ict.ken.be

Web Pro Series by Scott Forsyth

Categories: IIS Network

These are some notes from the 'Web Pro Series' by Scott Forsyth. The series is a good start for IIS developers.

Forever Penguin

  • most big sites cannot be pinged: they drop ICMP echo requests to limit DoS attacks
  • ping www.google.com -t

Tracert

  • Tracert sends an ICMP echo packet, but it takes advantage of the fact that most Internet routers will send back an ICMP 'TTL expired in transit' message if the TTL field is ever decremented to zero by a router.

DNS

  • Primary zone gives the authoritative answer
  • Host or A-record
  • Alias or CName
  • Mail or MX (lower number is higher priority, same priority then load balance)
  • TXT mainly used for SPF
  • * wildcard has lowest priority

NsLookup

  • set type=ns
  • set type=mx
  • set type=a
  • set type=ptr
  • + yourdomain.com.
  • server
  • lserver
  • ls (lists the zone; mostly fails today because zone transfers are no longer allowed)

Cmd Capturing

  • dir /od | clip (copy to clipboard)
  • ipconfig /all > ipconfig.txt (use >> to append to the file)
  • echo "--- end ---" >> ipconfig.txt
  • copy and paste : properties - enable QuickEdit mode

IIS Bindings

  • Type can be left blank
  • All assigned is a wildcard
  • You can specify the ip manually
  • Port must be specified
  • Hostname left blank will catch everything

SSL Bindings

  • The host header lives at the application layer, so IIS cannot read it before the TLS handshake has completed and the data is decrypted
  • Assign a dedicated ip for each website that needs ssl
  • If sharing ip, you must share cert (only one cert per IP)
  • Wildcard certificate
  • Unified Communications Certificate (SAN)
    • Certificates - Computer Account - Local - Properties - Friendlyname put * in front - Hostname will be selectable
    • Select one site as master binding - system32\inetsrv\appcmd set site /site.name:"<SiteName>" /+bindings.[protocol='https',bindinginformation='*:443:<HostHeader>']
    • eg. appcmd set site /site.name:"ict.ken.be" /+bindings.[protocol='https',bindinginformation='10.240.5.22:443:ict.ken.be']
    • Prevent a request for another site's host from ending up on the master https binding - On Master - Edit Inbound Rule - Matches the Pattern - .* - Match All - HTTP_HOST Does Not Match the Pattern - ^ict\.ken\.be$ - Abort Request

URL Rewrite

  • iis.net - download the URL Rewrite module
  • Rules go in web.config under <system.webServer><rewrite>:

    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <rule name="Redirect to google">
              <match url=".*" />
              <action type="None" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>
  • global level vs site level
  • {HTTP_HOST} - Matches Regular Expression - ^ken\.be$
  • {REMOTE_HOST} - eg. allow only one specific ip
  • Edit Inbound Rule - login\.aspx$ - {HTTP_HOST} - ^ict\.ken\.be$ - {HTTPS} off - redirect https://ict.ken.be/{R:0}
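The login.aspx HTTPS redirect above and the "abort requests for the wrong host" rule from the SSL Bindings section, written out as one site-level web.config. This is an added example, not the series' or the author's own configuration: the host name ict.ken.be and the login.aspx path come from the notes, while the match pattern with a capture group (instead of login\.aspx$ with {R:0}) is my choice so the full path survives the redirect.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- URL Rewrite rules live under <rewrite>; the module is a separate download from iis.net -->
    <rewrite>
      <rules>
        <!-- Rule 1: on the site that owns the SAN-certificate "master" binding, abort
             requests whose Host header is not our own name (another site's name that
             happened to arrive on this IP:443 binding). negate="true" is the UI's
             "Does Not Match the Pattern". -->
        <rule name="Abort requests for unknown hosts" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTP_HOST}" pattern="^ict\.ken\.be$" negate="true" />
          </conditions>
          <action type="AbortRequest" />
        </rule>

        <!-- Rule 2: force HTTPS for the login page. {R:N} refers to the capture groups of
             the match pattern, not to the whole request URL, so the group keeps the
             complete path (e.g. admin/login.aspx) available as {R:1}; a bare
             login\.aspx$ pattern would only give "login.aspx" in {R:0}. -->
        <rule name="Redirect login to HTTPS" stopProcessing="true">
          <match url="^(.*login\.aspx)$" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTP_HOST}" pattern="^ict\.ken\.be$" />
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <!-- Permanent (301) once the rule is proven; use redirectType="Found" while testing,
               because browsers cache 301s aggressively -->
          <action type="Redirect" url="https://ict.ken.be/{R:1}"
                  redirectType="Permanent" appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Rules are evaluated top to bottom and stopProcessing="true" ends the evaluation, so the abort rule sits first. Saving this web.config recycles the AppDomain (see the recycle list further down), so test the patterns with the rewrite module's "Test pattern" dialog before saving on a busy site.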

Regex

  • http://www.ultrapico.com/expresso.htm
  • http://regexlib.com
  • ^ start
  • $ end
  • . any single char (not line breaks like \r & \n)
  • \ to escape special characters
  • + 1 or more of the preceding (e.g. .+)
  • * 0 or more of the preceding (e.g. .*)
  • | or
  • ? optional
  • () to create a group for back references
  • [^&] anything but a &
  • [] character class
  • \w word character (alphanumeric or underscore)
  • \d digit
  • {n} repeat n times
  • {R:0} back reference to the URL match
  • {C:0} back reference to the condition match

AppDomain will be recycled when

  • iis settings that affect application pool
  • web.config changes (saving in Notepad with Ctrl-S is enough, even without a change)
  • App_* are touched 
  • bin folder is touched
  • adding a folder
  • change the default document order (changes web.config)
  • web.config or machine.config in .Net framework folder
  • not when changing applicationHost.config (system32\inetsrv\config\applicationHost.config)

IIS Outbound Rules

  • update pages and headers on the way out
  • rewrite outbound rule
  • (.*)google\.com(.*) -> {R:1}bing.com{R:2}
  • not possible for static compression
  • Server Variable: RESPONSE_X_Server_Name -> Your domain name is {HTTP_HOST}
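The outbound rule and the response-header rule above, as an added web.config fragment (not the series' own configuration). The preCondition name IsHtml is my choice; the header name follows from the page's RESPONSE_X_Server_Name (underscores in the variable name become dashes in the header).

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <preConditions>
          <!-- Only touch HTML responses. The body must reach the module uncompressed:
               if it arrives gzip/deflate encoded the module fails the request with
               HTTP 500.52 instead of rewriting it, which is the "not possible for
               static compression" note above. -->
          <preCondition name="IsHtml">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>

        <!-- Rewrite the href of every <a> tag: google.com becomes bing.com, keeping
             whatever stands before and after it via {R:1} and {R:2}. -->
        <rule name="Replace google with bing" preCondition="IsHtml">
          <match filterByTags="A" pattern="(.*)google\.com(.*)" />
          <action type="Rewrite" value="{R:1}bing.com{R:2}" />
        </rule>

        <!-- Add a response header. RESPONSE_ plus the header name addresses a response
             header; pattern=".*" matches whether or not the header already exists. -->
        <rule name="Add X-Server-Name header">
          <match serverVariable="RESPONSE_X_Server_Name" pattern=".*" />
          <action type="Rewrite" value="Your domain name is {HTTP_HOST}" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Check the result with a header inspector or curl -I. Note that {HTTP_HOST} is whatever Host header the client sent, so the second rule echoes a client-controlled value into the response; that is fine for a demo header but not something to build logic on.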

IIS Folders

  • Normal folder
  • Application folder (separate boundaries)
  • vDir Only Folder (when folder has different physical location)
  • vDir with Application

Overlapping App Pools (90 seconds)

  • w3wp.exe
  • appcmd list wp
  • http.sys -> w3wp.exe

IIS 7 - Configuration System

redirection.config -> applicationHost.config -> administration.config -> web.config (site) -> web.config (app)
machine.config -> web.config (root) -> web.config (site) -> web.config (app) -> web.config (subfolders)

c:\windows\system32\inetsrv\config

  • Anything on read/write in feature delegation can be changed through the web.config (also for remote configuration)
  • You can see in the statusbar if web.config will be changed.
  • SSL is not delegated by default.

Gotchas:

  • Easy to overwrite settings
  • AppDomain recycle on change of web.config
  • Configuration is 'all over the place'
  • Not replicated with shared config

applicationHost.config Editing

  • <applicationPools>
  • <sites>
  • <system.webServer>
  • <webFarms>
  • <location>

IIS Schemas: c:\windows\system32\inetsrv\config\schema

Process Monitor: http://www.sysinternals.com

IUSR is used for anonymous access, unless you set it on the pool.

IIS Runtime page requests

  • rsca
  • Worker Processes - Running Pools - Click - View Current Requests
  • appcmd /?
  • appcmd list request /?
  • appcmd list request | clip
  • appcmd list request /site.name:foo.com /elapsed:5000

Application Pools Identity

  • Remove users for file permissions
  • iis apppool\foo.com (virtual account)
  • Object Types - Make sure built-in security is checked

For IIS 7: icacls c:\inetpub\wwwroot /grant "iis apppool\foo.com":(OI)(CI)(RX)

  • network service controls the iis apppool user
  • User mapping is done by the AppHostSvc on creation.
  • Use custom user when the account needs network access.

Securing IIS

  • LocalService
  • LocalSystem
  • NetworkService
  • ApplicationPoolIdentity (no password needed)
  • Custom Account, no need to add to a group.

Disk Permissions:

  • No need for inheritance, creator owner, users, trustedinstaller.
  • So we have SYSTEM, ADMINISTRATOR and CUSTOM USER
  • Prefer local user to a domain user.

Website - Authentication - Anonymous Access - set the anonymous user to the application pool identity when every site has its own pool

Web Gardens

Maximum Worker Processes defaults to 1 (no garden)

pro

  • Remove contention with concurrent requests
  • PHP ISAPI Mode may benefit (or com+) -> move to FastCGI
  • Troubleshooting measure

con

  • In-proc session state won't work
  • Shared memory/cache is duplicated
  • First hit per worker process
  • Base memory adds up
  • More processes to monitor

There is no real need to use web gardens.

Better performance tuning: http://support.microsoft.com/kb/821268

IP restrictions with URL rewrite

Old-fashioned way:

  • IP Address and Domain Restrictions feature
  • Add Allow Range - 10.240.0.0 - 255.255.0.0
  • Feature by default deny

New way, for example for a staging site:

  • In code, eg. <% If Request("HTTP_HOST") = "staging.contoso.com" %>...<% End If %> (only static rules)
  • URL Rewrite at global level
  • Add Rewrite Map - Authorized Admin IP - Add Mapping Entry - Some IP + New Value = 1
  • Add Rule - Flag Authorized Admins - Pattern * - {Authorized Admin IP:{REMOTE_ADDR}} - Matches Pattern - 1
  • Then add server variable HTTP_X_AUTHORIZED_ADMIN - yes
  • Action Type - None
  • Add Rule - Block unauthorized users
  • {HTTP_HOST} - Matches - ^staging\..*
  • {HTTP_X_AUTHORIZED_ADMIN} - Not Match - yes
  • Custom Response 403 Forbidden
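Both approaches above written out as one web.config, as an added example that is not the series' configuration. The notes put the rewrite rules at global level (applicationHost.config); the elements are the same there. The allowed range 10.240.0.0 / 255.255.0.0 and the staging host pattern come from the notes, and the admin address 10.240.5.22 is borrowed from the SSL binding example earlier on this page. It differs from the listed steps in one respect: a first rule resets HTTP_X_AUTHORIZED_ADMIN on every request before the flag rule sets it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- Old-fashioned way: IP Address and Domain Restrictions feature.
         allowUnlisted="false" is the "feature by default deny" setting. -->
    <security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="10.240.0.0" subnetMask="255.255.0.0" allowed="true" />
      </ipSecurity>
    </security>

    <!-- New way: URL Rewrite with a rewrite map of authorized admin addresses. -->
    <rewrite>
      <rewriteMaps>
        <!-- key = client address, value = 1 for authorized; unknown keys give defaultValue -->
        <rewriteMap name="Authorized Admin IP" defaultValue="0">
          <add key="10.240.5.22" value="1" />
        </rewriteMap>
      </rewriteMaps>
      <rules>
        <!-- HTTP_X_AUTHORIZED_ADMIN is a request header (X-Authorized-Admin) as far as the
             module is concerned, so a client could send that header itself. Overwrite it on
             every request before the flag rule runs, so only the flag rule can set "yes". -->
        <rule name="Clear admin flag" stopProcessing="false">
          <match url=".*" />
          <serverVariables>
            <add name="HTTP_X_AUTHORIZED_ADMIN" value="no" />
          </serverVariables>
          <action type="None" />
        </rule>

        <!-- Flag requests whose REMOTE_ADDR maps to 1 in the rewrite map. -->
        <rule name="Flag Authorized Admins" stopProcessing="false">
          <match url=".*" />
          <conditions>
            <add input="{Authorized Admin IP:{REMOTE_ADDR}}" pattern="1" />
          </conditions>
          <serverVariables>
            <add name="HTTP_X_AUTHORIZED_ADMIN" value="yes" />
          </serverVariables>
          <action type="None" />
        </rule>

        <!-- Block everything on staging.* that was not flagged. -->
        <rule name="Block unauthorized users" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTP_HOST}" pattern="^staging\..*" />
            <add input="{HTTP_X_AUTHORIZED_ADMIN}" pattern="^yes$" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Access to the staging site is restricted." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

URL Rewrite only lets a rule set a server variable that is listed under <allowedServerVariables> in the server-level rewrite configuration (the "View Server Variables" page at server level), so HTTP_X_AUTHORIZED_ADMIN has to be added there first. Both approaches trust the address the TCP connection came from: behind a load balancer or reverse proxy REMOTE_ADDR is the proxy's address, and the rules would then allow or deny everyone alike.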