WEEK 2 IIS 7

  • 8/9/2019 WEEK 2 IIS 7

    MSc. Carlos Peña

    TERM 2014-II Module: 1 Unit: 1 Week: 2

    e-BUSINESS TECHNOLOGY

    IIS 7: The Administrator’s Guide

    IIS6 Request Processing

    [Diagram labels: Authentication (Anon, NTLM, Basic); Determine Handler (CGI, Static File, ISAPI); Send Response (Log, Compress); ASP.NET; PHP]

    Monolithic implementation: install all or nothing…

    Extend server functionality only through ISAPI…

    IIS7 Request Processing

    [Diagram labels: Authentication (Anon, NTLM, Basic); Determine Handler (CGI, Static File, ISAPI); Send Response (Log, Compress). Pipeline stages: Authentication, Authorization, ResolveCache, ExecuteHandler, UpdateCache, SendResponse]

    Server functionality is split into ~40 modules...

    Modules plug into a generic request pipeline…

    Modules extend server functionality through a public module API.

    Many, Many Modules

    Install, manage, and patch only the modules you use…
    • Reduces attack surface
    • Reduces in-memory footprint
    • Provides fine grained control

    … replace core server components with custom components…

    Consistently install the same set of modules…

    Avoid:
    – 503 “Service Unavailable” [module is enabled but not installed]
    – Application doesn’t work as expected [web.config references a module that isn’t installed] [unexpected module conflicts with custom module]

    IIS6 ASP.NET Integration

    • Runtime limitations
    • Only sees ASP.NET requests
    • Feature duplication

    [Diagram labels: IIS6 pipeline: Authentication (Anon, NTLM, Basic); Determine Handler (CGI, Static File, ISAPI); Send Response (Log, Compress). aspnet_isapi.dll: Authentication (Forms, Windows); Map Handler (ASPX, Trace, …)]

    Replicate Content and Config

    • Main IIS configuration file (applicationHost.config)
      – Built-in “IUSR” account, no more machine-specific SIDs
      – Simple file copy, no command line tools required
      – …watch for machine-specific data like IPs and drive letters
    • IIS config in web.config, XCOPY with application

    Centralize Content and Config

    • IIS config in web.config, centralize on file server
    • File System:
      – Client Side Caching (CSC)
        • provides a local disk cache
      – Distributed File System Replication (DFSR)
        • abstracts multiple file servers to one share name
        • provides content replication

    Configuration moves to .config files…

    • Configure IIS and ASP.NET properties in the same file
    • Use locking to provide delegation
    • Built for simple, schema-based extensibility

    … welcome to a world of xcopy deployment…

    Configuration Layout

    [Diagram: root configuration files: machine.config (.NET Framework), root web.config (ASP.NET), applicationHost.config (IIS); web.config files (IIS + ASP.NET + .NET Framework); Inheritance…]

    Configuration Delegation

    • Delegation is:
      – Configuration locking, “overrideMode”
      – ACLs on configuration files
    • By default…
      – All IIS sections locked except:
        • Default Document
        • Directory Browsing
        • HTTP Header
        • HTTP Redirects
      – All .NET Framework / ASP.NET sections are unlocked

    Determine your configuration lockdown policy…

    – Be conservative at first
    – Unlock as necessary (locking later could break apps)

    Compatibility: ABO Mapper

    • Provides compatibility for:
      – scripts
      – command line tools
      – native calls into ABO
    • Not installed by default
    • Can only do what IIS6 could do…
      – Can’t read/write new IIS properties
        • Application Pools: managedPipelineMode, managedRuntimeVersion
        • Request Filtering
        • Failed Request Tracing
      – Can’t read/write ASP.NET properties
      – Can’t read/write web.config files
      – Can’t access new runtime data, e.g. worker processes, executing requests

    [Diagram labels: IIS6 ADSI Script; ABO Mapper; IISADMIN; applicationHost.config]

    Management Tools

    • Manage IIS and ASP.NET
    • View enhanced runtime data
      – worker processes, appdomains, executing requests
    • Manage delegation
    • Use whichever management tool suits your needs…
      – GUI: IIS Manager
      – Command Line: appcmd
      – Script: WMI (root\WebAdministration)
      – Managed Code: Microsoft.Web.Administration

    IIS Manager

    • Remotes over HTTP, making it firewall friendly (remoting is not installed by default)
    • Provides managed extensibility
    • Supports non-admin management of sites and applications

    Educate end users who publish their application and use IIS Manager to configure it…

    Scenario:

    – User publishes application
    – User changes app’s web.config using IIS Manager
    – User copies updated web.config to his local version of the application
    – Several days later, user re-publishes application

    ** modifications made to the app’s web.config using IIS Manager have just been blown away **

    Scripting: IIS6 WMI Provider

    Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")

    ' Create binding for new site
    Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_
    oBinding.IP = ""
    oBinding.Port = "80"
    oBinding.Hostname = "www.site.com"

    ' Create site and extract site name from return value
    Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")
    strSiteName = oService.CreateNewSite("NewSite", array(oBinding), "C:\inetpub\wwwroot")

    Set objPath = CreateObject("WbemScripting.SWbemObjectPath")
    objPath.Path = strSiteName
    strSitePath = objPath.Keys.Item("")

    Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'")
    oSite.Start

    ' Create the vdir for our application
    Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_
    oVDirSetting.Name = strSitePath & "/ROOT/bar"
    oVDirSetting.Path = "C:\inetpub\bar"
    oVDirSetting.Put_

    ' Make the VDir an application
    Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'")
    oVDir.AppCreate2 1

    [Callouts: Create Site; Create Virtual Directory; Create Application: NOT CONSISTENT]

    Scripting: new WMI Provider

    Set oService = GetObject("winmgmts:root\WebAdministration")

    ' Create binding for site
    Set oBinding = oService.Get("BindingElement").SpawnInstance_
    oBinding.BindingInformation = "*:80:www.site.com"
    oBinding.Protocol = "http"

    ' Create site
    oService.Get("Site").Create _
        "NewSite", array(oBinding), "C:\inetpub\wwwroot"

    ' Create application
    oService.Get("Application").Create _
        "/foo", "NewSite", "C:\inetpub\wwwroot\foo"

    [Callouts: Static Create methods: CONSISTENT]

    Coding: Microsoft.Web.Administration

    using System;
    using Microsoft.Web.Administration;

    ServerManager iisManager = new ServerManager();

    // List every worker process and the requests it is currently executing
    foreach (WorkerProcess w3wp in iisManager.WorkerProcesses) {
        Console.WriteLine("W3WP ({0})", w3wp.ProcessId);

        // 0 = no minimum elapsed time, so all in-flight requests are returned
        foreach (Request request in w3wp.GetRequests(0)) {
            Console.WriteLine("{0} - {1},{2},{3}",
                request.Url,
                request.ClientIPAddr,
                request.TimeElapsed,
                request.TimeInState);
        }
    }

    New Troubleshooting Features

    • Detailed custom errors, just like ASP.NET
    • Failed Request Tracing
      – No more ETW tracing and waiting for a repro…
    • New runtime data:
      – worker processes
      – appdomains
      – currently executing requests

    Failed Request Tracing

    • No-repro tracing for “failed requests”
    • Configure custom failure definitions per URL
      – Time taken
      – Status/substatus codes
      – Error level
    • Persist failure log files
    • Will it tell me what’s wrong?
      – Sometimes… for example, ACL issues
      – Look for clues
    • Can use for all requests to see what’s going on

    Summary

    Troubleshoot…
    – Use: Detailed Errors, Failed Request Tracing, Currently Executing requests

    Manage…
    – Manage IIS and ASP.NET through the same tools
    – Use ABO Mapper compatibility (not installed by default)
    – Determine configuration lockdown policy

    Deploy…
    – ~40 modules, install only what you need
    – Migrate to ASP.NET Integrated Mode
    – Easier centralization/replication

    New home for IIS Community!

    • TechCenter to easily find the info you need
    • Advice and assistance in Forums
    • Insider info on new technology (IIS7!)
      – Online labs, play with IIS7 in your browser

    Some upcoming IIS sessions…

    Today
    3:15 – 4:30 Chalktalk: Configuration Management of Web Platform

    Tomorrow
    8:30 – 9:45 IIS 7: Under the Hood for Web Request Tracing
    10:15 – 11:30 Chalktalk: Using Managed Code to Administer IIS 7
    1:00 – 2:15 Chalktalk: Introducing the New and Improved IIS Manager in IIS 7
    2:45 – 4:00 IIS 6: Effective Management of Web Farms
    4:30 – 5:45 IIS 6: Everything the Web Administrator Needs to Know about MOM

    Wednesday
    8:30 – 9:45 Chalktalk: Extending the IIS Manager Tool in IIS 7
    2:00 – 3:15 Chalktalk: IIS 6.0 Security: Setting the Record Straight
    4:45 – 5:00 Chalktalk: IIS and Microsoft.com Operations: Migrating IIS 6.0 to 64 bit
    5:30 – 6:45 Chalktalk: IIS 7 Q&A

    Fill out a session evaluation on CommNet and Win an XBOX 360!

    Additional Information

    Installation Options

    • Lots of components
    • Static server by default
    • [client] Use Windows Features
    • Replaces sysocmgr
    • File format is completely different
    • [client] Pick components, cannot set configuration

    Install, Migration, Upgrade

    • Install log: \Windows\IIS7.log
    • Uninstall
      – Stop services to avoid a reboot
      – Deletes configuration files, backup before uninstall
    • Migration: none for Vista, LH Server TBD…
    • Upgrade
      – All web and/or FTP components are installed, uninstall unnecessary components afterwards…
      – Application pools will be ISAPI mode, configured for no managed code => all ASP.NET requests will fail

    ASP.NET: Migration

    • Application Pools
      – ASP.NET Integrated mode by default
      – Configure to load a specific version of the .NET Framework
    • Integrated Mode
      – Different server environment for some pipeline notifications
        • e.g. request is not authenticated for BeginRequest
      – Handler and module configuration integrated with IIS
        • system.webServer/handlers, system.webServer/modules
      – Validation warns on httpHandlers, httpModules, or identity config
      – Remove “managedHandler” precondition on an ASP.NET module to have it execute for all content
    • ISAPI Mode
      – Can’t configure HTTP handlers and modules from the UI

    Replicating applicationHost.config

    • Will cause all application pools to recycle:
      – changes to default settings for all application pools
      – changes to the list
    • Will cause one application pool to recycle:
      – application pool settings
    • Use only RSA machine-encryption (default), replicate RSA machine key
      – http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx
    • Gotchas:
      – Machine-specific data, like IP addresses or drive letters
      – Servers must have same set of modules installed (reference to non-existent module in causes 503s)
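A pre-replication check for the gotchas above, as an added example that is not part of the original slides: it flags native modules enabled in the source applicationHost.config that the target server does not have installed, bindings tied to a specific IP address, and physical paths with a drive letter. The sample config, the module name CustomAuthModule and the target's module set are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed applicationHost.config from a hypothetical source server.
SOURCE = r"""<configuration>
 <system.applicationHost><sites><site name="NewSite" id="2">
  <application path="/"><virtualDirectory path="/" physicalPath="D:\sites\newsite" /></application>
  <bindings>
   <binding protocol="http" bindingInformation="10.0.0.15:80:www.site.com" />
   <binding protocol="http" bindingInformation="*:8080:" />
  </bindings>
 </site></sites></system.applicationHost>
 <system.webServer>
  <globalModules>
   <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
   <add name="CustomAuthModule" image="%windir%\System32\inetsrv\customauth.dll" />
  </globalModules>
  <modules>
   <add name="StaticFileModule" />
   <add name="CustomAuthModule" />
   <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
  </modules>
 </system.webServer>
</configuration>"""

def global_modules(config_xml):
    """Names registered under <globalModules>: the native modules installed on that server."""
    root = ET.fromstring(config_xml)
    return {a.get("name") for g in root.iter("globalModules") for a in g.findall("add")}

def replication_findings(config_xml, target_installed):
    """Check a config file before copying it to a server that has target_installed modules."""
    root = ET.fromstring(config_xml)
    # Native modules carry no "type" attribute; each one needs an installed global module.
    enabled = [a.get("name") for m in root.iter("modules")
               for a in m.findall("add") if a.get("type") is None]
    bindings = [b.get("bindingInformation") for b in root.iter("binding")]
    paths = [v.get("physicalPath") for v in root.iter("virtualDirectory")]
    return {
        "missing_modules": sorted(n for n in enabled if n not in target_installed),
        # bindingInformation is ip:port:host; "*" or an empty ip means all addresses.
        "ip_bound": [b for b in bindings if b.split(":")[0] not in ("*", "")],
        "drive_paths": [p for p in paths if re.match(r"[A-Za-z]:\\", p)],
    }

# Hypothetical target server that never had CustomAuthModule installed.
TARGET_INSTALLED = global_modules(SOURCE) - {"CustomAuthModule"}
print(replication_findings(SOURCE, TARGET_INSTALLED))
```

In practice the target's module set would come from running global_modules over the target server's own applicationHost.config.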

    Configuration Delegation

    • Two kinds of configuration locking:
      – overrideMode (similar to "allowOverride")
      – granular locking, e.g. lockItem, lockElements
    • By default…
      – All IIS sections locked (overrideMode=“Deny”) except:
        • Default Document, Directory Browsing, HTTP Header, HTTP Redirects, Validation
      – All .NET Framework / ASP.NET sections are unlocked
    • Determine your configuration lockdown policy
      – be conservative at first
      – unlock as necessary (locking later could break apps)
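One way to audit a lockdown policy against applicationHost.config, as an added example that is not part of the original slides: it reports every section that web.config files may override, either through its overrideModeDefault declaration or through a location element with overrideMode="Allow", and that the policy does not list. The sample config and the POLICY set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: delegation-related parts of an applicationHost.config.
SAMPLE = """<configuration>
 <configSections>
  <sectionGroup name="system.webServer">
   <section name="defaultDocument" overrideModeDefault="Allow" />
   <section name="handlers" overrideModeDefault="Deny" />
   <section name="staticContent" />
   <sectionGroup name="security">
    <section name="requestFiltering" overrideModeDefault="Deny" />
   </sectionGroup>
  </sectionGroup>
 </configSections>
 <location path="Default Web Site" overrideMode="Allow">
  <system.webServer><handlers /></system.webServer>
 </location>
</configuration>"""
# Assumed lockdown policy: the only sections web.config files may override.
POLICY = {"system.webServer/defaultDocument"}

def declared_sections(group, prefix=""):
    """Yield (section path, default mode); a missing overrideModeDefault means Allow."""
    for child in group:
        path = prefix + child.get("name", "")
        if child.tag == "sectionGroup":
            yield from declared_sections(child, path + "/")
        elif child.tag == "section":
            yield path, child.get("overrideModeDefault", "Allow")

def contains(elem, path):
    """True if elem holds the nested child elements named by a section path."""
    for name in path.split("/"):
        elem = next((c for c in elem if c.tag == name), None)
        if elem is None:
            return False
    return True

def unlocked_outside_policy(config_xml, policy):
    """Return sorted (section, scope) pairs that are unlocked but not in policy."""
    root = ET.fromstring(config_xml)
    sections = dict(declared_sections(root.find("configSections")))
    found = {(s, "default") for s, mode in sections.items() if mode == "Allow"}
    for loc in root.iter("location"):
        if loc.get("overrideMode") == "Allow":
            found |= {(s, loc.get("path", "")) for s in sections if contains(loc, s)}
    return sorted(f for f in found if f[0] not in policy)

print(unlocked_outside_policy(SAMPLE, POLICY))
```

Granular locks (lockItem, lockElements) and ACLs on the configuration files are outside what this check covers.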

    Configuration Schema

    • Use the schema file to see all config settings:
      %windir%\system32\inetsrv\config\schema\IIS_schema.xml
    • Schema describes:
      – property types
      – default values
      – validation
      – encrypted by default?

    note: config is case sensitive

    Appcmd – Viewing Config Schema

    C:\> appcmd list config /section:? | findstr system.webServer
    system.webServer/globalModules
    system.webServer/serverSideInclude
    system.webServer/httpTracing
    ...

    C:\> appcmd list config /section:directoryBrowse

    C:\> appcmd list config /section:directoryBrowse /config:*

    C:\> appcmd list config /section:directoryBrowse /text:*
    CONFIG
      CONFIG.SECTION: system.webServer/directoryBrowse
      path: MACHINE/WEBROOT/APPHOST
      overrideMode: Inherit
      [system.webServer/directoryBrowse]
        enabled:"true"
        showFlags:"Extension, Size, Time, Date"

    [Callouts: IIS sections – also try “system.web” and “system.applicationHost”; Shows attributes that aren’t set explicitly]

    Coding: Microsoft.Web.Administration

    • First managed code API for administering IIS
      – Same objects and functionality as WMI, appcmd
    • What about System.Configuration?
      – System.Configuration:
        • Strongly typed ASP.NET and .NET Framework config
      – Microsoft.Web.Administration:
        • Weakly typed IIS, ASP.NET, and .NET Framework config
        • Strongly typed IIS objects like Sites and Application Pools

    THANK YOU