
MSDN Briefing: IIS7 for Developers






Presentation Transcript


  1. MSDN Briefing: IIS7 for Developers. Christoph Wille, MVP ASP.NET, http://chrison.net/

  2. Internet Information Services seven: integrated, extensible, componentized, delegated, secure, compatible, supportable

  3. IIS – A Colorful Past • 1996 – V1 ships with Windows NT 4.0 • V2 & V3 releases came in follow-up SP releases • 1997 – V4 part of NT 4 Option Pack • 2000 – V5 installed by default in Windows 2000 • 2001 • March 2001, #1 in Internet Site Share • Fall 2001, Code Red and Nimda • 2003 – V6 released in Windows Server 2003

  4. IIS 6 Today • Secure by Default • IIS no longer installed by default with OS • IIS installs with “locked down” configuration • Runs with minimal permissions, secure configuration • Secure by Design • Extensive design & code reviews • Penetration testing • Defense in depth • Process architecture design for application failure • Health detection • Automatic recycling of applications Result: Zero critical security patches since release. #1 in reliability for major internet sites.

  5. Agenda • Architecture Overview • Modularization • Extensibility • Administration & Troubleshooting

  6. For Developers • Where do I get IIS 7.0? • Windows Vista Editions with IIS 7.0 • Where do I start? • What type of developer are you? • Native Developers vs. Managed-code Devs • Understanding the Core Server Architecture

  7. Installation Differences • IIS 7.0 • Rebuilt setup architecture • Uses Vista’s Windows Features On and Off • Can also use Vista’s Package Manager (Pkgmgr.exe) • Full install of all IIS components:
  start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
  • IIS minimal install:
  start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

  8. Architecture Introduction • IIS 7.0’s architecture, albeit similar to IIS 6.0, offers unique changes • Default architecture has same “players” with some fresh new ones [Diagram: process components in IIS 6.0 (Inetinfo, W3SVC, W3WP, HTTP.sys) vs. IIS 7.0 (Inetinfo (optional), W3SVC, WAS/WPAS, W3WP, HTTP.sys)]

  9. A Review… IIS 6.0 Architecture • Monolithic implementation • Install all or nothing… • Extend server functionality only through ISAPI… [Diagram: IIS 6.0 request pipeline – Authentication (NTLM, Basic, Anon, …) → Determine Handler (CGI, Static File, ASP.NET, ISAPI, PHP, …) → Send Response → Log, Compress]

  10. IIS7 Request Processing • Server functionality is split into ~40 modules… • Modules plug into a generic request pipeline… • Modules extend server functionality through a public module API. [Diagram: IIS 7.0 pipeline stages – Authentication (NTLM, Basic, Anon, …) → Authorization → ResolveCache → ExecuteHandler (Determine Handler: CGI, Static File, ISAPI, …) → UpdateCache → SendResponse (Log, Compress)]

  11. Architecture in IIS7 • What does the “Core” do? • Exposes interfaces • Agrees to “hook” up interfaces via subscription or events • Extensibility • Primary workhorse for Web server • Code authors: • Microsoft: In the form of “modules” that will ship with the IIS7 platform • You: The rest of the world

  12. IIS6 ASP.NET Integration • Runtime limitations • Only sees ASP.NET requests • Feature duplication [Diagram: IIS 6.0 pipeline (Authentication: NTLM, Basic, Anon, …; Determine Handler: CGI, Static File, ISAPI, …; Send Response; Log; Compress) with aspnet_isapi.dll running its own duplicate pipeline (Authentication: Forms, Windows, …; Map Handler: ASPX, …; Trace, …)]

  13. IIS7 ASP.NET Integration Basic • Two Modes • Classic (runs as ISAPI) • Integrated • Integrated Mode • .NET modules / handlers plug directly into pipeline • Process all requests • Full runtime fidelity [Diagram: integrated pipeline – Authentication (Anon, Forms, Windows, …) → Authorization → ResolveCache → ExecuteHandler (Static File, ISAPI, ASPX Map Handler, …) → UpdateCache → SendResponse (Trace, Compress, Log, …); aspnet_isapi.dll no longer hosts a separate pipeline]

  14. Reviewing IIS 7.0 Architecture [Diagram: DLLs loaded into W3WP in IIS 6.0 vs. IIS 7.0 – cacheuri.dll, myparser.dll, admwprox.dll, myauthurl.dll, cachfile.dll, gzip.dll, modrqflt.dll, mybscauth.dll, iismap.dll, mylogging.dll, cachhttp.dll, iisres.dll, compdyn.dll, modexp.dll, iisRtl.dll, mycompres.dll, compstat.dll, iisutil.dll, myMossint.dll, defdoc.dll, w3comlog.dll, iisetw.dll, w3cache.dll, cgi.dll, static.dll, w3core.dll]

  15. Demo • The Most Secure Web Server Ever

  16. Metabase vs. “AppHost.config” • IIS 6.0’s Metabase Design • Supported legacy, out-dated interface (ABO) • Maintained own ACL’ing within file, rather than via file system ACL’ing • Delegation wasn’t supported, relied solely on Administrative privileges • Remote capabilities were limited, not user-friendly experience • Schema wasn’t architected in easy-to-use format • Extending schema was nearly impossible

  17. Metabase vs. “AppHost.config” (2) • Introducing ApplicationHost.config • Location: %windir%\system32\inetsrv\config • Default configuration: • All features disabled *except* • Directory Browsing (directoryBrowse) • Default Document (defaultDocument) • HTTP Redirect (httpRedirect) • HTTP Protocol (httpProtocol) • Features unlocked using IIS Manager or ApplicationHost.config

  18. Metabase vs. “AppHost.config” (3) • ApplicationHost.config Facts: • Uses strongly-typed Schema (%windir%\system32\inetsrv\config\schema\IIS_schema.xml) • Easily edited using favorite XML editor • Broken down into two pieces: • system.applicationHost • system.webServer • Delegation of IIS settings is unlockable and distributable to web.config’s deployed with content

  19. Metabase vs. “AppHost.config” (4) • ApplicationHost.config Facts (cont.): • Uses well-known XML • Organized into tightly-coupled groups for like features (i.e. collections) • Uses simple key\value pairs for many options like true\false, 0 or 1, etc. • Extending schema is drag\drop experience (add XML file to /config directory and restart IIS)

  20. Configuration Highlights • Delegated Configuration Administration • Administrators may allow app owner to modify settings • Developers can set and deploy settings with their applications • Xcopy-deployment of self-contained applications without running admin tool or scripts to configure -- even to centralized UNC share • Unified Configuration Model for Entire Web Platform • Administrators may use same file for IIS, ASP.NET, Indigo settings • Developers can use same API and concepts across entire platform • AuthN, AuthZ, custom errors, handlers, etc. are set one single way • Extensibility and Customization is easy • Administrators can control what sections are registered with the system • Developers can reuse base classes to quickly develop custom sections • Clean schema allows smooth editing by hand (text/XML editor), API or admin tool • Compatibility Built-In at the API level • ABO / ADSI scripts and applications continue to work

  21. Configuration Layout • IIS + ASP.NET + .NET Framework inheritance, from root configuration files down to web.config files: • .NET Framework: \Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config and root web.config (\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config) • IIS: \Windows\system32\inetsrv\applicationHost.config • ASP.NET: web.config files deployed with the content

  22. Configuration Delegation • Delegation is: • Configuration locking, “overrideMode” • ACL’s on configuration files • By default… • All IIS sections locked except: • Default Document • Directory Browsing • HTTP Header • HTTP Redirects • All .NET Framework / ASP.NET sections are unlocked
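As an added example (not from the talk and not IIS code), a small Python audit that reads an applicationHost.config and reports which sections an application owner can override from a content web.config, using the overrideModeDefault and <location overrideMode> semantics from slides 17 and 22. The sample configuration, the site path "Default Web Site/payroll" and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real file): all sections locked except the four the
# slides name, plus one <location> that unlocks anonymous auth for a single app.
SAMPLE_APPHOST = """<configuration>
 <configSections><sectionGroup name="system.webServer">
  <section name="defaultDocument" overrideModeDefault="Allow"/>
  <section name="directoryBrowse" overrideModeDefault="Allow"/>
  <section name="httpProtocol" overrideModeDefault="Allow"/>
  <section name="httpRedirect" overrideModeDefault="Allow"/>
  <section name="handlers" overrideModeDefault="Deny"/>
  <sectionGroup name="security">
   <section name="authorization" overrideModeDefault="Deny"/>
   <sectionGroup name="authentication">
    <section name="anonymousAuthentication" overrideModeDefault="Deny"/>
   </sectionGroup></sectionGroup>
 </sectionGroup></configSections>
 <location path="Default Web Site/payroll" overrideMode="Allow"><system.webServer><security><authentication>
   <anonymousAuthentication enabled="false"/>
 </authentication></security></system.webServer></location>
</configuration>"""

def section_defaults(root):
    """Map section paths (system.webServer/security/authorization, ...) to overrideModeDefault; missing means Allow."""
    out = {}
    def walk(group, prefix):
        for child in group:
            path = f"{prefix}/{child.get('name')}" if prefix else child.get("name")
            if child.tag == "sectionGroup":
                walk(child, path)
            elif child.tag == "section":
                out[path] = child.get("overrideModeDefault", "Allow")
    walk(root.find("configSections"), "")
    return out

def effective_mode(root, section, site_path):
    """Override mode of `section` for content at `site_path`: the global default
    unless the most specific <location> covering the path sets overrideMode."""
    mode, best = section_defaults(root).get(section, "Allow"), -1
    for loc in root.findall("location"):
        lp, lm = loc.get("path", ""), loc.get("overrideMode")
        covers = lp == "" or site_path == lp or site_path.startswith(lp + "/")
        if lm and covers and len(lp) > best and loc.find(section) is not None:
            mode, best = lm, len(lp)  # location unlocks/locks only the sections it contains
    return mode

def delegated_sections(config_xml, site_path):
    """Sections an application at `site_path` may override in its own web.config."""
    root = ET.fromstring(config_xml)
    return sorted(s for s in section_defaults(root) if effective_mode(root, s, site_path) == "Allow")
```

Run against a real %windir%\system32\inetsrv\config\applicationHost.config, anything beyond the four default sections that shows up as delegated is a section an application owner can change without administrator involvement.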

  23. Demo • Customized Workload • Site Creation – A Tour of the UI • Currently Executing Requests • Configuring a Site for AuthN

  24. Modules vs. ISAPI • IIS 6.0 Development • First-class access to requests was only possible through the Internet Server API (ISAPI) • ISAPI only supported C\C++ languages and was a rather complex technology • Client vs. Server Versions • Windows XP Professional shipped with IIS 5.1 yet lots of development was for IIS 6.0 • IIS 6.0 shipped on Windows Server 2003 and was architected differently than IIS 5.x

  25. Modules vs. ISAPI (2) • Client vs. Server Versions (cont.) • Managed-code development architecture differed heavily between IIS 5.x & 6.0 • ASP.NET was written as an ISAPI and duplicated functionality of IIS 6.0 • IIS 7.0 • IIS 7.0 on client is the same as on Server (via service packs) • Support for multiple development interfaces to interact with IIS 7 Core Server

  26. IIS 7.0 Native Modules • Vista ships with the potential of 40+ modules • Most are native modules built using the new Native C\C++ APIs • Native modules are defined in the <globalModules> section of applicationhost.config IIS 7.0 full install has 33 native modules

  27. Utility Modules • Used to help the server engine with its internal operations • Do not provide configuration for these in applicationhost.config

  28. Compression Modules • Provides Static & Dynamic compression mechanisms for IIS requests • Configurable locations: system.webServer/httpCompression, system.webServer/urlCompression

  29. Authentication Modules • IIS 7.0 core authentication modules

  30. Security Modules • Implements URL authorization, and IP\Domain restrictions

  31. Logging & Error Modules • Implements logging functionality • Implements custom & detailed errors

  32. Diagnostics Modules • Implements IIS 7.0’s Request Monitoring, tracing, and Failed Request Tracing

  33. Development Modules • Development technologies offered so that code written for that platform can execute • Implements Managed Interfaces, etc.

  34. Misc. Modules • Performs independent functionality outside of any group

  35. Misc. Modules (cont.)

  36. IIS 7.0 Managed Modules • Managed Modules are loaded in two ways • Called by webengine.dll (integrated mode) • Called by core ISAPI module – isapimodule.dll (Classic) • Integrated Mode offers ASP.NET module features access to all types of content • Classic mode runs exactly like IIS 6.0 & ASP.NET 2.0 • Managed modules are only defined at application level (<modules>) along with native modules

  37. IIS 7.0 Managed Modules system.web • Implements managed code module parity with ASP.NET 2.0 • Requires webengine.dll native module to execute

  38. Demo • URL Rewriting • Directory Listing • Basic • “Deluxe”

  39. IIS 6.0 Tracing vs. Failed Request Tracing • Tracing: What is it? • IIS 6.0 Usage: • No User Interface Support • Updated as part of Service Pack 1 • Very difficult to restrict tracing to extensions, or paths • Not extensible with custom events written by developers

  40. IIS 6.0 Tracing vs. Failed Request Tracing (2) • IIS 7.0’s Failed Request Tracing • Setting up Tracing: • IIS Manager • Enabled Globally (Administrator) • Actual Trace attributes settable per-site or per-application

  41. IIS 6.0 Tracing vs. Failed Request Tracing (3) • Viewing Trace Data in IIS 6.0 is difficult, yet when understood is very useful • Viewing Trace Data in IIS 7.0: an easy-to-use XSLT breaks out the various data to simplify reviewing (screenshots: in Vista RTM, in LHS Beta 3)

  42. Demo • FREB in Action

  43. IIS 6.0 Security vs. 7.0 Security • IIS 6.0 Security – • All Bits Installed (%windir%\system32\inetsrv) • “Features” turned on\off • Uses local account and group for anonymous client requests and process account • IIS_WPG: Group for allowing process creation and security • URLScan added for additional security features not offered by Core server

  44. IIS 6.0 Security vs. 7.0 Security (2) • IIS 7.0 Security:

  45. Unified authentication, authorization across web server platform • Fully supports non-Windows principals! • All authentication schemes configured one single way for all types of content • Forms authentication is now fully supported • IIS extends its ACL authorization model with URL Authorization: • Membership system support (includes support for custom providers) • Windows principals (stored in the local SAM or Active Directory) • Custom configuration credential sections (non-Windows principals)

  46. Unified Authentication and Authorization: Reconciled impersonation model • IIS 7.0 always uses the following rules (in order of precedence) • If a username/password is configured at a virtual directory it is used first • If virtual directory username/password is not configured, the authenticated user’s credentials are used (anonymous, basic, windows) • If no authenticated user (e.g. if forms authentication was used or no authentication module is configured) the process identity is used

  47. to 49. Reconciled impersonation model: walkthrough (slide builds of the same rules) • Web user requests page, VDIR has username and password configured: the credentials configured for the virtual directory are used • Web user requests page, VDIR has no username/password configured, user is prompted and provides valid Windows credentials (note: the <authentication> section needs to be configured): the client credentials or anonymous identity provided during authentication is used • Web user requests page, VDIR has no username/password configured, no user authentication is configured: the process identity is used

  50. Unified Authentication and Authorization: Reconciled impersonation model • ASP.NET developers can still define their own identity section if required by their applications • Useful for applications that reside on different machines [Diagram: web user requests page; IIS uses any of the impersonation methods and impersonates some Windows identity; ASP.NET developers can use their web.config to impersonate an alternate identity (example: for database access)]
