IIS and .NET Security: Application Pools
Pamella Smith
June 18, 2009

Agenda
- Application Pool Defined
- Application Pool and Application Domain
- IIS 5.0 Process Model
- IIS 6 Process Model
- IIS 7 Process Model
- Security Issues
- Application Pool Configuration
- Caveats
8/30/2019
Application Pool Defined
- An application pool is a way to isolate applications/Web sites within the IIS framework.
- Each application pool is given its own set of server resources.
- An application pool may have one or many worker processes.

Application Pool or Application Domain
- An application domain is used to isolate executing applications so they cannot interfere with each other's resources and memory.
- One application may have many application domains.
- One process may be associated with many application domains.
- An application pool can contain one or many applications.
- Each application pool runs in its own worker process.
- Application pools can be configured to provide the required level of isolation.
IIS 5.0 Process Model
- The IIS inetinfo.exe process listens on port 80 for incoming HTTP requests. Since this is a process, it runs in "user mode".
- Requests are queued to a single process queue.
- ASP.NET requests are handed to the ASP.NET ISAPI.
- The ISAPI communicates with the ASP.NET worker process via a named pipe.
- The worker process delivers the request to the ASP.NET HTTP runtime environment.
- ASP.NET web applications are hosted inside the worker process.
- Uses the concept of app domains: each virtual directory is executed in a single app domain.

IIS 5.0 Application Protection
- Low
- Medium
- High

IIS 6 Process Model
- Applications run in different worker processes.
- Each application pool can contain multiple application domains.
- Multiple processes may host one application pool.
- Incoming HTTP requests are handled and queued at the kernel level (HTTP.SYS) rather than in user mode.
- A request is routed directly to the correct application pool/specific worker process.
- The worker process loads the ASP.NET ISAPI extension.
- Request dispatching is not affected by crashes and problems at the user level.

IIS 7 Process Model
- More modular: separate modules for authentication schemes, which can be uninstalled or "not" installed. This reduces the attack surface of the server.
- ASP.NET integrated – communication with the ASP.NET ISAPI is eliminated.
- Still uses application pools.
- Classic Mode
- Integrated Mode

Security Issues
- .NET-integrated enhancements in IIS 6 and IIS 7 provide a greater level of application stability.
- Application pools provide greater isolation levels for applications.
- High-risk applications can be grouped into properly configured application pools.
- Application pools can be tuned to provide a more granular level of security and safety.
Application Pool Configuration
- Creation
- Request-Processing Mode
- Recycling
- Start/Stop
- Performance
- Health
- Identity
- Other Configuration Options

Application Pool Creation
- Simple
- APPCMD
- Programmatically
- ADMIN extension

Request-Processing Mode (Classic and Integrated mode, IIS 7)
- Classic: handles requests as IIS 6.0 does; some steps are duplicated, e.g., authentication.
- Integrated: only the configured steps are executed, e.g., one-time authentication; managed features are available to all content types.

Recycling
- Restarting the worker process
- Default: 1740 minutes
- Useful for problematic code

Performance
- Idle Time-Out
- Request Queue Limit
- Enable CPU monitoring
- Maximum number of worker processes

Health
- Enable Pinging
- Enable Rapid-Fail Protection
- Startup Time Limit
- Shutdown Time Limit

Identity
- Predefined: LocalSystem, NetworkService, LocalService

Other Configuration Options
- Specify the .NET Framework version
- Automatic Startup
- Assign applications to an application pool

Caveats
- Don't have too many application pools.
- Set memory capacities.
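The Recycling, Performance, Health, Identity and Caveats slides above list settings without showing where they live or how to check them. The following is an added example (not from the original deck) that audits those settings offline: it parses a constructed fragment of an IIS 7 applicationHost.config, resolves each pool's own attributes against applicationPoolDefaults (a pool inherits whatever it does not override), and flags a LocalSystem identity, disabled rapid-fail protection or pinging, disabled periodic recycling, a missing memory limit and an oversized request queue. The element and attribute names follow the real applicationHost.config schema; the pool names, values and the finding texts are assumptions made for the example.

```python
"""Audit IIS 7 application-pool settings from an applicationHost.config fragment.
Added example; not part of the original slide deck."""
import xml.etree.ElementTree as ET
from datetime import timedelta

# Constructed sample. Element/attribute names follow the real schema that IIS keeps
# in %windir%\\System32\\inetsrv\\config\\applicationHost.config; values are made up.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" managedRuntimeVersion="v2.0" managedPipelineMode="Integrated" />
      <add name="LegacyPool" managedRuntimeVersion="v2.0" managedPipelineMode="Classic" queueLength="5000">
        <processModel identityType="LocalSystem" idleTimeout="00:00:00" pingingEnabled="false" />
        <recycling><periodicRestart time="00:00:00" /></recycling>
        <failure rapidFailProtection="false" />
      </add>
      <add name="HighRiskPool" managedRuntimeVersion="v2.0" managedPipelineMode="Integrated">
        <processModel identityType="NetworkService" maxProcesses="2" />
        <recycling><periodicRestart time="04:00:00" privateMemory="512000" /></recycling>
      </add>
      <applicationPoolDefaults managedRuntimeVersion="v2.0" managedPipelineMode="Integrated" queueLength="1000">
        <processModel identityType="NetworkService" idleTimeout="00:20:00" pingingEnabled="true"
                      maxProcesses="1" startupTimeLimit="00:01:30" shutdownTimeLimit="00:01:30" />
        <recycling><periodicRestart time="1.05:00:00" memory="0" privateMemory="0" /></recycling>
        <failure rapidFailProtection="true" rapidFailProtectionInterval="00:05:00"
                 rapidFailProtectionMaxCrashes="5" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""


def timespan_minutes(value):
    """Convert an IIS timeSpan ('d.hh:mm:ss' or 'hh:mm:ss') to whole minutes.
    The built-in periodicRestart time 1.05:00:00 is the deck's 1740 minutes."""
    days = 0
    if "." in value:
        day_part, value = value.split(".", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    span = timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)
    return int(span.total_seconds() // 60)


def setting(pool, defaults, path, attr, fallback):
    """Look an attribute up on the pool's element at `path` ('.' = the pool itself),
    then on <applicationPoolDefaults>, then fall back to the IIS built-in default."""
    for scope in (pool, defaults):
        if scope is None:
            continue
        node = scope if path == "." else scope.find(path)
        if node is not None and attr in node.attrib:
            return node.attrib[attr]
    return fallback


def audit_pool(pool, defaults):
    """Return one pool's effective settings plus a list of findings (assumed wording)."""
    def get(path, attr, fallback):
        return setting(pool, defaults, path, attr, fallback)

    findings = []
    identity = get("processModel", "identityType", "NetworkService")
    if identity == "LocalSystem":
        findings.append("identity is LocalSystem; the worker process runs with full system privileges")
    if get("failure", "rapidFailProtection", "true").lower() != "true":
        findings.append("rapid-fail protection disabled; a repeatedly crashing pool is never taken offline")
    if get("processModel", "pingingEnabled", "true").lower() != "true":
        findings.append("pinging disabled; a hung worker process is not detected and recycled")
    restart_minutes = timespan_minutes(get("recycling/periodicRestart", "time", "1.05:00:00"))
    if restart_minutes == 0:
        findings.append("periodic recycling disabled (time=00:00:00)")
    memory_kb = int(get("recycling/periodicRestart", "memory", "0"))
    private_kb = int(get("recycling/periodicRestart", "privateMemory", "0"))
    if memory_kb == 0 and private_kb == 0:
        findings.append("no memory limit; set memory or privateMemory (KB) so a leaking pool recycles")
    queue_length = int(get(".", "queueLength", "1000"))
    if queue_length > 1000:
        findings.append(f"queueLength={queue_length} exceeds the default 1000; more requests pile up "
                        "in HTTP.sys before an overloaded pool starts returning 503")
    return {"name": pool.attrib["name"], "identity": identity,
            "pipeline": get(".", "managedPipelineMode", "Integrated"),
            "restart_minutes": restart_minutes, "findings": findings}


def audit_config(xml_text):
    """Audit every <add> pool in the fragment; returns {pool name: result}."""
    pools_node = next(ET.fromstring(xml_text).iter("applicationPools"))
    defaults = pools_node.find("applicationPoolDefaults")
    return {r["name"]: r for r in (audit_pool(p, defaults) for p in pools_node.findall("add"))}


if __name__ == "__main__":
    for name, result in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: identity={result['identity']} pipeline={result['pipeline']} "
              f"recycle every {result['restart_minutes']} min")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Running it against a real server's applicationHost.config works the same way (read the file and pass its text to audit_config); the inheritance step matters because most pools set nothing themselves, so a weak value placed in applicationPoolDefaults silently applies to every pool that does not override it.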
References
- Working With Application Pools in Internet Information Server: www.windowsnetworking.com/articles_tutorials/Working-Application-Pools-Internet-Information-Server.html
- IIS 5.0 Process Model: Dotnetextract.googlepages.com/iis-5.0-process-model
- IIS 6.0 Process Model: Dotnetextract.googlepages.com/ii6.0processmodel
- IIS 7.0 Process Model: http://learn.iis.net/page.aspx/101/introduction-to-iis7-architecture

References (cont.)
- http://www.casabaseurity.com/iis7_security_guide
- http://learn.iis.net
- http://mscn.microsoft.com
- http://technet.microsoft.com
- http://www.windowsnetworking.com/articles_tutorials/working-application-pools-internet-information-server