Securing and Tuning IIS7 Microsoft® Hosting Deployment Accelerator.


What We'll Cover
- IIS7 Performance
  - New IIS7 Performance Features
  - Tuning IIS7
- IIS7 Security
  - Reduced Attack Surface
  - Architectural Changes
  - New Security Features
- Windows Server Core
  - Get both performance and security benefits

IIS7 Performance Improvements
- Kernel mode SSL and Windows authentication
  - Performance improvements up to 150%
- More powerful compression
  - For static and dynamic content
- Output caching
  - Per URL, query string and/or request headers
  - APIs for putting responses in the output cache
- Improved scalability
  - Host thousands of sites
- FastCGI
  - Great way to run PHP on IIS

CGI vs. FastCGI

IIS7 Tuning Tips
- Enable Output Caching for semi-dynamic pages
- Low bandwidth Branch Offices?
  - Enable Dynamic Compression (~ 5% CPU overhead)
- Need to run many web apps on a single box?
  - Run IIS worker processes in Wow64 mode
  - Room for the OS, scalability for your web apps
  - Now a per-AppPool setting: Enable32BitAppOnWow64
- Thinking about buying new Web Server hardware?
  - W2K8 scales extremely well on new multi-proc boxes (4 and 8 core)

IIS7 Tuning Tips
- Thousands of requests per second?
  - Remove modules you don't need
- Don't know why some pages are so slow?
  - Turn on FREB and the time-taken feature to investigate
- You * scriptmapped all requests to ASP.NET in IIS6?
  - Integrated Pipeline is much faster than an IIS6 * scriptmap solution
  - Try together with IIS7 URL Authorization

IIS7 Tuning Tips
- PHP applications?
  - PHP on top of FastCGI is much faster than traditional CGI
- The majority of your requests go to your Default Document?
  - Put it on top of the list – otherwise IIS7 has to check every time
  - Static default documents will be cached in kernel-mode (+450%)
- Looking for tools to measure web server performance?
  - Try WCAT 6.3 from
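
Three of the tuning tips above (output caching, dynamic compression, default document order) expressed as a site-level web.config. This is an added example, not configuration from the deck; the file extension, query-string name, duration and default file name are assumed values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: site-level web.config; file names and durations are assumed. -->
<configuration>
  <system.webServer>
    <!-- Output caching for a semi-dynamic page type: one cached copy per
         distinct "id" query-string value, kept for 30 seconds. Apply only
         where the output does not depend on the signed-in user. -->
    <caching enabled="true">
      <profiles>
        <add extension=".aspx" policy="CacheForTimePeriod"
             duration="00:00:30" varyByQueryString="id" />
      </profiles>
    </caching>
    <!-- Dynamic compression trades CPU for bandwidth; it takes effect only
         when the DynamicCompressionModule is installed. -->
    <urlCompression doStaticCompression="true" doDynamicCompression="true" />
    <!-- Default document: clear the inherited list and put the file that is
         actually used first, so IIS does not probe for the others. -->
    <defaultDocument enabled="true">
      <files>
        <clear />
        <add value="index.htm" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>
```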

Output Caching

IIS7 Security
- Building upon a solid foundation - IIS6
- Reduced Attack Surface
  - Server Core
  - Componentization
  - Application Pool Isolation and other architectural changes
- Security Features
  - Request Filtering
  - URL Authorization

IIS7 Installable Components
- Http Protocol Support: RequestFilteringModule, ProtocolSupportModule, OptionsVerbModule, HttpRedirectionModule
- Logging and Diagnostics: HttpLoggingModule, CustomLoggingModule
- Configuration and Metadata Caches: TokenCacheModule, UriCacheModule, SiteCacheModule, FileCacheModule
- Core Web Server: DirectoryListingModule, CustomErrorModule, DynamicCompressionModule, StaticCompressionModule, StaticFileModule, DefaultDocumentModule, HttpCacheModule, RequestMonitorModule, TracingModule
- AuthN/AuthZ: BasicAuthModule, DigestAuthModule, WindowsAuthModule, CertificateAuthModule, AnonymousAuthModule, FormsAuthModule, UrlAuthorizationModule
- Extensibility: ISAPIModule, ISAPIFilterModule, CGIModule, ServerSideIncludeModule, ManagedEngineModule

Componentization

Security Architecture Improvements
- Feature delegation
  - Allow non-administrators to manage IIS7 settings remotely
  - Allow fine-grained control over feature delegation
- Application pool isolation
  - Sandboxing out-of-the-box

Security Architecture Improvements
- IIS7 identities are built-in
  - Anonymous User IUSR_ IUSR
  - IIS_WPG is now IIS_IUSRS
- Easier to administer, scale-out and configure
  - You no longer need to add worker process identities to IIS_IUSRS group
- Anonymous user is no longer required
  - Worker process identity does the job

Application Pool Isolation

Security Features
- .NET security integration
  - Roles, profile, membership, forms auth, URL auth modules support any type of content
  - Use of .NET Role and Membership Providers
- URL Authorization
  - Control access via web.config files instead of using ACLs
- Request Filtering
  - Filter verbs, sequences, urls, headers
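
The Request Filtering and URL Authorization features named on this slide, written out as a site-level web.config. This is an added example, not configuration from the deck; the `internal` and `admin` paths, the `SiteAdmins` role and all size limits are assumed values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: site-level web.config; names and limits are assumed values. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Request Filtering runs early in the pipeline, before handlers. -->
      <requestFiltering allowDoubleEscaping="false">
        <!-- Verbs: allow-list; any verb not named here is rejected. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- Sequences: URL substrings that are always rejected. -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
        <!-- URLs: a path segment that is never served (hypothetical folder). -->
        <hiddenSegments>
          <add segment="internal" />
        </hiddenSegments>
        <!-- Extensions: leave unlisted ones allowed, block backup files. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
        </fileExtensions>
        <!-- Headers and sizes, in bytes. -->
        <requestLimits maxAllowedContentLength="1048576" maxUrl="2048" maxQueryString="1024">
          <headerLimits>
            <add header="Content-Type" sizeLimit="100" />
          </headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>
  </system.webServer>
  <!-- URL Authorization for the hypothetical /admin path; no ACL changes. -->
  <location path="admin">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="SiteAdmins" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Requests rejected by these rules are logged with 404 sub-status codes (for example 404.6 for a denied verb), which is the place to look when tightening the lists. The authorization rules are enforced only when the UrlAuthorizationModule from the installable components list is installed.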

Request Filtering

Server Core
- Server Core is:
  - A minimal installation option for Windows Server® 2008
  - Part of the Windows Server® 2008 general purpose SKUs
  - Available for x86 and x64

Server Core Benefits
- Today's challenges
  - Servers have single role or a fixed workload
  - Administrators are required to deploy and service the full OS
  - Non-value add features present a servicing and security burden
  - Administrators think of servers in terms of server roles
- With Server Core:
  - Fewer Patches
    - Reduces # of patches by ~60% (based on all Win2000 patches)
    - Servicing burden is reduced by removing components that are most often serviced
  - More Secure, Reliable and Less Management
    - Removal of non-value add legacy & client components from server

Server Core Overview
- Server Core:
  - Provides minimal server OS functionality
    - Core sub-systems: Security logon, networking (TCP/IP), file system, RPC, etc.
    - Infrastructure: Command-shell, domain join, eventlog, perfcounters, HTTP, IPSec
    - Basic set of management tools: Configure ip address, create users, notepad, taskmgr
  - Uses low surface area server for targeted roles
  - Includes a set of server roles
  - Includes the following optional features: WINS, Failover Clustering, Subsystem for UNIX-based applications, Backup, Multipath IO, Removable Storage Management, Bitlocker Drive Encryption, SNMP, Telnet Client, and QoS

Summary
- IIS7 builds upon the IIS6 architecture
  - Process model
  - Minimal attack surface
  - Performance optimized
- IIS7 offers major architectural enhancements
  - Modularization, built-in accounts, configurable caching, compression, server core etc.

Links
- App Pool isolation
- URL AuthZ: aging-IIS7/Configuring-Security/URL-Authorization/Understanding-IIS7-URL-Authorization

IIS 6 Security History
- IIS 6 has only 3 advisories released to date, none of them rated as critical
- Apache 2.0.x on the other hand has over 35, several of which are critical rated

IIS7 Architecture
- Service Host (SVCHost.EXE)
- HTTP.SYS Kernel-Mode Listener
- Windows Process Activation Service (WAS)
- World Wide Web Service (W3SVC)
- Worker Process (W3WP.EXE)
- Configuration (applicationhost.config)

IIS7 Request Flow
- Service Host (SVCHost.EXE)
- HTTP.SYS Kernel-Mode Listener
- Windows Process Activation Service (WAS)
- World Wide Web Service (W3SVC)
- Worker Process (W3WP.EXE)
- Applicationhost.config
- Diagram labels: HTTP Protocol Host Request Queue HTTP Listener Channel Response Cache Bindings:

HTTP.SYS
- Accepting HTTP (and HTTPS) connections
- Parsing and validating HTTP requests
- Queuing of HTTP requests in application-specific queues
- Caching of HTTP responses
- New: SSL, Kernel-Mode Windows authentication

WAS and W3SVC
- Windows Process Activation Service (WAS)
  - Configuration Manager
    - Reads configuration from applicationhost.config and reacts to changes in configuration
    - Passes configuration to the World Wide Web Service
  - Process Manager
    - Starts worker processes when a listener (e.g. HTTP.SYS) receives the first request
    - Monitors state and health of worker processes
    - Recycles worker processes based on certain parameters, e.g. lifetime, number of requests, schedule etc.
    - Prevents resource exhaustion, e.g. by limiting number of worker processes that can be active at the same time
- W3SVC
  - HTTP specific listener adapter
  - Site binding information (IP address, port, host header)
  - Application Pool and Application settings
  - Configuration changes

Worker Process
- Establishes a connection with WAS at startup
- Responds to WAS requests, e.g. when asked to shut down
- Picks up requests from the HTTP.SYS request queue
- Manages request pipeline
- Processes requests and sends responses
- Runs all third-party code
  - Modules, handlers, isapi filters and extensions, assemblies, COM objects etc.

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.