Internet Information Server 6.0 & new management features
IIS 6.0 Enhancements Fundamental changes, aimed at: Reliability & Availability Reliability & Availability Performance Performance Manageability Manageability Security Security
INETINFO.EXE Metabase ISAPI Filters and Extensions INETINFO.EXE Metabase ISAPI Filters and Extensions Review of IIS 5 Architecture TCP/IP kernel user WinSock 2.0 DLLHost.EXE ISAPI Extensions DLLHost.EXE ISAPI Extensions DLLHost.EXE ISAPI Extensions
IIS 6 Architecture Web Admin Service Worker Process W3 Core web app HTTP.SYS kernel user
Choosing an Isolation Mode ModeApplications:Compatibility:Isolation: IIS 5.0 Isolation Mode Run inside Inetinfo.exe, and out-of- process applications run in separate DLL hosts Ensures compatibility for most existing applications Prevents one application or site from stopping another Worker Process Isolation Mode Run in an isolated environment Applications must be written to run as multiple instance Allows the administrator to isolate anything from an individual Web application to multiple sites in their own self-contained worker process
HTTP.SYS What is it? Kernel-mode HTTP stack/listener Kernel-mode HTTP stack/listener Always running Always running What does it do? HTTP Listener and Parser HTTP Listener and Parser Process routing based on URL namespace Process routing based on URL namespace Request queues: kernel-mode queuing Request queues: kernel-mode queuing Response cache for static requests Response cache for static requests
Web Admin Service - WAS What is it? Configuration, Application and Process Manager Configuration, Application and Process Manager What does it do? Configures HTTP.SYS for listening and routing Configures HTTP.SYS for listening and routing Periodic Recycling Periodic Recycling Time, Hit, Memory, Schedule-based, and on- demand Time, Hit, Memory, Schedule-based, and on- demand Health Monitoring Health Monitoring Pinging, Crash detection Pinging, Crash detection Rapid fail protection Rapid fail protection Better debugging support Better debugging support Orphan Web Processing Core Host Processes Orphan Web Processing Core Host Processes
Web Processing Core W3WP.exe What is it? Main web processing core responsible for handling web requests Main web processing core responsible for handling web requests Self–contained web server Contains all web request processing functionality Contains all web request processing functionality Loads ISAPI’s – filters and extensions Loads ISAPI’s – filters and extensions ASP, ASP.NET, FrontPage® Server Extensions ASP, ASP.NET, FrontPage® Server Extensions Delivers complete isolation from system components and other web apps
IIS 6.0 Availability: Applications Isolating Applications From Each Other Applications grouped into Application Pools Applications defined by URL namespace Applications defined by URL namespace One or many applications per Application Pool One or many applications per Application Pool Configure Processing features by Application Pool Configure Processing features by Application Pool One or many Worker Processes per Application Pool One or many Worker Processes per Application Pool Service Level Support Service Level Support CPU accounting CPU accounting Bandwidth throttling Bandwidth throttling
Worker Process Web app W3 Core Recycl e time! Worker Process Web app W3 Core IIS 6 Architecture: Managing worker processes kernel user HTTP.SYS Worker Process Web app W3 Core Worker Process Web app W3 Core Web Admin Service Worker Process Web app W3 Core
DEMO: IIS Recycle
IIS 6.0 Security
IIS 5.0 Security Issues Code Red, Nimda, etc., etc. Weaknesses Windows 2000 Installed As An Application Server – Huge attack surface Windows 2000 Installed As An Application Server – Huge attack surface Soft Defaults Soft Defaults High Privilege Accounts High Privilege Accounts No automated way to install patches No automated way to install patches Result: Fixes out for months but not uniformly applied Result: Fixes out for months but not uniformly applied Many companies survived Code Red & Nimda Many companies survived Code Red & Nimda IIS Lockdown Wizard & URLSCAN for IIS 4/5 Improved Patch Management
IIS 6.0 Security Secure Out of the Box Change in approach: Clean up code, improved tools for defect detection Clean up code, improved tools for defect detection Secure defaults, minimize attack surface (static files only by default) Secure defaults, minimize attack surface (static files only by default) Customer ‘enables’ server features after setup Customer ‘enables’ server features after setup An infrastructure that by default installs security hot fixes (customer opts out, not in) An infrastructure that by default installs security hot fixes (customer opts out, not in) Educate the Customer
IIS 6.0 Security Reduced Attack Surface IIS is not installed by default As well as 20+ other services As well as 20+ other services Server Lockdown: Serve HTM files only Only Web service gets installed Only Web service gets installed IsapiRestrictionList IsapiRestrictionList CGIRestrictionList CGIRestrictionList Template-based feature activation Template-based feature activation Web service disabled on upgrade for benefit of non-IIS users Prevent IIS6 install with group policy
DEMO: Blocco del supporto ASP
Web Server Security Enhancements URLscan implemented by default Clean code Architectural changes Process isolation Process isolation Configurable identity Configurable identity Application pool management Application pool management General OS hardening New tools AutoUpdate, SUS, Qchain, MBSA AutoUpdate, SUS, Qchain, MBSA
Overview What’s New in IIS 6.0? Built-in Accounts and IIS 6.0 IIS Pass-Through Authentication Securing Web Traffic How Microsoft Passport Works Configuration file and the.NET Framework Lab: Securing Web Application Sites in IIS 6.0 Lab Discussion Best Practices
What’s New in IIS 6.0? IIS 4.0 IIS 5.0 IIS 6.0 Authentication Anonymous Basic (clear text) Windows NT Challenge / Response Integrated Digest.NET Passport Not available Available as a separate install Fully integrated
Built-in Accounts and IIS 6.0 AccountDescription LocalSystem A built-in account that has a high level of access rights Avoid assigning LocalSystem as an application pool identity Network Service A built-in IIS account with low privileges Interacts throughout the network with the computer account The default application pool identity (recommended) Local Service A built-in IIS account with lowest privileges Connects anonymously over the network Use for local Web applications only IIS_WPG An IIS group account, application pool identity accounts must be a member of this group IUSR_computerna me An IIS account for anonymous IIS access IWAM_computern ame An IIS account for starting out-of-process applications in IIS 5.0 isolation mode ASPNET A built-in account for running Microsoft ASP.NET worker process in IIS 5.0 isolation mode
IIS Pass-Through Authentication
The client requests a page from the host 1 1 IPSec secures internal communication between Web Server and Database Server 3 3 Communication secured 4 4 SSL encrypts communication from Web server to client 2 2 Securing Web Traffic IPSec SSL Client SQL Server Website.msft
How Microsoft Passport Works The client requests a page from the host 1 1 The client logs on to Passport.com 3 3 Passport returns a cookie with ticket information 4 4 The client accesses the host with ticket information 5 5 The host returns a Web form and possibly a new cookie that it can read and write 6 6 The site redirects the client to Passport.com 2 2 Website.msft Passport.com Client
Configuration Files and the.NET Framework The Web server has a Web.config file for ASP.NET Web application settings Each ASP.NET Web application also has its own Web.config file Within the Web.config file, you can control access to individual pages or the entire Web site:
Best Practices Use Run As...never log on as an Administrator Disable NetBIOS Do not put Web files on C: Use the highest level of authentication you can, based on the clients used Always encrypt sensitive information using SSL or IPSec Always use SSL when using basic authentication Do not issue a request for a certificate on a production server Never leave certificates on the server Use the Auto Update feature Use URL Scan Do not install the Resource Kit on a production server