Internet Information Server 6.0

jada

Presentation Transcript


  1. Internet Information Server 6.0

  2. IIS 6.0 Enhancements • Fundamental changes, aimed at: • Reliability & Availability • Performance • Manageability • Security

  3. IIS 6.0 Reliability & Availability

  4. Review of IIS 5 Architecture (diagram labels: INETINFO.EXE, ISAPI Filters and Extensions, Metabase, DLLHost.EXE, ISAPI Extensions, WinSock 2.0, TCP/IP, user, kernel)

  5. IIS 6 Architecture (diagram labels: Worker Process, W3 Core, web app, Web Admin Service, HTTP.SYS, user, kernel)

  6. HTTP.SYS • What is it? • Kernel-mode HTTP stack/listener • Always running • What does it do? • HTTP Listener and Parser • Process routing based on URL namespace • Request queues: kernel-mode queuing • Response cache for static requests

  7. Web Admin Service - WAS • What is it? • Configuration, Application and Process Manager • What does it do? • Configures HTTP.SYS for listening and routing • Periodic Recycling • Time, Hit, Memory, Schedule-based, and on-demand • Health Monitoring • Pinging, Crash detection • Rapid fail protection • Better debugging support • Orphan Web Processing Core Host Processes

  8. Web Processing Core: W3WP.exe • What is it? • Main web processing core responsible for handling web requests • Self-contained web server • Contains all web request processing functionality • Loads ISAPIs – filters and extensions • ASP, ASP.NET, FrontPage® Server Extensions • Delivers complete isolation from system components and other web apps

  9. IIS 6.0 Availability: Applications. Isolating Applications From Each Other • Applications grouped into Application Pools • Applications defined by URL namespace • One or many applications per Application Pool • Configure Processing features by Application Pool • One or many Worker Processes per Application Pool • Service Level Support • CPU accounting • Bandwidth throttling

  10. IIS 6 Architecture: Managing worker processes (diagram labels: Worker Process, W3 Core, Web app, Web Admin Service, "Recycle time!", HTTP.SYS, user, kernel)

  11. Working with Application Pools

  12. Recycling • Recycle periodically to ensure reliability • Recycle based on: • Uptime • # of requests • Schedule • Virtual memory consumption • On-Demand

  13. Application Pool Performance • Goal = Support 2000 pools concurrently. • IIS5 Isolated OOP total was 80. • Scaling Features of Pools • Idle Timeout • CPU Accounting • Demand Start

  14. Web Gardens • Multiple Processes serving an application pool • Reliability and fault-tolerance • Allows another already initialized worker process to take over the current load • Can affinitize worker processes to a set of processors • Some throughput gains for applications that rely on process global resources

  15. App Pool Health & Debugging Features • Worker process health monitoring/gating • Process pinging • Startup/Shutdown limits • Kernel Mode Request Queuing • Rapid Fail Protection • “Orphan” worker processes in failure

  16. Configurable Worker Process ID • Worker process can be started as: • Network Service (default) • Local System • Local Service • Configured ID

  17. DEMO: IIS Recycle

  18. IIS 6.0 Performance

  19. IIS 6.0 Performance: Designed for high throughput • Kernel mode cache for static, unauthenticated content • No transition to user mode for cache hits • User-mode worker processes • No user mode to user mode process hop • Talk directly to HTTP.SYS to get requests • Ability to affinitize worker processes to CPUs • Support for 64-Bit

  20. IIS 6.0 Scalability: Scale up, out and in • SSL up to 900% faster • ISAPI up to 800% faster • CGI up to 100% faster • Support 20,000 sites and more per system • Improved Startup/Shutdown times (<2min) • Improved Scalability of Application Isolation (2000 Isolated Application Pools) • Improved Processor Scalability • 3x on a 4-processor box, 5x on an 8-way

  21. IIS 6.0 Management

  22. Installation

  23. Management Enhancements • XML Metabase • WMI Provider • Command-Line Interface • New Web-based Administration Console

  24. IIS Commands • Create web and FTP Sites: c:\>iisweb /create c:\webroot "My Site" /b 169.254.36.174 • Create web and FTP V-Dirs • Backup/Restore • Export/Import Configuration: c:\>iiscnfg /import /f MySiteConfig.xml /sp /lm/w3svc/1 /dp /lm/w3svc/4

  25. IIS 6.0 Security

  26. IIS 5.0 Security Issues • Code Red, Nimda, etc., etc. • Weaknesses • Windows 2000 Installed As An Application Server – Huge attack surface • Soft Defaults • High Privilege Accounts • No automated way to install patches • Result: Fixes out for months but not uniformly applied • Many companies survived Code Red & Nimda • IIS Lockdown Wizard & URLSCAN for IIS 4/5 • Improved Patch Management

  27. IIS 6.0 Security: Secure Out of the Box • Change in approach: • Clean up code, improved tools for defect detection • Secure defaults, minimize attack surface (static files only by default) • Customer ‘enables’ server features after setup • An infrastructure that by default installs security hot fixes (customer opts out, not in) • Educate the Customer

  28. IIS 6.0 Security: Reduced Attack Surface • IIS is not installed by default • As well as 20+ other services • Server Lockdown: Serve HTM files only • Only Web service gets installed • IsapiRestrictionList • CGIRestrictionList • Template-based feature activation • Web service disabled on upgrade for benefit of non-IIS users • Prevent IIS6 install with group policy

  29. Managing Web Service Extensions

  30. Support or no support ASP

  31. Web Server Security Enhancements • URLscan implemented by default • Clean code • Architectural changes • Process isolation • Configurable identity • Application pool management • General OS hardening • New tools • AutoUpdate, SUS, Qchain, MBSA

  32. Questions ?
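
The default-deny extension model of slides 28 and 29 can be checked mechanically. The following is an added example, not part of the presentation: it audits restriction entries assumed to use the comma-separated layout of the IIS 6.0 WebSvcExtRestrictionList metabase property (allow flag, path, deletable flag, group ID, description). The sample entries, the approved baseline and the function names are constructed for illustration.

```python
# Added example: audit web service extension entries for default-deny posture.
# Assumed entry layout (IIS 6.0 WebSvcExtRestrictionList):
#   AllowDenyFlag,ExtensionPath,UIDeletableFlag,GroupID,Description
# Flag 1 = allowed, 0 = prohibited; *.dll / *.exe stand for all unlisted
# ISAPI extensions / CGI programs.

# Constructed sample data, not taken from a real server.
SAMPLE_ENTRIES = [
    r"0,*.dll",
    r"1,*.exe",
    r"1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages",
    r"0,C:\WINDOWS\system32\inetsrv\httpodbc.dll,0,HTTPODBC,Internet Data Connector",
    r"1,D:\apps\legacy\upload.dll,1,,",
]
# Hypothetical baseline of binaries the operator has deliberately enabled.
APPROVED = {r"c:\windows\system32\inetsrv\asp.dll"}
WILDCARDS = {"*.dll", "*.exe"}


def parse_entry(raw):
    """Return (allowed, path) or raise ValueError for a malformed entry."""
    fields = raw.strip().split(",", 4)
    if len(fields) < 2 or fields[0] not in ("0", "1") or not fields[1]:
        raise ValueError(raw)
    return fields[0] == "1", fields[1]


def audit(raw_entries, approved):
    """List (finding, detail) pairs that weaken the static-files-only default."""
    findings = []
    for raw in raw_entries:
        try:
            allowed, path = parse_entry(raw)
        except ValueError:
            findings.append(("malformed", raw))
            continue
        if not allowed:
            continue  # prohibited entries keep the attack surface closed
        if path.lower() in WILDCARDS:
            findings.append(("wildcard-allow", path))  # any unlisted binary may run
        elif path.lower() not in approved:
            findings.append(("unapproved-allow", path))
    return findings


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_ENTRIES, APPROVED):
        print(f"{finding}: {detail}")
```
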
