IIS 6.0: Lessons in Trustworthy Computing
By Jeff Gonzalez
In the past couple of years, Microsoft’s security programming practices have come under attack, due largely in part to IIS 4/5 exploits. Last January Microsoft Chief Software Architect Bill Gates delivered a company wide e-mail that outlined a concept known as Trustworthy Computing. This resulted in significant changes in the way Microsoft builds and designs software. Internet Information Services 6.0 is the first version of IIS with security in mind. I will explain some of the features and architectural changes in this article.
Application Server Role Overview
The server role is a new feature with Windows Server 2003. To configure a server role, you can install the server role using the Configure Your Server Wizard ( fig. 1 ) and manage your server roles by using Manage Your Server Wizard ( fig. 2 ). There are several built in roles to choose from such as File server, Print server, Mail server, Terminal server, and the Application Server role which I explain further. An application server is a technology that provides core infrastructure services to applications hosted on the server.
Some typical application servers include the following:
- Resource pooling (COM+)
- Distributed transaction management (DTC)
- Asynchronous communication (Message Queuing Services)
- Automatic Web Service interfaces for accessing business objects (UDDI)
- Failover and server health monitoring (Network Load Balancing)
- Integrated Security (Active Directory)
- Web Server (IIS and ASP.NET)
By configuring your server as an application server, you will be installing Internet Information Services and optional technologies such as ASP.NET and COM+.
Application Platform Improvements IIS 6.0 includes several new platform development features such as:
- New COM+ Services for ASP
- Worker Process Recycling
- Dynamic Cache support via VectorSend
- Improved ISAPI Unicode support
- ISAPI Support for custom errors
- Internal Redirection via ExecuteURL Method
- Native ASP.NET Integration
IIS 6.0 and Windows 2003 Server have made significant improvements on the Windows 2000 platform with such features as:
The entire Windows 2003 Server family code base can be compiled for either 32bit or 64bit platforms.
Windows 2003 now implements a production ready, native TCP/IP version 6 protocol stack.
Granular file level compression
In previous versions of IIS, compression was implemented as an ISAPI filter and could only be enabled globally. It can now be configured at the file level.
Quality of Service via resource monitoring
QoS features for IIS 6.0 come in the form of connection limits, timed out connections, application pool queue limits, cpu throttling, bandwidth throttling and memory based process recycling.
Logging improvements address issues such as international support, large sites, or troubleshooting by adding the following features:
- UTF-8 Logging support
- Binary Logging support
- HTTP Error status subcodes
Improved patch management
The patch process for IIS 5.0 was often a headache due to the downtime involved. This has been addressed in IIS 6.0, allowing for less downtime, and automatic patching. All IIS 6.0 application dlls have been compiled resource free to allow greater internalization and localization.
IIS 6 Architecture Overview
IIS 6.0 has several new features that dramatically improve reliability and scalability, such as a new process isolation model much like the worker process isolation mode of ASP.NET, stable request processing architecture, and a revamped and actively managed runtime. Performance improvements like kernel mode queuing and caching have been added. Kernel mode operation allows the system to react to the incoming requests much faster. IIS 5.0 was designed around one process architecture. The one process known as inetinfo.exe functioned as the Web server process. IIS 6.0, in contrast, was redesigned into two new components, the kernel mode HTTP protocol stack (HTTP.sys) and a user-mode administration and monitoring component. This newly designed architecture allows IIS 6.0 to separate the functionality and operational activity from the processing of application code, without sacrificing performance. The two key components in the IIS 6.0 architecture are:
HTTP.sys is a kernel mode protocol stack that queues and parses incoming HTTP requests and caches and returns application content. This component does not load any application code, making it more secure. HTTP.sys listens for requests and queues them as needed. There is a one-to-one relationship between request queues and application pools. HTTP.sys provides a more reliable method of handling requests, because it never executes any application code. HTTP.sys can not be affected by failures in user-mode application code that would normally affect the health of the Web service. HTTP.sys continues to accept and queue requests in the correct queue until one the following happens: the process has been respawned and begins to accept requests, there are no more available queues, all space has been expended in each queue, or the Web service has been shut down. Due to the nature of kernel-mode processing, HTTP.sys is a very efficient request processor.
WWW Service Administration and Monitoring is a user mode process and configuration manager that delegates server operations and monitors the execution of application code. Like HTTP.sys this component does not load or process any application code.
The WWW Service Administrator and monitoring services play two major roles in the IIS 6.0 architecture, server configuration, and worker process management. When the system is initialized, the configuration manager uses the memory resident configuration metabase to initialize the HTTP.sys namespace routing table. Each entry in this table contains reference information that routes incoming URLs to the application pool that contains the corresponding application code. These steps inform the HTTP.sys component that there is an application pool that responds to requests in a part of the namespace, and that prompts HTTP.sys to request a worker process be started for the application pool if any requests come in. All of this registration is done before HTTP.sys begins to route requests. This routing information can be changed dynamically without requiring a service restart.
Applications pools are for managing Web sites and application code. Application pools are separated by Windows 2003 process boundaries. You can configure up to 2,000 application pools per server. An example configuration would be to have Customer A’s applications configured to run inside “Customer A Application Pool ” and Customer B’s applications configured for “Customer B Application Pool”. This provides each application with a significant operational isolation boundary. This allows application pools to operate independently of each other. A request from one application can not be routed to another application pool while being serviced by the current pool. Applications can, however, be reassigned to other pools while the server is running.
Worker process services and isolation
Worker process services are the second new feature we will discuss. This model will seem very familiar to you, if you have had exposure to ASP.NET’s process architecture. A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This new executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. This is very similar to the machine.config section #&060;processModel#&062;, but allows this information to be managed from a GUI interface ( figure 3 ). This management console allows us to configure options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.
IIS 6.0 supports an all new application isolation mode for processing application and Web sites. This is referred to as worker process isolation mode. This allows all application code to be executed in a completely isolated environment without suffering any performance penalty incursion. Requests are pulled from the kernel directly, instead of having a user mode process pull them into the process, and then recommunicate the information to another user-mode process. Transferring kernel objects is vastly faster than incurring interprocess communication performance hits. This completely eliminates the process hops encountered when sending a request to DLLHost.exe and returning it back again. It is noteworthy that there is no longer an in-process application. All application runtime services are supported equally. Again this reinforces the separation boundary that allows several Web sites and applications to run concurrently without adverse affect on each other. Another great feature of worker process isolation is that if a worker process has to come down, another can be spawned in its place to deal with subsequent requests. This had the added benefit of being able to support other OS level services such as CPU throttling.
Some features of worker process isolation include:
Recycling of worker process
When a worker process becomes unstable the monitoring service can automatically respawn processes based on pre-configured criteria such as elapsed time, process request limit, resource usage and on demand. This allows administrators and developers to troubleshoot and manage applications by reducing the amount of downtime caused by an error or faulty application.
Orphaning of worker processes
The monitoring service can mark worker processes gone awry for “orphaning”. It can start a new worker process in the place of the “terminally ill” worker process. The monitoring service can also run a command (like attaching a debugger) on orphaned processes.
Worker process time out
An application pool can be configured to shutdown a worker process to reclaim unused resources if the application has been idle for a specified amount of time. Additional worker processes will be created as demanded.
Multiple application pools
By allowing the configuration of 2,000 application pools, Microsoft has greatly improved the amount of concurrent processes that can run without adverse affect on server health. Each application pool can be configured separately.
Better partitioning of applications across clustered environments
The advent of application pools creates a very real physical boundary between applications. This allows for a greater deal of isolation and flexibility.
Web garden support and processor affinity
Multiple processes can be configured to service requests for individual application pools. By default each application pool has only one worker process but can be configured to support x number of processes. This is referred to as a Web garden because it is similar in nature to a Web farm, but the difference being that it is localized to one single server. The worker processes respond to requests in round-robin fashion. The benefit comes from having multiple worker processes being able to process requests even if an application service (such as the scripting engine) becomes unresponsive. Tying a particular process to a specific CPU is also available as an option.
Kernel mode caching
By providing a high performing request broker running in kernel mode, IIS 6.0 is able to achieve a previously unparalleled level of efficiency. HTTP.sys has been tuned to boost performance on both static and dynamic contents.
Benefits of new request processing architecture include: fewer restarts, increased stability and reliability, higher application availability, and strong application platform support.
There have been several improvements to the IIS 6.0 security model. One of the factors that has been a concern with previous version of IIS is default configuration. IIS was installed and enabled by default in Windows 2000 Server family installations. This caused problems when exploits were released and people were affected without realizing that IIS was even installed. Microsoft has taken several steps to decrease the attack surface of IIS significantly. IIS 6.0 is not installed by default on Windows 2003 Server family installations. When IIS 6.0 is installed, it is configured in a locked-down state. It is little more than a static content Web server. You must enable Web service extensions in order to service dynamic content. ( figure 4 ) In this example I have enabled ASP.NET, ASP Classic, and server-side includes.
In addition, both ASP Classic and ASP.NET have been configured to run under the lowest privileged account possible. Some other improvements include disabling the ability to install IIS via group policy, disabling of IIS on upgrade, buffer overflow detection, and write protection for content. IIS 6.0 also allows configurable identities for each worker process.
Authentication and Authorization
Authentication and Authorization are often confused with each other. Authentication is the method of defining who you are, and authorization determines what privileges you have. With ASP.NET Microsoft has implemented a new authentication method focused on their Single Sign On goals. IIS 6.0 now supports native Passport integration. A Passport account can also be mapped to a Windows account. Authorization has been vastly revamped as well. In the past authorization has been utilized as ACL (Access Control Lists). The problem with this method is that it is very object driven, focused on files, directories, etc … . Most Web-based applications are more task or operation based. The new authorization framework with Windows 2003 Server provides a solution. IIS 6.0 uses this tool by providing gatekeeper authorization to specific URLs. Web applications can also use URL authorization in tandem with the Authorization manager to control access from within the same policy to control application specific tasks or operations. Constrained, Delegated authentication is the last security feature. Delegation is the act of letting a server impersonate as a user on the network. This allows Web applications to act as a network user for the purpose of gathering information from another server in the enterprise and bringing it back to the Web server in a consolidated manner. Configured correctly this can be a very powerful tool in designing application suites because applications can make use of RPC or DCOM. There are a few caveats with this feature, such as malicious server administrators impersonating clients to gain access to unauthorized servers and services.
In order to improve scalability many applications have moved to a clustered or Web farm model. This can prove difficult from a management and administrative point of view in a large environment. Microsoft has added several features to improve the manageability of multiple servers. In previous version of IIS, the metabase has been configured as a binary store of settings. While there was an IIS Admin object model to access this configuration store, it often proved ungainly for the average administrator. The metabase has been converted to a plain text, human readable XML file for configuration with IIS 6.0. The metabase supports historical change versioning, meaning if the metabase is changed and saved, IIS automatically makes a copy of the original metabase and copies it into a history folder. This makes rollback operations of Web servers very easy. Another feature is the ability to modify the metabase while the Web services are running. An administrator can modify settings, such as creating a virtual directory, while the Web site is operational. When the file is saved, the changes are automatically detected and validated, and if valid, applied to the Web server with no restart or recompilation. This significantly improves uptime for configuration changes.
I hope I have been able to convey the very exciting improvements made to the Microsoft Internet Server platform with IIS 6.0 and Windows 2003. I feel Microsoft has made leaps and bounds with this new version. I look forward to working with this technology in the future.