MSDN Briefing - IIS 7.0 - MSDN Blogs

MSDN Briefing

IIS7 for Developers

Christoph Wille, MVP ASP.NET
Internet Information Services

integrated   extensible   componentized   delegated   secure   compatible   supportable
IIS – A Colorful Past

 1996 - V1 ships with WindowsNT 4.0
   V2 & V3 releases came in follow-up SP releases
 1997 – V4 part of NT 4 Option Pack
 2000 – V5 installed by default in Windows
   March 2001, #1 in Internet Site Share
   Fall 2001, Code Red and Nimda
 2003 – V6 released in Windows Server 2003
IIS 6 Today
  Secure by Default
    IIS no longer installed by default with OS
    IIS installs with “locked down” configuration
    Runs with minimal permissions, secure configuration

  Secure by Design
    Extensive design & code reviews
    Penetration testing
    Defense in depth

  Process architecture design for application failure
    Health detection
    Automatic recycling of applications

   Result: Zero critical security patches since
  release. #1 in reliability for major internet sites.

 Architecture Overview
 Administration & Troubleshooting
For Developers
 Where do I get IIS 7.0?
   Windows Vista Editions with IIS 7.0
          Vista Edition    Available
          Home Basic       N
          Home Premium     N
          Business         Y
          Ultimate         Y

 Where do I start?
   What type of developer are you?
   Native Developers vs. Managed-code Devs
   Understanding the Core Server Architecture
Installation Differences

 IIS 7.0
   Rebuilt setup architecture
   Uses Vista’s Windows Features On and Off
   Can also use Vista’s Package Manager

   IIS Minimal Install (core server plus WAS; the feature list is incomplete in the source):
   start /w pkgmgr /iu:IIS-WebServerRole;WAS-
   WAS-NetFxEnvironment;WAS-ConfigurationAPI

   Full Install of all IIS Components (the feature list is incomplete in the source):
   start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;
   IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;
   IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;
   WebServerManagementTools;
Architecture Introduction
 IIS 7.0’s architecture, albeit similar to IIS 6.0,
 offers unique changes
 Default architecture has same “players” with
 some fresh new ones
 (Diagram: the default process players, with Inetinfo now optional)
A Review…IIS 6.0 Architecture

 (Diagram: one monolithic pipeline; Authentication (NTLM, Basic, Anon) → Determine Handler (Static File, ASP.NET, PHP, …) → Send Response → Log, Compress)

  Monolithic implementation
  Install all or nothing…
  Extend server functionality only through ISAPI…
IIS7 Request Processing

 (Diagram: the same stages, now as pluggable modules; Authentication (NTLM, Basic, Anon) → ResolveCache → Determine Handler (Static File, CGI, …) → Send Response → Log, Compress)

  Server functionality is split into ~ 40 modules...
  Modules plug into a generic request pipeline…
  Modules extend server functionality through a public module API.
Architecture in IIS7
  What does the “Core” do?
    Exposes interfaces
    Agrees to “hook” up interfaces via subscription or
    Primary workhorse for Web server
    Code authors:
      Microsoft: In the form of “modules” that will ship with
      the IIS7 platform
      You: The rest of the world
IIS6 ASP.NET Integration

 (Diagram: IIS pipeline of Authentication (NTLM, Basic, Anon), Determine Handler (Static File, CGI, ISAPI), Send Response, Log, Compress; aspnet_isapi.dll hangs off the ISAPI handler with its own Authentication (Forms, Windows), Map Handler, Trace, …)

  Runtime limitations
    Only sees ASP.NET requests
    Feature duplication
IIS7 ASP.NET Integration

 (Diagram: one integrated pipeline of Authentication, …, ExecuteHandler, …, UpdateCache, SendResponse, Compress; ASP.NET’s Authentication (Forms), Map Handler, Trace, … modules plug directly into it, while aspnet_isapi.dll remains available as an ISAPI for classic mode)

  Two Modes
    Classic (runs as ISAPI)
    Integrated Mode
      Authentication modules / handlers plug directly into pipeline
      Process all requests
      Full runtime fidelity
Reviewing IIS 7.0 Architecture
 (Diagram: IIS 6.0 W3WP’s compared with IIS 7.0 W3WP’s)

 The Most Secure Web Server Ever
Metabase vs. “AppHost.config”
 IIS 6.0’s Metabase Design
   Supported legacy, out-dated interface (ABO)
   Maintained own ACL’ing within file, rather than
   via file system ACL’ing
   Delegation wasn’t supported, relied solely on
   Administrative privileges
   Remote capabilities were limited, not user-
   friendly experience
   Schema wasn’t architected in easy-to-use format
   Extending schema was nearly impossible
Metabase vs. “AppHost.config” (2)
 Introducing ApplicationHost.config
 Location: %windir%\system32\inetsrv\config
 Default configuration:
   All features disabled *except*
     Directory Browsing (directoryBrowse)
     Default Document (defaultDocument)
     HTTP Redirect (httpRedirect)
     HTTP Protocol (httpProtocol)
 Features unlocked using IIS Manager or
Metabase vs. “AppHost.config” (3)
 ApplicationHost.config Facts:
   Uses strongly-typed Schema

   Easily edited using favorite XML editor
   Broken down into two pieces:
   Delegation of IIS settings are unlockable and
   distributable to web.config’s deployed with
Metabase vs. “AppHost.config” (4)
 ApplicationHost.config Facts (cont.):
   Uses well-known XML
   Organized into tightly-coupled groups for like
   features (i.e. collections)
   Uses simple key\value pairs for many options
   like true\false, 0 or 1, etc.
            <directoryBrowse enabled="false" />

   Extending schema is drag\drop experience (add
   XML file to /config directory and restart IIS)
Configuration Highlights
  Delegated Configuration Administration
     Administrators may allow app owner to modify settings
     Developers can set and deploy settings with their applications
     Xcopy-deployment of self-contained applications without running
     admin tool or scripts to configure -- even to centralized UNC share
  Unified Configuration Model for Entire Web Platform
     Administrators may use same file for IIS, ASP.NET, Indigo settings
     Developers can use same API and concepts across entire platform
     AuthN, AuthZ, custom errors, handlers, etc are set one single way
  Extensibility and Customization is easy
     Administrators can control what sections are registered with the
     Developers can reuse base classes to quickly develop custom
     Clean schema allows smooth editing by hand (text/XML editor), API
     or admin tool
  Compatibility Built-In at the API level
     ABO / ADSI scripts and applications continue to work
Configuration Layout
 (Diagram: inheritance flows from the root configuration files, applicationHost.config plus the root web.config, which together cover IIS + ASP.NET + .NET Framework, down to the web.config files deployed with sites and applications.)
Configuration Delegation
  Delegation is:
    Configuration locking, “overrideMode”
    ACL’s on configuration files

  By default…
    All IIS sections locked except:
      Default Document
      Directory Browsing
      HTTP Header
      HTTP Redirects
    All .NET Framework / ASP.NET sections are
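The locking described above is an attribute in applicationHost.config, and the same Microsoft.Web.Administration API the briefing mentions can set it. The following is an added example, not code from the briefing; it assumes IIS 7.0 with Microsoft.Web.Administration.dll referenced, a site named "Default Web Site", and an elevated process.

```csharp
// Added example, not from the briefing: lock the directoryBrowse section for one
// site so that a web.config deployed with an application cannot re-enable it.
// Assumptions: IIS 7.0 with Microsoft.Web.Administration.dll referenced, a site
// named "Default Web Site", and an elevated process.
using System;
using Microsoft.Web.Administration;

class LockDirectoryBrowse
{
    const string SiteName = "Default Web Site";                 // assumed site name
    const string SectionPath = "system.webServer/directoryBrowse";

    static void Main()
    {
        using (ServerManager mgr = new ServerManager())
        {
            // applicationHost.config (%windir%\system32\inetsrv\config) is the root
            // of the IIS hierarchy; passing a location path edits the
            // <location path="Default Web Site"> block inside it.
            Configuration appHost = mgr.GetApplicationHostConfiguration();
            ConfigurationSection dirBrowse = appHost.GetSection(SectionPath, SiteName);

            // Set the safe value at the server level...
            dirBrowse["enabled"] = false;

            // ...and lock the section: overrideMode="Deny" stops every web.config
            // below this path from overriding it. The Feature Delegation page in
            // IIS Manager toggles the same attribute.
            dirBrowse.OverrideMode = OverrideMode.Deny;

            mgr.CommitChanges();

            // OverrideModeEffective reports the result after inheritance from
            // parent levels is applied, which is what the server enforces.
            Console.WriteLine("{0} at '{1}': enabled={2}, effective override mode={3}",
                SectionPath, SiteName, dirBrowse["enabled"], dirBrowse.OverrideModeEffective);
        }
    }
}

// What CommitChanges() writes into applicationHost.config:
//
//   <location path="Default Web Site" overrideMode="Deny">
//     <system.webServer>
//       <directoryBrowse enabled="false" />
//     </system.webServer>
//   </location>
//
// A web.config under the site that contains <directoryBrowse enabled="true" />
// is now rejected with HTTP 500.19 ("This configuration section cannot be used
// at this path") instead of silently exposing a directory listing.
```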

 Customized Workload
 Site Creation – A Tour of the UI
 Currently Executing Requests
 Configuring a Site for AuthN
Modules vs. ISAPI

 IIS 6.0 Development
   First-class access to requests was only allowed
   using Internet Server API (ISAPI)
   ISAPI only supported C\C++ languages and was
   rather complex technology
 Client vs. Server Versions
   Windows XP Professional shipped with IIS 5.1
   yet lots of development was for IIS 6.0
   IIS 6.0 shipped on Windows Server 2003 and
   architected differently than IIS 5.x
Modules vs. ISAPI (2)

 Client vs. Server Versions (cont.)
   Managed-code development architecture
   differed heavily between IIS 5.x & 6.0
   ASP.NET was written as an ISAPI and had
   duplicate functionality as IIS 6.0
 IIS 7.0
   IIS 7.0 on client is the same as on Server (via
   service packs)
   Support for multiple development interfaces to
   interact with IIS 7 Core Server
IIS 7.0 Native Modules
 Vista ships with the potential of 40+ modules
 Most are native modules built using the new
 Native C\C++ APIs
 Native modules are defined in the
 <globalModules> section of
 IIS 7.0 full install
 has 33 native
Utility Modules
 Used to help the server engine with its
 internal operations
 Do not provide configuration for these in

Module Name  | Purpose                                                 | If removed?
cacheuri.dll | Cache configuration, etc. after first request for a URI | Performance
cachfile.dll | Cache of file handles currently opened by core server   | Performance
cachtokn.dll | Caches token for password-based authentication          | Performance
Compression Modules
 Provides Static & Dynamic compression
 mechanisms for IIS requests
Module Name  | Purpose                                                                       | If removed?
Compdyn.dll  | Implements in-memory compression of dynamic content                           | None, not installed by default
Compstat.dll | Implements in-memory as well as file-based compression for static content     | Network bandwidth saturation with large requests

  Configurable locations:
Authentication Modules
  IIS 7.0 core authentication modules
Module Name  | Purpose                                                | If removed?
authanon.dll | Implements anonymous authentication                    | Anonymous Authentication is not available
authbas.dll  | Implements HTTP basic authentication                   | Basic authentication is not available
authsspi.dll | Implements Windows Authentication (NTLM\Kerberos)      | Negotiate (Kerberos), NTLM are unavailable
authmd5.dll  | Implements Digest Authentication                       | Digest Authentication is not available
authcert.dll | Implements IIS Client Certificate Mapping (Requires SSL) | Client Certificates are not accepted for
authmap.dll  | Maps SSL Client Certs to an Active Directory Account   | Active Directory mapping is unavailable
Security Modules
 Implements URL authorization, and
 IP\Domain restrictions
Module Name  | Purpose                                                                                                          | If removed?
Urlauthz.dll | Implements authorization based on configuration rules                                                            | No ability to do URL-based denying via configuration and
Iprestr.dll  | Implements an authorization of requests based on the client’s IPv4 Address                                       | No IP-based restricting of requests
modrqflt     | Implements a powerful set of security rules based on known & unknown attack vector points (previously known as URLScan) | No request filtering based on extension, query string size, etc.
Logging & Error Modules
 Implements logging functionality
 Implements custom & detailed errors
Module Name | Purpose                                                                                                                                                                                                        | If removed?
Logcust.dll | Implements the ILogPlugin interface on top of IIS7. It is not recommended to use this as it is an old implementation. Recommendation is to write your own module and subscribe to the RQ_Log_Request event. | Applications dependent on legacy interface will not work
Loghttp.dll | Implements standard IIS logging                                                                                                                                                                                | No request data will be logged
Custerr.dll | Allows for the use of custom errors and the new IIS7 detailed error features                                                                                                                                   | No error messages (custom or detailed) will be sent to clients
Diagnostics Modules
  Implements IIS 7.0’s Request Monitoring,
  tracing, and Failed Request Tracing
 Module Name | Purpose                                                                                                                    | If removed?
 iisetw.dll  | Implements Enterprise Tracing for Windows functionality to capture detailed trace logs                                     | No tracing of specific requests is available
 iisfreb.dll | Implements tracing of failed requests                                                                                      | No automatic tracing based on the configured rules
 iisreqs.dll | Implements the runtime state & control APIs for IIS 7.0 allowing viewing of executing requests, start\stop of sites, etc.  | Unable to see runtime data or start\stop\pause websites
Development Modules
 Development technologies offered as to
 execute code from that platform
 Implements Managed Interfaces, etc.
Module Name   | Purpose                                                                                                         | If removed?
Isapi.dll     | Implements ISAPI Extension Server Functionality                                                                 | No ISAPI extension will be executed
Filter.dll    | Implements ISAPI filter functionality                                                                           | No ISAPI filter will be loaded into any
Cgi.dll       | Implements Common Gateway Interface (CGI) on top of IIS 7.0                                                     | No CGI dll or exe will be executed
Webengine.dll | Connects the IIS core pipeline with the ASP.NET runtime and bridges between native and managed code in IIS 7.0  | No managed code will be supported in IIS 7.0
Misc. Modules
  Performs independent functionality outside of
  any group
 Module Name  | Purpose                                                                                                             | If removed?
 defdoc.dll   | Implements default document feature using defaultdoc section                                                        | Specific URL is required and any / will fail
 dirlist.dll  | Implements IIS 7.0’s directory browsing functionality                                                               | Directory browsing will not be allowed
 protsup.dll  | Implements: custom/redirect response headers; custom HTTP verbs (trace\options); allows use of HTTP keep-alive       | Specific features outlined in purpose will not be available
 redirect.dll | Implements redirect functionality of incoming requests                                                              | If redirects are removed, content protected by redirect will be available
Misc. Modules (cont.)
Module Name  | Purpose                                                                        | If removed?
Iis_ssi.dll  | Implements server-side includes                                                | Special case where this module is actually mapped as handler for .stm, .shtm, and .shtml
static.dll   | Responsible for sending out responses for extensions listed in mimeMap section | Without it, no static file (htm, images, etc.) will be sent to client
validcfg.dll | Validates at run-time if configuration is valid for IIS 7.0’s integrated mode  | No validation or help is available when configuration is deployed improperly
IIS 7.0 Managed Modules
 Managed Modules are loaded in two ways
   Called by webengine.dll (integrated mode)
   Called by core ISAPI module – isapimodule.dll
 Integrated Mode offers ASP.NET module
 features access to all types of content
 Classic mode runs exactly like IIS 6.0 &
 ASP.NET 2.0
 Managed modules are only defined at
 application level (<modules>) along with
 native modules
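To make the integrated-mode point above concrete, here is an added example (not code from the briefing) of a managed module that sees every response, static files included, and strips the Server header; the class, assembly and file names are assumptions.

```csharp
// Added example, not from the briefing: a managed module that removes the
// Server response header. Registered in <system.webServer><modules>, it runs for
// every request in integrated mode (static files, CGI, PHP included), not only
// for ASP.NET requests; in classic mode it sees only what aspnet_isapi.dll
// handles. Class and assembly names are assumptions.
using System;
using System.Web;

public class RemoveServerHeaderModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Subscribe to the pipeline event raised just before headers are sent.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        try
        {
            // Response.Headers is writable only under the integrated pipeline.
            app.Context.Response.Headers.Remove("Server");
        }
        catch (PlatformNotSupportedException)
        {
            // Classic mode: the header collection is not accessible from managed
            // code, so the module degrades to a no-op instead of failing requests.
        }
    }

    public void Dispose() { }
}

// web.config deployed with the application, assuming the <modules> section is
// delegated to the application (assembly name "RemoveServerHeader" is assumed):
//
// <configuration>
//   <system.webServer>
//     <modules>
//       <add name="RemoveServerHeader"
//            type="RemoveServerHeaderModule, RemoveServerHeader" />
//     </modules>
//   </system.webServer>
// </configuration>
```

The same module deployed under classic mode still loads, but the Server header stays on non-ASP.NET content because the request never reaches managed code.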
IIS 7.0 Managed Modules
 Managed-code module parity with ASP.NET 2.0 (requires the webengine.dll native module)

Name                    | Purpose
WindowsAuthentication   | Sets the identity for the application to the Windows-authenticated user
FormsAuthentication     | Allows authentication against all content using forms-based authentication to a database\file
DefaultAuthentication   | Ensures that an auth object is present in the app
OutputCache             | Controls the output caching policies for your application
URLMappingModule        | Defines a mapping that hides the real URL and maps to a friendly one
Session                 | Configures session state settings for current
UrlAuthorization        | Allows URL-based authorization via managed-code
Profile                 | Configures parameters for mapping user profile values
RoleManager             | Configures an application for role management
FileAuthorization       | Allows file-based authorization via managed-code
AnonymousIdentification | Configures anonymous auth for application


 URL Rewriting
 Directory Listing
IIS 6.0 Tracing vs. Failed
Request Tracing
 Tracing: What it is?
 IIS 6.0 Usage:
   No User Interface Support
   Updated as part of Service Pack 1
   Very difficult to restrict tracing to extensions, or
   Not extensible with custom events written by
IIS 6.0 Tracing vs. Failed
Request Tracing (2)
  IIS 7.0’s Failed Request Tracing
 Setting up Tracing:
 • IIS Manager
 • Enabled Globally
 • Actual Trace attributes
   settable per-site or per-
IIS 6.0 Tracing vs. Failed
Request Tracing (3)
 Viewing Trace Data in IIS 6.0: difficult, yet
 when understood is very useful
 Viewing Trace Data in IIS 7.0: easy-to-use
 XSLT breaks out various data to simplify reviewing

 FREB in Action
IIS 6.0 Security vs. 7.0 Security
  IIS 6.0 Security –
    All Bits Installed (%windir%\system32\inetsrv)
    “Features” turned on\off
    Uses local account and group for anonymous
    client requests and process account
    IIS_WPG: Group for allowing process creation
    and security
    URLScan added for additional security features
    not offered by Core server
IIS 6.0 Security vs. 7.0 Security
 IIS 7.0 Security:
   Change                                                    | Purpose                                                                                      | Benefit
   Only install bits selected                                | Reduce the footprint, lessen management tasks such as patching, etc.                          | Build truly customizable Web workloads to maximize security and improve performance
   Convert URLScan to installable features, rather than add-on | Bring a popular security tool into the product to simplify deployment, configuring, and supporting | With one click, RequestFilteringModule can be installed, and with one easy file deployed with your content it is working
   Change local accounts to built-in accounts                | Avoid management of passwords, ACL’ing problems and better handle Web farm deployments        | Every installation of IIS 7.0 installs the same accounts, with same GUIDs, and with same ACLs and everything “just works.”
Unified authentication, authorization
across web server platform
  Fully supports non-Windows principals!

  All authentication schemes configured one single way for
  all types of content
    Forms authentication is now fully supported

  IIS extends its ACL authorization model with URL
    Membership system support (includes support for custom
    Windows principals (stored in the local SAM or Active Directory)
    Custom configuration credential sections (non Window principals)
Unified Authentication and Authorization
Reconciled impersonation model

       IIS 7.0 always uses the following rules (in order of precedence)

       1. If a username/password is configured at a virtual directory it is used first

       2. If virtual directory username/password is not configured, the authenticated
          users credentials are used (anonymous, basic, windows)

       3. If no authenticated user (e.g. if forms authentication was used or no
          authentication module is configured) the process identity is used
        Example: a Web user requests a page and the VDIR has a username and password configured. The credentials configured for the virtual directory are used.
        Example: a Web user requests a page, the VDIR has no username/password configured, and the user is prompted and provides valid Windows credentials (note: the <authentication> section needs to be configured accordingly). The client credentials or anonymous identity provided during authentication is used.
        Example: a Web user requests a page, the VDIR has no username/password configured, and no user authentication is configured. The process identity is used.

       ASP.NET developers can still define their own identity
       section if required by their applications
           Useful for applications that reside on different machines

       Example: a Web user requests a page; IIS uses any of the impersonation methods and impersonates some Windows identity. ASP.NET developers can use their web.config to impersonate an alternate identity (example: for database access).

 Extending AuthN & AuthZ
Administration Extensibility

 Delegated administration
   Non-administrators can change relevant settings.
   Admins specify what’s allowed per site and application.
 Unified management for the entire web platform
   IIS and ASP.NET settings are presented within the same
   user interface.
 Extensible architecture
   Developers can create custom management features.
 Remote administration
   Administer locally, over the intranet, or over the Internet.
 New modern look and feel
   A new navigation-based, task-oriented, rich user
 (Diagram: the Web Management Client, consisting of Connection Manager, Module, Module Service Proxy and Module UI, talks over a Connection to the Web Management Server, a standalone Web server at http://server:8080/…, which hosts the Login Handler, Content and Configuration, Runtime state and Provider Data for IIS 7.0 inside the application appdomain, with the Module Service on the server side.)

  Extensibility Points
    New Features and Pages
      Register new pages with the Control Panel
    Existing plug-in points
      Lock Configuration
      Provider Configuration
    Custom extensibility using the Extensibility

  Adding a new management module
      Write a new Module Provider
      Write a Module Service
      Install the DLL to the GAC
      Register the module in the root configuration
      Enable the module
      Write a new Module
      Write a Module Service Proxy
      Write some Module Pages
      Plug in existing features using the Extensibility Manager

 Server Header
  End-to-End Sample with Module

   Listing Sites
   Creating a Site
   App Pool Creation
 Something new for everyone in IIS 7.0
 Most radical changes in IIS since IIS 4.0
 IIS 6.0 was…
   Limited for Developers because of ISAPI and less-than desirable support for
   Limiting configuration for key scenarios, such as delegation and schema
   Limited troubleshooting capabilities to support zero-repro environments

 IIS 7.0 is…
   Easy to extend using any language, native or managed
   Robust configuration supporting delegation, schema extensibility
   Task-based oriented, newly re-written IIS Manager supporting delegation,
   and much more
   Has awesome diagnostics which are natively built into the plumbing of IIS 7.0
