use lots of processor cycles. Downloading files from servers using the SSL protocol can be 10 to 100 times slower than from servers that are not using SSL.
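The with/without comparison described above, as an added example that is not part of the original documentation: it averages each counter from two Performance Monitor logs and reports the change attributable to the security feature. The host name WEB01, the sample values, and the assumption that both logs were exported as PDH-CSV text are constructed for illustration.

```python
import csv
import io
from statistics import mean

# Constructed sample logs (not real measurements): same workload and server
# configuration, security feature off vs. on. Host name WEB01 is hypothetical.
HEADER = (r'"(PDH-CSV 4.0)","\\WEB01\Processor(_Total)\% Processor Time",'
          r'"\\WEB01\Processor(_Total)\% Privileged Time",'
          r'"\\WEB01\System\Context Switches/sec",'
          r'"\\WEB01\System\Processor Queue Length"' "\n")
BASELINE_CSV = HEADER + ('"10:00:00"," "," "," ","0"\n'
                         '"10:00:15","20.0","8.0","1000","0"\n'
                         '"10:00:30","30.0","12.0","1200","0"\n')
SECURED_CSV = HEADER + ('"11:00:00"," "," "," ","2"\n'
                        '"11:00:15","60.0","20.0","2000","4"\n'
                        '"11:00:30","70.0","30.0","2400","3"\n')


def counter_means(csv_text):
    """Mean of every counter column; blank samples are skipped."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    header, samples = rows[0], rows[1:]
    means = {}
    for col, path in enumerate(header[1:], start=1):
        name = path.lstrip("\\").split("\\", 1)[1]  # drop the \\HOST prefix
        values = [float(r[col]) for r in samples
                  if len(r) > col and r[col].strip()]
        if values:
            means[name] = mean(values)
    return means


def security_overhead(baseline_csv, secured_csv):
    """Map counter -> (baseline mean, secured mean, percent change or None)."""
    base, sec = counter_means(baseline_csv), counter_means(secured_csv)
    report = {}
    for name in sorted(base.keys() & sec.keys()):
        b, s = base[name], sec[name]
        # A zero baseline (for example, no queue at all) has no percent change.
        report[name] = (b, s, None if b == 0 else (s - b) / b * 100.0)
    return report


if __name__ == "__main__":
    for name, (b, s, pct) in security_overhead(BASELINE_CSV, SECURED_CSV).items():
        change = "n/a (baseline 0)" if pct is None else f"{pct:+.1f}%"
        print(f"{name:45} {b:10.2f} {s:10.2f} {change}")
```
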
If a server is used both for running IIS 5.0 and as a domain controller, the proportion of processor use, memory, and network and disk activity consumed by domain services is likely to increase the load on these resources significantly. The increased activity can be enough to prevent IIS 5.0 services from running efficiently. It is a good idea to test such a server thoroughly before deploying it.
See Measuring Security Overhead with WCAT
© 1997-1999 Microsoft Corporation. All rights reserved.