A considerate solution of IIS for trouble handling with Applications and Websites.
By Manish Kumar, Web Server Administrator, Kochhar LexServe Pvt. Ltd.
25 pages

Uploaded by william-johns, posted 04-Jan-2016

TRANSCRIPT

Page 1: A considerate solution of IIS for trouble handling with Applications and Websites. By Manish Kumar, Web Server Administrator, Kochhar LexServe Pvt. Ltd.

Page 2: Agenda

- IIS 6.0 – an overview
- Reliability – a new process model
- Security
- Performance and scalability
- Improving manageability
- Considerations
- Resources
- Q&A

Page 3: Reliability – A New Architecture for IIS 6.0 W3SVC

GOAL: permit complete application isolation from other Web applications and from the core Web server.

The Web service functionality that lived in INETINFO.exe is split out to do this:
- HTTP.sys: kernel-mode listener and request router
- W3SVC: now only the configuration and process manager
- W3Core: where Web applications are processed; W3Core.dll is loaded into each W3WP.exe worker process

Two process model modes:
- [Default] worker process isolation mode
- IIS 5.0 isolation mode

[Diagram: HTTP.sys in kernel mode; W3SVC, W3Core and the Web app in user mode]

Page 4: Reliability – A Reminder: Process Model for IIS 5.0

[Diagram: in user mode, INETINFO.exe hosts the metabase, the FTP/SMTP/NNTP services, W3SVC, Winsock, ISAPI filters and the in-process apps; ASP.NET apps run as .NET app domains inside ASPNET_WP.exe; pooled out-of-process (OOP) apps share one DLLHOST.exe and each isolated OOP app gets its own DLLHOST.exe. Nothing runs in kernel mode: every request enters through Winsock and passes through INETINFO.exe before it reaches an application.]

Page 5: Reliability – IIS 6.0 Worker Process Isolation Mode

[Diagram: HTTP.sys sits in kernel mode. In user mode, INETINFO.exe now hosts only the metabase and the FTP/SMTP/NNTP services; W3SVC runs inside SVCHOST.exe as the W3 Config Manager and W3 Process Manager; each application pool is served by its own W3WP.exe hosting W3Core, the ISAPI filters and all of the pool's apps (no OOP), with ASP.NET apps as .NET app domains inside that same W3WP.exe.]

Page 6: Reliability – Application Pools

- Can create one or more application pools
- Each pool is served by one or more W3WP.exe processes
- Each W3WP.exe serves only one pool
- Requests are routed directly to the pool's queue by HTTP.sys

Isolate applications based on:
- Site/customer
- Functionality
- Reliability

Page 7: Reliability – Periodic Process Recycling

What is it? Periodically restart the pool's worker process based on:
- [Default] uptime (every 1740 minutes, about 29 hours)
- Number of requests
- Scheduled time
- Memory consumption
- On demand

Why use it? Refresh applications to ensure availability, and prevent a leaking or misbehaving application from taking over the system.

Effect on applications:
- In-process state or cache is lost on recycle
- Possible multi-instance issues while the old and the new worker process overlap

Page 8: Reliability – Self-Healing Architecture

Health check (pinging) – what is it?
- Designed to detect a W3WP.exe thread deadlock
- Engages if there are no threads in W3WP.exe available to respond in time

How does it work?
- W3SVC "pings" each W3WP.exe
- The process has a configured time limit to respond
- If there is no response within the time limit:
  - Default: kill the process, publish an event, and start a new process
  - Or: configure a different action on the process and leave it running for a debugger to attach ("orphaning")
- ASP and ASP.NET use the same mechanism to request a recycle when they detect that they are unhealthy

Page 9: Reliability – Crash Detection and Recovery

Crash detection:
- W3SVC detects a W3WP.exe "crash"
- W3SVC starts a new W3WP.exe if there is demand
- Requests queue in HTTP.sys while the new W3WP.exe starts
- Net effect: no interruption in service

Rapid-fail protection:
- Only allow x crashes in y minutes (default: 5 crashes in 5 minutes)
- Automatically stop the pool if this value is exceeded; HTTP.sys then answers requests for this pool with 503

Page 10: Reliability – Application Considerations

Design applications to be recycled:
- Persist state and caches external to the host process
- For ASP.NET, use the external session state service or Microsoft SQL Server to store state

Be aware of multi-instance issues. They may be encountered during:
- Recycles – overlapped by default, but overlapped recycling, or recycling altogether, can be disabled
- Two application pools loading the same application code – if you cannot change the code, assign all of its URLs to the same pool

"IIS 5-isms" – dependencies on IIS 5.0 behaviors:
- Running as LocalSystem
- Global data filters

If the above cannot be worked around, run IIS 6.0 in IIS 5.0 isolation mode: W3Core is loaded into INETINFO.exe and the IIS 5.0 out-of-process model is kept.

Page 11: Security on IIS 6.0 – Secure on Installation

Clean installation:
- IIS is not installed on a clean install by default
- Use the Configure Your Server Wizard to install the application server role, which installs IIS 6.0, FPSE (not enabled) and ASP.NET (not enabled)

Upgrade installation:
- W3SVC is left disabled after the upgrade unless URLScan was installed before upgrading

Page 12: Security on IIS 6.0 – Attack Surface Reduced

Restriction list:
- Only execute requests for "allowed" extensions and CGIs
- No extensions or CGIs are allowed by default
- 404.2 is returned for a request to a "prohibited" extension or CGI
- Use the Web Service Extensions node in the MMC to "allow" and "prohibit" extensions and CGIs

Known file extensions:
- Only serve static requests for extensions defined in the MIME map
- 404.3 for requests not in the MIME map

Considerations:
- If using Visual Studio .NET, define .tmp files in the MIME map; Visual Studio .NET was to fix this in SP1

Page 13: Security in IIS 6.0 – Configurable Worker Process Identity

The worker process can be started as:
- Network Service (default)
- Local System
- Local Service
- A configured account

IIS_WPG:
- New user group; the ACLs on IIS resources grant access to this group
- A pool whose configured account is not a member of IIS_WPG fails to start, and requests to it get 503s

Considerations:
- Passport Active Directory mapping requires Local System
- Kerberos might require additional configuration (a service principal name) for this identity
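The pool settings from pages 6 to 9 (recycling, the health-check ping, rapid-fail protection, web gardens) and the identity choice on this page are all plain attributes on the application-pool nodes in Metabase.xml, and a pool that looks clean can inherit a weak value from the /LM/W3SVC/AppPools defaults. The audit below is an added example, not code from the deck or from Microsoft; the Metabase.xml excerpt and the pool names in it are constructed for this example, and the attribute names are the IIS 6.0 metabase properties.

```python
"""Audit effective IIS 6.0 application-pool settings from Metabase.xml.

Added example (not from the deck). The metabase excerpt is constructed; the
attribute names are the IIS 6.0 metabase properties (AppPoolIdentityType,
RapidFailProtection, PingingEnabled, PeriodicRestartTime, MaxProcesses, ...).
"""
import xml.etree.ElementTree as ET

# Constructed Metabase.xml excerpt. Pool-wide defaults live on the
# IIsApplicationPools node; each IIsApplicationPool inherits them unless it
# overrides the attribute itself.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsApplicationPools Location="/LM/W3SVC/AppPools"
    AppPoolIdentityType="2"
    PeriodicRestartTime="1740"
    PeriodicRestartRequests="0"
    PingingEnabled="TRUE"
    RapidFailProtection="TRUE"
    RapidFailProtectionMaxCrashes="5"
    RapidFailProtectionInterval="5"
    IdleTimeout="20"
    MaxProcesses="1"
    DisallowOverlappingRotation="FALSE" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool"
    AppPoolIdentityType="0"
    RapidFailProtection="FALSE"
    PingingEnabled="FALSE"
    PeriodicRestartTime="0" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/GardenPool"
    AppPoolIdentityType="3"
    WAMUserName="CORP\\svc_web"
    MaxProcesses="4"
    DisallowOverlappingRotation="TRUE" />
</MBProperty>
</configuration>
"""

# AppPoolIdentityType values as IIS 6.0 defines them.
IDENTITY = {"0": "LocalSystem", "1": "LocalService", "2": "NetworkService", "3": "SpecificUser"}


def _local(tag):
    """Strip the metabase XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def effective_pools(xml_text):
    """Return {pool name: effective attributes} with the AppPools defaults applied."""
    defaults, pools = {}, {}
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "IIsApplicationPools":
            defaults = dict(el.attrib)
        elif name == "IIsApplicationPool":
            pools[el.attrib["Location"].rsplit("/", 1)[-1]] = dict(el.attrib)
    return {n: {**defaults, **own} for n, own in pools.items()}


def _true(p, key):
    """Metabase booleans are the strings TRUE/FALSE; both keys default to TRUE."""
    return p.get(key, "TRUE").upper() == "TRUE"


def audit_pool(p):
    """Findings for one pool's effective settings, in the order the deck covers them."""
    findings = []
    ident = IDENTITY.get(p.get("AppPoolIdentityType", "2"), "unknown")
    if ident == "LocalSystem":
        findings.append("identity is LocalSystem: a compromised app owns the host; use NetworkService")
    elif ident == "SpecificUser":
        findings.append("identity %s must be in IIS_WPG or the pool answers 503" % p.get("WAMUserName", "?"))
    if not _true(p, "RapidFailProtection"):
        findings.append("rapid-fail protection off: a crash-looping W3WP.exe is restarted forever")
    if not _true(p, "PingingEnabled"):
        findings.append("health-check ping off: a deadlocked worker is never detected")
    no_recycle = (int(p.get("PeriodicRestartTime", "1740")) == 0
                  and int(p.get("PeriodicRestartRequests", "0")) == 0
                  and int(p.get("PeriodicRestartMemory", "0")) == 0
                  and not p.get("PeriodicRestartSchedule"))
    if no_recycle:
        findings.append("no periodic recycling: leaks in the application are never reclaimed")
    if int(p.get("MaxProcesses", "1")) > 1:
        findings.append("web garden: app must tolerate several instances (no in-process state)")
    if p.get("DisallowOverlappingRotation", "FALSE").upper() == "TRUE":
        findings.append("non-overlapped recycle: requests queue in HTTP.sys during every restart")
    return findings


def audit(xml_text):
    """Map every pool in the metabase to its list of findings."""
    return {name: audit_pool(p) for name, p in effective_pools(xml_text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_METABASE).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it against a copy of %windir%\system32\inetsrv\Metabase.xml (never edit the live file with it; that is the deck's own advice on page 20). The merge with the IIsApplicationPools node is the important part: DefaultAppPool above declares nothing and passes, LegacyPool only overrides four values and collects four findings, and GardenPool inherits a healthy recycle interval but is still flagged for its custom identity, its web garden and its non-overlapped recycle.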

Page 14: Security in IIS 6.0 – Security Changes from IIS 5.0

- Sub-authentication is not installed by default on clean installations. Effect: passwords may expire for the IWAM and IUSR accounts. Solution: install SubAuth, or come up with your own password synchronization scheme.
- URLs are restricted to a maximum length of 16 KB, with more restrictive parsing (no special characters, etc.)
- Content in Inetpub is now overwrite-protected
- Command-line tools are limited to the Administrators group only

Page 15: Security in IIS 6.0 – Recommendations

- Do a clean installation rather than an upgrade: it is more secure by default, and there is no lockdown tool yet for IIS 6.0 to handle the upgrade case
- Run application pool W3WP.exe processes as Network Service (the default)
- Only "allow" extensions that are vital to your applications; prohibit everything else to reduce the attack surface
- Check the IIS hit logs and the HTTPERR log:
  - IIS hit logs – substatus codes are logged for W3C and binary-formatted files, so a 404.2 (prohibited extension) or 404.3 (extension not in the MIME map) can be told apart from an ordinary 404
  - HTTPERR (%windir%\system32\LogFiles\HTTPERR) – detail on the reason for 503s and connection terminations
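The two logs recommended above are both W3C directive files: a #Fields: line names the columns, so one parser serves the hit log and HTTPERR, and the substatus and reason columns are what separate a lockdown hit from a broken link and a stopped pool from an idle connection. The script below is an added example, not code from the deck; its log lines are constructed, and the s-reason strings it looks for (AppOffline, URL_Length, Timer_ConnectionIdle and the parse-error reasons) are ones HTTP.sys writes.

```python
"""Triage IIS 6.0 hit logs (sc-substatus) and the HTTP.sys HTTPERR log.

Added example, not from the deck. Both logs are W3C directive files: a
'#Fields:' line names the columns and '-' marks an empty value. The sample
lines are constructed for this example.
"""
from collections import Counter

# Constructed IIS hit log (W3C extended format with sc-substatus enabled).
HIT_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2016-01-04 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2016-01-04 09:00:01 10.0.0.5 GET /default.htm - 80 - 10.0.0.77 Mozilla/4.0 200 0 0
2016-01-04 09:00:02 10.0.0.5 GET /scripts/cmd.exe /c+dir 80 - 203.0.113.9 Mozilla/4.0 404 2 0
2016-01-04 09:00:03 10.0.0.5 GET /app/config.bak - 80 - 203.0.113.9 Mozilla/4.0 404 3 0
2016-01-04 09:00:04 10.0.0.5 GET /app/missing.htm - 80 - 10.0.0.77 Mozilla/4.0 404 0 2
2016-01-04 09:00:05 10.0.0.5 GET /app/page.aspx - 80 - 10.0.0.77 Mozilla/4.0 503 0 0
"""

# Constructed HTTPERR log (lives under %windir%\system32\LogFiles\HTTPERR).
HTTPERR_LOG = """#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Date: 2016-01-04 09:00:00
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2016-01-04 09:00:05 10.0.0.77 1050 10.0.0.5 80 HTTP/1.1 GET /app/page.aspx 503 1 AppOffline AppPool1
2016-01-04 09:00:06 203.0.113.9 2345 10.0.0.5 80 HTTP/1.1 GET /search?q=AAAAAAAAAAAAAAAAAAAAAAAAAAAA 400 - URL_Length -
2016-01-04 09:00:09 10.0.0.78 1051 10.0.0.5 80 - - - - - Timer_ConnectionIdle -
"""

# A subset of the s-reason values HTTP.sys writes when it rejects a request
# during parsing, before any worker process sees it.
PARSE_REJECT_REASONS = {"BadRequest", "Verb", "Header", "Hostname", "URL_Length", "Number"}


def parse_w3c(text):
    """Parse a W3C directive log into dicts keyed by the '#Fields:' names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append({f: (None if v == "-" else v) for f, v in zip(fields, line.split(" "))})
    return rows


def audit_hit_log(rows):
    """Separate lockdown hits (404.2, 404.3) from ordinary 404s and count 503s."""
    report = {"prohibited_extension": [], "unmapped_mime": [], "plain_404": 0, "pool_unavailable": 0}
    for r in rows:
        code = "%s.%s" % (r["sc-status"], r["sc-substatus"])
        if code == "404.2":        # Web Service Extensions list blocked the handler
            report["prohibited_extension"].append((r["c-ip"], r["cs-uri-stem"]))
        elif code == "404.3":      # extension not in the MIME map
            report["unmapped_mime"].append((r["c-ip"], r["cs-uri-stem"]))
        elif r["sc-status"] == "404":
            report["plain_404"] += 1
        elif r["sc-status"] == "503":
            # A 503 in the hit log came from the application itself; 503s that
            # HTTP.sys produced for a stopped pool appear only in HTTPERR.
            report["pool_unavailable"] += 1
    return report


def audit_httperr(rows):
    """Explain 503s and dropped connections from the HTTP.sys side."""
    reasons = Counter(r["s-reason"] for r in rows)
    # AppOffline means rapid-fail protection stopped the pool named in s-queuename.
    stopped_pools = sorted({r["s-queuename"] for r in rows if r["s-reason"] == "AppOffline"})
    parse_rejects = [(r["c-ip"], r["s-reason"]) for r in rows if r["s-reason"] in PARSE_REJECT_REASONS]
    return {"reasons": dict(reasons), "stopped_pools": stopped_pools, "parse_rejects": parse_rejects}


if __name__ == "__main__":
    print(audit_hit_log(parse_w3c(HIT_LOG)))
    print(audit_httperr(parse_w3c(HTTPERR_LOG)))
```

On the constructed input the hit log shows one client probing for cmd.exe (404.2, the extension list did its job) and for a .bak file (404.3, the MIME map did its job), while HTTPERR shows which pool rapid-fail protection took offline and a connection HTTP.sys dropped for an over-long URL that no worker process ever saw.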

Page 16: Performance in IIS 6.0 – Caching Responses in HTTP.SYS

- Cached dynamic content is served straight from HTTP.SYS
- Can run at double the speed when served from the kernel: no user-mode transition
- Your application will not see a request that is served from the cache, so any per-request logic in it does not run for that hit
- Static files are cached by default; smart caching means only "hot" static content is cached
- Invalidation API callback
- Also leverage the "Expires" header to automatically set the "staleness" timeout for cached responses

Considerations:
- Use for dynamic responses only if they can be "stale" for a period of time
- Lessens load on the Web server when the response can be served from the cache
- ASP.NET: use the OutputCache Location="Server" directive to mark a response as cacheable

Page 17: Performance in IIS 6.0 – Capacity Planning Tracing

Hooks at key positions during the request lifetime, from the start of the request to the final send of the response:
- HTTP start, route, cache hit, end
- ISAPI filter start/stop (filter name, notification)
- ISAPI extension start/stop
- ASP start/stop
- ASP.NET start/stop

Useful in debugging as well: where is my request blocked?

Customer example: uses this to find pages with high CPU usage, and to diagnose where the delay is.

Page 18: Performance in IIS 6.0 – Web Gardens and Processor Affinity

Web gardens:
- An application pool with more than one worker process
- Connection-based routing within the garden

Processor affinitization:
- Bind application pool processes to one or more CPUs
- Mask-based configuration

Considerations:
- Web gardens: possible multi-instance issues; recycling may happen all at once
- Affinitization: create virtual silos of work on large MP boxes; affinitize based on the MP architecture (bind to CPUs on the same pod)

[Diagram: HTTP.sys in kernel mode; W3SVC (W3 Config Manager, W3 Process Manager) in SVCHOST.exe; one application pool configured as a web garden with several W3WP.exe processes, each hosting W3Core, the ISAPI filters and all apps (no OOP)]

Page 19: Performance in IIS 6.0 – Idle Timeout and Demand Start

Idle timeout:
- Time out and shut down a worker process if it is idle for a given period of time
- Frees resources for active applications
- Applications are still available even if the worker process idles out and is shut down!

Demand start:
- Only start a worker process when there is demand for the application pool

Considerations:
- Use idle timeout to free resources for other heavy-use applications
- Consider disabling idle timeout if application startup takes a long time
- Note: idle timeout terminates idle processes, so the in-memory cache is lost

Page 20: Manageability in IIS 6.0 – Metabase Improvements

XML metabase:
- The metabase is now stored in XML
- Auto-versioning: like an automatic backup
- Edit while running: make changes directly to the Metabase.xml file while IIS is running
- Any editor can be used – Notepad, .NET, Perl, etc.

Considerations:
- Safer and more secure to use ADSI or the UI to make changes to the metabase
- Note: Metabase.bin still exists, but only as a stub file for legacy backup applications

[Diagram: Admin Base Objects, ADSI and the UI sit above Metabase.xml and MBSchema.xml]

Page 21: Manageability in IIS 6.0 – Metabase Improvements: Import/Export

Export/import metabase configuration to/from XML. Options include:
- Export/import inherited properties
- Export/import the node only (or the entire subtree)
- Password-encrypted exported file

Use with ASP.NET XCOPY deployment of applications:
1. Export the IIS 6.0 metabase configuration for the .NET application
2. Store it in the .NET application directory
3. Import the application's metabase configuration file after the XCOPY

[Diagram: Admin Base Objects, ADSI and the UI sit above Metabase.xml and MBSchema.xml]

Page 22: Manageability in IIS 6.0 – WMI Provider and New Command-Line Tools

IIS WMI provider:
- Query support
- Associations
- Scriptable

New command-line tools:
- Task-based approach
- Supported tools, currently in %windir%\system32
- Based on the WMI provider
- Example: use IISCNFG.vbs as part of a .NET application migration strategy between two IIS 6.0 boxes

[Diagram: Admin Base Objects, ADSI, the UI and WMI sit above Metabase.xml and MBSchema.xml; the command-line tools are built on WMI]

Page 23: Summary

IIS 6.0 was made better by making Web applications more:
- Secure
- Reliable
- Scalable
- Manageable

Page 24: Resources

IIS 6.0 Overview on TechNet: http://www.microsoft.com/windows.netserver/evaluation/overview/technologies/iis.mspx

IIS 6.0 Technical Overview: http://www.microsoft.com/windows.netserver/docs/IISOverview.doc

Page 25: Thank you for joining.

For any doubt or query in future about IIS 6.0, please visit: http://manishmishramcp.wordpress.com/iis

Your feedback is sincerely appreciated. Please send any comments or suggestions to the given address: [email protected]