Securing and Tuning IIS7
Microsoft® Hosting Deployment Accelerator

What We'll Cover
- IIS7 Performance
  - New IIS7 performance features
  - Tuning IIS7
- IIS7 Security
  - Reduced attack surface
  - Architectural changes
  - New security features
- Windows Server Core
  - Get both performance and security benefits

IIS7 Performance Improvements
- Kernel-mode SSL and Windows authentication
  - Performance improvements up to 150%
- More powerful compression
  - For static and dynamic content
- Output caching
  - Per URL, query string and/or request headers
  - APIs for putting responses in the output cache
- Improved scalability
  - Host thousands of sites
- FastCGI
  - Great way to run PHP on IIS

CGI vs. FastCGI

IIS7 Tuning Tips
- Enable Output Caching for semi-dynamic pages
- Low-bandwidth branch offices?
  - Enable Dynamic Compression (~5% CPU overhead)
- Need to run many web apps on a single box?
  - Run IIS worker processes in Wow64 mode
  - Room for the OS, scalability for your web apps
  - Now a per-AppPool setting: Enable32BitAppOnWow64
- Thinking about buying new web server hardware?
  - W2K8 scales extremely well on new multi-proc boxes (4 and 8 core)

IIS7 Tuning Tips
- Thousands of requests per second?
  - Remove modules you don't need
- Don't know why some pages are so slow?
  - Turn on FREB and the "time-taken" feature to investigate
- You * scriptmapped all requests to ASP.NET in IIS6?
  - Integrated Pipeline is much faster than an IIS6 * scriptmap solution
  - Try together with IIS7 URL Authorization

IIS7 Tuning Tips
- PHP applications?
  - PHP on top of FastCGI is much faster than traditional CGI
- The majority of your requests go to your Default Document?
  - Put it on top of the list, otherwise IIS7 has to check every entry first
  - Static default documents will be cached in kernel mode (+450%)
- Looking for tools to measure web server performance?
  - Try WCAT 6.3 from www.iis.net/downloads

Output Caching

IIS7 Security
- Building upon a solid foundation: IIS6
- Reduced attack surface
  - Server Core
  - Componentization
  - Application pool isolation and other architectural changes
- Security features
  - Request Filtering
  - URL Authorization

IIS7 Installable Components
- Logging and Diagnostics: HttpLoggingModule, CustomLoggingModule, RequestMonitorModule, TracingModule
- AuthN/AuthZ: BasicAuthModule, DigestAuthModule, WindowsAuthModule, CertificateAuthModule, AnonymousAuthModule, FormsAuthModule, UrlAuthorizationModule, RequestFilteringModule
- Extensibility: ManagedEngineModule, ISAPIModule, ISAPIFilterModule, CGIModule, ServerSideIncludeModule
- Core Web Server: StaticFileModule, DefaultDocumentModule, DirectoryListingModule, StaticCompressionModule, DynamicCompressionModule, HttpCacheModule
- HTTP Protocol Support: CustomErrorModule, ProtocolSupportModule, OptionsVerbModule, HttpRedirectionModule
- Configuration and Metadata Caches: TokenCacheModule, UriCacheModule, SiteCacheModule, FileCacheModule

Componentization

Security Architecture Improvements
- Feature delegation
  - Allow non-administrators to manage IIS7 settings remotely
  - Allow fine-grained control over feature delegation
- Application pool isolation
  - Sandboxing out of the box

Security Architecture Improvements
- IIS7 identities are built in
  - Anonymous user IUSR_<machinename> → IUSR
  - IIS_WPG is now IIS_IUSRS
- Easier to administer, scale out and configure
  - You no longer need to add worker process identities to the IIS_IUSRS group
- Anonymous user is no longer required
  - Worker process identity does the job

Application Pool Isolation

Security Features
- .NET security integration
  - Roles, profile, membership, forms auth and URL auth modules support any type of content
  - Use of .NET Role and Membership Providers
- URL Authorization
  - Control access via web.config files instead of using ACLs
- Request Filtering
  - Filter verbs, sequences, URLs, headers

Request Filtering

Server Core
- Server Core is:
  - A minimal installation option for Windows Server® 2008
  - Part of the Windows Server® 2008 general purpose SKUs
  - Available for x86 and x64

Server Core Benefits
- Today's challenges
  - Servers have a single role or a fixed workload
  - Administrators are required to deploy and service the full OS
  - Non-value-add features present a servicing and security burden
  - Administrators think of servers in terms of server roles
- With Server Core:
  - Fewer patches
    - Reduces # of patches by ~60% (based on all Win2000 patches)
    - Servicing burden is reduced by removing components that are most often serviced
  - More secure, reliable and less management
    - Removal of non-value-add legacy and client components from the server

Server Core Overview
- Server Core:
  - Provides minimal server OS functionality
    - Core sub-systems: security logon, networking (TCP/IP), file system, RPC, etc.
    - Infrastructure: command shell, domain join, eventlog, perfcounters, HTTP, IPSec
    - Basic set of management tools: configure IP address, create users, notepad, taskmgr
  - Uses a low-surface-area server for targeted roles
  - Includes a set of server roles
  - Includes the following optional features: WINS, Failover Clustering, Subsystem for UNIX-based Applications, Backup, Multipath IO, Removable Storage Management, BitLocker Drive Encryption, SNMP, Telnet Client, and QoS

Summary
- IIS7 builds upon the IIS6 architecture
  - Process model
  - Minimal attack surface
  - Performance optimized
- IIS7 offers major architectural enhancements
  - Modularization, built-in accounts, configurable caching, compression, Server Core, etc.

Links
- App pool isolation
- URL AuthZ: http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Configuring-Security/URLAuthorization/Understanding-IIS7-URLAuthorization

IIS 6 Security History
- IIS 6 has only 3 advisories released to date, none of them rated as critical: http://secunia.com/product/1438/?task=advisories
- Apache 2.0.x on the other hand has over 35, several of which are rated critical: http://secunia.com/product/73/?task=advisories

IIS7 Architecture
- Service Host (SVCHost.EXE)
  - Windows Process Activation Service (WAS)
  - World Wide Web Service (W3SVC)
- Configuration (applicationhost.config)
- Worker Process (W3WP.EXE)
- HTTP.SYS kernel-mode listener

IIS7 Request Flow
- Service Host (SVCHost.EXE): WAS and W3SVC, reading applicationhost.config
  - Bindings: http://*:80:site1
- Worker Process (W3WP.EXE): HTTP Protocol Host, HTTP Listener Channel
- HTTP.SYS kernel-mode listener: request queue, response cache

HTTP.SYS
- Accepting HTTP (and HTTPS) connections
- Parsing and validating HTTP requests
- Queuing of HTTP requests in application-specific queues
- Caching of HTTP responses
- New
  - SSL
  - Kernel-mode Windows authentication

WAS and W3SVC
- Windows Process Activation Service (WAS)
  - Configuration Manager
    - Reads configuration from applicationhost.config and reacts to changes in configuration
    - Passes configuration to the World Wide Web Service
  - Process Manager
    - Starts worker processes when a listener (e.g. HTTP.SYS) receives the first request
    - Monitors state and health of worker processes
    - Recycles worker processes based on certain parameters, e.g. lifetime, number of requests, schedule, etc.
    - Prevents resource exhaustion, e.g. by limiting the number of worker processes that can be active at the same time
- W3SVC
  - HTTP-specific listener adapter
  - Site binding information (IP address, port, host header)
  - Application pool and application settings
  - Configuration changes

Worker Process
- Establishes a connection with WAS at startup
- Responds to WAS requests, e.g. when asked to shut down
- Picks up requests from the HTTP.SYS request queue
- Manages the request pipeline
  - Processes requests and sends responses
- Runs all third-party code
  - Modules, handlers, ISAPI filters and extensions, assemblies, COM objects, etc.

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
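The tuning tips in the deck (default document order, output caching, dynamic compression, PHP over FastCGI, removing unused modules, and FREB keyed on time-taken) all map onto sections of a site-level web.config. The fragment below is an added example written for this page; it is not from the deck or from Microsoft. The extensions, cache durations, the php-cgi.exe path, the module names removed and the 5-second threshold are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the deck): a site-level web.config that applies
     the tuning tips. Paths, extensions and timings are assumptions. -->
<configuration>
  <system.webServer>

    <!-- Default document: list the page most requests actually hit first,
         so IIS7 does not probe the other candidates on every request. -->
    <defaultDocument enabled="true">
      <files>
        <clear />
        <add value="index.php" />
        <add value="default.aspx" />
      </files>
    </defaultDocument>

    <!-- Output caching for semi-dynamic pages. kernelCachePolicy keeps a copy
         in the HTTP.SYS response cache; varyByQueryString="*" makes the cache
         key include the query string, so ?id=1 and ?id=2 get separate entries;
         varyByHeaders does the same for a request header. -->
    <caching enabled="true" enableKernelCache="true">
      <profiles>
        <add extension=".php" policy="CacheForTimePeriod"
             kernelCachePolicy="CacheForTimePeriod" duration="00:00:30"
             varyByQueryString="*" />
        <add extension=".aspx" policy="CacheUntilChange"
             kernelCachePolicy="DontCache" varyByHeaders="Accept-Language" />
      </profiles>
    </caching>

    <!-- Compression: static compression is cheap; dynamic compression costs
         roughly 5% CPU (per the deck) and pays off on low-bandwidth links. -->
    <urlCompression doStaticCompression="true" doDynamicCompression="true" />

    <!-- PHP through FastCGI rather than CGI: a pool of long-lived php-cgi.exe
         processes instead of one new process per request. The matching
         <fastCgi> application entry lives in applicationHost.config. -->
    <handlers>
      <add name="PHP_via_FastCGI" path="*.php" verb="GET,HEAD,POST"
           modules="FastCgiModule" scriptProcessor="C:\php\php-cgi.exe"
           resourceType="Either" />
    </handlers>

    <!-- Remove modules this site never uses so they are not on the pipeline
         for every request (works only if applicationHost.config does not
         lock these entries). -->
    <modules>
      <remove name="ServerSideIncludeModule" />
      <remove name="DirectoryListingModule" />
    </modules>

    <!-- Failed Request Tracing keyed on time-taken: write a trace for any
         request, whatever its status, that takes longer than 5 seconds.
         The site also needs <traceFailedRequestsLogging enabled="true" />
         in applicationHost.config. -->
    <tracing>
      <traceFailedRequests>
        <add path="*">
          <traceAreas>
            <add provider="WWW Server"
                 areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module"
                 verbosity="Verbose" />
          </traceAreas>
          <failureDefinitions timeTaken="00:00:05" statusCodes="200-999" />
        </add>
      </traceFailedRequests>
    </tracing>

  </system.webServer>
</configuration>
```

The trace log that results lists every module's entry and exit time for the slow request, which is what turns "some pages are slow" into "this module spent 4.8 s". The `statusCodes="200-999"` range is deliberate: without it the time-taken condition alone would still apply, but spelling it out makes clear that successful responses are traced too.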
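The Security Features and Request Filtering slides describe controlling access through web.config instead of NTFS ACLs and filtering verbs, URL sequences and headers before any handler runs. The web.config below is an added example for this page, not the deck's or Microsoft's code; the role names, the login page, the blocked extensions and segments and the size limits are assumptions. It also shows the trick the ".NET security integration" slide relies on: re-registering FormsAuthentication without the managedHandler precondition so it protects static files and PHP pages too (this requires the application pool to be in Integrated pipeline mode).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the deck): web.config for an application that
     uses IIS7 URL Authorization and Request Filtering in place of NTFS ACLs.
     Role names, paths and limits are assumptions. -->
<configuration>
  <system.web>
    <!-- .NET Forms authentication and the role provider supply the identity
         and roles that the IIS7 UrlAuthorizationModule evaluates. -->
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" />
    </authentication>
    <roleManager enabled="true" />
  </system.web>

  <system.webServer>
    <!-- Re-register the managed Forms authentication module without the
         "managedHandler" precondition so it also runs for static content
         (images, PDFs, PHP), not only for ASP.NET handlers. -->
    <modules>
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />
    </modules>

    <security>
      <!-- URL Authorization: drop the inherited allow-all rule, then allow the
           roles that need access; an explicit final deny makes the outcome for
           everyone else unambiguous. -->
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="Administrators" />
        <add accessType="Allow" roles="Customers" verbs="GET,HEAD" />
        <add accessType="Deny" users="*" />
      </authorization>

      <!-- Request Filtering: reject requests before any handler sees them. -->
      <requestFiltering>
        <!-- Only these verbs may reach the application. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- Reject URL sequences that indicate path traversal or alternate
             data stream access. -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>
        <!-- Extensions that must never be served even when the file exists. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
        </fileExtensions>
        <!-- Path segments that are never served. -->
        <hiddenSegments>
          <add segment="bin" />
          <add segment="App_Data" />
        </hiddenSegments>
        <!-- Bound request body, URL, query string and a header's length. -->
        <requestLimits maxAllowedContentLength="10485760"
                       maxUrl="2048" maxQueryString="1024">
          <headerLimits>
            <add header="Content-Type" sizeLimit="256" />
          </headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Requests rejected by Request Filtering are answered with HTTP 404 and a substatus that names the rule (for example 404.7 for a blocked extension, 404.13 for content length), which makes the filter's decisions easy to spot in the W3C log. URL Authorization failures surface as 401 and are logged by the UrlAuthorizationModule, so the two layers can be audited independently.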
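The Application Pool Isolation, built-in identities and WAS/W3SVC slides describe per-pool sandboxing, recycling on lifetime, request count and schedule, bindings of the form http://*:80:site1, and the per-AppPool 32-bit switch from the tuning tips. The applicationHost.config fragment below is an added example for this page, not the deck's or Microsoft's code; site and pool names, physical paths, host names, recycle thresholds and the php-cgi.exe path are assumptions. The attribute spelled enable32BitAppOnWin64 is the applicationHost.config name of the per-AppPool Wow64 setting the tuning slide refers to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the deck): the applicationHost.config pieces that
     isolate two sites into their own application pools. Names, paths and
     limits are assumptions. -->
<configuration>
  <system.applicationHost>

    <applicationPools>
      <!-- One pool per site: a crash, recycle or compromise of site1's
           worker process cannot reach site2's. -->
      <add name="site1Pool" managedPipelineMode="Integrated"
           enable32BitAppOnWin64="true">
        <!-- Built-in identity: no per-machine IUSR_/IIS_WPG accounts to
             create or keep in sync across a web farm. -->
        <processModel identityType="NetworkService" idleTimeout="00:20:00" />
        <!-- Recycling on lifetime, request count and a fixed schedule; the WAS
             process manager enforces these. -->
        <recycling>
          <periodicRestart time="1.05:00:00" requests="100000">
            <schedule>
              <add value="03:00:00" />
            </schedule>
          </periodicRestart>
        </recycling>
        <!-- Rapid-fail protection: stop a pool that keeps crashing instead of
             letting WAS restart it indefinitely. -->
        <failure rapidFailProtection="true"
                 rapidFailProtectionInterval="00:05:00"
                 rapidFailProtectionMaxCrashes="5" />
      </add>
      <add name="site2Pool" managedPipelineMode="Integrated">
        <processModel identityType="NetworkService" />
      </add>
    </applicationPools>

    <sites>
      <!-- Bindings use protocol:IP:port:host, the same shape as the
           http://*:80:site1 binding in the request-flow slide. -->
      <site name="site1" id="1">
        <application path="/" applicationPool="site1Pool">
          <virtualDirectory path="/" physicalPath="D:\sites\site1\wwwroot" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:site1.example" />
          <binding protocol="https" bindingInformation="*:443:" />
        </bindings>
        <!-- Log the time-taken field so slow requests show up in the W3C log,
             and enable Failed Request Tracing output for this site. -->
        <logFile logFormat="W3C"
                 logExtFileFlags="Date,Time,ClientIP,Method,UriStem,UriQuery,HttpStatus,TimeTaken" />
        <traceFailedRequestsLogging enabled="true"
                                    directory="D:\inetpub\logs\FailedReqLogFiles" />
      </site>
      <site name="site2" id="2">
        <application path="/" applicationPool="site2Pool">
          <virtualDirectory path="/" physicalPath="D:\sites\site2\wwwroot" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:site2.example" />
        </bindings>
      </site>
    </sites>

  </system.applicationHost>

  <system.webServer>
    <!-- FastCGI process pool that a site-level PHP handler mapping refers to
         via scriptProcessor; maxInstances bounds the number of php-cgi.exe
         processes so one site cannot exhaust the box. -->
    <fastCgi>
      <application fullPath="C:\php\php-cgi.exe" maxInstances="8"
                   instanceMaxRequests="10000">
        <environmentVariables>
          <environmentVariable name="PHP_FCGI_MAX_REQUESTS" value="10000" />
        </environmentVariables>
      </application>
    </fastCgi>
  </system.webServer>
</configuration>
```

Keeping each site in its own pool is what turns the "sandboxing out of the box" bullet into something enforceable: W3WP.EXE for site1 runs under its own process, its own identity token and its own recycle and failure policy, and nothing in site2's web.config can change that. The 32-bit flag is set only on the pool that needs it, so the rest of the server keeps the full x64 address space.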
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.