Internet Information Server 6.0

Presentation Transcript

IIS 6.0 Enhancements

Fundamental changes, aimed at:

Reliability & Availability
Performance
Manageability
Security

IIS 6.0 Reliability & Availability

INETINFO.EXE

ISAPI Filters and

Extensions

ISAPI Filters and

Extensions

Metabase

DLLHost.EXE

ISAPI

Extensions

ISAPI

Extensions

ISAPI

Extensions

Review of IIS 5 Architecture

WinSock 2.0

user

kernel

TCP/IP

Worker Process

W3 Core

Web Admin Service

web app

HTTP.SYS

IIS 6 Architecture

user

kernel

HTTP.SYS

What is it?

Kernel-mode HTTP stack/listener
Always running

What does it do?

HTTP Listener and Parser
Process routing based on URL namespace
Request queues: kernel-mode queuing
Response cache for static requests

Web Admin Service - WAS

What is it?

Configuration, Application and Process Manager

What does it do?

Configures HTTP.SYS for listening and routing
Periodic Recycling

Time, Hit, Memory, Schedule-based, and on-demand

Health Monitoring

Pinging, Crash detection
Rapid fail protection

Better debugging support

Orphan Web Processing Core Host Processes

Web Processing CoreW3WP.exe

What is it?

Main web processing core responsible for handling web requests

Self–contained web server

Contains all web request processing functionality
Loads ISAPI’s – filters and extensions

ASP, ASP.NET, FrontPage® Server Extensions

Delivers complete isolation from system components and other web apps

IIS 6.0 Availability:Applications

Isolating Applications From Each Other

Applications grouped into Application Pools

Applications defined by URL namespace
One or many applications per Application Pool
Configure Processing features by Application Pool
One or many Worker Processes per Application Pool
Service Level Support

CPU accounting
Bandwidth throttling

Worker Process

W3 Core

Web app

IIS 6 Architecture: Managing worker processes

Web Admin Service

Recycle

time!

user

kernel

HTTP.SYS

Working with Application Pools

Recycling

Recycle periodically to ensure reliability
Recycle based on:

Uptime
# of requests
Schedule
Virtual memory consumption
On-Demand

Application Pool Performance

Goal = Support 2000 pools concurrently.

IIS5 Isolated OOP total was 80.

Scaling Features of Pools

Idle Timeout
CPU Accounting
Demand Start

Web Gardens

Multiple Processes serving an application pool

Reliability and fault-tolerance

Allows another already initialized worker process to take over the current load

Can affinitize worker processes to a set of processors
Some throughput gains for applications that rely on process global resources

App Pool Health & Debugging Features

Worker process health monitoring/gating

Process pinging
Startup/Shutdown limits
Kernel Mode Request Queuing

Rapid Fail Protection
“Orphan” worker processes in failure

Configurable Worker Process ID

Worker process can be started as:

Network Service (default)
Local System
Local Service
Configured ID

DEMO: IIS Recycle

IIS 6.0 Performance

Designed for high throughput

Kernel mode cache for static, unauthenticated content

No transition to user mode for cache hits

User-mode worker processes

No user mode to user mode process hop
Talk directly to HTTP.SYS to get requests
Ability to affinitize worker processes to CPUs

Support for 64-Bit

IIS 6.0 Scalability

Scale up, out and in

SSL up to 900% faster
ISAPI up to 800% faster
CGI up to 100% faster
Support 20,000 sites and more per system

Improved Startup/Shutdown times (<2min)
Improved Scalability of Application Isolation (2000 Isolated Application Pools)

Improved Processor Scalability

3x on a 4-processor box, 5x on an 8-way

IIS 6.0 Management

Installation

Management Enhancements

XML Metabase
WMI Provider
Command-Line Interface
New Web-based Administration Console

IIS Commands

Create web and FTP Sites

c:\>iisweb /create c:\webroot “My Site” /b 169.254.36.174

Create web and FTP V-Dirs
Backup/Restore
Export/Import Configuration

c:\>iiscnfg /import /f MySiteConfig.xml
/sp /lm/w3svc/1
/dp /lm/w3svc/4

IIS 6.0 Security

IIS 5.0 Security Issues

Code Red, Nimda, etc., etc.
Weaknesses

Windows 2000 Installed As An Application Server – Huge attack surface
Soft Defaults
High Privilege Accounts
No automated way to install patches

Result: Fixes out for months but not uniformly applied
Many companies survived Code Red & Nimda

IIS Lockdown Wizard & URLSCAN for IIS 4/5
Improved Patch Management

IIS 6.0 SecuritySecure Out of the Box

Change in approach:

Clean up code, improved tools for defect detection
Secure defaults, minimize attack surface (static files only by default)
Customer ‘enables’ server features after setup
An infrastructure that by default installs security hot fixes (customer opts out, not in)