Securing and Tuning IIS7

Microsoft® Hosting Deployment Accelerator

What We’ll Cover

IIS7 Performance

New IIS7 Performance Features

Tuning IIS7

IIS7 Security

Reduced Attack Surface

Architectural Changes

New Security Features

Windows Server Core

Get both performance and security benefits

IIS7 Performance Improvements

Kernel mode SSL and Windows authentication

Performance improvements up to 150%

More powerful compression

For static and dynamic content

Output caching

Per URL, query string and/or request headers

APIs for putting responses in the output cache

Improved scalability

Host thousands of sites

FastCGI

Great way to run PHP on IIS

CGI vs. FastCGI

IIS7 Tuning Tips

Enable Output Caching for semi-dynamic pages

Low bandwidth Branch Offices?

Enable Dynamic Compression (~ 5% CPU overhead)

Need to run many web apps on a single box?

Run IIS worker processes in Wow64 mode

Room for the OS, scalability for your web apps

Now a per-AppPool setting: Enable32BitAppOnWow64

Thinking about buying new Web Server hardware?

W2K8 scales extremely well on new multi-proc boxes (4 and 8 core)

IIS7 Tuning Tips

Thousands of requests per second?

Remove modules you don’t need

Don’t know why some pages are so slow?

Turn on FREB and the “time-taken” feature to investigate

You wildcard (*) scriptmapped all requests to ASP.NET in IIS6?

The Integrated Pipeline is much faster than an IIS6 wildcard (*) scriptmap solution

Try together with IIS7 URL Authorization

IIS7 Tuning Tips

PHP applications?

PHP on top of FastCGI is much faster than traditional CGI
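The FastCGI setup behind the CGI vs. FastCGI comparison and the PHP tip above, as an added example that is not part of the deck: applicationHost.config fragments that register php-cgi.exe as a FastCGI application and map *.php to it. The PHP path and the request counts are assumed.

```xml
<!-- Added example (not from the deck). The PHP path and counts are assumed. -->
<system.webServer>
  <!-- Register php-cgi.exe as a FastCGI application. Unlike plain CGI, the
       process stays alive and serves many requests instead of being spawned per hit. -->
  <fastCgi>
    <application fullPath="C:\PHP\php-cgi.exe" maxInstances="4" instanceMaxRequests="10000">
      <environmentVariables>
        <!-- PHP's own recycle limit must be at least instanceMaxRequests; if it is
             lower, php-cgi exits while IIS still expects it to serve requests. -->
        <environmentVariable name="PHP_FCGI_MAX_REQUESTS" value="10000" />
      </environmentVariables>
    </application>
  </fastCgi>
  <!-- Route *.php through the FastCGI module. scriptProcessor must match the
       fullPath above exactly, or IIS will not find the registered application. -->
  <handlers>
    <add name="PHP_via_FastCGI" path="*.php" verb="GET,HEAD,POST"
         modules="FastCgiModule" scriptProcessor="C:\PHP\php-cgi.exe" resourceType="Either" />
  </handlers>
</system.webServer>
```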

The majority of your requests go to your Default Document?

Put it on top of the list – otherwise IIS7 has to check every time

Static default documents will be cached in kernel-mode (+450%)

Looking for tools to measure web server performance?

Try WCAT 6.3 from www.iis.net/downloads
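The tuning tips above combined into one site-level web.config, as an added example that is not from the deck. The extensions, document names and thresholds are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the deck): a site-level web.config applying the
     tuning tips above. Extensions, document names and thresholds are assumed. -->
<configuration>
  <system.webServer>
    <!-- Output caching for semi-dynamic pages: keep .aspx responses in the
         user-mode and kernel-mode (HTTP.SYS) caches until the file changes;
         vary by query string so /item.aspx?id=1 and ?id=2 are cached separately. -->
    <caching enabled="true" enableKernelCache="true">
      <profiles>
        <add extension=".aspx" policy="CacheUntilChange"
             kernelCachePolicy="CacheUntilChange" varyByQueryString="*" />
      </profiles>
    </caching>

    <!-- Dynamic compression (about 5% CPU) for the low-bandwidth branch offices. -->
    <urlCompression doStaticCompression="true" doDynamicCompression="true" />

    <!-- Put the document most requests hit first; IIS7 probes the list in order. -->
    <defaultDocument enabled="true">
      <files>
        <clear />
        <add value="default.aspx" />
        <add value="index.htm" />
      </files>
    </defaultDocument>

    <!-- Failed Request Tracing: capture any .aspx request that takes more than
         5 seconds or returns a 500, with timings for every module in the pipeline. -->
    <tracing>
      <traceFailedRequests>
        <add path="*.aspx">
          <traceAreas>
            <add provider="WWW Server" verbosity="Verbose"
                 areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module" />
          </traceAreas>
          <failureDefinitions timeTaken="00:00:05" statusCodes="500" />
        </add>
      </traceFailedRequests>
    </tracing>
  </system.webServer>
</configuration>
```

FREB logging must also be switched on for the site (traceFailedRequestsLogging in applicationHost.config) before the trace files appear. Removing a native module you don't need belongs in applicationHost.config or appcmd, because the server-level module entries are locked against removal from web.config.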

Output Caching

IIS7 Security

Building upon a solid foundation - IIS6

Reduced Attack Surface

Server Core

Componentization

Application Pool Isolation and other architectural changes

Security Features

Request Filtering

URL Authorization

IIS7 Installable Components

Logging and Diagnostics: HttpLoggingModule, CustomLoggingModule, RequestMonitorModule, TracingModule

AuthN/AuthZ: BasicAuthModule, DigestAuthModule, WindowsAuthModule, CertificateAuthModule, AnonymousAuthModule, FormsAuthModule, UrlAuthorizationModule

Extensibility: ManagedEngineModule, ISAPIModule, ISAPIFilterModule, CGIModule, ServerSideIncludeModule

Core Web Server: StaticFileModule, HttpCacheModule, DefaultDocumentModule, DirectoryListingModule, DynamicCompressionModule, CustomErrorModule, StaticCompressionModule

Http Protocol Support: RequestFilteringModule, ProtocolSupportModule, OptionsVerbModule, HttpRedirectionModule

Configuration and Metadata Caches: TokenCacheModule, SiteCacheModule, UriCacheModule, FileCacheModule

Componentization

Security Architecture Improvements

Feature delegation

Allow non-administrators to manage IIS7 settings remotely

Allow fine-grained control over feature delegation

Application pool isolation

Sandboxing out-of-the-box

Security Architecture Improvements

IIS7 identities are built-in

Anonymous User IUSR_<machinename> → IUSR

IIS_WPG is now IIS_IUSRS

Easier to administer, scale-out and configure

You no longer need to add worker process identities to the IIS_IUSRS group

Anonymous user is no longer required

Worker process identity does the job
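The feature delegation, application pool isolation and built-in identity points above in one applicationHost.config, as an added example that is not from the deck. Pool and site names, accounts, paths and host names are assumed.

```xml
<!-- Added example (not from the deck): applicationHost.config fragments giving each
     hosted site its own application pool and identity. Pool and site names,
     accounts, paths and host names are assumed. -->
<system.applicationHost>
  <applicationPools>
    <!-- One pool per customer: a compromised worker process in one pool runs as a
         different account from the other pool and cannot read its files. -->
    <add name="CustomerA" managedPipelineMode="Integrated">
      <!-- dedicated low-privilege account (assumed to exist); set the password with
           appcmd so it is stored encrypted instead of typed here -->
      <processModel identityType="SpecificUser" userName="svc-customera" password="[set-with-appcmd]" />
    </add>
    <!-- 32-bit pool for a legacy app, per the Wow64 tip earlier in the deck -->
    <add name="CustomerB" managedPipelineMode="Integrated" enable32BitAppOnWow64="true">
      <processModel identityType="SpecificUser" userName="svc-customerb" password="[set-with-appcmd]" />
    </add>
  </applicationPools>
  <sites>
    <site name="CustomerA" id="1">
      <application path="/" applicationPool="CustomerA">
        <virtualDirectory path="/" physicalPath="D:\Sites\CustomerA" />
      </application>
      <bindings>
        <binding protocol="http" bindingInformation="*:80:customera.example" />
      </bindings>
    </site>
    <site name="CustomerB" id="2">
      <application path="/" applicationPool="CustomerB">
        <virtualDirectory path="/" physicalPath="D:\Sites\CustomerB" />
      </application>
      <bindings>
        <binding protocol="http" bindingInformation="*:80:customerb.example" />
      </bindings>
    </site>
  </sites>
</system.applicationHost>
<!-- No IUSR_<machinename> account and no manual IIS_IUSRS membership: with
     userName="" anonymous requests run as the pool identity, which IIS7 places
     in IIS_IUSRS at worker process start. overrideMode="Deny" stops a delegated
     site administrator from changing this in the site's own web.config. -->
<location path="CustomerA" overrideMode="Deny">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" userName="" />
      </authentication>
    </security>
  </system.webServer>
</location>
```

The isolation only holds if the NTFS ACLs on each physicalPath grant read access to that site's account alone, so svc-customera cannot open D:\Sites\CustomerB.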

Application Pool Isolation

Security Features

.NET security integration

Roles, profile, membership, forms auth and URL auth modules support any type of content

Use of .NET Role and Membership Providers

URL Authorization

Control access via web.config files instead of using ACLs

Request Filtering

Filter verbs, URL sequences, URLs and headers
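The two features above (URL Authorization via web.config and Request Filtering of verbs, sequences, URLs and headers) in one site web.config, as an added example that is not from the deck. The folder, role name, extensions and limits are assumed.

```xml
<!-- Added example (not from the deck): a site web.config applying Request Filtering
     to the whole site and IIS7 URL Authorization to /admin. All values assumed. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Verbs: only these three; anything else is rejected with 404.6 -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- URL sequences: reject path traversal syntax (404.5) -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
        <!-- URLs: hide an assumed backups folder (404.8); bin and web.config are hidden by default -->
        <hiddenSegments>
          <add segment="backups" />
        </hiddenSegments>
        <!-- File extensions: allow list; "." covers extensionless URLs (404.7 otherwise) -->
        <fileExtensions allowUnlisted="false">
          <add fileExtension="." allowed="true" />
          <add fileExtension=".aspx" allowed="true" />
          <add fileExtension=".css" allowed="true" />
        </fileExtensions>
        <!-- Sizes: 1 MB body, 2 KB URL, 1 KB query string, 100-byte Content-Type header -->
        <requestLimits maxAllowedContentLength="1048576" maxUrl="2048" maxQueryString="1024">
          <headerLimits>
            <add header="Content-Type" sizeLimit="100" />
          </headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>
  </system.webServer>
  <!-- URL Authorization on /admin covers every content type (static files too)
       without NTFS ACLs; roles come from the configured .NET role provider. -->
  <location path="admin">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="SiteAdmins" />
          <add accessType="Deny" users="*" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The /admin rule needs an authentication module (Forms or Windows) to establish the user and role; without one every request is anonymous and simply denied. The 404.x substatus codes above show up in the W3C logs, which makes blocked requests easy to spot.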

Request Filtering

Server Core

Server Core is:

A minimal installation option for Windows Server® 2008

Part of the Windows Server® 2008 general purpose SKUs

Available for x86 and x64

Server Core Benefits

Today’s challenges

Servers have a single role or a fixed workload

Administrators are required to deploy and service the full OS

Non-value add features present a servicing and security burden

Administrators think of servers in terms of server roles

With Server Core:

Fewer Patches

Reduces # of patches by ~60% (based on all Win2000 patches)

Servicing burden is reduced by removing components that are most often serviced

More secure, more reliable, less management

Removal of non-value add legacy & client components from server

Server Core Overview

Server Core:

Provides minimal server OS functionality

Core sub-systems:

Security logon, networking (TCP/IP), file system, RPC, etc.

Infrastructure:

Command-shell, domain join, eventlog, perfcounters, HTTP, IPSec

Basic set of management tools:

Configure IP address, create users, notepad, taskmgr

A low-surface-area server for targeted roles

Includes a set of server roles

Includes the following optional features:

WINS, Failover Clustering, Subsystem for UNIX-based applications, Backup, Multipath IO, Removable Storage Management, BitLocker Drive Encryption, SNMP, Telnet Client, and QoS

Summary

IIS7 builds upon the IIS6 architecture

Process model

Minimal attack surface

Performance optimized

IIS7 offers major architectural enhancements

Modularization, built-in accounts, configurable caching, compression, server core etc.

Links

App Pool isolation

URL AuthZ http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Configuring-Security/URL-Authorization/Understanding-IIS7-URL-Authorization

IIS 6 Security History

IIS 6 has had only 3 advisories released to date, none of them rated critical: http://secunia.com/product/1438/?task=advisories

Apache 2.0.x, on the other hand, has over 35, several of them rated critical: http://secunia.com/product/73/?task=advisories

IIS7 Architecture

(Diagram) Service Host (SVCHost.EXE) hosting the Windows Process Activation Service (WAS) and the World Wide Web Service (W3SVC); Configuration (applicationhost.config); Worker Process (W3WP.EXE); HTTP.SYS Kernel-Mode Listener

IIS7 Request Flow

(Diagram) Service Host (SVCHost.EXE) hosting WAS and W3SVC, which read the site bindings (http://*:80:site1) from applicationhost.config; Worker Process (W3WP.EXE) with the HTTP Protocol Host; HTTP.SYS Kernel-Mode Listener with its Request Queue and Response Cache

HTTP.SYS

Accepting HTTP (and HTTPS) connections

Parsing and validating HTTP requests

Queuing of HTTP requests in application-specific queues

Caching of HTTP responses

New in IIS7: kernel-mode SSL and kernel-mode Windows authentication

WAS and W3SVC

Windows Process Activation Service (WAS)

Configuration Manager

Reads configuration from applicationhost.config and reacts to changes in configuration

Passes configuration to the World Wide Web Service

Process Manager

Starts worker processes when a listener (e.g. HTTP.SYS) receives the first request

Monitors state and health of worker processes

Recycles worker processes based on certain parameters, e.g. lifetime, number of requests, schedule etc.

Prevents resource exhaustion, e.g. by limiting number of worker processes that can be active at the same time

W3SVC

HTTP specific listener adapter

Site binding information (IP address, port, host header)

Application Pool and Application settings

Configuration changes

Worker Process

Establishes a connection with WAS at startup

Responds to WAS requests, e.g. when asked to shut down

Picks up requests from the HTTP.SYS request queue

Manages request pipeline

Processes requests and sends responses

Runs all third-party code

Modules, handlers, ISAPI filters and extensions, assemblies, COM objects etc.

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.