Internet Information Services Manager (8.0)

Web page by Kevin Harris of Homer IL


Internet Information Services (IIS)

Internet Information Services (IIS) is Microsoft's extensible web server for the Windows family of operating systems. IIS supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part of the Windows family since Windows NT 4.0. However, IIS is not turned on by default. Instead, you use the Add/Remove Programs dialog box in Control Panel to install IIS and add/remove optional components. The IIS Manager is then accessed through the Microsoft Management Console or Administrative Tools in the Control Panel.

ASP.NET continues to evolve with self-hosting and host-agnostic abilities, but the majority of ASP.NET web applications currently run on IIS. The history of IIS shows several significant redesigns of the server for reasons of security, reliability, and performance. IIS 7 was a complete redesign of IIS which reduced the attack surface and provided improved reliability and performance. IIS 7 introduced the Integrated Pipeline working mode, which merged the IIS pipeline with ASP.NET processing. This allowed ASP.NET to manipulate requests with custom modules and handlers. For compatibility, IIS 7 also supports the classic mode (the only mode in IIS 6 and below), in which there were two separate pipelines for IIS and ASP.NET processing. The working mode is selected for a particular application pool, and all applications within that pool then have the same working mode. The Integrated Pipeline mode is the default mode, and it provides faster request serving and more resource control.

IIS 5 was one executable assembly which executed all the requests for all the web sites on a machine. The IIS 5 design was vulnerable to a buffer overflow attack, as was used by the Code Red worm. The Code Red worm defaced websites and launched denial of service attacks on certain days of the month. Shortly thereafter, the even more effective Nimda worm exploited the IIS 5 directory traversal vulnerabilities. Nimda used five different attack vectors and was capable of infecting files over the network. Nimda quickly spread around the world. Nimda would create a guest account with administrative privileges which required no password. It would also turn every drive from C to Z into an open network share and disable sharing security.

The worms which attacked IIS 5 were successful because IIS 5 ran web code in Kernel mode. This allowed the worms to take over the entire server. In IIS 6 Microsoft created a User mode (Worker Processes = w3wp.exe) and a Kernel mode (HTTP.sys) to keep the user processes isolated from the Kernel mode. Requests arrive in the Kernel mode, but they are then transferred to the worker processes in the User mode to execute the web code. The User mode contains application pools (app pools), which are really application settings around a group of worker processes. App pools are isolated from each other, so processes in one app pool cannot affect processes in another app pool, and one app pool that is having a problem cannot affect the entire server.

Each app pool has its own request queue. If one process fails, it does not affect the other requests which are waiting in the pool. An app pool can only execute one version of .NET. Prior to IIS 7, the process in the app pool which started first determined the .NET version for the entire app pool. This could cause problems for other apps in the pool. So in IIS 7+ the version of .NET the app pool will support is specified explicitly. IIS 7 allows you to configure events to create logs, such as the logEventOnRecycle event, which lets you create a log entry each time an app pool recycles.

Worker processes are actual operating system processes which run the web code. They can be seen as w3wp.exe in the Windows Task Manager. Output caching occurs in the Kernel mode. If a request can be served with data from the cache, it does not have to go on to a worker process, but can go straight back out from the Kernel. The Kernel has its own error log located at C:\Windows\System32\LogFiles\HTTPERR\httperr1.log.
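
The HTTP.sys error log mentioned above is where requests that never reached a worker process are recorded, so it is the first place to look when an app pool is failing or its queue is full. The following is an added example, not code from the original page: a small PowerShell parser that reads the file's own "#Fields:" header and summarizes the entries by s-reason. The log lines in $sampleLog are constructed sample data in the httperr format; in production you would read the real httperr1.log instead.

```powershell
# Added example (not from the original page): summarize HTTP.sys error log entries
# by s-reason so that app pool failures (QueueFull, AppOffline, AppShutdown) stand
# out from routine idle-connection timeouts.
# The log below is CONSTRUCTED sample data in the httperr format. The column list
# is taken from the file's own '#Fields:' header, so the parser also handles older
# files that lack the streamid column.
$sampleLog = @'
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2016-05-10 03:12:00
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sstatus s-siteid s-reason s-queuename
2016-05-10 03:12:44 10.0.0.15 52113 10.0.0.5 80 HTTP/1.1 GET /default.aspx - 503 1 QueueFull DefaultAppPool
2016-05-10 03:12:45 10.0.0.15 52114 10.0.0.5 80 HTTP/1.1 GET /default.aspx - 503 1 QueueFull DefaultAppPool
2016-05-10 03:13:01 10.0.0.22 50102 10.0.0.5 80 - - - - - - Timer_ConnectionIdle -
2016-05-10 03:14:10 10.0.0.31 49311 10.0.0.5 80 HTTP/1.1 GET /app/ - 503 2 AppOffline IntranetPool
2016-05-10 03:15:22 10.0.0.22 50190 10.0.0.5 80 HTTP/1.1 GET / - 400 - BadRequest -
'@

function Parse-HttpErrLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names come from the header, not from a hard-coded list.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { throw 'Data line found before the #Fields header' }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

# Production use: replace $sampleLog with
#   Get-Content C:\Windows\System32\LogFiles\HTTPERR\httperr1.log
$entries = Parse-HttpErrLog -Lines ($sampleLog -split "`r?`n")

# Reasons that point at the worker process / app pool rather than at the client.
$appPoolReasons = 'QueueFull', 'AppOffline', 'AppShutdown', 'AppPoolTimer', 'Disabled', 'Connection_Abandoned_By_ReqQueue'

$entries | Group-Object s-reason | Sort-Object Count -Descending |
    Select-Object @{ n = 'Reason';       e = { $_.Name } },
                  Count,
                  @{ n = 'AppPoolIssue'; e = { $_.Name -in $appPoolReasons } },
                  @{ n = 'Queues';       e = { ($_.Group.'s-queuename' | Sort-Object -Unique) -join ',' } }
```

On the sample data this reports QueueFull (2, DefaultAppPool) and AppOffline (1, IntranetPool) as app pool issues, while Timer_ConnectionIdle and BadRequest are left as client-side noise. The same grouping over a real log, run on a schedule, is a cheap health check for the recycling and idle-timeout settings discussed later on this page.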

The isolation of web code execution from the Kernel in IIS 6 was successful in resolving the security problems. The IIS 7 redesign focused on splitting up the Kernel processing into modules with extensible (pluggable) components. The pluggable component model reduced the attack surface by allowing unneeded components to not be installed. This also improved performance. The pluggable component model also allowed for custom implementations to be used. The applicationHost.config file contains the list of modules to be executed in the IIS pipeline. This file can be changed in the IIS Manager, or manually edited, to specify which modules (including custom modules) will be executed in the processing pipeline.

applicationHost.config = c:\Windows\System32\inetsrv\config\applicationHost.config

IIS Versions and Associated Operating Systems

Version   Operating System
1.0       Windows NT Server 3.51
2.0       Windows NT Server 4.0
3.0       Windows NT Server 4.0
4.0       Windows NT Server 4.0 SP3
5.0       Windows 2000
5.1       Windows XP Professional
6.0       Windows Server 2003
7.0       Windows Vista and Windows Server 2008
7.5       Windows 7 and Windows Server 2008 R2
8.0       Windows 8 and Windows Server 2012
10.0      Windows 10 and Windows Server 2012 R2

Development Web Servers

IIS Express

IIS Express - Development Web Server in Visual Studio

Visual Studio provides a development web server for testing web applications during development. The Cassini development web server was built into Visual Studio versions prior to VS 2010. Then the IIS Express development web server was built into VS 2012, VS 2013, and VS 2015. It is possible to upgrade VS 2010 SP1 with IIS Express.

Cassini was a limited server which did not contain the features of the full production web server. When developing with Cassini, problems would not appear until the application was deployed to the production server. IIS Express provides almost all the features of IIS 7. For example, Cassini did not support HTTPS, while IIS Express does. Before IIS Express, developers would often install a local version of IIS to fully test how their applications would behave before releasing to the production web server. However, this required administrator privileges and tied the version of IIS to the operating system version. IIS Express works with all versions of ASP.NET and supports all ASP.NET application types. IIS Express provides a development environment which is built into the newer versions of Visual Studio and more closely matches the features of IIS 7+.

IIS Configurations

Each web application running on a single web server must differ in one of these three ways:

  1. IP Address
  2. Port Number
  3. Host Header

Web applications are grouped into app pools. Configurations in IIS are frequently made at the app pool level, affecting all web applications within the app pool. Two app pool configurations which are commonly adjusted are:

  1. Recycling - The default is approximately every 29 hours. Since the session and cache are lost when the worker processes recycle, this configuration is commonly set to a time of day when there are likely to be few users on the system. Recycling is an important process as it allows worker processes to be restarted, so any issues, like memory leaks, are cleaned up.

  2. Worker Process Idle Time Outs - The default worker process idle timeout is 20 minutes. If the web applications have light traffic, you may wish to adjust this to a larger value. Note, this is different from the session timeout. However, when the worker process times out, it will drop the session and cache.
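
Both settings above can be applied from the IIS Manager, but on a production host they are usually scripted. The following is an added example, not code from the original page, showing the same two changes with the WebAdministration PowerShell module (the IIS: drive). It assumes an elevated session on the IIS host; the pool name ContosoPool is a placeholder for your own app pool.

```powershell
# Added example (not from the original page): configure app pool recycling and
# idle timeout with the WebAdministration module.
# Assumptions: elevated PowerShell session on the IIS host; 'ContosoPool' is a
# placeholder app pool name.
Import-Module WebAdministration

$pool = 'IIS:\AppPools\ContosoPool'
if (-not (Test-Path $pool)) { throw "App pool not found: $pool" }

# 1. Recycling. The default is a rolling periodic restart of 1740 minutes
#    (about 29 hours), which drifts into business hours. Turn the rolling
#    interval off and recycle at a fixed low-traffic time instead, so the
#    session and cache are lost when few users are affected.
Set-ItemProperty $pool -Name recycling.periodicRestart.time -Value ([TimeSpan]::Zero)
Clear-ItemProperty $pool -Name recycling.periodicRestart.schedule
New-ItemProperty $pool -Name recycling.periodicRestart.schedule -Value @{ value = '03:00:00' } | Out-Null

#    logEventOnRecycle: write a System event log entry for every recycle so that
#    an unexpected restart (memory limit, config change) is visible afterwards.
Set-ItemProperty $pool -Name recycling.logEventOnRecycle `
    -Value 'Time,Schedule,Memory,IsapiUnhealthy,OnDemand,ConfigChange,PrivateMemory'

# 2. Worker process idle timeout. Default is 20 minutes; a light-traffic site can
#    keep its worker process (and its session/cache) alive longer. A value of
#    00:00:00 disables idle shutdown entirely.
Set-ItemProperty $pool -Name processModel.idleTimeout -Value ([TimeSpan]::FromMinutes(60))

# Read the effective values back to confirm the change took.
'periodicRestart.time = ' + (Get-ItemProperty $pool -Name recycling.periodicRestart.time).Value
'periodicRestart.schedule = ' + ((Get-ItemProperty $pool -Name recycling.periodicRestart.schedule.collection).value -join ', ')
'processModel.idleTimeout = ' + (Get-ItemProperty $pool -Name processModel.idleTimeout).Value
```

Setting periodicRestart.time to zero matters: if the rolling interval is left at its default alongside a schedule, the pool recycles on both triggers. Check the System event log (source WAS) after the first scheduled recycle to confirm that logEventOnRecycle is recording the reason.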

Configurations can also be made to all the web applications running on a server by changing the machine.config file.

machine.config = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config

Three common misconfiguration problems for production web applications are displaying the developer exception page (instead of a friendly, less revealing, error page), running in debug mode, and running with tracing enabled. In IIS 7 the deployment retail setting can be added to the machine.config file, which will override all three of these settings in all the web.config files to be appropriate for production. That is, adding <deployment retail="true" /> to machine.config OVERRIDES the settings in all the web.config files to:

  1. <customErrors mode="On" />
  2. <compilation debug="false" />
  3. <trace enabled="false" />
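
Because these three settings live in per-application web.config files, a server with many sites is easy to audit and easy to get wrong. The following is an added example, not code from the original page: a PowerShell function that checks a web.config for the three misconfigurations named above and reports whether a machine.config <deployment retail="true" /> would override them anyway. The two XML documents in $sampleWebConfig and $sampleMachineConfig are constructed sample input; the function name Test-ProductionWebConfig is my own.

```powershell
# Added example (not from the original page): audit web.config for the three
# production misconfigurations (developer exception page, debug mode, tracing)
# and account for the machine.config <deployment retail="true"/> override.
# The XML below is CONSTRUCTED sample input; the real paths are given at the end.

$sampleWebConfig = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" targetFramework="4.5" />
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>
'@

$sampleMachineConfig = @'
<?xml version="1.0"?>
<configuration>
  <system.web>
    <deployment retail="false" />
  </system.web>
</configuration>
'@

function Test-ProductionWebConfig {
    param(
        [Parameter(Mandatory)][xml]$WebConfig,
        [xml]$MachineConfig
    )
    $web = $WebConfig.configuration.'system.web'
    $findings = @()

    # 1. customErrors mode="Off" serves the developer exception page (stack traces,
    #    source lines, server paths) to every client.
    if ($web.customErrors -and $web.customErrors.mode -eq 'Off') {
        $findings += 'customErrors mode="Off": use mode="On" (or "RemoteOnly")'
    }
    # 2. compilation debug="true" disables optimisations and request timeouts and
    #    embeds debug information in compiled pages.
    if ($web.compilation -and $web.compilation.debug -eq 'true') {
        $findings += 'compilation debug="true": use debug="false"'
    }
    # 3. trace enabled="true" exposes Trace.axd with request and session details;
    #    localOnly="false" makes it reachable remotely.
    if ($web.trace -and $web.trace.enabled -eq 'true') {
        $findings += 'trace enabled="true": use enabled="false"'
    }

    # machine.config <deployment retail="true"/> forces all three to their
    # production values regardless of what each web.config says.
    $retail = $false
    if ($MachineConfig) {
        $dep = $MachineConfig.configuration.'system.web'.deployment
        $retail = ($null -ne $dep) -and ($dep.retail -eq 'true')
    }

    if ($retail)                { $risk = 'None (retail override active)' }
    elseif ($findings.Count -gt 0) { $risk = 'High' }
    else                        { $risk = 'Low' }

    [pscustomobject]@{
        Findings           = $findings
        OverriddenByRetail = $retail
        EffectiveRisk      = $risk
    }
}

# Constructed sample: all three findings, retail="false", so EffectiveRisk is High.
Test-ProductionWebConfig -WebConfig ([xml]$sampleWebConfig) -MachineConfig ([xml]$sampleMachineConfig) | Format-List

# Real files on the server (paths from this page; site path is a placeholder):
#   Test-ProductionWebConfig `
#     -WebConfig     ([xml](Get-Content 'C:\inetpub\wwwroot\YourSite\web.config' -Raw)) `
#     -MachineConfig ([xml](Get-Content 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config' -Raw))
```

Run it against every web.config under the web root (Get-ChildItem -Recurse -Filter web.config) and treat any High result on a production host as a deployment defect; setting retail="true" in machine.config is the single change that closes all three at once, which is why the page recommends it.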

Configurations to all web applications on a machine can also be made by changing the root web.config file.

root web.config = c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

Server configurations to individual web applications can also be made by making changes to the <system.webServer> section of the web.config file. Configurations are inherited down the chain of configuration files (machine.config, root web.config, site web.config, local web.config) with the more local settings taking precedence.

Delegation allows web administrators to decide which configurations can be overridden at a lower level (perhaps by a developer). This is set in the applicationHost.config file with the overrideModeDefault="Allow" setting in the system.webServer sections. There is also an allowDefinition setting which controls where the configuration can be changed (MachineOnly|MachineToApplication|AppHostOnly|Everywhere). Delegation allows administrators to determine which configurations are "safe" for developers to change. This can allow developers to move an application through stages (development, test, production) without having administrators change settings for each stage.
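
Rather than editing applicationHost.config by hand, the lock state of a section can be read and set from PowerShell. The following is an added example, not code from the original page, using Get-WebConfiguration and Set-WebConfiguration with the -Metadata overrideMode switch from the WebAdministration module. It assumes an elevated session on the IIS host; the two sections are chosen to illustrate the "safe to delegate" decision and are not a recommendation about any particular server.

```powershell
# Added example (not from the original page): inspect and set section delegation
# (overrideMode) with the WebAdministration module.
# Assumptions: elevated PowerShell session on the IIS host. The sections below are
# illustrative: error pages are typically safe to hand to developers, while
# authentication settings are typically kept under administrator control.
Import-Module WebAdministration

$sections = @(
    'system.webServer/httpErrors'
    'system.webServer/security/authentication/anonymousAuthentication'
)

function Show-SectionLocks {
    param([string[]]$Sections)
    foreach ($section in $Sections) {
        # -Metadata returns the section's lock state as stored in applicationHost.config.
        $meta = Get-WebConfiguration -Filter $section -PSPath 'IIS:\' -Metadata
        '{0,-70} overrideMode={1}' -f $section, $meta.OverrideMode
    }
}

'Before:'
Show-SectionLocks -Sections $sections

# Delegate httpErrors: a developer may then set friendly error pages in the
# site's own web.config without an administrator touching applicationHost.config.
Set-WebConfiguration -Filter 'system.webServer/httpErrors' -PSPath 'IIS:\' `
    -Metadata overrideMode -Value Allow

# Lock anonymousAuthentication at the server level: an <anonymousAuthentication>
# element in a site web.config is then rejected with an HTTP 500.19 configuration
# error instead of silently changing who may reach the application.
Set-WebConfiguration -Filter 'system.webServer/security/authentication/anonymousAuthentication' -PSPath 'IIS:\' `
    -Metadata overrideMode -Value Deny

'After:'
Show-SectionLocks -Sections $sections

# The same two changes with appcmd:
#   %windir%\system32\inetsrv\appcmd unlock config /section:httpErrors
#   %windir%\system32\inetsrv\appcmd lock   config /section:anonymousAuthentication
```

The Deny side is the one worth reviewing periodically: anything an administrator has not locked is, in effect, delegated to whoever can write the site's web.config, so the list of unlocked sections is part of the server's attack surface and belongs in a configuration baseline.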


Internet Information Services Manager (10.0)

Internet Information Services 10 (Windows 10/Windows Server 2012 R2)

IIS Administration

IIS 10.0 Manager allows you to:

  • Manage IIS and ASP.NET in one tool.
  • View health and diagnostic information that includes the ability to view currently running requests in real time.
  • Configure user and role authorization for sites and applications.
  • Delegate site and application configuration to non-administrators.
  • Connect to a web server, site, or application remotely by using HTTP.

aspnet_regiis (ASP.NET Administration Options)

ASP.NET Administration Options

The ASP.NET IIS Registration tool (e.g. %windir%\Microsoft.NET\Framework\v4.0.30319\Aspnet_regiis.exe) is used to register ASP.NET applications with IIS. It can perform the following tasks:

  1. Display the status of all installed versions of ASP.NET.
  2. Register or remove the .NET Framework ASP.NET installation with IIS.
  3. Create new ASP.NET application pools.
  4. Encrypt configuration files.

To display all the versions of .NET registered with IIS, from an admin command prompt, enter:

  1. cd %windir%\Microsoft.NET\Framework\v4.0.30319\
  2. aspnet_regiis -lv

To resolve conflicts, such as when IIS is installed after Visual Studio, from an admin command prompt, enter:

  1. cd %windir%\Microsoft.NET\Framework\v4.0.30319\
  2. aspnet_regiis -i