
  • Number of slides: 32

Internet Information Server 6.0

IIS 6.0 Enhancements
  • Fundamental changes, aimed at:
      • Reliability & Availability
      • Performance
      • Manageability
      • Security

IIS 6.0 Reliability & Availability

Review of IIS 5 Architecture
[Diagram. Labels: user, kernel, INETINFO.EXE, DLLHost.EXE, ISAPI Filters and Extensions, ISAPI Extensions, Metabase, WinSock 2.0, TCP/IP]

IIS 6 Architecture
[Diagram. Labels: user, kernel, Web Admin Service, HTTP.SYS, Worker Process, W3 Core, web app]

HTTP.SYS
  • What is it?
      • Kernel-mode HTTP stack/listener
      • Always running
  • What does it do?
      • HTTP Listener and Parser
      • Process routing based on URL namespace
      • Request queues: kernel-mode queuing
      • Response cache for static requests

Web Admin Service - WAS
  • What is it?
      • Configuration, Application and Process Manager
  • What does it do?
      • Configures HTTP.SYS for listening and routing
      • Periodic Recycling
          • Time, Hit, Memory, Schedule-based, and on-demand
      • Health Monitoring
          • Pinging, Crash detection
          • Rapid fail protection
      • Better debugging support
          • Orphan Web Processing Core Host Processes

Web Processing Core W3WP.exe
  • What is it?
      • Main web processing core responsible for handling web requests
  • Self-contained web server
      • Contains all web request processing functionality
      • Loads ISAPIs – filters and extensions
          • ASP, ASP.NET, FrontPage® Server Extensions
  • Delivers complete isolation from system components and other web apps

IIS 6.0 Availability: Applications
Isolating Applications From Each Other
  • Applications grouped into Application Pools
      • Applications defined by URL namespace
      • One or many applications per Application Pool
      • Configure Processing features by Application Pool
      • One or many Worker Processes per Application Pool
      • Service Level Support
          • CPU accounting
          • Bandwidth throttling

IIS 6 Architecture: Managing worker processes
[Diagram. Labels: user, kernel, Web Admin Service, HTTP.SYS, Worker Process, W3 Core, Web app, "Recycle time!"]

Working with Application Pools

Recycling
  • Recycle periodically to ensure reliability
  • Recycle based on:
      • Uptime
      • # of requests
      • Schedule
      • Virtual memory consumption
      • On-Demand

Application Pool Performance
  • Goal = Support 2000 pools concurrently.
      • IIS 5 Isolated OOP total was 80.
  • Scaling Features of Pools
      • Idle Timeout
      • CPU Accounting
      • Demand Start

Web Gardens
  • Multiple Processes serving an application pool
      • Reliability and fault-tolerance
          • Allows another already initialized worker process to take over the current load
      • Can affinitize worker processes to a set of processors
      • Some throughput gains for applications that rely on process global resources

App Pool Health & Debugging Features
  • Worker process health monitoring/gating
      • Process pinging
      • Startup/Shutdown limits
      • Kernel Mode Request Queuing
  • Rapid Fail Protection
  • "Orphan" worker processes in failure

Configurable Worker Process ID
  • Worker process can be started as:
      • Network Service (default)
      • Local System
      • Local Service
      • Configured ID

DEMO: IIS Recycle

IIS 6.0 Performance

IIS 6.0 Performance
Designed for high throughput
  • Kernel mode cache for static, unauthenticated content
      • No transition to user mode for cache hits
  • User-mode worker processes
      • No user mode to user mode process hop
      • Talk directly to HTTP.SYS to get requests
      • Ability to affinitize worker processes to CPUs
  • Support for 64-Bit

IIS 6.0 Scalability
Scale up, out and in
  • SSL up to 900% faster
  • ISAPI up to 800% faster
  • CGI up to 100% faster
  • Support 20,000 sites and more per system
      • Improved Startup/Shutdown times (<2 min)
      • Improved Scalability of Application Isolation (2000 Isolated Application Pools)
  • Improved Processor Scalability
      • 3x on a 4-processor box, 5x on an 8-way

IIS 6.0 Management

Installation

Management Enhancements
  • XML Metabase
  • WMI Provider
  • Command-Line Interface
  • New Web-based Administration Console

IIS Commands
  • Create web and FTP Sites
        c:\>iisweb /create c:\webroot "My Site" /b 169.254.36.174
  • Create web and FTP V-Dirs
  • Backup/Restore
  • Export/Import Configuration
        c:\>iiscnfg /import /f MySiteConfig.xml /sp /lm/w3svc/1 /dp /lm/w3svc/4

IIS 6.0 Security

IIS 5.0 Security Issues
  • Code Red, Nimda, etc.
  • Weaknesses
      • Windows 2000 Installed As An Application Server – Huge attack surface
      • Soft Defaults
      • High Privilege Accounts
      • No automated way to install patches
          • Result: Fixes out for months but not uniformly applied
          • Many companies survived Code Red & Nimda
  • IIS Lockdown Wizard & URLSCAN for IIS 4/5
  • Improved Patch Management

IIS 6.0 Security
Secure Out of the Box
  • Change in approach:
      • Clean up code, improved tools for defect detection
      • Secure defaults, minimize attack surface (static files only by default)
      • Customer 'enables' server features after setup
      • An infrastructure that by default installs security hot fixes (customer opts out, not in)
  • Educate the Customer

IIS 6.0 Security
Reduced Attack Surface
  • IIS is not installed by default
      • As well as 20+ other services
  • Server Lockdown: Serve HTM files only
      • Only Web service gets installed
      • IsapiRestrictionList
      • CGIRestrictionList
      • Template-based feature activation
  • Web service disabled on upgrade for benefit of non-IIS users
  • Prevent IIS 6 install with group policy

Managing Web Service Extensions

Support or no support ASP

Web Server Security Enhancements
  • URLscan implemented by default
  • Clean code
  • Architectural changes
      • Process isolation
      • Configurable identity
      • Application pool management
  • General OS hardening
  • New tools
      • AutoUpdate, SUS, Qchain, MBSA
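Added example (not part of the original slides): an audit of application pool settings read from an XML Metabase export, checking the worker process identity, rapid fail protection, pinging and recycling features listed above. The sample XML is constructed and simplified; the attribute names are IIS 6 metabase property names that do not appear on the slides, and pools are assumed to inherit properties set on the AppPools container.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample in the style of an IIS 6 MetaBase.xml export
# (a real file wraps these elements in a namespaced <configuration> root).
SAMPLE = """<MBProperty>
  <IIsApplicationPools Location="/LM/W3SVC/AppPools" AppPoolIdentityType="2"
      PeriodicRestartTime="1740" RapidFailProtection="TRUE" PingingEnabled="TRUE"/>
  <IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool"/>
  <IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyApp"
      AppPoolIdentityType="0" RapidFailProtection="FALSE"/>
  <IIsApplicationPool Location="/LM/W3SVC/AppPools/Reports"
      AppPoolIdentityType="3" WAMUserName="svc-reports" PeriodicRestartTime="0"/>
</MBProperty>"""

# AppPoolIdentityType: 0 = Local System, 1 = Local Service,
# 2 = Network Service (default), 3 = configured ID.
def audit_pools(xml_text):
    """Return {pool name: [findings]} for every application pool in the export."""
    root = ET.fromstring(xml_text)
    # Assumption: properties set on the AppPools container are inherited by each pool.
    parent = root.find("IIsApplicationPools")
    defaults = dict(parent.attrib) if parent is not None else {}
    report = {}
    for pool in root.iter("IIsApplicationPool"):
        cfg = {**defaults, **pool.attrib}
        name = cfg["Location"].rsplit("/", 1)[-1]
        findings = []
        ident = cfg.get("AppPoolIdentityType", "2")
        if ident == "0":
            findings.append("runs as Local System (high-privilege account)")
        elif ident == "3":
            findings.append("runs as configured ID %r: review its rights"
                            % cfg.get("WAMUserName", "?"))
        if cfg.get("RapidFailProtection", "TRUE").upper() != "TRUE":
            findings.append("rapid fail protection disabled")
        if cfg.get("PingingEnabled", "TRUE").upper() != "TRUE":
            findings.append("worker process pinging disabled")
        recycle_keys = ("PeriodicRestartTime", "PeriodicRestartRequests",
                        "PeriodicRestartMemory")
        no_recycle = all(cfg.get(k, "0") == "0" for k in recycle_keys)
        if no_recycle and not cfg.get("PeriodicRestartSchedule"):
            findings.append("no periodic recycling configured")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_pools(SAMPLE).items():
        print(name, "->", findings or ["ok"])
```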

Questions?