
{ accelerate it! }

Jorke Odolphi, Web Platform Architect Evangelist, Australia

• IIS yesterday and today
• PHP and FastCGI
• Configuration
• Security
• Management
• Performance

• Monolithic implementation
• Install all or nothing
• Extend functionality only through ISAPI
[Diagram: request processing: Authentication (NTLM, Basic, Anon); Determine Handler (CGI, Static File, ISAPI: ASP.NET, PHP); Send Response (Log, Compress)]

• Server functionality is split into ~ 40 modules...
• Modules plug into a generic pipeline
• Modules extend server functionality through a public module API
[Diagram: pipeline stages: Authentication (NTLM, Basic, Anon), Authorization, ResolveCache, ExecuteHandler (CGI, Static File, ISAPI), UpdateCache, SendResponse (Log, Compress)]

Classic Mode
• Runs as ISAPI
• Runtime limitations
• Only sees ASP.NET requests
• Feature duplication
[Diagram: aspnet_isapi.dll with its own Authentication (Forms, Windows), Map Handler (ASPX) and Trace stages, behind the server's Authentication (Basic, Anon), Determine Handler and Send Response stages]

Integrated Mode
• .NET modules / handlers plug directly into pipeline
• Process all requests
• Full runtime fidelity
[Diagram: Integrated Mode pipeline: Authentication (Forms, Windows), ResolveCache, Map Handler, ExecuteHandler, UpdateCache, Trace, SendResponse, Compress, Log]

• Collaboration with Zend
• Develop and deploy on the same platform
• Built-in support for FastCGI
• Reuse of CGI processes, PHP, Perl, Ruby
• Much faster than standard CGI
• Integrated FastCGI Module part of IIS 7.0

[Diagram: configuration hierarchy: machine.config (.NET global settings), global web.config (ASP.NET global settings), IIS 7 applicationHost.config (global settings and location tags), site root web.config (.NET settings and IIS 7 delegated settings)]

{ configuring Windows 2008 for web workloads }

    appcmd set config /section:system.webServer/fastCGI /+[fullPath='c:\php\php-cgi.exe']

    appcmd set config /section:handlers /+[name='PHP5',path='*.php',verb='GET,HEAD,POST',modules='FastCgiModule',scriptProcessor='c:\php\php-cgi.exe',resourceType='File']

• Secure by default: modular, thus smaller attack surface
• .NET integration: Forms + .NET role membership providers
• Application Pool Isolation by default

• Ultimate low footprint web server
  • Lower memory requirement
  • Lean OS configuration
• Minimize attack and maintenance surface architecture
• Powerful IIS command-line management interface
  • AppCmd scripts and batch files

• IIS 7 integrates URLScan-style rules into config
• Rules stored in web.config for portability

• User access to sites, folders, or files without using NTFS
• URL auth inspired by ASP.NET URL authorization, but designed for admins
• Rules are stored in .config files for portability
• All applications can use it due to the integrated pipeline

• Each pool with unique identity
• Anon user assumes pool identity
• Application Pool Sandbox
  • Configuration Isolation: secure config for pool
  • SID Injection: unique SID for each pool
• Easier configuration and management
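The URLScan-style request filtering rules and the URL authorization rules described above, sketched as a site-level web.config. This is an added example, not part of the original slides; the hr folder, the HRGroup role, the blocked extensions, the hidden segment and the limit values are constructed placeholders, and it assumes both sections are unlocked for delegation in applicationHost.config.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original deck). All names and values
     below are constructed placeholders. -->
<configuration>
  <system.webServer>
    <security>
      <!-- URLScan-style rules, evaluated by RequestFilteringModule
           before any handler (static file, ASP.NET, PHP via FastCGI) runs -->
      <requestFiltering allowDoubleEscaping="false">
        <!-- Tighter than the server defaults: 1 MB body, 2 KB URL, 1 KB query string -->
        <requestLimits maxAllowedContentLength="1048576"
                       maxUrl="2048"
                       maxQueryString="1024" />
        <!-- Same verb set as the PHP handler mapping; everything else is rejected -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- Block leftover backup and include files from being served -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".inc" allowed="false" />
        </fileExtensions>
        <!-- Folder that scripts may read from disk but clients may not request -->
        <hiddenSegments>
          <add segment="includes" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- URL authorization for one folder, with no NTFS ACL changes.
       Runs for every content type because of the integrated pipeline. -->
  <location path="hr">
    <system.webServer>
      <security>
        <authorization>
          <!-- Drop the inherited allow-all rule, then allow one role -->
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="HRGroup" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

With the inherited allow-all rule removed and no other rule matching, requests under hr from users outside the role are denied.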

• App pool ID auto joins IIS_IUSRS (was IIS_WPG)
• SID Injection
[Diagram: SID injection. Labels: Active Directory; Service Host (SVCHost.EXE) with Windows Process Activation Service (WAS) and World Wide Web Service (W3SVC); Worker Process (W3WP.EXE); applicationhost.config entry with AppPool: newPool, username: newPoolUser, password; Windows token groups Domain Users, Users, LOGON_BATCH, Everyone, HRGroup, IIS_IUSRS, newPool, otherPool; Wwwroot\default.htm ACLs with Administrator:F, System:F, SiteOwner:F and either newPool:F or otherPool:F; access results OK / Denied]

{ + forms auth }

• APPCMD: command line
• Managed code: Microsoft.Web.Administration
• WMI: IIS namespace
• PowerShell with managed API and WMI

• View detailed errors in the browser with prescriptive guidance
• New: expose runtime diagnostic information
  • E.g. see all currently executing requests
• Rapidly troubleshoot faulty applications

• Configurable per application or URL
• Failed request log chronicles events for trigger
• Extensible eventing system

{ management + troubleshooting }

    appcmd list requests
    appcmd list requests /site.id:1

    # Load the managed IIS administration API
    [System.Reflection.Assembly]::LoadFrom("c:\windows\system32\inetsrv\Microsoft.Web.Administration.dll")
    $rq = New-Object Microsoft.Web.Administration.ServerManager
    # List the requests currently executing in every worker process
    # (0 = no minimum elapsed time filter)
    $rq.WorkerProcesses | ForEach-Object { $_.GetRequests(0) }

• Better compression for static and dynamic content
• Output caching is a module
  • Per URL / query string / request headers
• Huge improvements to allow for high density or high availability

• Multiple servers sharing the same config
• Updates to config occur in one place
• No config sync required
• Config cached in case of disconnect
• Generally for homogeneous farms: installs, modules, certs

{ performance + scaling }

• Semi-dynamic pages? Enable Output Caching
• Low bandwidth branch offices? Enable Dynamic Compression (~ 5% CPU overhead)
• Need to run many web apps on a single box? Run IIS worker processes in Wow64 mode
  • Room for the OS, scalability for your web apps
  • AppPool setting now: Enable32BitAppOnWow64
• Thinking about buying new web server hardware? W2K8 scales extremely well on new multi-proc boxes (4 and 8 core)
• 1000s of requests per second? Investigate ASP.NET output caching vs. IIS output caching vs. kernel-mode (KM) output caching
• You * script-mapped all requests to ASP.NET in IIS6? Integrated Pipeline is much faster than an IIS6 * scriptmap solution
  • Try together with IIS7 URL Authorization
• PHP applications? PHP on top of FastCGI is much faster than traditional CGI
• The majority of your requests go to your Default Document? Put it on top of the list
  • Otherwise IIS7 has to check every time
  • Static default documents will be cached in kernel mode
• Looking for tools to measure web server performance? Try WCAT 6.3 from www.iis.net/downloads
  • Supports more web application scenarios

• Fully featured Web server supporting IIS7, SharePoint Services and the .NET Framework
  • SQL Server 2008 allowed for local web applications
• Enhanced hardware specification
  • Up to 4 processors
  • Up to 32GB RAM on x64 servers
• Streamlined server with small footprint
  • Only includes Web components and role
  • Server Core installation for minimal footprint

{ Jorke Odolphi }

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Security: BasicAuthModule, DigestAuthModule, WindowsAuthModule, CertificateAuthModule, AnonymousAuthModule, IPSecurityModule, UrlAuthorizationModule, RequestFilteringModule

Application Development: NetFxExtensibility, ISAPIModule, ISAPIFilterModule, CGIModule, ServerSideIncludeModule, ASP, ASP.NET

Health and Diagnostics: HttpLoggingModule, CustomLoggingModule, RequestMonitorModule, HTTPTracingModule, ODBCLogging, LoggingLibraries

FTP Publishing: FTPServer, FTPManagement

Performance: HTTPStaticCompression, HTTPDynamicCompression

Management: ManagementConsole, ManagementScripting, ManagementService, Metabase, WMICompatibility, LegacyScripts, LegacySnap-in

Common HTTP Web Server Components: StaticFileModule, DefaultDocumentModule, DirectoryListingModule, HttpRedirect, CustomErrorModule

Windows Process Activation Service: ProcessModel, NetFxEnvironment, ConfigurationAPI