Internet Information Server 6.0
IIS 6.0 Enhancements • Fundamental changes, aimed at: • Reliability & Availability • Performance • Manageability • Security
Review of IIS 5 Architecture (diagram): user mode: INETINFO.EXE hosting the ISAPI filters and extensions and the Metabase, plus one or more DLLHost.EXE processes each hosting out-of-process ISAPI extensions; kernel mode: TCP/IP, reached through WinSock 2.0.
IIS 6 Architecture (diagram): kernel mode: HTTP.SYS; user mode: the Web Admin Service and a Worker Process containing the W3 Core and the web app.
HTTP.SYS • What is it? • Kernel-mode HTTP stack/listener • Always running • What does it do? • HTTP Listener and Parser • Process routing based on URL namespace • Request queues: kernel-mode queuing • Response cache for static requests
Web Admin Service (WAS) • What is it? • Configuration, Application and Process Manager • What does it do? • Configures HTTP.SYS for listening and routing • Periodic Recycling • Time-, hit-, memory-, schedule-based, and on-demand • Health Monitoring • Pinging, crash detection • Rapid fail protection • Better debugging support • Orphaning of Web Processing Core host processes (a failed W3WP.exe is left running for debugging instead of being terminated)
Web Processing Core: W3WP.exe • What is it? • Main web processing core responsible for handling web requests • Self-contained web server • Contains all web request processing functionality • Loads ISAPIs (filters and extensions) • ASP, ASP.NET, FrontPage® Server Extensions • Delivers complete isolation from system components and other web apps
IIS 6.0 Availability: Applications • Isolating Applications From Each Other • Applications grouped into Application Pools • Applications defined by URL namespace • One or many applications per Application Pool • Configure processing features by Application Pool • One or many Worker Processes per Application Pool • Service Level Support • CPU accounting • Bandwidth throttling
IIS 6 Architecture: Managing worker processes (diagram): the Web Admin Service signals "Recycle time!" to one of several Worker Processes (each hosting a W3 Core and a web app) in user mode, all fed by HTTP.SYS in kernel mode.
Recycling • Recycle periodically to ensure reliability • Recycle based on: • Uptime • # of requests • Schedule • Virtual memory consumption • On-Demand
Application Pool Performance • Goal: support 2000 pools concurrently • IIS 5 supported at most 80 isolated out-of-process (OOP) applications in total • Scaling features of pools • Idle Timeout • CPU Accounting • Demand Start
Web Gardens • Multiple Processes serving an application pool • Reliability and fault-tolerance • Allows another already initialized worker process to take over the current load • Can affinitize worker processes to a set of processors • Some throughput gains for applications that rely on process global resources
App Pool Health & Debugging Features • Worker process health monitoring/gating • Process pinging • Startup/Shutdown limits • Kernel Mode Request Queuing • Rapid Fail Protection • “Orphan” worker processes in failure
Configurable Worker Process Identity • Worker process can be started as: • Network Service (default) • Local System • Local Service • A configured account
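The recycling, web-garden, health-monitoring and identity settings on the Recycling, Web Gardens, App Pool Health & Debugging Features and Configurable Worker Process Identity slides are all properties of the IIsApplicationPool metabase node, inherited from /LM/W3SVC/AppPools unless a pool overrides them. The script below is an added example, not code from the presentation or from Microsoft: it reads a metabase export of the shape `iiscnfg /export` writes, applies that inheritance, and flags pools that run as LocalSystem, never recycle, or have rapid fail protection or pinging switched off. The XML fragment is constructed for the example; the element and attribute names follow the IIS 6.0 metabase schema.

```python
"""Audit IIS 6.0 application-pool settings from an exported metabase fragment.

Added example for this page, not a Microsoft tool.  Assumes the MetaBase.xml
layout: one <IIsApplicationPools> element carrying the pool-wide defaults at
/LM/W3SVC/AppPools and one <IIsApplicationPool> element per pool, with every
metabase property stored as an XML attribute.
"""
import xml.etree.ElementTree as ET

# AppPoolIdentityType values from the IIS 6.0 metabase schema.
IDENTITY = {"0": "LocalSystem", "1": "LocalService",
            "2": "NetworkService", "3": "SpecificUser"}

# Constructed sample: DefaultAppPool inherits everything; LegacyPool overrides
# identity, recycling and health settings in the unsafe direction.
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
  <IIsApplicationPools Location="/LM/W3SVC/AppPools"
      AppPoolIdentityType="2" PeriodicRestartTime="1740" PeriodicRestartRequests="0"
      PeriodicRestartMemory="0" RapidFailProtection="TRUE" PingingEnabled="TRUE"
      MaxProcesses="1" IdleTimeout="20" />
  <IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" />
  <IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool"
      AppPoolIdentityType="0" PeriodicRestartTime="0" RapidFailProtection="FALSE"
      PingingEnabled="FALSE" MaxProcesses="4" />
</MBProperty>
</configuration>"""


def _local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def load_pools(xml_text):
    """Return {pool_location: effective_properties}: the /LM/W3SVC/AppPools
    defaults first, then the pool's own attributes on top (metabase inheritance)."""
    root = ET.fromstring(xml_text)
    defaults, pools = {}, {}
    for el in root.iter():
        props = {k: v for k, v in el.attrib.items() if k != "Location"}
        if _local(el.tag) == "IIsApplicationPools":
            defaults = props
        elif _local(el.tag) == "IIsApplicationPool":
            pools[el.get("Location")] = props
    return {loc: {**defaults, **props} for loc, props in pools.items()}


def audit_pool(props):
    """Return a list of findings for one pool's effective properties."""
    findings = []
    ident = IDENTITY.get(props.get("AppPoolIdentityType", "2"), "unknown")
    if ident == "LocalSystem":
        findings.append("worker process runs as LocalSystem; use NetworkService "
                        "or a dedicated low-privilege account")
    # Recycling is on if any trigger is set: time (minutes), request count,
    # virtual memory (KB) or a schedule (multi-string of times).
    recycle_on = any(int(props.get(k, "0")) > 0 for k in
                     ("PeriodicRestartTime", "PeriodicRestartRequests",
                      "PeriodicRestartMemory"))
    recycle_on = recycle_on or bool(props.get("PeriodicRestartSchedule", "").strip())
    if not recycle_on:
        findings.append("no periodic recycling configured (time, requests, memory or schedule)")
    # Both health features default to TRUE in the schema if the attribute is absent.
    if props.get("RapidFailProtection", "TRUE").upper() != "TRUE":
        findings.append("rapid fail protection disabled; a crash-looping pool stays in service")
    if props.get("PingingEnabled", "TRUE").upper() != "TRUE":
        findings.append("health pinging disabled; hung worker processes are not detected")
    if int(props.get("MaxProcesses", "1")) > 1:
        findings.append(f"web garden with MaxProcesses={props['MaxProcesses']}: "
                        "process-global state is not shared between workers")
    return findings


def audit(xml_text):
    """Audit every pool in the export; empty list means no findings."""
    return {loc: audit_pool(p) for loc, p in load_pools(xml_text).items()}


if __name__ == "__main__":
    for loc, findings in audit(SAMPLE_METABASE).items():
        print(loc, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against a real export, `audit` is fed the contents of the file written by `iiscnfg /export`; because properties not set on a pool are inherited from the AppPools container, the audit must merge the two levels before judging, which is what `load_pools` does.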
IIS 6.0 Performance: Designed for high throughput • Kernel mode cache for static, unauthenticated content • No transition to user mode for cache hits • User-mode worker processes • No user mode to user mode process hop • Talk directly to HTTP.SYS to get requests • Ability to affinitize worker processes to CPUs • Support for 64-bit
IIS 6.0 Scalability: Scale up, out and in • SSL up to 900% faster • ISAPI up to 800% faster • CGI up to 100% faster • Support 20,000 sites and more per system • Improved startup/shutdown times (<2 min) • Improved scalability of application isolation (2000 isolated Application Pools) • Improved processor scalability • 3x on a 4-processor box, 5x on an 8-way
Management Enhancements • XML Metabase • WMI Provider • Command-Line Interface • New Web-based Administration Console
IIS Commands
• Create web and FTP sites:
  c:\>iisweb /create c:\webroot "My Site" /b 169.254.36.174
• Create web and FTP virtual directories
• Backup/Restore
• Export/Import configuration (import the saved site node at /lm/w3svc/1 as a new site at /lm/w3svc/4):
  c:\>iiscnfg /import /f MySiteConfig.xml /sp /lm/w3svc/1 /dp /lm/w3svc/4
IIS 5.0 Security Issues • Code Red, Nimda, etc., etc. • Weaknesses • Windows 2000 Installed As An Application Server – Huge attack surface • Soft Defaults • High Privilege Accounts • No automated way to install patches • Result: Fixes out for months but not uniformly applied • Many companies survived Code Red & Nimda • IIS Lockdown Wizard & URLSCAN for IIS 4/5 • Improved Patch Management
IIS 6.0 Security: Secure Out of the Box • Change in approach: • Clean up code, improved tools for defect detection • Secure defaults, minimize attack surface (static files only by default) • Customer 'enables' server features after setup • An infrastructure that by default installs security hot fixes (customer opts out, not in) • Educate the customer
IIS 6.0 Security: Reduced Attack Surface • IIS is not installed by default • As well as 20+ other services • Server Lockdown: serve HTM files only • Only the Web service gets installed • IsapiRestrictionList • CGIRestrictionList • Template-based feature activation • Web service disabled on upgrade for benefit of non-IIS users • Prevent IIS 6 install with group policy
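The IsapiRestrictionList and CGIRestrictionList named on the Reduced Attack Surface slide are, in the released IIS 6.0 metabase, a single multi-string property on /LM/W3SVC, WebSvcExtRestrictionList, whose entries read `Allow,Path[,Deletable,GroupID,Description]`; the `*.dll` and `*.exe` entries govern every ISAPI extension and CGI program not listed explicitly, and a server with nothing allowed is the "serve HTM files only" lockdown. The script below is an added example, not from the presentation or Microsoft: it parses that property out of a metabase export and reports whether the wildcards are open and which handlers are enabled. The export fragment is constructed for the example; one caveat the code handles is that a standards-conforming XML parser folds the newlines separating entries into spaces, so entries are split on whitespace followed by a `0,` or `1,` marker rather than on line breaks.

```python
"""Parse and audit the IIS 6.0 WebSvcExtRestrictionList.

Added example for this page, not a Microsoft tool.  Entry format (IIS 6.0
metabase schema): "Allow,Path[,Deletable,GroupID,Description]" with Allow 1/0
and Path either a file path or the wildcard *.dll (all ISAPI) / *.exe (all CGI).
"""
import re
import xml.etree.ElementTree as ET

WILDCARDS = ("*.dll", "*.exe")

# Constructed sample: *.dll is wrongly set to Allow, so any DLL an attacker can
# drop under a web root can be invoked as an ISAPI extension.
SAMPLE_WEAK = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
  <IIsWebService Location="/LM/W3SVC"
      WebSvcExtRestrictionList="1,*.dll
        0,*.exe
        1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages
        0,C:\WINDOWS\system32\inetsrv\webdav.dll,0,WEBDAV,WebDAV
        1,C:\WINDOWS\system32\inetsrv\httpodbc.dll,0,HTTPODBC,Internet Data Connector" />
</MBProperty>
</configuration>"""

# Constructed value for a locked-down server: nothing dynamic is allowed.
SAMPLE_LOCKED = "0,*.dll\n0,*.exe"

# XML attribute-value normalization turns the file's newlines and tabs into
# spaces, so split before each "0," / "1," marker instead of on line breaks.
ENTRY_SPLIT = re.compile(r"\s+(?=[01],)")


def parse_restriction_list(value):
    """Turn the raw multi-string value into a list of entry dicts."""
    entries = []
    for raw in ENTRY_SPLIT.split(value.strip()):
        parts = raw.strip().split(",", 4)   # description may itself contain commas
        entries.append({
            "allow": parts[0] == "1",
            "path": parts[1],
            "group": parts[3] if len(parts) > 3 else "",
            "description": parts[4] if len(parts) > 4 else "",
        })
    return entries


def load_restriction_list(xml_text):
    """Find the IIsWebService node in a metabase export and parse its list."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "IIsWebService":
            return parse_restriction_list(el.get("WebSvcExtRestrictionList", ""))
    return []


def audit_restrictions(entries):
    """Report open wildcards, the enabled handlers, and whether the server is
    static-only (the lockdown state IIS 6.0 ships in)."""
    wildcards_open = [e["path"] for e in entries if e["path"] in WILDCARDS and e["allow"]]
    enabled = [e["group"] or e["path"] for e in entries
               if e["allow"] and e["path"] not in WILDCARDS]
    return {"wildcards_open": wildcards_open, "enabled": enabled,
            "static_only": not wildcards_open and not enabled}


if __name__ == "__main__":
    report = audit_restrictions(load_restriction_list(SAMPLE_WEAK))
    for wc in report["wildcards_open"]:
        kind = "ISAPI extensions" if wc == "*.dll" else "CGI programs"
        print(f"WARNING: {wc} allowed, every unlisted {kind} will run; set it to 0")
    print("enabled handlers:", ", ".join(report["enabled"]) or "none")
    print("static only:", report["static_only"])
```

The wildcard entries are the ones to check first on any IIS 6.0 review: with `0,*.dll` and `0,*.exe` only the explicitly listed handlers can execute, which is the behaviour the slide describes as serving HTM files only until the customer enables features.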
Web Server Security Enhancements • URLscan implemented by default • Clean code • Architectural changes • Process isolation • Configurable identity • Application pool management • General OS hardening • New tools • AutoUpdate, SUS, Qchain, MBSA