IIS6 Web Services

Date posted: 19-Dec-2015
Category: Documents

Transcript of "IIS6 Web Services" (slide deck, 59 pages)

Page 1: IIS6 Web Services. Overview Application Platform Features Reliability Features Manageability Features Performance and Scalability Features Security Features.

IIS6 Web Services

Page 2: Overview

• Application Platform Features
• Reliability Features
• Manageability Features
• Performance and Scalability Features
• Security Features

Page 3: Application Platform Features

• Web Applications
• The Application Server Role
• Installing and Configuring the Application Server Role
• Configuring and Managing Your Server
• Adding and Removing Components

Page 4: Web Applications

A Web application is a collection of content accessed through hypertext protocols, for example:

• Static content Web site
• CGI scripts
• ASP pages
• ActiveX®/COM components
• ASP.NET pages
• .NET Web Services
• Components of multi-tier applications

Page 5: The Application Server Role

Combines specific interdependent functionality, termed the Web Application Server:

• Microsoft Internet Information Services (IIS) 6.0
• Active Server Pages (ASP)
• ASP.NET
• Component Object Model (COM+)
• Microsoft Data Engine (MSDE)
• Microsoft Message Queuing (MSMQ)

Page 6: The Application Server Role

The Application Server Role, which includes IIS 6.0 and other components, is not installed by default in Windows Server 2003. It can be installed through two interfaces:

• Configure Your Server / Manage Your Server wizards
• Add/Remove Programs, Add/Remove Windows Components

Page 7: Configure Your Server and Manage Your Server

The Web Application Server role can be added through Configure Your Server or Manage Your Server:

• Base components are automatically selected
• Additional components are installed based on choices made in the wizard

After the role is added, it can be managed through Manage Your Server.

Page 8: Configure Your Server / Manage Your Server

• Easy Web server setup
• Configures only the services required for the application

Page 9: Add/Remove Components

• Allows for more granular component selection (and the risk of incorrect component selection)

Page 10: Reliability Features

• Fault-tolerant architecture
  • HTTP stack (HTTP.sys)
  • Application pools
  • WWW Service
  • Worker processes (W3WP.exe)
• IIS 5.0 isolation mode
• Health monitoring
• Process recycling
• Crash detection and Rapid Fail Protection

Page 11: Fault-tolerant Architecture: Issues

Web sites and applications may contain flawed code, so the Web server needs to be an active manager of applications:

• Be fault tolerant (not crash on application failure)
• Monitor the health of Web sites and applications
• Actively recycle/restart processes
• Continue to queue requests
• Reliability without sacrificing performance

IIS 5.0:

• All requests ran through a single process (Inetinfo.exe)
• Out-of-process applications (dllhost.exe) were slow
• Application failures could crash the server and other applications

Page 12: Fault-tolerant Architecture: Solution

IIS 6.0 introduces a fault-tolerant process isolation architecture that isolates applications from each other and from the Web server. Core components:

• HTTP.sys: kernel-mode component for HTTP listening, routing, queuing, and caching
• Application pools: group sites and applications for easy management of process isolation
• WWW Service: configuration and server management, process health monitoring
• Worker processes (W3WP.exe): isolate Web site and application processing

Page 13: IIS 6.0 Fault-tolerant Architecture

(Diagram: HTTP.sys in kernel mode; the WWW Service and the W3WP.exe worker processes in user mode. Each application pool is served by its own W3WP.exe hosting the Web application; requests flow from HTTP.sys to the worker process and responses flow back.)

Page 14: HTTP Stack (HTTP.sys)

• HTTP stack with queuing and caching functions
• Runs in kernel mode
• Supports IPv4 and IPv6
• Does not load or run any Web site or application code
• Cannot be affected by application errors and failures
• Routes requests to IIS application pools based on URL mapping
• Text-based and binary logging

Page 15: HTTP Stack (HTTP.sys): Kernel-Mode Queuing

• HTTP.sys queues incoming HTTP requests
• Each queue supports a set of sites/applications
• Queue size can be set by the administrator
• If an application fails:
  • HTTP.sys continues to accept and queue requests until the application is restarted or the server is shut down
  • Once the application restarts, the queue is processed until it is empty
• Buffers clients from application errors
• Increases site and application availability

Page 16: Application Pools

Defines a set of Web applications managed together:

• Separated by process boundaries
• Served by one or more worker processes
• Requests are routed directly to the pool by HTTP.sys
• Not affected by sites and applications in other pools
• An application cannot be routed to another pool while it is being serviced by the current pool
• Applications can be assigned to different pools while the server is running

Page 17: Application Pools: Configuration

• Easy to create and manage
• Can configure up to 20,000 application pools per server

Page 18: WWW Service

Roles:

• Configures HTTP.sys
• Manages worker processes

Application code runs in separate worker processes:

• No application code runs in the WWW Service
• Requests do not route through the WWW Service
• Ensures Web server reliability
• Application errors cannot crash the Web server

Page 19: WWW Service: Configuration

At IIS 6.0 startup:

• Reads the metabase and initializes the HTTP.sys routing table
• Creates one entry for each URL-to-application-pool mapping
• Determines routing from request to worker process

As application pools and applications are added:

• Configures HTTP.sys to accept the new URL requests
• Sets up the request queues for the new application pools
• Indicates where the new URLs should be routed

Page 20: WWW Service: Process Management

During IIS 6.0 operation the WWW Service monitors processes and determines:

• when to start a worker process
• when to start additional worker processes
• when a worker process has failed or blocked
• when to recycle or restart a worker process

Requests continue to be queued while an application is being recycled, so process recycling is invisible to the client application.

Page 21: Worker Processes

• Responsible for handling Web requests for a set of sites and applications
• Each application pool is served by one or more worker processes
• Each worker process is self-contained:
  • Receives requests directly from HTTP.sys
  • Contains the Web request processing functionality
  • Loads ISAPI filters and extensions (ASP, ASP.NET, Microsoft FrontPage® Server Extensions)
• Delivers complete isolation from system components and other Web applications

Page 22: Worker Processes: Configuration

A worker process can be started as:

• Network Service (default)
• Local System
• Local Service
• Configured ID

Page 23: IIS 6.0 Fault-tolerant Architecture

(Diagram: the WWW Service, containing a Config Manager and a Process Manager, configures HTTP.sys and manages the worker processes; INETINFO holds the metabase. Application Pool 1 and Application Pool 2 each run one or more W3WP.exe worker processes (a pool with several is a Web Garden); a worker process loads ISAPI filters and ISAPI extensions (ASP, etc.), or the ASP.NET ISAPI with a CLR application domain.)

Page 24: Fault-tolerant Architecture: Benefits

• Dramatically increased reliability
• No server reboots
• Self-healing on application failure
• Increased scalability
• Simplified server administration

Page 25: IIS 5.0 Isolation Mode

Some applications may not work in the IIS 6.0 worker process isolation environment:

• Multiple-instance applications
• Session state persisted in-process
• Applications written as read-raw-data filters

IIS 6.0 can switch to IIS 5.0 isolation mode:

• Everything in user mode operates as in IIS 5.0
• IIS 5.0 methods of application isolation (low, medium [pooled], high)
• Inetinfo.exe is still the master process
• The HTTP.sys performance benefits are retained:
  • Kernel-mode request queuing
  • Kernel-mode caching

Page 26: Process Health Monitoring

Detects and recovers from thread deadlock. How does it work?

• Configurable time limit
• The WWW Service pings each worker process
• If there is no response within the time limit, the default action is:
  • Kill the process
  • Publish an event
  • Start a new process
• Or take a configured action instead ("orphaning")
• Other application pools keep running

(Diagram: the WWW Service in user mode pinging the W3WP.exe worker process that hosts the Web application; HTTP.sys in kernel mode.)

Page 27: Process Health Monitoring: Debug Action

Allows a custom action to be executed when a process fails to respond, for example:

• Send e-mail to the administrator
• Attach a debugger
• Take a process dump

The process is left running, though the WWW Service has dropped its process handle.

Page 28: Crash Detection and Rapid Fail Protection

The WWW Service detects a process crash. On failure:

• Publish an event to the event log
• Check the "crash count"
• If the crash count exceeds the maximum number of crashes allowed in the time limit, disable the application pool
• Else start a new process if there is demand

Rapid Fail Protection:

• Only allow x crashes in y minutes
• Return 503 errors when invoked
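The crash-count rule on this slide, as an added example (not code from the deck or from IIS itself): a small simulation of how the WWW Service would apply Rapid Fail Protection to one pool. The pool name, the limits of 5 crashes in 5 minutes, the "restart-on-demand"/"disabled" labels and the in-memory event list are assumptions for illustration; the comparison follows the slide's "crash count > max crashes" wording.

```python
"""Simulation of the Rapid Fail Protection logic described on this slide.

Added example, not code from the deck or from IIS. The pool name, the default
limits (5 crashes in 5 minutes), the outcome labels and the in-memory event
list are assumptions for illustration; times are seconds.
"""
from collections import deque


class AppPool:
    """One application pool as seen by the WWW Service's process manager."""

    def __init__(self, name, max_crashes=5, interval_minutes=5):
        self.name = name
        self.max_crashes = max_crashes          # "only allow x crashes ..."
        self.window = interval_minutes * 60     # "... in y minutes"
        self.crashes = deque()                  # timestamps of recent crashes
        self.disabled = False
        self.events = []                        # stands in for the event log

    def worker_crashed(self, now):
        """Crash detected at time `now`; returns what the WWW Service does next."""
        self.events.append(f"{now}: W3WP.exe for pool '{self.name}' crashed")
        self.crashes.append(now)
        # Forget crashes older than the RFP interval, then check the count.
        while self.crashes and now - self.crashes[0] > self.window:
            self.crashes.popleft()
        if len(self.crashes) > self.max_crashes:      # slide: count > max crashes
            self.disabled = True
            self.events.append(f"{now}: Rapid Fail Protection disabled pool '{self.name}'")
            return "disabled"
        return "restart-on-demand"   # a new worker starts on the next request

    def handle_request(self, now):
        """HTTP.sys still accepts the request; a disabled pool answers 503.

        `now` is accepted for symmetry with worker_crashed; the answer depends
        only on the pool state.
        """
        return 503 if self.disabled else 200


def simulate(crash_times, max_crashes=5, interval_minutes=5):
    """Feed a list of crash timestamps to one pool; return (pool, outcomes)."""
    pool = AppPool("DefaultAppPool", max_crashes, interval_minutes)
    return pool, [pool.worker_crashed(t) for t in crash_times]


if __name__ == "__main__":
    # Constructed scenarios: six crashes in under a minute trips RFP; the same
    # six spread 100 s apart never have more than four inside a 5-minute window.
    for label, times in [("tight", [0, 10, 20, 30, 40, 50]),
                         ("spread", [0, 100, 200, 300, 400, 500])]:
        pool, outcomes = simulate(times)
        print(label, outcomes[-1], "-> next request gets",
              pool.handle_request(times[-1] + 1))
```

Because HTTP.sys, not the worker process, owns the listening socket, the 503 from a disabled pool comes back immediately rather than as a connection failure. That is also the signal to watch for in monitoring: a pool that keeps tripping RFP is either buggy or is being crashed on purpose.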

Page 29: Manageability Features

• Configuration metabase
• XML metabase advantages
• Change configuration while running
• Metabase save options
• Metabase import/export
• Server configuration backup/restore
• Improved patch management
• IIS WMI provider
• Command line/script administration
• Web-based administration console
• Logging

Page 30: Configuration Metabase: Before IIS 6.0

Hierarchical store of IIS configuration information that enables:

• Inheritance
• Data typing
• Change notification
• Security

IIS 4.0/IIS 5.0 storage is a proprietary binary file, Metabase.bin, which is not easy to read or edit.

(Diagram: the Admin UI and the Active Directory Service Interface (ADSI) both go through the Admin Base Object to reach metabase.bin.)

Page 31: Configuration Metabase: IIS 6.0 XML Metabase

• Metabase now stored in XML, a plain text file
• Change configuration while the server is running
• Automatic backup with version control
• Application configuration exportable to and importable from a file
• Server-independent backups

(Diagram: the UI, WMI and ADSI all go through the Admin Base Objects to reach Metabase.xml and MBSchema.xml.)

Page 32: XML Metabase Advantages

Easier to:

• Diagnose metabase corruption
• Extend the existing metabase schema through XML
• Read/edit the current metabase configuration directly

Completely compatible with existing APIs and ADSI; existing binary metabases upgrade to XML cleanly.

Better performance/scalability:

• "Faster" read times than the IIS 5.0 binary metabase
• Equivalent write performance to the IIS 5.0 binary metabase

Page 33: Change Configuration While Running

• The metabase can be modified while IIS 6.0 is running
• To enable, select "Enable Direct Metabase Edit"
• Does not require a server restart
• Can use any text editor or scripting environment (Notepad, .NET, Perl, etc.)

Page 34: Metabase Save Options

Frequency:

• A save event is scheduled 60 seconds after the last change
• At the save event, if the number of writes since the first change exceeds 30, the save event is deferred 60 seconds
• If deferring continues, the metabase save occurs 5 minutes from the first change

What happens:

• Data is saved to Metabase.xml
• The WWW Service URL-to-application-pool tables are updated
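The three timing rules above are easy to misread, so here is an added example (not the deck's or IIS's own code) that replays a list of write timestamps through them and reports when each save would land. The constants come from the slide, as does the reading that the write count is measured since the first unsaved change; the function name and the workloads in the usage are assumptions.

```python
"""Replay of the IIS 6.0 metabase save-coalescing rules described on this slide.

Added example, not code from the deck or from IIS. Times are seconds.
"""

SAVE_DELAY = 60        # save scheduled 60 s after the last change
DEFER_DELAY = 60       # each deferral pushes the save event out another 60 s
WRITE_THRESHOLD = 30   # more than 30 writes since the first change => defer
MAX_DEFER = 300        # ... but never later than 5 minutes from the first change


def schedule_saves(write_times):
    """Return [(save_time, writes_flushed), ...] for a list of write timestamps."""
    writes = sorted(write_times)
    saves = []
    first = None      # time of the first write since the last save
    count = 0         # writes since `first`
    due = None        # currently scheduled save event, if any
    i = 0
    while i < len(writes) or due is not None:
        next_write = writes[i] if i < len(writes) else None
        # Fire the save event if it comes before (or together with) the next write.
        if due is not None and (next_write is None or due <= next_write):
            if count > WRITE_THRESHOLD and due < first + MAX_DEFER:
                # Busy: defer, but cap at 5 minutes from the first change.
                due = min(due + DEFER_DELAY, first + MAX_DEFER)
                continue
            saves.append((due, count))
            first, count, due = None, 0, None
            continue
        # Otherwise consume the next write and (re)schedule the save.
        t = writes[i]
        i += 1
        if first is None:
            first = t
        count += 1
        due = t + SAVE_DELAY
        if count > WRITE_THRESHOLD:
            due = min(due, first + MAX_DEFER)
    return saves


if __name__ == "__main__":
    # Constructed workloads: one edit; a short burst; a script hammering the
    # metabase with 40 writes in 40 seconds; two edits far apart.
    for label, times in [("single", [0]), ("burst", [0, 10, 20]),
                         ("hammer", list(range(40))), ("two", [0, 500])]:
        print(label, schedule_saves(times))
```

The practical point for operations: a provisioning script that issues hundreds of ADSI writes in a row will not see its changes on disk for up to five minutes, so a backup or a config export taken during that window can miss them.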

Page 35: Metabase Import/Export

Export/import metabase configuration to/from XML. Options include:

• Export/import inherited properties
• Export/import node only (or entire subtree)
• Password-encrypt the exported file

Page 36: Server Independent Backup/Restore

New capabilities in IIS 6.0:

• Backup with password
• Automatic backups

Page 37: UTF-8 Logging Support

• IIS 6.0 now supports writing log files in UTF-8 instead of ASCII or the local code page
• Configurable at the WWW service level

Page 38: Binary Logging

• Allows more than 10,000 sites to write to a single log file in a binary, non-formatted manner
• Improved performance because data does not need to be formatted
• Provides several scalability benefits, such as a reduction in the number of log file buffers needed
• Post-process the log file to extract the log entries
• Allows the use of custom tools to process binary log files
• The format of the log entries and of the file is published

Page 39: Logging of HTTP Substatus Codes

IIS returns substatus codes for specific types of problems. For example, a request cannot be served because the required application has not been unlocked (for example, ASP by default on clean installations):

• The client receives a 404 error
• IIS actually generates a 404.2 error

These errors are now logged to the W3C and binary log files.
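To see what the substatus column buys you in practice, here is an added example (not the deck's or IIS's code) that parses W3C extended log lines carrying sc-status and sc-substatus and pulls out the 404.2 lockdown refusals described above. The log lines are constructed for the example: the field list mirrors the W3C format, but the hosts, URIs and sc-win32-status values are invented, not captured from a real server.

```python
"""Parse IIS 6.0 W3C extended log lines and summarise status.substatus pairs.

Added example, not code from the deck or from IIS. SAMPLE_LOG is constructed:
the fields mirror the W3C format IIS writes, but the hosts, URIs and values
are invented for illustration.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-03-01 10:00:01 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2004-03-01 10:00:02 10.0.0.5 GET /login.asp - 80 - 192.0.2.10 Mozilla/4.0 404 2 1260
2004-03-01 10:00:03 10.0.0.5 GET /cgi-bin/test.cgi - 80 - 192.0.2.10 Mozilla/4.0 404 2 1260
2004-03-01 10:00:04 10.0.0.5 GET /missing.htm - 80 - 192.0.2.99 Mozilla/4.0 404 0 2
"""

# The slide's example: 404.2 means the handler for the request is locked down.
LOCKDOWN = ("404", "2")


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the directive may repeat mid-file
            continue
        if not line or line.startswith("#"):
            continue                            # other directives / blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                            # skip lines we cannot map
        records.append(dict(zip(fields, values)))
    return records


def substatus_summary(records):
    """Count requests per 'status.substatus', e.g. {'404.2': 2}."""
    return dict(Counter(f"{r['sc-status']}.{r['sc-substatus']}" for r in records))


def lockdown_hits(records):
    """(client IP, URI) for requests refused because the handler is locked down."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in records
            if (r["sc-status"], r["sc-substatus"]) == LOCKDOWN]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(substatus_summary(recs))
    for ip, uri in lockdown_hits(recs):
        print(f"locked-down handler requested: {ip} -> {uri}")
```

The client sees a plain 404 for both the second and the fourth line; only the substatus separates a probe for .asp and .cgi handlers (refused by the lockdown policy) from a genuinely missing file, so a burst of 404.2 from one client address is worth alerting on.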

Page 40: Performance and Scalability Features

• Kernel-mode caching
• Resource accounting and Quality of Service (QoS)
• Site scalability
• Idle timeout and demand start
• ASP.NET and IIS 6.0 integration

Page 41: Kernel-mode Caching

Cached responses are served straight from HTTP.sys:

• Can double speed
• No user-mode transition
• Applications will not see requests if they are served from the cache
• Static and dynamic content
• Smart caching

(Diagram: a request enters through the network stack and the HTTP.sys cache in kernel mode; only on a cache miss does it cross into user mode to W3WP.exe (IIS 6.0) and the ASP.NET/CLR user application, whose response is returned through HTTP.sys.)

Page 42: Web Gardens and Processor Affinity

Web Gardens:

• Application pool with multiple worker processes
• Connection-based routing within the garden

Processor affinitization:

• Bind processes to one or more CPUs
• Mask-based configuration

(Diagram: HTTP.sys routes requests to a Web Garden application pool, managed by the WWW Service, whose worker processes each load ISAPI extensions and ISAPI filters.)

Page 43: Resource Accounting and Quality of Service (QoS)

Ensures that components or content do not monopolize server resources:

• Allows the administrator to control the resources used by sites, application pools, the WWW service, and so on
• Ensures the quality of service that other services/sites/applications on the system receive by limiting the resources consumed by particular Web sites/applications, and/or the WWW service itself

QoS features:

• Connection limits
• Connection timeouts
• Application pool queue length limits
• Bandwidth throttling
• Process accounting
• Memory-based recycling

Page 44: Site Scalability

• Targeting many thousands of sites per machine; the current suggested maximum is 20,000 sites
• Re-architected startup/shutdown routines for lazy site initialization
• Centralized, binary logging: option to have one central log file per computer rather than tens of thousands when doing dense hosting

Page 45: Other Platform Improvements

• 64-bit support: code base compiled for 32-bit and 64-bit platforms
• Internet Protocol version 6 (IPv6) support: production-ready IPv6 stack; if the IPv6 protocol stack is installed, IIS 6.0 will automatically handle HTTP requests that arrive over IPv6
• Granular compression: on a congested network it is useful to compress responses. In IIS 5.0, compression was an ISAPI filter and could only be enabled for the whole server; IIS 6.0 allows file-level compression

Page 46: Security Features

• Locked down by default
• Multiple levels of security
• Unlocking functionality
• Application isolation
• Network Service account
• SSL v3 improvements
• Configurable worker process ID
• Passport authentication
• Windows Server 2003 authorization framework
• Constrained delegated authentication
• FTP security features

Page 47: Locked Down By Default

• IIS is not installed by default on install or upgrade (except on Windows Server 2003, Web Edition)
• When initially installed, only requests for static content are allowed by default
  • For example: HTML, text, .jpg, .bmp
  • No ASP, ASP.NET, CGI, or other dynamic content is allowed (unless ASP or ASP.NET has been installed)
• Aggressive, secure default timeouts
• Additional content types must be specifically enabled
• Group Policy can be used to prevent IIS installs on workstations or inappropriate servers

Page 48: Multiple Levels of Security

• IIS only serves recognized file extensions; unrecognized extensions are refused
• File verification: the server verifies that the content exists before handing the request to the request handler (ISAPI extension)
• Buffer overflow protection: the worker process detects a buffer overflow and exits the program
• Command-line tools are inaccessible to Web users
• Upload data limitations defined by administrators

Page 49: Multiple Levels of Security

• Write-protected content: anonymous users cannot modify content
• Access Control List (ACL) settings on:
  • Command line files
  • Content
  • Log files
  • Custom error directory
  • Cache directories
• No executable virtual directories such as /SCRIPTS and /MSADC

Page 50: Unlocking Functionality

In the default install, the administrator must manually enable:

• ISAPI
• CGI
• ASP
• ASP.NET
• FPSE
• WebDAV
• Server Side Includes

Enable using the command line, a script, or the GUI.

Page 51: Application Isolation

One IIS 6.0 server can securely host many Web sites and applications. Application pools provide the unit of isolation, which is achieved through:

• Configurable worker process identity
• Bandwidth and CPU throttling
• Memory-based recycling

Page 52: Configurable Worker Process Identity

Each worker process can be run as:

• Network Service
• Local System
• Local Service
• Configured ID

IIS_WPG: a new user group; the IIS resource ACLs are configured for this group.
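The two settings a reviewer checks first on an IIS 6.0 box are the ones from Page 50 (which Web service extensions have been unlocked) and this page (which identity each pool runs under). Both live in Metabase.xml, so here is one added example serving both passages (not the deck's or IIS's code) that audits a metabase fragment for them. The fragment is constructed: the element and attribute names follow the IIS 6.0 metabase schema (IIsWebService/WebSvcExtRestrictionList, IIsApplicationPool/AppPoolIdentityType, WAMUserName, with identity codes 0 = LocalSystem, 1 = LocalService, 2 = NetworkService, 3 = SpecificUser), but the pool names, paths and values are invented, and the assumed layout of each restriction-list entry is "allowed,path,deletable,group id,description".

```python
"""Audit a Metabase.xml fragment for unlocked Web service extensions and
application-pool identities.

Added example, not code from the deck or from IIS. SAMPLE_METABASE is a
constructed fragment: element and attribute names follow the IIS 6.0 metabase
schema, but pool names, paths and values are invented. Assumed entry layout of
WebSvcExtRestrictionList: "<allowed>,<path>,<deletable>,<group id>,<description>".
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC"
    WebSvcExtRestrictionList="0,*.dll
        0,*.exe
        1,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,0,ASP,Active Server Pages
        0,C:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\aspnet_isapi.dll,0,ASP.NET v1.1.4322,ASP.NET v1.1.4322
        1,C:\\WINDOWS\\system32\\inetsrv\\httpext.dll,0,WEBDAV,WebDAV"
/>
<IIsApplicationPools Location="/LM/W3SVC/AppPools" AppPoolIdentityType="2" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/ShopPool"
    AppPoolIdentityType="3" WAMUserName="CONTOSO\\svc-shop" />
</MBProperty>
</configuration>
"""

# AppPoolIdentityType values from the IIS 6.0 metabase schema.
IDENTITY = {"0": "LocalSystem", "1": "LocalService",
            "2": "NetworkService", "3": "SpecificUser"}


def _local(tag):
    return tag.rsplit("}", 1)[-1]   # strip the XML namespace


def audit(xml_text):
    """Return (unlocked extension groups, {pool name: effective identity})."""
    root = ET.fromstring(xml_text)
    nodes = {el.get("Location"): el for el in root.iter() if el.get("Location")}

    # Each list entry starts with "0," (prohibited) or "1," (allowed); the XML
    # parser folds the line breaks into spaces, so split on that prefix.
    raw = nodes["/LM/W3SVC"].get("WebSvcExtRestrictionList", "").strip()
    unlocked = []
    for entry in re.split(r"\s+(?=[01],)", raw):
        parts = entry.split(",")
        group = parts[3] if len(parts) > 3 else parts[1]   # "*.dll" has no group
        if parts[0] == "1":
            unlocked.append(group)

    # Pool identity: explicit on the pool, else inherited from /LM/W3SVC/AppPools
    # (metabase inheritance), else the schema default of NetworkService.
    inherited = nodes["/LM/W3SVC/AppPools"].get("AppPoolIdentityType", "2")
    pools = {}
    for loc, el in nodes.items():
        if _local(el.tag) != "IIsApplicationPool":
            continue
        code = el.get("AppPoolIdentityType", inherited)
        ident = el.get("WAMUserName", IDENTITY[code]) if code == "3" else IDENTITY[code]
        pools[loc.rsplit("/", 1)[-1]] = ident
    return unlocked, pools


def findings(xml_text):
    """Plain-text findings a reviewer would raise from the audit."""
    unlocked, pools = audit(xml_text)
    out = [f"pool {n} runs as LocalSystem; use Network Service or a configured ID"
           for n, ident in pools.items() if ident == "LocalSystem"]
    for group in ("WEBDAV", "ASP"):
        if group in unlocked:
            out.append(f"extension group {group} is unlocked; confirm a site needs it")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_METABASE):
        print(line)
```

Reading the file directly is only safe as an audit: the slide on save options explains that on-disk Metabase.xml can lag live configuration by minutes, so a change must go through ADSI, WMI or the GUI, and a LocalSystem pool found here defeats every ACL the deck describes, because that identity is not confined by the IIS_WPG group at all.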

Page 53: Network Service Account

New built-in account with very few privileges:

• Adjust memory quotas for a process
• Generate security audits
• Log on as a service
• Replace a process level token
• Impersonate a client after authentication
• Allow log on locally
• Access this computer from the network

Provides additional security because worker processes have few rights.

Page 54: SSL Improvements

• Performance: faster and more scalable than IIS 5.0
• Remotable certificate object: in IIS 5.0, SSL certificates could not be managed remotely because the CSP is not remotable; CertObject allows remote certificate management
• Selectable Cryptographic Service Provider: enables easy selection of third-party Crypto API (CAPI) providers and hardware SSL accelerators

Page 55: SSL Improvements

• The SSL stream filter is hosted in the LSASS.exe process (can give up to 25% throughput gains under SSL load)
• Aggressive SSL thread pool
• Significant performance work on multiprocessor machines: increases of up to 2X for some workloads on 8-processor computers

Page 56: Microsoft Passport Authentication

• Integrated with Windows Server 2003
• Can assign permissions to resources with Passport accounts
• Map Passport credentials to Microsoft Active Directory® accounts

Page 57: Windows Server 2003 Authorization Framework

The IIS 5.0 authorization model is resource-ACL based:

• Object-oriented permissions
• Web applications are operation/task-driven, not object-driven
• The application had to provide operation/task access control itself

IIS 6.0 extends the Windows Server 2003 authorization framework:

• URL-specific authorization
• Authorization Manager
• Application-specific access

Page 58: FTP Security Features

• IIS 6.0 isolates users into their own directories
• Locks the user's FTP session to a directory under the FTP root
• Authenticates using a local or domain account:
  • Using an Active Directory account
  • Using a local account
  • Anonymous access with user isolation

Page 59: FTP Security Features

Isolation levels:

• Compatibility / no isolation
• Small business / stand-alone isolation
• Enterprise isolation using Active Directory integration