Securing and Tuning IIS7 Microsoft® Hosting Deployment Accelerator

Mar 30, 2015

Alden Airey
Page 1

Securing and Tuning IIS7
Microsoft® Hosting Deployment Accelerator

Page 2

What We’ll Cover

IIS7 Performance
  New IIS7 Performance Features
  Tuning IIS7

IIS7 Security
  Reduced Attack Surface
  Architectural Changes
  New Security Features

Windows Server Core
  Get both performance and security benefits

Page 3

IIS7 Performance Improvements

Kernel mode SSL and Windows authentication
  Performance improvements up to 150%

More powerful compression
  For static and dynamic content

Output caching
  Per URL, query string and/or request headers
  APIs for putting responses in the output cache

Improved scalability
  Host thousands of sites

FastCGI
  Great way to run PHP on IIS

Page 4

CGI vs. FastCGI

demo

Page 5

IIS7 Tuning Tips

Enable Output Caching for semi-dynamic pages

Low bandwidth Branch Offices?
  Enable Dynamic Compression (~ 5% CPU overhead)

Need to run many web apps on a single box?
  Run IIS worker processes in Wow64 mode
  Room for the OS, scalability for your web apps
  Now a per-AppPool setting: Enable32BitAppOnWow64

Thinking about buying new Web Server hardware?
  W2K8 scales extremely well on new multi-proc boxes (4 and 8 core)

Page 6

IIS7 Tuning Tips

Thousands of requests per second?
  Remove modules you don’t need

Don’t know why some pages are so slow?
  Turn on FREB and the “time-taken” feature to investigate

You * scriptmapped all requests to ASP.NET in IIS6?
  Integrated Pipeline is much faster than an IIS6 * scriptmap solution
  Try together with IIS7 URL Authorization

Page 7

IIS7 Tuning Tips

PHP applications?
  PHP on top of FastCGI is much faster than traditional CGI

The majority of your requests go to your Default Document?
  Put it on top of the list – otherwise IIS7 has to check every time
  Static default documents will be cached in kernel-mode (+450%)

Looking for tools to measure web server performance?
  Try WCAT 6.3 from www.iis.net/downloads
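Pages 5 to 7 are a list of tips rather than a walkthrough, so here is a site-level web.config, added as an example (it is not from the deck or from Microsoft), that applies them in one place: an output-caching profile for semi-dynamic PHP pages, static and dynamic compression, the default document ordered so the common case is probed first, PHP mapped to FastCGI instead of classic CGI, and Failed Request Tracing keyed on time-taken. The .php extension, the 30-second cache window, the 5-second slow-request threshold and the php-cgi.exe path are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the deck): site-level web.config applying the
     tuning tips. Extensions, durations, thresholds and paths are assumed. -->
<configuration>
  <system.webServer>

    <!-- Output caching for semi-dynamic pages: each distinct query string gets
         its own cached copy of a .php response for 30 seconds. The kernel
         (HTTP.SYS) cache stays enabled for static content; keeping these
         dynamic responses in the user-mode cache only is an assumed choice so
         per-query-string entries do not crowd out static files. -->
    <caching enabled="true" enableKernelCache="true">
      <profiles>
        <add extension=".php"
             policy="CacheForTimePeriod"
             kernelCachePolicy="DontCache"
             duration="00:00:30"
             varyByQueryString="*" />
      </profiles>
    </caching>

    <!-- Dynamic compression for low-bandwidth clients (the deck quotes roughly
         5% CPU overhead); compressed static files are cached on disk. -->
    <urlCompression doStaticCompression="true" doDynamicCompression="true" />

    <!-- Default document: list the file most requests resolve to first, so IIS
         finds it on the first probe instead of walking the whole list. -->
    <defaultDocument enabled="true">
      <files>
        <clear />
        <add value="index.php" />
        <add value="index.html" />
      </files>
    </defaultDocument>

    <!-- PHP through FastCGI rather than classic CGI. The php-cgi.exe path must
         also be registered under system.webServer/fastCgi in
         applicationHost.config (server level), and the handlers section may
         need unlocking there before a site can add a mapping. -->
    <handlers>
      <add name="PHP_via_FastCGI" path="*.php" verb="*"
           modules="FastCgiModule"
           scriptProcessor="C:\php\php-cgi.exe"
           resourceType="Either" />
    </handlers>

    <!-- Failed Request Tracing (FREB) keyed on time-taken: any request to this
         site that takes longer than 5 seconds produces a trace, whatever its
         status code. Tracing must also be switched on for the site in
         applicationHost.config (traceFailedRequestsLogging) before this fires. -->
    <tracing>
      <traceFailedRequests>
        <add path="*">
          <traceAreas>
            <add provider="WWW Server"
                 areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module"
                 verbosity="Verbose" />
          </traceAreas>
          <failureDefinitions timeTaken="00:00:05" />
        </add>
      </traceFailedRequests>
    </tracing>

  </system.webServer>
</configuration>
```

The trace output (one XML file per slow request) records the time spent in each module, which is what answers the "why is this page slow" question; the time-taken field in the W3C log tells you that a page is slow, the trace tells you where.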

Page 8

Output Caching

demo

Page 9

IIS7 Security

Building upon a solid foundation - IIS6

Reduced Attack Surface
  Server Core
  Componentization

Application Pool Isolation and other architectural changes

Security Features
  Request Filtering
  URL Authorization

Page 10

IIS7 Installable Components

Http Protocol Support
  RequestFilteringModule
  ProtocolSupportModule
  OptionsVerbModule
  HttpRedirectionModule

Logging and Diagnostics
  HttpLoggingModule
  CustomLoggingModule
  RequestMonitorModule
  TracingModule

Configuration and Metadata Caches
  TokenCacheModule
  UriCacheModule
  SiteCacheModule
  FileCacheModule

Core Web Server
  DirectoryListingModule
  CustomErrorModule
  DynamicCompressionModule
  StaticCompressionModule
  StaticFileModule
  DefaultDocumentModule
  HttpCacheModule

AuthN/AuthZ
  BasicAuthModule
  DigestAuthModule
  WindowsAuthModule
  CertificateAuthModule
  AnonymousAuthModule
  FormsAuthModule
  UrlAuthorizationModule

Extensibility
  ISAPIModule
  ISAPIFilterModule
  CGIModule
  ServerSideIncludeModule
  ManagedEngineModule
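The page 6 tip "Remove modules you don't need" and the component list above go together: every module in the list is a separate entry in applicationHost.config and can be taken out of the pipeline where it is not used. The web.config fragment below, added here as an example and not taken from the deck, removes from one site the modules a static-plus-PHP site has no use for. The module names are the ones used in the configuration files, which are longer than the labels on the slide (the slide's BasicAuthModule is BasicAuthenticationModule in config, ISAPIModule is IsapiModule, CGIModule is CgiModule); which modules this particular site can do without is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the deck): trim the module pipeline for one site.
     Which modules a given site can live without is an assumption made here. -->
<configuration>
  <system.webServer>
    <!-- The modules section is locked in applicationHost.config by default
         (overrideModeDefault="Deny"), so either unlock it there or apply these
         removals at server level. Leaving it locked is itself a control: a site
         owner then cannot add or remove native modules from web.config. Each
         remove must name a module that is actually present in the inherited
         list; removing one that is not installed is a configuration error. -->
    <modules>
      <!-- Extensibility modules this site never invokes: no ISAPI, no classic
           CGI (PHP runs through FastCGI), no server-side includes. -->
      <remove name="IsapiModule" />
      <remove name="IsapiFilterModule" />
      <remove name="CgiModule" />
      <remove name="ServerSideIncludeModule" />

      <!-- Authentication schemes not used: the site is anonymous only. -->
      <remove name="BasicAuthenticationModule" />
      <remove name="DigestAuthenticationModule" />
      <remove name="WindowsAuthenticationModule" />

      <!-- Directory browsing is never offered on a public site. -->
      <remove name="DirectoryListingModule" />
    </modules>

    <!-- Removing a module is not the same as switching its feature off: the
         settings that would have used those modules are disabled as well, so
         the configuration reads consistently. The authentication section is
         also locked by default and needs the same unlock. -->
    <directoryBrowse enabled="false" />
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <basicAuthentication enabled="false" />
        <digestAuthentication enabled="false" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Fewer modules means fewer notifications per request (the throughput gain the tip is about) and less code reachable by a request, which is the attack-surface point of the page 9 slide. After a change like this, run the site's own request mix through WCAT and confirm the expected 401/403 behaviour is unchanged, since a removed authentication module silently stops challenging.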

Page 11

Componentization

demo

Page 12

Security Architecture Improvements

Feature delegation
  Allow non-administrators to manage IIS7 settings remotely
  Allow fine-grained control over feature delegation

Application pool isolation
  Sandboxing out-of-the-box

Page 13

Security Architecture Improvements

IIS7 identities are built-in
  Anonymous User IUSR_<machinename> → IUSR
  IIS_WPG is now IIS_IUSRS
  Easier to administer, scale-out and configure
  You no longer need to add worker process identities to the IIS_IUSRS group

Anonymous user is no longer required
  Worker process identity does the job

Page 14

Application Pool Isolation

demo

Page 15

Security Features

.NET security integration
  Roles, profile, membership, forms auth and URL auth modules support any type of content
  Use of .NET Role and Membership Providers

URL Authorization
  Control access via web.config files instead of using ACLs

Request Filtering
  Filter verbs, sequences, urls, headers
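A web.config that uses both features from this slide, added here as an example (not the deck's own material): URL Authorization rules that replace NTFS ACLs and apply to every content type the worker process serves, and a Request Filtering section that rejects requests by verb, URL sequence, hidden path segment, file extension and header size before any handler runs. The role name, the hidden segments, the extension list and the size limits are assumptions for a PHP site; the element and attribute names are the IIS 7.0 configuration schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the deck). Role names, segments, extensions and
     limits are assumed values for an imaginary PHP site. -->
<configuration>
  <system.webServer>
    <security>

      <!-- URL Authorization: rules live in web.config instead of NTFS ACLs and
           are enforced by the server for static files, PHP and ASP.NET alike. -->
      <authorization>
        <!-- drop the server-wide "allow everyone" rule this site inherits -->
        <remove users="*" roles="" verbs="" />
        <!-- "?" is the anonymous user; only members of the Editors role get in -->
        <add accessType="Deny" users="?" />
        <add accessType="Allow" roles="Editors" />
      </authorization>

      <!-- Request Filtering: reject bad requests before any module or script
           sees them. Rejections are 404s with a substatus (see note below). -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">

        <!-- Size limits on URL, query string, body and individual headers.
             maxAllowedContentLength is in bytes (1 MiB here). -->
        <requestLimits maxUrl="2048" maxQueryString="1024" maxAllowedContentLength="1048576">
          <headerLimits>
            <add header="Content-Type" sizeLimit="200" />
          </headerLimits>
        </requestLimits>

        <!-- Verbs: only the ones the application answers; everything else,
             TRACE and WebDAV verbs included, is refused. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>

        <!-- URL sequences that no legitimate request to this site contains. -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>

        <!-- Path segments that must never be served regardless of ACLs. The
             inherited defaults (web.config, bin, App_Data, ...) stay in force;
             these two are site-specific additions. -->
        <hiddenSegments>
          <add segment="backups" />
          <add segment="tools" />
        </hiddenSegments>

        <!-- Extensions: allow only what the site serves. A request with no
             extension (the default document, a folder) is treated as
             extension "." and must be allowed explicitly. -->
        <fileExtensions allowUnlisted="false">
          <add fileExtension="." allowed="true" />
          <add fileExtension=".php" allowed="true" />
          <add fileExtension=".html" allowed="true" />
          <add fileExtension=".css" allowed="true" />
          <add fileExtension=".js" allowed="true" />
          <add fileExtension=".png" allowed="true" />
        </fileExtensions>

      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Each rejection is logged with a distinct sc-substatus in the W3C log (404.5 URL sequence, 404.6 verb, 404.7 extension, 404.8 hidden segment, 404.10 header too long, 404.11 double escaping, 404.12 high-bit characters, 404.13 content length, 404.14 URL length, 404.15 query string length), so a spike in any one of them is a cheap thing to alert on. The authorization rules, unlike ASP.NET's, are evaluated by the server for every request, which is why the deck recommends trying them together with the integrated pipeline.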

Page 16

Request Filtering

demo

Page 17

Server Core

Server Core is:
  A minimal installation option for Windows Server® 2008
  Part of the Windows Server® 2008 general purpose SKUs
  Available for x86 and x64

Page 18

Server Core Benefits

Today’s challenges
  Servers have a single role or a fixed workload
  Administrators are required to deploy and service the full OS
  Non-value add features present a servicing and security burden
  Administrators think of servers in terms of server roles

With Server Core:
  Fewer Patches
    Reduces # of patches by ~60% (based on all Win2000 patches)
    Servicing burden is reduced by removing components that are most often serviced
  More Secure, Reliable and Less Management
    Removal of non-value add legacy & client components from server

Page 19

Server Core Overview

Server Core:
  Provides minimal server OS functionality
    Core sub-systems: Security logon, networking (TCP/IP), file system, RPC, etc.
    Infrastructure: Command-shell, domain join, eventlog, perfcounters, HTTP, IPSec
    Basic set of management tools: Configure ip address, create users, notepad, taskmgr
  Uses low surface area server for targeted roles
  Includes a set of server roles
  Includes the following optional features: WINS, Failover Clustering, Subsystem for UNIX-based applications, Backup, Multipath IO, Removable Storage Management, Bitlocker Drive Encryption, SNMP, Telnet Client, and QoS

Page 20

Summary

IIS7 builds upon the IIS6 architecture
  Process model
  Minimal attack surface
  Performance optimized

IIS7 offers major architectural enhancements
  Modularization, built-in accounts, configurable caching, compression, server core etc.

Page 22

IIS 6 Security History

IIS 6 has only 3 advisories released to date, none of them rated as critical

http://secunia.com/product/1438/?task=advisories

Apache 2.0.x on the other hand has over 35, several of which are critical rated

http://secunia.com/product/73/?task=advisories

Page 23

IIS7 Architecture

[Diagram: Service Host (SVCHost.EXE) running the Windows Process Activation Service (WAS) and the World Wide Web Service (W3SVC); the HTTP.SYS Kernel-Mode Listener; the Worker Process (W3WP.EXE), which reads Configuration (applicationhost.config) and runs the request pipeline: Read Configuration → Authenticate → Authorize → Map Request → Handle Request → Send Response → Log Request, dispatching to handlers: Static File Handler, PHP, ASP.Net.]

Page 24

IIS7 Request Flow

[Diagram: the same components as page 23 (Service Host (SVCHost.EXE) with Windows Process Activation Service (WAS) and World Wide Web Service (W3SVC); HTTP.SYS Kernel-Mode Listener; Worker Process (W3WP.EXE) reading Applicationhost.config and running Read Configuration → Authenticate → Authorize → Map Request → Handle Request → Send Response → Log Request, with Static File Handler, PHP and ASP.Net handlers), plus the HTTP.SYS internals: HTTP Protocol Host, Request Queue, HTTP Listener Channel, Response Cache, and the site binding registered with the listener, Bindings: http://*:80:site1.]

Page 25

HTTP.SYS
  Accepting HTTP (and HTTPS) connections
  Parsing and validating HTTP requests
  Queuing of HTTP requests in application-specific queues
  Caching of HTTP responses
  New: Kernel-Mode SSL and Kernel-Mode Windows authentication

Page 26

WAS and W3SVC

Windows Process Activation Service (WAS)
  Configuration Manager
    Reads configuration from applicationhost.config and reacts to changes in configuration
    Passes configuration to the World Wide Web Service
  Process Manager
    Starts worker processes when a listener (e.g. HTTP.SYS) receives the first request
    Monitors state and health of worker processes
    Recycles worker processes based on certain parameters, e.g. lifetime, number of requests, schedule etc.
    Prevents resource exhaustion, e.g. by limiting the number of worker processes that can be active at the same time

W3SVC
  HTTP specific listener adapter
    Site binding information (IP address, port, host header)
    Application Pool and Application settings
    Configuration changes
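Everything the WAS process manager and the W3SVC listener adapter do for a site is driven from applicationHost.config. The fragment below, added here as an example and not from the deck or from Microsoft, shows one site bound the way the page 24 diagram labels it (http://*:80:site1) running in its own application pool, with recycling by lifetime, request count, schedule and memory, a cap on concurrent worker processes, health pings, rapid-fail protection, and the per-pool 32-bit setting from the page 5 tip (in the configuration schema the attribute is enable32BitAppOnWin64). The pool name, site id, physical paths and all numeric limits are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the deck): the parts of applicationHost.config that
     WAS and W3SVC act on for one site. Names, paths and limits are assumed. -->
<configuration>
  <system.applicationHost>

    <applicationPools>
      <!-- One pool per site gives the site its own w3wp.exe process and
           identity, which is the isolation the deck calls "sandboxing". -->
      <add name="Site1Pool"
           managedPipelineMode="Integrated"
           enable32BitAppOnWin64="true"
           queueLength="1000">

        <!-- Process manager settings: worker process identity, a single
             process (no web garden), shutdown when idle, and pings that
             detect a hung process so WAS can replace it. -->
        <processModel identityType="NetworkService"
                      maxProcesses="1"
                      idleTimeout="00:20:00"
                      pingingEnabled="true"
                      pingInterval="00:00:30"
                      pingResponseTime="00:01:30" />

        <!-- Recycle after 29 hours of lifetime, after 100000 requests, daily
             at 03:00, or when private memory passes 512 MB (value in KB);
             log which trigger fired so recycles can be correlated with
             incidents. -->
        <recycling logEventOnRecycle="Time, Requests, Schedule, PrivateMemory, IsapiUnhealthy, OnDemand, ConfigChange">
          <periodicRestart time="1.05:00:00" requests="100000" privateMemory="524288">
            <schedule>
              <add value="03:00:00" />
            </schedule>
          </periodicRestart>
        </recycling>

        <!-- Rapid-fail protection: five crashes within five minutes stops the
             pool rather than letting WAS restart it indefinitely. -->
        <failure rapidFailProtection="true"
                 rapidFailProtectionInterval="00:05:00"
                 rapidFailProtectionMaxCrashes="5" />
      </add>
    </applicationPools>

    <sites>
      <!-- Binding information is what W3SVC registers with HTTP.SYS: the
           listener queues only requests arriving on *:80 with Host header
           "site1" to this site's application pool. -->
      <site name="site1" id="1">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:site1" />
        </bindings>
        <application path="/" applicationPool="Site1Pool">
          <virtualDirectory path="/" physicalPath="D:\sites\site1\wwwroot" />
        </application>
        <!-- Per-site switch that allows Failed Request Tracing output. -->
        <traceFailedRequestsLogging enabled="true"
                                    directory="D:\sites\site1\logs\FailedReqLogFiles" />
      </site>
    </sites>

  </system.applicationHost>
</configuration>
```

With a pool per site, a crash or a runaway request in one site's w3wp.exe cannot take down another site's, and the recycle events in the System log name the pool and the reason, which is the first place to look when a worker process is being restarted unexpectedly.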

Page 27

Worker Process
  Establishes a connection with WAS at startup
  Responds to WAS requests, e.g. when asked to shut down
  Picks up requests from the HTTP.SYS request queue
  Manages the request pipeline
  Processes requests and sends responses
  Runs all third-party code
    Modules, handlers, ISAPI filters and extensions, assemblies, COM objects etc.

Page 28

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.