Eric Deily Senior Program Manager Lead SVR303

IIS7 Overview Management Security Troubleshooting Summary Questions and Answers

New Modular Architecture and Request Pipeline Redesigned Configuration System New UI and Suite of Management Tools Deep ASP.Net Integration Detailed Tracing and Troubleshooting Tools Delegated Remote Administration Granular Feature Delegation Shared Configuration for Web farms FastCGI Module for PHP Hosting

Static file webserver by default Install what you need Application infrastructure Authentication schemes Diagnostics Metabase Compat Metabase Compat for existing deployment scripts

Main IIS configuration file is now applicationHost.config No more metabase.bin or metabase.xml files! Configure IIS and ASP.NET properties in the same file Built for simple, schema-based extensibility Machine Independent Can be shared across multiple machines

Web.Config Site #1 Delegation SettingsDelegation Settings App SettingsApp Settings.Net Settings.Net Settings Web.Config Site #2 Delegation SettingsDelegation Settings App SettingsApp Settings.Net Settings.Net Settings Web.Config Site #3 Delegation SettingsDelegation Settings App SettingsApp Settings.Net Settings.Net SettingsApplicationHost.configAdministration.config Server Wide SettingsServer Wide Settings Global Feature DelegationGlobal Feature Delegation IIS Manager UsersIIS Manager UsersApplicationHost.configAdministration.config Server Wide SettingsServer Wide Settings Global Feature DelegationGlobal Feature Delegation IIS Manager UsersIIS Manager Users Sites IIS7 Server IIS7 Server Server Changes “Global” “Global” Individual Site Changes

Eric Deily Senior Program Manager Lead IIS

Global settings and location tags.NET Framework ASP.net global settings Global web.config.NET global settings Machine.config IIS 7 Server Applicationhost.config Web.config IIS7 Delegated IIS7 Delegatedsettings.NET settings.NET settings

Welcome to a world of XCOPY deployment! Replicate IIS configuration in to multiple servers… Built-in “Internet User” (IUSR) account, no more machine specific SIDs Simple file copy, no command line tools required Watch for machine specific information like IP’s and drive letters (Now has support of OS variables i.e. %systemroot%) Replicating IIS site configuration in web.config files… XCOPY with application

Intuitive redesign of IIS Manager Rewritten to be more task-oriented New ways to automate tasks Microsoft.Web.Administration (can use with PowerShell) WMI Provider (use with Vbscript/Jscript and PowerShell) Easy command line administration One, consolidated tool: AppCmd.exe Delegate management to site owners Allows delegate to change specific settings without elevated privileges Manage remotely without the need of OS p rivileges Secure, firewall-friendly connection over HTTP/SSL

Remotes over HTTP, making it firewall friendly Forces HTTPS (Note: Remote management is not installed by default) Supports delegated management of sites, applications and features to non- admins Provides managed extensibility for customization

Eric Deily Senior Program Manager Lead IIS

Delegated control to site owners Site owners control designated settings without elevated OS privileges Runs as an NT Service (WMSCV) Delegated settings written to Web.config files Site and/or application level Shared with ASP.net configuration XCopy deploy configuration and content Granular control over delegated settings allows precise locking Example: Always require Basic Auth on all sites, but let site owner add/control Windows Auth

Only Administrator can connect to server node Can see all settings and connect to other nodes Does not need explicit permissions If Remote Administration is enabled, a server administrator can log in Non-admins can connect only to sites and apps Can only connect to sites or app that permission has been granted Explicit permission required Content can be ACL’d for greater security

Eric Deily Senior Program Manager Lead IIS

Install, manage, and patch only the modules you use… Reduces attack surface (10 modules installed by default) Reduces in-memory footprint Provides fine grained control Replace server modules provided by Microsoft with your own custom components

Two APP Pool Modes Two APP Pool Modes Classic (runs as ISAPI) Integrated Mode. NET modules / handlers plug directly into pipeline Process all requests Full runtime fidelity Log Compress Basic Static File ISAPI Anon SendResponse Authentication Authorization ResolveCache ExecuteHandler UpdateCache … … Authentication Forms Windows Map Handler ASPX Trace … … … aspnet_isapi.dll

Provide Windows Hosting of PHP Applications Built-in FastCGI module - Optimized for high performance 10x faster than standard CGI on Windows Fully tested against latest PHP.NET builds (PHP 5.2.1) Host multiple versions of PHP side-by-side Supports Internet Standards FastCGI standard allows for Python, Ruby, PERL, etc.

Eric Deily Senior Program Manager Lead IIS

New IIS 7 feature significantly improves application pools isolation Prevents pools from reading secrets in another pool’s config Works automatically, and is transparent to configuration and operation Process identity is unchanged Network Service by default

IUSR no longer “keyed” to each server IUSR instead of IUSR_ IUSR instead of IUSR_ IUSR is “built in” to IIS, not an NT local account No password to worry about Cannot logon to OS with this account Same SID on all Vista/LH servers File ACLs are valid between servers No need to re-ACL each server Allow anonymous access & turn off IUSR: Use process identity for anon access when enabled Disabled by default

Control access to sites, folders, or files without using NTFS ACLs Inspired by ASP.net URL authorization, but designed for administrators Rules are stored in.config files Delegate control stored in web.config Authorization rules are then portable Xcopy and maintain security Use Windows principles or.NET provider Native to IIS 7

IIS7 integrates URLScan style rules Very strong security feature Prevent URLs that contain “any string” Block URLs over “X” in length Prevent delivery of certain extensions or content (i.e. “.config” or “/bin”) Easy to read rules stored in.config Delegate control to store in web.config Filtering rules are then portable Cannot be edited in UI New error codes track rejections

Eric Deily Senior Program Manager Lead IIS

New verbose errors provides much more information Suggests causes and solutions – often suggests corrective action or lines of inquiry Details include configuration section in question, module in use, page, etc. Verbose errors only delivered to localhost by default Provided by CustomErrors IIS7 module

Enable no-repro instrumentation for “failed requests” Turn tracing on, but only keep the events for “failed requests” Allows for custom failure criteria per URL Time taken Status/substatus codes Enable per-URL trace configuration Allows for custom traces on each site Trace on specific types content – example: trace only “*.aspx” Persist failure log files beyond process lifetime Common scenarios: Request takes too long/hangs -> very common today Request error -> request completes, but with error status code Authentication/Authorization problems Server 500 errors

Eric Deily Senior Program Manager Lead IIS

More than a Web server, Internet Information Services 7.0 provides an accessible, extensible platform for developing and reliably hosting Web applications and services. Modular & Extensible Agile Administration Built in Request Tracing Improved Security Integrated with.NET IIS 7.0 Enhancements Reduced Attack Surface StreamlinedServers Easier to manage Easier to manage Extend/Modify IIS Features Fast Diagnostics

In-depth technical articles and samples In-depth technical articles and samples Connect with other IIS experts on blogs & forums Connect with other IIS experts on blogs & forums Free advice and assistance in forums Free advice and assistance in forums Download center with IIS solutions Download center with IIS solutions

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Proven Scalability MySpace - 23 Billion Page* Views/Month Microsoft.com - 10k Req/sec & 300K Concurrent Connections Match.com -30 million page view daily Proven Security No critical IIS 6 hotfixes since RTM Proven Trust 54% of Fortune 1000 use IIS (port80software.com) A solid foundation to build on.

*As of 4/4/07

Customer feedback revealed: Site density on shared servers is too low Metabase corruption and replication issues Too few options for site owner administration Site/server failures too difficult to troubleshoot Not enough flexibility for customization Current support for PHP apps is inadequate

Windows Web Server 2008 is built for Internet Web serving Removed features unnecessary for web severing Two default roles (three possible): Web (IIS), Windows SharePoint Services, Windows Media Services (download and install) Increased hardware limits: 4 processors and 4GB of RAM (32 GB on x64 version) Benefits Small footprint, Reduced Attack Surface, Lower Cost Supports More Web Application Scenarios SQL Server allowed for local Web applications Full use rights for IIS, ASP.NET and.NET FX 3.0