Slide 1: All Things IIS
Terri Donahue
terrid@terrid.me
https://terrid.me
Slide 2: About me
- Visual Studio and Development Technologies MVP, 4 years
- Emphasis on IIS
- Editor, Course 10972B: Administering the Web Server (IIS) Role of Windows Server
- CIS security IIS benchmarks
Slide 3: Security
- Less is more
- Only install needed modules
- Use secure protocols
- Registry configuration
- Application configuration
- Built-in features:
  - IP address and domain restrictions
  - Host header bindings
  - HSTS (HTTP Strict Transport Security)
Slide 4: Security - installation
- IIS minimal install with security features
- Version of .NET needed to support the application
- IP and domain restrictions
- URL authorization
- Tracing
- Request monitoring

Slide 5: (no text content)
Slide 6: Security - protocols
- Protocols are governed by the Internet Engineering Task Force (ietf.org)
- TLS 1.1 or 1.2
- SSLv2, SSLv3, TLS 1.0
- Currently being developed: TLS 1.3
Slide 7: Security - server/application
- Server: protocol/cipher settings
  - IIS Crypto: https://www.nartac.com/Products/IISCrypto
  - Can manually update the registry
- Application: implementing TLS 1.2
  - http://blogs.perficient.com/microsoft/2016/04/tsl-1-2-and-net-support/

Slide 8: (no text content)
Slide 9: Security - features
- IIS features
  - IP address and domain restrictions: manual configuration, dynamic configuration
  - Host headers: new to IIS 10, wildcard SSL host headers
Slide 10: Security - Dynamic IP Address Restrictions
- Provides the ability to filter IP addresses that exceed a specified number of hits, either concurrent requests or requests over a period of time
- Can choose from multiple Deny Action types: Unauthorized, Forbidden, Not Found, Abort (the only option that does not perform any logging)
- Proxy mode allows IPs to be blocked not only by client IP but also by the X-Forwarded-For HTTP header
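The static and dynamic restrictions from slides 9 and 10, as an added PowerShell example that is not from the deck. It assumes IIS 8 or later with the WebAdministration module; the site name, the denied /24 and the thresholds are constructed values.

```powershell
# Added example (not from the deck): static + dynamic IP restrictions for one site.
# Site name, addresses and limits are constructed; adjust to your environment.
Import-Module WebAdministration

$site    = 'Default Web Site'            # assumed site name
$appHost = 'MACHINE/WEBROOT/APPHOST'     # write into a <location> in applicationHost.config
# ipSecurity is locked for web.config by default; writing to a <location> in
# applicationHost.config (sysadmin change, per slide 17) avoids a lock violation.

# --- Static restriction: deny one constructed /24 (TEST-NET-3, documentation range) ---
Add-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/ipSecurity' -Name '.' `
    -Value @{ ipAddress = '203.0.113.0'; subnetMask = '255.255.255.0'; allowed = 'false' }

# --- Dynamic restriction: block clients that exceed a concurrency or rate threshold ---
$dyn = 'system.webServer/security/dynamicIpSecurity'
# 'Forbidden' still writes a log entry; 'AbortRequest' is the only action that does not,
# so prefer a logged action when you want evidence of who was blocked.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $dyn -Name 'denyAction' -Value 'Forbidden'
# Enable proxy mode only behind a trusted reverse proxy/load balancer that overwrites
# X-Forwarded-For; otherwise the header is client-controlled and the wrong address is blocked.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $dyn -Name 'enableProxyMode' -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByConcurrentRequests" -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByConcurrentRequests" -Name 'maxConcurrentRequests' -Value 20
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByRequestRate" -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByRequestRate" -Name 'maxRequests' -Value 200
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$dyn/denyByRequestRate" -Name 'requestIntervalInMilliseconds' -Value 5000

# --- Read back the effective settings so the change can be verified and audited ---
Get-WebConfiguration -PSPath $appHost -Location $site -Filter $dyn |
    Select-Object denyAction, enableProxyMode,
        @{ n = 'maxConcurrent'; e = { $_.denyByConcurrentRequests.maxConcurrentRequests } },
        @{ n = 'maxRequests';   e = { $_.denyByRequestRate.maxRequests } },
        @{ n = 'intervalMs';    e = { $_.denyByRequestRate.requestIntervalInMilliseconds } }
```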
Slide 11: Security - FTP Logon Attempt Restrictions
- Can be configured to stop brute-force FTP attacks
- Configuration options include the number of failed login attempts and a time period for the block
- Once the maximum number of login attempts has been reached, the IP is blocked from accessing the FTP server for the remaining time period (configured in seconds)
- Can be configured to log only or deny access
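The FTP logon attempt restriction from slide 11, as an added PowerShell example that is not from the deck. It assumes the IIS FTP service (FTP 8.0 on IIS 8 or later) is installed; the thresholds are constructed values.

```powershell
# Added example (not from the deck): FTP logon attempt restrictions (denyByFailure).
# The setting is server-wide and lives in applicationHost.config; values are constructed.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.ftpServer/security/authentication/denyByFailure'

# The section only exists when the FTP service is installed.
if (-not (Get-WebConfiguration -PSPath $appHost -Filter $filter -ErrorAction SilentlyContinue)) {
    throw 'FTP service is not installed; add the Web-Ftp-Server role service first.'
}

# Start in logging-only mode: the FTP log shows who WOULD be blocked, so you can tune
# maxFailure/entryExpiration before enforcement locks out legitimate users.
Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name 'enabled'         -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name 'maxFailure'      -Value 5
Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name 'entryExpiration' -Value '00:10:00'  # 600 s block window
Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name 'loggingOnlyMode' -Value $true

# Flip to enforcement once the log-only period shows no false positives:
# Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name 'loggingOnlyMode' -Value $false

# Verify the effective configuration
Get-WebConfiguration -PSPath $appHost -Filter $filter |
    Select-Object enabled, maxFailure, entryExpiration, loggingOnlyMode
```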
Slide 12: Security - SNI: SSL Scalability
- Server Name Indication is a TLS extension that includes the virtual domain as part of the SSL negotiation
- SNI is a core feature of IIS 8 and above, so no additional install or feature enablement is needed
- Uses the WebHosting certificate store, which is designed to scale to a higher number of certificates than the Personal store
- Provides the ability to bind multiple SSL endpoints to a single IP address
- Requires the client browser to support SNI
- Implemented the same way as traditional SSL
- Supports wildcard host headers in IIS 10
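An SNI binding backed by the WebHosting store, as an added PowerShell example that is not from the deck. It assumes IIS 8 or later, the WebAdministration and PKI modules, and a PFX file; the site name, host name and path are assumptions.

```powershell
# Added example (not from the deck): https binding with SNI and a certificate in WebHosting.
# Site, host name and PFX path are assumed values.
Import-Module WebAdministration

$site     = 'Default Web Site'
$hostName = 'www.example.com'        # IIS 10 also accepts a wildcard here, e.g. '*.example.com'
$pfxPath  = 'C:\certs\example.pfx'   # assumed path
$pfxPass  = Read-Host 'PFX password' -AsSecureString

# 1. Import into the WebHosting store (built to hold many more certificates than 'My').
$cert = Import-PfxCertificate -FilePath $pfxPath -Password $pfxPass `
            -CertStoreLocation 'Cert:\LocalMachine\WebHosting'

# 2. Create the binding with SslFlags=1 (SNI required); shares the IP with other sites.
if (-not (Get-WebBinding -Name $site -Protocol https -HostHeader $hostName)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*' `
        -HostHeader $hostName -SslFlags 1
}

# 3. Attach the certificate to that binding, telling HTTP.SYS which store it lives in.
$binding = Get-WebBinding -Name $site -Protocol https -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'WebHosting')

# 4. Verify: the entry should be a Hostname:port registration, not an IP:port one.
#    Clients without SNI support fall back to whatever is bound on IP:port (or fail).
netsh http show sslcert hostnameport="${hostName}:443"
```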
Slide 13: Security - Application Pools
- Least-access rules
- ApplicationPoolIdentity:
  - Virtual account
  - Limited rights
  - Network access granted to the machine account
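The least-access application pool setup from slide 13, as an added PowerShell example that is not from the deck. Pool name and content paths are assumed; it requires the WebAdministration module and icacls.

```powershell
# Added example (not from the deck): run a pool under ApplicationPoolIdentity and grant
# only the NTFS rights the site needs. Pool name and paths are assumed values.
Import-Module WebAdministration

$pool    = 'ContosoPool'                  # assumed pool name
$content = 'C:\inetpub\wwwroot\contoso'   # assumed content path
$uploads = Join-Path $content 'uploads'   # the one folder the app must write to

if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }

# Use the per-pool virtual account (IIS AppPool\<pool>) instead of NetworkService,
# LocalSystem or a shared domain user, so a compromised site only holds that pool's rights.
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType -Value 'ApplicationPoolIdentity'

# Least privilege on disk: read/execute on content, modify only where the app must write.
$sid = "IIS AppPool\$pool"
icacls $content /grant "${sid}:(OI)(CI)RX" | Out-Null
if (Test-Path $uploads) { icacls $uploads /grant "${sid}:(OI)(CI)M" | Out-Null }

# Off-box resources (UNC shares, SQL Server with Windows auth) see the virtual account as
# the machine account DOMAIN\COMPUTERNAME$, so grant rights to that account there, not to $sid.

# Check: list every pool's identity so none is left on a highly privileged account.
Get-ChildItem IIS:\AppPools |
    Select-Object Name, @{ n = 'Identity'; e = { $_.processModel.identityType } }
```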
Slide 14: Security - HSTS
- Forces the client to use SSL for a specific length of time once a site has been visited
- If any link tries to go back to http, a redirect to https is done

Slide 15: (no text content)
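The HSTS behaviour from slide 14 using the native site-level hsts element, as an added PowerShell example that is not from the deck. It assumes IIS 10.0 version 1709 or later and the IISAdministration module (earlier versions need URL Rewrite or a custom header instead); the site name and max-age are assumed values.

```powershell
# Added example (not from the deck): enable HSTS on one site with the native <hsts> element.
# Requires IIS 10.0 version 1709+; site name and max-age are constructed values.
Import-Module IISAdministration

$siteName = 'Default Web Site'
$maxAge   = 31536000   # seconds the client must keep using https (one year)

Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay
$sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' | Get-IISConfigCollection
$site  = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = $siteName }
$hsts  = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'

# Roll out with a short max-age first (for example 300) until every page, subdomain and
# stress-test tool works over https (slide 27): once cached, browsers refuse plain http
# for the whole period and you cannot shorten it from the server side.
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'             -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'             -AttributeValue $maxAge
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'   -AttributeValue $true
# The "any link back to http is redirected to https" behaviour from the deck:
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps' -AttributeValue $true
Stop-IISCommitDelay

# Verify: the header is only meaningful on an https response, so check the https endpoint.
$hostName = 'www.example.com'   # assumed host name bound to the site
(Invoke-WebRequest -Uri "https://$hostName/" -UseBasicParsing).Headers['Strict-Transport-Security']
```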
Slide 16: Configuration - where changes are saved
- Server level:
  - web.config (root level)
  - applicationHost.config
- Site level:
  - web.config (site level)
  - applicationHost.config location path (only pertains to the specific site)
Slide 17: Configuration - things to consider
- Settings saved in web.config need to be maintained in source control
- If a change is made via the GUI and not merged into the web.config in source, any subsequent update will overwrite the change
- A change recycles the appdomain; schedule accordingly for minimal end-user impact
- Any changes to applicationHost.config will need to be done by a sysadmin
Slide 18: Configuration editor
- Quick access to configuration file settings
- View current settings
- Update settings
- Export a script to use in updating settings programmatically
- Generate script: C#, JavaScript, appcmd, PowerShell

Slide 19: (no text content)
Slide 20: Troubleshooting
- None of these are magic bullets, but they provide data to resolve issues
- Worker Processes (requires the Request Monitor feature to be installed)
- CPU throttling
- appcmd (installed with IIS)
- Failed Request Tracing (FRT) (requires the Tracing feature to be installed)
- Stress test
Slide 21: Troubleshooting - Worker Processes
- View current long-running requests via the IIS GUI: Worker Processes
- Any request taking longer than 0 seconds to complete

Slides 22 and 23: (no text content)
Slide 24: Troubleshooting - CPU Throttling
- Part of the application pool configuration
- Not a reservation of CPU but a way to limit usage
- Assigned per application pool; each application pool can have different limits configured
Slide 25: Troubleshooting - appcmd
- Must be run as administrator
- Shows a command-line view of worker processes
- appcmd list wp
- appcmd list requests
Slide 26: Troubleshooting - FRT
- Requires enabling the Tracing feature
- Provides additional information related to the error
- wwwlog info: GET / - 100 - Mozilla/5.0- - 500 50 13 125 266 374
- FRT info (no text content)
Slide 27: Troubleshooting - Stress Test
- Can show slow or broken pages
- Online or downloadable options
- Some do not support https; test before HSTS configuration if using
- Reports show accessed links, response times and response status
Slide 28: Q&A