MSDN Briefing
IIS7 for Developers
Christoph Wille, MVP ASP.NET
http://chrison.net/
Title slide: seven (Internet Information Services 7): supportable, integrated, extensible, componentized, compatible, secure, delegated
IIS – A Colorful Past
• 1996 – V1 ships with Windows NT 4.0; V2 & V3 releases came in follow-up SP releases
• 1997 – V4 part of the NT 4 Option Pack
• 2000 – V5 installed by default in Windows 2000
• 2001 – March 2001, #1 in Internet site share; Fall 2001, Code Red and Nimda
• 2003 – V6 released in Windows Server 2003
IIS 6 Today
Secure by Default
• IIS no longer installed by default with the OS
• IIS installs with a “locked down” configuration
• Runs with minimal permissions, secure configuration
Secure by Design
• Extensive design & code reviews
• Penetration testing
• Defense in depth
Process architecture designed for application failure
• Health detection
• Automatic recycling of applications
Result: Zero critical security patches since release. #1 in reliability for major internet sites.
Agenda
• Architecture Overview
• Modularization
• Extensibility
• Administration & Troubleshooting
For Developers
• Where do I get IIS 7.0? Windows Vista editions with IIS 7.0
• Where do I start? What type of developer are you? Native developers vs. managed-code devs
• Understanding the Core Server Architecture
Vista Edition | Available
Home Basic | N
Home Premium | N
Business | Y
Ultimate | Y
Installation Differences
IIS 7.0
• Rebuilt setup architecture
• Uses Vista’s Windows Features On and Off
• Can also use Vista’s Package Manager (Pkgmgr.exe)
Full install of all IIS components:
start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
IIS minimal install:
start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
Architecture Introduction
IIS 7.0’s architecture, albeit similar to IIS 6.0, offers unique changes. The default architecture has the same “players” with some fresh new ones:
• HTTP.sys
• W3SVC
• W3WP
• WAS / WPAS (Windows Process Activation Service)
• Inetinfo (optional)
A Review… IIS 6.0 Architecture
Diagram: the IIS 6.0 pipeline: Authentication (Anon, NTLM, Basic) → Determine Handler (Static File, CGI, ISAPI: ASP.NET, PHP, …) → Send Response (Log, Compress).
• Monolithic implementation: install all or nothing…
• Extend server functionality only through ISAPI…
IIS7 Request Processing
Diagram: the IIS 6.0 stages (Authentication: Anon, NTLM, Basic → Determine Handler: Static File, CGI, ISAPI → Send Response: Log, Compress) shown alongside the IIS7 pipeline events: Authentication, Authorization, ResolveCache, ExecuteHandler, UpdateCache, SendResponse, …
• Server functionality is split into ~40 modules...
• Modules plug into a generic request pipeline…
• Modules extend server functionality through a public module API.
Architecture in IIS7
What does the “Core” do?
• Exposes interfaces
• Agrees to “hook” up interfaces via subscription or events
Extensibility
• Primary workhorse for the Web server
• Code authors: Microsoft, in the form of “modules” that will ship with the IIS7 platform; You: the rest of the world
IIS6 ASP.NET Integration
Runtime limitations
• Only sees ASP.NET requests
• Feature duplication
Diagram: the IIS 6.0 pipeline (Authentication: Anon, NTLM, Basic → Determine Handler: Static File, CGI, ISAPI → Send Response: Log, Compress) hands ASP.NET requests to aspnet_isapi.dll, which runs its own separate pipeline (Authentication: Forms, Windows → Map Handler: ASPX → Trace, …).
IIS7 ASP.NET Integration
Two Modes
• Classic (runs as ISAPI)
• Integrated
Integrated Mode
• .NET modules / handlers plug directly into the pipeline
• Process all requests
• Full runtime fidelity
Diagram: one unified pipeline (Authentication, Authorization, ResolveCache, ExecuteHandler, UpdateCache, SendResponse) in which native modules (Anon, Basic, Static File, ISAPI, Log, Compress, …) and the modules formerly inside aspnet_isapi.dll (Forms and Windows authentication, Map Handler: ASPX, Trace, …) sit side by side.
Reviewing IIS 7.0 Architecture
Diagram: IIS 6.0 W3WP’s vs. IIS 7.0 W3WP’s.
• IIS 6.0 worker process: a few large DLLs: w3core.dll, w3cache.dll, w3comlog.dll, iisutil.dll, iisRtl.dll, iisres.dll, iismap.dll, gzip.dll, admwprox.dll
• IIS 7.0 worker process: one DLL per module: cacheuri.dll, cachfile.dll, cachhttp.dll, modrqflt.dll, compdyn.dll, compstat.dll, defdoc.dll, iisetw.dll, static.dll, cgi.dll, modexp.dll, and the diagram’s custom my*.dll modules (mybscauth.dll, myauthurl.dll, mycompres.dll, mylogging.dll, myMossint.dll, myparser.dll)
Demo: The Most Secure Web Server Ever
Metabase vs. “AppHost.config”
IIS 6.0’s Metabase Design
• Supported a legacy, out-dated interface (ABO)
• Maintained its own ACL’ing within the file, rather than via file system ACL’ing
• Delegation wasn’t supported; relied solely on administrative privileges
• Remote capabilities were limited, not a user-friendly experience
• Schema wasn’t architected in an easy-to-use format
• Extending the schema was nearly impossible
Metabase vs. “AppHost.config” (2)
Introducing ApplicationHost.config
• Location: %windir%\system32\inetsrv\config
• Default configuration: all features disabled *except* Directory Browsing (directoryBrowse), Default Document (defaultDocument), HTTP Redirect (httpRedirect), HTTP Protocol (httpProtocol)
• Features unlocked using IIS Manager or ApplicationHost.config
Metabase vs. “AppHost.config” (3)
ApplicationHost.config Facts:
• Uses a strongly-typed schema (%windir%\system32\inetsrv\config\schema\IIS_schema.xml)
• Easily edited using your favorite XML editor
• Broken down into two pieces: system.applicationHost and system.webServer
• Delegation: IIS settings are unlockable and distributable to web.config’s deployed with content
Metabase vs. “AppHost.config” (4)
ApplicationHost.config Facts (cont.):
• Uses well-known XML
• Organized into tightly-coupled groups for like features (i.e. collections)
• Uses simple key\value pairs for many options, like true\false, 0 or 1, etc.
• Extending the schema is a drag\drop experience (add an XML file to the /config directory and restart IIS)
• Example of such a key\value setting: <directoryBrowse enabled="false" />
Configuration Highlights
Delegated Configuration Administration
• Administrators may allow the app owner to modify settings
• Developers can set and deploy settings with their applications
• Xcopy-deployment of self-contained applications without running an admin tool or scripts to configure, even to a centralized UNC share
Unified Configuration Model for the Entire Web Platform
• Administrators may use the same file for IIS, ASP.NET, Indigo settings
• Developers can use the same API and concepts across the entire platform
• AuthN, AuthZ, custom errors, handlers, etc. are set one single way
Extensibility and Customization is easy
• Administrators can control what sections are registered with the system
• Developers can reuse base classes to quickly develop custom sections
• Clean schema allows smooth editing by hand (text/XML editor), API or admin tool
Compatibility Built-In at the API level
• ABO / ADSI scripts and applications continue to work
Configuration Layout
Diagram: the root configuration files (machine.config and the root web.config for the .NET Framework and ASP.NET; applicationHost.config for IIS) feed, through inheritance, into the web.config files of sites and applications (IIS + ASP.NET + .NET Framework).
Configuration Delegation
Delegation is:
• Configuration locking, “overrideMode”
• ACL’s on configuration files
By default…
• All IIS sections locked except: Default Document, Directory Browsing, HTTP Header, HTTP Redirects
• All .NET Framework / ASP.NET sections are unlocked
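An added example (my code, not from the briefing) of the delegation flow described in the ApplicationHost.config and Configuration Delegation slides: Microsoft.Web.Administration unlocks system.webServer/directoryBrowse for one site and the site’s own web.config then carries the setting. The site name is an assumption.

```csharp
using System;
using Microsoft.Web.Administration;

// Added example, not the briefing's code. Walks the two halves of delegation:
// the administrator unlocks a section for a site in applicationHost.config,
// the developer then sets that section in the site's web.config.
class DelegationSample
{
    const string SiteName = "Default Web Site";              // assumed site name
    const string SectionPath = "system.webServer/directoryBrowse";

    static void Main()
    {
        using (ServerManager mgr = new ServerManager())
        {
            // 1. Administrator side: applicationHost.config owns the lock.
            //    Directory browsing is one of the few sections unlocked by default;
            //    most IIS sections (authentication, requestFiltering, ...) are not.
            Configuration appHost = mgr.GetApplicationHostConfiguration();
            ConfigurationSection global = appHost.GetSection(SectionPath, SiteName);
            Console.WriteLine("{0} locked for {1}: {2}", SectionPath, SiteName, global.IsLocked);

            // Writes <location path="Default Web Site" overrideMode="Allow"> ... </location>
            global.OverrideMode = OverrideMode.Allow;
            mgr.CommitChanges();

            // 2. Developer side: the setting now lives in the site's web.config and
            //    can be xcopy-deployed together with the content.
            Configuration webConfig = mgr.GetWebConfiguration(SiteName);
            ConfigurationSection local = webConfig.GetSection(SectionPath);
            local["enabled"] = false;   // keep directory listing off for this site
            mgr.CommitChanges();

            // 3. Had the administrator set OverrideMode.Deny instead, the same
            //    web.config line would make IIS answer HTTP 500.19 ("This configuration
            //    section cannot be used at this path") rather than honor it.
        }
    }
}
```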
Demo: Customized Workload; Site Creation – A Tour of the UI; Currently Executing Requests; Configuring a Site for AuthN
Modules vs. ISAPI
IIS 6.0 Development
• First-class access to requests was only allowed using the Internet Server API (ISAPI)
• ISAPI only supported C\C++ languages and was rather complex technology
Client vs. Server Versions
• Windows XP Professional shipped with IIS 5.1, yet lots of development was for IIS 6.0
• IIS 6.0 shipped on Windows Server 2003 and was architected differently than IIS 5.x
Modules vs. ISAPI (2)
Client vs. Server Versions (cont.)
• Managed-code development architecture differed heavily between IIS 5.x & 6.0
• ASP.NET was written as an ISAPI and duplicated functionality of IIS 6.0
IIS 7.0
• IIS 7.0 on the client is the same as on the Server (via service packs)
• Support for multiple development interfaces to interact with the IIS 7 Core Server
IIS 7.0 Native Modules
• Vista ships with the potential of 40+ modules
• Most are native modules built using the new Native C\C++ APIs
• Native modules are defined in the <globalModules> section of applicationhost.config
• IIS 7.0 full install has 33 native modules
Utility Modules
Used to help the server engine with its internal operations. Do not provide configuration for these in applicationhost.config.
Module Name | Purpose | If removed?
cachfile.dll | Cache of file handles currently opened by the core server | Performance
cacheuri.dll | Cache configuration, etc. after the first request for a URI | Performance
cachtokn.dll | Caches tokens for password-based authentication | Performance
Compression Modules
Provides static & dynamic compression mechanisms for IIS requests
Module Name | Purpose | If removed?
Compdyn.dll | Implements in-memory compression of dynamic content | None, not installed by default
Compstat.dll | Implements in-memory as well as file-based compression for static content | Network bandwidth saturation with large requests
Configurable locations: system.webServer/httpCompression, system.webServer/urlCompression
Authentication Modules
IIS 7.0 core authentication modules
Module Name | Purpose | If removed?
authbas.dll | Implements HTTP basic authentication | Basic authentication is not available
authanon.dll | Implements anonymous authentication | Anonymous authentication is not allowed
authsspi.dll | Implements Windows Authentication (NTLM\Kerberos) | Negotiate (Kerberos), NTLM are unavailable
authmd5.dll | Implements Digest Authentication | Digest Authentication is not available
authcert.dll | Implements IIS Client Certificate Mapping (requires SSL) | Client certificates are not accepted for authentication
authmap.dll | Maps SSL client certs to an Active Directory account | Active Directory mapping is unavailable
Security Modules
Implements URL authorization and IP\Domain restrictions
Module Name | Purpose | If removed?
Iprestr.dll | Implements authorization of requests based on the client’s IPv4 address | No IP-based restricting of requests
Urlauthz.dll | Implements authorization based on configuration rules | No ability to do URL-based denying via configuration and users
modrqflt.dll | Implements a powerful set of security rules based on known & unknown attack vector points (previously known as URLScan) | No request filtering based on extension, query string size, etc.
Logging & Error Modules
Implements logging functionality; implements custom & detailed errors
Module Name | Purpose | If removed?
Loghttp.dll | Implements standard IIS logging | No request data will be logged
Logcust.dll | Implements the ILogPlugin interface on top of IIS7. It is not recommended to use this as it is an old implementation; the recommendation is to write your own module and subscribe to the RQ_LOG_REQUEST event. | Applications dependent on the legacy interface will not work
Custerr.dll | Allows for the use of custom errors and the new IIS7 detailed error features | No error messages (custom or detailed) will be sent to clients
Diagnostics Modules
Implements IIS 7.0’s request monitoring, tracing, and Failed Request Tracing
Module Name | Purpose | If removed?
iisfreb.dll | Implements tracing of failed requests | No automatic tracing based on the configured rules
iisetw.dll | Implements Event Tracing for Windows (ETW) functionality to capture detailed trace logs | No tracing of specific requests is available
iisreqs.dll | Implements the runtime state & control APIs for IIS 7.0, allowing viewing of executing requests, start\stop of sites, etc. | Unable to see runtime data or start\stop\pause websites
Development Modules
Development technologies offered to execute code from that platform; implements managed interfaces, etc.
Module Name | Purpose | If removed?
Filter.dll | Implements ISAPI filter functionality | No ISAPI filter will be loaded into any process
Isapi.dll | Implements ISAPI extension server functionality | No ISAPI extension will be executed
Cgi.dll | Implements the Common Gateway Interface (CGI) on top of IIS 7.0 | No CGI dll or exe will be executed
Webengine.dll | Connects the IIS core pipeline with the ASP.NET runtime and bridges between native and managed code in IIS 7.0 | No managed code will be supported in IIS 7.0
Misc. Modules
Performs independent functionality outside of any group
Module Name | Purpose | If removed?
dirlist.dll | Implements IIS 7.0’s directory browsing functionality | Directory browsing will not be allowed
defdoc.dll | Implements the default document feature using the files listed in the defaultDocument section | A specific URL is required and any / will fail
protsup.dll | Implements custom/redirect response headers, custom HTTP verbs (trace\options), and allows use of HTTP keep-alive | Specific features outlined in purpose will not be available
redirect.dll | Implements redirect functionality for incoming requests | If redirects are removed, content protected by redirect will be available
Misc. Modules (cont.)
Module Name | Purpose | If removed?
static.dll | Responsible for sending out responses for extensions listed in the mimeMap section | Without it, no static file (htm, images, etc.) will be sent to the client
Iis_ssi.dll | Implements server-side includes | Special case where this module is actually mapped as the handler for .stm, .shtm, and .shtml
validcfg.dll | Validates at run-time if configuration is valid for IIS 7.0’s integrated mode | No validation or help is available when configuration is deployed improperly
IIS 7.0 Managed Modules
Managed modules are loaded in two ways:
• Called by webengine.dll (integrated mode)
• Called by the core ISAPI module, isapimodule.dll (classic mode)
• Integrated mode offers ASP.NET module features access to all types of content
• Classic mode runs exactly like IIS 6.0 & ASP.NET 2.0
• Managed modules are only defined at application level (<modules>) along with native modules
IIS 7.0 Managed Modules
Implements managed-code module parity with ASP.NET 2.0; requires the webengine.dll native module to execute. The modules below are configured under system.web.
Name | Purpose
FormsAuthentication | Allows authentication against all content using forms-based authentication to a database\file
WindowsAuthentication | Sets the identity for the application to the Windows-authenticated user
DefaultAuthentication | Ensures that an auth object is present in the app context
OutputCache | Controls the output caching policies for your application
Session | Configures session state settings for the current application
UrlAuthorization | Allows URL-based authorization via managed code
Profile | Configures parameters for mapping user profile values
RoleManager | Configures an application for role management
FileAuthorization | Allows file-based authorization via managed code
AnonymousIdentification | Configures anonymous auth for application authorization
URLMappingModule | Defines a mapping that hides the real URL and maps to a friendly one
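An added example (my code, not the briefing’s demo) of a managed module that benefits from integrated mode as described above: it subscribes to the pipeline for every request, static files included, and removes the Server response header so the server version is not advertised. The class name and the module name in the registration are assumptions.

```csharp
using System;
using System.Web;

// Added example, not the briefing's code: an IHttpModule that runs inside the
// unified IIS 7.0 pipeline and strips the "Server" header from every response.
public class ServerHeaderModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PreSendRequestHeaders fires once per request, just before the native
        // SendResponse stage serializes the headers, for static and dynamic content alike.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;

        // HttpResponse.Headers is only available in integrated mode. In classic mode
        // (aspnet_isapi.dll) the module only sees ASP.NET requests and access to the
        // raw header collection throws, so bail out instead of failing the request.
        if (!HttpRuntime.UsingIntegratedPipeline)
            return;

        app.Context.Response.Headers.Remove("Server");
    }

    public void Dispose() { }
}

/* Registration for integrated mode goes in the application's web.config, in the
   same <modules> list as the native modules:

   <system.webServer>
     <modules>
       <add name="ServerHeaderModule" type="ServerHeaderModule" />
     </modules>
   </system.webServer>

   In classic mode the module would be listed under system.web/httpModules instead
   and would never run for .htm, images or other non-ASP.NET content. */
```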
Demo: URL Rewriting; Directory Listing – Basic, “Deluxe”
IIS 6.0 Tracing vs. Failed Request Tracing
Tracing: What is it?
IIS 6.0 Usage:
• No user interface support
• Updated as part of Service Pack 1
• Very difficult to restrict tracing to extensions, or paths
• Not extensible with custom events written by developers
IIS 6.0 Tracing vs. Failed Request Tracing (2)
IIS 7.0’s Failed Request Tracing
Setting up Tracing:
• IIS Manager
• Enabled globally (Administrator)
• Actual trace attributes settable per-site or per-application
IIS 6.0 Tracing vs. Failed Request Tracing (3)
• Viewing trace data in IIS 6.0 is difficult, yet when understood is very useful
• Viewing trace data in IIS 7.0 is easy: an XSLT breaks out the various data to simplify reviewing
Screenshots: In Vista RTM; In LHS Beta 3
Demo: FREB in Action
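An added example (my code, not the briefing’s demo) of the per-site setup described in the Failed Request Tracing slides: Microsoft.Web.Administration enables tracing for a site and adds a rule that captures authentication, security and module events whenever a request ends in HTTP 500. The site name is an assumption.

```csharp
using System;
using Microsoft.Web.Administration;

// Added example, not the briefing's code: configure Failed Request Tracing (FREB)
// for one site so that server errors leave an XML trace an operator can review.
class FrebSample
{
    static void Main()
    {
        using (ServerManager mgr = new ServerManager())
        {
            Site site = mgr.Sites["Default Web Site"];      // assumed site name

            // Enabling lives with the site definition in applicationHost.config
            // (the administrator's side: <traceFailedRequestsLogging enabled="true" />).
            site.TraceFailedRequestsLogging.Enabled = true;
            site.TraceFailedRequestsLogging.MaxLogFiles = 50;   // cap disk usage per site

            // The rule itself is in system.webServer/tracing/traceFailedRequests, a
            // delegated section, so it can ship in the site's web.config with the content.
            Configuration config = mgr.GetWebConfiguration(site.Name);
            ConfigurationSection tracing =
                config.GetSection("system.webServer/tracing/traceFailedRequests");
            ConfigurationElementCollection rules = tracing.GetCollection();

            ConfigurationElement rule = rules.CreateElement("add");
            rule["path"] = "*";                                  // every URL

            // Which provider/areas to record: authentication and security decisions
            // plus module entry/exit, verbose so the failing module is identifiable.
            ConfigurationElementCollection areas = rule.GetCollection("traceAreas");
            ConfigurationElement www = areas.CreateElement("add");
            www["provider"] = "WWW Server";
            www["areas"] = "Authentication,Security,Filter,Module";
            www["verbosity"] = "Verbose";
            areas.Add(www);

            // When to keep the trace: only requests that end with status 500.
            ConfigurationElement failure = rule.GetChildElement("failureDefinitions");
            failure["statusCodes"] = "500";
            rules.Add(rule);

            mgr.CommitChanges();
            Console.WriteLine("FREB enabled for {0}; traces go to the site's FailedReqLogFiles folder", site.Name);
        }
    }
}
```

Each captured request becomes an fr000001.xml-style file alongside freb.xsl, the stylesheet the slides refer to, so the trace can be opened directly in a browser.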
IIS 6.0 Security vs. 7.0 Security
IIS 6.0 Security
• All bits installed (%windir%\system32\inetsrv); “features” turned on\off
• Uses a local account and group for anonymous client requests and the process account
• IIS_WPG: group for allowing process creation and security
• URLScan added for additional security features not offered by the core server
IIS 6.0 Security vs. 7.0 Security (2)
IIS 7.0 Security:
• Convert URLScan to installable features, rather than an add-on: bring a popular security tool into the product to simplify deployment, configuring, and supporting. With one click, RequestFilteringModule can be installed, and with one easy file deployed with your content it is working.
• Only install the bits selected: reduce the footprint, lessen management tasks such as patching, etc. Build truly customizable Web workloads to maximize security and improve performance.
Change | Purpose | Benefit
Change local accounts to built-in accounts | Avoid management of passwords, ACL’ing problems and better handle Web farm deployments | Every installation of IIS 7.0 installs the same accounts, with the same GUIDs, and with the same ACLs, and everything “just works.”
Unified authentication, authorization across the web server platform | Fully supports non-Windows principals! All authentication schemes configured one single way for all types of content | Forms authentication is now fully supported
IIS extends its ACL authorization model with URL Authorization:
• Membership system support (includes support for custom providers)
• Windows principals (stored in the local SAM or Active Directory)
• Custom configuration credential sections (non-Windows principals)
Unified Authentication and Authorization
Reconciled impersonation model
IIS 7.0 always uses the following rules (in order of precedence):
1. If a username/password is configured at a virtual directory it is used first
2. If a virtual directory username/password is not configured, the authenticated user’s credentials are used (anonymous, basic, windows)
3. If there is no authenticated user (e.g. if forms authentication was used or no authentication module is configured) the process identity is used
Diagram, case 1: Web user requests page → VDIR has username and password configured → the credentials configured for the virtual directory are used.
Diagram, case 2: Web user requests page → user is prompted and provides valid Windows credentials (note: the <authentication> section needs to be configured) → VDIR has no username, password configured → the client credentials or anonymous identity provided during authentication is used.
Diagram, case 3: Web user requests page → no user authentication is configured → VDIR has no username, password configured → the process identity is used.
Diagram, case 4: Web user requests page → IIS uses any of the impersonation methods and impersonates some Windows identity → ASP.NET developers can use their web.config to impersonate an alternate identity (example: for database access).
• ASP.NET developers can still define their own identity section if required by their applications
• Useful for applications that reside on different machines
Demo: Extending AuthN & AuthZ
Administration Extensibility
• Delegated administration: non-administrators can change relevant settings; admins specify what’s allowed per site and application.
• Unified management for the entire web platform: IIS and ASP.NET settings are presented within the same user interface.
• Extensible architecture: developers can create custom management features.
• Remote administration: administer locally, over the intranet, or over the Internet.
• New modern look and feel: a new navigation-based, task-oriented, rich user experience.
Architecture
Diagram: the Web Management Client (Connection Manager, Login Handler, Connection, Module, Module Service Proxy, Module UI) connects to the Web Management Server (a standalone Web server: http://server:8080/…), where a Module Service, Provider and the Content and Configuration Runtime run in an application appdomain per connection (stateProvider, Data) and manage the IIS 7.0 site (http://server/MyApp).
Extensibility
Extensibility Points
• New features and pages: register new pages with the Control Panel
• Existing plug-in points: Authentication, Lock Configuration, Provider Configuration, Validation
• Custom extensibility using the Extensibility Manager
Extensibility
Adding a new management module
Server:
• Write a new Module Provider
• Write a Module Service
• Install the DLL to the GAC
• Register the module in the root configuration
• Enable the module
Client:
• Write a new Module
• Write a Module Service Proxy
• Write some Module Pages
• Plug in existing features using the Extensibility Manager
Demo: MRU; Server Header; End-to-End Sample with Module
Microsoft.Web.Administration
Demo: Microsoft.Web.Administration: Listing Sites; Creating a Site; App Pool Creation
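An added example (my code, not the briefing’s demo) covering the three demo items above with Microsoft.Web.Administration: list the sites with their bindings, create an application pool running as a built-in account, and create a site in that pool. Pool name, site name, physical path and port are assumptions.

```csharp
using System;
using Microsoft.Web.Administration;

// Added example, not the briefing's code: listing sites, creating an app pool and
// creating a site with the managed IIS 7.0 configuration API.
class SiteSample
{
    static void Main()
    {
        using (ServerManager mgr = new ServerManager())
        {
            // Listing sites: name, runtime state, root app pool and bindings.
            foreach (Site s in mgr.Sites)
            {
                Console.WriteLine("{0} [{1}] pool={2}",
                    s.Name, s.State, s.Applications["/"].ApplicationPoolName);
                foreach (Binding b in s.Bindings)
                    Console.WriteLine("   {0} {1}", b.Protocol, b.BindingInformation);
            }

            // App pool creation: a pool of its own keeps this site's W3WP isolated
            // from other applications, and a built-in identity means no local
            // account or password to manage (cf. the built-in accounts slide).
            ApplicationPool pool = mgr.ApplicationPools["MyAppPool"];   // assumed name
            if (pool == null)
                pool = mgr.ApplicationPools.Add("MyAppPool");
            pool.ManagedRuntimeVersion = "v2.0";
            pool.ManagedPipelineMode = ManagedPipelineMode.Integrated;
            pool.ProcessModel.IdentityType = ProcessModelIdentityType.NetworkService;

            // Site creation: name, physical path and port; Add() creates the
            // http binding *:8081: for the site. All values are assumptions.
            if (mgr.Sites["MySite"] == null)
            {
                Site site = mgr.Sites.Add("MySite", @"C:\inetpub\mysite", 8081);
                site.Applications["/"].ApplicationPoolName = pool.Name;
            }

            mgr.CommitChanges();   // persists everything to applicationHost.config
        }
    }
}
```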
Summary
Something new for everyone in IIS 7.0: the most radical changes in IIS since IIS 4.0.
IIS 6.0 was…
• Limited for developers because of ISAPI and less-than-desirable support for managed code
• Limiting configuration for key scenarios, such as delegation and schema extensibility
• Limited troubleshooting capabilities to support zero-repro environments
IIS 7.0 is…
• Easy to extend using any language, native or managed
• Robust configuration supporting delegation, schema extensibility
• Task-oriented, newly re-written IIS Manager supporting delegation, and much more
• Awesome diagnostics natively built into the plumbing of IIS 7.0