Windows .NET Server Technical Readiness Internet
Internet Information Server 6.0
IIS 6.0 Enhancements
Fundamental changes, aimed at:
Reliability & Availability
Performance
Manageability
Security
IIS 6.0 Reliability & Availability
Review of IIS 5 Architecture (diagram)
User mode: INETINFO.EXE hosts the ISAPI filters and extensions and the Metabase; isolated applications run out of process in separate DLLHost.EXE instances, each hosting its own ISAPI extensions
Kernel mode: WinSock 2.0 over TCP/IP
IIS 6 Architecture (diagram)
User mode: Web Admin Service; Worker Process (W3 Core hosting the web app)
Kernel mode: HTTP.SYS
What is it?
Kernel-mode HTTP stack/listener
Always running
What does it do?
HTTP Listener and Parser
Process routing based on URL namespace
Request queues: kernel-mode queuing
Response cache for static requests
Web Admin Service - WAS
What is it?
Configuration, Application and Process Manager
What does it do?
Configures HTTP.SYS for listening and routing
Periodic Recycling
Health Monitoring
Time, Hit, Memory, Schedule-based, and on-demand
Pinging, Crash detection
Rapid fail protection
Better debugging support
Orphan Web Processing Core Host Processes
Web Processing Core
W3WP.exe
What is it?
Main web processing core responsible for handling web requests
Self-contained web server
Contains all web request processing functionality
Loads ISAPIs – filters and extensions
ASP, ASP.NET, FrontPage® Server Extensions
Delivers complete isolation from system components and other web apps
IIS 6.0 Availability: Applications
Isolating Applications From Each Other
Applications grouped into Application Pools
Applications defined by URL namespace
One or many applications per Application Pool
Configure Processing features by Application Pool
One or many Worker Processes per Application Pool
Service Level Support
CPU accounting
Bandwidth throttling
IIS 6 Architecture: Managing worker processes (diagram)
User mode: Web Admin Service signals “Recycle time!” to a Worker Process (W3 Core + web app); a fresh Worker Process (W3 Core + web app) is started to take over the application pool
Kernel mode: HTTP.SYS
Working with Application Pools
Recycling
Recycle periodically to ensure reliability
Recycle based on:
Uptime
# of requests
Schedule
Virtual memory consumption
On-Demand
Application Pool Performance
Goal = Support 2000 pools concurrently. IIS5 Isolated OOP total was 80.
Scaling Features of Pools
Idle Timeout
CPU Accounting
Demand Start
Web Gardens
Multiple Processes serving an application pool
Reliability and fault-tolerance
Allows another already initialized worker process to take over the current load
Can affinitize worker processes to a set of processors
Some throughput gains for applications that rely on process global resources
App Pool Health & Debugging Features
Worker process health monitoring/gating
Process pinging
Startup/Shutdown limits
Kernel Mode Request Queuing
Rapid Fail Protection
“Orphan” worker processes in failure
Configurable Worker Process ID
Worker process can be started as:
Network Service (default)
Local System
Local Service
Configured ID
DEMO: IIS Recycle
IIS 6.0 Performance
IIS 6.0 Performance
Designed for high throughput
Kernel mode cache for static, unauthenticated content
User-mode worker processes
No transition to user mode for cache hits
No user mode to user mode process hop
Talk directly to HTTP.SYS to get requests
Ability to affinitize worker processes to CPUs
Support for 64-Bit
IIS 6.0 Scalability
Scale up, out and in
SSL up to 900% faster
ISAPI up to 800% faster
CGI up to 100% faster
Support 20,000 sites and more per system
Improved Startup/Shutdown times (<2min)
Improved Scalability of Application Isolation (2000 Isolated Application Pools)
Improved Processor Scalability
3x on a 4-processor box, 5x on an 8-way
IIS 6.0 Management
Installation
Management Enhancements
XML Metabase
WMI Provider
Command-Line Interface
New Web-based Administration Console
IIS Commands
Create web and FTP Sites
c:\>iisweb /create c:\webroot "My Site" /b 169.254.36.174
Create web and FTP V-Dirs
Backup/Restore
Export/Import Configuration
c:\>iiscnfg /import /f MySiteConfig.xml /sp /lm/w3svc/1 /dp /lm/w3svc/4
IIS 6.0 Security
IIS 5.0 Security Issues
Code Red, Nimda, etc., etc.
Weaknesses
Windows 2000 Installed As An Application Server – Huge attack surface
Soft Defaults
High Privilege Accounts
No automated way to install patches
Result: Fixes out for months but not uniformly applied
Many companies survived Code Red & Nimda
IIS Lockdown Wizard & URLSCAN for IIS 4/5
Improved Patch Management
IIS 6.0 Security
Secure Out of the Box
Change in approach:
Clean up code, improved tools for defect detection
Secure defaults, minimize attack surface (static files only by default)
Customer ‘enables’ server features after setup
An infrastructure that by default installs security hot fixes (customer opts out, not in)
Educate the Customer
IIS 6.0 Security
Reduced Attack Surface
IIS is not installed by default
Server Lockdown: Serve HTM files only
As well as 20+ other services
Only Web service gets installed
IsapiRestrictionList
CGIRestrictionList
Template-based feature activation
Web service disabled on upgrade for benefit of non-IIS users
Prevent IIS6 install with group policy
Managing Web Service Extensions
Allow or prohibit ASP
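As an added example (not from the deck and not Microsoft's tooling), a small Python audit that reads the XML metabase mentioned under Management and checks the settings the slides above care about: the application pool identity, rapid fail protection, pinging, periodic recycling, and which Web Service Extensions are allowed. The metabase fragment is constructed; the property names (AppPoolIdentityType, RapidFailProtection, PingingEnabled, PeriodicRestart*, WebSvcExtRestrictionList) are the shipped IIS 6 metabase schema names as understood here, whereas the deck uses the earlier IsapiRestrictionList/CGIRestrictionList names, so verify them against your own MetaBase.xml.

```python
import xml.etree.ElementTree as ET

NS = {"mb": "urn:microsoft-catalog:XML_Metabase_V64_0"}
# Constructed MetaBase.xml fragment (not from any real server). Multi-line metabase
# values are written with &#xA; here so the XML parser keeps one entry per line.
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0"><MBProperty>
<IIsWebService Location="/LM/W3SVC" WebSvcExtRestrictionList="0,*.dll&#xA;0,*.exe&#xA;1,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,0,ASP,Active Server Pages&#xA;0,C:\\WINDOWS\\system32\\inetsrv\\httpodbc.dll,0,HTTPODBC,Internet Data Connector"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" AppPoolIdentityType="2"
 RapidFailProtection="TRUE" PingingEnabled="TRUE" PeriodicRestartTime="1740"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0"
 RapidFailProtection="FALSE" PingingEnabled="FALSE" PeriodicRestartTime="0"/>
</MBProperty></configuration>"""

RECYCLE_KEYS = ("PeriodicRestartRequests", "PeriodicRestartMemory", "PeriodicRestartSchedule")

def audit_pool(pool):
    """Flag the per-pool settings the deck calls out: identity, health gating, recycling."""
    findings = []
    if pool.get("AppPoolIdentityType", "2") == "0":   # 0 = Local System, 2 = Network Service (default)
        findings.append("runs as Local System (high-privilege identity)")
    if pool.get("RapidFailProtection", "TRUE").upper() != "TRUE":
        findings.append("rapid fail protection disabled")
    if pool.get("PingingEnabled", "TRUE").upper() != "TRUE":
        findings.append("worker process pinging disabled")
    time_off = pool.get("PeriodicRestartTime", "1740") == "0"   # schema default is 1740 minutes
    if time_off and all(pool.get(k, "0") in ("", "0") for k in RECYCLE_KEYS):
        findings.append("no periodic recycling configured")
    return findings

def parse_extensions(value):
    """WebSvcExtRestrictionList lines: allowed(0|1),path[,deletable,groupid,description]."""
    for line in value.splitlines():
        f = line.strip().split(",")
        if len(f) >= 2:
            yield (f[3] if len(f) > 3 else f[1], f[1], f[0] == "1")

def audit_metabase(xml_text):
    """Return per-pool findings plus the Web Service Extensions state."""
    root = ET.fromstring(xml_text)
    report = {"pools": {}, "enabled_extensions": [], "unknown_allowed": False}
    for pool in root.iterfind(".//mb:IIsApplicationPool", NS):
        report["pools"][pool.get("Location", "").rsplit("/", 1)[-1]] = audit_pool(pool)
    svc = root.find(".//mb:IIsWebService", NS)
    ext_list = svc.get("WebSvcExtRestrictionList", "") if svc is not None else ""
    for group, path, allowed in parse_extensions(ext_list):
        if allowed and path.startswith("*."):
            report["unknown_allowed"] = True   # every unknown ISAPI/CGI could be loaded
        elif allowed:
            report["enabled_extensions"].append(group)
    return report
```

Run against the sample, DefaultAppPool comes back clean while LegacyPool is flagged on all four checks, and only ASP is reported as an allowed extension.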
Web Server Security Enhancements
URLscan implemented by default
Clean code
Architectural changes
Process isolation
Configurable identity
Application pool management
General OS hardening
New tools
AutoUpdate, SUS, Qchain, MBSA
Questions?