Microsoft® Hosting Deployment Accelerator
IIS7 Performance
New IIS7 Performance Features
Tuning IIS7
IIS7 Security
Reduced Attack Surface
Architectural Changes
New Security Features
Windows Server Core
Get both performance and security benefits
Kernel mode SSL and Windows authentication
Performance improvements up to 150%
More powerful compression
For static and dynamic content
Output caching
Per URL, query string and/or request headers
APIs for putting responses in the output cache
Improved scalability
Host thousands of sites
FastCGI
Great way to run PHP on IIS
Enable Output Caching for semi-dynamic pages
Low bandwidth Branch Offices?
Enable Dynamic Compression (~ 5% CPU overhead)
Need to run many web apps on a single box?
Run IIS worker processes in Wow64 mode
Room for the OS, scalability for your web apps
Now a per-AppPool setting: Enable32BitAppOnWow64
Thinking about buying new Web Server hardware?
W2K8 scales extremely well on new multi-proc boxes (4 and 8 core)
Thousands of requests per second?
Remove modules you don’t need
Don’t know why some pages are so slow?
Turn on Failed Request Tracing (FREB) with the “time-taken” failure definition to investigate
You wildcard (*) scriptmapped all requests to ASP.NET in IIS6?
Integrated Pipeline is much faster than an IIS6 wildcard scriptmap solution
Try together with IIS7 URL Authorization
PHP applications?
PHP on top of FastCGI is much faster than traditional CGI
The majority of your requests go to your Default Document?
Put it on top of the list – otherwise IIS7 has to check every time
Static default documents will be cached in kernel-mode (+450%)
Looking for tools to measure web server performance?
Try WCAT 6.3 from www.iis.net/downloads
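The tuning tips above, collected into one site-level web.config as an added example (not from the slides). The "index.php" default document and the 5-second time-taken threshold are assumed values:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the slides): site-level web.config for IIS7
     putting the tuning tips above into practice. "index.php" and the
     5-second time-taken threshold are assumed values. -->
<configuration>
  <system.webServer>
    <!-- Output cache for semi-dynamic PHP pages: cache each distinct
         URL + query string for 30 seconds in user mode. Kernel-mode
         caching cannot vary by header, so it is left off for .php. -->
    <caching enabled="true" enableKernelCache="true">
      <profiles>
        <add extension=".php" policy="CacheForTimePeriod"
             duration="00:00:30" varyByQueryString="*" />
      </profiles>
    </caching>

    <!-- Dynamic compression for low-bandwidth branch offices
         (roughly 5% CPU overhead according to the slides). -->
    <urlCompression doStaticCompression="true" doDynamicCompression="true" />

    <!-- Most requests hit the default document: list it first so IIS7
         does not probe the other candidates on every request. -->
    <defaultDocument enabled="true">
      <files>
        <clear />
        <add value="index.php" />
        <add value="default.htm" />
      </files>
    </defaultDocument>

    <!-- Failed Request Tracing (FREB): write a trace for any request that
         takes longer than 5 seconds or returns a 500, so slow pages can
         be investigated per module and per pipeline stage. -->
    <tracing>
      <traceFailedRequests>
        <add path="*">
          <traceAreas>
            <add provider="WWW Server"
                 areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module"
                 verbosity="Verbose" />
          </traceAreas>
          <failureDefinitions timeTaken="00:00:05" statusCodes="500" />
        </add>
      </traceFailedRequests>
    </tracing>
  </system.webServer>
</configuration>
```

The trace rule only produces files once tracing is switched on for the site in applicationHost.config (`<traceFailedRequestsLogging enabled="true" />` under the `<site>` element); the `.php` cache profile assumes PHP runs through FastCGI as recommended above.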
Building upon a solid foundation - IIS6
Reduced Attack Surface
Server Core
Componentization
Application Pool Isolation and other architectural changes
Security Features
Request Filtering
URL Authorization
AuthN/AuthZ Extensibility
Logging and Diagnostics
HttpLoggingModule
CustomLoggingModule
RequestMonitorModule
TracingModule
BasicAuthModule
DigestAuthModule
WindowsAuthModule
CertificateAuthModule
AnonymousAuthModule
FormsAuthModule
UrlAuthorizationModule
ManagedEngineModule
ISAPIModule
ISAPIFilterModule
CGIModule
ServerSideIncludeModule
StaticFileModule
HttpCacheModule
Core Web Server
DefaultDocumentModule
DirectoryListingModule
DynamicCompressionModule
CustomErrorModule
StaticCompressionModule
Http Protocol Support
RequestFilteringModule
ProtocolSupportModule
OptionsVerbModule
HttpRedirectionModule
Configuration and Metadata Caches
TokenCacheModule
SiteCacheModule
UriCacheModule
FileCacheModule
Feature delegation
Allow non-administrators to manage IIS7 settings remotely
Allow fine-grained control over feature delegation
Application pool isolation
Sandboxing out-of-the-box
IIS7 identities are built-in
Anonymous User IUSR_<machinename> → IUSR
IIS_WPG is now IIS_IUSRS
Easier to administer, scale-out and configure
You no longer need to add worker process identities to the IIS_IUSRS group
Anonymous user is no longer required
Worker process identity does the job
.NET security integration
Roles, profile, membership, forms auth and URL auth modules support any type of content
Use of .NET Role and Membership Providers
URL Authorization
Control access via web.config files instead of using ACLs
Request Filtering
Filter verbs, sequences, urls, headers
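The Request Filtering and URL Authorization features just listed, as an added example web.config (not from the slides). The "admin" folder, the "private" segment and the "SiteAdmins" role are assumed names:

```xml
<!-- Added example (not from the slides): IIS7 web.config combining
     Request Filtering with URL Authorization. The "admin" folder, the
     "private" segment and the "SiteAdmins" role are assumed names. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">
        <!-- Size limits: body (404.13), URL (404.14), query string
             (404.15) and a single header (404.10). -->
        <requestLimits maxAllowedContentLength="10485760" maxUrl="2048" maxQueryString="1024">
          <headerLimits>
            <add header="Content-Type" sizeLimit="256" />
          </headerLimits>
        </requestLimits>
        <!-- Verbs: only what the application uses; unlisted verbs get 404.6. -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- URL sequences that should never appear in a request (404.5). -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>
        <!-- Segments never served even if a file exists there (404.8).
             Do not re-add segments such as bin or App_Data here: they are
             already in applicationHost.config and a duplicate entry is a
             configuration error. -->
        <hiddenSegments>
          <add segment="private" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- URL Authorization instead of NTFS ACLs: deny anonymous users and
       allow only the SiteAdmins role under /admin. IIS7 URL Authorization
       evaluates Deny rules before Allow rules regardless of their order. -->
  <location path="admin">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="?" />
          <add accessType="Allow" roles="SiteAdmins" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The role check needs an authentication module enabled for /admin (Windows groups with Windows authentication, or the configured .NET RoleProvider with forms authentication), and the `authentication` and `authorization` sections must be unlocked through feature delegation before a site-level web.config may set them.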
Server Core is:
A minimal installation option for Windows Server® 2008
Part of the Windows Server® 2008 general purpose SKUs
Available for x86 and x64
Today’s challenges
Servers have single role or a fixed workload
Administrators are required to deploy and service the full OS
Non-value add features present a servicing and security burden
Administrators think of servers in terms of server roles
With Server Core:
Fewer Patches
Reduces # of patches by ~60% (based on all Win2000 patches)
Servicing burden is reduced by removing components that are most often serviced
More Secure, Reliable and Less Management
Removal of non-value add legacy & client components from server
Server Core:
Provides minimal server OS functionality
Core sub-systems:
Security logon, networking (TCP/IP), file system, RPC, etc.
Infrastructure:
Command shell, domain join, event log, performance counters, HTTP, IPSec
Basic set of management tools:
Configure IP address, create users, notepad, taskmgr
Uses low surface area server for targeted roles
Includes a set of server roles
Includes the following optional features:
WINS, Failover Clustering, Subsystem for UNIX-based applications, Backup, Multipath IO, Removable Storage Management, BitLocker Drive Encryption, SNMP, Telnet Client, and QoS
IIS7 builds upon the IIS6 architecture
Process model
Minimal attack surface
Performance optimized
IIS7 offers major architectural enhancements
Modularization, built-in accounts, configurable caching, compression, server core etc.
App Pool isolation
URL AuthZ: http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Configuring-Security/URL-Authorization/Understanding-IIS7-URL-Authorization
IIS 6 has only 3 advisories released to date, none of them rated critical: http://secunia.com/product/1438/?task=advisories
Apache 2.0.x on the other hand has over 35, several of which are rated critical: http://secunia.com/product/73/?task=advisories
[Architecture diagram: Service Host (SVCHost.EXE) running the Windows Process Activation Service (WAS) and the World Wide Web Service (W3SVC); configuration read from applicationhost.config, including site bindings such as http://*:80:site1; Worker Process (W3WP.EXE) as HTTP Protocol Host; HTTP.SYS Kernel-Mode Listener with Request Queue and Response Cache]
HTTP.SYS Kernel-Mode Listener
Accepting HTTP (and HTTPS) connections
Parsing and validating HTTP requests
Queuing of HTTP requests in application-specific queues
Caching of HTTP responses
New: kernel-mode SSL and kernel-mode Windows authentication
Windows Process Activation Service (WAS)
Configuration Manager
Reads configuration from applicationhost.config and reacts to changes in configuration
Passes configuration to the World Wide Web Service
Process Manager
Starts worker processes when a listener (e.g. HTTP.SYS) receives the first request
Monitors state and health of worker processes
Recycles worker processes based on certain parameters, e.g. lifetime, number of requests, schedule etc.
Prevents resource exhaustion, e.g. by limiting number of worker processes that can be active at the same time
W3SVC
HTTP-specific listener adapter that configures HTTP.SYS with:
Site binding information (IP address, port, host header)
Application Pool and Application settings
Configuration changes
Establishes a connection with WAS at startup
Responds to WAS requests, e.g. when asked to shutdown
Worker Process (W3WP.EXE)
Picks up requests from the HTTP.SYS request queue
Manages the request pipeline
Processes requests and sends responses
Runs all third-party code: modules, handlers, ISAPI filters and extensions, assemblies, COM objects etc.
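The WAS process-manager behaviour described above (start on demand, health monitoring, recycling by lifetime, request count and schedule, limits against resource exhaustion) expressed as an application pool definition in applicationHost.config, as an added example (not from the slides). It also carries the per-AppPool Wow64 switch from the tuning tips, which the schema names enable32BitAppOnWin64. The pool name, limits and schedule are assumed values:

```xml
<!-- Added example (not from the slides): applicationPools section of
     applicationHost.config showing the WAS process-manager settings
     described above, plus the per-pool Wow64 switch from the tuning tips.
     Pool name, limits and schedule are assumed values. -->
<system.applicationHost>
  <applicationPools>
    <add name="HostingPool01"
         managedRuntimeVersion="v2.0"
         managedPipelineMode="Integrated"
         enable32BitAppOnWin64="true"
         queueLength="1000">
      <!-- Health monitoring: WAS pings the worker process and restarts
           it if it does not answer in time. The idle timeout returns
           memory to the box when a site of many is not being used. -->
      <processModel identityType="NetworkService"
                    idleTimeout="00:20:00"
                    pingingEnabled="true"
                    pingInterval="00:00:30"
                    pingResponseTime="00:01:30"
                    shutdownTimeLimit="00:01:30" />
      <!-- Recycling: by lifetime (29 hours), by request count, by private
           memory (KB) and on a fixed daily schedule; each reason is logged. -->
      <recycling logEventOnRecycle="Time,Requests,Schedule,PrivateMemory">
        <periodicRestart time="1.05:00:00" requests="500000" privateMemory="1048576">
          <schedule>
            <add value="03:00:00" />
          </schedule>
        </periodicRestart>
      </recycling>
      <!-- Rapid-fail protection: after 5 crashes in 5 minutes WAS stops
           the pool instead of restarting it, so one broken application
           cannot keep consuming the server. -->
      <failure rapidFailProtection="true"
               rapidFailProtectionInterval="00:05:00"
               rapidFailProtectionMaxCrashes="5"
               loadBalancerCapabilities="HttpLevel" />
    </add>
  </applicationPools>
</system.applicationHost>
```

Because WAS re-reads applicationHost.config on change, saving this file is enough for the new limits to take effect; the worker process is not started until HTTP.SYS queues the first request for a site in the pool.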
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.