<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.iis.net/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:cs="http://blogs.iis.net/"><channel><title>Search results matching tag 'IIS 7'</title><link>http://blogs.iis.net/search/SearchResults.aspx?o=DateDescending&amp;tag=IIS+7&amp;orTags=0</link><description>Search results matching tag 'IIS 7'</description><dc:language>en-US</dc:language><generator>CommunityServer 2007 SP1 (Build: 20510.895)</generator><item><title>Delegate Application Creation for Non-Administrator accounts</title><link>http://blogs.iis.net/krolson/archive/2009/11/12/delegate-application-creation-for-non-admininistrator-accounts.aspx</link><pubDate>Thu, 12 Nov 2009 18:37:00 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:3509448</guid><dc:creator>krolson</dc:creator><cs:applicationKey>krolson</cs:applicationKey><description>&lt;P&gt;The Web Deployment Tool provides a way to delegate application creation to non-Administrator Windows users or IIS users. This blog covers how to configure this particular delegated setting. If you have not yet set up some users, or are not familiar with remote administration, I highly recommend going through this walkthrough: &lt;A href="http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/" mce_href="http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/"&gt;http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/&lt;/A&gt; before trying out these steps.&lt;/P&gt;
&lt;H2&gt;Server Admin Steps&lt;/H2&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;1. Install the Web Deployment Tool (MSDeploy)&lt;/FONT&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Use the Web Platform Installer (can be found here: &lt;A href="http://www.microsoft.com/web/downloads/platform.aspx" mce_href="http://www.microsoft.com/web/downloads/platform.aspx"&gt;http://www.microsoft.com/web/downloads/platform.aspx&lt;/A&gt;) &lt;/LI&gt;
&lt;LI&gt;Run it, choose Web Deployment Tool 1.0, and click Install. This will also pull in any dependencies you don’t already have on your system. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/01_WebPI_2187B13F.jpg" mce_href="http://blogs.iis.net/blogs/krolson/01_WebPI_2187B13F.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=01_WebPI border=0 alt=01_WebPI src="http://blogs.iis.net/blogs/krolson/01_WebPI_thumb_6E4B77D5.jpg" width=644 height=473 mce_src="http://blogs.iis.net/blogs/krolson/01_WebPI_thumb_6E4B77D5.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;NOTE: This might take a while if you are missing a lot of dependencies (particularly the Windows Installer 4.5 – as this may require a restart)&lt;/P&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;2. Launch Inetmgr&lt;/FONT&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Click Start and type inetmgr. Press Enter. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;3. Open Management Service Delegation feature UI&lt;/FONT&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Select the server node and double-click the Management Service Delegation icon (in the Management group) &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/03_selectFeature_540B0EB1.jpg" mce_href="http://blogs.iis.net/blogs/krolson/03_selectFeature_540B0EB1.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=03_selectFeature border=0 alt=03_selectFeature src="http://blogs.iis.net/blogs/krolson/03_selectFeature_thumb_32AB6915.jpg" width=644 height=457 mce_src="http://blogs.iis.net/blogs/krolson/03_selectFeature_thumb_32AB6915.jpg"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;NOTE: if you see these warnings:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/03.5_alerts_4A62A07B.jpg" mce_href="http://blogs.iis.net/blogs/krolson/03.5_alerts_4A62A07B.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: inline; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-LEFT-WIDTH: 0px" title=03.5_alerts border=0 alt=03.5_alerts src="http://blogs.iis.net/blogs/krolson/03.5_alerts_thumb_426AFE19.jpg" width=220 height=238 mce_src="http://blogs.iis.net/blogs/krolson/03.5_alerts_thumb_426AFE19.jpg"&gt;&lt;/A&gt;&amp;nbsp; &lt;/P&gt;
&lt;P&gt;This means you need to do 2 things (but they may be done after setting up rules, if you prefer):&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;FONT size=2&gt;Start WMSvc with remote connections allowed&lt;/FONT&gt; &lt;/LI&gt;
&lt;LI&gt;&lt;FONT size=2&gt;Set up some IIS Manager Permissions. &lt;/FONT&gt;&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;&lt;FONT size=2&gt;There is information about doing this here: &lt;A href="http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/" mce_href="http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/"&gt;http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/&lt;/A&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;4. Make a rule to allow marking folders as applications&lt;/FONT&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Click the Add Rule… task in the Actions pane &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/04_AddRule_6F13B7F2.jpg" mce_href="http://blogs.iis.net/blogs/krolson/04_AddRule_6F13B7F2.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=04_AddRule border=0 alt=04_AddRule src="http://blogs.iis.net/blogs/krolson/04_AddRule_thumb_0017E5D6.jpg" width=644 height=212 mce_src="http://blogs.iis.net/blogs/krolson/04_AddRule_thumb_0017E5D6.jpg"&gt;&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Choose the Mark Folders as Applications template and click OK &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/05_pickTemplate_6CF6B929.jpg" mce_href="http://blogs.iis.net/blogs/krolson/05_pickTemplate_6CF6B929.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=05_pickTemplate border=0 alt=05_pickTemplate src="http://blogs.iis.net/blogs/krolson/05_pickTemplate_thumb_39BA7FC0.jpg" width=593 height=398 mce_src="http://blogs.iis.net/blogs/krolson/05_pickTemplate_thumb_39BA7FC0.jpg"&gt;&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Set the Run-As identity to an account that has write permission to applicationHost.config (such as an Administrator account) &lt;/LI&gt;
&lt;LI&gt;Click the Set button under Specify credentials: &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/06_clickSetButton_439F712B.jpg" mce_href="http://blogs.iis.net/blogs/krolson/06_clickSetButton_439F712B.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=06_clickSetButton border=0 alt=06_clickSetButton src="http://blogs.iis.net/blogs/krolson/06_clickSetButton_thumb_0290F1C7.jpg" width=352 height=539 mce_src="http://blogs.iis.net/blogs/krolson/06_clickSetButton_thumb_0290F1C7.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;UL&gt;
&lt;LI&gt;Enter user credentials &lt;/LI&gt;&lt;/UL&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/07_setCredentialsDialog_41827262.jpg" mce_href="http://blogs.iis.net/blogs/krolson/07_setCredentialsDialog_41827262.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=07_setCredentialsDialog border=0 alt=07_setCredentialsDialog src="http://blogs.iis.net/blogs/krolson/07_setCredentialsDialog_thumb_559B8EEB.jpg" width=296 height=224 mce_src="http://blogs.iis.net/blogs/krolson/07_setCredentialsDialog_thumb_559B8EEB.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;UL&gt;
&lt;LI&gt;Click OK &lt;/LI&gt;&lt;/UL&gt;
&lt;LI&gt;Click OK to finish creation of the rule &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;5. Add a user to the rule&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;Note: this dialog will pop up automatically when you create the rule, but you can add users at any time by selecting the rule and clicking the “Add User to Rule…” task&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Add a specific Windows user, user group or IIS User. You may also make this rule for all users (*), and the {userScope} path will limit each user to the specific sites/apps they have IIS Manager Permissions for (see the section &lt;I&gt;Configure IIS Manager Permissions for a Site or an Application &lt;/I&gt;here for more information on this step: &lt;A href="http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/" mce_href="http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/"&gt;http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/&lt;/A&gt;). &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/08_addUser_26D5D649.jpg" mce_href="http://blogs.iis.net/blogs/krolson/08_addUser_26D5D649.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=08_addUser border=0 alt=08_addUser src="http://blogs.iis.net/blogs/krolson/08_addUser_thumb_46187D1C.jpg" width=247 height=213 mce_src="http://blogs.iis.net/blogs/krolson/08_addUser_thumb_46187D1C.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Click OK &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;6. Add additional rules if you want to allow additional user actions (such as the ability to add content, set ACLs, or access databases) - see last section on this page.&lt;/FONT&gt; &lt;/P&gt;
&lt;P&gt;Note – this rule ONLY allows the users to right-click an existing folder and mark it as an application – other rules are probably desired. See the bottom of this article for some common rules.&lt;/P&gt;
&lt;H2&gt;Client (non-Admin) steps&lt;/H2&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;1. Launch inetmgr&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;Note: this may be done either from a remote computer or locally. If remote, the remote computer must also have MSDeploy installed in order to use the MSDeploy UI features.&lt;/P&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;2. Connect to the user’s site (or app)&lt;/FONT&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Right-click on Start Page and choose the Connect to a Site… option &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/09.1_connectToSite_45401732.jpg" mce_href="http://blogs.iis.net/blogs/krolson/09.1_connectToSite_45401732.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=09.1_connectToSite border=0 alt=09.1_connectToSite src="http://blogs.iis.net/blogs/krolson/09.1_connectToSite_thumb_321EEA86.jpg" width=350 height=285 mce_src="http://blogs.iis.net/blogs/krolson/09.1_connectToSite_thumb_321EEA86.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Type in the server name and site name – click Next &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/10_serverSiteNames_3FC180C1.jpg" mce_href="http://blogs.iis.net/blogs/krolson/10_serverSiteNames_3FC180C1.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=10_serverSiteNames border=0 alt=10_serverSiteNames src="http://blogs.iis.net/blogs/krolson/10_serverSiteNames_thumb_50C5AEA4.jpg" width=592 height=453 mce_src="http://blogs.iis.net/blogs/krolson/10_serverSiteNames_thumb_50C5AEA4.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Type in user credentials and click Next &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/11_enterCredentials_6F9C2282.jpg" mce_href="http://blogs.iis.net/blogs/krolson/11_enterCredentials_6F9C2282.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=11_enterCredentials border=0 alt=11_enterCredentials src="http://blogs.iis.net/blogs/krolson/11_enterCredentials_thumb_7C960293.jpg" width=593 height=453 mce_src="http://blogs.iis.net/blogs/krolson/11_enterCredentials_thumb_7C960293.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;You should get to a “Created a new connection successfully.” screen. Click Finish. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;3. Expand the site node&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;4. Right-click a folder&lt;/FONT&gt; &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/13.1_rightClickOptions_6974D5E7.jpg" mce_href="http://blogs.iis.net/blogs/krolson/13.1_rightClickOptions_6974D5E7.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=13.1_rightClickOptions border=0 alt=13.1_rightClickOptions src="http://blogs.iis.net/blogs/krolson/13.1_rightClickOptions_thumb_084B49C6.jpg" width=477 height=313 mce_src="http://blogs.iis.net/blogs/krolson/13.1_rightClickOptions_thumb_084B49C6.jpg"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;Note: if you do NOT see the Deploy option, the most likely issues are:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;MSDeploy UI component is not installed on the computer &lt;/LI&gt;
&lt;LI&gt;There are no Management Service Delegation rules &lt;/LI&gt;
&lt;LI&gt;This user has not been added to any Management Service Delegation rules &lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;5. Select the Deploy &amp;gt; Convert to Application option&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/14_convertToApp_4B471833.jpg" mce_href="http://blogs.iis.net/blogs/krolson/14_convertToApp_4B471833.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=14_convertToApp border=0 alt=14_convertToApp src="http://blogs.iis.net/blogs/krolson/14_convertToApp_thumb_5121BBCC.jpg" width=873 height=315 mce_src="http://blogs.iis.net/blogs/krolson/14_convertToApp_thumb_5121BBCC.jpg"&gt;&lt;/A&gt; Note: other options would appear under Deploy if other rules were specified, such as Delete Folder and Content or Recycle. See the Common Rules section below for a few basic rules to try out.&lt;/P&gt;
&lt;P&gt;&lt;FONT color=#800000&gt;6. Notice that the folder has now been marked as an application (you can tell by the updated icon in the tree view)&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/15_nowAnApp_68D8F332.jpg" mce_href="http://blogs.iis.net/blogs/krolson/15_nowAnApp_68D8F332.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=15_nowAnApp border=0 alt=15_nowAnApp src="http://blogs.iis.net/blogs/krolson/15_nowAnApp_thumb_7CF20FBB.jpg" width=227 height=278 mce_src="http://blogs.iis.net/blogs/krolson/15_nowAnApp_thumb_7CF20FBB.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;H2&gt;Some Common Rules to Get Started&lt;/H2&gt;
&lt;P&gt;This shows the values for some common rules as they would appear in the administration.config file (%windir%\System32\inetsrv\config\administration.config). The rule just created for createApp has been bolded:&lt;/P&gt;
&lt;P&gt;&amp;lt;system.webServer&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;management&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;delegation&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;FONT color=#008000&gt;&amp;lt;!--This is the "&lt;STRONG&gt;Deploy Applications with Content&lt;/STRONG&gt;" rule, with all the template defaults. It allows users to add/delete files to locations they have IIS Manager Permissions for AND appropriate ACLs on the physical directories--&amp;gt; &lt;BR&gt;&lt;/FONT&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;rule enabled="true" providers="contentPath, iisApp" actions="*" path="{userScope}" pathType="PathPrefix"&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;runAs identityType="CurrentUser" /&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;permissions&amp;gt; 
&lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;user name="*" isRole="false" accessType="Allow" /&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/permissions&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/rule&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;FONT color=#008000&gt;&amp;lt;!--This is the “&lt;STRONG&gt;Set Permissions for Applications&lt;/STRONG&gt;” rule, with all the template defaults. 
It allows users to set ACLs to locations they have IIS Manager Permissions for AND appropriate ACLs on the parent physical directories--&amp;gt; &lt;BR&gt;&lt;/FONT&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;rule enabled="true" providers="setAcl" actions="*" path="{userScope}" pathType="PathPrefix"&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;runAs identityType="CurrentUser" /&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;permissions&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;user name="*" isRole="false" accessType="Allow" /&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/permissions&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/rule&amp;gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; 
&lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;FONT color=#008000&gt;&amp;lt;!--This is the “&lt;STRONG&gt;Mark Folders as Applications&lt;/STRONG&gt;” rule, using the template defaults. The runAs identity was set to a local Administrator account to allow non-administrators to mark folders as applications if they are in a path the user has IIS Manager Permissions for. This rule was the focus of the walkthrough above. --&amp;gt; &lt;BR&gt;&lt;/FONT&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;STRONG&gt;&amp;lt;rule enabled="true" providers="createApp" actions="*" path="{userScope}" pathType="PathPrefix"&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;runAs identityType="SpecificUser" userName="Administrator" password="[enc:RsaProtectedConfigurationProvider:jAAAAAECAAADZgAAAKQAAKv+vnsskEdvc7c3Q2tcaJGVbvKW0urtCC8QayxZfYyGVjKrxQKQTob7T5z7ESM/3Zm0mPhIut033tWpyNJ+As4N8H5Wh/w31327eaxe+C6NLK2zmHY978A0aHpqcafcZ7K7YIaGGEem/Up0xa2Jf/LXJt77vLJUkumwGOlO3Dw9NGYGIyj8zk6lHsFQPoU0SHykWhrnMCp12uzFCUN4fYw=:enc]" /&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;permissions&amp;gt; 
&lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;user name="*" isRole="false" accessType="Allow" /&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/permissions&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/rule&amp;gt;&lt;/STRONG&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/delegation&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/management&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/system.webServer&amp;gt; &lt;/P&gt;
&lt;H4&gt;Why do all these rules use &lt;STRONG&gt;{userScope}&lt;/STRONG&gt; for the default path?&amp;nbsp; &lt;/H4&gt;
&lt;P&gt;This makes your job easier by automatically limiting the users to areas you’ve given them permission to using IIS Manager Permissions – which are stored in the same administration.config file. You can see in this sample administration.config section below that both a Windows user (A_Windows_User) and an IIS user (An_IIS_User) are authorized to access Default Web Site – so the {userScope} in the above rules would limit them to altering items under Default Web Site.&amp;nbsp; (Note that for reading/writing content under Default Web Site these accounts will also require you to grant ACLs on Default Web Site’s physical directory. There’s some more information on how to do this here: &lt;A title=http://blogs.iis.net/krolson/archive/2009/11/04/using-iis-manager-accounts-for-web-deployment-tool-msdeploy-delegation.aspx href="http://blogs.iis.net/krolson/archive/2009/11/04/using-iis-manager-accounts-for-web-deployment-tool-msdeploy-delegation.aspx"&gt;http://blogs.iis.net/krolson/archive/2009/11/04/using-iis-manager-accounts-for-web-deployment-tool-msdeploy-delegation.aspx&lt;/A&gt; - for Windows users just use the user name instead of Local Service)&lt;/P&gt;
&lt;P&gt;&amp;lt;system.webServer&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;management&amp;gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;authorization defaultProvider="ConfigurationAuthorizationProvider"&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;authorizationRules&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;scope path="/Default Web Site"&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;add name="IISSBA149\&lt;STRONG&gt;A_Windows_User&lt;/STRONG&gt;" /&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;add name="&lt;STRONG&gt;An_IIS_User&lt;/STRONG&gt;" /&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/scope&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/authorizationRules&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/authorization&amp;gt; &lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/management&amp;gt; 
&lt;BR&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/system.webServer&amp;gt;&lt;/P&gt;</description></item><item><title>Using IIS Manager accounts for Web Deployment Tool (msdeploy) delegation</title><link>http://blogs.iis.net/krolson/archive/2009/11/04/using-iis-manager-accounts-for-web-deployment-tool-msdeploy-delegation.aspx</link><pubDate>Wed, 04 Nov 2009 20:04:00 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:3494686</guid><dc:creator>krolson</dc:creator><cs:applicationKey>krolson</cs:applicationKey><description>&lt;P&gt;This blog outlines the basic steps for setting up IIS Manager accounts so that they may be used for Web Deployment Tool delegation.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Most of the steps particular to using IIS Manager users for delegation are required for connecting remotely using the Windows Management service, so if there are already accounts set up for remote management, that work has already been done.&lt;/P&gt;
&lt;P&gt;The following steps will allow IIS Manager accounts to be used for management service delegation. Step-by-step instructions with screen shots may be found for steps 1 through 4 on this page, &lt;EM&gt;with their section title added in parentheses&lt;/EM&gt;: &lt;A href="http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/" mce_href="http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/"&gt;http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;FONT color=#800000&gt;1. Make sure that Windows Management Service is installed&lt;/FONT&gt;&lt;/STRONG&gt; (&lt;I&gt;Configuring Remote Connections in IIS Manager&lt;/I&gt;)&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;FONT color=#800000&gt;2. Enable remote connections for IIS users&lt;/FONT&gt;&lt;/STRONG&gt; (&lt;I&gt;Enable Remote Connections and Configure Identity Credentials&lt;/I&gt;)&lt;/P&gt;
&lt;P&gt;The previous steps only need to be performed once; however, the following steps may be repeated for any number of new IIS Manager users.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;FONT color=#800000&gt;3. Create an IIS Manager account&lt;/FONT&gt;&lt;/STRONG&gt; (&lt;I&gt;Add an IIS Manager User&lt;/I&gt;)&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;FONT color=#800000&gt;4. Give the user access to a site or application&lt;/FONT&gt;&lt;/STRONG&gt; (&lt;I&gt;Configure IIS Manager Permissions for a Site or an Application&lt;/I&gt;)&lt;/P&gt;
&lt;P&gt;This next step is vital for remote management; without it, IIS users could not access or modify content for a site/application. A complete walkthrough for this step is the main focus of this page.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;FONT color=#800000&gt;5. Grant access to the physical site/application content&lt;/FONT&gt;&lt;/STRONG&gt; (&lt;I&gt;Configure Access Control Lists (ACLs) for Content Directories&lt;/I&gt;) &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Open IIS Manager (from start menu type “inetmgr” and press ENTER) &lt;/LI&gt;
&lt;LI&gt;Select the site (or application) you want to give an IIS user access to, right-click, and select the “Edit Permissions…” option. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/IU_03_selectSiteEditPermissions_549E8F10.jpg" mce_href="http://blogs.iis.net/blogs/krolson/IU_03_selectSiteEditPermissions_549E8F10.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=selectSiteEditPermissions border=0 alt=selectSiteEditPermissions src="http://blogs.iis.net/blogs/krolson/IU_03_selectSiteEditPermissions_thumb_014748EA.jpg" width=531 height=530 mce_src="http://blogs.iis.net/blogs/krolson/IU_03_selectSiteEditPermissions_thumb_014748EA.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Go to the Security tab and click “Edit…” under the “Group or user names:” section. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/IU_04_editPermissions_31FA5095.jpg" mce_href="http://blogs.iis.net/blogs/krolson/IU_04_editPermissions_31FA5095.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=editPermissions border=0 alt=editPermissions src="http://blogs.iis.net/blogs/krolson/IU_04_editPermissions_thumb_69CC94B8.jpg" width=379 height=483 mce_src="http://blogs.iis.net/blogs/krolson/IU_04_editPermissions_thumb_69CC94B8.jpg"&gt;&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;This will open a very similar looking Permissions window. Click the “Add…” button. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/IU_05_editPermissionsClickAdd_6887FBD9.jpg" mce_href="http://blogs.iis.net/blogs/krolson/IU_05_editPermissionsClickAdd_6887FBD9.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=editPermissionsClickAdd border=0 alt=editPermissionsClickAdd src="http://blogs.iis.net/blogs/krolson/IU_05_editPermissionsClickAdd_thumb_1C4FF22B.jpg" width=409 height=512 mce_src="http://blogs.iis.net/blogs/krolson/IU_05_editPermissionsClickAdd_thumb_1C4FF22B.jpg"&gt;&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Now type in the WMSvc identity in the Select Users, Computers, or Groups dialog (i.e. “Local Service” - without the quotation marks. To confirm that this is the account WMSvc uses, check out the section, below, “How to find out what account to add for IIS user ACLs”). Click OK. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/IU_06_typeInLocalService_34072991.jpg" mce_href="http://blogs.iis.net/blogs/krolson/IU_06_typeInLocalService_34072991.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=typeInLocalService border=0 alt=typeInLocalService src="http://blogs.iis.net/blogs/krolson/IU_06_typeInLocalService_thumb_20E5FCE5.jpg" width=472 height=255 mce_src="http://blogs.iis.net/blogs/krolson/IU_06_typeInLocalService_thumb_20E5FCE5.jpg"&gt;&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Select the LOCAL SERVICE user and modify the Permissions for LOCAL SERVICE by checking/unchecking the permission boxes. For example, you may want to allow Write or Modify permissions. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/IU_07_editPermissionsCheckAllowOrDeny_11CF1E0B.jpg" mce_href="http://blogs.iis.net/blogs/krolson/IU_07_editPermissionsCheckAllowOrDeny_11CF1E0B.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=editPermissionsCheckAllowOrDeny border=0 alt=editPermissionsCheckAllowOrDeny src="http://blogs.iis.net/blogs/krolson/IU_07_editPermissionsCheckAllowOrDeny_thumb_5773A829.jpg" width=403 height=508 mce_src="http://blogs.iis.net/blogs/krolson/IU_07_editPermissionsCheckAllowOrDeny_thumb_5773A829.jpg"&gt;&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;When finished editing the permissions, click OK. You may be warned that “You are about to change the permission settings on system folders…” depending on where the directory for your web site is located. &lt;/LI&gt;
&lt;LI&gt;Now you will see LOCAL SERVICE in the list of “Group or user names:” and can view the permissions by selecting that account. If at any point you want to change these permissions, you can follow similar steps by clicking Edit and then changing the check-box permission selections. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/IU_08_editPermissionFinishedClickOK_5D4E4BC2.jpg" mce_href="http://blogs.iis.net/blogs/krolson/IU_08_editPermissionFinishedClickOK_5D4E4BC2.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=editPermissionFinishedClickOK border=0 alt=editPermissionFinishedClickOK src="http://blogs.iis.net/blogs/krolson/IU_08_editPermissionFinishedClickOK_thumb_002F0D73.jpg" width=374 height=481 mce_src="http://blogs.iis.net/blogs/krolson/IU_08_editPermissionFinishedClickOK_thumb_002F0D73.jpg"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Click OK when you are finished. &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;FONT color=#800000&gt;6. Add the IIS user to existing/new Management Service Delegation rules to allow those users to import content, create applications, and/or modify databases&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;H2&gt;How to find out what account to add for IIS user ACLs&lt;/H2&gt;
&lt;P&gt;This will typically be “Local Service”, and it is easy to check this.&lt;/P&gt;
&lt;P&gt;Click Start and type “Services” – open the Services feature.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/IU_01_selectServicesFromStartMenu_7EEA7493.jpg" mce_href="http://blogs.iis.net/blogs/krolson/IU_01_selectServicesFromStartMenu_7EEA7493.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=selectServicesFromStartMenu border=0 alt=selectServicesFromStartMenu src="http://blogs.iis.net/blogs/krolson/IU_01_selectServicesFromStartMenu_thumb_00BACA5B.jpg" width=399 height=543 mce_src="http://blogs.iis.net/blogs/krolson/IU_01_selectServicesFromStartMenu_thumb_00BACA5B.jpg"&gt;&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;In Services, locate the service named “Web Management Service” and see what is listed under the Log On As column.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/IU_02_servicesLogOnIdentity_583BE846.jpg" mce_href="http://blogs.iis.net/blogs/krolson/IU_02_servicesLogOnIdentity_583BE846.jpg"&gt;&lt;IMG style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: block; FLOAT: none; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: auto; BORDER-LEFT-WIDTH: 0px; MARGIN-RIGHT: auto" title=servicesLogOnIdentity border=0 alt=servicesLogOnIdentity src="http://blogs.iis.net/blogs/krolson/IU_02_servicesLogOnIdentity_thumb_6FF31FAC.jpg" width=953 height=409 mce_src="http://blogs.iis.net/blogs/krolson/IU_02_servicesLogOnIdentity_thumb_6FF31FAC.jpg"&gt;&lt;/A&gt;&lt;/P&gt;</description></item><item><title>How To: Configure MySql to work with IIS DB Manager</title><link>http://blogs.iis.net/ma_khan/archive/2009/10/02/how-to-configure-mysql-to-work-with-iis-db-manager.aspx</link><pubDate>Fri, 02 Oct 2009 12:20:00 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:3437413</guid><dc:creator>Anonymous</dc:creator><cs:applicationKey>ma_khan</cs:applicationKey><description>As we are aware, the release of version 1 of IIS Database Manager brought support for managing MySql databases. This is a cool thing, especially for all the PHP guys out there, as MySql is extensively used with PHP applications all over the world. Being a PHP lover myself, I have been trying to configure the MySql part of IIS DB Manager. It looked pretty simple, but it turned out to be a miss on my part that made me struggle to get MySql to work with DB Manager for quite some time. There didn't seem to be an article on this, so I thought I would write one myself.&lt;br /&gt;&lt;br /&gt;Let's start: The first thing we need is IIS DB Manager itself. Information and download location on DB Manager can be obtained from the &lt;a href="http://www.iis.net/extensions/DatabaseManager"&gt;IIS Extensions site&lt;/a&gt;. 
Once you have downloaded the installation package and installed DB Manager, you should see an entry like the following in administration.config.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_zprLHNl-lCk/SsX3Ec8i0QI/AAAAAAAAAMM/RX7zPxVeeb0/s1600-h/iis_dbmanager.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 176px;" src="http://3.bp.blogspot.com/_zprLHNl-lCk/SsX3Ec8i0QI/AAAAAAAAAMM/RX7zPxVeeb0/s400/iis_dbmanager.jpg" alt="" id="BLOGGER_PHOTO_ID_5387984185080336642" border="0" /&gt;&lt;/a&gt;&lt;blockquote&gt;Note: The above command in the image will only work if you are using IIS 7.5 (i.e. you run that command on Windows 7 or Windows Server 2008 R2)&lt;/blockquote&gt;Now, it's time to get it working with MySql. I have a free edition of MySql installed on my local Windows 7 machine, so that's what I will be working with. If you don't have MySql you can get it from &lt;a href="http://dev.mysql.com/downloads/mysql/5.0.html"&gt;here&lt;/a&gt;. Once that's installed and ready to run, try making a few databases to play around with.&lt;br /&gt;&lt;br /&gt;We now have IIS and MySql set up properly to get the whole thing working. Let's open up IIS Manager and drill down to Default Website. Now double click Database Manager. Create a new connection. Give it a new name and click on the drop down for database provider so that we can select "MySql 5.x, 6.x". But hey hold on ... do you see that option?? NO! ... :-)  now that's fun, ain't it??&lt;br /&gt;&lt;br /&gt;You have IIS DB Manager configured properly and MySql working properly, but you JUST can't see the provider even though it's present in the administration.config file. That was exactly what I missed.&lt;br /&gt;&lt;br /&gt;If we check the image above carefully, it states the MySql provider name to be &lt;span style="font-weight: bold;"&gt;MySql.Data.MySqlClient&lt;/span&gt; ... 
Now open up your 2.0 machine.config located at %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG and search for MySql.Data.MySqlClient. You are not going to find it. Aha! Now it makes you think: what is MySql.Data.MySqlClient after all? Well, MySql.Data.MySqlClient is an all-managed .NET driver for MySQL from the MySql team. Bingo! Suddenly everything makes sense. We had the parts but just missed the connector to tie it all up. The latest available version of the connector can be downloaded from the &lt;a href="http://dev.mysql.com/downloads/connector/net/6.1.html"&gt;MySql Site for free&lt;/a&gt;. It's a pretty simple setup; however, you will need Admin privileges to complete the installation.&lt;br /&gt;&lt;br /&gt;Once the installation is completed, open up machine.config and search for the entry. This time you will find it and BANG we are good to go. Now open up your IIS Manager, drill down to the default website and double click Database Manager. Now create a new connection. Creating a new connection to MySql is very simple and straightforward. You will see a screen like the one shown below:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_zprLHNl-lCk/SsX8BfCZyBI/AAAAAAAAAMU/RrcB6OFds0c/s1600-h/iis_dbmanager2.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 175px;" src="http://2.bp.blogspot.com/_zprLHNl-lCk/SsX8BfCZyBI/AAAAAAAAAMU/RrcB6OFds0c/s400/iis_dbmanager2.jpg" alt="" id="BLOGGER_PHOTO_ID_5387989631660312594" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;As you can see, we now select the Database provider to be "MySql 5.x, 6.x". The rest of the entries are just as simple.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Server&lt;/span&gt;: Put down your servername. 
In my case it was localhost.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Database&lt;/span&gt;: Give your database name&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;User ID&lt;/span&gt;: For a default installation of MySql it will be &lt;span style="font-weight: bold;"&gt;root&lt;/span&gt;. If that is not the case then put down the user name given to you by your DB Administrator.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Password&lt;/span&gt;: Provide the appropriate password for the user id.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Port&lt;/span&gt;: The default port used by MySql is &lt;span style="font-weight: bold;"&gt;3306&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Click on Ok once all the details are entered and you are now good to go with the IIS DB Manager and MySql. Time to play around! Have Fun!&lt;br /&gt;&lt;br /&gt;If you have any problems &lt;a href="http://forums.iis.net/t/1156819.aspx"&gt;check this topic&lt;/a&gt; at the iis.net forums. If the topic doesn't solve your problem then post the issue at the &lt;a href="http://forums.iis.net/1161.aspx"&gt;DB Manager forum at iis.net&lt;/a&gt;.</description></item><item><title>Windows Cache Extension for PHP is here</title><link>http://blogs.iis.net/ma_khan/archive/2009/09/09/windows-cache-extension-for-php-is-here.aspx</link><pubDate>Wed, 09 Sep 2009 19:29:00 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:3396250</guid><dc:creator>Anonymous</dc:creator><cs:applicationKey>ma_khan</cs:applicationKey><description>Microsoft has released a Beta of a new PHP accelerator named Windows Cache Extension for PHP. It's a pretty cool thing for anybody who deals with a lot of PHP applications on Windows because the way I see it and the way Microsoft explains it are the same. 
We can now have even better performance from PHP applications! How?&lt;br /&gt;&lt;br /&gt;Basically, as the name suggests, Windows Cache Extension is a &lt;a href="http://en.wikipedia.org/wiki/Cache"&gt;caching&lt;/a&gt; technique which results in better performance, as not every request asking for the same resource needs to go to the source in order to fetch it.&lt;br /&gt;&lt;br /&gt;Before we get into the details... here's how you get it ... But even before that let's go over some requirements:&lt;br /&gt;&lt;p&gt;The extension is supported only on the following configurations:&lt;/p&gt; &lt;p&gt;Windows OS:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Windows XP SP3 with IIS 5.1 and FastCGI Extension&lt;/li&gt;&lt;li&gt;Windows Server 2003 with IIS 6.0 and FastCGI Extension&lt;/li&gt;&lt;li&gt;Windows Vista SP1 with IIS 7.0 and FastCGI Module&lt;/li&gt;&lt;li&gt;Windows Server 2008 with IIS 7.0 and FastCGI Module&lt;/li&gt;&lt;li&gt;Windows 7 with IIS 7 and FastCGI Module&lt;/li&gt;&lt;li&gt;Windows Server 2008 R2 with IIS 7.0 and FastCGI Module&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;PHP:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;PHP 5.2.X, Non-thread-safe build&lt;/li&gt;&lt;li&gt;PHP 5.3 X86, Non-thread-safe VC9 build&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;strong&gt;IMPORTANT: &lt;em&gt;The Windows Cache Extension can only be used when IIS is configured to run PHP via FastCGI.&lt;br /&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;To download the correct extension choose from the links below:&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=6feb7f6a-7dcb-4083-bb7a-d8b22ba2d3d8"&gt;Windows Cache Extension 1.0 for PHP 5.2 - Beta&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=ba2e0d7a-02ce-42be-a7a3-2baa5d666bf7"&gt;Windows Cache Extension 1.0 for PHP 5.3 – Beta&lt;br /&gt;&lt;/a&gt;&lt;/p&gt;&lt;span style="text-decoration: underline;"&gt;Installation &lt;/span&gt;of the 
extension is not different from the installation of any other PHP extension.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Get hold of the dll&lt;/li&gt;&lt;li&gt;Put it in the \ext directory of php&lt;/li&gt;&lt;li&gt;Modify the php.ini ... (in this case &lt;strong&gt;extension = php_wincache.dll&lt;/strong&gt; )&lt;/li&gt;&lt;li&gt;Refresh the app pools using php and DONE!&lt;/li&gt;&lt;/ul&gt;Once that is done you should see something like the below:&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_zprLHNl-lCk/SqgIHPQmYCI/AAAAAAAAALs/bzZ-YztrW-g/s1600-h/win_cache.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 200px;" src="http://1.bp.blogspot.com/_zprLHNl-lCk/SqgIHPQmYCI/AAAAAAAAALs/bzZ-YztrW-g/s320/win_cache.png" alt="" id="BLOGGER_PHOTO_ID_5379558675342319650" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Windows cache extension for PHP has 3 caching techniques namely:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;PHP Opcode Cache&lt;/li&gt;&lt;li&gt;File Cache&lt;/li&gt;&lt;li&gt;Relative File Path Cache&lt;/li&gt;&lt;/ol&gt;It would be time-consuming and repetitive to explain them here... 
More information and explanation on these can be found &lt;a href="http://learn.iis.net/page.aspx/678/using-windows-cache-extension-for-php/"&gt;here&lt;/a&gt; and &lt;a href="http://blogs.iis.net/joestagner/archive/2009/09/01/introducing-the-windows-cache-extension-for-php.aspx"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Have Fun!&lt;br /&gt;&lt;/div&gt;</description></item><item><title>Sessions: Tech Ed on the Road, HydTechies</title><link>http://blogs.iis.net/ma_khan/archive/2009/07/04/sessions-tech-ed-on-the-road-hydtechies.aspx</link><pubDate>Sat, 04 Jul 2009 09:10:00 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:3274531</guid><dc:creator>Anonymous</dc:creator><cs:applicationKey>ma_khan</cs:applicationKey><description>I recently took a couple of sessions on IIS 7 &amp;amp; 7.5 as part of the &lt;a href="http://www.hyderabadtechies.net"&gt;Hyderabad Techies&lt;/a&gt; and "Tech-Ed on the Road" revival campaign here in Hyderabad, India. It was great to see the enthusiasm people had for different Microsoft technologies. We had sessions ranging from ASP.NET - Windows Azure and IIS - to SQL Server 2008.&lt;br /&gt;&lt;br /&gt;I was responsible for delivering sessions on IIS 7.5 which is going to ship along with Windows Server 2008 R2 and Windows 7. I think I was kind of lucky in that sense, because there is always so much to speak on IIS. There is so much that is running on the web these days and you love it when lots of it is running on IIS.&lt;br /&gt;&lt;br /&gt;I knew the best way to spread the word on IIS is to show what makes IIS the way it is. Then let's leave it to the people to decide what they want... shouldn't we? 
Anyways, I started from level 100, so that I could show the basic architectural changes in IIS 6 and IIS 7. A detailed explanation can be found in my previous posts on &lt;a href="http://www.iisworkstation.com/2008/09/iis-6-and-iis-7-how-different-are-they.html"&gt;differences between IIS 6 and IIS 7&lt;/a&gt; and &lt;a href="http://www.iisworkstation.com/2009/03/iis-changes-from-6-to-7.html"&gt;IIS: changes from 6 to 7&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Moving on, I showed the advancements in IIS UI, IIS security and IIS extensions and how they help both the Admins and the developers. IIS extensions are out-of-band modules released by the IIS PG and the community, making use of the great extensibility available.&lt;br /&gt;&lt;br /&gt;It was great to see how much people loved the idea of including a module which originally didn't come with the product, and the ease of its installation.&lt;br /&gt;&lt;br /&gt;As promised, details on the IIS extensions and download location can be found at &lt;a href="http://www.iis.net/extensions"&gt;http://www.iis.net/extensions&lt;/a&gt;. All the information on the Microsoft web application gallery and platform can be found &lt;a href="http://www.microsoft.com/web/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Check out &lt;a href="http://blogs.iis.net/davcox/archive/2009/06/29/how-to-download-iis.aspx"&gt;this cool blog&lt;/a&gt; on IIS history to see and learn how IIS has evolved. It also answers the 1st question I always face when speaking on IIS... "How to download IIS" ... :)&lt;br /&gt;&lt;br /&gt;Have fun... 
!!!</description></item><item><title>Troubleshooting: IIS Powershell Module on Windows 7 RC</title><link>http://blogs.iis.net/ma_khan/archive/2009/06/13/troubleshooting-iis-powershell-module-on-windows-7-rc.aspx</link><pubDate>Sat, 13 Jun 2009 19:38:00 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:3231030</guid><dc:creator>Anonymous</dc:creator><cs:applicationKey>ma_khan</cs:applicationKey><description>The first thing that you need to know in regard to the IIS PowerShell Snap-in or the module when using it with Windows 7 is that you do not need to download &amp;amp; install the snap-in. In Windows 7 the snap-in is part of the default install of IIS. Moving on, if you want to use the snap-in with PowerShell in Windows 7 RC then you need to import the module. Now that sounds simple. However, there is a problem. When you try to import the IIS module, which is named WebAdministration, you are most likely to see the error below.&lt;br /&gt;&lt;br /&gt;PS C:\Users\admin&gt; Import-Module WebAdministration&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Process should have elevated status to access IIS configuration data.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Fair enough. Since we are going to access the configuration data from IIS, we need elevated privileges. Let's try with elevated privileges.&lt;br /&gt;&lt;br /&gt;PS C:\Windows\system32&gt; Import-Module WebAdministration&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Import-Module : File C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WebAdministration\WebAdministrationAliases.ps1 cannot be loaded because the exe&lt;/span&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;cution of scripts is disabled on this system. 
Please see "get-help about_signing" for more details.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Huh! Now, why did this happen? Let's try and troubleshoot. Windows PowerShell has a concept called "Execution Policy". It is the execution policy that determines how scripts run in PowerShell. By default, the execution policy in Windows 7 RC is set at "Restricted" ... Ouch. Restricted here means you will not be able to run any script (even the ones you write yourself). Why so severe? Don't know so can't answer. But we certainly can't work with that execution policy and have to change it.&lt;br /&gt;&lt;br /&gt;There are several levels of Execution Policy that you can set, like Restricted, AllSigned, RemoteSigned and Unrestricted. But the one we are going to work with is RemoteSigned. So, what is the RemoteSigned execution policy anyway? It means PowerShell will run any scripts that you write yourself, but will run scripts downloaded from the Internet only if those scripts have been signed by a trusted publisher. Sounds fair enough now, doesn't it?&lt;br /&gt;&lt;br /&gt;To set RemoteSigned as the execution policy, run the following command.&lt;br /&gt;&gt; &lt;span style="color: rgb(51, 255, 51);"&gt;Set-ExecutionPolicy RemoteSigned&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Let's try importing now.&lt;br /&gt;PS C:\Windows\system32&gt; Import-Module WebAdministration&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Import-Module : The following error occurred while loading the extended type data file: &lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Microsoft.PowerShell, C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WebAdministration\iisprovider.types.ps1xml : File skipped because it was alrea&lt;/span&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;dy present from "Microsoft.PowerShell".&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;No go even now :) . 
When we try to execute any IIS cmd-let like get-website we will get a not-recognised cmd-let error. Here's how to solve the entire situation. Close the PowerShell window and re-open it with elevated privileges and enter Get-ExecutionPolicy:&lt;br /&gt;&lt;br /&gt;&gt;&lt;span style="color: rgb(51, 255, 51);"&gt; Get-ExecutionPolicy&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;RemoteSigned&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;That's good news ... no more Restricted. Let's try importing the IIS module yet again.&lt;br /&gt;&lt;br /&gt;&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;Import-Module WebAdministration&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;No error. Success! Now let's try running a simple IIS cmd-let.&lt;br /&gt;&lt;br /&gt;&gt; &lt;span style="color: rgb(51, 255, 51);"&gt;Get-Website&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;Name    ID   State      Physical Path bindings                                                                              &lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;----        --     -----      -------------               ---------              &lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;Default Web Site 1    Started    %SystemDrive%\inetpub\wwwroot  http *:80:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Problem Solved! However, to me this still looks like a workaround. Will let you know if and when I come across a solution to this. 
Till then, have fun!</description></item><item><title>Patch for Dynamic IP Restrictions for IIS 7 - Beta</title><link>http://blogs.iis.net/krolson/archive/2009/06/08/patch-for-dynamic-ip-restrictions-for-iis-7-beta.aspx</link><pubDate>Mon, 08 Jun 2009 22:52:00 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:3218753</guid><dc:creator>krolson</dc:creator><cs:applicationKey>krolson</cs:applicationKey><description>&lt;P&gt;Dynamic IP Restrictions (DIPR) was created to give users a tool to help mitigate the effects of DoS attacks and certain brute-force password breaking attempts. The Out-Of-Band (OOB) feature description is (perhaps more elegantly) outlined on this page: &lt;A href="http://www.iis.net/extensions/DynamicIPRestrictions" mce_href="http://www.iis.net/extensions/DynamicIPRestrictions"&gt;http://www.iis.net/extensions/DynamicIPRestrictions&lt;/A&gt;. In short, it is a handy tool that is easy to configure to protect a site/server from certain attacks. &lt;/P&gt;
&lt;P&gt;A bug was discovered in the Beta for Microsoft Dynamic IP Restrictions for IIS 7 for which a patch&amp;nbsp;has been released. The bug affects users with site names longer than 22 characters. Installing the feature with a long site name and browsing to that site would result in a distinctive error in the Windows Application logs.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/clip_image001_6B1C4F40.jpg" mce_href="http://blogs.iis.net/blogs/krolson/clip_image001_6B1C4F40.jpg"&gt;&lt;IMG title=clip_image001 style="BORDER-TOP-WIDTH: 0px; DISPLAY: inline; BORDER-LEFT-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; MARGIN-LEFT: 0px; MARGIN-RIGHT: 0px; BORDER-RIGHT-WIDTH: 0px" height=313 alt=clip_image001 src="http://blogs.iis.net/blogs/krolson/clip_image001_thumb_216D7750.jpg" width=515 border=0 mce_src="http://blogs.iis.net/blogs/krolson/clip_image001_thumb_216D7750.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;To check whether your version of DIPR beta contains this update, check the Registry. If the value for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS Extensions\DynIpRst\Version is 7.1.0394.0, then the installed DIPR is not updated. This value should be 7.1.0487.0 for the updated version. The fix for the DIPR beta is being distributed in 2 ways: an updated installer (.msi) for a new install and a patch (.msp) for existing installs. These&amp;nbsp;are available through WebPI (the Web Platform Installer) and are also posted on Microsoft Download Center (DLC) and IIS.net (see links included below for where to get the update).&lt;/P&gt;
&lt;P&gt;If you do not already have WebPI, I highly recommend trying it out – you can get it here: &lt;A href="http://www.microsoft.com/web/downloads/platform.aspx" mce_href="http://www.microsoft.com/web/downloads/platform.aspx"&gt;http://www.microsoft.com/web/downloads/platform.aspx&lt;/A&gt;. WebPI is a tool that makes it easy to see available new products or even Web applications and streamlines their installation (including any product dependencies). When you launch WebPI, it will start on the “What’s New?” page. You will either see the update patch in the “Updates” section of WebPI: &lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/clip_image003_22B2102F.jpg" mce_href="http://blogs.iis.net/blogs/krolson/clip_image003_22B2102F.jpg"&gt;&lt;IMG title=clip_image003 style="BORDER-TOP-WIDTH: 0px; DISPLAY: inline; BORDER-LEFT-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-RIGHT-WIDTH: 0px" height=397 alt=clip_image003 src="http://blogs.iis.net/blogs/krolson/clip_image003_thumb_7D2892CD.jpg" width=537 border=0 mce_src="http://blogs.iis.net/blogs/krolson/clip_image003_thumb_7D2892CD.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Or the full product install will be shown in the “Web Platform Beta Extensions” section:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.iis.net/blogs/krolson/clip_image005_709AE5B1.jpg" mce_href="http://blogs.iis.net/blogs/krolson/clip_image005_709AE5B1.jpg"&gt;&lt;IMG title=clip_image005 style="BORDER-TOP-WIDTH: 0px; DISPLAY: inline; BORDER-LEFT-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-RIGHT-WIDTH: 0px" height=394 alt=clip_image005 src="http://blogs.iis.net/blogs/krolson/clip_image005_thumb_11FA8B4E.jpg" width=532 border=0 mce_src="http://blogs.iis.net/blogs/krolson/clip_image005_thumb_11FA8B4E.jpg"&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;To manually get the patch or update an existing DIPR beta install, the appropriate .msi or .msp file may be downloaded directly from the Download Center (see section, below, for links to Download Center pages). Run the file, and the installer will guide you through the installation steps. For the full install you may be required to stop WMSvc and WAS (from a command line, run net stop wmsvc and net stop was) prior to installing, such as if you have IP Security installed. Note that the patch install may require you to restart your computer. This may be postponed to a time of your choosing, but the update may not be effective until after a restart.&lt;/P&gt;
&lt;H2&gt;Where can I download the updated Dynamic IP Restrictions for IIS 7 – Beta or the patch?&lt;/H2&gt;
&lt;H3&gt;Use WebPI&lt;/H3&gt;&lt;A href="http://www.microsoft.com/web/downloads/platform.aspx" mce_href="http://www.microsoft.com/web/downloads/platform.aspx"&gt;http://www.microsoft.com/web/downloads/platform.aspx&lt;/A&gt; 
&lt;H3&gt;Go to Microsoft Download Center&lt;/H3&gt;
&lt;P&gt;x86 full install: &lt;A href="http://download.microsoft.com/download/E/6/A/E6AAC86C-847F-408A-8FEE-12818F607D53/dynamiciprestrictions__beta_x86.msi" mce_href="http://download.microsoft.com/download/E/6/A/E6AAC86C-847F-408A-8FEE-12818F607D53/dynamiciprestrictions__beta_x86.msi"&gt;http://download.microsoft.com/download/E/6/A/E6AAC86C-847F-408A-8FEE-12818F607D53/dynamiciprestrictions__beta_x86.msi&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;x64 full install: &lt;A href="http://download.microsoft.com/download/A/3/F/A3F92B5E-609F-49C5-82EB-6D09005DD354/dynamiciprestrictions_beta_x64.msi" mce_href="http://download.microsoft.com/download/A/3/F/A3F92B5E-609F-49C5-82EB-6D09005DD354/dynamiciprestrictions_beta_x64.msi"&gt;http://download.microsoft.com/download/A/3/F/A3F92B5E-609F-49C5-82EB-6D09005DD354/dynamiciprestrictions_beta_x64.msi&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;x86 patch: &lt;A href="http://download.microsoft.com/download/A/D/7/AD7DC1B4-C740-4F05-8019-F1EB72326FB2/dyniprestrictions_beta_x86.msp" mce_href="http://download.microsoft.com/download/A/D/7/AD7DC1B4-C740-4F05-8019-F1EB72326FB2/dyniprestrictions_beta_x86.msp"&gt;http://download.microsoft.com/download/A/D/7/AD7DC1B4-C740-4F05-8019-F1EB72326FB2/dyniprestrictions_beta_x86.msp&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;x64 patch: &lt;A href="http://download.microsoft.com/download/7/C/0/7C0EC032-7FFF-4D6B-A846-F72EDC3CE952/dyniprestrictions_beta_x64.msp" mce_href="http://download.microsoft.com/download/7/C/0/7C0EC032-7FFF-4D6B-A846-F72EDC3CE952/dyniprestrictions_beta_x64.msp"&gt;http://download.microsoft.com/download/7/C/0/7C0EC032-7FFF-4D6B-A846-F72EDC3CE952/dyniprestrictions_beta_x64.msp&lt;/A&gt;&lt;/P&gt;
&lt;H3&gt;Go to IIS.net&lt;/H3&gt;
&lt;P&gt;x86 full install (patch link in page): &lt;A href="http://www.iis.net/downloads/default.aspx?tabid=34&amp;amp;i=1825&amp;amp;g=6" mce_href="http://www.iis.net/downloads/default.aspx?tabid=34&amp;amp;i=1825&amp;amp;g=6"&gt;http://www.iis.net/downloads/default.aspx?tabid=34&amp;amp;i=1825&amp;amp;g=6&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;x64 full install (patch link in page): &lt;A href="http://www.iis.net/downloads/default.aspx?tabid=34&amp;amp;i=1826&amp;amp;g=6" mce_href="http://www.iis.net/downloads/default.aspx?tabid=34&amp;amp;i=1826&amp;amp;g=6"&gt;http://www.iis.net/downloads/default.aspx?tabid=34&amp;amp;i=1826&amp;amp;g=6&lt;/A&gt;&lt;/P&gt;
&lt;H2&gt;Tips for a better experience&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;Make sure you have the download for the correct architecture and type (x86 or x64, full install or patch) &lt;/LI&gt;
&lt;LI&gt;Back-up your configuration 
&lt;UL&gt;
&lt;LI&gt;Such as by saving a copy of applicationHost.config and administrationHost.config prior to install &lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;
&lt;LI&gt;Stop WAS and WMSvc before starting the installation (you will have to restart these services after product is installed) 
&lt;UL&gt;
&lt;LI&gt;net stop was &lt;/LI&gt;
&lt;LI&gt;net stop wmsvc &lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;H2&gt;Why does the install wizard ask to uninstall IP Security?&lt;/H2&gt;
&lt;P&gt;Installing DIPR beta using the (.msi) wizard will require you to uninstall the IP Security feature if it is installed. It is possible for both features to be installed at the same time, but this does have a performance impact, and it is recommended that only one of the two features be installed for this reason. WebPI will not uninstall IP Security when installing DIPR beta because it cannot verify the action with the user, and DIPR beta will not remove an installed feature without the user's “OK”. IP Security may be removed after installing DIPR beta, but the IP restriction configuration and settings will be lost, so be conscious of this action.&lt;/P&gt;
&lt;H2&gt;Do I have to restart my computer?&lt;/H2&gt;
&lt;P&gt;The patch install may require you to restart your computer whether using WebPI or the .msp directly. If this is inconvenient, the restart may be postponed, but the update may not be effective until after a restart. Recycling WAS or doing an iisreset /restart may have a similar effect. Even if the patch is “actively working,” WebPI will not continue to install other features until after the restart has been completed.&lt;/P&gt;</description></item><item><title>Check Out PHP on IIS 7</title><link>http://blogs.iis.net/tomwoolums/archive/2009/05/27/check-out-php-on-iis-7.aspx</link><pubDate>Wed, 27 May 2009 22:24:00 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:3191805</guid><dc:creator>tomwoolums</dc:creator><cs:applicationKey>tomwoolums</cs:applicationKey><description>&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri size=3&gt;Making PHP applications run efficiently and reliably on IIS 7 is one of our key goals. The IIS team is working with Zend to optimize the performance of PHP on IIS 7 and the results have been remarkable. In addition to performance improvements to PHP and IIS that make it a fast and reliable platform, installing PHP on Windows is quick and easy with &lt;/FONT&gt;&lt;A href="http://www.microsoft.com/web/downloads/platform.aspx"&gt;&lt;FONT face=Calibri size=3&gt;Web Platform Installer 2.0 Beta&lt;/FONT&gt;&lt;/A&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;. &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri size=3&gt;The &lt;/FONT&gt;&lt;A href="http://www.microsoft.com/web/gallery/"&gt;&lt;FONT face=Calibri size=3&gt;Windows Web Application Gallery&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Calibri size=3&gt; has a number of popular PHP applications for IIS including &lt;I style="mso-bidi-font-style: normal"&gt;WordPress&lt;/I&gt;, &lt;I style="mso-bidi-font-style: normal"&gt;Acquia&lt;/I&gt; &lt;I style="mso-bidi-font-style: normal"&gt;Drupal&lt;/I&gt;, &lt;I style="mso-bidi-font-style: normal"&gt;SilverStripe&lt;/I&gt;, and &lt;I style="mso-bidi-font-style: normal"&gt;Gallery 2&lt;/I&gt;. This page on IIS.net: &lt;/FONT&gt;&lt;A href="http://learn.iis.net/page.aspx/24/running-php-applications-on-iis/"&gt;&lt;FONT face=Calibri size=3&gt;Running PHP Applications on IIS,&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Calibri size=3&gt; has links to more information about PHP on IIS and configuring IIS to run PHP applications at their peak performance. &lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;The security, flexibility, and reliability of IIS 7 make it an ideal Web hosting platform and getting started with PHP on IIS 7 is easier than ever. So if you have been waiting for seamless PHP support to adopt IIS 7, now is the time to check it out. &lt;SPAN style="mso-spacerun: yes"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;</description></item><item><title>How To: Web PI and Web Gallery and IIS live in action</title><link>http://blogs.iis.net/ma_khan/archive/2009/05/02/how-to-web-pi-and-web-gallery-and-iis-live-in-action.aspx</link><pubDate>Sat, 02 May 2009 23:25:00 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:3151324</guid><dc:creator>Anonymous</dc:creator><cs:applicationKey>ma_khan</cs:applicationKey><description>IIS Product Unit Manager Mai-Lan has come up with a number of video podcasts which give information on how to work with the &lt;a href="http://www.iis.net/extensions/WebPI"&gt;Web PI&lt;/a&gt; and the &lt;a href="http://www.microsoft.com/web/gallery/default.aspx"&gt;Web Application Gallery&lt;/a&gt;. These videos can be found here:&lt;br /&gt;&lt;br /&gt;1.&lt;a href="http://blogs.iis.net/mailant/archive/2009/04/30/real-world-iis-finding-and-installing-web-platform-installer-2-0.aspx"&gt;Real World IIS: Finding and Installing Web Platform Installer 2.0 (videocast)&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;2.&lt;a href="http://blogs.iis.net/mailant/archive/2009/05/02/real-world-iis-staying-current-with-the-latest-microsoft-web-platform-with-web-platform-installer-videocast.aspx"&gt;Real World IIS: Staying Current with the Latest Microsoft Web Platform with Web Platform Installer (videocast)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;3.&lt;a href="http://blogs.iis.net/mailant/archive/2009/05/01/real-world-iis-packaging-and-deploying-an-open-source-application-using-web-deployment-tool-screencast.aspx"&gt;Real World IIS: Packaging and Deploying an Open Source Application Using Web Deployment Tool (videocast)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;4.&lt;a href="http://blogs.iis.net/mailant/archive/2009/04/30/real-world-iis-installing-a-free-community-application-using-web-platform-installer-videocast.aspx"&gt;Real World IIS: Installing a Free Community Application Using Web Platform Installer (videocast)&lt;/a&gt;&lt;br 
/&gt;&lt;br /&gt;These videos cover all the basic information that is needed to get the Web PI and the Web App gallery up and running smoothly. However, that is not the only cool thing about these videos. All the videos are brought to us by the new HTTP streaming mechanism called &lt;a href="http://www.iis.net/extensions/SmoothStreaming"&gt;Smooth Streaming&lt;/a&gt;. Trust me, it's pretty cool. I have a dead slow connection at my place and yet I was able to watch the videos almost without any interruption. Smooth Streaming dynamically detects your PC and network conditions and streams the Silverlight videos appropriately. What that means is, the better your speed and PC hardware, the better the quality of video you get.&lt;br /&gt;&lt;br /&gt;On the other hand, the web application gallery lets you download and install some of the famous applications on the web almost on the fly, both ASP.NET and PHP. Microsoft has seen to it that the web app gallery includes everything that a beginner requires to kick start a basic website. For those who are not aware of Web PI and Web App Gallery yet, it works with Windows Server 2003 as well. 
Hope you work with it and deliver some great video content and quality :)&lt;br /&gt;&lt;br /&gt;Yes, I am now thinking of including some of this in Tech Ed India as well.&lt;br /&gt;&lt;br /&gt;See ya.</description></item><item><title>IIS Security – Past and Present</title><link>http://blogs.iis.net/tobintitus/archive/2009/04/28/iis-security-past-and-present.aspx</link><pubDate>Tue, 28 Apr 2009 08:24:00 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:3122704</guid><dc:creator>TobinTitus</dc:creator><cs:applicationKey>tobintitus</cs:applicationKey><description>&lt;p&gt;This topic has been covered many times both by Microsoft and non-Microsoft employees. However, I’ve recently been asked what the main features of IIS 7 are and have seen a great deal of misinformation about IIS security on twitter, blog posts and forums. &lt;/p&gt;  &lt;p&gt;I think, therefore, the issue deserves yet another look. In this post, I’m going to go over security in the past for IIS and then move on to talk about security features in IIS 7. These are not in any particular order. This post is not meant to diminish the many thoughtful works already created by others – both complimentary and critical. This is just meant to bring the subject back up for discussion again in hopes that you can be properly equipped with the decision making information you may need.&lt;/p&gt;  &lt;h2&gt;Ghosts of IIS Security Past&lt;/h2&gt;  &lt;p&gt;The reason for so much misinformation about the current state of security in IIS is likely due to the earned reputation the product had in versions previous to IIS 6.0. 
A quick search on the web for &lt;a href="http://search.live.com/results.aspx?q=IIS+5+security+vulnerability&amp;amp;src=IE-SearchBox&amp;amp;Form=IE8SRC" target="_blank"&gt;IIS 5 security vulnerabilities&lt;/a&gt; may be like a walk down memory lane for some of the more veteran administrators and IT staff across the globe. The search results are littered with critical vulnerabilities related to buffer overflows, ISAPI extensions, exploits on rarely used features, or features that were available in a default installation. We are haunted by names like “&lt;a href="http://en.wikipedia.org/wiki/Code_Red_(computer_worm)" target="_blank"&gt;Code Red&lt;/a&gt;” and “&lt;a href="http://en.wikipedia.org/wiki/Nimda" target="_blank"&gt;Nimda&lt;/a&gt;”. I don’t know about you, but those very names send shivers down my spine. I was consulting as a developer and web administrator for a very large property management company when these hit. We were lucky enough to avoid these as we had patched our services. That said, many whom I did business with on a regular basis were not very happy. So, to be clear, I feel the misinformation that is spread today is built on an element of experience with previous versions. Secunia reports &lt;a href="http://secunia.com/advisories/product/39/" target="_blank"&gt;16 advisories and 6 vulnerabilities&lt;/a&gt; with IIS 5.&amp;#160; And so started the reputation, perhaps deservedly so, that IIS was not secure unless you really knew what you were doing with security.&lt;/p&gt;  &lt;p&gt;Bill Gates was apparently visited by the ghosts of security past, present and future when he laid his head on his pillow January 14th, 2002. I say that because on January 15th, 2002 Mr. Gates sent out the &lt;a href="http://www.wired.com/techbiz/media/news/2002/01/49826" target="_blank"&gt;now-famous trustworthy computing memo&lt;/a&gt; to every employee at Microsoft.&amp;#160; This set off a major revamp of products from the ground up. 
Standards were set for test planning and testing. Writing Secure Code was mandatory reading for every Microsoft developer and tester. The results have been staggering.&lt;/p&gt;  &lt;p&gt;Security drastically improved in Microsoft products over the years, and IIS was definitely no exception to this. IIS 6 saw &lt;a href="http://secunia.com/advisories/product/1438/" target="_blank"&gt;5 security advisories and 4 vulnerabilities&lt;/a&gt; reported since 2003. Not to get ahead of myself, but IIS 7 has &lt;a href="http://secunia.com/advisories/product/17543/" target="_blank"&gt;exactly 1 advisory and 1 vulnerability&lt;/a&gt; from Secunia. Compare this against Apache 2.0.x which has had &lt;a href="http://secunia.com/advisories/product/73/" target="_blank"&gt;39 advisories and 23 vulnerabilities&lt;/a&gt; (4 of which are still unpatched as of this writing) and Apache 2.2.x which has had &lt;a href="http://secunia.com/advisories/product/9633/" target="_blank"&gt;10 advisories and 16 vulnerabilities&lt;/a&gt; (2 of which are still unpatched as of this writing) in the same period.&amp;#160; Now I have seen attempts (&lt;a href="http://googleonlinesecurity.blogspot.com/2007/06/web-server-software-and-malware.html" target="_blank"&gt;[1]&lt;/a&gt;, &lt;a href="http://blog.washingtonpost.com/securityfix/2007/05/cyber_crooks_hijack_activities_1.html" target="_blank"&gt;[2]&lt;/a&gt;) to quantify or otherwise explain these numbers further. You can read those articles for yourself and determine how much weight you want to give them. However you skew it, the facts should speak for themselves – IIS has dramatically improved and taken a leadership role in security in IIS 6 and 7. Our ghost of IIS past still haunts the product’s reputation today, despite obvious strides taken. Even if you feel you like Apache better I think it is only fair to give credit where it is due. 
&lt;/p&gt;  &lt;h2&gt;Improvements in IIS 6&lt;/h2&gt;  &lt;p&gt;The IIS team took the four tenets of Microsoft’s Trustworthy Computing initiative to heart: Secure by Design, Secure by Default, Secure in Deployment and Secure Communication. Since we are already on the next version, I won’t spend a great deal of time talking about the security improvements in the last version other than a brief overview so you know how they relate to changes in our current version, IIS 7. &lt;/p&gt;  &lt;p&gt;IIS 6 took vast strides to improve security. During upgrade installations, IIS 6 was disabled by default if the previous server had not been secured by the &lt;a href="http://blog.washingtonpost.com/securityfix/2007/05/cyber_crooks_hijack_activities_1.html" target="_blank"&gt;IIS lockdown tool&lt;/a&gt;. The architecture was completely revamped to separate kernel-mode HTTP listening from user-mode application execution. Changes were made to application pools, authentication, access control, encryption and certificate handling, auditing, logging and patch management that made the product far superior to its predecessors. You can find a detailed list of these features on &lt;a href="http://technet.microsoft.com/en-us/library/cc736369.aspx" target="_blank"&gt;TechNet&lt;/a&gt;.&amp;#160; SecurityFocus did a comparison of these features in &lt;a href="http://www.securityfocus.com/infocus/1765" target="_blank"&gt;March of 2004&lt;/a&gt;. Server Watch wrote an article in &lt;a href="http://www.serverwatch.com/tutorials/article.php/3294371" target="_blank"&gt;December of 2003&lt;/a&gt;. By most accounts, everything accomplished in IIS 6 was a huge step in the right direction.&lt;/p&gt;  &lt;p&gt;Despite the massive steps already taken in IIS 6, IIS 7 took these all a bit further. 
Let’s go ahead and investigate these now.&lt;/p&gt;  &lt;h2&gt;Improvements in IIS 7.x&lt;/h2&gt;  &lt;h3&gt;Customizable Installation&lt;/h3&gt;  &lt;p&gt;Continuing with the tenet of being secure in deployment, IIS 7 has made installation a wonder to behold. In IIS 6, you could reduce your attack surface by disabling features native to the web server. However, these features were still loaded into the process. This carried not only a security factor, but also a performance and memory footprint issue.&amp;#160; IIS 7 has a completely modular architecture. That means that features which you do not want are not only NOT loaded into the process, you can leave the bits for those features off of your disk completely. &lt;/p&gt;  &lt;h3&gt;Limitable Attack Surface&lt;/h3&gt;  &lt;p&gt;This is a bit dubious and is essentially part of the customizable installation. By reducing the modules that are available on disk or loaded into a process, you significantly reduce the attack surface for your specialized web servers. If all you intend to do is serve static content with caching and no default documents, you can simply install the static file handler and caching module and leave the rest of the IIS modules off of your server. Additional controls and limitations will also reduce your attack surface and I’ll cover those below.&lt;/p&gt;  &lt;h3&gt;IUSR account&lt;/h3&gt;  &lt;p&gt;Anyone who has tried to migrate an IIS installation from one machine to another or attempted to recover your installation on a new machine, previous to IIS 7, has likely run into an issue with the local “IUSR_&amp;lt;machine_name&amp;gt;” account.&amp;#160; IIS 7 now uses a built-in IUSR account that allows you to easily copy your security settings from one machine to the next. This is great news for those using distributed configuration in web farms, recovery, restoration, or replication.&lt;/p&gt;  &lt;h3&gt;IIS_IUSRS group&lt;/h3&gt;  &lt;p&gt;IIS 6 introduced the IIS_WPG group. 
Application pool security identities had to be assigned to this group in order to host the w3wp.exe process. Like the IUSR account, IIS 7 now creates a built-in security group (IIS_IUSRS) and assigns application pool identities to the group automatically. You can find more information about the built-in user and built-in group for IIS 7 on IIS.NET (&lt;a href="http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-7/." target="_blank"&gt;Understanding the Built-In User and Group Accounts in IIS 7.0&lt;/a&gt;). &lt;/p&gt;  &lt;h3&gt;ASP.NET / IIS Unified Security Architecture&lt;/h3&gt;  &lt;p&gt;Previous versions of IIS did not provide a unified approach to security with ASP.NET. The IIS 7 unified request pipeline supports both Windows and non-Windows principals and provides one place to do all authentication and authorization. Apart from simplification and performance improvements, this also reduces the attack surface and allows for greater flexibility in authentication / authorization scenarios with custom modules.&lt;/p&gt;  &lt;h3&gt;Request Filtering / URL Rewriting&lt;/h3&gt;  &lt;p&gt;IIS 7.0 includes a request filtering module that is based on the URLScan ISAPI Filter for IIS 6.0. The module helps you tighten security of your Web servers. &lt;/p&gt;  &lt;p&gt;The IIS team has also released an add-on URL rewrite module for IIS 7.0, which provides functionality for rule-based URL manipulation. Even though the primary purpose of the URL rewrite module is to rewrite URL paths for requests, the rewrite module can also be used as a security enforcement tool that helps prevent access to Web site content.&lt;/p&gt;  &lt;h3&gt;Application Pool Identities&lt;/h3&gt;  &lt;p&gt;On top of Application Pool Isolation, IIS introduces a new security feature in Service Pack 2 of Windows Server 2008 and Windows Vista. It's called Application Pool Identities. 
Application Pool Identities allows you to run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool. &lt;/p&gt;  &lt;h3&gt;Kernel mode SSL&lt;/h3&gt;  &lt;p&gt;The implementation of SSL has changed from IIS 6.0 to IIS 7.0.&amp;#160; On Windows Server 2003, all SSL configuration was stored in the IIS metabase and encryption/decryption happened in user mode (required a lot of kernel/user mode transitions).&amp;#160; On Windows Vista and Windows Server® 2008, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections.&amp;#160; &lt;/p&gt;  &lt;h3&gt;Configuration Improvements&lt;/h3&gt;  &lt;p&gt;IIS 7.0 allows locking and unlocking configuration settings in various levels and scopes. Locking down configuration means that it cannot be overridden (or set at all) at lower levels in the hierarchy. Unlocking configuration can only be done at the level where it was locked. This is useful, for example, when creating different configuration for different sites or paths, and only some of the sites and paths are allowed to override it. Locking can be done at the section level or for specific elements, attributes, collection elements and collection directives within sections.&lt;/p&gt;  &lt;h3&gt;Dynamic IP Restriction&lt;/h3&gt;  &lt;p&gt;IIS 7 provides a new module that allows dynamic, temporary IP address restriction. This module prevents brute force attacks and HTTP clients that make an unusually high number of concurrent requests or a large number of requests over a short period of time.&lt;/p&gt;  &lt;h2&gt;Summary&lt;/h2&gt;  &lt;p&gt;A verbose list of security features in IIS 6 and IIS 7 might be nearly impossible. Apart from the obvious features, there were numerous improvements to code made over these two versions that make the product far more secure than IIS 5 and earlier. 
That said, this should give you a summary start on information. I’ve listed some reference documents that may help you understand these features better.&amp;#160; In general, I would encourage you to ask questions of the product team and/or other users on the &lt;a href="http://forums.iis.net/" target="_blank"&gt;IIS.NET forums&lt;/a&gt; if you hear something that sounds negative regarding IIS. If the feedback is true, the product team has the benefit of improving the next release. If the feedback is unfounded, the product team has the benefit of helping you find the information you need to make an informed decision. &lt;/p&gt;  &lt;h2&gt;See Also&lt;/h2&gt;  &lt;ul&gt;   &lt;li&gt;&lt;a href="http://channel9.msdn.com/posts/scobleizer/Brent-Hill-and-Roger-Grimes-Chatting-about-IIS-7s-security/"&gt;&lt;strong&gt;Brent Hill and Roger Grimes - Chatting about IIS 7's security&lt;/strong&gt;&lt;/a&gt; (From Sept. 2005)&lt;/li&gt;    &lt;li&gt;&lt;a href="http://channel9.msdn.com/shows/TechNet+Radio/TechNet-radio-Learn-about-the-IIS7-Security-features-and-benefits/" target="_blank"&gt;&lt;strong&gt;TechNet radio: Learn about the IIS7 Security features and benefits&lt;/strong&gt;&lt;/a&gt;&amp;#160;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://www.gartner.com/DisplayDocument?doc_cd=125453" target="_blank"&gt;&lt;strong&gt;Management Update: IIS Is No Longer the Problem in Web Server Security&lt;/strong&gt;&lt;/a&gt; (Gartner)&lt;/li&gt;    &lt;li&gt;&lt;a href="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=568&amp;amp;PUID=00034001826C5CC7" target="_blank"&gt;&lt;strong&gt;IIS 7 Security: Less Exposure, Greater Control&lt;/strong&gt;&lt;/a&gt; &lt;/li&gt;    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc731278.aspx" target="_blank"&gt;&lt;strong&gt;TechNet: Configure Web Server Security&lt;/strong&gt;&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://learn.iis.net/page.aspx/88/configuring-security/" 
target="_blank"&gt;&lt;strong&gt;IIS.NET : Configuring Security&lt;/strong&gt;&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://learn.iis.net/page.aspx/139/iis7-security-improvements/" target="_blank"&gt;&lt;strong&gt;IIS.NET : IIS Security Improvements&lt;/strong&gt;&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://learn.iis.net/page.aspx/548/using-dynamic-ip-restrictions/" target="_blank"&gt;&lt;strong&gt;Using Dynamic IP Restrictions&lt;/strong&gt;&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;&lt;a href="http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering" target="_blank"&gt;&lt;strong&gt;IIS.NET Configuration Reference: Request Filtering&lt;/strong&gt;&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt;</description></item></channel></rss>