The Ultimate Windows Server 2003 System Administrators Guide [Electronic resources]


Robert Williams, Mark Walla





OVERVIEW



Internet Information Services incorporates some of the most advanced Web technologies in a single integrated set of functions. For the system administrator, IIS offers Web security, data and process reliability, Web-based application development, and management tools. A brief examination of these features should put IIS functionality into perspective.


Administrators of IIS 5.0 will find the Windows Server 2003 upgrades to IIS 6.0 operationally familiar; however, beneath the familiar interface reside significant changes to this product's basic architecture. The design of IIS 6.0 assumes an environment that is in a constant state of change. This means that any hosting software must intelligently deal with both the legacy approach and the next generation of Internet applications and services. As such, it must proactively be fault tolerant, with the ability to dynamically restart processes as necessary while retaining request queues. All this must be accomplished in a very secure environment.


New Manageability Features



The rapid growth of the Internet has resulted in the need for greater scalability and manageability. Increasingly, Web sites are not confined to a single server. Web farms that cluster multiple servers to perform unique functions are becoming commonplace. This reality has only increased the complexity of management. IIS 6.0 introduces two important management features that should be welcomed by any administrator. First, IIS 6.0 adds an XML-based, storage-layer replacement of the configuration store, the metabase. Second, Windows Management Instrumentation (WMI) support plus command-line support allow more flexible administration outside the IIS 5.0-based MMC IIS snap-in.


The metabase can be edited with built-in safeguards. The Windows Server 2003 file-change notification service raises an alert when the metabase file has been edited. After detecting an edited metabase, IIS compares this file to the corresponding history file of the same version that resides in the History directory. Differences between the two files are evaluated and IIS uses the most recent edit. IIS formulates the appropriate Admin Base Object (ABO) API commands to apply these changes to the in-memory metabase, saves its in-memory metabase values, and creates a new history file, which is copied into the History directory. Editing is enabled by first stopping iisadmin, then setting the EnableEditWhileRunning property in the metabase to "1", and then restarting iisadmin. Alternatively, the administrator can use the IIS snap-in: Computer Properties, Enable Direct Metabase Edit.


XML METABASE



The XML metabase is a hierarchical store of configuration values. The information includes inheritance, data typing, change notification, and security. In versions 4.0 and 5.0, the IIS configuration store was a nonreadable and noneditable binary file called Metabase.bin. This is replaced by a plain-text, XML-formatted file that can be edited, imported/exported, and reviewed easily for troubleshooting. The XML format retains compatibility with the existing public metabase APIs. IIS 6.0 extends the ADSI schema and schema extensibility support. Other specific features include:




Automatic version and history.
Changes in the metabase are automatically written to disk in a new file called Metabase.xml. Version numbers are automatically assigned so that rollback or restoration can be applied easily.




On-the-fly editing.
Metabase.xml can be edited while IIS is running using a program like Notepad, and no reboot is required after edits are complete.




Configuration import and export.
Using the new ABO methods Export() and Import(), configurations from any node can be moved across servers.




Server-specific backup.
Backup and restoration can be accomplished independently on an individual server basis.
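Because the IIS 6.0 metabase is plain XML, its security-relevant settings can be reviewed offline. The following script is an added example, not code from the book or from IIS: it parses a constructed Metabase.xml fragment (the element and attribute names follow the IIS 6.0 layout; the sites, paths and flag values are made up) and reports the settings an administrator would want to double-check, including the EnableEditWhileRunning property discussed above.

```python
"""Offline review of an IIS 6.0 Metabase.xml file for weak settings.

Added example. The XML below is a constructed fragment that follows the
IIS 6.0 metabase layout (properties stored as attributes on IIsComputer,
IIsWebServer and IIsWebVirtualDir nodes, flag lists joined by ' | ');
the sites, paths and flag values are made up for the demonstration.
"""
import xml.etree.ElementTree as ET

SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsComputer Location="/LM" EnableEditWhileRunning="1" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
    ServerBindings=":80:" SecureBindings="" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\\inetpub\\wwwroot"
    AccessFlags="AccessRead | AccessScript | AccessWrite"
    AuthFlags="AuthAnonymous | AuthBasic" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet"
    ServerBindings=":80:intranet" SecureBindings=":443:" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" Path="d:\\sites\\intranet"
    AccessFlags="AccessRead | AccessScript"
    AuthFlags="AuthNTLM" />
</MBProperty>
</configuration>
"""


def local_name(tag):
    """Strip the XML namespace so nodes can be matched by their metabase class name."""
    return tag.rsplit("}", 1)[-1]


def flags(value):
    """Split a metabase flag list such as 'AccessRead | AccessScript' into a set."""
    return {f.strip() for f in value.split("|") if f.strip()}


def audit_metabase(xml_text):
    """Return a list of human-readable findings for the given Metabase.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    servers = {}   # Location -> attributes of the IIsWebServer node
    vdirs = {}     # Location -> attributes of the IIsWebVirtualDir node
    for node in root.iter():
        kind = local_name(node.tag)
        loc = node.get("Location", "")
        if kind == "IIsComputer" and node.get("EnableEditWhileRunning") == "1":
            findings.append(f"{loc}: EnableEditWhileRunning=1, edits to Metabase.xml "
                            "are applied while IIS runs; confirm this is intended")
        elif kind == "IIsWebServer":
            servers[loc] = node.attrib
        elif kind == "IIsWebVirtualDir":
            vdirs[loc] = node.attrib
    for loc, site in servers.items():
        name = site.get("ServerComment", loc)
        root_vdir = vdirs.get(loc + "/ROOT", {})
        auth = flags(root_vdir.get("AuthFlags", ""))
        access = flags(root_vdir.get("AccessFlags", ""))
        has_ssl = bool(site.get("SecureBindings", "").strip())
        if "AuthBasic" in auth and not has_ssl:
            findings.append(f"{name}: Basic authentication with no SSL binding "
                            "(passwords cross the wire Base64-encoded, not encrypted)")
        if "AccessWrite" in access:
            findings.append(f"{name}: AccessWrite on the site root "
                            "(WebDAV/PUT can modify content)")
    return findings


if __name__ == "__main__":
    for finding in audit_metabase(SAMPLE_METABASE):
        print(finding)
```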




IIS WMI PROVIDER AND COMMAND-LINE ADMINISTRATION



Building on the functionality introduced in Windows 2000 WMI, IIS 6.0 leverages the programming interface to permit greater customization. Any schema extensions developed through ADSI are automatically reflected in WMI. When changes are made to the ADSI schema, they are pushed to the IIS WMI provider.


IIS 6.0 also supports scripts, including those shipped in the Windows\System32 folder. These VBScripts interface with the WMI provider to retrieve and set configuration data within the metabase. The scripts shipped with IIS 6.0 include:




iisweb.vbs to create, delete, start, stop, and list Web sites




iisftp.vbs to create, delete, start, stop, and list FTP sites




iisvdir.vbs to create, delete, start, stop, and display virtual directories




iisftpdr.vbs to create, delete, start, stop, and display virtual directories under an FTP root




iiscnfg.vbs to export and import IIS configuration to an XML file




NOTE: The Web Server version of Windows Server 2003 automatically installs the new Web administration tool set. If you are deploying this version of the operating system, this toolset will provide a primary management source.


IIS Security Features



The IIS application suite relies on and is integrated with Windows Server 2003 security schemes. It also relies on additional standard Internet security features. This section reviews IIS high-level security; for additional information about Windows Server 2003 security and authentication, refer to Chapters 8 through 10.


Because IIS 5.0 took heavy hits on security, it seems appropriate to first underscore the enhancements made to IIS 6.0. The new preventive measures are based on analysis of the patterns displayed by the hacker community. The major improvements designed to lock down a site and apply patches include:




IIS Lockdown Wizard.
This wizard is designed to permit administrators to enable/disable IIS features. IIS 6.0 is shipped in locked-down state. This means that only static content such as , .jpg, and .bmp is serviced. To make functions such as Active Server Pages or Front Page Server Extensions available, the system administrator must enable them.




Configurable work process identity.
As discussed later, the process architecture now isolates activities into something known as work processes.




IIS 6.0 runs as a low-privileged account.
By default, the IIS 6.0 work process runs under a low-privileged account called NetworkService. Running IIS 6.0 as a low-privileged account greatly reduces a hacker's ability to perform broad-based system attacks.




FTP user isolation.
Hackers of any operating system using TCP/IP haven't been able to invade via FTP. IIS 6.0 isolates FTP from other system functions.




IIS SECURITY MECHANISMS



IIS security works in parallel with the Windows Server 2003 operating system security; the range of mechanisms includes access control, authentication, encryption, certificates, and system auditing. These are briefly examined in the following list:




Access control.
Access control simply oversees how a user who has been granted access to the IIS server can use resources. NTFS permissions are applied to system resources in the same way as they are with any other Windows Server 2003 activity, but IIS also uses HTTP Web security specifications. In particular, WebDAV (described in greater detail later) permits navigation through files and directories. With WebDAV commands, also known as verbs, authorized users can edit, delete, and add files and directories.




Authentication.
IIS 6.0 employs several forms of user name and password authentication.




- Anonymous Authentication uses the IUSR_computername user account, to which special permissions should be applied, if appropriate, to avoid any user's gaining access to the public content of the Web site or FTP site. When enabled, IIS always authenticates a user through this account first.



- Basic FTP Authentication uses the user name and password associated with a specific Windows Server 2003 user account on the system. Its major downside is that passwords are transmitted without encryption and can be captured, exposing user accounts to security breaches.



- Kerberos v5 authentication is ideal for intranets in Windows Server 2003 environments. However, since it does not work in conjunction with HTTP Proxy services, it may have significant limitations on the Internet.




Encryption.
Encryption scrambles information at one end of the communication and deciphers it at the verified receiving end. It is commonly used for financial and banking transactions such as transmission of credit card numbers. Encryption is based on the Secure Sockets Layer (SSL 3.0) protocol and its extension, Server-Gated Cryptography. In the United States and Canada, IIS encryption can use a minimum 128-bit session key rather than the 48-bit or 56-bit DES standard used in other parts of the world.




Certificates.
Certificates are digital documents used in the authentication process. They are required when encrypted data is sent over an SSL 3.0 connection. A certificate is created through Microsoft's Certificate Authority, discussed in Chapter 11, or obtained from third-party certificate grantors.




Services auditing.
Monitoring the IIS services for irregular activities is an important security safeguard. Auditing uses logs to detect activities that violate file and directory policies. Either Windows Server 2003 auditing features or IIS 5.0-configured logs can be employed; they are generated through the Audit Policies or Internet Information Services snap-in tool.




IIS INTERNET SECURITY TECHNOLOGIES



In addition to security features employed by the Windows Server 2003 operating system itself, such as Kerberos version 5, IIS's Web-specific security schemes include the following:




Basic authentication is derived from the HTTP 1.0 specification and is the most widely used Web-based method for matching user names and passwords for access purposes. A password is sent in Base64 encoded format, but it is not encrypted, which means that in nonsecured environments, it can be captured by a sniffer. For this reason, Basic Authentication provides only marginal Web security. Its major advantage is that most Web browsers support this HTTP 1.0 standard.




Digest authentication is based on the W3C (World Wide Web Consortium) standards for HTTP 1.1. It extends Basic Authentication by using a one-way hash (or message digest) for password interpretation. The password is not decipherable from the hash, which prevents password capture in a nonsecure environment. Only advanced browsers like Internet Explorer 5.0 or later can receive data using this technology; older browsers are returned an error message.




Advanced Digest Authentication is based on Internet Engineering Task Force (IETF) RFC 2617. It behaves similarly to digest authentication except in the way user credentials are stored on the domain controller (DC). Digest authentication only sends user credentials across the network as an MD5 hash. Advanced Digest Authentication mirrors this routine and also stores user credentials in Active Directory on the DC as an MD5 hash. This hash is known as a message digest. Advanced Digest Authentication is available to Web Distributed Authoring and Versioning (WebDAV) directories. It does not replace Digest Authentication.




Certificate-based Web transactions that use the PKCS #7/PKCS #10 protocols are also supported by IIS. Used with IIS certification functions, PKCS #7 establishes encryption formats for data such as digital signatures. PKCS #10 determines the request format for certificates.




Fortezza is a U.S. government cryptographic standard used for authentication, nonrepudiation, access control, and systems security.




Secure Sockets Layer (SSL 3.0) uses certification authorities and is one of the most widely used methods on the Web to ensure authentication and message integrity.




Server-Gated Cryptography (SGC) is used primarily by banking and financial institutions over the Internet.




Transport Layer Security (TLS) extends SSL by providing cryptographic authentication. Its API framework permits the writing of TLS-enabled applications.
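The difference between Basic and Digest authentication described above, as an added example that is not from the book: the Basic header is reversible by anyone who sees it, while the RFC 2617 Digest response can be checked by a server that stores only the MD5 message digest of username:realm:password (the stored hash the text describes for Advanced Digest Authentication). The user names, realm, nonce and password below are constructed.

```python
"""Basic versus Digest credential handling on the wire and on the server.

Added example, not from the book. All header values are constructed.
The server side keeps only HA1 = MD5(username:realm:password), the stored
'message digest' the text describes for Advanced Digest Authentication.
"""
import base64
import hashlib
import hmac
import re


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_basic(header):
    """Recover the user name and password from 'Authorization: Basic ...'.
    Base64 is an encoding, not encryption: anyone who sees the header can do this."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_ha1(username, realm, password):
    """The only secret the server needs to keep (stored instead of the password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth; the password itself never appears in it."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_header(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: what the browser puts in 'Authorization: Digest ...'."""
    response = digest_response(digest_ha1(username, realm, password),
                               method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_digest(header):
    """Split a Digest header into its key=value parameters (quoted or bare)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', rest)
    return {key: quoted or bare for key, quoted, bare in pairs}


def verify_digest(stored_ha1, method, params):
    """Server side: recompute from the stored HA1 and compare in constant time.
    A real server also checks that the nonce is one it issued and is still fresh;
    replaying the header against another method or URI fails this check."""
    expected = digest_response(stored_ha1, method, params["uri"], params["nonce"],
                               params["nc"], params["cnonce"], params.get("qop", "auth"))
    return hmac.compare_digest(expected, params["response"])
```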





Applying these standards in an IIS environment is covered in other sections. IIS also supports three security-related wizards:




Certificate leads the administrator through the creation and establishment of life cycles for a certificate.




Certificate Trust Lists (CTL) constructs a list of trusted certificate authorities for a directory.




Permissions consolidates authentication and NTFS permissions for Web site and FTP access.




IIS Data and Process Reliability



To meet changing requirements of the Internet and the new demands of .NET framework, IIS 6.0 relies on a fundamentally altered architecture. IIS 6.0 introduces a concept known as work process isolation mode, which separates active process management into an application isolation environment. This actively managed runtime relies on kernel-level request queuing.


The work process isolation mode runs all applications in an isolated environment. Unlike previous versions, in which requests hopped to an out-of-process DLL host, user-mode work processes pull requests directly from the kernel.


From an administrative perspective, the work process isolation scheme allows different Web applications and Web sites to exist in separate pools, now known as application pools. An application pool should be viewed as a set of Web applications that share one or more work processes. Each application pool is discrete: if one application pool malfunctions, other application pools are not affected. Another way to look at an application pool is as a namespace group.


An application pool by default consists of a single work process. However, this default can be overridden so that multiple work processes exist in the same application pool. Such multiple-work-process application pools are known as Web gardens. Conceptually, a Web garden is a single-server-based equivalent of a Web farm. One of the best aspects of the Web garden technology is that in the event of a work process failure, other work processes are available to accept queued requests.


Figure 16.1 illustrates the new architecture of IIS 6.0 that separates kernel-mode and user-mode activities.


Figure 16.1. IIS 6.0 Architecture





PROCESS ARCHITECTURE



When shared resources are used, unstable elements can affect the environment. In IIS 5.0, Web services ran in the inetinfo.exe process space and pooled application requests to DLLHost.exe processes. The disadvantage of pooled processes is that if one application fails, all the others die. The advantage is that even in the event of such a failure, the IIS server itself continues to run unaffected. By contrast, IIS 6.0 is redesigned to support two components using kernel-mode drivers. The larger boxed portion of Figure 16.1 shows the relationships among the new components: Http.sys, the Web Administration Service, and the work processes.




Http.sys component.
The Http.sys resides in the kernel mode. It is the point of contact for all incoming HTTP requests. It listens for requests and queues them until they are all processed, no more queues are available, or the Web server is shut down. Each request queue is treated as an application pool that is defined as one request queue and one or more work processes. Because this component accepts and processes request queues in the kernel mode, outstanding requests will be restarted even if the user mode Web services crash. Third-party code is never loaded in this isolated component.




Web Administration Service (WAS).
Residing in user mode, WAS is responsible for configuration and process management. The process manager portion reads metabase information and initializes the Http.sys namespace routing table. One entry is made for each application, recording which application pool receives the requests that match the route. Applications are thereby preregistered so that Http.sys can respond to requests. With every new application or application pool, WAS configures Http.sys to accept the requests for new URLs and other data. WAS is also responsible for controlling the work processes that handle requests; therefore, WAS determines when to start a work process or when to restart one. WAS monitors the health of work processes through a pinging activity. If the ping indicates that a process is blocked or otherwise nonresponsive, WAS terminates the process while simultaneously creating a new work process to accept the queued requests.





Several other benefits are associated with this new architecture, including the following:




On-demand start.
When the first request is made to the application pool's namespace, the work processes are launched. This eliminates the overhead of supporting nonrequested application pools.




Idle timeout.
Application pools can be configured to shut down when a predefined idle time-out has been reached.




Rapid fail protection.
It is possible to configure IIS 6.0 to disable an application pool when WAS detects a predefined number of failures.




Orphaning work processes.
By default, WAS terminates an ill work process and starts another. There are times, however, when analysis of the ill work process is required to identify a problem. So, rather than terminate the ill work process, the administrator can have it set aside as an orphan while its work is handed off to a new worker. This course is generally not recommended, however, because orphans can be heavy resource consumers.




Recycling work processes.
Rather than having to reboot an entire Web server to account for problems such as memory leaks, IIS 6.0 permits the restarting of individual work processes. Service interruptions are prevented because a new work process takes on the namespace of the current work process before it completes its last request prior to termination.




Persisted ASP template cache.
With IIS 6.0, ASP cache templates are persisted on disk rather than process memory.




Large memory support for x86.
IIS 6.0 can support cache of up to 64 GB on an x86 system. Further, the Web garden feature allows scaling of individual application memory requests larger than 2 GB.




Win64 support.
IIS 6.0 supports both Win32 and Win64 models.
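To make the division of labour between Http.sys and WAS concrete, here is an added example (a simulation, not Microsoft's code): Http.sys holds the routing table and one kernel-mode request queue per application pool, while WAS starts workers on demand, restarts a worker whose ping fails without losing the queued requests, and applies rapid fail protection once a pool has failed too often. Pool names, thresholds and URLs are constructed.

```python
"""Model of IIS 6.0 request routing and worker-process health management.

Added example, not Microsoft's code: a small simulation of the behaviour the
text describes. Pool names, the failure limit and the URLs are constructed.
"""
from collections import deque


class ApplicationPool:
    """One request queue plus one or more work processes (a Web garden if more than one)."""
    def __init__(self, name, rapid_fail_limit=3):
        self.name = name
        self.queue = deque()        # lives in kernel mode, owned by Http.sys
        self.worker_generation = 0  # 0 = not started yet (on-demand start)
        self.failures = 0
        self.rapid_fail_limit = rapid_fail_limit
        self.disabled = False


class WAS:
    """User-mode Web Administration Service: starts, pings and recycles workers."""
    def start_worker(self, pool):
        pool.worker_generation += 1

    def worker_unresponsive(self, pool):
        """Ping failed. Recycle the worker; queued requests stay in Http.sys.
        Rapid fail protection disables the pool once the limit is reached."""
        pool.failures += 1
        if pool.failures >= pool.rapid_fail_limit:
            pool.disabled = True
        else:
            self.start_worker(pool)

    def serve(self, pool):
        """A healthy worker drains its queue; each result records which worker
        generation answered, so requests queued before a crash are still served."""
        if pool.disabled or pool.worker_generation == 0:
            return []
        served = []
        while pool.queue:
            served.append((pool.queue.popleft(), pool.worker_generation))
        return served


class HttpSys:
    """Kernel-mode listener whose routing table WAS fills from the metabase."""
    def __init__(self, was):
        self.was = was
        self.routes = {}   # URL prefix -> ApplicationPool

    def register(self, prefix, pool):
        self.routes[prefix.rstrip("/") + "/"] = pool

    def route(self, url):
        # Longest matching prefix wins, so /app/... beats the site root /
        matches = [p for p in self.routes if (url + "/").startswith(p)]
        return self.routes[max(matches, key=len)] if matches else None

    def accept(self, url):
        """Status Http.sys produces on its own, before any user-mode code runs."""
        pool = self.route(url)
        if pool is None:
            return 404
        if pool.disabled:
            return 503   # rapid fail protection has stopped the pool
        pool.queue.append(url)
        if pool.worker_generation == 0:
            self.was.start_worker(pool)   # on-demand start
        return 202       # queued for a worker
```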




PROCESS FEATURES COMMON TO IIS 5.0 AND IIS 6.0



With regard to process architecture, IIS 5.0 and IIS 6.0 share a number of underlying features including:




Socket pooling.
A socket consists of a node (computer) address and a port number, such as the server's IP address combined with the standard Web (HTTP) TCP port number 80. IIS 5.0 permits the pooling of sockets so that more sites can be bound to the same IP address and use the same port number.




Process and bandwidth throttling.
When running multiple sites on the same server, it may be appropriate to limit processes, CPU usage, and bandwidth. This is equally true when multiple applications are running on the IIS server. Process and Bandwidth Throttling allows the system administrator to set these limits, and over time it can be used to obtain maximum system performance. Process accounting should also be employed to measure CPU usage or to determine if an application or script is using a disproportionate amount of resources.




Site hosting scalability.
Scalability is achieved by permitting multiple Web sites to share an IP address. Multiple sites can be hosted in IIS by appending port numbers to one IP address or by adding IP addresses to one server. In the first case, the port number is appended to the end of the IP address, such as 111.111.111.111:80 or 111.111.111.111:140; the sites share the IP address but are reached through different ports. An alternative to ports is to use host headers to distinguish sites that share an IP address and computer, with the sites' domain names resolving to that address. (With the other option, multiple IP addresses are bound to a single network interface card or to multiple cards on the same system.) Once a request arrives at the server, the header determines which site is to be contacted. The simplicity of this alternative can be very attractive because it makes multiple IP addresses or port tables unnecessary. However, it cannot be used in conjunction with SSL and other encryption environments because the header information will not be readable.




Clustering for IIS.
For mission-critical Web and FTP environments, clustering (discussed in Chapter 17) should certainly be considered. With clustering, when one node (server) has services or hardware problems, a second system assumes the activities in the failover process. This type of redundancy, although more costly, can provide significantly greater reliability. Also to be considered is the use of a mirrored or RAID-5 disk system, as discussed in Chapter 14.




Dfs for Web file systems.
The physical distribution of files across a network has always been a major problem. The distributed file system (Dfs) is easily adaptable to a Web-based environment, allowing the client browser to be used for resource access throughout the network.




IIS 5.0 ISOLATION MODE



With the introduction of work process isolation in IIS 6.0, Microsoft recognized that some earlier applications will simply not operate in that environment. Therefore, Windows Server 2003 provides an IIS 5.0 isolation mode to address applications that demand session-state persistent processes, applications written as read raw data filters, and multiple-instance applications. In this arrangement (Figure 16.2), inetinfo.exe is the master process manager. However, the environment has the added benefit of Http.sys kernel-mode request queuing and caching.


Figure 16.2. IIS 5.0 Isolation Mode Architecture





NOTE: The isolation modes offered in IIS 6.0 apply only to Web servers. Other services managed by inetinfo, including FTP and SMTP, work just as they did under IIS 5.0. Only Web services use Http.sys.


The Web Application Environment



A centerpiece of IIS support for application sharing and development is Web Distributed Authoring and Versioning (WebDAV). This is an extension to the HTTP 1.1 specification that addresses publishing and manipulating Web documents. By setting WebDAV properties and permissions, different Windows Server 2003 clients can have different levels of access such as Read/Write or Read-Only.


Application development for IIS uses Active Server Pages as the preferred Web medium. Although development issues are outside our scope, we note that ASP helps integrate HTML, scripts (including Java and VBScript), and COM components.


IIS Management Components



Later in this chapter we will explore how to apply administrative tools to the management of IIS. Here we provide a brief overview of IIS management tools and techniques that are common to IIS 5.0 and 6.0.




Command-line script administration.
Much traditional Web administration is UNIX-based and by definition heavily reliant on command-line utilities and scripts. Acknowledging this, Microsoft has made at least a partial effort to permit UNIX-type administrative interaction. For example, the Cscript.exe command can invoke Visual Basic scripts. Other commands allow the use of CGI, Perl, and other scripts.




Internet Information Services snap-in centralized administration.
A replacement for the older Internet Services Manager, the Internet Information Services snap-in is an integrated tool for creating, modifying, and managing IIS components and properties; it is explored later in the chapter. Remote administration is made possible through Terminal Services.




Delegation to Web site operators.
One strength of Windows Server 2003 is the ability to delegate certain administrative responsibilities. Web Site Operators is an administrative group with authority over IIS functions. Its responsibility can be extensive or site specific, which can be valuable in environments with multiple sites on one server. A Web site operator for a specific site can be granted full control over it but have no authority over other sites.




Custom error messaging.
The system administrator's burden can be reduced greatly through the use of instructive error messages. IIS employs the HTTP 1.1 error-messaging scheme to handle standardized problems. Use of this facility and the errors it handles are dealt with later.




