MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET http://chrison.net/

Upload: austin-morton

Post on 24-Dec-2015


Page 1: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

MSDN Briefing

IIS7 für Entwickler

Christoph Wille, MVP ASP.NET
http://chrison.net/

Page 2: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Internet Information Services seven

integrated, extensible, componentized, compatible, secure, delegated, supportable

Page 3: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS – A Colorful Past

1996 – V1 ships with Windows NT 4.0
  V2 & V3 releases came in follow-up SP releases

1997 – V4 part of NT 4 Option Pack

2000 – V5 installed by default in Windows 2000

2001
  March 2001, #1 in Internet Site Share
  Fall 2001, Code Red and Nimda

2003 – V6 released in Windows Server 2003

Page 4: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS 6 Today

Secure by Default
  IIS no longer installed by default with OS
  IIS installs with “locked down” configuration
  Runs with minimal permissions, secure configuration

Secure by Design
  Extensive design & code reviews
  Penetration testing
  Defense in depth

Process architecture design for application failure
  Health detection
  Automatic recycling of applications

Result: Zero critical security patches since release. #1 in reliability for major internet sites.

Page 5: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Agenda

Architecture Overview
Modularization
Extensibility
Administration & Troubleshooting

Page 6: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

For Developers

Where do I get IIS 7.0?
  Windows Vista Editions with IIS 7.0

Where do I start?
  What type of developer are you?
  Native Developers vs. Managed-code Devs
  Understanding the Core Server Architecture

Vista Edition | Available
Home Basic | N
Home Premium | N
Business | Y
Ultimate | Y

Page 7: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Installation Differences

IIS 7.0
  Rebuilt setup architecture
  Uses Vista’s Windows Features On and Off
  Can also use Vista’s Package Manager (Pkgmgr.exe)

Full Install of all IIS Components

start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

IIS Minimal Install

start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

Page 8: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Architecture Introduction

IIS 7.0’s architecture, albeit similar to IIS 6.0, offers unique changes

Default architecture has same “players” with some fresh new ones
  W3SVC
  W3WP
  HTTP.sys
  WPAS
  Inetinfo (optional)

[Diagram: HTTP.sys, W3SVC, W3WP, WAS, Inetinfo]

Page 9: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

A Review… IIS 6.0 Architecture

[Diagram: IIS 6.0 request pipeline. Authentication: Anon, NTLM, Basic. Determine Handler: CGI, Static File, ISAPI (ASP.NET, PHP). Send Response: Log, Compress.]

Monolithic implementation
Install all or nothing…

Extend server functionality only through ISAPI…

Page 10: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS7 Request Processing

[Diagram: the IIS 6.0 blocks (Authentication: Anon, NTLM, Basic; Determine Handler: CGI, Static File, ISAPI; Send Response: Log, Compress) shown as modules on the IIS7 pipeline stages Authentication, Authorization, ResolveCache, ExecuteHandler, UpdateCache, SendResponse]

Server functionality is split into ~ 40 modules...

Modules plug into a generic request pipeline…

Modules extend server functionality through a public module API.

Page 11: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Architecture in IIS7

What does the “Core” do?
  Exposes interfaces
  Agrees to “hook” up interfaces via subscription or events

Extensibility
  Primary workhorse for Web server
  Code authors:
    Microsoft: In the form of “modules” that will ship with the IIS7 platform
    You: The rest of the world

Page 12: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS6 ASP.NET Integration

Runtime limitations
Only sees ASP.NET requests
Feature duplication

[Diagram: IIS 6.0 pipeline (Authentication: Anon, NTLM, Basic; Determine Handler: CGI, Static File, ISAPI; Send Response: Log, Compress) with aspnet_isapi.dll hosting a second pipeline (Authentication: Forms, Windows; Map Handler: ASPX, Trace)]

Page 13: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS7 ASP.NET Integration

Two Modes
  Classic (runs as ISAPI)
  Integrated

Integrated Mode
  .NET modules / handlers plug directly into pipeline
  Process all requests
  Full runtime fidelity

[Diagram: IIS7 pipeline stages Authentication, Authorization, ResolveCache, ExecuteHandler, UpdateCache, SendResponse with modules Anon, Basic, Static File, ISAPI, Compress, Log; beside it the aspnet_isapi.dll pipeline (Authentication: Forms, Windows; Map Handler: ASPX, Trace)]

Page 14: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Reviewing IIS 7.0 Architecture

IIS 6.0 W3WP’s

W3WP

IIS 7.0 W3WP’s

cacheuri.dll

cachfile.dll

modrqflt.dll

cachhttp.dll

compdyn.dll

compstat.dll

defdoc.dll

iisetw.dll

static.dll

W3WP

admwprox.dll

gzip.dll

iismap.dll

iisres.dll

iisRtl.dll

iisutil.dll

w3comlog.dll

w3cache.dll

w3core.dll

modexp.dll

mybscauth.dll

cgi.dll

mybscauth.dll

myauthurl.dll

mycompres.dll

mylogging.dll

myMossint.dll

myparser.dll

Page 15: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Demo

The Most Secure Web Server Ever

Page 16: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Metabase vs. “AppHost.config”

IIS 6.0’s Metabase Design
  Supported legacy, out-dated interface (ABO)
  Maintained own ACL’ing within file, rather than via file system ACL’ing
  Delegation wasn’t supported, relied solely on Administrative privileges
  Remote capabilities were limited, not user-friendly experience
  Schema wasn’t architected in easy-to-use format
  Extending schema was nearly impossible

Page 17: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Metabase vs. “AppHost.config” (2)

Introducing ApplicationHost.config
  Location: %windir%\system32\inetsrv\config
  Default configuration:
    All features disabled *except*
      Directory Browsing (directoryBrowse)
      Default Document (defaultDocument)
      HTTP Redirect (httpRedirect)
      HTTP Protocol (httpProtocol)
  Features unlocked using IIS Manager or ApplicationHost.config

Page 18: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Metabase vs. “AppHost.config” (3)

ApplicationHost.config Facts:
  Uses strongly-typed Schema (%windir%\system32\inetsrv\config\schema\IIS_schema.xml)
  Easily edited using favorite XML editor
  Broken down into two pieces:
    system.applicationHost
    system.webServer
  Delegation of IIS settings are unlockable and distributable to web.config’s deployed with content

Page 19: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Metabase vs. “AppHost.config” (4)

ApplicationHost.config Facts (cont.):
  Uses well-known XML
  Organized into tightly-coupled groups for like features (i.e. collections)
  Uses simple key\value pairs for many options like true\false, 0 or 1, etc.

    <directoryBrowse enabled="false" />

  Extending schema is drag\drop experience (add XML file to /config directory and restart IIS)

Page 20: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Configuration Highlights

Delegated Configuration Administration
  Administrators may allow app owner to modify settings
  Developers can set and deploy settings with their applications
  Xcopy-deployment of self-contained applications without running admin tool or scripts to configure -- even to centralized UNC share

Unified Configuration Model for Entire Web Platform
  Administrators may use same file for IIS, ASP.NET, Indigo settings
  Developers can use same API and concepts across entire platform
  AuthN, AuthZ, custom errors, handlers, etc are set one single way

Extensibility and Customization is easy
  Administrators can control what sections are registered with the system
  Developers can reuse base classes to quickly develop custom sections
  Clean schema allows smooth editing by hand (text/XML editor), API or admin tool

Compatibility Built-In at the API level
  ABO / ADSI scripts and applications continue to work

Page 21: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Configuration Layout

[Diagram: configuration hierarchy. Root configuration files: machine.config (.NET Framework), root web.config (ASP.NET), applicationHost.config (IIS). web.config files: IIS + ASP.NET + .NET Framework. Inheritance…]

Page 22: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Configuration Delegation

Delegation is:
  Configuration locking, “overrideMode”
  ACL’s on configuration files

By default…
  All IIS sections locked except:
    Default Document
    Directory Browsing
    HTTP Header
    HTTP Redirects
  All .NET Framework / ASP.NET sections are unlocked
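
An added example, not part of the original slides: a Python audit that reads an applicationHost.config and reports IIS sections unlocked beyond the four defaults listed above, plus any <location> block that unlocks a locked section through overrideMode. The sample XML is constructed, and mapping "HTTP Header" to the httpProtocol section is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Sections the slide lists as unlocked by default. Mapping "HTTP Header" to
# the httpProtocol section is an assumption of this example.
BASELINE_UNLOCKED = {
    "system.webServer/defaultDocument",
    "system.webServer/directoryBrowse",
    "system.webServer/httpProtocol",
    "system.webServer/httpRedirect",
}

# Constructed applicationHost.config excerpt (sample data, not from the deck).
SAMPLE_DELEGATION = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="directoryBrowse" overrideModeDefault="Allow" />
      <section name="handlers" overrideModeDefault="Allow" />
      <section name="modules" overrideModeDefault="Deny" />
      <sectionGroup name="security">
        <sectionGroup name="authentication">
          <section name="anonymousAuthentication" overrideModeDefault="Allow" />
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="Default Web Site/MyApp" overrideMode="Allow">
    <system.webServer>
      <security><authentication>
        <windowsAuthentication enabled="true" />
      </authentication></security>
    </system.webServer>
  </location>
</configuration>"""


def section_modes(root):
    """Map each declared section path to its overrideModeDefault."""
    modes = {}
    def walk(node, prefix):
        for child in node:
            path = f"{prefix}/{child.get('name')}" if prefix else child.get("name")
            if child.tag == "sectionGroup":
                walk(child, path)
            elif child.tag == "section":
                # A missing attribute is treated as Allow (assumed default).
                modes[path] = child.get("overrideModeDefault", "Allow")
    declared = root.find("configSections")
    if declared is not None:
        walk(declared, "")
    return modes


def location_unlocks(root, modes):
    """List (location path, section) where a <location> unlocks a Deny section."""
    hits = []
    def walk(node, prefix, where):
        for child in node:
            path = f"{prefix}/{child.tag}" if prefix else child.tag
            if path in modes:
                if modes[path] == "Deny":
                    hits.append((where, path))
            else:
                walk(child, path, where)
    for loc in root.findall("location"):
        if loc.get("overrideMode") == "Allow":
            walk(loc, "", loc.get("path", ""))
    return hits


def audit(xml_text):
    """Report sections delegated beyond the baseline, globally or per location."""
    root = ET.fromstring(xml_text)
    modes = section_modes(root)
    extra = sorted(p for p, m in modes.items() if m == "Allow"
                   and p.startswith("system.webServer/") and p not in BASELINE_UNLOCKED)
    return {"extra_unlocked": extra, "location_unlocks": location_unlocks(root, modes)}


if __name__ == "__main__":
    print(audit(SAMPLE_DELEGATION))
```

Every section this reports can be overridden from a web.config deployed with content, so each entry is a setting an application owner, not only the administrator, controls.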

Page 23: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Demo

Customized Workload
Site Creation – A Tour of the UI
Currently Executing Requests
Configuring a Site for AuthN

Page 24: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Modules vs. ISAPI

IIS 6.0 Development
  First-class access to requests was only allowed using Internet Server API (ISAPI)
  ISAPI only supported C\C++ languages and was rather complex technology

Client vs. Server Versions
  Windows XP Professional shipped with IIS 5.1 yet lots of development was for IIS 6.0
  IIS 6.0 shipped on Windows Server 2003 and architected differently than IIS 5.x

Page 25: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Modules vs. ISAPI (2)

Client vs. Server Versions (cont.)
  Managed-code development architecture differed heavily between IIS 5.x & 6.0
  ASP.NET was written as an ISAPI and had duplicate functionality as IIS 6.0

IIS 7.0
  IIS 7.0 on client is the same as on Server (via service packs)
  Support for multiple development interfaces to interact with IIS 7 Core Server

Page 26: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS 7.0 Native Modules

Vista ships with the potential of 40+ modules
Most are native modules built using the new Native C\C++ APIs
Native modules are defined in the <globalModules> section of applicationhost.config

IIS 7.0 full install has 33 native modules

Page 27: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Utility Modules

Used to help the server engine with its internal operations
Do not provide configuration for these in applicationhost.config

Module Name | Purpose | If removed?
cachfile.dll | Cache of file handles currently opened by core server | Performance
cacheuri.dll | Cache configuration, etc. after first request for a URI | Performance
cachtokn.dll | Caches token for password-based authentication | Performance

Page 28: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Compression Modules

Provides Static & Dynamic compression mechanisms for IIS requests

Module Name | Purpose | If removed?
Compdyn.dll | Implements in-memory compression of dynamic content | None, not installed by default
Compstat.dll | Implements in-memory as well as file-based compression for static content | Network Bandwidth saturation with large requests

Configurable locations:
  system.webServer/httpCompression
  system.webServer/urlCompression

Page 29: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Authentication Modules

IIS 7.0 core authentication modules

Module Name | Purpose | If removed?
authbas.dll | Implements HTTP basic authentication | Basic authentication is not available
authanon.dll | Implements anonymous authentication | Anonymous Authentication is not allowed
authsspi.dll | Implements Windows Authentication (NTLM\Kerberos) | Negotiate (Kerberos), NTLM are unavailable
authmd5.dll | Implements Digest Authentication | Digest Authentication is not available
authcert.dll | Implements IIS Client Certificate Mapping (Requires SSL) | Client Certificates are not accepted for authentication
authmap.dll | Maps SSL Client Certs to an Active Directory Account | Active Directory mapping is unavailable

Page 30: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Security Modules

Implements URL authorization, and IP\Domain restrictions

Module Name | Purpose | If removed?
Iprestr.dll | Implements an authorization of requests based on the client’s IPv4 Address | No IP-based restricting of requests
Urlauthz.dll | Implements authorization based on configuration rules | No ability to do URL-based denying via configuration and users
modrqflt | Implements a powerful set of security rules based on known & unknown attack vector points (previously known as URLScan) | No request filtering based on extension, query string size, etc.

Page 31: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Logging & Error Modules

Implements logging functionality
Implements custom & detailed errors

Module Name | Purpose | If removed?
Loghttp.dll | Implements standard IIS logging | No request data will be logged
Logcust.dll | Implements the ILogPlugin interface on top of IIS7. It is not recommended to use this as it is an old implementation. Recommendation is to write your own module and subscribe to RQ_Log_Request event. | Applications dependent on legacy interface will not work
Custerr.dll | Allows for the use of custom errors and the new IIS7 detailed error features | No error messages (custom or detailed) will be sent to clients
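
An added example, not part of the original slides: a Python check over the <globalModules> section (where, per the native modules slide, native modules are defined) that reports which security and logging modules from the tables above are absent and which registered modules load from outside %windir%\system32\inetsrv. The sample XML and the module names in it are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Directory the built-in native modules load from, lower-cased for comparison.
INETSRV = r"%windir%\system32\inetsrv"

# Security-relevant module DLLs and the "If removed?" effect from the slides.
SECURITY_MODULES = {
    "modrqflt.dll": "No request filtering based on extension, query string size, etc.",
    "urlauthz.dll": "No ability to do URL-based denying via configuration and users",
    "iprestr.dll": "No IP-based restricting of requests",
    "loghttp.dll": "No request data will be logged",
}

# Constructed <globalModules> excerpt (sample data; names are illustrative).
SAMPLE_MODULES = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="UrlAuthorizationModule" image="%windir%\System32\inetsrv\urlauthz.dll" />
      <add name="MyBasicAuth" image="D:\modules\mybscauth.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def global_modules(xml_text):
    """Return (name, image) for every native module registered in <globalModules>."""
    root = ET.fromstring(xml_text)
    section = next(root.iter("globalModules"), None)
    if section is None:
        return []
    return [(m.get("name", ""), m.get("image", "")) for m in section.findall("add")]


def audit_modules(xml_text):
    """Report absent security modules and modules loaded from outside inetsrv."""
    modules = global_modules(xml_text)
    # Image paths are Windows paths, so split them with ntpath on any platform.
    loaded = {ntpath.basename(image).lower() for _, image in modules}
    missing = {dll: effect for dll, effect in SECURITY_MODULES.items()
               if dll not in loaded}
    # Anything outside inetsrv is custom code running in the worker process
    # and is listed for review, not treated as an error.
    outside = [(name, image) for name, image in modules
               if ntpath.dirname(image).lower() != INETSRV]
    return {"missing": missing, "outside_inetsrv": outside}


if __name__ == "__main__":
    report = audit_modules(SAMPLE_MODULES)
    for dll, effect in sorted(report["missing"].items()):
        print(f"not registered: {dll} -> {effect}")
    for name, image in report["outside_inetsrv"]:
        print(f"review custom module: {name} ({image})")
```

A module reported as missing may simply not have been installed, since IIS 7.0 installs only the selected features; the report shows which protections that server therefore does without.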

Page 32: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Diagnostics Modules

Implements IIS 7.0’s Request Monitoring, tracing, and Failed Request Tracing

Module Name | Purpose | If removed?
iisfreb.dll | Implements tracing of failed requests | No automatic tracing based on the configured rules
iisetw.dll | Implements Enterprise Tracing for Windows functionality to capture detailed trace logs | No tracing of specific requests is available
iisreqs.dll | Implements the runtime state & control APIs for IIS 7.0 allowing viewing of executing requests, start\stop of sites, etc. | Unable to see runtime data or start\stop\pause websites

Page 33: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Development Modules

Development technologies offered as to execute code from that platform
Implements Managed Interfaces, etc.

Module Name | Purpose | If removed?
Filter.dll | Implements ISAPI filter functionality | No ISAPI filter will be loaded into any process
Isapi.dll | Implements ISAPI Extension Server Functionality | No ISAPI extension will be executed
Cgi.dll | Implements Common Gateway Interface (CGI) on top of IIS 7.0 | No CGI dll or exe will be executed
Webengine.dll | Connects the IIS core pipeline with the ASP.NET runtime and bridge between native and managed code in IIS 7.0 | No managed code will be supported in IIS 7.0

Page 34: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Misc. Modules

Performs independent functionality outside of any group

Module Name | Purpose | If removed?
dirlist.dll | Implements IIS 7.0’s directory browsing functionality | Directory browsing will not be allowed
defdoc.dll | Implements default document feature using defaultdoc section files | Specific URL is required and any / will fail
protsup.dll | Implements: custom/redirect response headers; custom HTTP verbs (trace\options); allows use of HTTP keep-alive | Specific features outlined in purpose will not be available
redirect.dll | Implements redirect functionality of incoming requests | If redirects are removed, content protected by redirect will be available

Page 35: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Misc. Modules (cont.)

Module Name | Purpose | If removed?
static.dll | Responsible for sending out responses for extensions listed in mimeMap section | Without it, no static file (htm, images, etc.) will be sent to client
Iis_ssi.dll | Implements server-side includes | Special case where this module is actually mapped as handler for .stm, .shtm, and .shtml
validcfg.dll | Validates at run-time if configuration is valid for IIS 7.0’s integrated mode | No validation or help is available when configuration is deployed improperly

Page 36: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS 7.0 Managed Modules

Managed Modules are loaded in two ways
  Called by webengine.dll (integrated mode)
  Called by core ISAPI module – isapimodule.dll (Classic)

Integrated Mode offers ASP.NET module features access to all types of content
Classic mode runs exactly like IIS 6.0 & ASP.NET 2.0
Managed modules are only defined at application level (<modules>) along with native modules

Page 37: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS 7.0 Managed Modules

Implements managed code module parity with ASP.NET 2.0
Requires webengine.dll native module to execute

Name | Purpose
FormsAuthentication | Allows authentication against all content using forms-based authentication to a database\file
WindowsAuthentication | Sets the identity for the application to the WindowsAuthenticated user
DefaultAuthentication | Ensures that an auth object is present in the app context
OutputCache | Controls the output caching policies for your application
Session | Configures session state settings for current application
UrlAuthorization | Allows URL-based authorization via managed-code
Profile | Configures parameters for mapping user profiles values
RoleManager | Configures an application for role management
FileAuthorization | Allows file-based authorization via managed-code
AnonymousIdentification | Configures anonymous auth for application authorization
URLMappingModule | Defines a mapping that hides the real URL and maps to a friendly one

system.web

Page 38: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Demo

URL Rewriting
Directory Listing
  Basic
  “Deluxe”

Page 39: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS 6.0 Tracing vs. Failed Request Tracing

Tracing: What it is?

IIS 6.0 Usage:
  No User Interface Support
  Updated as part of Service Pack 1
  Very difficult to restrict tracing to extensions, or paths
  Not extensible with custom events written by developers

Page 40: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS 6.0 Tracing vs. Failed Request Tracing (2)

IIS 7.0’s Failed Request Tracing

Setting up Tracing:
• IIS Manager
• Enabled Globally (Administrator)
• Actual Trace attributes settable per-site or per-application

Page 41: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS 6.0 Tracing vs. Failed Request Tracing (3)

Viewing Trace Data in IIS 6.0 difficult, yet when understood is very useful
Viewing Trace Data in IIS 7.0, easy-to-use XSLT breaks out various data to simplify reviewing

In Vista RTM

In LHS Beta 3

Page 42: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Demo

FREB in Action

Page 43: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS 6.0 Security vs. 7.0 Security

IIS 6.0 Security –
  All Bits Installed (%windir%\system32\inetsrv)
  “Features” turned on\off
  Uses local account and group for anonymous client requests and process account
  IIS_WPG: Group for allowing process creation and security
  URLScan added for additional security features not offered by Core server

Page 44: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

IIS 6.0 Security vs. 7.0 Security (2)

IIS 7.0 Security:

Change: Convert URLScan to installable features, rather than add-on
  Purpose: Bring a popular security tool into the product to simplify deployment, configuring, and supporting
  Benefit: With one click, RequestFilteringModule can be installed, and with one easy file deployed with your content it is working

Change: Only Install Bits Selected
  Purpose: Reduce the footprint, lessen management tasks such as patching, etc.
  Benefit: Build truly customizable Web workloads to maximize security and improve performance

Change: Change local accounts to built-in accounts
  Purpose: Avoid management of passwords, ACL’ing problems and better handle Web farm deployments
  Benefit: Every installation of IIS 7.0 installs the same accounts, with same GUIDs, and with same ACLs and everything “just works.”

Page 45: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Unified authentication, authorization across web server platform

Fully supports non-Windows principals!

All authentication schemes configured one single way for all types of content

Forms authentication is now fully supported

IIS extends its ACL authorization model with URL Authorization:

  Membership system support (includes support for custom providers)
  Windows principals (stored in the local SAM or Active Directory)
  Custom configuration credential sections (non Windows principals)

Page 46: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Unified Authentication and Authorization
Reconciled impersonation model

IIS 7.0 always uses the following rules (in order of precedence)

1. If a username/password is configured at a virtual directory it is used first

2. If virtual directory username/password is not configured, the authenticated user’s credentials are used (anonymous, basic, windows)

3. If no authenticated user (e.g. if forms authentication was used or no authentication module is configured) the process identity is used

Page 47: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Unified Authentication and Authorization
Reconciled impersonation model

Web user requests page

VDIR has username and password configured

Credentials configured for the virtual directory are used

IIS 7.0 always uses the following rules (in order of precedence)

1. If a username/password is configured at a virtual directory it is used first

2. If virtual directory username/password is not configured, the authenticated user’s credentials are used (anonymous, basic, windows)

3. If no authenticated user (e.g. if forms authentication was used or no authentication module is configured) the process identity is used

Page 48: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Unified Authentication and Authorization
Reconciled impersonation model

Web user requests page

User is prompted and provides valid Windows credentials. Note - the <authentication> section needs to be configured

VDIR has no username, password configured

The client credentials or anonymous identity provided during authentication is used

IIS 7.0 always uses the following rules (in order of precedence)

1. If a username/password is configured at a virtual directory it is used first

2. If virtual directory username/password is not configured, the authenticated user’s credentials are used (anonymous, basic, windows)

3. If no authenticated user (e.g. if forms authentication was used or no authentication module is configured) the process identity is used

Page 49: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Unified Authentication and Authorization
Reconciled impersonation model

Web user requests page

No user authentication is configured

VDIR has no username, password configured

The process identity is used

IIS 7.0 always uses the following rules (in order of precedence)

1. If a username/password is configured at a virtual directory it is used first

2. If virtual directory username/password is not configured, the authenticated user’s credentials are used (anonymous, basic, windows)

3. If no authenticated user (e.g. if forms authentication was used or no authentication module is configured) the process identity is used

Page 50: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Unified Authentication and Authorization
Reconciled impersonation model

ASP.NET developers can still define their own identity section if required by their applications

Useful for applications that reside on different machines

Web user requests page

IIS uses any of the impersonation methods and impersonates some Windows identity

ASP.NET developers can use their web.config to impersonate an alternate identity (example - for database access)

Page 51: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Demo

Extending AuthN & AuthZ

Page 52: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Administration Extensibility

Delegated administration
  Non-administrators can change relevant settings.
  Admins specify what’s allowed per site and application.

Unified management for the entire web platform
  IIS and ASP.NET settings are presented within the same user interface.

Extensible architecture
  Developers can create custom management features.

Remote administration
  Administer locally, over the intranet, or over the Internet.

New modern look and feel
  A new navigation-based, task-oriented, rich user experience.

Page 53: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Architecture

[Diagram labels: IIS 7.0 (http://server/MyApp); Web Management Client; Web Management Server (Standalone Web server: http://server:8080/…); Connection Manager; Connection; Login Handler; Module; Module UI; Module Service; Module Service Proxy; Provider; Application appdomain; Content and Configuration; Runtime state; Data]

Page 54: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Extensibility

Extensibility Points

New Features and Pages
  Register new pages with the Control Panel

Existing plug-in points
  Authentication
  Lock Configuration
  Provider Configuration
  Validation

Custom extensibility using the Extensibility Manager

Page 55: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Extensibility

Adding a new management module

Server
  Write a new Module Provider
  Write a Module Service
  Install the DLL to the GAC
  Register the module in the root configuration
  Enable the module

Client
  Write a new Module
  Write a Module Service Proxy
  Write some Module Pages
  Plug in existing features using the Extensibility Manager

Page 56: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Demo

MRU
Server Header
End-to-End Sample with Module

Page 57: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Microsoft.Web.Administration

Page 58: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Demo

Microsoft.Web.Administration
  Listing Sites
  Creating a Site
  App Pool Creation

Page 59: MSDN Briefing IIS7 für Entwickler Christoph Wille, MVP ASP.NET

Summary

Something new for everyone in IIS 7.0
Most radical changes in IIS since IIS 4.0

IIS 6.0 was…
  Limited for Developers because of ISAPI and less-than desirable support for Managed-code
  Limiting configuration for key scenarios, such as delegation and schema extensibility
  Limited troubleshooting capabilities to support zero-repro environments

IIS 7.0 is…
  Easy to extend using any language, native or managed
  Robust configuration supporting delegation, schema extensibility
  Task-based oriented, newly re-written IIS Manager supporting delegation, and much more
  Has awesome diagnostics which is natively built-in to the plumbing of IIS 7.0