Document

Report
Securing and Tuning IIS7
Microsoft®
Hosting Deployment
Accelerator
What We’ll Cover
IIS7 Performance
New IIS7 Performance Features
Tuning IIS7
IIS7 Security
Reduced Attack Surface
Architectural Changes
New Security Features
Windows Server Core
Get both performance and security benefits
IIS7 Performance Improvements
Kernel mode SSL and Windows authentication
Performance improvements up to 150%
More powerful compression
For static and dynamic content
Output caching
Per URL, query string and/or request headers
API’s for putting responses in the output cache
Improved scalability
Host thousands of sites
FastCGI
Great way to run PHP on IIS
CGI vs. FastCGI
IIS7 Tuning Tips
Enable Output Caching for semi-dynamic pages
Low bandwidth Branch Offices?
Enable Dynamic Compression (~ 5% CPU overhead)
Need to run many web apps on a single box?
Run IIS worker processes in Wow64 mode
Room for the OS, scalability for your web apps
Now a per-AppPool setting: Enable32BitAppOnWow64
Thinking about buying new Web Server hardware?
W2K8 scales extremely well on new multi-proc boxes (4 and 8 core)
IIS7 Tuning Tips
Thousands of requests per second?
Remove modules you don’t need
Don’t know why some pages are so slow?
Turn on FREB and the “time-taken” feature to investigate
You * scriptmapped all requests to ASP.NET in IIS6?
Integrated Pipeline is much faster than an IIS6 * scriptmap solution
Try together with IIS7 URL Authorization
IIS7 Tuning Tips
PHP applications?
PHP on top of FastCGI is much faster than traditional CGI
The majority of your requests go to your Default Document?
Put it on top of the list – otherwise IIS7 has to check every time
Static default documents will be cached in kernel-mode (+450%)
Looking for tools to measure web server performance?
Try WCAT 6.3 from www.iis.net/downloads
Output Caching
IIS7 Security
Building upon a solid foundation - IIS6
Reduced Attack Surface
Server Core
Componentization
Application Pool Isolation and other architectural
changes
Security Features
Request Filtering
URL Authorization
IIS7 Installable Components
Logging and
Diagnostics
AuthN/AuthZ
HttpLoggingModule
CustomLoggingModule
RequestMonitorModule
TracingModule
Extensibility
BasicAuthModule
ManagedEngineModule
DigestAuthModule
ISAPIModule
WindowsAuthModule
ISAPIFilterModule
CertificateAuthModule
CGIModule
AnonymousAuthModule
ServerSideIncludeModule
FormsAuthModule
UrlAuthorizationModule
Core Web Server
StaticFileModule
DefaultDocumentModule
HttpCacheModule
DirectoryListingModule
DynamicCompressionModule
Http Protocol Support
CustomErrorModule
StaticCompressionModule
Configuration and Metadata Caches
Request FilteringModule
ProtocolSupportModule
TokenCacheModule
UriCacheModule
OptionsVerbModule
HttpRedirectionModule
SiteCacheModule
FileCacheModule
Componentization
Security Architecture Improvements
Feature delegation
Allow non-administrators to manage IIS7 settings
remotely
Allow fine-grained control over feature delegation
Application pool isolation
Sandboxing out-of-the-box
Security Architecture Improvements
IIS7 identities are built-in
Anonymous User IUSR_<machinename> → IUSR
IIS_WPG is now IIS_IUSRS
Easier to administer, scale-out and configure
You no longer need to add worker process identities to
IIS_IUSRS group
Anonymous user is no longer required
Worker process identity does the job
Application Pool Isolation
Security Features
.NET security integration
Roles profile, membership forms auth, URL auth modules
support any type of content
Use of .NET Role and Membership Providers
URL Authorization
Control access via web.config files instead of using ACLs
Request Filtering
Filter verbs, sequences, urls, headers
Request Filtering
Server Core
Server Core is:
A minimal installation option for Windows Server®
2008
Part of the Windows Server® 2008 general purpose
SKUs
Available for x86 and x64
Server Core Benefits
Today’s challenges
Servers have single role or a fixed workload
Administrators are required to deploy and service the full OS
Non-value add features present a servicing and security burden
Administrators think of servers in terms of server roles
With Server Core:
Fewer Patches
Reduces # of patches by ~60% (based on all Win2000 patches)
Servicing burden is reduced by removing components that are most often
serviced
More Secure, Reliable and Less Management
Removal of non-value add legacy & client components from server
Server Core Overview
Server Core:
Provides minimal server OS functionality
Core sub-systems:
Security logon, networking (TCP/IP), file system, RPC, etc.
Infratructure:
Command-shell, domain join, eventlog, perfcounters, HTTP, IPSec
Basic set of management tools:
Configure ip address, create users, notepad, taskmgr
Uses low surface area server for targeted roles
Includes a set of server roles
Includes the following optional features:
WINS, Failover Clustering, Subsystem for UNIX-based applications, Backup,
Multipath IO, Removable Storage Management, Bitlocker Drive Encryption, SNMP,
Telnet Client, and QoS
Summary
IIS7 builds upon the IIS6 architecture
Process model
Minimal attack surface
Performance optimized
IIS7 offers major architectural enhancements
Modularization, built-in accounts, configurable
caching, compression, server core etc.
Links
App Pool isolation
URL AuthZ
http://www.iis.net/articles/view.aspx/IIS7/Man
aging-IIS7/Configuring-Security/URLAuthorization/Understanding-IIS7-URLAuthorization
IIS 6 Security History
IIS 6 has only 3 advisories released to date,
none of them rated as critical
http://secunia.com/product/1438/?task=advisories
Apache 2.0.x on the other hand has over 35,
several of which are critical rated
http://secunia.com/product/73/?task=advisories
IIS7 Architecture
Service Host
(SVCHost.EXE)
Configuration
(applicationhost.
config)
Worker Process (W3WP.EXE)
Windows Process
Activation Service
(WAS)
World Wide Web
Service (W3SVC)
HTTP.SYS Kernel-Mode Listener
IIS7 Request Flow
Service Host
(SVCHost.EXE)
Bindings:
http://*:80:site1
Worker Process (W3WP.EXE)
Windows Process
Activation Service
(WAS)
Applicationhost.config
World Wide Web
Service (W3SVC)
HTTP Protocol Host
HTTP Listener
Channel
HTTP.SYS Kernel-Mode Listener
Request
Queue
Response
Cache
HTTP.SYS
Accepting HTTP (and HTTPS) connections
Parsing and validating HTTP requests
Queuing of HTTP requests in applicationspecific queues
Caching of HTTP responses
New
SSL
Kernel-Mode Windows authentication
WAS and W3SVC
Windows Process Activation Service (WAS)
Configuration Manager
Reads configuration from applicationhost.config and reacts to changes in configuration
Passes configuration to the World Wide Web Service
Process Manager
Starts worker processes when a listener (e.g. HTTP.SYS) receives the first request
Monitors state and health of worker processes
Recycles worker processes based on certain parameters, e.g. lifetime, number of requests,
schedule etc.
Prevents resource exhaustion, e.g. by limiting number of worker processes that can be
active at the same time
W3SVC
HTTP specific listener adapter
Site binding information (IP address, port, host header)
Application Pool and Application settings
Configuration changes
Worker Process
Establishes a connection with WAS at startup
Responds to WAS requests, e.g. when asked to
shutdown
Picks up requests from the HTTP.SYS request queue
Manages request pipeline
Process requests and send responses
Runs all third-party code
Modules, handlers, isapi filters and extensions, assemblies,
COM objects etc.
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

similar documents