MSDN Briefing: IIS7 für Entwickler (IIS7 for Developers)


MSDN Briefing: IIS7 für Entwickler (IIS7 for Developers)
Christoph Wille, MVP ASP.NET, http://chrison.net/

Internet Information Services 7 ("seven"): integrated, extensible, componentized, compatible, secure, delegated, supportable.
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

IIS: A Colorful Past
- 1996: V1 ships with Windows NT 4.0; V2 and V3 followed in service pack releases
- 1997: V4 is part of the NT 4 Option Pack
- 2000: V5 is installed by default in Windows 2000
- 2001: March 2001, #1 in Internet site share; fall 2001, Code Red and Nimda
- 2003: V6 is released in Windows Server 2003

IIS 6 Today
Secure by default:
- IIS is no longer installed by default with the OS
- IIS installs with a "locked down" configuration
- Runs with minimal permissions and a secure configuration
Secure by design:
- Extensive design and code reviews
- Penetration testing
- Defense in depth
- Process architecture designed for application failure: health detection, automatic recycling of applications
Result: zero critical security patches since release (as of this talk); #1 in reliability for major Internet sites.

Agenda
- Architecture overview
- Modularization
- Extensibility
- Administration and troubleshooting

For Developers
Where do I get IIS 7.0? It ships with Windows Vista, but the editions differ:
Vista edition | IIS 7.0 available
Home Basic | N
Home Premium |
Business | Y
Ultimate |
Where do I start? That depends on what type of developer you are, native or managed-code; either way, understanding the core server architecture comes first.

Installation Differences
IIS 7.0 has a rebuilt setup architecture: it uses Vista's "Windows Features On and Off", and can also be driven from Vista's Package Manager (pkgmgr.exe) at an elevated command prompt. The feature list after /iu: is a single semicolon-separated string with no whitespace (the spaces in the slide are line wraps). Every feature installed is code exposed to requests, so install only what the workload needs.

Full install of all IIS components:

  start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

Minimal install (the IIS role and WAS only):

  start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

Architecture Introduction
IIS 7.0's architecture, albeit similar to IIS 6.0, offers unique changes. The default architecture has the same "players" with some fresh new ones:
- IIS 6.0: Inetinfo, W3SVC, W3WP, HTTP.sys
- IIS 7.0: Inetinfo (optional), W3SVC, WAS (Windows Process Activation Service), W3WP, HTTP.sys

A Review: IIS 6.0 Architecture
Monolithic implementation: install all or nothing. The pipeline is fixed: Authentication (NTLM, Basic, Anon, ...) → Determine Handler (CGI, Static File, ASP.NET ISAPI, PHP, ...) → Send Response → Log, Compress. Server functionality can be extended only through ISAPI.

IIS7 Request Processing
Server functionality is split into ~40 modules. Modules plug into a generic request pipeline: Authentication (NTLM, Basic, Anon, ...) → Authorization → ResolveCache → Determine Handler (CGI, Static File, ISAPI, ...) → ExecuteHandler → UpdateCache → SendResponse → Log, Compress. Modules extend server functionality through a public module API.

Architecture in IIS7: What does the "Core" do?
- Extensibility: it exposes interfaces and agrees to "hook up" interfaces via subscription or events
- It is the primary workhorse of the Web server
Code authors: Microsoft, in the form of "modules" that ship with the IIS7 platform; and you, the rest of the world.

IIS6 ASP.NET Integration
Runtime limitations: ASP.NET only sees ASP.NET requests (those mapped to aspnet_isapi.dll), and features are duplicated. IIS pipeline: Authentication (NTLM, Basic, Anon, ...) → Determine Handler (CGI, Static File, ISAPI, ...) → Send Response → Log, Compress. Inside aspnet_isapi.dll: Authentication (Forms, Windows, ...) → Map Handler (ASPX, Trace, ...).

IIS7 ASP.NET Integration
Two modes: Classic (runs as ISAPI) and Integrated. In Integrated mode, .NET modules and handlers plug directly into the pipeline, process all requests, and have full runtime fidelity. Pipeline: Authentication (Anon, Forms, Windows, ...) → Authorization → ResolveCache → Map Handler (Static File, ISAPI/aspnet_isapi.dll, ASPX, Trace, ...) → ExecuteHandler → UpdateCache → SendResponse → Log, Compress.

Reviewing IIS 7.0 Architecture
The slide contrasts what is loaded into a worker process (W3WP) on each version. DLLs named on the slide: w3core.dll, w3cache.dll, w3comlog.dll, iisutil.dll, iisRtl.dll, iisres.dll, iisetw.dll, admwprox.dll, gzip.dll, iismap.dll, cacheuri.dll, cachfile.dll, cachhttp.dll, compdyn.dll, compstat.dll, modrqflt.dll, modexp.dll, defdoc.dll, cgi.dll, static.dll, and custom modules (myparser.dll, myauthurl.dll, mybscauth.dll, mylogging.dll, mycompres.dll, myMossint.dll). The point: IIS 6.0's w3core.dll bundles what IIS 7.0 splits into per-feature modules, and in IIS 7.0 only the installed modules are loaded.

Demo: The Most Secure Web Server Ever

Metabase vs. "AppHost.config"
IIS 6.0's metabase design:
- Supported a legacy, out-dated interface (ABO)
- Maintained its own ACLs inside the file rather than using file-system ACLs
- Delegation wasn't supported; it relied solely on administrative privileges
- Remote capabilities were limited and not a user-friendly experience
- The schema wasn't architected in an easy-to-use format
- Extending the schema was nearly impossible

Metabase vs. "AppHost.config" (2)
Introducing ApplicationHost.config. Location: %windir%\system32\inetsrv\config. Default configuration: every section is locked against delegation except Directory Browsing (directoryBrowse), Default Document (defaultDocument), HTTP Redirect (httpRedirect) and HTTP Protocol (httpProtocol). Sections are unlocked using IIS Manager or by editing ApplicationHost.config.

Metabase vs. "AppHost.config" (3)
ApplicationHost.config facts:
- Uses a strongly-typed schema (%windir%\system32\inetsrv\config\schema\IIS_schema.xml)
- Easily edited with your favorite XML editor
- Broken down into two pieces: system.applicationHost (sites, pools, process model; server-level only) and system.webServer (request-processing features; delegatable)
- Delegation of IIS settings is unlockable and distributable to web.config files deployed with the content

Metabase vs. "AppHost.config" (4)
ApplicationHost.config facts (cont.):
- Uses well-known XML
- Organized into tightly-coupled groups for like features (i.e. collections)
- Uses simple key/value pairs for many options (true/false, 0 or 1, etc.), for example: <directoryBrowse enabled="false" />
- Extending the schema is a drag-and-drop experience: add an XML file to the config\schema directory and restart IIS

Configuration Highlights
Delegated configuration administration:
- Administrators may allow the application owner to modify settings
- Developers can set and deploy settings with their applications
- Xcopy-deployment of self-contained applications without running an admin tool or scripts to configure them, even to a centralized UNC share
Unified configuration model for the entire Web platform:
- Administrators may use the same file for IIS, ASP.NET and Indigo (WCF) settings
- Developers can use the same API and concepts across the entire platform
- AuthN, AuthZ, custom errors, handlers, etc. are set one single way
Extensibility and customization is easy:
- Administrators control which sections are registered with the system
- Developers can reuse base classes to quickly develop custom sections
- A clean schema allows smooth editing by hand (text/XML editor), API or admin tool
Compatibility built in at the API level: ABO/ADSI scripts and applications continue to work.

Configuration Layout: IIS + ASP.NET + .NET Framework
Root configuration files, in inheritance order from the top down:
- .NET Framework machine.config: \Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
- ASP.NET root web.config: \Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config
- IIS applicationHost.config: \Windows\system32\inetsrv\config\applicationHost.config
Below these, web.config files in site and application directories carry both IIS (system.webServer) and ASP.NET (system.web) settings and inherit from the roots.

Configuration Delegation
Delegation is:
- Configuration locking ("overrideMode")
- ACLs on the configuration files
By default:
- All IIS sections are locked except Default Document, Directory Browsing, HTTP Headers and HTTP Redirects
- All .NET Framework / ASP.NET sections are unlocked
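As an added example (not code from the presentation or from Microsoft), the two halves of delegation described above, a setting plus a lock on it, done through the Microsoft.Web.Administration API instead of by hand-editing applicationHost.config. The section chosen is directoryBrowse because it is one of the few unlocked by default: without the lock, a web.config deployed with the content can turn directory listings back on. The site name "Default Web Site" and running elevated on the IIS 7.0 machine are assumptions.

```csharp
// Added example, not code from the presentation: set directoryBrowse server-wide
// and lock it for one site via Microsoft.Web.Administration.
// Assumptions: the site is "Default Web Site"; this runs elevated on the IIS 7.0 box;
// Microsoft.Web.Administration.dll (from %windir%\system32\inetsrv) is referenced.
using System;
using Microsoft.Web.Administration;

class LockDirectoryBrowse
{
    static void Main()
    {
        const string siteName = "Default Web Site";
        const string sectionPath = "system.webServer/directoryBrowse";

        using (ServerManager mgr = new ServerManager())
        {
            Configuration appHost = mgr.GetApplicationHostConfiguration();

            // Server-wide value. False is the IIS default anyway, but setting it
            // explicitly writes <directoryBrowse enabled="false" /> into
            // applicationHost.config so the intent is visible to the next admin.
            ConfigurationSection serverWide = appHost.GetSection(sectionPath);
            serverWide["enabled"] = false;

            // The lock. Fetching the section with a location path and setting
            // OverrideMode writes a <location path="Default Web Site"
            // overrideMode="Deny"> element for it. From then on a <directoryBrowse>
            // element in that site's web.config is rejected with HTTP 500.19
            // (configuration error) instead of silently re-enabling listings.
            ConfigurationSection forSite = appHost.GetSection(sectionPath, siteName);
            forSite.OverrideMode = OverrideMode.Deny;

            // Nothing is written to disk until CommitChanges.
            mgr.CommitChanges();

            Console.WriteLine("{0}: directoryBrowse enabled={1}, effective override mode={2}",
                siteName, forSite["enabled"], forSite.OverrideModeEffective);
        }
    }
}
```

The site-scoped lock is exactly the decision the Feature Delegation page in IIS Manager records for you; to lock a section for every site at once, change the overrideModeDefault on its <section> declaration in applicationHost.config instead. The content directory's web.config is not touched by this code, so a listing setting that was already deployed there shows up as a 500.19 on the next request, which is the desired failure mode: loud, not silent.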

Demo: Customized Workload; Site Creation (a tour of the UI); Currently Executing Requests; Configuring a Site for AuthN

Modules vs. ISAPI
IIS 6.0 development:
- First-class access to requests was only possible through the Internet Server API (ISAPI)
- ISAPI only supported C/C++ and was a rather complex technology
Client vs. server versions:
- Windows XP Professional shipped with IIS 5.1, yet lots of development targeted IIS 6.0
- IIS 6.0 shipped on Windows Server 2003 and was architected differently from IIS 5.x

Modules vs. ISAPI (2)
Client vs. server versions (cont.):
- The managed-code development architecture differed heavily between IIS 5.x and 6.0
- ASP.NET was written as an ISAPI and duplicated functionality already in IIS 6.0
IIS 7.0:
- IIS 7.0 on the client is the same as on the server (kept in sync via service packs)
- Support for multiple development interfaces to interact with the IIS 7 core server

IIS 7.0 Native Modules
- Vista ships with the potential of 40+ modules
- Most are native modules built with the new native C/C++ APIs
- Native modules are registered in the <globalModules> section of applicationHost.config (and enabled per site or application in <modules>)
- A full IIS 7.0 install has 33 native modules

Utility Modules
Used to help the server engine with its internal operations; there is no configuration for them in applicationHost.config.
Module | Purpose | If removed
cacheuri.dll | Caches configuration etc. after the first request for a URI | Performance loss
cachfile.dll | Cache of file handles currently opened by the core server | Performance loss
cachtokn.dll | Caches tokens for password-based authentication | Performance loss (every request logs on again)

Compression Modules
Provide static and dynamic compression for IIS requests.
Module | Purpose | If removed
compdyn.dll | In-memory compression of dynamic content | None; not installed by default
compstat.dll | In-memory as well as file-based compression of static content | Higher network bandwidth use for large responses
Configurable locations: system.webServer/httpCompression and system.webServer/urlCompression.

Authentication Modules
IIS 7.0 core authentication modules:
Module | Purpose | If removed
authanon.dll | Anonymous authentication | Anonymous access is not allowed
authbas.dll | HTTP Basic authentication | Basic authentication is not available
authsspi.dll | Windows authentication (NTLM/Kerberos) | Negotiate (Kerberos) and NTLM are unavailable
authmd5.dll | Digest authentication | Digest authentication is not available
authcert.dll | IIS client certificate mapping (requires SSL) | Client certificates are not accepted for authentication
authmap.dll | Maps SSL client certificates to an Active Directory account | Active Directory mapping is unavailable
Basic authentication sends the password base64-encoded, not encrypted, so enable it only on SSL sites.

Security Modules
Implement URL authorization and IP/domain restrictions:
Module | Purpose | If removed
urlauthz.dll | Authorization based on configuration rules (users, roles and verbs per URL) | No URL-based allow/deny via configuration
iprestr.dll | Allows or denies requests based on the client's IPv4 address or domain name | No IP-based restriction of requests
modrqflt.dll | A set of security rules based on known and unknown attack vectors (previously known as URLScan): request filtering | No request filtering based on extension, query-string size, etc.

Logging & Error Modules
Implement logging, and custom and detailed errors:
Module | Purpose | If removed
logcust.dll | Implements the ILogPlugin interface on top of IIS 7. Not recommended: it is an old implementation; write your own module and subscribe to the RQ_LOG_REQUEST event instead | Applications that depend on the legacy interface will not work
loghttp.dll | Standard IIS logging | No request data will be logged
custerr.dll | Custom errors and the new IIS 7 detailed errors | No error messages (custom or detailed) are sent to clients
Detailed errors reveal paths and configuration; the default errorMode of DetailedLocalOnly keeps them off the wire for remote clients.

Diagnostics Modules
Implement IIS 7.0's request monitoring, tracing and Failed Request Tracing:
Module | Purpose | If removed
iisetw.dll | Event Tracing for Windows (ETW) support for capturing detailed trace logs | No tracing of specific requests
iisfreb.dll | Tracing of failed requests | No automatic tracing based on the configured rules
iisreqs.dll | Runtime state and control APIs for IIS 7.0: viewing executing requests, starting/stopping sites, etc. | No runtime data, and no start/stop/pause of Web sites

Development Modules
Development technologies offered to execute code on the platform; implement the managed interfaces, etc.
Module | Purpose | If removed
isapi.dll | ISAPI extension functionality | No ISAPI extension will execute
filter.dll | ISAPI filter functionality | No ISAPI filter will be loaded into any process
cgi.dll | Common Gateway Interface (CGI) on top of IIS 7.0 | No CGI DLL or EXE will execute
webengine.dll | Connects the IIS core pipeline with the ASP.NET runtime; the bridge between native and managed code in IIS 7.0 | No managed code is supported in IIS 7.0

Misc. Modules
Independent functionality outside of any group:
Module | Purpose | If removed
defdoc.dll | Default document feature, using the files listed in the defaultDocument section | A specific URL is required; any request ending in / will fail
dirlist.dll | IIS 7.0's directory browsing | Directory browsing is not possible
protsup.dll | Custom and redirect response headers, custom HTTP verbs (TRACE/OPTIONS), HTTP keep-alive | Those specific features are unavailable
redirect.dll | Redirection of incoming requests | Content "protected" only by a redirect becomes directly reachable; a redirect is not an access control

Misc. Modules (cont.)
Module | Purpose | If removed
iis_ssi.dll | Server-side includes; a special case in that this module is mapped as a handler for .stm, .shtm and .shtml | Server-side includes are not processed
static.dll | Sends responses for the extensions listed in the mimeMap section | No static file (htm, images, etc.) will be sent to the client
validcfg.dll | Validates at run time that the configuration is valid for IIS 7.0's integrated mode | No validation or help when configuration is deployed improperly

IIS 7.0 Managed Modules
Managed modules are loaded in one of two ways:
- By webengine.dll (integrated mode)
- By the IsapiModule (isapi.dll) hosting aspnet_isapi.dll (classic mode)
Integrated mode gives ASP.NET module features access to all types of content; classic mode runs exactly like IIS 6.0 with ASP.NET 2.0. Managed modules are not listed in <globalModules>; they are registered in the <modules> section (in applicationHost.config or in a web.config) alongside the enabled native modules.

IIS 7.0 Managed Modules (2)
Implement managed-code module parity with ASP.NET 2.0; they require the webengine.dll native module to execute. Each is configured through its own system.web section.
Name | Purpose
WindowsAuthentication | Sets the identity for the application to the Windows-authenticated user
FormsAuthentication | Authenticates access to all content using forms-based authentication against a database or file
DefaultAuthentication | Ensures that an authentication object is present in the application context
OutputCache | Controls the output-caching policies for your application
UrlMappingsModule | Defines a mapping that hides the real URL behind a friendly one
Session | Configures session-state settings for the current application
UrlAuthorization | URL-based authorization via managed code
Profile | Configures parameters for mapping user-profile values
RoleManager | Configures an application for role management
FileAuthorization | File-based authorization via managed code
AnonymousIdentification | Configures anonymous identification for the application
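An added example, not code from the presentation: a managed module of the kind described above that relies on integrated mode to run for every request, static files included, and strips the response headers that advertise the server stack. The class and assembly names (HeaderScrub) and the web.config fragment in the trailing comment are assumptions made for this example.

```csharp
// Added example, not code from the presentation: an IHttpModule for IIS 7.0
// integrated mode that removes server-identifying response headers on every
// response, including static files a classic-mode ASP.NET module never sees.
// Assumed names: namespace/assembly HeaderScrub, class HeaderScrubModule, and the
// web.config registration in the comment at the end.
using System;
using System.Web;

namespace HeaderScrub
{
    public sealed class HeaderScrubModule : IHttpModule
    {
        // Headers that reveal the stack. Constructed list for this example;
        // extend it for whatever your own handlers add.
        private static readonly string[] Revealing = { "Server", "X-Powered-By", "X-AspNet-Version" };

        public void Init(HttpApplication app)
        {
            // Last point at which headers can still be changed before HTTP.sys
            // serializes them; earlier events run before IIS adds "Server".
            app.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;

            // HttpResponse.Headers is only writable under the integrated pipeline;
            // in classic (ISAPI) mode it throws PlatformNotSupportedException, so
            // degrade to a no-op rather than turning every response into a 500.
            if (!HttpRuntime.UsingIntegratedPipeline)
                return;

            foreach (string name in Revealing)
                app.Response.Headers.Remove(name);
        }

        public void Dispose() { }
    }
}

/* Registration in the application's web.config (assumed; integrated mode only).
   An empty preCondition makes the module run for every request, not just the
   ones mapped to a managed handler:

<system.webServer>
  <modules>
    <add name="HeaderScrub" type="HeaderScrub.HeaderScrubModule, HeaderScrub" preCondition="" />
  </modules>
</system.webServer>
*/
```

Compile it into HeaderScrub.dll in the application's bin folder and make sure the application pool is in Integrated mode; in Classic mode the module is loaded by aspnet_isapi.dll, sees only ASP.NET-mapped requests, and the guard above turns it into a no-op. X-AspNet-Version is better switched off at the source with <httpRuntime enableVersionHeader="false" /> in system.web, and X-Powered-By can also be dropped declaratively via <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>; the module is what you need for "Server", which none of the configuration knobs in IIS 7.0 remove.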

Demo: URL Rewriting; Directory Listing; Basic "Deluxe"

IIS 6.0 Tracing vs. Failed Request Tracing
Tracing in IIS 6.0:
- No user interface support
- Added as part of Service Pack 1
- Very difficult to restrict tracing to extensions or paths
- Not extensible with custom events written by developers

IIS 6.0 Tracing vs. Failed Request Tracing (2)
IIS 7.0's Failed Request Tracing, set up through IIS Manager:
- Enabled globally by an administrator
- The actual trace attributes are settable per site or per application

IIS 6.0 Tracing vs. Failed Request Tracing (3)
Viewing trace data in IIS 6.0 is difficult, yet very useful once understood. In IIS 7.0 it is easy: an XSLT stylesheet breaks the various data out to simplify review (in Vista RTM and in Longhorn Server Beta 3).

Demo: FREB in Action

IIS 6.0 Security vs. 7.0 Security
IIS 6.0:
- All bits are installed (%windir%\system32\inetsrv); "features" are turned on or off
- Uses a local account and group for anonymous client requests and for the process account; IIS_WPG is the group that allows worker process creation and carries the security settings
- URLScan was added for security features not offered by the core server

IIS 6.0 Security vs. 7.0 Security (2)
Change | Purpose | Benefit
Only install the selected bits | Reduce the footprint; lessen management tasks such as patching | Build truly customizable Web workloads to maximize security and improve performance
Convert URLScan into an installable feature rather than an add-on | Bring a popular security tool into the product to simplify deployment, configuration and support | With one click the RequestFilteringModule is installed, and with one file deployed with your content it is working
Change local accounts to built-in accounts | Avoid password management and ACL problems; handle Web farm deployments better | Every IIS 7.0 installation has the same accounts with the same well-known SIDs and the same ACLs, and everything "just works"

Unified Authentication and Authorization
Unified authentication and authorization across the Web server platform:
- Fully supports non-Windows principals
- All authentication schemes are configured one single way for all types of content
- Forms authentication is now fully supported
- IIS extends its ACL authorization model with URL authorization, which supports the Membership system (including custom providers), Windows principals (stored in the local SAM or Active Directory), and custom configuration credential sections (non-Windows principals)

Unified Authentication and Authorization: Reconciled Impersonation Model
IIS 7.0 always applies the following rules, in order of precedence:
1. If a username/password is configured on a virtual directory, it is used first
2. Otherwise, the authenticated user's credentials are used (anonymous, Basic, Windows)
3. If there is no authenticated Windows user (e.g. Forms authentication was used, or no authentication module is configured), the process identity is used

Reconciled impersonation model, scenario 1: a Web user requests a page, and the virtual directory has a username and password configured. The credentials configured for the virtual directory are used. NTFS ACLs are then evaluated against that fixed account rather than against the authenticated user, so per-user access control has to come from URL authorization.

Reconciled impersonation model, scenario 2: a Web user requests a page, and the virtual directory has no username/password configured. The user is prompted and provides valid Windows credentials (the <authentication> section needs to be configured for this). The client credentials, or the anonymous identity, established during authentication are used.

Reconciled impersonation model, scenario 3: a Web user requests a page; the virtual directory has no username/password configured, and no user authentication is configured. The process identity is used.

Unified Authentication and Authorization: Reconciled Impersonation Model (cont.)
ASP.NET developers can still define their own <identity> section if their applications require it; this is useful for applications whose resources reside on different machines. IIS impersonates some Windows identity using one of the methods above, and ASP.NET developers can use their web.config to impersonate an alternate identity (for example, for database access).

Demo: Extending AuthN & AuthZ

Administration
- Extensibility and delegated administration: non-administrators can change relevant settings; admins specify what's allowed per site and application
- Unified management for the entire Web platform: IIS and ASP.NET settings are presented within the same user interface
- Extensible architecture: developers can create custom management features
- Remote administration: administer locally, over the intranet or over the Internet
- New modern look and feel: a navigation-based, task-oriented, rich user experience

Architecture

Extensibility Points
- New features and pages: register new pages with the control panel
- Existing plug-in points: authentication, lock configuration provider, configuration validation
- Custom extensibility using the Extensibility Manager

Extensibility: Adding a New Management Module
Server side:
- Write a new module provider
- Write a module service
- Install the DLL into the GAC
- Register the module in the root configuration (administration.config)
- Enable the module
Client side:
- Write a new module
- Write a module service proxy
- Write some module pages
- Plug into existing features using the Extensibility Manager

Demo: MRU; Server Header end-to-end sample with a module

Microsoft.Web.Administration

Demo: Microsoft.Web.Administration: listing sites, creating a site, app pool creation
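The three steps of the demo as an added example (not the presentation's own demo code). The names "ContosoApi", the content path C:\inetpub\contoso and port 8081 are made up for this example; it assumes an IIS 7.0 machine, an elevated process and a reference to Microsoft.Web.Administration.dll.

```csharp
// Added example, not the presentation's own demo code: list sites, then create an
// application pool and a site bound to it through Microsoft.Web.Administration.
// Assumptions: the name "ContosoApi", the path C:\inetpub\contoso and port 8081
// are invented for this example; the process runs elevated on the IIS 7.0 box.
using System;
using Microsoft.Web.Administration;

class CreateSiteAndPool
{
    static void Main()
    {
        const string name = "ContosoApi";
        const string physicalPath = @"C:\inetpub\contoso";
        const int port = 8081;

        using (ServerManager mgr = new ServerManager())
        {
            // 1. Listing sites: the same data IIS Manager shows, including bindings.
            foreach (Site s in mgr.Sites)
            {
                Console.WriteLine("{0} ({1})", s.Name, s.State);
                foreach (Binding b in s.Bindings)
                    Console.WriteLine("   {0} {1}", b.Protocol, b.BindingInformation);
            }

            // 2. App pool creation. One pool per application keeps sites in separate
            //    worker processes, so a compromised w3wp.exe of one site does not
            //    hand over another site's memory or identity. Indexers return null
            //    when the name is unknown, which keeps the code re-runnable.
            ApplicationPool pool = mgr.ApplicationPools[name];
            if (pool == null)
                pool = mgr.ApplicationPools.Add(name);
            pool.ManagedPipelineMode = ManagedPipelineMode.Integrated; // managed modules see every request
            pool.ManagedRuntimeVersion = "v2.0";                       // .NET 2.0/3.5 CLR

            // 3. Creating a site (HTTP binding on all addresses, given port) and
            //    assigning its root application to that pool.
            Site site = mgr.Sites[name];
            if (site == null)
                site = mgr.Sites.Add(name, physicalPath, port);
            site.Applications["/"].ApplicationPoolName = pool.Name;

            // Nothing reaches applicationHost.config until CommitChanges.
            mgr.CommitChanges();
            Console.WriteLine("Site {0} -> pool {1}, http://*:{2}/", site.Name, pool.Name, port);
        }
    }
}
```

Sites.Add does not create the content directory; it has to exist and be readable by the pool's identity (the IIS_IUSRS group covers every pool on IIS 7.0) before the first request, otherwise the site answers 500 or 401 rather than serving content. Everything above is the same object model IIS Manager and appcmd.exe use, so the result is indistinguishable from a site created in the UI.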

Summary
Something new for everyone in IIS 7.0: the most radical changes in IIS since IIS 4.0.
IIS 6.0 was:
- Limited for developers because of ISAPI and less-than-desirable support for managed code
- Limiting in configuration for key scenarios, such as delegation and schema extensibility
- Limited in troubleshooting capabilities to support zero-repro environments
IIS 7.0 is:
- Easy to extend using any language, native or managed
- Robust in configuration, supporting delegation and schema extensibility
- Task-oriented, with a newly rewritten IIS Manager supporting delegation, and much more
- Equipped with excellent diagnostics built natively into the plumbing of IIS 7.0