Satisfy Your Technical Curiosity

1
Satisfy Your Technical Curiosity

• 27, 28 29 March 2007
• International Convention Center (ICC)
• Ghent, Belgium

2
An Administrators Guide toInternet Information
Services 7.0

• David Lowe
• Senior Product Manager
• Windows Server

3
IIS7 For Administrators

• Improved Security
• Reduced attack surface at installation and
  runtime
• Automatic application pool sandbox
• Easier to Mange
• Efficient, feature-focused administration tool
• Delegated site configuration for site owners
  devs
• New command line tools for IIS7 management
• Increased Uptime with Rapid Troubleshooting
• Detailed errors
• Built in failed request tracing
• Support for Web Farms with shared configuration

4
Lower Infrastructure Support Costs

• Delegate Management to Site Owners
• Manage with Remote Administration Tool
• Supports Vista, Windows 2003, XP
• Secure, firewall-friendly connection over
  HTTP/SSL
• Authenticates both Windows and non-Windows
  credentials
• New WMI .NET API Microsoft.Web.Administration
• Rapidly Resolve Support Issues
• New APIs expose all runtime diagnostic
  information
• Preconfigure automatic tracing for all failed
  request
• Automate Complex Tasks in .NET or VBscript
• Powerful command-line support AppCmd.exe
• Full Windows PowerShell support

5
Fully Customizable

• Easily Customize IIS for Your Datacenter
• Flexible, modular server
• Built on public extensibility APIs
• C/C and .NET Web server extensibility
• Add / remove / replace logging, authentication,
  or any IIS module
• Differentiate Your Web Presence
• Build and host custom core server modules
• Extend IIS configuration and administration stack
• Build powerful new Site administration features

6
Modular Architecture

• Reduced default installation
• Smaller attack surface by default
• Install Only What Your Infrastructure Requires
• 40 setup components to choose from
• Patch only the modules you install
• Conserve Runtime Resources
• Reduce worker processes memory
• Reduce number of intra-process events
• Add or replace modules to provide custom features

7
SERVER manager
8
Security by Default

• Built in Anonymous User Account
• IUSR account is no long a local account
• Improves ability to replicate and restore content
• URL Filtering prevents suspicious request from
  being serviced
• Hide folder like \bin from access
• Configurable rules under your control
• Use .NET role and membership providers
• Enable Forms authentication for any content

9
Enhanced Process Model

• Sandbox Applications on Shared Server
• Process isolation for each new site by default
• Automatic identity isolation for each new AppPool
• Separate, scoped config file for each
  AppPoolcreated at run-time
• Additional Sandboxing actions
• Change Anon user for each site
• Tune permissions on site and common content
  locations

10
Rich Administration Tools

• Intuitive Redesign for IIS Manager
• Rewritten to be more task-oriented
• Context sensitive Actions pane
• Tabs are replaced with Icons
• Allows IIS and ASP.NET configuration
• Completely extensible, written in WinForms
• Write Scripts to Automate Complex Tasks
• .NET API Microsoft.Web.Administration
• Use with Windows Powershell!
• Use VBscript/Jscript against a new WMI Provider
• Easily Administer from the Command Line
• One consolidated tool AppCmd.exe

11
New IIS7 Manager

• Remotes over HTTP, making it firewall friendly
• (Note Remote management is not installed by
  default)
• Supports delegated management of sites and
  applications by non-admins
• Provides managed extensibility for customization

12
IIS Manager
13
Delegated Remote Administration

• Delegate Management to Site Owners
• Allows delegate to change specific settings
  without elevated privileges
• Web.config files contain site configuration
  elements
• XCopy deploy configuration and content
• Granular control over delegated config sections
  allows precise locking
• Example Delegate control on all authentication
  methods except Basic
• Manage Remotely Without Machine Privileges
• Remote Administration from Vista, Windows Server
  2003 XP
• Secure, firewall-friendly connection over
  HTTP/SSL
• Authenticates both Windows and non-Windows
  credentials
• Fully customizable
• Supports auto-deployment of new Administration
  features from server-gtclient

14
Delegated administration
15
IIS6 Architecture - Request Processing
Monolithic implementationInstall all or nothing
Authentication
NTLM
Basic
Anon

Determine Handler
CGI
Static File
ASP.NET
ISAPI
PHP

Send Response
Extend server functionality only through ISAPI
Log
Compress
16
IIS7 Architecture - Request Processing
Server functionality is split into 40 modules...
Authentication
Authentication
NTLM
Basic
Anon
Authorization

Modules plug into a generic request pipeline
ResolveCache
Determine Handler
CGI

Static File
ExecuteHandler
Modules extend server functionality through a
public module API.
ISAPI


UpdateCache
Send Response
SendResponse
Log
Compress
17
IIS6 ASP.NET Integration

• ISAPI-based Implementation
• Only sees ASP.NET requests
• Feature duplication

Authentication
NTLM
Basic
Anon

Determine Handler
CGI
Static File
ISAPI

Send Response
Log
Compress
18
IIS7 ASP.NET Integration
Basic

• Two Modes
• Classic (runs as ISAPI)
• Integrated Mode
• .NET modules / handlers plug directly into
  pipeline
• Process all requests
• Full runtime fidelity

Anon
Authentication
Authorization
ResolveCache
aspnet_isapi.dll

Static File
Authentication
ExecuteHandler
Forms
Windows


ISAPI
ASPX
UpdateCache
Map Handler
Trace
SendResponse
Compress


Log
19
ASP.NET Migration

• Application Pools
• ASP.NET Integrated mode by default
• Configure to load a specific version of the .NET
  Framework
• Integrated Mode
• Different server environment for some pipeline
  notifications
• e.g. request is not authenticated for
  BeginRequest
• Handler and module configuration integrated with
  IIS
• system.webServer/handlers, system.webServer/module
  s
• Validation warns on httpHandlers, httpModules, or
  identity config
• Remove managedHandler precondition on an
  ASP.NET module to have it execute for all content
• Classic Mode (i.e. ISAPI Mode)
• Cant configure HTTP handlers and modules from
  the UI

20
Migrating to Integrated ASP.NET

• Handler and module configuration settings have
  moved
• system.web/httpHandlers ? system.webServer\handler
  s
• system.web/httpModules ? system.webServer\modules
• Watch for module conflicts in request processing
• Setting the managedHandler precondition for a
  module means execute only for ASP.NET requests

21
Migration to integrated asp.net
22
IIS 6.0 ArchitectureCommon Pool Identity
1 Application PoolID Network Service
2 Application Pool ID Network Service
3 Application PoolID Network Service
W3WP.exe
W3WP.exe
W3WP.exe
SVCHOST.exe
INETINFO.exe
W3Core
W3Core
W3Core
W3SVC
metabase
ASP.net Apps
ASP.net Apps
ASP.net Apps
ftp, smtp, nntp
.Net App Domain
.Net App Domain
.Net App Domain
.Net App Domain
.Net App Domain
.Net App Domain
W3 Config Mgr
W3 Process Mgr
.Net App Domain
.Net App Domain
.Net App Domain
User mode
Kernel mode
HTTP.SYS
23
IIS 7.0 ArchitectureApplication Pool Isolation
1 Application PoolID SidforPool3
2 Application PoolID SIDforPool2
3 Application PoolID SIDforPool3
W3WP.exe
W3WP.exe
W3WP.exe
IISADMIN
WAS
IISCore
IISCore
IISCore
modules
modules
modules
metabase
ASP.net Apps
ASP.net Apps
ASP.net Apps
.Net App Domain
.Net App Domain
.Net App Domain
.Net App Domain
.Net App Domain
.Net App Domain
.Net App Domain
.Net App Domain
.Net App Domain
ftp, smtp, nntp
3.config
1.config
2.config
Application Pools can only read their config
User mode
Kernel mode
HTTP.SYS
24
Powerful Diagnostic Capabilities

• View Detailed Errors in the Browser
• New errors provide prescriptive guidance
• Access All Runtime State Info in Real-Time
• New APIs expose all runtime diagnostic
  information
• Ex. See all currently executing requests
• Rapidly Troubleshoot Faulty Applications
• Define failures triggers by error code or time
  taken
• Configurable per application or URL
• Resulting Failed Request log is chronicle of
  events for the failed request
• Quickly identify bottlenecks
• Developers can add custom events

25
IIS Configuration Moves to .config Files

• Main IIS configuration file is now
  applicationHost.config
• No more metabase.bin or metabase.xml files!
• Configure IIS and ASP.NET properties in the same
  file
• Built for simple, schema-based extensibility

26
Replicate Content and Configuration

• Welcome to a world of XCOPY deployment!
• Replicating IIS configuration in
  applicationHost.config
• Built-in Internet User account, no more machine
  specific SIDs
• Simple file copy, no command line tools required
• Watch for machine specific information like IPs
  and drive letters
• Replicating IIS configuration in web.config
  files
• XCOPY with application

27
Configuration Layout
IIS ASP.NET .NET Framework
Inheritance
IIS
ASP.NET
applicationHost.config
web.config
.NET Framework
\Windows\system32\inetsrv\applicationHost.config
root web.config
\Windows\Microsoft.NET\Framework\v2.0.50727\config
\web.config
machine.config
\Windows\Microsoft.NET\Framework\v2.0.50727\config
\machine.config
web.config files
root configuration files
28
Centralize Content and Configuration

• IIS configuration in web.config files can be
  centralized on a file server
• The Vista/Longhorn File Systems provide
• Client Side Caching (CSC)
• Provides a local disk cache
• Distributed File System Replication (DFSR)
• Abstracts multiple file servers to one share name
• Provides content replication

29
Shared Web Server Configuration

• Powerful, XML-file based Management
• Metabase.xml is replaced with Applicationhost.conf
  ig
• Easily copy configuration from server to server
• Use environment variables to abstract physical
  paths
• Administer changes and state managed code,
  Powershell, WMI, or IIS Manager
• All web servers can use a single configuration
  file
• Designate master IIS configuration on central
  UNC share
• Quickly XCopy Deploy Apps Preconfigured
• Distributed Web.config files live with content
• Contains both IIS and ASP.NET configuration
• Can be local or remote UNC path

30
IIS7 Management Tools
GUI Command Line Script Managed Code
IIS Manager appcmd WMI (root\WebAdministration) Wi
ndows PowerShell Microsoft.Web.Administration

• Manage IIS and ASP.NET simultaneously
• View enhanced runtime data
• worker processes, appdomains, executing requests
• Use whichever management tool suits your needs!

31
Appcmd Listing and Filtering
C\gt appcmd list sites SITE "Default Web Site"
(id1,bindingsHTTP/80,stateStarted)SITE
"Site1" (id2,bindingshttp/81,stateStarted)S
ITE "Site2" (id3,bindingshttp/82,stateStoppe
d) C\gt appcmd list requests REQUEST
"fb0000008000000e" (urlGET /wait.aspx?time10000,
time4276 msec,clientlocalhost) C\gt appcmd
list requests /apppool.nameDefaultAppPool C\gt
appcmd list requests /wp.name3567 C\gt appcmd
list requests /site.id1
Filter results by application pool, worker
process, or site
32
IIS 7 and Windows Server

• Distributed File System
• Transactional File System
• High performance TCP/IP layer
• Virtualization
• New clustering features
• Differential file copy over UNC

33
Windows Web Server

• Revamped Web SKU
• 64-bit version
• Greater technical capacity
• SQL install now allowed
• No Artificial Hardware Limitations
• 4 processors and 4GB of RAM
• 32GB of RAM on x64 version
• Supports More Web Application Scenarios
• SQL Server allowed for local Web applications
• Full use rights for IIS, ASP.NET .NET FX 3.0
• Includes Windows SharePoint Services 3.0
• Includes Only Components Relevant to Hosting
• Reduced surface area for patching

34
Summary

• More secure than ever
• Modular design results allow
• Reduced installation footprint
• Customized, streamlined servers
• Application Pools are Sandboxed by default
• Easier to manage
• Redesigned IIS Manger
• Easier to use while allowing more control
• Remote administration over https
• Delegate authority over configuration
• Your choice of powerful management tools
• Increase uptime with
• Prescriptive error messages
• Built in failed request tracing
• Improved web farm support with shared
  configuration

35
(No Transcript)