Author Archive: Chaitanya Talasila

Check if the Server is Clustered or not


Hi All,

Below is a simple PowerShell snippet that checks whether a server is clustered or not. It looks for the cluster service (ClusSvc) among the services hosted on the machine, which is only present on a cluster node.

$ServerName = 'Server1'

# Win32_SystemServices lists the services hosted on the computer.
$sObj = Get-WmiObject -Class Win32_SystemServices -ComputerName $ServerName

# The cluster service (ClusSvc) only exists on a cluster node.
if ($sObj | Where-Object { $_.PartComponent -like "*ClusSvc*" })
{
    Write-Output "$ServerName is Clustered"
}
else
{
    Write-Output "$ServerName is Not clustered"
}

Regards,

Chaitanya

CU 2 is now available for BizTalk Server 2016


Hi All,

CU 2 is now available for BizTalk Server 2016. Below is the official Microsoft link for the details.

https://support.microsoft.com/en-us/help/4021095/cumulative-update-2-for-microsoft-biztalk-server-2016

regards,

Chaitanya

BizTalk Health monitor V4 released


Hi All,

BizTalk Health Monitor V4 has been released. Below is the link where you can find more information:

https://blogs.msdn.microsoft.com/biztalkhealthmonitor/2016/12/16/biztalk-health-monitor-v4-0-released/

New features:

§ Monitoring Profiles with UI-based configuration (the old “Monitoring Profile” is now renamed “Health Check Profile”)

§ Schedule your report collection with a Windows service (the Windows Task option is still available)

§ New “Trace Log” node to quickly display the log of an analysis, built to show insights into report collection failures

§ Compatible with and updated for BizTalk Server 2016

§ Better user experience by allowing the Queries and Rules lists to be displayed in full-screen mode

§ Improved repositories auto-update feature

§ More robust: fixed a crash on MMC termination

Download link for BHMv4 – https://www.microsoft.com/en-us/download/details.aspx?id=43716

Regards,

Chaitanya

IIS Web Server Learning Series -Part 12 – Some Random learnings in IIS Web server


Worker process:

When IIS starts, the Web Administration Service initializes the http.sys namespace routing table with one entry for each application. This routing table determines to which application pool an application should be routed. When http.sys receives a request, it asks WAS to start up one or more worker processes to handle that application pool. This isolation of processes makes the web server as a whole more stable.

What is the role of HTTP.SYS in IIS?

HTTP.SYS is the kernel-level component of IIS. Every client request first hits HTTP.SYS in kernel mode. HTTP.SYS then queues each request for the individual application pool that owns it, based on the request.

Whenever we create an application pool, IIS automatically registers it with HTTP.SYS so that the pool can be identified during request processing.

Application pool:

Application pools are used to separate sets of IIS worker processes that share the same configuration and application boundaries. Application pools isolate our web applications for better security, reliability, availability and performance, and keep them running without impacting each other. The worker process serves as the process boundary that separates each application pool, so that when one worker process or application has an issue or recycles, other applications or worker processes are not affected.

One application pool can also have multiple worker processes.

IIS hosts the websites, and each website runs under an application pool.

Every site can have its own application pool, or it runs under the default app pool.

If there is an issue with a site's own app pool, only that website is impacted; if the issue is with the default app pool, all the sites using it are impacted.

We can set the logging for the sites at the server level in IIS.

HTTP redirect: it is the feature used to redirect a site to a page during downtimes.

Authentication:

IIS supports the following authentication methods:

Anonymous authentication:

ASP.NET impersonation:

Another important security feature is the ability to control the identity under which code is executed. Impersonation is when ASP.NET executes code in the context of an authenticated and authorized client. By default, ASP.NET does not use impersonation and instead executes all code using the same user account as the ASP.NET process, which is typically the ASPNET account. This is contrary to the default behavior of ASP, which uses impersonation by default. In Internet Information Services (IIS) 6, the default identity is the NetworkService account.

If you enable impersonation, ASP.NET can either impersonate the authenticated identity received from IIS or one specified in the application’s Web.config file.

• Impersonation is disabled. This is the default setting. For backward compatibility with ASP, you must enable impersonation and change the ASP.NET process identity to use the Local System account. In this instance, the ASP.NET thread runs using the process token of the application worker process regardless of which combination of IIS and ASP.NET authentication is used. By default, the process identity of the application worker process is the ASPNET account. For more information, see ASP.NET Process Identity.

<identity impersonate="false" />

• Impersonation enabled. In this instance, ASP.NET impersonates the token passed to it by IIS, which is either an authenticated user or the anonymous Internet user account (IUSR_machinename).

<identity impersonate="true" />

• Impersonation enabled for a specific identity. In this instance, ASP.NET impersonates the token generated using an identity specified in the Web.config file.

<identity impersonate="true"
          userName="domain\user"
          password="password" />

Basic authentication:

Forms authentication:

Windows authentication:

ASP.NET Delegation

Impersonation enables ASP.NET to execute code and access resources in the context of an authenticated and authorized user, but only on the server where ASP.NET is running. To access resources located on another computer on behalf of an impersonated user requires authentication delegation (or delegation for short). You can think of delegation as a more powerful form of impersonation, as it enables impersonation across a network.

1. IIS first checks to make sure the incoming request comes from an IP address that is allowed access to the domain. If not, it denies the request.

2. Next, IIS performs its own user authentication if it is configured to do so. By default IIS allows anonymous access, so requests are automatically authenticated, but you can change this default on a per-application basis within IIS.

3. If the request is passed to ASP.NET with an authenticated user, ASP.NET checks to see whether impersonation is enabled. If impersonation is enabled, ASP.NET acts as though it were the authenticated user. If not, ASP.NET acts with its own configured account.

4. Finally, the identity from step 3 is used to request resources from the operating system. If ASP.NET can obtain all the necessary resources, it grants the user's request; otherwise it is denied. Resources can include much more than just the ASP.NET page itself: you can also use .NET's code access security features to extend this authorization step to disk files, Registry keys and other resources.

The Windows authentication provider lets you authenticate users based on their Windows accounts. This provider uses IIS to perform the authentication and then passes the authenticated identity to your code. This is the default provider for ASP.NET.

The Passport authentication provider uses Microsoft's Passport service to authenticate users.

The Forms authentication provider uses custom HTML forms to collect authentication information and lets you use your own logic to authenticate users. The user's credentials are stored in a cookie for use during the session.

<authentication mode="windows">

<authentication mode="passport">

<authentication mode="forms">
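As an added example (my own, not part of the original post or of ASP.NET), here is a PowerShell function that reads a Web.config and reports which of the three impersonation settings above is in effect, together with the authentication mode, and flags a plaintext password in the identity element. The Web.config below is constructed for the demo; the aspnet_regiis path "/MyApp" in the finding is a placeholder.

```powershell
# Added example: audit the <authentication> and <identity> settings of an
# ASP.NET Web.config. The XML here is constructed for the demo; for a real
# site pass -Path 'C:\inetpub\wwwroot\MyApp\Web.config' (placeholder path).
$SampleWebConfig = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" userName="domain\user" password="password" />
  </system.web>
</configuration>
'@

function Get-AspNetIdentityReport {
    param(
        [string]$Path,      # Web.config on disk
        [string]$XmlText    # or the raw XML text (used by the demo below)
    )
    if ($Path) { $XmlText = Get-Content -Path $Path -Raw }
    [xml]$config = $XmlText

    $auth     = $config.configuration.'system.web'.authentication
    $identity = $config.configuration.'system.web'.identity

    $mode        = if ($auth) { $auth.mode } else { 'Windows (default)' }
    $impersonate = if ($identity -and $identity.impersonate -eq 'true') { $true } else { $false }
    $runsAs      = 'the ASP.NET process (application pool) identity'
    $findings    = @()

    if ($impersonate) {
        if ($identity.userName) {
            # Fixed identity: every request runs as this account, whoever the caller is.
            $runsAs = "fixed account $($identity.userName)"
            if ($identity.password) {
                $findings += 'Plaintext password in <identity>: encrypt the section with ' +
                             'aspnet_regiis -pe "system.web/identity" -app "/MyApp" (placeholder path) ' +
                             'or drop userName/password and use the app pool identity.'
            }
        } else {
            # No userName: ASP.NET impersonates the token IIS passes in, which is
            # the authenticated Windows user or the anonymous account.
            $runsAs = 'the IIS-authenticated caller (or the anonymous account)'
            if ($mode -ne 'Windows') {
                $findings += "Authentication mode is $mode, so IIS normally passes the anonymous " +
                             'token: the forms/passport user is not the impersonated identity.'
            }
        }
    }
    [pscustomobject]@{
        AuthenticationMode = $mode
        Impersonate        = $impersonate
        RunsAs             = $runsAs
        Findings           = $findings
    }
}

Get-AspNetIdentityReport -XmlText $SampleWebConfig | Format-List
```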

How SSL works:

When you open a website like facebook.com or gmail.com, the browser first creates a TCP connection to that site's web server.

If we send the password of these accounts over that connection in the clear, there is a chance of it being intercepted.

To prevent this, we use cryptography.

If we encrypt the data using a key and decrypt it using the same key, this is called a symmetric key.

On its own this is not a good option, as both sides would have to share the same key to decrypt the data.

What if we use one key for encryption and another key for decryption? This is called an asymmetric key pair.

We use the public key to encrypt the data and the private key to decrypt it.

Here is how the SSL handshake works.

After the TCP connection is established, the SSL handshake starts.

For this handshake, the client first sends a client hello message, which contains the client's highest supported SSL version, the ciphers/compression methods it supports and random data.

The server responds with the SSL version that will be used, the chosen cipher/compression method, random data and a session id for the session.

After this, the server sends its digital certificate. This certificate serves 2 purposes:

1. It carries the server's public key and the chain of certificates.

2. It establishes the identity of the server the response is coming from.

Then the server sends a server hello done message.

Then the client sends a certificate verify message.

The client then sends a change cipher spec message, meaning that from now on the data sent over this session will be encrypted.

The browser sends a finished message covering all the messages exchanged so far, to check that none of them have been tampered with.

The server sends its change cipher spec message.

The server sends a finished message covering all the messages exchanged so far, to check that none of them have been tampered with.

At this point the SSL handshake is said to be complete, and the browser can generate the secret session key that will be used by the session to encrypt and decrypt.

This key can only be decrypted by the server.

If any of the validations fail, the SSL connection is terminated and the browser shows an error.

Server certificates:

These are the certificates installed at the server level.

Edit Permissions for a site is used to give permissions on the site's folder and share it, etc.

SSL settings: here we have the settings for the client certificate.

To see the certificate bound to a site, go to the site, right-click, choose Edit Bindings and edit the binding; there you can see the certificate.

If we want to add/remove services, we can use Server Manager, Roles -> Web Services, and do it there.

regards,

Chaitanya

IIS Web Server Learning Series -Part 11 – Best Practices for IIS Architecture


Best Practices for IIS Architecture:

Web farm -> load balancing

Multiple types of clusters exist:

1. Windows cluster: node A and node B share a storage area network (SAN).

Only the active node is working at a time; the other one is passive.

A copy of the SAN is attached to both machines, so if one server is down the other one is pointed to it.

We have nodes that share the SAN, and requests reach these nodes through the NLB manager.

For example, we have an environment like:

Las Vegas

nodes a, b, c, d with IP address 1 and NLB

New York

nodes e, f, g, h with IP address 2 and NLB; then in DNS these 2 IP addresses are registered for http://www.nuggetlab.com

So some people will go to the Las Vegas network and some people will go to the New York network.

This is how large sites are built.

Firewalls will block the traffic that comes in through the ports.

IIS sits behind the firewall, so attacks on IIS are reduced because the firewall is there.

Another way to reduce attacks on IIS is to not install the roles that you don't need.

Go to IIS through Server Manager and check the Best Practice Analyzer.

Scan that role every time and check whether you missed some roles.

If any malware is there, we can find it through the IIS SEO toolkit.

regards,

Chaitanya

IIS Web Server Learning Series -Part 10 – Network load balancer


Network load balancer:

It is installed on many web servers that have the same IIS configuration and IIS content.

1. Overview of the architecture

2. Installation

3. Configuring

4. Content replication and configuration replication

Every web server has a network adapter, and it is assigned an IP address.

Every computer has a unique MAC address and IP address.

The network adapter uses the MAC address for communication.

When NLB is installed, it creates a virtual MAC address and attaches it to the network adapter.

So in addition to the NIC's MAC address there is another MAC address, i.e. the virtual MAC address (a fake one).

If you install NLB on different servers and all of them are in the same NLB cluster, then all the servers have the same virtual MAC address.

When a request comes to the virtual IP address, all the computers that have the virtual MAC address pick up the request, and NLB decides which server needs to process it; the other servers discard the request.

When any server is not responding, the other servers in the NLB cluster take care of the requests.

Installation: go to Server Manager, Features, Add Feature, check NLB and install it.

After installation, open nlbmgr from Run and create a new cluster with the name localhost, as it takes the local configuration. Click Next and create a cluster IP address: give the IP address and the subnet mask, then click Next. It shows a network address, which is the virtual MAC address.

NLB will operate on all ports.

We can add/edit port rules.

We can allow only the requests on the ports of interest, like 80 to 80 or 80 to 443.

By default, NLB allows all ports.

Affinity is Single by default.

We have many web servers serving requests. When the user sends a request, a session is created and the session id is sent to the browser along with the content.

After that, if the user sends another request with the same session id and NLB routes it to another server where the session is not stored, the web page asks the user to log in again.

This is an issue, so affinity has 3 modes:

1. None: every request from the user is redirected to a new server.

This is the best-performance mode; it is not compatible with in-memory session state.

But we can still access the session by keeping the session ids in a database.

2. Single: this is done on the client's IP address. On the client's first request NLB remembers the IP address, and after that NLB sends every request from that IP address to the same server.

Session state is stored in memory; moderate performance.

If the clients come through proxy addresses, as clients from a large network do, then a client may send requests from 2 or 3 IP addresses, and at that time it will be a problem.

For an intranet, where proxies are not used, it is fine.

3. Network: worst performance.

Whenever a client comes from some network, it is routed to one server.

If the requests are coming from the same network, then the requests are routed to the same server.

It is used for Internet connections.
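As an added example (mine, not from the original post), the PowerShell below reviews the port rules of the local NLB cluster against the two points above: the default rule that covers all ports, and the affinity mode versus where session state lives. It assumes the NetworkLoadBalancingClusters module and that its rule objects expose StartPort, EndPort, Protocol, Mode and Affinity.

```powershell
# Added example: review NLB port rules for the port range and affinity trade-offs.
# Assumes the NetworkLoadBalancingClusters module (Windows Server 2008 R2+) and
# that Get-NlbClusterPortRule objects expose StartPort, EndPort, Protocol, Mode, Affinity.
Import-Module NetworkLoadBalancingClusters

function Get-NlbPortRuleReport {
    param(
        # Set when clients arrive through proxies (Internet): the same client
        # can then show up from 2 or 3 IP addresses and Single affinity breaks.
        [switch]$ClientsBehindProxies,
        # Set when session state is kept in memory on each web server.
        [switch]$InMemorySessionState
    )
    foreach ($rule in Get-NlbClusterPortRule) {
        $findings = @()
        if ($rule.StartPort -eq 0 -and $rule.EndPort -eq 65535) {
            $findings += 'Rule covers all ports; limit it to the web ports (80 and 443) so only HTTP/HTTPS is balanced.'
        }
        switch ("$($rule.Affinity)") {
            'None' {
                if ($InMemorySessionState) {
                    $findings += 'Affinity None with in-memory sessions: users get re-login prompts; keep session ids in a database.'
                }
            }
            'Single' {
                if ($ClientsBehindProxies) {
                    $findings += 'Single affinity keys on the client IP; proxied clients may change IP and lose their session.'
                }
            }
            'Network' {
                $findings += 'Network affinity gives the worst balance; keep it only for Internet clients behind proxies.'
            }
        }
        [pscustomobject]@{
            Ports    = "$($rule.StartPort)-$($rule.EndPort)/$($rule.Protocol)"
            Mode     = "$($rule.Mode)"
            Affinity = "$($rule.Affinity)"
            Findings = $findings
        }
    }
}

Get-NlbPortRuleReport -ClientsBehindProxies | Format-List
```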

If we have a web farm, we need the IIS configuration to be in sync on all servers.

We can use XCOPY or Robocopy to copy the configuration.

When we make a configuration change on one IIS server, we can manually replicate the change to the other servers using XCOPY or Robocopy.

Or we can keep a shared configuration in one place that is shared by multiple servers.

Another option is the MSDeploy.exe tool for content replication and syncing IIS settings, and it is free.

For commercial products, go to repliweb.com (the RepliWeb web deployment tool).

Regards,

Chaitanya

IIS Web Server Learning Series -Part 9 – Performance Tuning and Monitoring


Performance Tuning and Monitoring

Performance is low due to the user code.

We can find this out using the following.

The HTTP.sys listener in kernel mode passes the requests to the websites' app pools, and the worker process of the app pool executes the requests.

If the worker process gets requests for static HTML pages, the performance will be high.

This is the best case for IIS.

IIS will be at its worst when executing the following:

ASP.NET code

ASP code

PHP

CGI

FastCGI

ISAPI extensions

IIS performance will be fast when it executes the Microsoft code.

It will be slow when it executes user code.

This means bad performance in IIS is not IIS's fault; it is the developer's fault.

When the server configured for IIS also runs SQL Server, MySQL, Active Directory etc., IIS needs to share the memory with them.

Tools:

1. WCAT: it sends numerous static web page requests to IIS.

We can do a test like this:

Check perfmon while running the WCAT tool to send requests to IIS,

and do the same test on the other server.

When you are running WCAT, don't use ASP, ASP.NET, PHP etc.; only use static HTML requests.

In perfmon.msc add counters like w3wp and the app pool counters and check the performance.

On the other server check the performance for the user code; if there is a huge difference, ask the dev team to fix the code.

2. IIS SCOM pack:

-> Check the graph in perfmon.msc: if processor usage is high and IIS's usage is low, it means the processor is not enough to handle the IIS requests, or there are some other resources that are using the processor.

Check in Task Manager the processes that are consuming more memory than the worker processes.

IIS Web Server Learning Series -Part 8 –Troubleshooting IIS


Troubleshooting IIS

For troubleshooting IIS-related issues:

Event logs:

1. First check whether the issue is related to the IIS configuration.

For that, go to Server Manager.

In Event Viewer, go to Applications and Services Logs, Microsoft, Windows, IIS-Configuration.

Here we can see the IIS logs related to administrative activity and the operational logs.

2. If there is no configuration issue, then go to Windows Logs and check the Application and System logs.

When a site is moved to another server, copy the web.config file so that we don't have to do the settings manually.

Web service logs:

Go to the site, open Logging and troubleshoot with the logs,

or

use the Web Log Expert analyzer, which is a tool for troubleshooting logs.

For troubleshooting issues with SSL, we have a tool like SSL Diagnostics.

For a site we can turn on Failed Request Tracing, so that failed requests are written to the trace files.

Failed request tracing rules:

We can add rules like:

Trace the PHP files: *.php, status codes 401-599

Regards,

Chaitanya

IIS Web Server Learning Series -Part 7 – Advanced web server configuration


Advanced web server configuration

1. Compression: static and dynamic

2. Default documents/directory browsing

3. Custom errors

4. CGI and FastCGI

5. Limits (bandwidth and connections)

6. HTTP headers, i.e. HTTP response headers

Compression:

IIS can compress the files so that bandwidth usage is reduced.

At the server level, we have the configuration for static compression.

Only compress files larger than 2700 bytes (2.7 KB).

Compressed files are stored in the configured path.

Per app pool disk limit: 100 MB.

It will compress files up to 100 MB for every app pool. After the 100 MB is used up, new files overwrite the old ones.

It works like caching.

Dynamic content compression:

It will increase processor utilization and reduce the overall performance of the server.

Default documents:

A default document is served to the client whenever the client requests only the directory, like below:

http://localhost:8080/

Here the user does not specify any document name, so the default documents in that directory are checked against the default document list for the website, in order. If one matches, IIS displays that file.

Try to place the default document at the top of the list so that the IIS burden is reduced and performance increases.

Directory browsing:

Go to the site and enable the directory browsing module, so all the contents of the directory are shown as a directory listing.

We can see this by removing the default documents.

Custom errors:

Here we can set the custom error pages shown whenever a page encounters any issue.

We can set the CGI and FastCGI settings.

We can set limits for a website so that it does not use too much bandwidth and the other sites' performance does not decrease.

We can set the limit for the number of connections that can connect to IIS.

We can set the limit for bandwidth usage.

We can configure the limits at the website level, not at the server level.

HTTP response headers: they are sent along with the content to the client.
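As an added example (my own code, not from the original post or from IIS), the PowerShell below reports the settings discussed in this part (directory browsing, custom error mode, static/dynamic compression, bandwidth and connection limits, custom response headers) for every site on the server, and flags the ones that leak information or let one site starve the others. It assumes the WebAdministration module (IIS 7+) and an elevated prompt.

```powershell
# Added example: per-site report of the settings discussed in this part.
# Assumes the WebAdministration module (IIS 7+) and an elevated prompt.
Import-Module WebAdministration

# Get-WebConfigurationProperty returns either a plain value or a
# ConfigurationAttribute (with .Value) depending on the attribute type.
function Get-IisAttr([string]$PSPath, [string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

function Get-IisSiteSettingsReport {
    $unlimited = [uint32]::MaxValue   # IIS default for maxBandwidth / maxConnections
    foreach ($site in Get-ChildItem IIS:\Sites) {
        $ps = "IIS:\Sites\$($site.Name)"
        $dirBrowse = "$(Get-IisAttr $ps 'system.webServer/directoryBrowse' 'enabled')" -eq 'True'
        $errorMode = "$(Get-IisAttr $ps 'system.webServer/httpErrors' 'errorMode')"
        $static    = "$(Get-IisAttr $ps 'system.webServer/urlCompression' 'doStaticCompression')" -eq 'True'
        $dynamic   = "$(Get-IisAttr $ps 'system.webServer/urlCompression' 'doDynamicCompression')" -eq 'True'
        $headers   = Get-WebConfigurationProperty -PSPath $ps -Filter 'system.webServer/httpProtocol/customHeaders' -Name Collection

        $findings = @()
        if ($dirBrowse) {
            $findings += 'Directory browsing is on: folder contents are listed when no default document matches.'
        }
        if ($errorMode -eq 'Detailed') {
            $findings += 'Detailed errors are sent to remote clients; use Custom or DetailedLocalOnly.'
        }
        if ($dynamic) {
            $findings += 'Dynamic compression is on: expect higher processor use on this server.'
        }
        if ($site.limits.maxBandwidth -eq $unlimited -and $site.limits.maxConnections -eq $unlimited) {
            $findings += 'No bandwidth or connection limit: this site can starve the other sites.'
        }

        [pscustomobject]@{
            Site               = $site.Name
            DirectoryBrowsing  = $dirBrowse
            ErrorMode          = $errorMode
            StaticCompression  = $static
            DynamicCompression = $dynamic
            MaxBandwidth       = $site.limits.maxBandwidth
            MaxConnections     = $site.limits.maxConnections
            CustomHeaders      = @($headers | ForEach-Object { "$($_.name)=$($_.value)" }) -join '; '
            Findings           = $findings
        }
    }
}

Get-IisSiteSettingsReport | Format-List
```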

Regards,

Chaitanya

IIS Web Server Learning Series -Part 6 – SSL and Digital certificates


SSL and Digital certificates

How digital certificates work:

A digital certificate has 2 different encryption keys:

1. Private key: it is kept private; the one who uses it is the server (IIS) only.

2. Public key: anybody can use the public key.

Together they are called asymmetric keys.

Anything encrypted using the public key can be decrypted using the private key.

Anything encrypted using the private key can be decrypted using the public key.

When you send a request to a web server that uses a certificate, it processes the request, gets the data, encrypts the data using the private key and sends it to the client along with the server certificate.

That certificate has the public key, which is extracted by the browser and used to decrypt the content.

CA (certification authority): the server can have certificates (go to Internet Options, Content, Certificates; there we have Trusted Root Certification Authorities). Here we have the authorities whose issued certificates the server will accept.

When we go to amazon.com and do the checkout, it goes to https and presents its certificate, which is checked against the certificates in our browser to verify that this certificate is from one of the intended authorities.

This means the certificate was issued to amazon.com by an authority, and the authority takes all the company information and issues the certificate to Amazon.

Certificate types:

1. Domain only: here the CA does not verify the company; it issues the certificate to the company.

It issues it because you own the domain, so they issue the certificate.

It only encrypts the traffic; it costs 20 bucks every year.

2. Normal SSL (Transport Layer Security), normally called SSL.

It costs 100 bucks every year, as the company needs to prove its identity every year.

They have the opportunity to re-verify the identity.

It costs more as the CA needs to verify everything about the certificate.

Both the above certificates are issued to a host.

Ex: http://www.mycompany.com

If you try to install it on another web server, it will give an error: this certificate does not match the hostname.

3. SAN (wildcard) certificate: subject alternative name.

It is used to issue certificates to *.mycompany.com,

ex: ftp.mycompany.com

users.mycompany.com

It is costlier than SSL, but it is cheaper compared to SSL when buying certificates for multiple hosts.

4. Extended Validation (EV): it's a high-grade security certificate.

There is much more process for this.

If we go to amazon.com, after the address bar we get the lock symbol. It's a normal SSL certificate.

If you go to ICICI Bank, after the address bar you get the lock symbol with the ICICI Bank name,

and the address bar is green.

If the certificate is expired, the address bar turns red or orange.

Certificates can be assigned to multiple websites, but they are managed at the server level.

Go to Server Certificates, Create Certificate Request, and give the company details.

Cryptographic service provider -> RSA, bit length 1024.

Export it to a file. Take the information from the file and submit it to the SSL admin to get the certificate.

Import this certificate in IIS and bind it to the site, and in SSL Settings check the checkbox to allow SSL.

Create Domain Certificate request: it's a certificate created by ourselves; no one else issued the certificate.
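As an added example (my own code, not from the original posts or from IIS), the PowerShell below goes over every HTTPS binding on the server (the bindings discussed under "Server certificates" in Part 12) and runs the checks a browser applies to the certificate described in this part: expiry, host name match including the one-label wildcard rule, and a chain to a trusted root. It also flags the 1024-bit RSA key from the request steps above, since browsers and CAs require 2048 bits or more today. It assumes the WebAdministration module (IIS 7+), an elevated prompt, and a Cert: provider that exposes DnsNameList (Windows Server 2012+).

```powershell
# Added example: audit IIS HTTPS bindings with browser-style certificate checks.
# Assumes the WebAdministration module (IIS 7+), an elevated prompt and a
# Cert: provider that exposes DnsNameList on certificate objects.
Import-Module WebAdministration

# Does a certificate name cover the host name? A wildcard covers one label only.
function Test-DnsNameMatch([string]$HostName, [string[]]$DnsNames) {
    foreach ($n in $DnsNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName -like "*$($n.Substring(1))" -and
            $HostName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

function Get-IisSslBindingReport {
    foreach ($b in Get-ChildItem IIS:\SslBindings) {
        $cert = Get-Item "Cert:\LocalMachine\$($b.Store)\$($b.Thumbprint)" -ErrorAction SilentlyContinue
        $findings = @()
        if (-not $cert) {
            $findings += 'Certificate not found in the store; the binding cannot serve SSL.'
        } else {
            # The text creates a 1024-bit RSA request; 2048 or more is required today.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($rsa -and $rsa.KeySize -lt 2048) { $findings += "RSA key is only $($rsa.KeySize) bits." }
            if ($cert.NotAfter -lt (Get-Date)) { $findings += "Expired on $($cert.NotAfter)." }
            elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "Expires on $($cert.NotAfter) (within 30 days)." }
            $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
            if ($b.Host -and -not (Test-DnsNameMatch $b.Host $names)) {
                $findings += "Certificate names ($($names -join ', ')) do not match binding host $($b.Host)."
            }
            # Same chain validation a client performs against its trusted root store.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            if (-not $chain.Build($cert)) {
                $findings += 'Chain does not build to a trusted root: ' +
                             (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            }
        }
        [pscustomobject]@{
            Binding    = "$($b.IPAddress):$($b.Port)" + $(if ($b.Host) { " ($($b.Host))" })
            Sites      = @($b.Sites | ForEach-Object { if ($_.Value) { $_.Value } else { "$_" } }) -join ', '
            Thumbprint = $b.Thumbprint
            Subject    = $(if ($cert) { $cert.Subject })
            Findings   = $findings
        }
    }
}

Get-IisSslBindingReport | Format-List
```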

Regards,

Chaitanya
