Securing and Tuning IIS7
Microsoft®
Hosting Deployment Accelerator
What We’ll Cover
IIS7 Performance
  New IIS7 Performance Features
  Tuning IIS7
IIS7 Security
  Reduced Attack Surface
  Architectural Changes
  New Security Features
Windows Server Core
  Get both performance and security benefits
IIS7 Performance Improvements
Kernel mode SSL and Windows authentication
  Performance improvements up to 150%
More powerful compression
  For static and dynamic content
Output caching
  Per URL, query string and/or request headers
  APIs for putting responses in the output cache
Improved scalability
  Host thousands of sites
FastCGI
  Great way to run PHP on IIS
CGI vs. FastCGI
demo
IIS7 Tuning Tips
Enable Output Caching for semi-dynamic pages
Low bandwidth Branch Offices?
  Enable Dynamic Compression (~5% CPU overhead)
Need to run many web apps on a single box?
  Run IIS worker processes in Wow64 mode
  Room for the OS, scalability for your web apps
  Now a per-AppPool setting: Enable32BitAppOnWow64
Thinking about buying new Web Server hardware?
  W2K8 scales extremely well on new multi-proc boxes (4 and 8 core)
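The tips on this slide, together with the kernel-mode Windows authentication item from the performance slide, written out as the configuration an administrator would actually apply. This is an added example, not a slide from the deck: the site name "Default Web Site", the pool name "ConsolidatedPool" and the .php extension are assumptions, and the 32-bit setting appears under its applicationHost.config attribute name, enable32BitAppOnWin64 (the deck calls it Enable32BitAppOnWow64).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Fragment of %windir%\system32\inetsrv\config\applicationHost.config.
     Added example, not from the deck; site name, pool name and the .php
     extension are assumptions. -->
<configuration>
  <system.applicationHost>
    <applicationPools>
      <!-- Many apps on one box: 32-bit worker processes under WOW64 keep
           each w3wp.exe small and leave memory for the OS. The deck calls
           the setting Enable32BitAppOnWow64; the config attribute is
           enable32BitAppOnWin64. -->
      <add name="ConsolidatedPool" enable32BitAppOnWin64="true"
           managedPipelineMode="Integrated" />
    </applicationPools>
  </system.applicationHost>

  <location path="Default Web Site">
    <system.webServer>
      <!-- Output caching for semi-dynamic pages: keep each PHP response for
           30 seconds, one cached copy per distinct query string. Static
           files stay kernel-cached (enableKernelCache) so HTTP.SYS answers
           those without a trip to the worker process. -->
      <caching enabled="true" enableKernelCache="true">
        <profiles>
          <add extension=".php" policy="CacheForTimePeriod"
               duration="00:00:30" varyByQueryString="*" />
        </profiles>
      </caching>

      <!-- Compression for low-bandwidth branch offices. Static compression
           is cached on disk and nearly free; dynamic compression costs CPU
           on every response (the deck puts it at ~5%), so it is the one to
           weigh against spare CPU before turning it on. -->
      <urlCompression doStaticCompression="true" doDynamicCompression="true" />

      <!-- Kernel-mode Windows authentication (the deck's "up to 150%"):
           only relevant where the site already uses Windows auth. -->
      <security>
        <authentication>
          <windowsAuthentication enabled="true" useKernelMode="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The caching profile is user-mode because it varies by query string; the kernel cache still serves the static files and default documents the next slides talk about. Dynamic compression is the only setting here with a per-request CPU cost, which is why the deck ties it to a bandwidth problem rather than recommending it everywhere.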
IIS7 Tuning Tips
Thousands of requests per second?
  Remove modules you don't need
Don't know why some pages are so slow?
  Turn on FREB and the "time-taken" feature to investigate
You wildcard (*) scriptmapped all requests to ASP.NET in IIS6?
  Integrated Pipeline is much faster than an IIS6 wildcard scriptmap solution
  Try together with IIS7 URL Authorization
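How the module-trimming and FREB/time-taken tips look in configuration, as an added example rather than anything from the deck. The site name, log directories and the three modules chosen for removal are assumptions. Note that a <remove> in a site's <modules> list only stops those modules from running for that site; the DLLs named in <globalModules> stay loaded in every w3wp.exe until the component itself is uninstalled.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Fragment of applicationHost.config. Added example, not from the deck;
     the site name, log directories and removed modules are assumptions. -->
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <!-- bindings and applications omitted -->
        <!-- W3C log with the time-taken field (milliseconds), so slow URLs
             show up in the access log without any tracing at all -->
        <logFile logFormat="W3C"
                 directory="%SystemDrive%\inetpub\logs\LogFiles"
                 logExtFileFlags="Date, Time, ClientIP, Method, UriStem, UriQuery, HttpStatus, HttpSubStatus, Win32Status, TimeTaken" />
        <!-- Where Failed Request Tracing (FREB) writes its XML traces -->
        <traceFailedRequestsLogging enabled="true"
                 directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles"
                 maxLogFiles="50" />
      </site>
    </sites>
  </system.applicationHost>

  <location path="Default Web Site">
    <system.webServer>
      <!-- Fewer modules: every module still enabled for the site runs its
           event handlers on every request. Names must match <globalModules>. -->
      <modules>
        <remove name="ServerSideIncludeModule" />
        <remove name="DirectoryListingModule" />
        <remove name="CgiModule" />
      </modules>

      <!-- FREB rule: keep a verbose trace of any request that takes longer
           than 5 seconds or ends in a 5xx, for every URL in the site -->
      <tracing>
        <traceFailedRequests>
          <add path="*">
            <traceAreas>
              <add provider="WWW Server"
                   areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module"
                   verbosity="Verbose" />
            </traceAreas>
            <failureDefinitions timeTaken="00:00:05" statusCodes="500-599" />
          </add>
        </traceFailedRequests>
      </tracing>
    </system.webServer>
  </location>
</configuration>
```

The trace shows the time spent in each module notification, which is what makes a "remove modules you don't need" decision measurable instead of a guess; the time-taken column in the W3C log is the cheap way to find which URLs deserve a trace in the first place.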
IIS7 Tuning Tips
PHP applications?
  PHP on top of FastCGI is much faster than traditional CGI
The majority of your requests go to your Default Document?
  Put it on top of the list, otherwise IIS7 has to check every time
  Static default documents will be cached in kernel-mode (+450%)
Looking for tools to measure web server performance?
  Try WCAT 6.3 from www.iis.net/downloads
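The PHP-on-FastCGI and default-document tips as configuration. This is an added example, not from the deck: C:\PHP\php-cgi.exe, the handler name "PHP_via_FastCGI", the site name and the file names in the default document list are all assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Fragment of applicationHost.config. Added example, not from the deck;
     the PHP path, handler name, site name and document names are assumptions. -->
<configuration>
  <system.webServer>
    <!-- FastCGI process pool for PHP (this section is server-wide). One
         php-cgi.exe is reused across requests instead of being spawned per
         request as with plain CGI. instanceMaxRequests and
         PHP_FCGI_MAX_REQUESTS must agree so that IIS recycles the process
         before PHP exits on its own mid-request. -->
    <fastCgi>
      <application fullPath="C:\PHP\php-cgi.exe" maxInstances="4"
                   instanceMaxRequests="10000"
                   activityTimeout="60" requestTimeout="90">
        <environmentVariables>
          <environmentVariable name="PHP_FCGI_MAX_REQUESTS" value="10000" />
          <environmentVariable name="PHPRC" value="C:\PHP" />
        </environmentVariables>
      </application>
    </fastCgi>
  </system.webServer>

  <location path="Default Web Site">
    <system.webServer>
      <!-- Map *.php to the FastCGI module; scriptProcessor must match the
           fullPath above exactly or IIS will not find the process pool -->
      <handlers>
        <add name="PHP_via_FastCGI" path="*.php" verb="GET,HEAD,POST"
             modules="FastCgiModule" scriptProcessor="C:\PHP\php-cgi.exe"
             resourceType="Either" />
      </handlers>

      <!-- Default documents are probed in list order, so the one most
           requests resolve to goes first. Clearing the inherited list also
           removes probes for names this site never uses. -->
      <defaultDocument enabled="true">
        <files>
          <clear />
          <add value="index.php" />
          <add value="index.html" />
        </files>
      </defaultDocument>
    </system.webServer>
  </location>
</configuration>
```

With the list cleared and index.php first, a request for "/" costs one file-system probe instead of one per inherited entry; when the default document is a static file the response is also eligible for the HTTP.SYS kernel cache, which is the +450% the slide refers to.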
Output Caching
demo
IIS7 Security
Building upon a solid foundation - IIS6
Reduced Attack Surface
  Server Core
  Componentization
Application Pool Isolation and other architectural changes
Security Features
  Request Filtering
  URL Authorization
IIS7 Installable Components
Http Protocol Support: RequestFilteringModule, ProtocolSupportModule, OptionsVerbModule, HttpRedirectionModule
Logging and Diagnostics: HttpLoggingModule, CustomLoggingModule, RequestMonitorModule, TracingModule
Configuration and Metadata Caches: TokenCacheModule, UriCacheModule, SiteCacheModule, FileCacheModule
Core Web Server: DirectoryListingModule, CustomErrorModule, DynamicCompressionModule, StaticCompressionModule, StaticFileModule, DefaultDocumentModule, HttpCacheModule
AuthN/AuthZ: BasicAuthModule, DigestAuthModule, WindowsAuthModule, CertificateAuthModule, AnonymousAuthModule, FormsAuthModule, UrlAuthorizationModule
Extensibility: ISAPIModule, ISAPIFilterModule, CGIModule, ServerSideIncludeModule, ManagedEngineModule
Componentization
demo
Security Architecture Improvements
Feature delegation
  Allow non-administrators to manage IIS7 settings remotely
  Allow fine-grained control over feature delegation
Application pool isolation
  Sandboxing out-of-the-box
Security Architecture Improvements
IIS7 identities are built-in
  Anonymous User IUSR_<machinename> → IUSR
  IIS_WPG is now IIS_IUSRS
  Easier to administer, scale-out and configure
  You no longer need to add worker process identities to the IIS_IUSRS group
Anonymous user is no longer required
  Worker process identity does the job
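What the built-in identities and per-pool isolation look like in applicationHost.config for two tenants on one server. This is an added example, not from the deck: the site names, host headers, content paths and pool names are assumptions, and it assumes an IIS 7 build that offers the ApplicationPoolIdentity identity type.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Fragment of applicationHost.config. Added example, not from the deck;
     site names, host headers, paths and pool names are assumptions. -->
<configuration>
  <system.applicationHost>
    <applicationPools>
      <!-- One pool per tenant. With ApplicationPoolIdentity each w3wp.exe
           runs as its own built-in per-pool account (IIS APPPOOL\<pool>),
           which already belongs to IIS_IUSRS, so nothing is added to groups
           by hand and no account is shared between the two pools. -->
      <add name="Tenant1Pool" managedPipelineMode="Integrated">
        <processModel identityType="ApplicationPoolIdentity" />
      </add>
      <add name="Tenant2Pool" managedPipelineMode="Integrated">
        <processModel identityType="ApplicationPoolIdentity" />
      </add>
    </applicationPools>
    <sites>
      <site name="tenant1" id="2">
        <application path="/" applicationPool="Tenant1Pool">
          <virtualDirectory path="/" physicalPath="D:\sites\tenant1" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:tenant1.example" />
        </bindings>
      </site>
      <site name="tenant2" id="3">
        <application path="/" applicationPool="Tenant2Pool">
          <virtualDirectory path="/" physicalPath="D:\sites\tenant2" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:tenant2.example" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>

  <system.webServer>
    <security>
      <authentication>
        <!-- Empty userName: anonymous requests run as the worker process
             identity instead of a separate IUSR_<machinename> account. The
             NTFS ACL on D:\sites\tenant1 then grants only
             IIS APPPOOL\Tenant1Pool (and no broad group such as Users), so
             code running in Tenant2Pool cannot read tenant1's content. -->
        <anonymousAuthentication enabled="true" userName="" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

The isolation comes from two things working together: a distinct process per pool, and file-system ACLs that name only that pool's identity. Leaving a broad group on the content directories would quietly undo the second half.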
Application Pool Isolation
demo
Security Features
.NET security integration
  Roles, profile, membership, forms auth and URL auth modules support any type of content
  Use of .NET Role and Membership Providers
URL Authorization
  Control access via web.config files instead of using ACLs
Request Filtering
  Filter verbs, sequences, URLs, headers
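One web.config that applies the three features on this slide to every kind of content in a site: .NET forms authentication and roles, URL Authorization expressed in configuration rather than ACLs, and Request Filtering. Added example, not from the deck; the "Editors" role, the login page, the extensions, segments and limits are assumptions, and the role provider is whatever machine.config configures as the default. The two <modules> entries re-register the ASP.NET forms-authentication and role modules without the managedHandler precondition, which is what lets them run for PHP and static files in the integrated pipeline.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config at the site root. Added example, not from the deck;
     role name, login page, extensions, segments and limits are assumptions. -->
<configuration>
  <system.web>
    <!-- Forms authentication plus the default role provider from machine.config -->
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" timeout="30" />
    </authentication>
    <roleManager enabled="true" />
  </system.web>

  <system.webServer>
    <!-- Re-register the two managed modules without the managedHandler
         precondition so they run for PHP and static files as well -->
    <modules>
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="RoleManager" />
      <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
    </modules>

    <security>
      <!-- URL Authorization in place of NTFS ACLs: drop the inherited
           "allow everyone" rule, let Editors in, deny anonymous users.
           A user matching no rule is denied. -->
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="Editors" />
        <add accessType="Deny" users="?" />
      </authorization>

      <!-- Request Filtering runs before any handler: verbs are an explicit
           allow-list, extensions and segments are deny-lists, and the size
           limits bound what a client can send. -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">
        <requestLimits maxAllowedContentLength="10485760" maxUrl="2048" maxQueryString="1024" />
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".sql" allowed="false" />
        </fileExtensions>
        <hiddenSegments>
          <add segment="backup" />
          <add segment="private" />
        </hiddenSegments>
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Rule order matters in <authorization>: IIS walks the list top to bottom and the first match wins, so the Allow for Editors precedes the Deny for anonymous users. Rejected requests get a 404 from Request Filtering and a 401 from URL Authorization, both before the PHP or static-file handler is ever invoked.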
Request Filtering
demo
Server Core
Server Core is:
  A minimal installation option for Windows Server® 2008
  Part of the Windows Server® 2008 general purpose SKUs
  Available for x86 and x64
Server Core Benefits
Today's challenges
  Servers have a single role or a fixed workload
  Administrators are required to deploy and service the full OS
  Non-value-add features present a servicing and security burden
  Administrators think of servers in terms of server roles
With Server Core:
  Fewer Patches
    Reduces # of patches by ~60% (based on all Win2000 patches)
    Servicing burden is reduced by removing components that are most often serviced
  More Secure, Reliable and Less Management
    Removal of non-value-add legacy & client components from server
Server Core Overview
Server Core:
  Provides minimal server OS functionality
    Core sub-systems: Security logon, networking (TCP/IP), file system, RPC, etc.
    Infrastructure: Command shell, domain join, eventlog, perfcounters, HTTP, IPSec
    Basic set of management tools: Configure IP address, create users, notepad, taskmgr
  Uses low surface area server for targeted roles
  Includes a set of server roles
  Includes the following optional features: WINS, Failover Clustering, Subsystem for UNIX-based applications, Backup, Multipath IO, Removable Storage Management, Bitlocker Drive Encryption, SNMP, Telnet Client, and QoS
Summary
IIS7 builds upon the IIS6 architecture
  Process model
  Minimal attack surface
  Performance optimized
IIS7 offers major architectural enhancements
  Modularization, built-in accounts, configurable caching, compression, server core etc.
Links
App Pool isolation
URL AuthZ: http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Configuring-Security/URL-Authorization/Understanding-IIS7-URL-Authorization
IIS 6 Security History
IIS 6 has only 3 advisories released to date, none of them rated as critical
http://secunia.com/product/1438/?task=advisories
Apache 2.0.x, on the other hand, has over 35, several of which are rated critical
http://secunia.com/product/73/?task=advisories
IIS7 Architecture (diagram, labels only): HTTP.SYS Kernel-Mode Listener; Service Host (SVCHost.EXE) hosting the Windows Process Activation Service (WAS) and the World Wide Web Service (W3SVC); Worker Process (W3WP.EXE) reading Configuration (applicationhost.config) and running the pipeline Read Configuration, Authenticate, Authorize, Map Request, Handle Request (Static File Handler, PHP, ASP.Net), Send Response, Log Request.
IIS7 Request Flow (diagram, labels only): the same components as the architecture diagram, plus the inside of HTTP.SYS: HTTP Protocol Host, Request Queue, HTTP Listener, Channel, Response Cache, Bindings: http://*:80:site1.
Accepting HTTP (and HTTPS) connections
Parsing and validating HTTP requests
Queuing of HTTP requests in application-specific queues
Caching of HTTP responses
New:
  SSL
  Kernel-Mode Windows authentication
WAS and W3SVC
Windows Process Activation Service (WAS)
  Configuration Manager
    Reads configuration from applicationhost.config and reacts to changes in configuration
    Passes configuration to the World Wide Web Service
  Process Manager
    Starts worker processes when a listener (e.g. HTTP.SYS) receives the first request
    Monitors state and health of worker processes
    Recycles worker processes based on certain parameters, e.g. lifetime, number of requests, schedule etc.
    Prevents resource exhaustion, e.g. by limiting the number of worker processes that can be active at the same time
W3SVC
  HTTP-specific listener adapter
    Site binding information (IP address, port, host header)
    Application Pool and Application settings
    Configuration changes
Worker Process
Establishes a connection with WAS at startup
Responds to WAS requests, e.g. when asked to shut down
Picks up requests from the HTTP.SYS request queue
Manages the request pipeline
Processes requests and sends responses
Runs all third-party code
  Modules, handlers, ISAPI filters and extensions, assemblies, COM objects etc.
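The Process Manager behaviour described on the WAS slide (health monitoring, recycling by lifetime, request count and schedule, and limiting worker processes to prevent resource exhaustion) is driven by per-pool settings. The fragment below is an added example, not from the deck; the pool name and every number are illustrative assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Fragment of applicationHost.config. Added example, not from the deck;
     the pool name and all values are illustrative. -->
<configuration>
  <system.applicationHost>
    <applicationPools>
      <!-- queueLength caps the HTTP.SYS request queue for this pool; beyond
           it clients get 503 instead of the box being swamped -->
      <add name="Tenant1Pool" queueLength="1000">
        <!-- Process Manager inputs: idle shutdown, health pings, a cap on
             simultaneous worker processes, and how long shutdown may take
             before WAS terminates the process -->
        <processModel identityType="ApplicationPoolIdentity"
                      idleTimeout="00:20:00" maxProcesses="1"
                      pingingEnabled="true" pingInterval="00:00:30"
                      pingResponseTime="00:01:30"
                      shutdownTimeLimit="00:01:30" />
        <!-- Recycle by lifetime (29 h), request count, private memory (KB)
             or a fixed time of day. Overlapping rotation keeps the old
             process serving until the new one has connected to WAS. -->
        <recycling logEventOnRecycle="Time, Requests, Schedule, PrivateMemory"
                   disallowOverlappingRotation="false">
          <periodicRestart time="1.05:00:00" requests="100000" privateMemory="524288">
            <schedule>
              <add value="03:00:00" />
            </schedule>
          </periodicRestart>
        </recycling>
        <!-- Rapid-fail protection: stop the pool after 5 crashes in 5
             minutes instead of letting a faulty module restart forever -->
        <failure rapidFailProtection="true"
                 rapidFailProtectionInterval="00:05:00"
                 rapidFailProtectionMaxCrashes="5" />
        <!-- CPU limit in 1/1000ths of a percent: kill the worker process if
             it averages more than 50% CPU over each 5-minute interval -->
        <cpu limit="50000" action="KillW3wp" resetInterval="00:05:00" />
      </add>
    </applicationPools>
  </system.applicationHost>
</configuration>
```

Because every third-party module, handler, ISAPI extension and COM object runs inside w3wp.exe rather than inside WAS or W3SVC, these limits are what keep a misbehaving tenant application from taking the service itself down; WAS only ever supervises from the outside.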
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.