Free Essay

Internet Information Services

In: Computers and Technology

Submitted By kleanfacekartel
Words 65718
Pages 263
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2008 by Microsoft Corporation
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Control Number: 2008920571
Printed and bound in the United States of America.
1 2 3 4 5 6 7 8 9 QWT 3 2 1 0 9 8
Distributed in Canada by H.B. Fenn and Company Ltd.
A CIP catalogue record for this book is available from the British Library.
Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft
Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress.
Send comments to rkinput@microsoft.com.
Microsoft, Microsoft Press, Active Directory, Internet Explorer, JScript, MSDN, Silverlight, SQL
Server, Visual Basic, Visual Studio, Win32, Windows, Windows Media, Windows NT, Windows
PowerShell, Windows Server, Windows Vista and Xbox are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
Acquisitions Editor: Martin DelRe
Developmental Editor: Karen Szall
Project Editor: Victoria Thulman
Editorial Production: Custom Editorial Productions, Inc.
Technical Reviewers: Bob Dean, Bob Hogan; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Tom Draper Design; illustration by Todd Daman
Body Part No. X14-14918

Download at Boykma.Com

Contents at a Glance
Part I

1
2
3
4
Part II

5
Part III

6
7
8
9
10
11
12
13
14
Part IV

15
16
17
Part V

A
B
C
D

Foundation
Introducing IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Understanding IIS 7.0 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Understanding the Modular Foundation . . . . . . . . . . . . . . . . . . . . . . . . . 57
Understanding the Configuration System . . . . . . . . . . . . . . . . . . . . . . . . 67

Deployment
Installing IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Administration
Using IIS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using Command Line Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Remote Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Managing Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Managing Applications and Application Pools . . . . . . . . . . . . . . . . . . .
Hosting Application Development Frameworks . . . . . . . . . . . . . . . . . .
Managing Web Server Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Managing Configuration and User Interface Extensions . . . . . . . . . . .
Implementing Security Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

153
187
229
259
291
323
367
421
747

Troubleshooting and Performance
Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Tracing and Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Performance and Tuning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605

Appendices
IIS 7.0 HTTP Status Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IIS 7.0 Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IIS 7.0 Modules Listing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Modules Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Download at Boykma.Com

657
663
671
683

iii

iv

Contents at a Glance

E
F
G
H
I
J

IIS 7.0 Default Settings and Time-Outs/Thresholds . . . . . . . . . . . . . . .
IIS 7.0 and 64-Bit Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IIS Manager Features to Configuration References . . . . . . . . . . . . . . .
IIS 6.0 Metabase Mapping to IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IIS 7.0 Shared Hosting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Common Administrative Tasks Using IIS Manager . . . . . . . . . . . . . . . .

Download at Boykma.Com

687
719
723
727
739
745

Table of Contents
Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
What’s New in IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Overview of Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
Document Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Reader Aids . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Sidebars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Command Line Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv
Companion Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv
Find Additional Content Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv
Resource Kit Support Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Part I

1

Foundation
Introducing IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Overview of IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
What’s New in IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Core Web Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Administration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Windows Process Activation Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Application Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Basic Administration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Creating a Web Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Creating an Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Creating a Virtual Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

What do you think of this book? We want to hear from you!
Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:

www.microsoft.com/learning/booksurvey/
Download at Boykma.Com

v

vi

Table of Contents

Creating an Application Pool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Assigning an Application to an Application Pool . . . . . . . . . . . . . . . . . . . . . . . . 21
IIS 7.0 Features in Windows Server 2008 and Windows Vista . . . . . . . . . . . . . . . . . . . 22
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

2

Understanding IIS 7.0 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Overview of IIS 7.0 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
IIS 7.0 Core Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
HTTP.sys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
World Wide Web Publishing Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Windows Process Activation Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Configuration Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Worker Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Request Processing in Application Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Classic Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
.NET Integrated Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Module Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Module Ordering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Non-HTTP Request Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

3

Understanding the Modular Foundation . . . . . . . . . . . . . . . . . . . . . . . . . 57
Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
The Ideas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Types of Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Modules and Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Key Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Extensibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Built-in Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

4

Understanding the Configuration System . . . . . . . . . . . . . . . . . . . . . . . . 67
Overview of the Configuration System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Configuration File Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Configuration File Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Download at Boykma.Com

Table of Contents

vii

The IIS 7.0 Configuration System and the IIS 6.0 Metabase . . . . . . . . . . . . . . . 81
IIS 7.0 and the .NET Configuration Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Editing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Deciding Where to Place Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Setting Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Understanding Configuration Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Managing Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Backing Up Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Using Configuration History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Exporting and Importing Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Delegating Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Sharing Configuration Between Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Part II

5

Deployment
Installing IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Planning the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Installation Scenarios for IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Ways to Install IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Using Server Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Using Package Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Using ServerManagerCMD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Unattended Answer Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Sysprep/New Setup System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Auto-Installs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Windows Server 2008 Setup for Optional Features . . . . . . . . . . . . . . . . . . . . . 139
Post Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Folders and Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Validation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Troubleshooting Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
IIS 7.0 Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Other Related Logging Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Download at Boykma.Com

viii

Table of Contents

Removing IIS 7.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
The User Interface in Windows Server 2008 and Windows Vista . . . . . . . . . 145
Command Line Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Part III

6

Administration
Using IIS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Overview of IIS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Starting IIS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
IIS Manager User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Navigation Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Connections Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Actions Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Understanding Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Feature to Module Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Where the Configuration Is Written . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Feature Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
IIS 7.0 Manager Customization and Extensibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Remote Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

7

Using Command Line Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Using Command Line Management Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Appcmd.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Getting Started with Appcmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Appcmd Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Supported Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Understanding Appcmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
General Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Using Range Operators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Avoiding Common Appcmd Pitfalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Using Basic Verbs: List, Add, Set, Delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Using the List Command to List and Find Objects . . . . . . . . . . . . . . . . . . . . . . 202
Using the Add Verb to Create Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Download at Boykma.Com

Table of Contents

ix

Using the Set Verb to Change Existing Objects . . . . . . . . . . . . . . . . . . . . . . . . . 204
Using the Delete Verb to Remove Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Working with Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Viewing Configuration with the List Config Command . . . . . . . . . . . . . . . . . . 207
Setting Configuration with the Set Config Command . . . . . . . . . . . . . . . . . . . 208
Managing Configuration Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Managing Configuration Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Working with Applications, Virtual Directories, and Application Pools . . . . . . . . . . . 213
Working with Web Server Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Inspecting Running Worker Processes and Requests . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Listing Running IIS Worker Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Listing Currently Executing Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Working with Failed Request Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Turning on Failed Request Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Creating Failed Request Tracing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Searching Failed Request Tracing logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Microsoft.Web.Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Creating Sites with MWA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Creating Application Pools with MWA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Setting Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Windows PowerShell and IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
WMI Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
IIS 7.0 Configuration COM Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

8

Remote Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
The IIS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Web Management Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
WMSvc Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Managing Remote Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Using Remote Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Download at Boykma.Com

x

Table of Contents

9

Managing Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Web Sites, Applications, Virtual Directories, and Application Pools . . . . . . . . . . . . . 259
Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Virtual Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Application Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Administrative Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Adding a New Web Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Configuring a Web Site’s Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Limiting Web Site Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Configuring Web Site Logging and Failed Request Tracing . . . . . . . . . . . . . . 275
Starting and Stopping Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Managing Virtual Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Adding a New Virtual Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Configuring Virtual Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Searching Virtual Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Managing Remote Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Configuring the Application to Use Remote Content . . . . . . . . . . . . . . . . . . . 285
Selecting the Security Model for Accessing Remote Content . . . . . . . . . . . . 285
Configuring Fixed Credentials for Accessing Remote Content. . . . . . . . . . . . 287
Granting Access to the Remote Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

10

Managing Applications and Application Pools . . . . . . . . . . . . . . . . . . . 291
Managing Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Creating Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Listing Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Managing Application Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Application Pool Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Adding a New Application Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Managing Application Pool Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Advanced Application Pool Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Managing Worker Processes and Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Monitoring Worker Processes and Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Download at Boykma.Com

Table of Contents

11

xi

Hosting Application Development Frameworks . . . . . . . . . . . . . . . . . . 323
IIS as an Application Development Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Adding Support for Application Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Supported Application Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Hosting ASP.NET Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Understanding the Integrated and Classic ASP.NET Modes . . . . . . . . . . . . . . 328
Running Multiple Versions of ASP.NET Side by Side . . . . . . . . . . . . . . . . . . . . . 330
Installing ASP.NET. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Deploying ASP.NET Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Additional Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Hosting ASP Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Installing ASP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Deploying ASP Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Additional Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Hosting PHP Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Deploying PHP Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Additional Deployment Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Techniques for Enabling Application Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Enabling New Static File Extensions to Be Served. . . . . . . . . . . . . . . . . . . . . . . 354
Deploying Frameworks Based on IIS 7.0 Native Modules . . . . . . . . . . . . . . . . 356
Deploying Frameworks Based on ASP.NET Handlers . . . . . . . . . . . . . . . . . . . . 357
Deploying Frameworks Based on ISAPI Extensions . . . . . . . . . . . . . . . . . . . . . 358
Deploying Frameworks That Use FastCGI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Deploying Frameworks That Use CGI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

12

Managing Web Server Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Extensibility in IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
IIS 7.0 Extensibility Architecture at a Glance . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Managing Extensibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Runtime Web Server Extensibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
What Is a Module? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Installing Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Common Module Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Using IIS Manager to Install and Manage Modules . . . . . . . . . . . . . . . . . . . . . 396
Using IIS Manager to Create and Manage Handler Mappings . . . . . . . . . . . . 400
Using Appcmd to Install and Manage Modules . . . . . . . . . . . . . . . . . . . . . . . . 403
Download at Boykma.Com

xii

Table of Contents

Creating and Managing Handler Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Securing Web Server Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420

13

Managing Configuration and User Interface Extensions . . . . . . . . . . . 421
Administration Stack Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Managing Configuration Extensions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Configuration Section Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Declaring Configuration Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Installing New Configuration Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Securing Configuration Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Managing Administration Extensions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
How Administration Extensions Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Installing Administration Extensions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Securing Administration Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Managing IIS Manager Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
How IIS Manager Extensions Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Installing IIS Manager Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Securing IIS Manager Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

14

Implementing Security Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Security Changes in IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Reducing Attack Surface Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Reducing the Application’s Surface Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Configuring Applications for Least Privilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Use a Low Privilege Application Pool Identity . . . . . . . . . . . . . . . . . . . . . . . . . 466
Set NTFS Permissions to Grant Minimal Access . . . . . . . . . . . . . . . . . . . . . . . . 468
Reduce Trust of ASP.NET Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Isolating Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Implementing Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
IP and Domain Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Request Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
NTFS ACL-based Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
URL Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

Download at Boykma.Com

Table of Contents

xiii

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Anonymous Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Basic Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Digest Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Windows Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Client Certificate Mapping Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
IIS Client Certificate Mapping Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 503
UNC Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Understanding Authentication Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Securing Communications with Secure Socket Layer (SSL) . . . . . . . . . . . . . . . . . . . . . 511
Configuring SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Requiring SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Client Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Securing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Restricting Access to Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Securing Sensitive Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Controlling Configuration Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Part IV

15

Troubleshooting and Performance
Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
What’s New? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
IIS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
The XML-Based Logging Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Centralized Logging Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
SiteDefaults Configuration Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Disable HTTP Logging Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . 539
Default Log File Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Default UTF-8 Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
New Status Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Management Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Log File Formats That Have Not Changed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Centralized Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
W3C Centralized Logging Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Centralized Binary Logging Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

Download at Boykma.Com

xiv

Table of Contents

Remote Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Setting Up Remote Logging by Using the IIS Manager . . . . . . . . . . . . . . . . . 542
Setting Up Remote Logging by Using Appcmd . . . . . . . . . . . . . . . . . . . . . . . . 544
Remote Logging Using the FTP 7.0 Publishing Service . . . . . . . . . . . . . . . . . . 545
Custom Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Configuring IIS Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
IIS Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Appcmd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Advanced Appcmd Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
HTTP.sys Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Application Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Process Recycling Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
ASP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
IIS Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Folder Compression Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Logging Analysis Using Log Parser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561

16

Tracing and Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Tracing and Diagnosing Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Installing the Failed Request Tracing Module . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Enabling and Configuring FRT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Reading the FRT Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Integrating Tracing and ASP.NET. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Taking Performance into Consideration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Applying a Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Using Tools and Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Troubleshooting HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Solving Common Specific Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
IIS 6.0 Administration Tools Not Installed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
SSl Not Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Unexpected Recycling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Crashes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Unable to Reach Web Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Authentication Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Slow Responses or Server Hanging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Download at Boykma.Com

Table of Contents

xv

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604

17

Performance and Tuning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Striking a Balance Between Security and Performance . . . . . . . . . . . . . . . . . . . . . . . . 606
How to Measure Overhead. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
SSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
The Impact of Constrained Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
What Causes CPU Pressure? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Throttling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
CPU Counters to Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Impact of Constraints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
What Causes Memory Pressure? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Memory Counters to Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Impact of Constraints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Hard Disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
What Causes Hard Disk Pressure? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Hard Disk Counters to Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Impact of Constraints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
What Causes Network Pressure? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
Network Counters to Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Impact of Constraints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
Application-Level Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
64-Bit Mode vs. 32-Bit Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Configuring for Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Server Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Optimizing for the Type of Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Server-Side Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Download at Boykma.Com

xvi

Table of Contents

Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
WCAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Reliability And Performance Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
FRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
Event Viewer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
System Center Operations Manager 2007. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
During Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Scale Up or Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Part V

A
B

Appendices
IIS 7.0 HTTP Status Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
IIS 7.0 Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
HTTP Errors in IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
Substatus Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
A Substatus Code Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Language-Specific Custom Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Custom Error Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Execute a URL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Redirect the Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669

C

IIS 7.0 Modules Listing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Native Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Managed Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679

D
E

Modules Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
IIS 7.0 Default Settings and Time-Outs/Thresholds . . . . . . . . . . . . . . . 687
ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
Application Pool Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717

F

IIS 7.0 and 64-Bit Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
Windows Server 2008 x64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
Configuring a 32-Bit Application on 64-Bit Microsoft Windows . . . . . . . . . . 720

Download at Boykma.Com

Table of Contents

G

xvii

IIS Manager Features to Configuration References . . . . . . . . . . . . . . . 723
ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
IIS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726

H
I

IIS 6.0 Metabase Mapping to IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
IIS 7.0 Shared Hosting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Implementing Process Gating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Using the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740
Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Enabling Dynamic Idle Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Using the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744

J

Common Administrative Tasks Using IIS Manager . . . . . . . . . . . . . . . . 745
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753

What do you think of this book? We want to hear from you!
Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:

www.microsoft.com/learning/booksurvey/
Download at Boykma.Com

Download at Boykma.Com

Acknowledgments
The book that you now hold in your hands is the result of the collective effort of many people.
We’d like to start by thanking Bill Staples, Mai-Lan Tomsen Bukovec, and the whole IIS product team for their support. Several of us work in the IIS product team, and we know firsthand that we simply wouldn’t be able to work on this book without the team’s invaluable assistance. Secondly, we are very grateful to Martin DelRe of Microsoft Press for his vision, his hard work in getting this project off the ground and ensuring its successful completion, and also for his never-ending support and encouragement.
It takes a lot of people and a lot of work to bring a book like this to life. There are several people in particular who we would like to acknowledge; the book would not be there without them. Brett Hill started this project and soldiered through till its completion. Special thanks to
Mike Volodarsky, whose passion for quality and completeness resulted in him stepping up as the lead author. Kurt Meyer helped a lot as a project manager coordinating the writing and ensuring that the project milestones were not widely missed.
Many of our colleagues on the IIS product team had significant input into the book content.
In fact, each chapter was reviewed by at least one member of the product team. Other product team members wrote the “Direct from the Source” sidebars that are peppered throughout the book, bringing you a unique insight into the design and development of IIS 7.0. We would like to express our sincere gratitude to the following members of the IIS product team who worked with us on this book, listed in alphabetical order by first name: Anil Ruia, Bill Staples,
Edmund Chou, Eric Deily, Fabio Yeon, Jaroslav Dunajsky, Kanwaljeet Singla, Nazim Lala,
Michael Brown, Thomas Marquardt, Tobin Titus, Ulad Malashanka, and Wade Hilmo.
We would also like to thank Tito Leverette for his guidance on and contributions to
Chapter 17, “Performance and Tuning.”
Many other teams in Microsoft provided technical reviews and shared their experience and insights. In particular, we are grateful to Tom Hawthorn of the Windows Performance team, as well as George Holman and the whole Microsoft.com Operations team. Nick McCollum of
Quixtar Inc. also helped with technical reviews and suggestions in Chapters 5, 15, and 17.
Next, we would like to acknowledge our outstanding editorial team. In particular, we would like to thank the project editors, Karen Szall and Victoria Thulman of Microsoft Press, for their professionalism, mentoring, excellent editorial work, and, more than anything, their patience.

Download at Boykma.Com

xix

xx

Acknowledgments

Bob Hogan and Bob Dean conducted the book technical reviews, ensuring the writing was consistent and easy to understand. Jean Findley of Custom Editorial Productions, Inc., did a great job managing the book production on a tight schedule.
In addition, we would like to thank Susan Chory and Isaac Roybal for helping us to get this project off the ground. We are also grateful to Simon Brown and Arvindra Sehmi for their encouragement for this work.
Thanks to everyone!
Sincerely,
The Author Team: Mike, Olga, Brett, Bernard, Steve, Carlos, and Kurt

Download at Boykma.Com

Introduction
Welcome to the Internet Information Services (IIS) 7.0 Resource Kit! This book is a detailed technical resource for planning, deploying, and operating Microsoft Internet Information
Services (IIS) 7.0, Microsoft’s next generation Web server platform. Though this resource kit is intended primarily for IT professionals who have had experience with previous versions of
IIS, anyone who is interested in learning about how to deploy and operate IIS 7.0 will find this resource kit extremely valuable.
Within this resource kit, you’ll find in-depth information about the improvements introduced by IIS 7.0 and the underlying architectural concepts that will help you better understand the principles behind deploying and managing IIS 7.0 Web servers, and you’ll discover techniques for taking advantage of new IIS 7.0 features and capabilities. You will also review detailed information and task-based guidance on managing all aspects of IIS 7.0, including deploying modular Web servers; configuring Web sites and applications; and improving Web server security, reliability, and performance. You’ll also find numerous sidebars contributed by members of the IIS product team that provide deep insight into how IIS 7.0 works, best practices for managing the Web server platform, and invaluable troubleshooting tips. Finally, the companion media includes additional tools and documentation that you can use to manage and troubleshoot IIS 7.0 Web servers.

What’s New in IIS 7.0
IIS 7.0 has been re-engineered at its core to deliver a modular and extensible Web server platform, forming the foundation for lean, low-footprint Web servers that power customized workloads and Web applications. The new extensible architecture enables the Web server to be completely customized; you can select only the required IIS features and add or replace them with new Web server features that leverage the new rich extensibility application programming interfaces (APIs). In addition, the Web server enables the use of a new distributed configuration system and management tools that simplify Web server deployment and management. The core feature set of IIS 7.0 continues to leverage the reliability and security-focused architecture established by its predecessor, IIS 6.0, and it adds additional improvements to enhance the reliability and security of the Web server platform. IIS 7.0 also includes extended support for application frameworks, including better integration with
ASP.NET and built-in support for FastCGI-compliant application frameworks.
Among its many improvements, IIS 7.0 delivers the following:


Modular Web server architecture Unlike its monolithic predecessors, IIS 7.0 is a

completely modular Web server, containing more than 40 components that the administrator can individually install to create low-footprint, reduced surface-area Web server deployments that play a specific role in the application topology. Furthermore,
Download at Boykma.Com

xxi

xxii

Introduction

the new extensibility architecture enables any of the built-in modular features to be replaced with customized implementations that Microsoft and third parties provide.


.NET Extensibility through ASP.NET integration The new ASP.NET integration

capabilities enable you to develop IIS 7.0 features with the power of ASP.NET and the
.NET Framework, reducing development and maintenance costs for custom Web server solutions. You can use existing ASP.NET services in this mode to enhance any application technologies, even those that were not developed with ASP.NET in mind.
These abilities enable Web applications using IIS 7.0 to further customize the Web server to their needs without incurring the higher development costs associated with the previously used Internet Server Application Programming Interface (ISAPI).


Enhanced application framework support



IIS 7.0 replaces the centralized metabase configuration store with a new configuration system based on a distributed hierarchy of XML files, which enables applications to control their own configuration. The new configuration system enables simplified application deployment without the overhead of required administrative involvement and provides the foundation for more flexible Web server configuration management.



Improved management tools IIS 7.0 offers a host of management tools that leverage the new configuration system to provide more flexible and simpler configuration management for the Web server. This includes a brand new task-based IIS Manager tool, which offers remote delegated management; a new tool for command line management
(Appcmd); and several APIs for managing Web server configuration from scripts,
Windows Management Instrumentation (WMI), and .NET Framework programs.



Enhanced diagnostics and troubleshooting IIS 7.0 provides diagnostic features to help

In addition to improved ASP.NET integration for extending the Web server, IIS 7.0 provides more options for hosting other application frameworks. This includes the built-in support for the FastCGI protocol, a protocol used by many open source application frameworks such as PHP Hypertext Preprocessor
(PHP) so that they can be reliably hosted in a Windows environment.

Distributed configuration system with delegation support

diagnose Web server errors and troubleshoot hard-to-reproduce conditions with a
Failed Request Tracing infrastructure. The diagnostic tracing features are integrated with ASP.NET applications to facilitate end-to-end diagnostics of Web applications.

Overview of Book
The four parts of this book cover the following topics:


Part I: Foundation Provides an overview of IIS 7.0 features, describes the improvements introduced in IIS 7.0, and introduces the core architecture of the Web server

Download at Boykma.Com

Introduction


xxiii

Part II: Deployment Explains the modular installation architecture for deploying IIS 7.0

and provides procedures for installing IIS 7.0 for common Web server workloads


Part III: Administration Describes the key concepts for managing IIS 7.0 and describes

how to perform management tasks using the management tools that IIS 7.0 provides


Describes how to use the logging and tracing infrastructure to provide for smooth operation of the Web server and troubleshoot error conditions, as well as how to monitor and improve Web server performance

Part IV: Troubleshooting and Performance

The book also includes several appendixes on various topics and a glossary for reference.

Document Conventions
The following conventions are used in this book to highlight special features or usage.

Reader Aids
The following reader aids are used throughout this book to point out useful details.
Reader Aid

Meaning

Note

Underscores the importance of a specific concept or highlights a special case that might not apply to every situation

Important

Calls attention to essential information that should not be disregarded

Caution

Warns you that failure to take or avoid a specified action can cause serious problems for users, systems, data integrity, and so on

On the CD

Calls attention to a related script, tool, template, or job aid on the companion CD that helps you perform a task described in the text

Sidebars
The following sidebars are used throughout this book to provide added insight, tips, and advice concerning different IIS 7.0 features.
Sidebar

Meaning

Direct from the Source

Contributed by experts at Microsoft to provide from-the-source insight into how IIS 7.0 works, best practices for managing IIS 7.0, and troubleshooting tips

How It Works

Provides unique glimpses of IIS 7.0 features and how they work

Download at Boykma.Com

xxiv

Introduction

Command Line Examples
The following style conventions are used in documenting command line examples throughout this book.
Style

Meaning

Bold font

Used to indicate user input (characters that you type exactly as shown)

Italic font

Used to indicate variables for which you need to supply a specific value
(for example, file_name can refer to any valid filename)

Monospace font

Used for code samples and command line output

%SystemRoot%

Used for environment variables

Companion Media
The companion media is a valuable addition to this book and includes the following:


Electronic book



Scripts Scripts to help you automate IIS tasks



Tools Links to tools for IIS, Windows® PowerShell, and more that you can put to use right away



Product information Links to information about the features and capabilities of IIA NS
Windows Server® 2008 and other products to help you optimize Windows Server 2008 in your enterprise



Resources Links to guides, technical resources, webcasts, forums, and more to help you use and troubleshoot the features of IIS, Windows Server 2008, and other products



Sample Chapters

The complete text of the print book, in a searchable PDF eBook

Preview chapters from 15 Windows Server 2008 books, in PDF

format

Find Additional Content Online
As new or updated material becomes available that complements your book, it will be posted online on the Microsoft Press Online Windows Server and Client Web site. Based on the final build of Windows Server 2008, the type of material you might find includes updates to book content, articles, links to companion content, errata, sample chapters, and more. This
Web site will be available soon at: http://www.microsoft.com/learning/books/online/serverclient and will be updated periodically.
Digital Content for Digital Book Readers: If you bought a digital-only edition of this book, you can enjoy select content from the print edition’s companion CD.
Visit http://go.microsoft.com/fwlink/?LinkId=108439 to get your downloadable content. This content is always up-to-date and available to all readers.

Download at Boykma.Com

Introduction

xxv

Resource Kit Support Policy
We have made every effort to ensure the accuracy of this book and the content of the companion media. Microsoft Press provides corrections to this book through the Web at: http://www.microsoft.com/learning/support/search.asp. If you have comments, questions, or ideas regarding the book or companion media content, or if you have questions that are not answered by querying the Knowledge Base, please send them to Microsoft Press by using either of the following methods:
E-mail:
rkinput@microsoft.com
Postal Mail:
Microsoft Press
Attn: Microsoft Internet Information Services 7.0 Resource Kit, Editor
One Microsoft Way
Redmond, WA 98052-6399
Please note that product support is not offered through the preceding mail addresses.
For product support information, please visit the Microsoft Product Support Web site at: http://support.microsoft.com. Download at Boykma.Com

Download at Boykma.Com

Part I

Foundation
In this part:
Chapter 1: Introducing IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2: Understanding IIS 7.0 Architecture. . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 3: Understanding the Modular Foundation. . . . . . . . . . . . . . . . . . . 1
Chapter 4: Understanding the Configuration System . . . . . . . . . . . . . . . . . . 1

Download at Boykma.Com

Download at Boykma.Com

Chapter 1

Introducing IIS 7.0
In this chapter:
Overview of IIS 7.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
What’s New in IIS 7.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Basic Administration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
IIS 7.0 Features in Windows Server 2008 and Windows Vista . . . . . . . . . . . . . . . . 22
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Microsoft Internet Information Services (IIS) 7.0 in Windows Server 2008 is a Web server that provides a secure, easy-to-manage platform for developing and reliably hosting Web applications and services. IIS 7.0 has been completely redesigned and offers major advantages over previous versions of IIS. With its new modular and extensible architecture, IIS 7.0 makes developing, deploying, and configuring and managing Web applications and infrastructure easier and more efficient than ever before.
To put it simply, IIS 7.0 is the most powerful Microsoft Web server platform ever released. It provides an array of new capabilities that improve the way Web applications and services are developed, deployed, and managed. The modular design of IIS 7.0 gives administrators full control over their Web servers’ functionality, providing an extensible architecture that enables administrators and developers to build customized and specialized Web servers. New administration capabilities and the distributed XML-based configuration system make deploying and managing Web applications on IIS 7.0 more straightforward and efficient than on any other Web server. In addition, new diagnostic and troubleshooting capabilities of IIS 7.0 enable administrators and developers alike to minimize potential downtime.
In this chapter, we will focus on the major new features and functionality in IIS 7.0 and their advantages over previous versions of IIS. We will also look at basic administration tasks and discuss the differences in the availability of IIS 7.0 features in Windows Server 2008 and
Windows Vista.

Overview of IIS 7.0
IIS 7.0 provides features and functionality that enable administrators to reliably and effectively manage Web infrastructures; developers to rapidly build Web applications and services; and hosters to provide a cost-effective, scalable, and reliable Web hosting to a broad set of customers.
Download at Boykma.Com

3

4

Part I:

Foundation

For administrators, IIS 7.0 provides a secure, reliable, and easy-to-manage Web server platform. The customizable installation of IIS 7.0 ensures that they can minimize the attack surface, patching requirements, and the memory footprint of their Web infrastructure. The
IIS 7.0 process model makes Web sites and applications more secure by automatically isolating them, providing sandboxed configuration and unique process identity by default.
IIS 7.0 reduces management complexity, providing a set of tools that make administration of Web infrastructures more efficient. IIS Manager has a new task-based, feature-focused management console, which provides an intuitive user interface for administrative tasks. In addition to IIS Manager, there is also a new command line administration tool, a Windows
Management Instrumentation (WMI) provider, and a .NET application programming interface (API).
IIS 7.0 supports simplified management of Web farms where Web server configuration can be stored together with Web application code and content on a centralized file server and can be shared across front-end Web servers on a farm.
IIS 7.0 enables administrators to securely delegate site and application administrative control to developers and content owners without administrative privileges on the server, thus reducing the administrative burden and cost of ownership. Using IIS Manager from Windows
Vista, Windows XP, Windows Server 2003, or Windows Server 2008, developers and content owners can manage their sites and applications remotely while connected to a server over
HTTPS from any location.
In addition, new troubleshooting and diagnostics capabilities in IIS 7.0 enable administrators to reduce Web server downtime.
For developers, IIS 7.0 provides a flexible, more extensible Web server platform for developing and deploying Web applications on Windows Server 2008 and Windows Vista. Developers can build applications on IIS 7.0 using the Web framework of their choice, including ASP.NET, classic ASP, PHP, PERL, ColdFusion, Ruby, and many others.
IIS 7.0 provides unprecedented extensibility. It has a fully componentized architecture, with more than 40 pluggable modules built on top of public extensibility APIs. Developers can create new or replacement modules in native or managed code, extend IIS configuration, and build IIS Manager extensions that plug in seamlessly to the management console.
IIS 7.0 has a distributed file-based configuration system that enables IIS settings to be stored in web.config files along with the ASP.NET settings. This unified configuration system simplifies development and enables applications to be xcopy-deployed, preconfigured, to
IIS 7.0 servers.
In addition, new diagnostic capabilities, including access to run-time information and automatically tracing failed requests, help developers to troubleshoot issues quicker and minimize Web site downtime.
For hosters, IIS 7.0 provides a cost-effective, more scalable Web server platform for delivering reliable Web hosting to a broad set of customers. IIS 7.0 lowers costs by providing a new,
Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

5

scalable shared hosting architecture that is capable of hosting thousands of Web sites on a single IIS 7.0 server without sacrificing isolation or reliability.
IIS 7.0 enables Web hosters to reach more customers by using a new FastCGI module that is capable of providing fast and reliable hosting for PHP and other Web frameworks.
In addition, IIS 7.0 provides a File Transfer Protocol (FTP) server that enables Web hosters to offer their customers a fully integrated Web/FTP platform with modern publishing capabilities, such as FTP over Secure Sockets Layer (SSL) and membership-based authentication.

What’s New in IIS 7.0
IIS 7.0 has been completely redesigned and re-engineered from the ground up. The new features and functionality provide many new capabilities that enable administrators and developers to:


Minimize patching and security risks with fine-grained control over the Web server footprint. ■

Implement new Web solutions rapidly by using an extensibility framework.



Go to market faster with simplified deployment and configuration of applications.



Reduce administrative costs by managing Web infrastructures more efficiently.



Reduce Web site downtime by quickly resolving faulty applications.

These advancements have been made possible because of major innovations in IIS 7.0, as follows: ■

A modular, extensible core Web server



A unified, distributed file-based configuration system



Integrated health monitoring and diagnostics



A set of new administration tools with delegation support

In addition, IIS 7.0 offers a new Windows Process Activation Service (WAS) that exposes IIS 7.0 processing model to both HTTP and non-HTTP based applications and services.
Let’s look at these innovations and their advantages over previous versions of IIS in more detail. Core Web Server
The IIS 7.0 core Web server has been completely redesigned and is very different from IIS 6.0.
Its new, fully componentized architecture provides two fundamental enhancements that form a foundation for many advantages in security, performance, scalability, manageability, and flexibility. These two fundamental enhancements are modularity and extensibility.
Download at Boykma.Com

6

Part I:

Foundation

Modularity
In previous versions of IIS, all functionality was built by default into a monolithic server. There was no easy way to extend or replace any of that functionality. In IIS 7.0, the core Web server has a completely modular architecture. All of the Web server features are now managed as standalone components. The IIS 7.0 Web core is divided into more than 40 separate components, each of which implements a particular feature or functionality. These components are referred to as modules. You can add, remove, and replace the modules depending on your needs.
In IIS 7.0, the ASP.NET run time is fully integrated with the core Web server, providing a unified request processing pipeline. Both native and managed code is processed through this single request pipeline. All notification events in the request pipeline are exposed to both native and managed modules. This integration enables existing ASP.NET features—including forms-based authentication, membership, session state, and many others—to be used for all types of content, providing a consistent experience across the entire Web application.
Figure 1-1 shows the unified request processing pipeline, with several stages shown at the beginning and at the end of request processing. At the Authenticate Request stage, Figure 1-1 shows authentication modules that are available for all requests. Basic Authentication, Windows
Authentication, and Anonymous Authentication are native modules. Forms Authentication is a managed module. Both native and managed authentication modules provide services for any content type, including managed code, native code, and static files.
HTTP Request

Worker Process
Basic
Authentication

Begin Request

Windows
Authentication

Authenticate Request
Authorize Request

Forms
Authentication
Anonymous
Authentication

Update Cache
Log Request
End Request

HTTP Response

Figure 1-1

IIS 7.0 integrated request processing.
Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

7

Note For more information on request processing, refer to Chapter 2, “Understanding
IIS 7.0 Architecture.”

IIS 7.0 modularity enables you to do the following:


Secure the server by reducing the attack surface area. Reducing an attack surface area is one of the major steps to a secure system. In IIS 7.0, Web server features that are not required can be safely removed without affecting the functionality of your applications, thus reducing the attack surface area.



Improve performance and reduce memory footprint. When you remove Web server features that are not required, the server’s memory usage is reduced. In addition, the amount of code that executes on every request is reduced, leading to improved performance. ■

Build custom and specialized servers. Selecting a particular set of server features and removing the ones that are not required allows you to build custom servers that are optimized for performing a specific function, such as edge caching or load balancing.

Note For more information on server modularity, refer to Chapter 3, “Understanding the Modular Foundation.”

Extensibility
The modular architecture of IIS 7.0 enables you to build server components that extend or replace any existing functionality and add value to Web applications hosted on IIS.
The core Web server includes a new Win32 API for building core server modules. You can add custom features to extend or replace the existing Web server features with your own or third-party core Web server extensions built using this new extensibility API.
The core Web server modules are new and more powerful replacements for Internet Server
Application Programming Interface (ISAPI) filters and extensions, although these filters and extensions are still supported in IIS 7.0. The new C++ extensibility model in IIS 7.0 uses a simplified object-oriented API that promotes writing robust server code to alleviate problems that previously plagued ISAPI development.
Moreover, IIS 7.0 also includes support for development of core Web server extensions using the .NET Framework. IIS 7.0 has integrated the existing IHttpModule API for ASP.NET, enabling custom managed code modules to access all events in the request pipeline, for all requests. ASP.NET integration in IIS 7.0 enables server modules to be rapidly developed using capabilities of ASP.NET and the .NET Framework, instead of using the lower-level IIS C++ API. ASP.NET
Download at Boykma.Com

8

Part I:

Foundation

managed modules are capable of fully extending the server and are able to service requests for all types of content including, for example, ASP, Common Gateway Interface (CGI), and static files.
Using ASP.NET or native C++ extensibility, developers can build solutions that add value for all application components, such as custom authentication schemes, monitoring and logging, security filtering, load balancing, content redirection, and state management.
Note For more information on core Web server extensibility, refer to Chapter 12, “Managing
Web Server Modules.”

Configuration
The early versions of IIS had few configuration settings, and they were stored in the registry.
IIS 5.0 introduced a binary store called the metabase for managing URL-based configuration.
In IIS 6.0, the binary metabase was replaced with an XML-based metabase to store configuration data. IIS 7.0 introduces a distributed XML file–based configuration system that enables administrators to specify settings for IIS and its features in clear text XML files that are stored with the code and content. The XML files hold the configuration settings for the entire Web server platform, including IIS, ASP.NET, and other components. The files store settings on the server, site, and application levels, and they may optionally be set at the content directories level together with the Web content, enabling delegated management.
Because Web site and application settings are no longer tied to a centralized configuration store on the local machine—as in previous versions of IIS—this distributed file-based configuration system dramatically simplifies application deployment by providing xcopy deployment of configuration together with application code and content. In addition, this configuration system enables sharing configuration for a site or application across a Web farm.
IIS 7.0 configuration is based on the .NET Framework configuration store. This common format enables IIS configuration settings to be stored alongside an ASP.NET configuration in a web.config files hierarchy, providing one configuration store for all Web platform configuration settings that are accessible via a common set of APIs and stored in a consistent format.
The distributed configuration hierarchy includes the global, computer-wide, .NET Framework configuration files, machine.config and root web.config, the global IIS configuration file applicationHost.config, and distributed web.config configuration files located within the Web sites, applications, and directories, as shown in Figure 1-2.
The .NET Framework global settings for a server machine are stored in the machine.config file located in the %SystemRoot%\Microsoft .NET\Framework \\config folder. Global
ASP.NET settings for a Web server are stored in the root web.config file located in the same folder on the server machine.
Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

machine.config
.NET Framework global configuration applicationHost.config
IIS global configuration

root web.config
ASP.NET global configuration site web.config
ASP.NET & IIS site configuration application web.config
ASP.NET & IIS application configuration directory web.config
ASP.NET & IIS directory configuration Figure 1-2

File-based distributed configuration store.

IIS 7.0 stores global configuration in the applicationHost.config file located in the
%SystemRoot%\System32\Inetsrv\Config folder. ApplicationHost.config has two major configuration sections: and .
The section contains settings for site, application, virtual directory, and application pools. The section contains configuration for all other settings, including global Web defaults.
URL-specific configuration is stored in applicationHost.config via tags. IIS 7.0 reads and writes URL-specific configuration in the web.config files hierarchy for sites, applications, and content directories on the server, along with ASP.NET configuration.
Figure 1-3 shows the structure of a site web.config file and its inheritance from global configuration files.

Download at Boykma.Com

9

10

Part I:

Foundation

ASP.NET machine.config root web.config

IIS 7.0 applicationHost.config Figure 1-3

site web.config












Site web.config file.

The server administrator may delegate different levels of the configuration hierarchy to other users, such as the site administrator or the application developer. By default, write access to configuration settings is limited to the server administrator only. The server administrator may delegate management of specific configuration settings to users without administrative privileges on the server machine.
The file-based configuration for a specific site or application can be copied from one computer to another, for example, when the application moves from development into test and then into production. Due to xcopy deployment of configuration beside code and content, it is significantly easier to deploy applications on IIS 7.0.
Distributed configuration system also enables configuration for a site or application to be shared across a Web server farm, where all servers retrieve configuration settings from a single server. After a Web site is in production, administrators can share configuration information across multiple front-end Web servers, avoiding costly and error-prone replication and manual synchronization issues.
The IIS 7.0 configuration system is fully extensible and allows you to extend the configuration store to include custom configuration. The system is backward compatible with previous versions of IIS at the API level, and with previous versions of the .NET Framework at the XML level. Note For more information on IIS 7.0 distributed configuration system, refer to Chapter 4,
“Understanding the Configuration System.”

Administration Tools
IIS 7.0 administration tools have been completely rewritten. They provide different interfaces for reading from and writing to the hierarchy of configuration files on the server, including the applicationHost.config file, the .NET Framework root web.config file, and web.config files for sites, applications, and directories, as well as interfaces for working with run-time information and different providers on the server.
Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

11

IIS 7.0 provides the following administration tools:


IIS Manager is a new management console that offers an intuitive, feature-focused, taskoriented graphical user interface (GUI) for managing both IIS 7.0 and ASP.NET. IIS Manager in IIS 7.0 is implemented as a Windows Forms application that replaces the MMC snap-in used in previous versions of IIS.



A command line tool, Appcmd.exe, replaces IIS 6.0 command line scripts. It provides command line access to configuration files hierarchy and other server settings.



The Microsoft.Web.Administration interface provides a strongly typed managed API for managed code access to configuration and other server settings.



A new WMI provider offers scripting access to all IIS and ASP.NET configuration. The legacy IIS 6.0 WMI provider is still available for backward compatibility with existing scripts. You can also use Windows PowerShell for powerful scripting access to distributed configuration hierarchy. Note

For more information on using PowerShell to manage IIS 7.0, refer to Chapter 7,
“Using Command Line Tools.”

In addition, the IIS 6.0 MMC snap-in is also provided with Windows Server 2008 to support remote administration and to administer FTP sites.
All new administration tools fully support the new IIS 7.0 distributed configuration, and all of them allow for delegation of access to configuration for individual sites and applications to users without administrative privileges on the server machine.
Note

You can install administration tools and Web server components separately.

Figure 1-4 shows the new IIS Manager user interface that has a browser-like feel with an address bar similar to Windows Explorer. The main body of the IIS Manager window is divided into three areas:


The Connections pane on the left side of the IIS Manager window enables you to connect to servers, sites, and applications. The connections are displayed in a tree.



A central area referred to as a workspace is located in the middle of IIS Manager window.
The workspace has two views: Features View and Content View.


Features View enables you to view and configure features for the currently selected configuration path. Each IIS Manager feature typically maps to a configuration section that controls the corresponding Web server feature.
Download at Boykma.Com

12

Part I:

Foundation




Content View provides a read-only display of content corresponding to the currently selected configuration path. In Content View, when you select a node in the tree in the Connections pane tree, its content is listed in the workspace.

An Actions Pane is located on the right side of IIS Manager. Items in the Actions pane are task-based and context-specific.

Figure 1-4

IIS Manager UI.

As with other administration tools, delegated management is one of the most important capabilities of IIS Manager. With this capability, users of hosted services can run IIS Manager on their desktops and connect remotely to manage their sites and applications on the server where they are hosted without having administrative access to the server machine. To identify users, IIS Manager can use Windows credentials and also alternative credentials stores. IIS
Manager credentials are particularly useful in scenarios in which you don’t want to create
Windows accounts for all remote users, or when the credentials are already stored in a non-Windows authentication system and you want to keep them in a single store.
IIS Manager supports remote administration over a firewall-friendly HTTPS connection, allowing for seamless local and remote administration without requiring Distributed
Component Object Model (DCOM) or other administrative ports to be opened on the firewall.
In IIS 6.0, management console remoting was through the MMC and was always enabled.
This is different in IIS 7.0, where remote management through IIS Manager is disabled by default and must be explicitly enabled. For remote administration of IIS 7.0, Web Management
Service (WMSvc) must be installed on the server computer, and the remote connections to this service must be enabled. WMSvc is a Windows service that provides the ability to manage
IIS 7.0 sites and applications remotely using IIS Manager. IIS Manager remoting architecture is shown in Figure 1-5.
Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

IIS Manager

Figure 1-5

HTTPS

Web
Management
Service

Read/
Write

13

config files

IIS Manager remoting.

IIS Manager in IIS 7.0 is customizable and extensible. It has its own configuration file, administration.config, that enables custom functionality to be added to the tool. Any added administration plug-ins are integrated into the tool and appear alongside IIS and ASP.NET features.
Note

For more information on IIS Manager, refer to Chapter 6, “Using IIS Manager,” and for more information on Appcmd.exe, WMI, and Microsoft.Web Administration API, refer to
Chapter 7.

Diagnostics
IIS 7.0 introduces major improvements in diagnostics and troubleshooting of Web sites and applications. It enables you to troubleshoot issues quicker and minimize Web site downtime through powerful new diagnostic capabilities including access to run-time information and automatic tracing of failed requests. The diagnostics and troubleshooting changes in IIS 7.0 enable you to see, in real time, requests that are running on the server and to automatically trap errors with a detailed trace log.

Access to Run-Time Information
IIS 7.0 includes a new Runtime State and Control API (RSCA) that provides real-time state information about application pools, worker processes, sites, application domains, and running requests.
The RSCA is designed to give administrators an in-depth view into the current state of the run-time objects, including current worker processes and their currently executing requests, and also to enable administrators to use the same API to control those objects. RSCA allows administrators to get detailed run-time data that was not previously available.
This information is exposed through a native Component Object Model (COM) API. The API itself is wrapped and exposed through the new IIS 7.0 WMI provider, Microsoft.Web.Administration
API, command line management tool Appcmd.exe, and IIS Manager.
Download at Boykma.Com

14

Part I:

Foundation

For example, using IIS Manager, administrators can get run-time information on what requests are currently executing, how long they have been running, which URLs they are invoking, what client called them, and what their status is.

Failed Request Tracing
IIS 7.0 provides detailed trace events throughout the request and response path, enabling you to trace a request as it makes its way to IIS, through the IIS request processing pipeline, into any existing page-level code, and back out to the response. These detailed trace events enable you to understand not only the request path and any error information that was raised as a result of the request, but also elapsed time and other debugging information to assist in troubleshooting all types of errors and when a system stops responding.
Problems such as poor performance on some requests, authentication-related failures on other requests, or the server 500 error can often be difficult to troubleshoot unless you have captured the trace of the problem when it occurs. That’s where failed request tracing can be helpful. It is designed to buffer the trace events for a request and then save them to disk into the trace log if the request fails. To enable the collection of trace events, you can configure
IIS 7.0 to automatically capture full trace logs in XML format for any given request based on elapsed time or error response codes.
The diagnostic capabilities in IIS 7.0 are extensible, and new trace events can be inserted into custom modules.
Note For more information on diagnostics and troubleshooting, refer to Chapter 16,
“Tracing and Troubleshooting.”

Windows Process Activation Service
IIS 7.0 provides a new protocol-independent Windows Process Activation Service (WAS) that is an extended and generalized successor to Windows Activation Service in IIS 6.0. The HTTP process activation model was introduced in IIS 6.0 with application pools. This service has been extended in IIS 7.0 to be available for more than just Web applications. It is capable of receiving requests or messages over any protocol and supports pluggable activation of arbitrary protocol listeners. In addition to being protocol-independent, WAS provides all types of message-activated applications with intelligent resource management, on-demand process activation, health monitoring, and automatic failure detection and recycling. The
Windows Communication Foundation (WCF) ships with protocol adapters that can leverage the capabilities of WAS. Using these capabilities can dramatically improve the reliability and resource usage of WCF services.
Note

For more information on WAS and non-HTTP support in IIS 7.0, refer to Chapter 2.
Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

15

Application Compatibility
IIS 7.0 is built to be compatible with previous releases of IIS. Most existing ASP, ASP.NET 1.1, and ASP.NET 2.0 applications are expected to run on IIS 7.0 without code changes, using the compatible ISAPI support.
All existing ISAPI extensions and most ISAPI filters also continue to work. However, ISAPI filters that use READ RAW DATA notification are not supported in IIS 7.0.
For existing Active Directory Service Interfaces (ADSI) and WMI scripts, IIS 7.0 provides feature parity with previous releases, enabling the scripts to use legacy configuration interfaces by using the Metabase Compatibility layer.
Note

For more information on application compatibility, see Chapter 11, “Hosting
Application Development Frameworks.”

Basic Administration Tasks
For a Web server to start serving content, it must have a basic configuration: a site, an application, a virtual directory, and an application pool. IIS 7.0 provides a default configuration that includes the Default Web Site with a root application mapped to a physical directory
%SystemDrive%\Inetpub\Wwwroot and a default application pool called DefaultAppPool that this application belongs to.
However, you may need to create your own site, add an application to the site, add a virtual directory to the application, create a new application pool, and assign an application to the application pool. The following sections describe how to perform these basic administration tasks by using IIS Manager.
Note For information on how to perform other common administrative tasks, refer to
Appendix J, “Common Administrative Tasks Using IIS Manager.”

To start IIS Manager, from the Administrative Tools program group, launch Internet
Information Services (IIS) Manager.

Creating a Web Site
A site is a container for applications and virtual directories. Each site can be accessed through one or more unique bindings. The binding includes the binding protocol and the binding information. The binding protocol defines the protocol over which communication occurs between the IIS 7.0 server and a Web client such as a browser. The binding information defines the information that is used to access the site. For example, the binding protocol of a
Download at Boykma.Com

16

Part I:

Foundation

Web site can be either HTTP or HTTPS, and the binding information is the combination of IP address, port, and optional host header.
To create a Web site using IIS Manager, perform the following steps:
1. In the Connections pane, expand the server node, right-click the Sites node, and then click Add Web Site. The Add Web Site dialog box appears.

2. In the Site Name box, type a name for your Web site, for example, www.contoso.com.
3. If you want to assign a different application pool than the one listed in the Application
Pool box, click Select. Then in the Select Application Pool dialog box, choose an application pool from the Application Pool drop-down list and click OK.
4. In the Physical Path box, type the physical path of the Web site’s folder or navigate to the folder by using the browse button (...).
If the physical path that you entered points to a remote share, click Connect As and specify the required credentials. If no credentials are required to access the path, select the Application User (Pass-Thru Authentication) option in the Connect As dialog box.
5. Optional: Click Test Settings to verify the settings you specified.
6. Configure the desired bindings for your new site:


If you are using HTTPS for the Web site access, in the Type drop-down list, change the protocol from HTTP to HTTPS.



If you have a dedicated static IP address for the site, in the IP Address box, type that IP address. If you don’t have a static IP address for the site, leave the default value of All Unassigned.
Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

17



If your site will use a different port number than the default port number of 80, in the Port box, type that port number.



If your site will use a host header, in the Host Name box, type that host header name for your site. For example, type www.contoso.com.

7. If you want the Web site to be immediately available, select the Start Web Site
Immediately check box.
8. Click OK. The new Web site has been created and appears in the Connections pane.

Creating an Application
An application is a group of files that delivers content or provides services over protocols, such as HTTP. When an application is created, the application’s path becomes part of the URL.
A site can contain many applications including that site’s default application, which is called the root application. In addition to belonging to a site, an application belongs to an application pool, which isolates the application from applications in other application pools on the server.
To create an application using IIS Manager, perform the following steps:
1. In the Connections pane, right-click the site where you want the new application to run.
Then select Add Application. The Add Application dialog box appears.

Download at Boykma.Com

18

Part I:

Foundation

2. In the Alias box, type a value for the application URL, such as Ads. This value is used to access the application in a URL.
3. If you want to assign a different application pool than the one listed in the Application
Pool box, click Select. Then in the Select Application Pool dialog box, choose an application pool from the Application Pool drop-down list and click OK.
4. In the Physical Path box, type the physical path of the Web site’s folder or navigate to the folder by using the browse button (...).
If the physical path that you entered points to a remote share, click Connect As and specify the required credentials. If no credentials are required to access the path, select the Application User (Pass-Thru Authentication) option in the Connect As dialog box.
5. Optional: Click Test Settings to verify the settings you specified.
6. Click OK. The new application has been created and appears in the Connections pane.

Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

19

Creating a Virtual Directory
A virtual directory is a directory name (also referred to as path) that is mapped to a physical directory on a local or remote server. That name becomes part of the URL, and a request to this URL from a browser accesses content in the physical directory, such as a Web page or a list of a directory’s content.
An application can contain many virtual directories. Each application must have a root virtual directory that maps the application to the physical directory that contains the application’s content. To create a virtual directory using IIS Manager, perform the following steps:
1. In the Connections pane, right-click the site where you want the virtual directory to appear. Then select Add Virtual Directory. The Add Virtual Directory dialog box appears. 2. In the Alias box, type a value for the virtual directory URL, such as Download. This value is used to access the application in a URL.
3. In the Physical Path box, type the physical path of the Web site’s folder or navigate to the folder by using the browse button (...).
If the physical path that you entered points to a remote share, click Connect As and specify the required credentials. If no credentials are required to access the path, select the Application User (Pass-Thru Authentication) option in the Connect As dialog box.
4. Optional: Click Test Settings to verify the settings you specified.
5. Click OK. The new virtual directory has been created and appears in the Connections pane. Download at Boykma.Com

20

Part I:

Foundation

Creating an Application Pool
An application pool is a group of one or more applications that a worker process, or a set of worker processes, serves. Application pools set boundaries for the applications they contain, providing isolation between applications running in different application pools.
In IIS 7.0, ASP.NET requests within application pools can be executed in one of two managed pipeline modes: Integrated or Classic. In Integrated mode, the server uses the unified, or integrated, request processing pipeline to process the request. In Classic mode, the server processes ASP.NET requests using two different IIS and ASP.NET pipelines, in the same way as if the application were running in IIS 6.0.
To create an application pool using IIS Manager, perform the following steps:
1. In the Connections pane, expand the server node and right-click the Application Pools node. Select Add Application Pool. The Add Application Pool dialog box appears.

2. In the Name box, type a friendly name for the application pool, for example,
Advertising.
Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

21

3. From the .NET Framework Version drop-down list, select the version of the .NET
Framework required by your managed applications, modules, and handlers. If the applications that you run in this application pool do not require the .NET Framework, select No Managed Code.
4. From the Managed Pipeline Mode drop-down list, select one of the following options:


Integrated Select this if you want to use the integrated IIS and ASP.NET request processing pipeline. This is the default mode.



Classic Select this if you want to use IIS and ASP.NET request-processing modes

separately.
5. By default, the Start Application Pool Immediately check box is selected. If you do not want the application pool to start, clear the box.
6. Click OK. The new application pool has been created and appears in the Application
Pools list.

Assigning an Application to an Application Pool
You can assign an application to its own application pool if you want to isolate this application from other applications running on the server. You can assign several applications to the same application pool if all the applications use the same run-time configuration settings, for example, worker process settings or ASP.NET version.
To assign an application to an application pool using IIS Manager, perform the following steps: 1. In the Connections pane, right-click an application you want to assign to a different application pool, select Manage Application, and then click Advanced Settings.
Download at Boykma.Com

22

Part I:

Foundation

2. On the Advanced Settings page, select Application Pool and then click the browse button. The Select Application Pool dialog box appears.

3. Select the application pool you want the application to run in.
4. Click OK. The application has been assigned to the application pool.

IIS 7.0 Features in Windows Server 2008 and
Windows Vista
IIS 7.0 is a part of Windows Server 2008 and Windows Vista. However, the availability of IIS
7.0 features varies between Windows Server 2008 and the editions of Windows Vista.
Windows Server 2008 includes all IIS 7.0 features. IIS 7.0 is available in all editions of
Windows Server 2008. There is no difference in functionality among editions. IIS 7.0 is available on 32-bit and 64-bit platforms.
IIS 7.0 is supported in Server Core installations of Windows Server 2008. IIS 7.0 on Server
Core provides you with a Web server on top of a minimal footprint server operating system, with a smaller disk space requirement, lower memory utilization, reduced attack surface, and lower servicing needs. IIS 7.0 installation on Windows Server 2008 Server Core is

Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

23

different from a regular Windows Server 2008 IIS 7.0 installation. On Server Core, there is no
Windows shell and .no NET Framework. As a result, IIS Manager is not available, and you cannot run ASP.NET modules, handlers, and applications on Server Core. You can, however, run
ASP, PHP, CGI, and other nonmanaged application code on Server Core installations of IIS 7.0.
Note

For more information on installing IIS 7.0 on Server Core, refer to Chapter 5, “Installing

IIS 7.0.”

In Windows Vista editions, IIS 7.0 provides Web developers with a Web platform for building and testing Web applications for IIS 7.0 and also enables process activation and management infrastructure for Microsoft’s Windows Communication Foundation (WCF) applications.
This infrastructure is provided by Windows Process Activation Service.
The IIS 7.0 features available in a Windows Vista installations depend on the edition of
Windows Vista, as follows:


In Windows Vista Starter and Home editions, IIS 7.0 components only offer supporting infrastructure for WCF but do not provide a Web server that supports static content,
Classic ASP, or ASP.NET.



In Windows Vista Home Premium edition, most of the IIS 7.0 Web Server features required for Web site development are available. However, FTP server, advanced Web authentication and authorization, and remote administration are not available.



In Windows Vista Business, Enterprise, and Ultimate editions, all of the IIS 7.0 features are available with exception of remote administration.

Table 1-1 lists availability of features in Windows Server 2008 and editions of Windows Vista.
Within the table, the features are grouped into categories as follows:


Common HTTP features



Application development features



Health and diagnostics features



Security features



Performance features



Management tools



Windows Process Activation Service



File Transfer Protocol (FTP) publishing service features



Simultaneous connection limits

Download at Boykma.Com

24

Part I:

Foundation

Within each category, the feature availability is described as follows:


Default The feature is selected by default when you install IIS 7.0. You can decide not to

install this feature if you do not need it.


Available The feature is available, but it is not selected by default when you install IIS

7.0. You can install this feature if you need it.


Unavailable

Table 1-1

The feature is unavailable and cannot be installed when you install IIS 7.0.

IIS Features in Windows Server 2008 and Windows Vista

Feature Name

Windows
Server 2008
Editions

Windows Vista Editions
Ultimate,
Business, and
Enterprise

Home
Premium

Home Basic and
Starter

Common HTTP Features
Static Content

Default

Default

Default

Unavailable

Default Document

Default

Default

Default

Unavailable

Directory Browsing

Default

Default

Default

Unavailable

HTTP Errors

Default

Default

Default

Default

HTTP Redirection

Default

Default

Default

Default

Application Development Features
ASP.NET

Available

Available

Available

Unavailable

.NET Extensibility

Default

Default

Default

Default

ASP

Available

Available

Available

Unavailable

CGI

Available

Available

Available

Unavailable

ISAPI Extensions

Available

Available

Available

Unavailable

ISAPI Filters

Available

Available

Available

Unavailable

Server-Side Includes

Available

Available

Available

Unavailable

Default

Default

Health and Diagnostics Features
HTTP Logging

Default

Default

Logging Tools

Default

Default

Default

Default

Request Monitor

Default

Default

Default

Default

Tracing

Default

Default

Default

Default

Custom Logging

Available

Available

Available

Unavailable

ODBC Logging

Available

Available

Unavailable

Unavailable

Available

Available

Available

Unavailable

Windows Authentication Available

Available

Unavailable

Unavailable

Security Features
Basic Authentication
Digest Authentication

Available

Available

Unavailable

Unavailable

Client Certificate
Available
Mapping Authentication

Available

Unavailable

Unavailable

Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

25

Table 1-1 IIS Features in Windows Server 2008 and Windows Vista

Feature Name

Windows
Server 2008
Editions

Windows Vista Editions
Ultimate,
Business, and
Enterprise

Home
Premium

IIS Client Certificate
Available
Mapping Authentication

Available

Unavailable

Unavailable

URL Authorization

Available

Available

Available

Available

Request Filtering

Available

Available

Available

Available

IP and Domain
Restrictions

Available

Available

Available

Available

Static Content
Compression

Default

Default

Default

Default

Dynamic Content
Compression

Available

Available

Available

Available

IIS Management Console Default
(IIS Manager)

Default

Default

Unavailable

IIS Management Scripts and Tools

Available

Available

Available

Home Basic and
Starter

Performance Features

Management Tools

Available

Management Service

Available

Available

Available

Unavailable

IIS 6.0 Management
Compatibility

Available

Available

Available

Available

IIS Metabase
Compatibility

Available

Available

Available

Available

IIS 6 WMI Compatibility

Available

Available

Available

Unavailable

IIS 6 Scripting Tools

Available

Available

Available

Unavailable

IIS 6 Management
Console

Available

Available

Available

Unavailable

Windows Process Activation Service Features
Process Model

Default

Default

Default

Default

.NET Environment

Available

Available

Available

Available

Configuration APIs

Available

Available

Available

Available

File Transfer Protocol (FTP) Publishing Service Features
FTP Server

Available

Available

Unavailable

Unavailable

FTP Management
Console

Available

Available

Unavailable

Unavailable

10

3

3

Simultaneous Connection Limits
Simultaneous
Connection Limits

Unlimited

Download at Boykma.Com

26

Part I:

Foundation

Summary
IIS 7.0 has been completely redesigned and re-engineered from the ground up. IIS 7.0 offers major advantages over previous versions of IIS and makes developing, deploying, and configuring and managing Web applications and infrastructure easier and more efficient than ever before.
IIS 7.0 delivers many new powerful features and functionality based on the following key enhancements: ■

Modularity IIS 7.0 architecture is fully componentized. It enables administrators to customize which features are installed and running on the Web server. With more than
40 feature modules that can be independently installed, administrators can reduce the potential attack surface and lower the footprint requirements of the server.



Extensibility



Unified distributed configuration system IIS 7.0 provides a unified distributed file-

The core Web server features of IIS 7.0 have been built using a new set of comprehensive public APIs that developers can use to extend, replace, or add functionality to a Web server. These APIs are available as native Win32 APIs as well as managed .NET Framework APIs. Developers can also extend IIS configuration and build
IIS Manager extensions that plug in seamlessly to the management console.

based configuration system for storing all IIS and ASP.NET settings in a single clear-text
XML format in a configuration files hierarchy where configuration files are stored together with Web site and application content. This configuration system enables xcopy deployment of configuration alongside application code and content, and it also provides an easy way to share a configuration across a Web farm.


New administration tools IIS 7.0 offers a set of administration tools that simplify managing Web infrastructure and allow administrators to delegate administrative control for sites and applications to developers and content owners. IIS 7.0 includes a new GUI management console, IIS Manager; a new command line utility, Appcmd.exe; a new WMI provider for automating administration tasks; and a new managed API. All of these tools provide unified support for managing IIS and ASP.NET settings together.
Administrators and developers can also use Windows PowerShell for scripting access to configuration information for the entire Web platform.



Integrated diagnostics

IIS 7.0 enables administrators and developers to minimize downtime by using new diagnostics and troubleshooting capabilities. IIS 7.0 exposes run-time diagnostic information including currently executing requests. IIS 7.0 can also be configured to automatically log detailed trace events for failed requests for errant
Web sites and applications.

Download at Boykma.Com

Chapter 1: Introducing IIS 7.0

27

Additional Resources
These resources contain additional information and tools related to this chapter:


For more information on IIS 7.0 request processing, refer to Chapter 2, “Understanding
IIS 7.0 Architecture.”



For more information about modularity, refer to Chapter 3, “Understanding the
Modular Foundation.”



For more information on IIS 7.0 extensibility, refer to Chapter 12, “Managing Web
Server Modules,” and Chapter 13, “Managing Configuration and User Interface
Extensions.”



For more information about the unified distributed configuration system, refer to
Chapter 4, “Understanding the Configuration System.”



For more information about administration tools, refer to Chapter 6, “Using IIS
Manager,” and Chapter 7, “Using Command Line Tools.”



For more information about the troubleshooting capabilities of IIS 7.0 and how to use them, refer to Chapter 16, “Tracing and Troubleshooting,” and Chapter 17,
“Performance and Tuning.”

Download at Boykma.Com

Download at Boykma.Com

Chapter 2

Understanding IIS 7.0
Architecture
In this chapter:
Overview of IIS 7.0 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
IIS 7.0 Core Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Request Processing in Application Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Non-HTTP Request Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
This chapter looks into the end-to-end request processing architecture in IIS 7.0. IIS 7.0 has been completely redesigned in comparison with the previous versions of IIS. As we have discussed in the previous chapter, the key architecture innovations are as follows:


Modularity IIS 7.0 core Web server functionality is implemented by more than 40 builtin native and managed modules. Because of IIS and ASP.NET run-time integration, both native and managed modules can serve requests for any content type. We will look into IIS 7.0 integrated request processing pipeline later in this chapter.



Extensibility



Configuration system In IIS 7, IIS and ASP.NET configuration is unified. IIS 7.0 stores

IIS 7.0 is fully extensible and provides a set of public APIs to enable developers to extend its features and functionality. The core Web server modules in
IIS 7.0 have been built using new public APIs that are available as native Win32 APIs as well as managed .NET APIs. In addition to extending Web server, developers can also extend IIS configuration and build extensions for the IIS Manager. The end-to-end
IIS 7.0 extensibility is discussed in depth in Chapter 12, “Managing Web Server
Modules” and Chapter 13, “Managing Configuration and User Interface Extensions.”

all IIS and ASP.NET settings together in clear-text XML-based files that form a distributed configuration hierarchy, also referred to as configuration store. This hierarchy replaces the legacy configuration store, the metabase. We will look into how configuration store is used in request processing later in this chapter. Further, the IIS 7.0 configuration hierarchy, schema, and settings are discussed in detail in Chapter 4, “Understanding the
Configuration System.”

Download at Boykma.Com

29

30

Part I:


Foundation

Administration stack IIS 7.0 provides a set of administration tools that support

managing IIS and ASP.NET settings together, and enable delegation of administrative control to users without administrative access to server machine. IIS 7.0 includes a new
GUI management console, IIS Manager; a new command line utility, Appcmd.exe; a new WMI provider for automating administration tasks; and a new managed API. The administration tools are discussed in detail in Chapter 6, “Using IIS Manager,” and
Chapter 7, “Using Command Line Tools.”


Diagnostics and troubleshooting Diagnostics and troubleshooting capabilities in IIS 7.0 enable administrators and developers to increase efficiency and minimize downtime.
Moreover, because IIS 7.0 exposes its process model to non-HTTP applications and services, the diagnostic capabilities are also available to these applications and services.
We will look into non-HTTP processing in IIS 7.0 later in this chapter. The diagnostic and troubleshooting of IIS 7.0 are discussed in depth in Chapter 16, “Tracing and
Troubleshooting.”

To fully understand the implications of these and other architectural changes, we need to look into how IIS 7.0 processes requests. The end-to-end request processing architecture in IIS 7.0 is the focus of this chapter. We will begin with the core IIS 7.0 components and their role in the processing of an HTTP request. We will then look at how a request is executed, focusing on the integrated request processing pipeline and core Web server modularity. Finally, we will discuss non-HTTP request processing in IIS 7.0.

Overview of IIS 7.0 Architecture
IIS 7.0 includes several core components that work together to process client HTTP requests.
Each component has different responsibilities in the request processing, such as listening for requests made to the server, activating and managing processes, and executing requests.
Figure 2-1 shows IIS 7.0 architecture and core components.
The core components shown in Figure 2-1 are as follows:


HTTP protocol stack (HTTP.sys) HTTP.sys is the kernel mode protocol listener that listens for HTTP and HTTPS requests.



World Wide Web Service Publishing Service (W3SVC)



Windows Process Activation Service (WAS, also known as WPAS)



Configuration store

W3SVC is an HTTP listener adapter. It owns communication with HTTP.sys and Windows Process Activation
Service and provides configuration information to HTTP.sys.

WAS provides management of worker processes. It starts, stops, and recycles application pools and monitors the health of worker processes at run time. In addition, it obtains configuration information from the configuration store.
Configuration store is a distributed XML-based file hierarchy that stores both IIS and ASP.NET settings. IIS server-wide configuration information is
Download at Boykma.Com

Chapter 2: Understanding IIS 7.0 Architecture

31

contained in the IIS global configuration file applicationHost.config located on the top of the hierarchy. The global.NET Framework configuration files, machine.config and root web.config, are also located on the top of the hierarchy.


Worker process w3wp.exe W3wp.exe is a long-running process that processes requests and generates responses. The requests are executed within a worker process. Multiple worker processes can run concurrently. A worker process can execute requests in one of two ways: in .NET Integrated mode by using IIS and the ASP.NET integrated request processing pipeline, or in Classic mode where IIS and ASP.NET requests processing is not integrated, as in IIS 6.0. These modes are discussed in the section titled “Request
Processing in Application Pool” later in this chapter.

Application pool
Worker Process (w3wp.exe)

Begin Request
Authenticate Request
Authorize Request
Configuration
Store
Update Cache
Log Request

Svchost.exe
World Wide Web
Publishing Service
(W3SVC)

Windows Process
Activation Service
(WAS)

End Request

User Mode
Kernel Mode
HTTP.sys

Figure 2-1

IIS 7.0 architecture.

IIS 7.0 core components perform key functions in the processing of an HTTP request. Before looking into the roles that IIS 7.0 core components play in request processing, we need to understand how the server determines which worker process should execute a particular request. Download at Boykma.Com

32

Part I:

Foundation

When an HTTP request arrives at the server from the client, the path in the request URL is parsed to determine which site and application the request is for. Each application runs within an application pool. One or more worker processes serve an application pool.
When IIS 7.0 receives a request for an application, IIS maps the request to a worker process for an application pool the application belongs to. If this is the first request for the application pool, the worker process is started, and the server functionality is loaded into the process.
Then, the request is passed to the worker process. The worker process executes the request, and the resulting HTTP response is returned to the client.
Figure 2-2 shows the end-to-end HTTP request processing and the interaction between IIS 7.0 components. w3wp.exe

Begin Request
Authenticate Request
Authorize Request applicationHost.config Update Cache

3

Log Request

Svchost.exe
World Wide Web
Publishing Service
User Mode 2

2
5

Windows Process
Activation Service

6

4

End Request

7

Kernel Mode
HTTP.sys

1
HTTP Request

Figure 2-2

9
HTTP Response

HTTP request processing in IIS 7.0.

Download at Boykma.Com

8

Chapter 2: Understanding IIS 7.0 Architecture

33

In IIS 7.0, HTTP request processing consists of the following steps, as shown in Figure 2-2:
1. An HTTP request from a client browser arrives to the server. HTTP.sys intercepts the request. 2. HTTP.sys checks if it has the configuration information for an application the request is sent to.


If HTTP.sys has the configuration information, it forwards the request to an appropriate worker process (see step 7).



If HTTP.sys doesn’t have the configuration information, it contacts W3SVC, which passes the request for information to WAS.

3. WAS obtains configuration information from the IIS global configuration file, applicationHost.config. 4. WAS checks the worker process in the application pool to which the request is made. If there is no worker process, WAS starts a worker process for that application pool.
5. WAS passes configuration, including as application pool and application configuration settings, to W3SVC.
6. W3SVC uses configuration received from WAS to configure and update HTTP.sys.
7. HTTP.sys forwards the request to the worker process.
8. The worker process begins a request processing pipeline to execute the request. A request processing pipeline is an ordered list consisting of components that perform specific tasks to process a request. At the end of this processing, a response is generated and returned to HTTP.sys. We will discuss the request processing pipeline in the section titled “Request Processing in Application Pool” later in this chapter.
9. HTTP.sys sends a response to the client.

IIS 7.0 Core Components
In this section, we will look at IIS 7.0 core components and their role in process activation and request processing.

HTTP.sys
HTTP.sys is the protocol listener that listens for HTTP and HTTPS requests. HTTP.sys was introduced in IIS 6.0 as an HTTP-specific protocol listener for HTTP requests. In IIS 7.0, HTTP.sys also includes support for Secure Sockets Layer (SSL), which Lsass.exe provided in IIS 6.0.
HTTP.sys is a kernel-mode device driver for HTTP protocol stack. It is part of the networking subsystem of the Windows operating systems. Beginning with IIS 6.0, this kernel-mode driver replaced Windows Sockets API (Winsock), which was a user-mode component that previous versions of IIS used to receive HTTP requests and send HTTP responses.
Download at Boykma.Com

34

Part I:

Foundation

When a client browser requests a Web page from a site on the IIS 7.0 server, HTTP.sys picks up the request on the site binding on the server machine and then passes it to the worker process for processing. After the request has been processed, HTTP.sys returns a response to the client browser.
Apart from intercepting and returning HTTP requests, HTTP.sys also performs the following tasks: ■

Preprocessing and security filtering of the incoming HTTP requests



Queuing of HTTP requests for the application pools



Caching of the outgoing HTTP responses

Figure 2-3 shows HTTP.sys request queues and response cache.

HTTP.sys

Response Cache
App Pool
Queue

Figure 2-3

App Pool
Queue

App Pool
Queue

HTTP request queue and response cache.

Having a request queue and a response cache served by a kernel-based HTTP listener reduces overhead in context switching to user mode and results in performance enhancements, as follows: ■



Kernel-mode request queuing Requests cause less overhead in context switching because the kernel forwards requests directly to the correct worker process. If no worker process is available to accept a request, the kernel-mode request queue holds the request until a worker process picks it up.
Kernel-mode caching

Requests for cached responses are served without switching to

user mode.
HTTP.sys maintains a request queue for each worker process. It sends the HTTP requests it receives to the request queue for the worker process that serves the application pool where the requested application is located. For each application, HTTP.sys maintains the URI namespace routing table with one entry. The routing table data is used to determine which application pool responds to requests from what parts of the namespace. Each request queue corresponds to one application pool. An application pool corresponds to one request queue within HTTP.sys and one or more worker processes.
If a faulty application causes a worker process failure, service is not interrupted, and the failure is undetectable by an end user because the kernel queues the requests while the WAS service starts a new worker process for that application pool. When the WAS service identifies
Download at Boykma.Com

Chapter 2: Understanding IIS 7.0 Architecture

35

an unhealthy worker process, it starts a new worker process if outstanding requests are waiting to be serviced. Although a temporary disruption occurs in user-mode request processing, the user does not experience the failure, because TCP/IP connections are maintained, and requests continue to be queued and processed. Only those requests that are running in the worker process when it fails will result in users seeing an error status. The requests that haven’t been processed yet will be redirected to the new worker process.
Other than retrieving a stored response from its internal cache, HTTP.sys does not process the requests that it receives. Therefore, no application-specific code is ever loaded into kernel mode but is processed inside the worker process that runs in the user mode. As a result, bugs in application-specific code cannot affect the kernel or lead to system failures.

World Wide Web Publishing Service
World Wide Web Publishing Service (W3SVC) changed significantly in IIS 7.0 in comparison with IIS 6.0.
In IIS 6.0, W3SVC was responsible for HTTP.sys management, configuration management, process management, and performance monitoring, as shown in Figure 2-4.
Svchost.exe
W3SVC
Performance
Monitoring

Configuration
Manager

HTTP.sys
Manager

Process
Manager

Figure 2-4

W3SVC in IIS 6.0.

In IIS 7.0, this functionality is split between two services: W3SVC and a service that is new to
IIS 7.0, WAS. These two services run as LocalSystem in the same Svchost.exe process, and they share the same binaries. W3SVC and WAS in IIS 7.0 are shown in Figure 2-5.
Svchost.exe
W3SVC
Performance
Monitoring
HTTP.sys
Manager

Figure 2-5

WAS
Process
Manager

Configuration
Manager

Listener Adapter Interface

W3SVC and WAS in IIS 7.0.
Download at Boykma.Com

36

Part I:

Foundation

In IIS 7.0, W3SVC acts as listener adapter for the HTTP listener, HTTP.sys. Listener adapters are components that establish communication between WAS and protocol listeners. WAS includes a listener adapter interface that provides communication with listener adapters.
W3SVC is responsible for configuring HTTP.sys, updating HTTP.sys when configuration changes, and notifying WAS when a request enters the request queue. Additionally, W3SVC continues to collect the counters for Web sites. However, it no longer reads configuration information from the configuration store or manages application pools and worker processes.
Instead, responsibilities for reading configuration and process activation and management are factored into WAS.
The changes in W3SVC service functionality between IIS 7.0 and IIS 6.0 are summarized in the following list:


Configuration management






In IIS 6.0, W3SVC reads configuration information from IIS 6.0 configuration store, the metabase.
In IIS 7.0, W3SVC no longer reads configuration information from configuration store. Instead, WAS reads the configuration info from IIS 7.0 configuration store, applicationHost.config, and then passes it to W3SVC.

HTTP.sys management






In IIS 6.0, W3SVC configures and updates HTTP.sys using configuration information it read from the metabase.
In IIS 7.0, W3SVC configures and updates HTTP.sys by using configuration information received from WAS. As a listener adapter for HTTP protocol, W3SVC owns communication between WAS and HTTP.sys.

Process management






In IIS 6.0, W3SVC manages application pools and worker processes, including starting, stopping, and recycling worker processes. Additionally, W3SVC monitors the health of the worker processes and invokes rapid fail detection to stop new processes from starting when several worker processes fail in a specified amount of time.
In IIS 7.0, W3SVC no longer has any responsibilities for managing worker processes. These responsibilities have been passed to WAS.

Performance monitoring


In IIS 6.0, W3SVC monitors performance and provides performance counters for
Web sites and for IIS cache.



In IIS 7.0, W3SVC continues to collect the counters for Web sites.

Download at Boykma.Com

Chapter 2: Understanding IIS 7.0 Architecture

37

Note

Because performance counters remain part of W3SVC, they are HTTP-specific and do not apply to WAS.

Windows Process Activation Service
The HTTP process activation model was introduced in IIS 6.0 with application pools. In IIS
7.0, this service has been extended and is called Windows Process Activation Service (WAS).
It is capable of receiving requests or messages over any protocol and supports pluggable activation of arbitrary protocol listeners.
In IIS 7.0, WAS manages application pool configuration and worker processes. W3SVC performs this function in IIS 6.0. WAS includes the following components, as shown in
Figure 2-5:


Configuration manager, which reads application and application pool configuration from configuration store.



Process manager, which maps application pools to existing worker processes and is responsible for starting new instances of W3wp.exe to host new application pools in response to activation requests.



Listener adapter interface, which defines how external listeners communicate activation requests they receive to WAS. For example, the W3SVC service owns the communication with HTTP.sys and communicates HTTP activation requests to WAS across the listener adapter interface.

On startup, the configuration manager in WAS reads information from the configuration store and then passes that information to the HTTP listener adapter, W3SVC, which is responsible for communication with the HTTP listener, HTTP.sys. After W3SVC receives configuration information, it configures HTTP.sys and prepares it to listen for requests.
The configuration manager in WAS obtains the following information from configuration store: ■

Global configuration information



Protocol configuration information



Application pool configuration, such as the process account information



Site configuration, such as bindings and applications



Application configuration, such as the enabled protocols and the application pools to which the application belongs

Download at Boykma.Com

38

Part I:

Foundation

If configuration changes, the configuration manager in WAS receives a notification and subsequently updates W3SVC with the new information. After W3SVC receives the new configuration, it updates and configures HTTP.sys. For example, when you add or delete an application pool, the configuration manager processes the configuration changes and communicates them to W3SVC, which updates HTTP.sys to add or delete the application pool queue.
The process manager in WAS is responsible for managing the worker processes, which includes starting the worker processes and maintaining information about the running worker processes. It also determines when to start a worker process, when to recycle a worker process, and when to restart a worker process if it becomes blocked and is unable to process any more requests.
When HTTP.sys picks up a client request, the process manager in WAS determines if a worker process is already running. If an application pool already has a worker process servicing requests, then HTTP.sys passes the request to the worker process for processing. If there is no worker process in the application pool, the process manager starts a new worker process so that HTTP.sys can pass the request for processing to that worker process.
In addition to HTTP, WAS supports other protocols. The same configuration and process model used for HTTP are made available to non-HTTP applications and services. We will look into this capability in the section titled “Non-HTTP Request Processing” later in this chapter.

Configuration Store
In IIS 6.0, configuration data is stored in the XML-based metabase. IIS 7.0 no longer uses the metabase. Instead, configuration settings are stored in a distributed XML file–based configuration system that combines both IIS and ASP.NET settings.
The distributed configuration hierarchy includes the global, computer-wide, .NET Framework configuration files machine.config and root web.config; the global IIS configuration file applicationHost.config; and distributed web.config configuration files located within the Web sites, applications, and directories, as shown in Figure 2-6.
Because configuration files are stored together with Web site and application content, this configuration system enables xcopy deployment of configuration alongside application code and content, allows the server administrator to delegate administration of sites and applications to users without administrative privileges on the server computer, and also provides an easy way for sharing configuration across a Web farm.
IIS global server-wide configuration is stored in the applicationHost.config file located in the
%SystemRoot%\system32\Inetsrv\Config folder. The WAS service obtains application pools and application configuration information from this file.

Download at Boykma.Com

Chapter 2: Understanding IIS 7.0 Architecture

machine.config
.NET Framework global configuration 39

applicationHost.config
IIS global configuration

root web.config
ASP.NET global configuration site web.config

application web.config

directory web.config

application web.config

directory web.config

Figure 2-6

directory web.config

IIS 7.0 distributed configuration store.

IIS 7.0 provides several administration tools and application programming interfaces (APIs) that read and write configuration in the IIS 7.0 configuration system. The configuration files are clear text-based XML files, so you can use Notepad to work with IIS 7.0 configuration if you really wish. However, even for simple web.config files, this is very much prone to error and better to be avoided.
To simplify administration tasks, IIS 7.0 provides redesigned, task-based, feature-focused IIS
Manager for graphical user interface (GUI)–based Web server management, and also offers a command line administration tool, Appcmd.exe. For programmatic access, there is a COM
API for managing configuration programmatically from C++ programs, and a .NET API,
Microsoft.Web.Administration, for .NET programs. Most of IIS Manager features are implemented using this new .NET API. An IIS 7.0 Windows Management Instrumentation (WMI) provider for scripting is provided as well, together with the legacy IIS 6.0 WMI provider that is available for backward compatibility with existing scripts.
Microsoft.Web.Administration API, Appcmd.exe, and the WMI provider are written on top of the COM API. This new administration stack is shown in Figure 2-7.
Download at Boykma.Com

40

Part I:

Foundation

IIS Manager

Microsoft.Web.
Administration

AppCmd.exe

WMI

COM API

config files

Figure 2-7

IIS 7.0 administration stack.

Note

For more information on the IIS 7.0 configuration system and global applicationHost.config file, refer to Chapter 4, “Understanding the Configuration System.”

The legacy configuration store, the metabase, is not a part of IIS 7.0. However, for backward compatibility, IIS 7.0 provides the optional Metabase Compatibility feature that installs the
IIS Administration Service (IISADMIN), which reads and writes the metabase in IIS 6.0.
The Metabase Compatibility feature also installs the Inetinfo.exe process, which hosts the
IISADMIN service. These two components provide the translation layer called the Admin
Base Objects (ABO) Mapper. The ABO Mapper supports the legacy ABO APIs for working with the metabase but stores configuration directly in the IIS 7.0 configuration files. If you do not install the Metabase Compatibility feature, IIS 7.0 does not use IISADMIN service or the
Inetinfo.exe process.

Worker Process
The role of a worker process is to process requests. A worker process is a self-contained longrunning user mode process that runs as an executable named w3wp.exe.
Each worker process provides the core Web server functionality. As a result of a request processing within the worker process, the response is generated and is subsequently returned to the client. Each worker process uses HTTP.sys to receive requests and to send responses.
One worker process serves one application pool. An application pool groups together one or more applications. Because of this, you can apply specific configuration settings to groups of applications and to the worker processes servicing those applications.
Each application runs within an application pool. An application pool can be served by a set of worker processes. A worker process can serve only one application pool. Multiple worker processes that serve different application pools can run concurrently, as shown in Figure 2-8.

Download at Boykma.Com

Chapter 2: Understanding IIS 7.0 Architecture

Application pool

Application pool

Application pool

w3wp.exe

w3wp.exe

w3wp.exe

AppDomain

AppDomain

AppDomain

AppDomain

AppDomain

AppDomain

AppDomain

AppDomain

41

AppDomain

Figure 2-8

Process and application isolation.

The worker process boundaries separate application pools, which enables all application code to run in an isolated environment so that individual applications can execute within a selfcontained worker process. The worker process isolation model was first introduced in IIS 6.0.
This model prevents applications running within one application pool from affecting applications in a different application pool on the server, providing sandboxing of applications.
Within a worker process, application domains provide application boundaries for .NET applications. Each .NET application runs in its own application domain (AppDomain), as shown in Figure 2-8. An application domain loads the application’s code when the application starts. Virtual directories within an application are served by the same AppDomain as the application to which they belong.

Direct from the Source: Application Pool Isolation in IIS 7.0
The application pool design introduced by IIS 6.0 has been the foundation of enabling greater security isolation of multiple applications and improving the fault-tolerance of the Web server. IIS 7.0 continues to leverage this concept, and it no longer provides support for the legacy IIS 5.0 Isolation Model. The majority of the features that made application pools successful with IIS 6.0 remain, including the ability to run each application pool with different credentials and configure intelligent health monitoring and recycling settings to maintain application reliability.
IIS 7.0 goes further, by providing automatic application pool isolation through automatically generated Security Identifiers (SIDs) for application pools, and automatically isolating server-level configuration such that it can only be read by the application pool it affects. This makes it easier than ever before to configure fully isolated Web applications by leveraging application pools.
In addition, IIS 7.0 in Windows Server 2008 delivers a number of performance improvements that significantly increase the number of application pools that can be configured

Download at Boykma.Com

42

Part I:

Foundation

and active on a single Web server, both through lower worker process footprint and intelligent worker process management features. These improvements make it easier for Web hosting providers to place each individual application into a separate application pool, in order to achieve the maximum security and fault isolation for those applications. Be sure to fully utilize the capabilities afforded by application pool isolation when designing your Web application infrastructure.
Mike Volodarsky
IIS Core Server Program Manager
Requests within each worker process can be executed in one of two different ways: in .NET
Integrated mode when both IIS and ASP.NET requests use the same integrated request processing pipeline, or in Classic mode when two separate pipelines are used for IIS and ASP.NET processing. You can configure an application pool to determine in which of the two modes to execute ASP.NET requests. In the next section, we will focus on the request processing architecture within worker processes serving the application pools.

Request Processing in Application Pool
In IIS 7.0, two modes are available for an application pool: Integrated mode and Classic mode.
When you configure an application pool with Integrated mode, IIS 7.0 processes ASP.NET requests using the integrated IIS and ASP.NET request processing pipeline. When you configure an application pool with Classic mode, IIS 7.0 processes ASP.NET requests using the separate IIS and ASP.NET request processing pipelines, as in IIS 6.0.
Application pools configured with different modes can run on the same server machine.
You can specify the mode for an application pool by configuring the Managed Pipeline Mode setting in IIS Manager.
To use IIS Manager to configure the ASP.NET processing mode for an application pool, perform the following steps:
1. In IIS Manager, expand the server node and select the Application Pools node in the
Connections pane.
2. On the Application Pools page, select the application pool you’d like to configure.

Download at Boykma.Com

Chapter 2: Understanding IIS 7.0 Architecture

43

3. In the Actions pane, under Edit Application Pool, select Basic Settings.
4. In the Edit Application Pool dialog box, in the Managed Pipeline Mode drop-down list, choose the desired mode (Integrated or Classic) and click OK.

Classic Mode
Classic mode in IIS 7.0 provides backward compatibility with IIS 6.0. When an application pool is in Classic mode, IIS 7.0 processes ASP.NET requests using two separate IIS and
ASP.NET request processing pipelines, as in IIS 6.0. To understand Classic mode in IIS 7.0, let’s first look into how ASP.NET requests are processed in IIS 6.0.
Figure 2-9 shows ASP.NET request processing in IIS 6.0. In IIS releases up to version 6.0,
ASP.NET connects to the Web server as a stand-alone application framework. In these releases, ASP.NET is implemented as an IIS Internet Server Application Programming
Interface (ISAPI) extension.

Download at Boykma.Com

44

Part I:

Foundation
Worker Process
HTTP Request

Begin Request

Authenticate Request
Basic
Authentication

Windows (NTLM)
Authentication

Anonymous
Authentication

aspnet_isapi.dll
Authenticate Request

Determine Handler
Static File

Forms
Authentication

ISAPI

Windows
Authentication

Map Handler

ASPX

Log Request

End Request

HTTP Response

Figure 2-9

ASP.NET request processing in IIS 6.0.

In IIS 6.0, the ASP.NET ISAPI extension (aspnet_isapi.dll) is responsible for processing the content types that are registered to it, such as ASPX and ASMX. For those requests, it offers powerful features, for example, Forms Authentication and Response Output Caching.
However, only content types registered to ASP.NET can benefit from these services. Other content types—including ASP pages, static files, images, and Common Gateway Interface
(CGI) applications—have no access to these features at all.
A request to an ASP.NET content type is first processed by IIS and then forwarded to aspnet_isapi.dll that hosts the ASP.NET application and request processing model. This effectively exposes two separate server pipelines, one for native ISAPI filters and extension components, and another for managed application components. ASP.NET components execute entirely inside the ASP.NET ISAPI extension and only for requests mapped to
ASP.NET in the IIS script map configuration. Requests to non-ASP.NET content, such as ASP pages or static files, are processed by IIS or other ISAPI extensions and are not visible to
ASP.NET.
In addition, even for ASP.NET resources, certain functionalities are not available to ASP.NET because of run-time limitations. For example, it is not possible to modify the set of outgoing
HTTP response headers before they are sent to the client because this occurs after the
ASP.NET execution path.
In IIS 7.0 in Classic mode, ASP.NET requests are also processed using the ASP.NET ISAPI extension, as shown in Figure 2-10. The core Web server in IIS 7.0 is fully componentized,
Download at Boykma.Com

45

Chapter 2: Understanding IIS 7.0 Architecture

whereas in IIS 6.0, it is monolithic. However, the ASP.NET requests in Classic mode are processed by asnet_isapi.dll in the same way as in IIS 6.0. After the request has been processed by asnet_isapi.dll, it is routed back through IIS to send the response.
Worker Process
HTTP Request
Basic
Authentication
Begin Request
Authenticate Request
Authorize Request

Windows
Authentication
Anonymous
Authentication
Static File

Execute Handler
ISAPI

aspnet_isapi.dll
Authenticate Request
Forms
Authentication

Windows
Authentication

Map Handler

Update Cache

ASPX

Log Request
End Request

HTTP Response

Figure 2-10 ASP.NET request processing in Classic mode in IIS 7.0.

Classic mode in IIS 7.0 has the same major limitations as ASP.NET processing in the IIS 6.0. In summary, these limitations are as follows:


Services provided by ASP.NET modules are not available to non-ASP.NET requests.



Some processing steps are duplicated, such as authentication.



Some settings must be managed in two locations, such as authorization, tracing, and output caching.



ASP.NET applications are unable to affect certain parts of IIS request processing that occur before and after the ASP.NET execution path due to the placement of the ASP.NET
ISAPI extension in the server pipeline.

Classic mode is provided only for backward compatibility with IIS 6.0. Simply put, you should add an application to an application pool in Classic mode only if the application fails to work in Integrated mode.

Download at Boykma.Com

46

Part I:

Foundation

Note

For more information on application compatibility in IIS 7.0, see Chapter 11, “Hosting
Application Development Frameworks.”

.NET Integrated Mode
When an application pool is configured with .NET Integrated mode, you can take advantage of the integrated request processing architecture of IIS 7.0 and ASP.NET.
In IIS 7.0, ASP.NET run time is integrated with the core Web server. The IIS and ASP.NET request pipelines are combined, providing a unified (that is, integrated) request processing pipeline that is exposed to both native and managed modules.
The IIS 7.0 request processing pipeline is implemented by the core Web server engine. It enables multiple independent modules to provide services for the same request. All of the
Web server features are implemented as stand-alone modules. There are over 40 separate native and managed modules. Each module implements a particular Web server feature or functionality, such as logging or output caching.
Note

For the full list of IIS 7.0 built-in modules, both native and managed, refer to
Appendix C, “IIS 7.0 Modules Listing.”

Native modules are implemented as dynamic-link libraries (DLLs) based on public IIS 7.0
C++ extensibility APIs. Managed modules are implemented as managed .NET Framework classes based on the ASP.NET integration model in IIS 7.0. (IIS 7.0 has integrated the existing
IHttpModule API for ASP.NET.) Both of these APIs enable modules to participate in the IIS 7.0 request processing pipeline and access all events for all requests.
An IIS 7.0 integrated request processing pipeline is shown in Figure 2-11. A pipeline is an ordered list consisting of native and managed modules that perform specific tasks in response to requests. When a worker process in an application pool receives a request from HTTP.sys, the request passes through an ordered list of stages. As a result of processing, the response is generated and sent back to HTTP.sys.
Each stage in the pipeline raises an event. Native and managed modules subscribe to events in the stages of the pipeline that are relevant to them. When the event is raised, the native and managed modules that subscribe to that event are notified and do their work to process the request. The pipeline event model enables multiple modules to execute during request processing. Download at Boykma.Com

Chapter 2: Understanding IIS 7.0 Architecture
HTTP Request

47

Worker Process

Begin Request
Authenticate Request
Authorize Request
Resolve Cache
Map Handler
Acquire State
Static File
Pre-execute Handler
ASPX
Execute Handler
ISAPI
Release State
CGI
Update Cache
Log Request
End Request

HTTP Response

Figure 2-11 IIS 7.0 integrated processing pipeline.

Most of the pipeline events are intended for a specific type of task, such as authentication, authorization, caching, and logging. The following list describes stages and corresponding events in the request processing pipeline:


Begin Request stage This stage starts request processing. The BeginRequest event is

raised.


Authenticate Request stage



Authorize Request stage



Resolve Cache stage At this stage, ResolveRequestCache event is raised. This stage checks

This stage authenticates the requesting user. The
AuthenticateRequest event is raised.

At this stage, the AuthorizeRequest event is raised. This stage checks access to the requested resource for the authenticated user. If access is denied, the request is rejected. to see if the response to the request can be retrieved from a cache.



At this stage, the MapRequestHandler event is raised. This stage determines the handler for the request.
Map Handler stage

Download at Boykma.Com

48

Part I:

Foundation



Acquire State stage At this stage, the AcquireRequestState event is raised. This stage retrieves the required state for the request.



Pre-execute Handler stage



Execute Handler stage At this stage, the ExecuteRequestHandler event is raised. The handler executes and generates the response.



Release State stage At this stage, the ReleaseRequestState event is raised. This stage

At this stage, the PreExecuteRequestHandler event is raised. This stage signals that the handler is about to be executed and performs the preprocessing tasks if needed.

releases the request state.


Update Cache stage This stage updates the cache. The UpdateRequestCache event is

raised.


Log Request stage



End Request stage

At this stage, the request is logged. The LogRequest event is raised.

At this stage, the EndRequest event is raised, which signals that the request processing is about to complete.

Modules that subscribe to an event provide specific services appropriate for the relevant stage in the pipeline. For example, Figure 2-12 shows several native and managed modules that subscribe to the AuthenticateRequest event at the Authenticate Request stage, such as the Basic
Authentication module, the Windows Authentication module, the ASP.NET Forms Authentication module, and the Anonymous Authentication module. Basic, Windows, and Anonymous Authentication modules are native modules, whereas Forms Authentication is a managed module.
.NET integrated pipeline provides several key advantages over previous versions of IIS, as follows: ■

Allowing services provided by both native and managed modules to apply to all requests. All file types can use features that in IIS 6.0 are available only to managed code. For example, you can now use ASP.NET Forms authentication and Uniform Resource
Locator (URL) authorization for static files, ASP files, CGI, static files, and all other file types in your sites and applications.



Eliminating the duplication of several features in IIS and ASP.NET.
For example, when a client requests a managed file, the server calls the appropriate authentication module in the integrated pipeline to authenticate the client. In previous versions of IIS, this same request goes through an authentication process in both the IIS pipeline and the ASP.NET pipeline. Other unified IIS and ASP.NET functionality includes URL authorization, tracing, custom errors, and output caching.

Download at Boykma.Com

Chapter 2: Understanding IIS 7.0 Architecture


49

Managing all of the modules in one location, thus simplifying site and application administration on the server.
Instead of managing some features in IIS and some in the ASP.NET configuration, there is a single place to implement, configure, monitor, and support server features. For example, because of the run-time integration, IIS and ASP.NET can use the same configuration for enabling and ordering server modules, as well as configuring handler mappings.



Extending IIS with ASP.NET managed modules.
IIS 7.0 enables ASP.NET modules to plug directly into the server pipeline, in the same way as modules developed with the native C++ IIS API. ASP.NET modules can execute in all run-time stages of the request processing pipeline and can be executed in any order with respect to native modules. The ASP.NET API has also been expanded to allow for more control over request processing than was previously possible.

HTTP Request

Worker Process
Basic
Authentication

Begin Request
Authenticate Request
Authorize Request
Resolve Cache
Map Handler

Windows
Authentication
Forms
Authentication
Anonymous
Authentication

Acquire State
Pre-execute Handler
Execute Handler
Release State
Update Cache
Log Request
End Request

HTTP Response

Figure 2-12 Native and managed modules in the integrated processing pipeline.

Note

For more information on extending IIS 7.0, refer to Chapter 12, “Managing Web Server
Modules.”
Download at Boykma.Com

50

Part I:

Foundation

How ASP.NET Integration Is Implemented
Though native and managed modules implement the same logical module concept, they use two different APIs. To enable an integrated pipeline model for both native and managed modules, IIS 7.0 provides a special native module called Managed Engine. The Managed
Engine module in effect provides an integration wrapper for ASP.NET modules that enables these managed modules to act as if they were native IIS modules and handlers. It acts as a proxy for event notifications and propagates a required request state to the managed modules.
Together with the ASP.NET engine, it sets up the integrated pipeline and is also responsible for reading the managed modules and handlers configuration.
When a request requires a managed module, the Managed Engine module creates an
AppDomain where that managed module can perform the necessary processing, such as authenticating a user with Forms authentication. Figure 2-13 shows the Managed Engine module, with the managed Forms Authentication module executing within an AppDomain.
Worker Process
HTTP Request

AppDomain

Begin Request
Authenticate Request

Managed
Engine

Forms
Authentication

Authorize Request

Update Cache
Log Request
End Request

HTTP Response

Figure 2-13 Managed Engine module.

All managed modules are dependent on the Managed Engine module, and they cannot execute without it. For the integrated pipeline and ASP.NET applications to work, the
Managed Engine module must be installed and enabled in IIS 7.0.
In Windows Server 2008, the Managed Engine module is installed as a part of the Role Service component and .NET Extensibility Component. In Windows Vista, it is installed as a part of the .NET Extensibility component.
Download at Boykma.Com

Chapter 2: Understanding IIS 7.0 Architecture

Note

51

For more information on ASP.NET integration, refer to Chapter 12.

Module Scope
Modules can be installed and enabled on different levels. Modules that are enabled on the server level provide a default feature set for all applications on the server. The IIS global configuration store, applicationHost.config, provides the unified list of both native and managed modules. Each time WAS activates a worker process, it gets the configuration from the configuration store, and the worker process loads all globally listed modules.
Native modules can be installed only at the server level. They cannot be installed at the application level. At the application level, the global native modules that are enabled at the server level can be removed, or those that are installed but not enabled globally can be enabled for that application.
Managed modules can be added at the server, site, and application levels. Application-specific modules are loaded upon the first request to the application. Application managed modules can be xcopy-deployed together with other application files.
You can manage both native and managed modules using the Modules feature in IIS Manager.
Note

For more information on managing modules, refer to Chapter 12.

Module Ordering
The pipeline model ensures that the typical Web server processing tasks are performed in the correct order. For example, authentication must happen before authorization: authenticating the user associated with a request at the Authenticate Request stage has to happen before checking that user’s access to the requested resource at the Authorize Request stage.
The server uses the sequence of modules list in the configuration section to order module execution within each request processing stage. By executing during the relevant stage, the majority of modules automatically avoid ordering problems. However, multiple modules that execute within the same stage may have ordering dependencies. For example, the built-in authentication modules that run at the Authenticate Request stage should be executed in the strongest to weakest order so that the request is authenticated with the strongest credentials available.
To manage ordering dependencies, the administrator can control the ordering of modules by changing the order in which they are listed in the section. This can be done, for example, using the Modules feature in IIS Manager.

Download at Boykma.Com

52

Part I:

Foundation

To view, and optionally change, the ordered list of modules for a server, perform the following steps:
1. In IIS Manager, in the Connections pane, select the server node.
2. In the server’s home page, open the Modules feature.

3. In the Actions pane, click View Ordered List.

4. You can change a position of a module in the processing sequence by selecting the module and then using Move Up and Move Down options in the Action pane to move it to the desired position in the list.

Download at Boykma.Com

Chapter 2: Understanding IIS 7.0 Architecture

53

Note

For information about the default order of built-in modules, refer to Appendix D,
“Modules Sequence.”

Non-HTTP Request Processing
In IIS 7.0, WAS supports non-HTTP protocols, enabling you to use IIS to host non-HTTP– based applications and services. The WAS process model generalizes the process model for the HTTP server by removing the dependency on HTTP. Because WAS manages application pool configuration and worker processes in IIS 7.0, the same configuration and process model that is used for HTTP can be used for non-HTTP applications. All IIS process management features, such as on-demand activation, process health monitoring, enterprise-class manageability, and rapid failure protection, are available to non-HTTP–based applications and services in IIS 7.0.
To support services and applications that use protocols other than HTTP and HTTPS, you can use technologies such as Windows Communication Foundation (WCF). The WAS process model enables WCF-based applications and services to use both HTTP and non-HTTP protocols in a hosting environment that supports message-based activation and offers the ability to host a large number of applications on a single machine. Windows Communication
Foundation ships with protocol adapters that can leverage the capabilities of the WAS, improving the reliability and resource use of WCF services.
WAS is capable of receiving requests or messages over any protocol, and it supports pluggable activation of arbitrary protocol listeners. Protocol listeners receive protocol-specific requests, send them to IIS for processing, and then return responses to requestors. With WCF, a listener adapter includes the functionality of a protocol listener. Figure 2-14 shows WAS with listener adapters for non-HTTP protocols.

Svchost.exe
WAS
Process
Manager

Configuration
Manager

Listener Adapter Interface

TCP Listener
Adapter

Named Pipes
Listener
Adapter

MSMQ
Listener
Adapter

Figure 2-14 Non-HTTP protocol support in WAS.
Download at Boykma.Com

54

Part I:

Foundation

Listener adapters are Windows services that receive messages on specific network protocols and communicate with WAS to route incoming requests to the correct worker process. The listener adapter interface is used to communicate activation requests that are received over the supported non-HTTP protocols. There are several non-HTTP listener adapters, as follows:


NetTcpActivator for TCP protocol



NetPipeActivator for Named Pipes



NetMsmqActivator for Message Queuing (also known as MSMQ)

If you do not need HTTP functionality, you can actually run WAS without W3SVC. For example, you can manage a Web service through a WCF listener adapter, such as NetTcpActivator, without running W3SVC if you do not need to listen for HTTP requests in
HTTP.sys.
The global IIS configuration store, applicationHost.config, can contain configuration for nonHTTP protocols. For example, a TCP listener adapter, NetTcpActivator, can be configured based on information that WAS reads from configuration store. After NetTcpActivator is configured, it listens for requests that use the TCP protocol. When a listener adapter receives a request, WAS starts a worker process so that the listener adapter can pass the request to it for processing. This architecture is shown in Figure 2-15. applicationHost.config Svchost.exe

w3wp.exe
AppDomain

WAS
Configuration
Manager

Process
Manager

AppDomain

Listener Adapter Interface
AppDomain

NetTcpActivator

Figure 2-15 Non-HTTP processing in IIS 7.0.

Because WAS manages processes for both HTTP and non-HTTP protocols, you can run applications with different protocols in the same application pool. For example, you can host an application over both HTTP and TCP protocols.
In addition to being protocol independent, the WAS process model in IIS 7.0 provides all types of message-activated applications with intelligent resource management, on-demand
Download at Boykma.Com

Chapter 2: Understanding IIS 7.0 Architecture

55

process activation, health-monitoring, and automatic failure detection and recycling. It allows these applications to take advantage of the IIS process model without requiring the deployment footprint of a full IIS installation.
Note

For more information on listener adapters, see the article titled “WAS Activation
Architecture” at http://go.microsoft.com/fwlink/?LinkId=88413.

Summary
In this chapter, we looked at the end-to-end request processing architecture of IIS 7.0. IIS 7.0 includes several core components that work together to execute the HTTP request. These components are as follows:


HTTP.sys, the kernel-level HTTP protocol listener



World Wide Web Publishing Service (W3SVC), the HTTP listener adapter



Windows Process Activation Service (WAS), which provides process activation and management ■

Configuration store, the distributed XML file–based configuration hierarchy that contains both IIS and ASP.NET settings



Worker process, w3wp.exe, the self-contained user mode process that executes HTTP requests and generates responses

Each worker process serves one application pool. An application pool can be configured in one of two Managed Pipeline modes: Integrated mode and Classic mode. Depending on this configuration setting, an ASP.NET request can be executed in one of two ways within the worker process that serves the application pool:


In the Integrated mode, IIS and ASP.NET processing is unified into an integrated processing pipeline.



In the Classic mode, IIS and ASP.NET pipelines are separate, as in IIS 6.0.

The integrated processing pipeline provides the foundation for IIS 7.0 modular architecture. It exposes the request to more than 40 built-in, self-contained native and managed modules that implement the Web server functionality. The key benefits of the integrated processing pipeline are as follows:


Enabling services provided by both native and managed modules to apply to all content types ■

Eliminating duplication of features in IIS and ASP.NET

Download at Boykma.Com

56

Part I:

Foundation



Managing all of the modules in one location, thus simplifying site and application administration on the server



Extending IIS with ASP.NET managed modules

In addition to executing HTTP requests, IIS 7.0 supports hosting of non-HTTP applications and services that can take advantage of its process model.
On the Disc

Browse the CD for additional tools and resources.

Additional Resources
These resources contain additional information and tools related to this chapter:


For more information about IIS 7.0 configuration system, refer to Chapter 4,
“Understanding the Configuration System.”



For more information about application compatibility, refer to Chapter 11, “Hosting
Application Development Frameworks.”



For more information about integrated processing pipeline and managing Web server modules, refer to Chapter 12, “Managing Web Server Modules.”



For a full list of IIS 7.0 native and managed modules, refer to Appendix C, “IIS 7.0
Modules Listing.”



For the default sequence of IIS 7.0 built-in modules, refer to Appendix D, “Modules
Sequence.”



For more information on listener adapters, see the article titled “WAS Activation
Architecture” at http://go.microsoft.com/fwlink/?LinkId=88413.

Download at Boykma.Com

Chapter 3

Understanding the Modular
Foundation
In this chapter:
Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Key Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Built-in Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
What does modular core mean to Microsoft Internet Information Services (IIS) 7.0? How does it make IIS 7.0 the most powerful Microsoft Web server ever? And what are the built-in modules shipped with IIS 7.0? No worries—by the end of this chapter, you will be able to answer all these questions and have a clear understanding of the new design concept behind
IIS 7.0. You will take a look at the idea of componentized design in IIS 7.0, the intentions behind the revamped architecture, and the advantages of the design. You’ll also get detailed information about the built-in modules that ship with IIS 7.0.

Concepts
One of the core changes for IIS 7.0 is its component-based architecture, which incorporates lessons learned from IIS 6.0 and feedback from customers. IIS 7.0 debuts with a completely redesigned architecture; the Web server core is now broken down into discrete components called modules. For the first time, as a Web administrator, you have the power to custom build an IIS server according to your requirements. You can easily add built-in modules whenever they are needed or, even better, add or replace functionality with modules of your own design, produced commercially or provided by the developer community on IIS.net. In this way, the modular engine enables you to achieve exactly the functionality you want from the Web server and at the same time provides flexibility so that you can remove unwanted modules to better lock down the Web server.
Although the main modularity point in IIS 7.0 is the Web server itself, features throughout the entire platform are implemented as modules. The administration stack, for example, is modular. For detailed information about extensibility of the IIS 7.0 Web server and the administration stack, see Chapter 12, “Managing Web Server Modules,” and Chapter 13,
“Managing Configuration and User Interface Extensions.”
Download at Boykma.Com

57

58

Part I:

Foundation

The Ideas
A module resembles a brick in a child’s LEGO toy set, which comes with bricks in many different colors and shapes. When combined with additional bricks from other sets, you can assemble many different structures in a variety of shapes. IIS 7.0 uses the same idea in the design of its framework foundation. By using modules as the building blocks, this pluggable architecture combined with the flexible configuration system and an extensible user interface
(UI) make it possible to add or remove any capability to craft a server that fits the specific needs of your organization. This new and open design is revolutionary for Microsoft and opens new doors for the Web platform.

How It Works: The Modular Design
IIS 7.0 ships with many different modules. Each module is a component (but not in the
Component Object Model [COM] sense) that provides services to the Web server’s
HTTP request processing pipeline. For example, StaticFileModule is the module that handles all static content such as HTML pages, image files, and so on. Other modules provide capabilities for dynamic compression, basic authentication, and the other features you typically associate with IIS. Modules are discretely managed in IIS 7.0. They can easily be added to or removed from the core engine via the new configuration system.
Internally, the IIS Web server core provides the request processing pipeline for modules to execute. It also provides request processing services, whereby modules registered in the processing pipeline are invoked for processing requests based on registered event notifications. As an administrator, you cannot control which events the modules are coded to use. This is done in the code within the module. However, you have the ability to control which modules are loaded globally, and you can even control which modules are loaded for a specific site or application. For details about how to control module loading, see Chapter 12.
Each time the IIS 7.0 worker process starts, it reads the server configuration file and loads all globally listed modules. Application modules are loaded at the time of the first request to the application. It is the modular design and configuration system that make it easy for you to plug in, remove, and replace modules in the request pipeline, offering full extensibility to the IIS 7.0 Web server.

Types of Modules
IIS 7.0 ships with approximately 40 modules, including security-related authentication modules and modules for content compression. Modules build up the feature sets of the Web server, and the Web application is made up of many modules servicing the requests. In terms of roles, modules can be categorized as providing either request services such as compression and authentication or request handling such as delivering static files, ASP.NET pages, and
Download at Boykma.Com

Chapter 3:

Understanding the Modular Foundation

59

so on. Regardless of their roles, modules are the key ingredients to IIS 7.0. Developers can create two types of IIS modules:


Managed modules A managed module is a .NET Framework component based on the
ASP.NET extensibility model. With the IIS 7.0 integrated processing architecture,
ASP.NET application services are no longer restricted to requests for .ASPX pages or other content mapped to ASP.NET. The managed modules are plugged in directly to the
Web server’s request processing pipeline, making them as powerful as the modules built using the native extensibility layer in IIS 7.0. In order to use services provided by
ASP.NET modules for all requests, your application must run in an application pool that uses Integrated mode. This integration is possible via the ManagedEngine module, which provides the .NET integration into the request processing pipeline. Managed modules are loaded globally only when the application pool is marked as integrated. For more information about the new integrated pipeline processing mode, see Chapter 12.



Native modules A native module is a Microsoft Windows dynamic-link library (DLL) typically written in C++ that provides request processing services. In IIS 7.0, a new set of native server (C++) application programming interfaces (APIs) have replaced the
Internet Server API (ISAPI) filters and extension APIs provided by earlier versions of IIS.
These new APIs are developed in an object-oriented model and are equipped with more powerful interfaces that give you more control when it comes to processing requests and handling responses. Developers familiar with ISAPI and the new native module APIs have been very positive about how much easier it is now to code using native code than in previous versions of IIS.

Note

For details on how to write native modules, see “How to Build a Native Code IIS7
Module Using C++” at http://www.iis.net/go/938.

Developers can manage and configure native and managed modules the same way in IIS 7.0, with the exception of how they deploy the modules. Native modules are installed globally on the server, and can be enabled or disabled for each application. Managed modules can be enabled globally or provided by each application. For more information about the deployment of modules, see Chapter 12.

Modules and Configuration
For modules to provide certain features or services to IIS 7.0, the modules must be registered in the configuration system. This section of the book looks at the relationship between modules and various sections in the configuration file, and it provides a high-level overview of the module settings in the configuration store. For more information about the IIS 7.0

Download at Boykma.Com

60

Part I:

Foundation

configuration system, which is based on Extended Markup Language (XML), see Chapter 4,
“Understanding the Configuration System.”
Inside the section of the ApplicationHost.config file (the main server configuration file), there are three different sections related to modules:


Configurable at the server level only, this section defines all native code modules that will provide services for requests. The module declaration in the configuration section also specifies the related DLL file that provides the module’s features. All native modules must be defined or registered in this section before they can be turned on or enabled for application usage as defined in the section.
// Example of configuration section

...

...



Configurable at the server level and the application level, this section defines modules enabled for the application. Although native modules are registered in the section, native modules must be enabled in the section before they can provide their services for requests to applications. Managed code modules, however, can be added directly to the section. For example, you can add a custom managed basic authentication module to an application’s Web.config file or you can deploy the ApplicationHost.config file at the server level.

// Example of configuration section

...

...



Configurable at the server level, the application level, and the Uniform
Resource Locator (URL) level, this section defines how requests are handled. It also maps handlers based on the URL and HTTP verbs, specifying the appropriate module that supports the related handler. By parsing the handler mapping configuration, IIS 7.0 determines which modules to call when a specific request comes in.

// Example of configuration section

...

Download at Boykma.Com

Chapter 3:

Understanding the Modular Foundation

61

...

Key Benefits
The modular architecture in IIS 7.0 offers many advantages compared with previous versions of IIS. This section outlines the benefits derived from this design. It also provides scenarios illustrating how a Web administrator can take advantage of these benefits while building a robust Web server.

Security
Security is of the utmost concern when it comes to today’s Web applications. IIS 6.0 is not installed by default except in the Windows Server 2003 Web Server edition. The IIS 6.0 default installation serves static content only. All other functionality is disabled. IIS 7.0 reflects the Web server’s modular nature, enabling the user to install only the modules that are required for the application. Binaries that comprise the other features are not installed, but instead are kept in a protected operating system installation cache. This means that you will not be prompted for a CD or asked to point to a source location when installing new updates or adding features. The binaries that you are not using are not loaded by the IIS worker processes; rather, they are quarantined so that they cannot be accessed. When security updates from Microsoft are applied, the features that have not been installed will be fully updated in the installation cache. This can eliminate the need to reapply service packs when you install new features later.
From the security perspective, the modular design brings several key advantages including:


Minimized attack surface By giving you the power to install only those components that are needed, IIS 7.0 directly minimizes the areas of possible attack. The attack points are limited to the installed components because the binaries exist only for the installed components. Because only the installed components can be subject to potential exploits, this is the best defense. For example, with the IIS 7.0 default installation, about
10 components are installed to support internal IIS logging and management as well as serving static content requests. Technically speaking, these are the only surfaces that are exposed for potential attack.



Reduced maintenance overhead Modular design not only provides new flexibility when adding, removing, and even replacing components, it also provides a new maintenance experience through opt-in patching. You need apply fixes or patches only to required or installed components. Unused components or modules that have not
Download at Boykma.Com

62

Part I:

Foundation

been installed do not require immediate attention, and no downtime is required when patching components that are not installed. It also means that fewer administrative tasks are needed for routine maintenance and upgrades. For example, if an IIS 7.0 server uses
Windows authentication only for its applications, only Windows authentication module patches are applicable to the server. On the other hand, if Basic authentication module is subject to a known exploit, immediate patching is not required because the module is not in use. Note, however, that Microsoft recommends that you apply all patches to ensure that modules and features you are not using will be current in the event they are installed later.
Important

Microsoft recommends that you apply all patches to the server. When patching components that aren’t in use, the server doesn’t have to experience any downtime. If the components are eventually installed, the latest versions of their binaries will be used automatically, and there is no need to reapply any patches.



Unified Security Model IIS 7.0 is now better integrated with ASP.NET. Having both

IIS 7.0 native modules and ASP.NET managed modules running in the same request pipeline yields many benefits including unifying the configuration system and security models for both IIS and ASP.NET. From the security perspective, ASP.NET advanced security services can be plugged in directly to the IIS main request processing pipeline and used together with the security features that IIS offers. In short, with IIS 7.0, it is now possible to configure ASP.NET security services for non-ASP.NET requests. For example, with earlier versions of IIS, if an application consists of both PHP and ASP.NET resources, ASP.NET Forms authentication can be applied to only ASP.NET resources.
With the IIS 7.0 integrated process model, it is now possible to have Forms authentication for PHP, ASP.NET, as well as other types of resources such as static content (HTML,
Images) and ASP pages.

Direct from the Source: The Most Secure Web Server in the World
The first time we presented IIS 7.0 to a large audience was also my first TechEd breakout session, hosted at TechEd 2005. My first demo showcased the componentization capabilities of IIS 7.0 by showing off what we jokingly called “the most secure Web server in the world.”
As part of the demo, I walked through how to edit the configuration in the ApplicationHost.config file, removing all of the modules and handler mappings. After saving the file, IIS automatically picked up the changes and restarted, loading absolutely no modules. After making a request to the default Web site, I would swiftly get back an empty 200 response (this configuration currently returns a 401 Unauthorized error because no authentication modules are present). The server had no modules loaded and therefore would perform virtually no processing of the request and return no
Download at Boykma.Com

Chapter 3:

Understanding the Modular Foundation

63

content, thus truly becoming the most secure Web server in the world. After a pause, I commented that, though secure, this server was also fairly useless, and then I segued into adding back the functionality that I needed for my application.
I had done this demo earlier for internal audiences to much acclaim, but I will always remember the audience reaction during that TechEd session. The people in the audience went wild, some even breaking into a standing ovation. This was a resounding confirmation of our efforts to give administrators the ability to start from nothing, building up the server with an absolutely minimal set of features to produce a simple-to-manage Web server with the least possible surface area.
Mike Volodarsky
IIS7 Core Server Program Manager

Performance
With its componentized architecture, IIS 7.0 provides very granular control when it comes to the Web server memory footprint. Modules are loaded into memory only if they are installed and enabled. By removing unnecessary IIS 7.0 features, fewer components are loaded in the processing pipeline—in other words, fewer steps are needed to fulfill incoming requests and, therefore, overall server performance improves. At the same time, by reducing memory usage for the IIS 7.0 server, more free memory space is available for the Web application and operating system. For example, in IIS 6.0, all authentication providers (Anonymous,
Windows, Digest, and so on) are loaded in the worker process. In IIS 7.0, only the necessary authentication modules are loaded and included in the request processing. For more details on removing modules you do not require, see Chapter 12.

Extensibility
In earlier versions of IIS, extending or adding IIS features is not easy, because it can be done only through ISAPI programming with limited API support and limited access to information in the request processing pipeline. With the new modular-based engine and the tight integration between ASP.NET and IIS, extending IIS 7.0 is much easier. IIS 7.0 modules can be developed with the new native Web Server C++ API or using the ASP.NET interfaces and the functionality of the .NET Framework. Not only are you able to decide which features to include in the Web server, but you can also extend your Web server by adding your own custom components to provide specific functionality.
For example, you can develop an ASP.NET basic authentication module that uses the Membership service and a SQL Server user database in place of the built-in IIS Basic authentication feature that works only with Windows accounts. In short, you can build your own custom server to deliver the feature sets your applications require. You might, for example, deploy a set of IIS 7.0 servers just for caching purposes, or you might deploy a custom module to perform a specific function in an application such as implementing your own ASP.NET
Download at Boykma.Com

64

Part I:

Foundation

application load balancing algorithm based on customer requirements. For more information on customizing modules in IIS 7.0, see Chapter 12.

Built-in Modules
Modules shipped with IIS 7.0 are grouped into different categories according to the roles of the services they provide. Table 3-1 highlights the different service categories and lists sample built-in modules within those categories. A complete list of modules is included in Appendix C,
“Module Listing.”
Table 3-1

Module Categories

Category
Application Development

Module
CgiModule (%windir%\system32\inetsrv\cgi.dll)
Facilitates support for Common Gateway Interface (CGI) programs
FastCgiModule (%windir%\system32\inetsrv\iisfcgi.dll)
Supports FastCGI, which provides a high-performance alternative to old-fashioned CGI-based programs
System.Web.SessionState.SessionStateModule (ManagedEngine)
Provides session state management, which enables storage of data specific to a single client within an application on the server

Health and Diagnostics

FailedRequestsTracingModule (%windir%\system32\inetsrv\iisfreb.dll)
More commonly known as Failed Request Event Buffering (FREB), this module supports tracing of failed requests; the definition and rules defining a failed request can be configured
RequestMonitorModule (%windir%\system32\inetsrv\iisreqs.dll)
Implements the Run-time State and Control API (RSCA), which enables its consumers to query run-time information such as currently executing requests, the start or stop state of a Web site, or currently executing application domains

HTTP Features

ProtocolSupportModule (%windir%\system32\inetsrv\protsup.dll)
Implements custom and redirect response headers, handles HTTP
TRACE and OPTIONS verbs, and supports keep-alive configuration

Performance

TokenCacheModule (%windir%\system32\inetsrv\cachtokn.dll)
Caches windows security tokens for password-based authentication schemes (anonymous authentication, basic authentication, and IIS client certificate authentication).
System.Web.Caching.OutputCacheModule (ManagedEngine)
Defines the output caching policies of an ASP.NET page or a user control contained in a page

Download at Boykma.Com

Chapter 3:

Table 3-1

Understanding the Modular Foundation

65

Module Categories

Category

Module

Security

RequestFilteringModule (%windir%\system32\inetsrv\modrqflt.dll)
Provides URLSCAN-like functionality in IIS 7.0 by implementing a powerful set of security rules to reject suspicious requests at a very early stage
UrlAuthorizationModule (%windir%\system32\inetsrv\urlauthz.dll)
Supports rules-based configurations for content authorization
System.Web.Security.FormsAuthenticationModule (ManagedEngine)
Implements ASP.NET Forms authentication against requested resources Server Components

ConfigurationValidationModule (%windir%\system32\inetsrv\ validcfg.dll) Responsible for verifying IIS 7.0 configuration, such as when an application is running in Integrated mode but has handlers or modules declared in the section
ManagedEngine/ManagedEngine64 (webengine.dll)
Managed Engine has a special place within all the other modules because it is responsible for integrating IIS with the ASP.NET run time

For more information regarding the module configuration store, module dependencies, and potential issues when a module is removed, see Appendix C.

Summary
The key features delivered by IIS 7.0 come from its modular design. This is the first time Web administrators have full control over the IIS server. It is also the first version of IIS that is fully extensible. It provides a unified request processing model that integrates ASP.NET and IIS.
Modules are fundamental building blocks in IIS 7.0 server. IIS 7.0 provides numerous ways to manage modules (the basic units of the IIS feature set) so that you can implement efficient low-footprint Web servers optimized for a specific task. By choosing the right set of modules, you can enable a rich set of functionality on your server, or you can remove features you do not need so as to reduce the security surface area and improve performance. In Chapter 12, you can learn more about the different types of modules IIS 7.0 supports, how they work, and how to properly deploy and manage them in the IIS environment.

Additional Resources
These resources contain additional information and tools related to this chapter:


Chapter 4, “Understanding the Configuration System,” for information about the new
XML–based configuration system and important configuration files in IIS 7.0.
Download at Boykma.Com

66

Part I:

Foundation



Chapter 12, “Managing Web Server Modules,” for information about modules loading and managing modules in IIS 7.0.



Chapter 13, “Managing Configuration and User Interface Extensions,” for information about extending the IIS 7.0 configuration system.



Chapter 14, “Implementing Security Strategies,” for information about security strategies.



Appendix C, “Module Listing,” for information about the complete detail of each built-in module that shipped in IIS 7.0.



“Develop a Native C\C++ Modules for IIS 7.0” article on the Web Resource page at http://www.iis.net/go/938. Download at Boykma.Com

Chapter 4

Understanding the
Configuration System
In this chapter:
Overview of the Configuration System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Editing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Managing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

On the Disc

Browse the CD for additional tools and resources.

Many of the new features and capabilities of Internet Information Services (IIS) 7.0 can be attributed to its entirely new configuration system. The metabase of old has been transformed into a .NET configuration–inspired system that is much easier on many levels to support. The new design provides the basis for delegated configuration, centralized configuration,
ASP.NET integration, xcopy deployment of configuration, and many other benefits.
In many cases, the IIS 7.0 configuration system will “just work,” and you won’t need to know what’s going on behind the scenes. However, when you add flexibility to a system, you often introduce complexity, which is the case with the IIS 7.0 configuration system. This chapter details the configuration’s operation so that you’ll have a thorough understanding of what’s going on.
As shown in Figure 4-1, the configuration of IIS 7.0 as a whole is composed of several systems that work both together and independently. For administrators with an understanding of the .NET configuration files and how they work, IIS 7.0 configuration is a quick study. If your only exposure to IIS configuration has been using a tool such as Metabase Explorer, then there’s a bigger—but worthwhile—learning curve.

Download at Boykma.Com

67

68

Part I:

Foundation

asp.NET
Machine.config

Root Web.config

IIS 7.0

applicationHost.config

IIS_schema.xml

Figure 4-1

Site Web.config












Application Web.config












.xml

The IIS 7.0 configuration system.

Overview of the Configuration System
The IIS 7.0 configuration system is in many ways a complete departure from the metabase, the configuration model that previous IIS versions use. The new architecture reflects requirements that the IIS 7.0 configuration system be more manageable and flexible in supporting key deployment scenarios.
The IIS 7.0 configuration system is based on a hierarchy of XML configuration files, which contain structured XML data that describes the configuration information for IIS and its features. This hierarchy includes the .NET Framework configuration files, machine.config and root web.config; the main IIS configuration file called applicationHost.config; and distributed web.config configuration files located inside the Web site directory structure. One key benefit of this hierarchy is the ability to unify the location of IIS and ASP.NET configuration information. The other is the ability to include IIS configuration together with the Web site’s content, which makes the Web site portable and alleviates the need to have administrative privileges to deploy the Web site.
The configuration files in the hierarchy contain configuration sections, which are structured
XML elements that describe configuration settings for specific IIS features. Unlike the property/ value model used by the metabase, the structured XML nature of the IIS 7.0 configuration sections helps the configuration become cleaner and easier to understand. This makes configuration self-explanatory, and you can easily edit it by hand. For example, the application developer can place the following configuration in a web.config file located in the root of the Web site to enable the IIS default document feature and configure a specific default document to be used.

Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

69

Because the IIS 7.0 configuration system uses the same web.config files as the ASP.NET configuration system, your application can provide both ASP.NET and IIS configuration settings side by side in the same file. Because this file travels with your application content, it enables the application to be deployed to an IIS server simply by copying its contents, without having to modify any central configuration.
At the same time, the server administrator can place server-level IIS configuration, such as the
Web site and Application pool definitions, in the server-level applicationHost.config file. This file can also contain the default configuration for other IIS sections, which are by default inherited by all Web sites on the server. Unlike the Web site’s web.config files, which may be accessible to the Web site or application administrator, applicationHost.config is accessible only to the server administrator. Using the configuration-locking mechanisms that the configuration system provides, the administrator can specify which configuration can be modified by applications through the use of distributed web.config files.
All in all, the new configuration file hierarchy offers a lot more flexibility than the IIS 6.0 metabase and enables key deployment and management scenarios. Next, we will look at how the configuration file hierarchy works and the syntax of configuration sections.

Configuration File Hierarchy
The metabase in previous versions of IIS was comprised of a single configuration file, Metabase.xml, that contained a URL-centric configuration tree. Nodes of that tree corresponded to URLs on the server, and each node contained a set of properties that specified the configuration for that URL along with properties inherited from parent nodes. If you are familiar with the IIS 6.0 metabase, you may remember that these nodes are addressed via paths that look something like “LM\W3SVC\1\ROOT”, which translates to “the root of the
Web site with ID of 1.”
In IIS 7.0, configuration file hierarchy includes multiple configuration files. Instead of encoding the entire URL hierarchy in a single file, the configuration file hierarchy maps to the URL hierarchy. Each file defines configuration that is implicitly associated with a specific URL level based on the position of this file in the configuration hierarchy. For example, applicationHost.config contains global settings applying to all sites on the server, and web.config, contained in the Web site root, is site-specific—and when contained in an application directory, it is directory-specific. Web.config typically maps to a URL such as http://www.contoso.com/ appfolder. Note that the use of web.config to contain distributed configuration information is optional (but enabled by default for certain settings). ApplicationHost.config can and often does contain site- and application-specific settings. There are other configuration files involved with IIS 7.0 that we will discuss later in the chapter, but for the sake of simplicity, we’ll focus on the files used to configure sites and applications, as listed in Table 4-1.
Download at Boykma.Com

70

Part I:

Foundation

Table 4-1

IIS 7.0 Configuration Files

File

Location

Configuration Path

machine.config

%windir%\Microsoft
.NET\Framework \
\config

MACHINE

root web.config

%windir%\Microsoft
.NET\Framework \
\config

MACHINE/WEBROOT

applicationHost.config

%windir%\system32\ inetsrv\config MACHINE/WEBROOT/APPHOST

distributed web.config files Web site directory structure MACHINE/WEBROOT/APPHOST
//

Just like the metabase, the IIS 7.0 configuration system uses a configuration path to describe the level in the configuration hierarchy where a particular configuration setting is set. This level corresponds both to the URL namespace at which the configuration is effective and a configuration path used in commands (such as when using Appcmd) to reference the correct configuration store. In this way, the IIS 7.0 configuration file hierarchy maps to the URL namespace and can correspond to an actual configuration file where this configuration is set.
When the configuration system retrieves configuration for a specific configuration path, it merges the contents of each configuration file corresponding to each segment of the path, building an effective configuration set for that path. This works well with the ability to specify distributed web.config files inside the Web site’s directory structure, which may enable any part of the Web site to set specific configuration for its URL namespace simply by including it in a web.config file in the corresponding directory.
In this system, the configuration path for a particular URL becomes MACHINE/WEBROOT/
APPHOST//, where the is the name of the site and the is the URL’s virtual path. When reading configuration for this path, the server will merge the configuration in machine.config, root web.config, applicationHost.config, and all distributed web.config files that exist in the physical directories corresponding to each segment of the virtual path, starting with the site’s root.
Important The root web.config corresponding to WEBROOT in the configuration system is the one located in %windir%\Microsoft .NET\Framework \\config. This is not the same as a web.config file that can placed in a Web site’s home directory, which is often referred to as the web root. In the first case, we are talking about web.config used by .NET that is the parent, or root of all Web site web.config files. In the latter case, we’re talking about the web.config found in a Web site’s home folder. The web.config in the Web site’s home folder will inherit configuration settings found in the .NET root web.config.

Server-level configuration for IIS features is stored in the applicationHost.config file. This file stores configuration for sections that only make sense globally on the server, as well as
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

71

configuration defaults for other sections that are inherited by all URLs on the server unless another file lower in the configuration hierarchy overrides them.
For example, if you wanted to configure the server to disable directory browsing by default, you would put that configuration in the applicationHost.config file. Then, if you wanted to allow directory browsing for the /App1 application in the default Web site, you would place a web.config file containing configuration that enables directory browsing in the physical directory root of the /App1 application. When a request is made to the root of the default
Web site, the server will read configuration for the “MACHINE/WEBROOT/APPHOST/
Default Web Site/” path and apply the inherited configuration from applicationHost.config that disables the directory browsing. However, when an HTTP request is made to the /App1 application, the server will read configuration for “MACHINE/WEBROOT/APPHOST/Default
Web Site/App1/”, which merges the configuration set by the application’s web.config and enables directory browsing for that URL.

machine.config and root web.config
Even though machine.config and the root.web.config are .NET Framework configuration files, they are read and mapped in by the IIS configuration system. This allows IIS 7.0 to share its configuration with ASP.NET in site and application web.config files, consume .NET modules in the managed pipeline, and integrate .NET configuration that is enabled in the IIS Manager.
As previously mentioned, machine.config contains machine-wide .NET Framework configuration settings loaded by all .NET applications on the machine, and root web.config contains
ASP.NET-specific configuration settings loaded by all ASP.NET applications. These files are modifiable only by machine administrators.
These files are located in the %windir%\Microsoft .NET\.NET Framework \\config, where the is determined by the managedRuntimeVersion setting for the application pool within which the configuration is being read. This way, IIS application pools that are set to use different versions of the .NET Framework automatically include the configuration files for the right .NET Framework version. Note that as in IIS 6.0, an application pool cannot host more than one version of the .NET Framework.

applicationHost.config
The main IIS configuration file is applicationHost.config, which is located in the %windir%\ system32\ inetsrv\config directory. It is modifiable only by machine administrators.
ApplicationHost.config contains configuration sections and settings that only make sense globally on the server. For example, it contains site, application, and virtual directory definitions in the section and the application pool definitions for the section.
Other global sections include the configuration section, which contains a list of native modules that are loaded by all IIS worker processes, and the section that lists enabled compression schemes and content types that can be compressed.
Download at Boykma.Com

72

Part I:

Foundation

These sections cannot be overridden at lower levels, and the server only reads them at the
MACHINE/WEBROOT/APPHOST level.
ApplicationHost.config also stores all of the default settings for IIS configuration sections, which are inherited by all other URLs unless another configuration file lower in the configuration hierarchy overrides them. In fact, if you examine the contents of applicationHost.config, you will see that it declares all IIS configuration sections.





You may notice that these section definitions include an element named allowDefinition that is set in our example to “AppHostOnly”. The allowDefinition settings assign a scope to the section that limits where the section can be used. In this case, the Sites section can only be used in applicationHost.config and is not legal in any other location. It is strongly recommended that you do not edit the allowDefinition settings from the defaults.
Finally, this file also contains information about which configuration sections are allowed to be overridden by lower configuration levels, and which are not. Child override is controlled by the overrideModeDefault attribute in the example just provided of the configuration sections declarations. The server administrator can use this attribute to control the delegation of IIS features to the site administrators. We will review controlling section delegation in the
Delegating Configuration section of this chapter.

Distributed web.config Files
The IIS 7.0 configuration hierarchy enables the site directory structure to contain web.config configuration files. These files can specify new configuration settings or override configuration settings set at the server level for the URL namespace corresponding to the directory where they are located (assuming the configuration sections used are unlocked by the administrator). Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

73

This is the foundation for the delegated configuration scenario, which enables applications to specify required IIS settings together with their content, and which makes simple xcopy deployment possible.
Finally, because the ASP.NET configuration system also reads these files, they can contain both IIS and ASP.NET configuration settings.

redirection.config
You will also find redirection.config located in the %windir%\system32\ inetsrv\config directory, and it is used to store configuration settings for Shared Configuration. It is not part of the IIS 7.0 configuration hierarchy, but the configuration system uses it to set up redirection for the applicationHost.config file.
When in use, it specifies the location and access details required for IIS 7.0 to load applicationHost.config from a remote network location, instead of the local inetsrv\config directory. This enables multiple IIS 7.0 servers to share a central configuration file for ease of management.
You can learn more about shared configuration in the “Sharing Configuration Between
Servers” section of this chapter.

administration.config
The IIS Manager tool uses administration.config (also not part of the IIS 7.0 configuration hierarchy) exclusively to specify its own configuration. It is also located in the
%windir%\system32\ inetsrv\config directory.
Among other things, administration.config contains the list of IIS Manager extensions that the tool loads. These extensions provide the features you see in the IIS Manager. Like IIS, the
IIS Manager is fully extensible. You can learn more about the extensibility model provided by
IIS Manager and how its extensions are configured in Chapter 12, “Managing Web Server
Modules.”

Temporary Application Pool .config Files
One of the new IIS 7.0 features is enhanced Application Pool Isolation. At run time, IIS 7.0 reads applicationHost.config configuration and generates filtered copies of it for each application pool, writing them to:
%systemdrive%\inetpub\temp\appPools\.config

The filtered configuration files contain only the application pool definitions for the current application pool (other application pool definitions that may contain custom application pool identities are filtered out). Also removed are all site definitions and site-specific configuration specified in location tags for sites that do not have applications in the current application pool. Download at Boykma.Com

74

Part I:

Foundation

The temporary configuration file created for each application pool is protected in such a way that only the application pool for which it is created can read the file. This ensures that no worker process (application pool) can read the configuration settings for any other worker process. The application pool configuration files are not intended to be used for updates, and neither administrators nor developers should edit them directly or indirectly. Their use is completely transparent, but it is part of the configuration system, so we thought it should be called out here. For more details, see Chapter 14, “Implementing Security Strategies.”

Configuration File Syntax
Each configuration file uses special XML elements called configuration sections to specify configuration information. A configuration section is the basic unit of configuration, typically defining the behavior of a specific part or feature in the Web server.
Here is an example of a configuration file that specifies multiple configuration sections:

As you can see, this is a well-formed XML file, with a mandatory root element that contains multiple subelements. These subelements are either configuration section elements directly, or section group elements such as . Section groups do not define any settings, they simply group related section elements together. For example, all of the IIS Web server features are under the section group. Sections are the elements, shown in bold, that contain specific configuration settings.
The configuration section elements each follow a specific structure defined by their schema, which controls what attributes and child elements are allowed inside the section, the type of data they can contain, and various other configuration syntax restrictions. The schema
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

75

information is provided inside configuration schema files registered with the IIS 7.0 configuration system. Unlike the ASP.NET configuration system, which uses code to define the structure of its configuration, the IIS 7.0 configuration system is based entirely on declarative schema information. We will examine this schema mechanism a little later in the chapter.
In addition to section groups and configuration sections themselves, configuration files can also contain section declarations and location tags. Section declarations are necessary to declare a particular section before it can be used, and they also indicate what section group the section belongs to. Location tags enable configuration to be scoped to a specific configuration path, rather than to the entire namespace to which the current configuration file corresponds.

Direct from the Source: Working Around Limits on web.config
File Size
By default, the IIS 7.0 configuration system enforces a limit of 100 KB on the file size of web.config files. This is for security purposes, to avoid possible denial-of-service attacks on the server by providing very large configuration files.
In most cases, this size should be sufficient for most situations, but what if your configuration file is bigger than 100 KB? This can happen for applications that use web.config files extensively to store custom configuration. To allow these larger files, you can override the maximum limit by adding a registry key. Create the following key.
HKLM\Software\Microsoft\InetStp\Configuration

Then create a DWORD value.
MaxWebConfigFileSizeInKB

Set this value to the file size in kilobytes (make sure you select Decimal when entering the value) to set this as a new machine-wide limit on web.config file size.

Section Declarations
Each section that is used in a configuration file contains a section declaration in applicationHost.config. Section declarations are generally created during the installation of the feature and do not typically need to be added manually. For example, following is an excerpt from the applicationHost.config configuration file that declares all IIS configuration sections.

Download at Boykma.Com

76

Part I:

Foundation

This fragment defines a number of IIS configuration sections, including the global and sections read by WAS, and various sections for Web server features, including and . You’ll also notice that these sections are nested within the appropriate section groups. Section declarations can specify a number of properties that control where the section is available, including allowDefinition, which determines at which level in the configuration hierarchy the section can be used, and overrideModeDefault, which determines if lower configuration levels can use the section by default. After the section is declared, it can be used in the current configuration file or anywhere lower in the configuration file hierarchy, meaning it does not need to be re-declared in configuration files below (re-declaring this section will actually result in a configuration error). In fact, all IIS configuration sections are declared in applicationHost.config and therefore are available in any Web site web.config configuration file. The allowDefinition and overrideModeDefault attributes control the actual ability to use this configuration section in the lower levels.

Section Groups
You use section group elements to group related configuration sections together. When you declare each section, it specifies which section group it belongs to by placing its element within the corresponding element. This implicitly declares the section group itself. Section groups cannot define any attributes and therefore do not carry any configuration information of their own. Section groups can be nested within one another, but sections cannot. Think of section groups as a namespace qualification for sections.
When specifying the configuration section, you must place it inside the section group element according to the declaration. For example, when providing configuration for the section, which is declared in the / section group, the configuration section must be nested in the corresponding section group elements as follows.

Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

77

Table 4-2 lists most of the section groups you will find in the IIS 7.0 configuration system by default, what configuration they contain, and where they are declared.
Table 4-2

Section Groups

Section Group

Description

Declared In

system.applicationHost

Contains global protocol-neutral IIS configuration used by the Windows
Process Activation Service, including
, ,
, and more

applicationHost.config

system.webServer

Contains all configuration for the IIS applicationHost.config Web server engine and features, including , ,
, ,
, and dozens more; also contains several child section groups

system.webServer /security Contains security-related Web server configuration, including
, , and more

applicationHost.config

system.webServer /security Contains configuration for all applicationHost.config /authentication authentication Web server features, including ,
, and more system.webServer /tracing

Contains configuration for tracing
Web server features, including and

applicationHost.config

system.web

Contains all ASP.NET configuration

Framework machine.config

Not listed in Table 4-2, for the sake of brevity, are section groups declared in .NET’s machine.config. These sections control various aspects of the .NET Framework behavior, including system.net, system.xml.serialization, and others.

Sections
The configuration section is the focus of the IIS 7.0 configuration system, because it is the basic unit of configuration. Each configuration section has a specific structure defined by its schema, containing specific attributes, elements, and collections of elements necessary to express the required configuration for the corresponding IIS feature.
A configuration section may contain 0 or more of the elements (depending on the schema) shown in Table 4-3.

Download at Boykma.Com

78

Part I:

Foundation

Table 4-3

Configuration Section Elements

Element

Description

Attributes

A named XML attribute, using a type specified in the schema. Supported types include int, string, timespan, enumerations, and others. Attributes may have associated validation rules, which restrict the allowed values.
They may also have additional metadata such as default values, or they may specify whether or not the attribute must be specified when the section is used.

Child elements

Child XML elements, which in turn can contain attributes and other child elements. Collections

A collection is a child element that can contain a list of other child elements (typically , , and ) that can be used to create lists of configuration items. Collection elements have metadata associated with them that define their behavior, including what attributes serve as collection item keys, the order in which collection items are added when collections are merged between configuration files, and more.

Most configuration sections specify default values for all of the attributes in their schema.
This becomes the default configuration for that section if it’s not defined in any configuration file (by default, collections are always empty). Each configuration file can specify the section element to explicitly set the value of one or more attributes, or modify the collections in the section. The section can be specified at multiple configuration files, in which case when the configuration system retrieves the contents of this section for a particular configuration path, it merges the contents of all instances of this section. Merging attributes overrides the values specified in the configuration levels above, and merging collections adds/removes/clears items in collections based on the usage of collection elements.
For example, here are the contents of a web.config file that you could place in the root of a
PHP application. The contents contain the configuration for the section and enable the index.php page to serve as a default document.

This configuration overrides the global enabled attribute set in applicationHost.config or a higher order web.config, setting its value to “true”. It also adds a new item to the collection to enable “index.php” to serve as a default document. If configuration files earlier in the hierarchy defined other default document types in the collection, then the effective collection for your application would contain those items plus the item we just added at our scope. Likewise, if the parent configuration files disabled the default document feature by setting its enabled attribute to “false”, our configuration will override that value for the application.
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

79

The section titled “Editing Configuration” later in this chapter discusses setting configuration by specifying configuration sections.

Configuration Section Schema
All IIS configuration sections are defined in the IIS_Schema.xml file located in a schema file in the %windir%\system32\inetsrv\config\schema directory. To learn more about the syntax of each configuration section, you can review its schema. For example, here is an excerpt from the schema definition for the configuration section.

The schema contains the definitions for the “enabled” attribute and the collection that we used earlier to set default document configuration. As you can see, the schema contains more information than just the structure of the configuration section—it also contains various metadata about the format and behavior of attributes and collections, including the types for attributes and which attributes serve as unique keys for collections. The section is a fairly simple section, so it doesn’t fully illustrate the flexibility of section schema information, but it is a good example of how you can use the schema information to define configuration sections and control their behavior.
Note When working with IIS configuration, you will likely never have to work with section schema. However, it is useful to know where the schema information is located if you need a reference for the structure and semantics of IIS configuration sections. You should never attempt to modify the IIS schema files. However, if you are developing new IIS features, you can publish custom configuration schema files into the inetsrv\config\schema directory in order to use new configuration sections with the IIS configuration system.

In the schema directory, you will also find the FX_schema.xml and ASPNET_schema.xml files, which contain the schema definitions for .NET Framework and ASP.NET configuration sections respectively.
The IIS 7.0 configuration system is fully extensible. Custom configuration sections registered with the IIS 7.0 configuration schema will have their own schema files published in the schema directory.

Download at Boykma.Com

80

Part I:

Foundation

Location Tags
By default, configuration specified in a particular configuration file applies to the entire URL namespace corresponding to that file. For example, configuration set in applicationHost.config applies to the entire server, and configuration set in the site’s root web.config file applies to the entire site (unless overridden by more specific web.config files). This works most of the time. However, in some cases it is necessary to apply configuration to a specific subset of the URL namespace, or to a specific URL. Location tags are the mechanism that enables this by specifying a configuration path for which all configuration specified within a location tag applies.
Here is an example of using a location tag to scope configuration to a specific Web site.

This location tag, when specified in applicationHost.config, applies the configuration section to the “MACHINE/WEBHOST/APPHOST/Default Web Site/” configuration path. You can find Location tags in use with three common scenarios in IIS 7.0:
1. Defining site-specific directory or file configuration in applicationHost.config. This is necessary to apply specific configuration for a content in a Web site without defining it in the site’s web.config. For example, this is the technique commonly used by shared hosting servers to set site-specific configuration without giving the site administrators control over that configuration. When making changes to configuration in the IIS
Manager or one of the programmatic interfaces, if a setting is not delegated, it is written to applicationHost.config by using location tags.
2. Locking or unlocking a specific configuration section for a particular configuration path. By placing a configuration section inside the location tag for a particular path, you can use the overrideMode attribute on the location tag to lock or unlock this configuration section for that path. For example, this is necessary for configuration sections declared with overrideModeDefault = Deny so that you can allow delegated configuration in web.config files.
3. Specifying configuration for a specific nonphysical URL. If you need to apply specific configuration to a URL that does not correspond to a physical directory (a file or a virtual
URL), it’s necessary to define it using a location tag inside a physical parent directory.
You can use a location tag to keep all of the configuration for a site or application in a single web.config file, instead of placing pieces of it in many different web.config files in various subdirectories.
We will discuss using location tags in more detail later in this chapter.
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

81

The IIS 7.0 Configuration System and the IIS 6.0 Metabase
So far, we’ve been discussing in some detail the contents and mechanics of the configuration system, but we should back up a bit and discuss applicationHost.config itself rather than its contents.

Differences Between the IIS 7.0 Configuration System and the IIS 6.0
Metabase
The IIS 6.0 configuration store is Metabase.xml and is stored in %windir%\system32\inetsrv.
For IIS 7.0, Metabase.xml is transformed into applicationHost.config located in
%windir%\system32\inetsrv\config.
Why did the IIS team invest such time and effort in a wholesale change to the structure and mechanics of the configuration system? Primarily to make a quantum leap in performance, scale, and manageability. The IIS 6.0 configuration system is based on a system conceived and implemented with IIS 4.0 that was part of Windows NT. It was time to rebuild with a new set of design criteria.
The resulting system is quite a bit more complex because it is very ambitious. Yet at the same time, it is more manageable, scalable, and flexible. Table 4-4 compares some of the key differences between the IIS 6.0 metabase and the IIS 7.0 configuration files.
Table 4-4

Metabase.xml Comparison to IIS 7.0 Configuration System
IIS 7.0 Configuration
IIS 6.0 Metabase.xml System

Why This Matters

Delegated configuration Not possible—all configuration is centrally stored and requires Administrative privileges to change

Enables both administrator-controlled configuration in applicationHost.config and delegated configuration in web.config files

Administrators can delegate configuration tasks to application owners; applications can be xcopy-deployed with all of their configuration

Structural organization Properties are not grouped Provides a hierarchy of section groups, sections, elements, and subelements

Easy to read, search, and manage; enables use of shorter element name because each item is logically grouped in a section rather than in a flat listing

Simplified description of properties with multiple values

Uses multi-sz key types and bit masks to handle multiple element values such as NT AuthenticationProviders

Uses collections with
Easier to read, edit, and simple add/remove/clear query settings that can syntax based on .NET have multiple values
Framework configuration syntax and usage

Feature

Download at Boykma.Com

82

Part I:

Foundation

Table 4-4

Metabase.xml Comparison to IIS 7.0 Configuration System

Feature
Memory vs. file-based configuration

IIS 7.0 Configuration
IIS 6.0 Metabase.xml System
Metabase is a memory construct that is written to
Metabase.xml;
synchronization issues can occur

Configuration is file-based; configuration writes are persisted directly to the configuration files

Schema extensibilty Difficult to extend for Based on IIS_Schema.xml; use with custom apps; schema easily extended inhibits innovation with XML snippets from the community

Why This Matters
IIS configuration is always fully represented in .config files

Enables application developers to easily integrate application settings into IIS 7.0

IIS 6.0 Metabase Compatibility
Despite the complete overhaul of the configuration system, IIS 7.0 continues to maintain backward compatibility with existing configuration scripts and tools that target the metabase for configuring the server.
This is accomplished by providing a metabase emulation layer that enables the metabase
APIs, exposed through the Active Base Objects (ABO) interfaces on which all other metabase tools and scripting APIs are based. The metabase emulation layer, called the ABO Mapper, provides immediate translation of the metabase configuration structure and actions triggered by callers to the new configuration system. This maps all writes and reads to the metabase to the corresponding IIS 7.0 configuration.
This service performance is transparent to the caller so that the existing installers, configuration scripts, and tools continue to work as if they were working on IIS 6.0. The ABO Mapper makes a best-effort attempt to map all IIS 6.0 metabase properties to the corresponding IIS 7.0 configuration properties that have a known mapping. In the end, virtually all metabase properties can be successfully mapped to the IIS 7.0 configuration, with rare exceptions.
Note You can find documentation that describes how IIS 6.0 metabase properties map to the new IIS 7.0 configuration schema at http://msdn2.microsoft.com/en-us/library/ aa347565.aspx. Metabase compatibility is not enabled by default, and you don’t need it if you are not running any legacy IIS 6.0 configuration scripts or using third-party installers that require ABO. If you are, though, you will need to install the IIS 6.0 Metabase Compatibility component from the
IIS/Metabase Compatibility category in the Turn Windows Features On And Off page of
Control Panel\Programs And Features on Windows Vista, or the IIS role in the Server
Manager tool on Windows Server 2008, as shown in Figure 4-2.

Download at Boykma.Com

Chapter 4:

Figure 4-2

Understanding the Configuration System

83

Installing IIS 6.0 Metabase Compatibility with Server Manager.

You can also chose to install the legacy IIS 6.0 configuration scripts from the IIS 6.0 Metabase
Compatibility category, which provides scripts such as adsutil.vbs and iisweb.vbs. However, we recommend that for your configuration scripts and programs, you start to use the new configuration tools and APIs that the IIS 7.0 configuration system provides.

IIS 7.0 and the .NET Configuration Systems
The .NET configuration files on IIS 7.0 (machine.config, root web.config, and application web.config) behave exactly the same as they do on IIS 6.0. In fact, the .NET configuration system isn’t really aware it’s running on IIS 7.0 and does not read any of the IIS 7.0 configuration settings. However, IIS 7.0 is very aware of .NET. The IIS 7.0 configuration hierarchy includes the server-level .NET configuration files, machine.config and root web.config
(in addition to applicationHost.config), but the .NET configuration system does not include
IIS configuration stored in applicationHost.config.
One of the primary benefits of this design is that IIS 7.0 configuration settings can be stored in the same distributed web.config configuration files as the ASP.NET configuration settings.
This enables applications to contain all of the configuration they need to run on the IIS platform in the web.config file, and it also enables simple xcopy deployment.
Download at Boykma.Com

84

Part I:

Foundation

From a developer perspective, it also enables managed modules developed for IIS 7.0 to access
.NET configuration by using IIS 7.0 Microsoft.Web.Administration and other .NET classes in the same way they can access IIS 7.0 configuration sections. Likewise, the IIS 7.0 configuration
APIs can be used to manage the .NET configuration sections in automated deployment and management scenarios.
In addition, the IIS Manager tool exposes a number of ASP.NET configuration features. For example, you can configure database connection strings in the IIS Manager instead of having to open up the .config file. IIS Manager also enables you to manage users and roles by using the .NET role and membership providers. This is very useful for managing user information for features such as forms authentication and storing IIS Manager users. You can learn more about IIS Manager support for ASP.NET features in Chapter 6, “Using IIS Manager.”
The unification of the .NET and IIS 7.0 configuration hierarchies does pose a few issues that stem from the fact that the two configuration systems have completely separate implementations, yet they work with the same configuration hierarchy and configuration sections. The fact that the ASP.NET configuration system does not read IIS 7.0 configuration sections eliminates a lot of potential problems with the differences in behavior. However, some problems do still exist.
One of the key limitations stems from the difference in encryption support between the two configuration systems. The .NET configuration files may contain user names and passwords that the developer can encrypt. This way, when you view the .config file, you see an encrypted secret rather than plain text. The problem arises because IIS 7.0 and the .NET configuration system use different methods for encrypting secrets. The .NET configuration system supports section-level encryption, which encrypts the entire contents of the configuration section. The
IIS 7.0 configuration system supports only attribute-level encryption, which encrypts specific attributes. Because of this, if you attempt to read an encrypted ASP.NET configuration section through the IIS 7.0 configuration system or any of the APIs that use it, you will receive an error. For example, this will happen if you encrypt any of the configuration sections that the
IIS Manager uses to administer ASP.NET functionality. Likewise, you cannot encrypt ASP.NET configuration sections with IIS 7.0 configuration encryption because ASP.NET will fail to read their contents. For more details on this issue and how to solve it, see Chapter 14. Another limitation stems from the lack of a versioning mechanism for the .NET configuration schema files provided by the IIS 7.0 configuration system. As of this writing, the IIS 7.0 configuration system provides schema files only for the .NET Framework 2.0 configuration, and therefore
IIS 7.0 might experience problems when writing configuration to configuration files for .NET
Framework 1.1 or future versions of the .NET Framework. Moreover, some of the tools in the
IIS 7.0 configuration stack, including Appcmd.exe, can’t write to .NET Framework configuration files for versions other then 2.0. Future versions of IIS may address this problem.
The use of IIS 7.0 configuration in ASP.NET web.config files may also create a problem for
ASP.NET applications that are using .NET Framework 1.1. This is because the ASP.NET configuration system is not aware of the IIS 7.0 configuration sections located in the
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

85

section group (or any custom configuration sections you create using the IIS 7.0 section extensibility mechanism), and the configuration system will generate an error when it encounters these sections in web.config files. ASP.NET 2.0 includes a special configuration declaration in machine.config that maps to a special configuration section handler type that ignores the sections when they are found.

However, ASP.NET 1.1 does not include this special configuration declaration because
ASP.NET was released long before IIS 7.0 development began. Therefore, you may need to manually add this section declaration for and other custom IIS 7.0 sections/section groups so that you can use them in web.config files.

Editing Configuration
The IIS 7.0 configuration system provides a lot of flexibility for editing server configuration.
Because the configuration is stored in plain-text XML files and uses a well-structured, humanreadable syntax, you can edit it manually using Notepad or your favorite text editor. In fact, many people prefer this approach when editing configuration for distributed web.config files located within the site’s directory structure.
In addition to enabling configuration to be edited by hand, IIS 7.0 provides a complete administration stack that offers tools and APIs for editing configuration. This includes the IIS
Manager, a completely redesigned GUI task-based experience for managing most of the IIS 7.0 configuration. It also includes the Appcmd command line tool, which you can use to edit configuration quickly from the command line. Finally, it includes several administrative scripts and APIs for editing configuration programmatically, including the IIS 7.0 configuration COM objects that can be accessed from native C++ programs (called the Application Host
Administration objects or AHADMIN) and Windows scripts, a WMI provider, and new
Microsoft.Web.Administration APIs for managing configuration from .NET programs.
Note

Where possible, use tools to manipulate IIS 7.0 configuration instead of changing configuration by hand. This is much easier and provides protection against generating incorrect configuration.

In fact, you should choose to use tools to edit the configuration on the server, because doing so ensures that you are interacting correctly with the underlying complexity of the configuration system and guarantees that the configuration is written using the correct syntax. The IIS Manager is a great way to do this, because it provides a simplified task-based view of many IIS 7.0 features, so you don’t need to understand their configuration structure.
You can read about managing IIS 7.0 with the IIS Manager in Chapter 6.

Download at Boykma.Com

86

Part I:

Foundation

However, there are times when you need to specify configuration by hand or use one of the lower-level tools like Appcmd or programmatic interfaces like the Microsoft.Web.Administration namespace provided in .NET. In this case, you do need to understand the structure of configuration sections and inheritance behavior of the configuration hierarchy in order to do this correctly. In the remainder of this section, we will discuss the basics of editing IIS 7.0 configuration that will help you to do it correctly.
Note

Use Appcmd to edit configuration in situations in which IIS Manager does not expose the desired configuration functionality. Appcmd can perform most configuration tasks you can do by hand, and it offers the benefit of additional validation. It also allows you to perform configuration tasks in an automated fashion on other machines if needed. For more information on using Appcmd, see Chapter 7, “Using Command Line Tools.”

Caution Before modifying configuration, always make sure you have a backup of the current state so you can come back to it if necessary. See the section titled “Backing Up Configuration” later in this chapter for more information on how to easily back up and restore IIS configuration.

Deciding Where to Place Configuration
Earlier in the chapter, I described the IIS 7.0 configuration hierarchy. This hierarchy contains multiple configuration files, comprising the .NET configuration files, applicationHost.config, and distributed web.config files in your site directory structure. This hierarchy allows you to map configuration to a URL namespace on your server by placing it in the right configuration file. When the server reads configuration for a particular Web site or URL, it merges all configuration files along the configuration path, merging the configuration specified in them to achieve the effective set of configuration for a given path.
Because of the configuration merging, configuration specified at a higher configuration path always inherits to all child paths, unless it is overridden lower down. For example, configuration specified in applicationHost.config is inherited by all sites and URLs on the server, unless it is overridden in their respective web.config files.
Table 4-5 indicates where you may chose to place configuration in order to apply it to the desired scope.
Table 4-5

Placement of Configuration

Configuration For

Place In

Entire server

applicationHost.config

A specific site

web.config in the site’s physical root directory

A specific application

web.config in the application’s physical root directory

A specific virtual directory

web.config in the virtual directory’s physical root

A specific URL

If the URL corresponds to a physical directory, in web.config in that directory; otherwise, in any existing parent web.config file with a location tag for the specific URL

Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

87

When specifying configuration at a specific site or URL, you always have a choice of specifying configuration in a distributed web.config file corresponding to the URL or placing it in a configuration file higher in the hierarchy (for example, applicationHost.config) and applying it to the specific URL by using location tags. Both have advantages and disadvantages you need to consider.
Using location tags can allow you to place all configuration in a single location, instead of multiple web.config configuration files which may be harder to discover and manage. Also, if configuration is locked at a particular configuration path (for example, configuration that should only be set by server administrators is typically locked in applicationHost.config), you are forced to use location tags at that path in order to apply configuration to child paths.
However, placing configuration in distributed web.config files allows the site/application/ directory to become portable and xcopy-deployed to other servers or places in the site structure without having to set any configuration elsewhere or requiring administrative privileges on the server. This is a very powerful ability.
Finally, a note about configuration delegation—not all configuration sections are allowed to be specified in distributed web.config files by default. It is up to the server administrator to decide which configuration sections are delegated and to unlock them in applicationHost.config. This may impact your ability to run applications that specify configuration in distributed web.config files, generating errors if locked configuration is specified. We will discuss managing configuration delegation in the section titled “Delegating Configuration” later in this chapter.

Setting Configuration
To set configuration, you need to know three things: the name of the section that contains the desired configuration settings, the desired property of that section, and the configuration path at which you want to set this setting to apply (as we discussed in the previous section).
You will typically know the first two from the documentation of the feature you are attempting to configure. For more information about what configuration sections are available and their format, you can consult the schema files in the %windir%\system32\inetsrv\config\schema directory. When you know this information, you can specify the corresponding section element in the configuration file.

Note the element—this must always be the root element of any configuration file. Also, notice the element—this is the section group element for the section (and all other IIS 7.0 configuration settings) that is being configured.
Download at Boykma.Com

88

Part I:

Foundation

Configuration sections contain the properties that you intend to configure, such as defaultDocument, but you need to do more than just provide a name. You turn the default document feature on and off and provide the list of default documents using attributes or collection elements contained inside the section.

Setting Section Attributes
The majority of configuration settings are expressed via attributes, which may either be exposed on the collection element itself or in one of the child elements of the collection.
To specify a value for the attribute, you simply need to set the value of that attribute. This effectively overrides any default value or value previously set to this attribute in earlier configuration paths. Following is an example of setting the enabled value on the section.

Each attribute has a specific type and may have additional validation rules associated with it in the schema definition of the section. Likewise, attributes may be given default values that are taken on by them if they are not explicitly set in configuration. This will be documented for each section to assist you in setting their values.

Manipulating Configuration Collections
In addition to attributes, configuration sections can also contain collections. Collections allow lists of items to be represented in configuration, and they support additional behaviors such as adding or removing elements in multiple configuration levels and preventing duplicate items from being added.
Collections are typically configured through three different operations: adding collection elements, removing collection elements, and clearing the collection.
Adding Items to a Collection with To add items to a collection, you typically use the element and specify the desired attribute values inside of it. For example, following is an excerpt from the collection of the section specified in applicationHost.config after installation.



In this case, elements in the collection only support a single attribute called “value”.
However, collection elements are not limited to a single attribute—they can define any number
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

89

of attributes, child elements, or even subcollections. In fact, each collection element has the same schema flexibility as any other configuration element or the section itself. Following is an example from the section.

The section is a collection of elements (notice that it uses as the name for its element—this is a capability provided by the IIS configuration schema that some sections take advantage of for readability). Each element in turn is a collection of elements, which in turn contain a collection of elements.
Each element also has a child element, which itself is a collection of site bindings. You can find a detailed description of the new site, application, and virtual directory structure in Chapter 9, “Managing Web Sites.”
Luckily, the section is the most complicated section on the entire IIS 7.0 configuration schema, and most other sections are a lot simpler.
Most collections enforce item uniqueness to prevent duplicate items from being added. This is done by marking one or more of the attributes allowed on the collection elements as the collection key. If an item with a duplicate key is specified, the collection will trigger a configuration error when accessed.
When you add collection elements at a particular configuration level, they add to the existing elements that were inherited from a parent level. For example, the section can use this to specify a base set of default documents in applicationHost.config and then add specific default documents at the site or virtual directory levels.
The ordering of collection items inside a collection is determined by the order in which they are added. When collection items are inherited from the parent configuration levels, they are placed before the collection items specified at the current level. This is true for most collections, except for collections that elect to have a prepend order—these collections place the elements declared at the current level before elements inherited from parent levels. These include the IIS and the ASP.NET sections.
Removing Items from a Collection with Because of the collection inheritance, it is sometimes necessary to remove elements that are declared at a higher configuration level.
For example, you may want to remove a specific module from the configuration
Download at Boykma.Com

90

Part I:

Foundation

collection for a specific application if you do not need this module to run. For more about managing modules, see Chapter 12.
Note If you are removing a collection element that is added at the current configuration level, you can simply delete the corresponding element. Use to remove the elements that are specified by parent configuration levels.

To do this, you can use the element. Each remove element specifies the attributes that together comprise the collection key to uniquely identify the element that is to be removed. For example, following is the configuration you can use to remove “Default.asp” from the collection of the section.

Clearing the Collection with Sometimes you may want to completely clear the collection items that are defined by the parent configuration levels and specify only the items that are required. This is often done whenever the current configuration level has to have complete control over the contents of the collection and cannot inherit parent items.
This is accomplished with the element. The element removes all of the inherited collection items, leaving only the items that are added at the current level after the element. The following example clears the default document collection and adds back a single element to make sure that only Default.aspx is treated as a default document.

Important

Be careful when using the element, however, because it completely stops the inheritance of parent collection items to the current configuration level or its children. This means that if the administrator adds new collection items at the server level, they will not be propagated to the current level. Therefore, use only when you want to take complete control over the contents of the collection.

Understanding Configuration Errors
In contrast to IIS 6.0, when editing configuration with tools like the IIS Manager and
Appcmd, or programmatically with APIs like Microsoft.Web.Administration, the underlying configuration system APIs will make sure that the resulting configuration is correct. This will
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

91

catch most attempts to produce incorrect configuration, including using data of the wrong type for attribute values, attempting to set nonexisting attributes, or using data out of range of accepted values. It will even prevent you from adding a duplicate collection element or attempting to write configuration that has been locked at a parent configuration level. This is the reason why you should always prefer to use tools to write configuration, rather than doing it manually.
Note

Use tools to set configuration—this will catch most mistakes and prevent you from generating incorrect configuration.

However, there are times when you may still run into a situation in which configuration is incorrect. This is most likely if you edit configuration by hand and make a mistake in the section syntax or set attributes to unsupported values. However, it may also happen in other cases—for example, if an application that defines configuration is deployed to a server where some of the sections are locked at the server level, resulting in a lock violation.
Because of this, it is important to be able to understand various configuration error conditions, and be able to use the resulting configuration error information to resolve them.
Caution

Always back up configuration before making changes to it. You can learn more about backing up configuration in the section titled “Backing Up Configuration” later in this chapter. There are several types of configuration errors that are handled differently by the configuration system and have varying degrees of impact on IIS. Table 4-6 summarizes some of the common error conditions and the impact they have on the server.
Table 4-6

Common Error Conditions

Error

Impact
If Framework machine.config, root web.config, or IIS 7.0’s applicationHost.config: the entire server will be taken offline.
Otherwise: All URLs corresponding to the configuration file and below will return configuration errors.



If Framework machine.config, root web.config, or applicationHost.config: the entire server will be taken offline.



Configuration file cannot be accessed: The file is locked by another process, access denied, no network connectivity for UNC paths.





Configuration file is not valid XML

Otherwise: All URLs corresponding to the configuration file and below will return configuration errors.

Download at Boykma.Com

92

Part I:

Foundation

Table 4-6

Common Error Conditions

Error

Impact
If the error is in one of the system. applicationHost configuration sections that are read by WPAS, the server may be taken offline.
If the error is in one of the core Web server sections, all requests to the URLs affected by the errors will return configuration errors.



Attribute validation error: There is an invalid data type; value fails attribute validation rules.





Configuration section syntax error: The configuration section has unexpected elements or attributes, or it is missing required attributes.

Otherwise, requests that use features that read the configuration section will return configuration errors.

Same as above.

Collection validation error: There are duplicate Same as above. collection elements.
Lock violation: Specifying configuration for
Same as above. the section or attribute that is locked at a parent level. The key to understanding these error conditions is to understand how the configuration system handles errors. Errors that cause the entire configuration file to become unavailable, because it cannot be read or because it contains invalid XML (as shown in Figure 4-3), cause all attempts to read configuration from that file to fail. Because of this, all operations that require reading this file will fail—if this file is applicationHost.config, which is read by the
Windows Process Activation Service component of IIS that is responsible for managing IIS worker processes, the entire server will be taken offline. In this case, you will not be able to get a detailed request error describing the error condition, because the server will not be able to start any IIS worker processes to serve the request. In this case, the error information will be logged by WPAS to the System EventLog.
If the file is a distributed web.config file that corresponds to a particular URL namespace, that namespace will not be available. However, IIS worker processes will still be able to start and generate a detailed configuration request error that will describe the reason, and sometimes even the position in the file, where the error has occurred.
Finally, for all other errors in configuration sections that are not invalid XML, only accesses to the affected section will fail. If the error is in one of the system.applicationHost sections that are read by WPAS, including and , WPAS may again fail to start
IIS worker processes, resulting in the entire server being offline and errors being logged to the
System EventLog. If the error is in one of the core IIS configuration sections that are read on every request, which include , , and , all requests to the
URL namespace corresponding to the invalid configuration will return configuration errors.
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

93

These errors will contain the exact reason why the configuration access failed, including details such as the line number and the element or attribute in question that has incorrect configuration, as shown in Figure 4-4. You can use this information to quickly pinpoint the location of configuration syntax error and resolve it.

Figure 4-3

EventLog error from malformed XML in applicationHost.config.

Figure 4-4

IIS 7.0 configuration error message.

Download at Boykma.Com

94

Part I:

Foundation

Note

To see the detailed configuration error, you will need to either make a request locally on the server or enable detailed errors.

For all other sections, only requests that use features whose configuration has the error will trigger request errors. This also means that if you make a mistake in configuration for a feature that is not being used (for example, the module is disabled), no error will be given and invalid configuration will remain ignored.
Finally, if the error is in an ASP.NET configuration section, which is read by the ASP.NET using the .NET configuration system, you may get an ASP.NET exception error page containing the configuration error details.
Note To see the detailed ASP.NET configuration exception, you will need to either make a request locally on the server or enable ASP.NET detailed errors.

Managing Configuration
In the course of working with IIS configuration, you will need to perform a variety of management tasks in addition to editing the configuration itself. Notably, you will need to back up and restore configuration, in order to revert from unintended changes or recover from corrupted configuration files. This is especially critical because the ease of editing IIS XML configuration files also makes it easy to make undesired changes.
In fact, when working with IIS configuration, you should always insure that you make a backup that can be used to go back to the state before the changes. Luckily, IIS makes it very easy to do this.
In this section, we will review the management tasks around backing up and restoring IIS configuration. We will also discuss setting up shared configuration between multiple servers and setting up configuration delegation that enables some configuration to be set in distributed web.config configuration files.

Backing Up Configuration
Before making changes to IIS configuration files, you should back them up so that you can restore them later if your changes corrupt configuration or result in incorrect server operation.
The latter is a critical reason—the server may look like its working properly initially until a future time when problems are detected, at which point you may want to come back to the previous configuration state.
Typically, it is not necessary to make special arrangements to back up delegated configuration located in web.config inside your Web site structure, because those files are backed up
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

95

together with your site content (of course, you need to maintain backups of your site content for this to work).
However, if you make changes to the server-level configuration files, you should make a backup of server configuration. Thankfully, IIS 7.0 makes it easy to do that via the Appcmd command line tool.
From an administrative command prompt, type
%windir%\system32\inetsrv\ AppCmd Add Backup MyBackup
This creates a backup of IIS configuration files, including applicationHost.config, redirection.config, and administration.config, and custom schema files if there are any. The backup is created as a named directory under the %windir%\system32\inetsrv\backup directory, using the name you specified to the “Add Backup” command. This directory will contain the backed-up files.
Note

If you do not specify a backup name, Appcmd will automatically create a name using the current date and time.

You can list the backups made on your system by using the List Backups command.
%windir%\system32\inetsrv\AppCmd List Backups

Then, you can restore any of the listed backups by using the Restore Backup command.
%windir%\system32\inetsrv\AppCmd Restore Backup "MyBackup"

The restore command will restore all of the files in the backup folder, overwriting the current server configuration with those files. No confirmation prompt is given, so always consider backing up the current configuration first before restoring another set.
A note about configuration file security and encryption: the backup process simply copies the server configuration files to the inetsrv\backup directory, which by default is secured with the same NTFS permissions as the inetsrv\config directory, which contains the original files.
If the files contain encrypted configuration, those details will stay encrypted in the backed-up copies. No additional encryption is performed as part of the backup mechanism. Therefore, the files are only protected when they are in the backup directory and are not safe to place in an offline location without additional protection.

Using Configuration History
By default, IIS 7.0 via the AppHostSvc will check every two minutes to see if applicationHost.config has changed, and if so will make a backup of the file. You’ll find the backed-up configuration files in the Inetpub\history folder by default. You can change both the location
Download at Boykma.Com

96

Part I:

Foundation

of the backups as well as several other configurable parameters in the configuration section, as shown in Table 4-7.
Table 4-7

Attributes

Attribute

Default Setting

Definition

Enabled

True

This value indicates whether configuration history is enabled or disabled

Path

%systemdrive%\ inetpub\history The path where history directories will be created and stored maxHistories

10

The maximum number of directories retained by IIS 7.0

Period

00:02:00

The time between each check made for changes by IIS 7.0

If you do nothing at all, the values listed in Table 4-7 are preconfigured for you. To modify these values, you need to enter them into applicationHost.config, because the IIS Manager does not have a UI for configuring this section of applicationHost.config. You can use
Appcmd for this. For example, the following command will change the path for storing backups to %systemdrive%\MyWebHistory. Note that the path must exist first or the service will not work.
%windir%\system32\inetsrv\Appcmd set config /section:configHistory
"/path:%systemdrive%\MyWebHistory"

You can use the Appcmd Restore Backup command to restore any of the configuration history backups the same way you restore manual backups performed by the Appcmd Add
Backup command. You can list all of the available backups, including both manual and configuration history backups, by doing the following.
%windir%\system32\inetsrv\AppCmd List Backups

For more information about configHistory, see the article “Using IIS7 Configuration History” at http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Configuring-the-IIS7-Runtime/
Understanding-AppHost-Service/Using-IIS7-Configuration-History?Page=1.

Exporting and Importing Configuration
By default, IIS 7.0 configuration stores no secrets and therefore is not tied to a specific server as it was in previous versions. The reason for the IIS 6.0 metabase to be tied to a local server and protected is that by default it contains the passwords for the anonymous user and IWAM user. If these passwords were discovered, it is feasible they could be used to log on to the server. They were random and complex, which provided a high very high degree of security.
In IIS 7.0, the anonymous user (IUSR) is a “built-in” account rather than a local account, so it does not require a password. Don’t worry, even though there is no password, you can’t use this built-in account to log on to the server. There is no possibility that the IUSR account can

Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

97

be used to log on locally or remotely except through IIS. In addition, there is no IWAM account, since IIS5 application isolation mode is not part of IIS 7.0. Since there are no secrets by default in applicationHost.config, there is no need to key it to an individual server.
This means that you can take applicationHost.config from one server and copy it to another server provided you also synchronize the server encryption keys, presuming the target server has the same content and directory structure. This provides a simple mechanism for exporting and importing configuration between servers.
Note

To use the applicationHost.config file from one server on another server, you do need to make sure the servers use the same configuration encryption keys. This is because applicationHost.config contains encryption session keys that are themselves encrypted using the server’s RSA configuration key. You can learn more about exporting and importing server encryption keys in the section titled “Sharing Configuration Between Servers” later in this chapter. In the case in which your configuration files do contain encrypted information, such as application pool identities, the configuration files are tied to the specific server on which the encryption information is generated. You can, however, export and import the configuration keys in order to allow multiple servers to share the same encrypted configuration—in fact, this is one of the requirements for the shared configuration feature supported by IIS 7.0. You can learn more about setting up shared configuration later in this chapter. You can also find an in-depth discussion of configuration encryption in Chapter 14.
Unlike IIS 6.0, IIS 7.0 does not provide a built-in mechanism to export configuration for a particular site, as opposed to exporting the entire server’s configuration. In a lot of cases, this can be accomplished by manually re-creating the site definition on the target server and then simply copying the site content, which can now define its configuration in the web.config files contained within the site’s directory structure.
However, if the site configuration is located inside location tags in applicationHost.config, there is no automated mechanism to export it. You can, of course, simply copy the contents contained in the location tag (including the location tags) and add it to the bottom of another applicationHost.config. An automated mechanism may become available in the future.

Delegating Configuration
The new configuration system in IIS 7.0 was designed to provide rich support for feature delegation. This term has a special meaning in IIS 7.0—the ability to designate features that
Web site administrators or application managers can control at the site or application level— without making them administrators on the server. As you will see, feature delegation works hand in hand with remote administration and is built into the IIS Manager, which allows you to configure delegation and at the same time respects delegation settings, limiting access to locked or limited features.
Download at Boykma.Com

98

Part I:

Foundation

Feature delegation is implemented in two ways. First, the configuration hierarchy itself allows configuration to be specified in distributed web.config files, which are typically under control of the site administrator or application developer who do not have to be server administrators to set or change configuration therein. The server administrator has control over what configuration can be set in the delegated manner in web.config files, versus what configuration can only be set by a server administrator in applicationHost.config. This control is accomplished through configuration locking, which can be done at the section level by locking the section in applicationHost.config or at the granular level by locking specific configuration settings in a particular configuration section. Granular configuration locking is described in more detail in this chapter in the section titled “Granular Configuration Locking.”
The second way is implemented by IIS Manager, which subsumes the configuration section locking mechanism and provides a way to manage the delegation of the underlying configuration and the corresponding IIS Manager UI features for seamless integration with remote administration through the tool. Managing feature delegation through the IIS Manager has the advantage of ensuring correctly configured delegation. The IIS Manager will respect delegation settings so that a remote user cannot see features that are hidden (marked as Not
Delegated in the IIS Manager), and cannot make changes to features that are marked as Read
Only in the IIS Manager.
Important

Any user that can upload a web.config can overwrite IIS 7.0 and ASP.NET settings in web.config. If you use the IIS Manager to write configuration, these settings will be properly maintained and users will only be allowed to change configuration for which they have access. If a web.config file is created outside of using the IIS Manager and then uploaded to the site, it may contain configuration settings that are not permitted by the delegation settings. In this event, IIS 7.0 will present a configuration locking error, and the previous, correct, web.config details may be lost, since the original web.config has been overwritten.

When you delegate control to others, there will be a strong incentive for them to control their site or application configuration using the IIS Manager, as it will show only features that the user has the right to see or control.
In general, features in IIS 7.0 are related to configuration “sections” in applicationHost.config.
We’ve already described this in the discussion earlier in this chapter on section definitions and the value for “overrideModeDefault” associated with each section. The IIS Manager, of course, is the main tool for controlling configuration of these sections, and it’s much easier to understand and manage delegation using the IIS Manager than any other way.

Delegation Settings in the IIS Manager
Let’s examine the various settings in the IIS Manager related to delegation. Figure 4-5 shows the results you’ll see if you select the server node in the tree view and then Feature Delegation from the features pane.
Download at Boykma.Com

Chapter 4:

Figure 4-5

Understanding the Configuration System

99

Feature Delegation in the IIS Manager.

The Delegation column lists the current delegation setting for each feature. The names for these various states for delegation may not be as clear as they might be to describe what’s going on, so you should not try to infer a great deal from the terms:


Not Delegated When a feature is marked as Not Delegated, the corresponding configuration section will be locked in applicationHost.config by placing it inside a tag with the overrideMode value set to Deny. When a feature is marked as Not Delegated, any changes you make to this feature at server level (that is, with the server icon selected in the tree view) will be recorded in applicationHost.config.
Changes at the site or application level can only be made by the server administrator and will be recorded in applicationHost.config using tags to apply them to the required path. When using the IIS Manager to connect to the site or application, remote users will not be able to see the corresponding feature icon or change its settings.
If a web.config file is uploaded that contains settings for a Not Delegated feature, a configuration error occurs.



Read Only This is the same as Not Delegated, except that remote users will be able to

see this feature; however, they cannot change any values. This is a useful setting when you want users to know, for example, what authentication methods are available to them, but you don’t want them to be able to turn them on or off.


Read/Write When a feature is marked as Read/Write, the configuration section will

be unlocked for distributed web.config files. This is accomplished by placing the configuration section in a tag with the overrideMode value set to Allow. Any changes you make to this at feature at server level will be recorded in applicationHost.config. Changes to this feature at the site or application level will be recorded in the appropriate web.config. (A reference to site level designates the web.config in the site root. The application level refers to the web.config file that resides in a folder within the site that has been designated as an application.) When using the IIS Manager to connect to the site or application, remote users will be able to see and change the settings.
Additional delegation values may be provided by third-party extensions to the tool that have extension-specific meaning.
Download at Boykma.Com

100

Part I:

Foundation

You can learn more about configuring IIS Manager feature delegation and determining which users have the right to manage the Web server configuration remotely in Chapter 8,
“Remote Administration.”

Default Settings for Delegated Configuration
As mentioned, certain settings in IIS 7.0 are delegated by default, whereas others are specifically locked down. Table 4-8 is from a prerelease version of the IIS 7.0 Hosting Deployment
Guide, which can be located on IIS.net. The information in the table details which features are delegated and why. You may want to make different decisions than the IIS team regarding these default settings, but a great deal of thought has gone into these settings, so we would advise not making changes to the global settings without good reason.
Table 4-8

Features and Delegated Settings

Feature

Delegated Setting

Reason

.NET Compilation

Read Only

Specifies settings for ASP.NET compilation processing directives like the temporary compilation directory.

(changed from
Read/Write)

Prevents users from setting the temporary compilation directory manually.
.NET Globalization

Read/Write

Specifies settings for default culture and globalization properties for Web requests.

.NET Profile

Read/Write

Specifies settings for user-selected options in
ASP.NET applications.

.NET Roles

Read/Write

Specifies settings for groups for use with .NET users and forms authentication.

.NET Trust Levels

Read Only

Specifies the trust level. By locking down the trust level when you follow the ASP.NET guidance in this document, you will be setting this to Read Only and locking it for the server.

(changed from
Read/Write)

Prevents Web site owners from setting the trust level to a higher level than set by the server administrator. For example, if a custom trust level is set by the administrator, this setting should be set to Read Only so it cannot be overridden. .Net Users

Configuration
Read/Write

Specifies settings for management of users who belong to roles and use forms authentication. Application Settings

Read/Write

Specifies settings for storing data (name and value pairs) that managed code applications can use at run time.

ASP

Read Only

Specifies Classic ASP settings.

ASP.NET Impersonation

Read/Write

Specifies impersonation settings. Site owners can use this to run their site under a different security context.

Download at Boykma.Com

Chapter 4:

Table 4-8

Understanding the Configuration System

101

Features and Delegated Settings

Feature

Delegated Setting

Reason

Authentication—
Anonymous

Read Only

Specifies anonymous authentication settings.

Authentication—Forms

Read/Write

Specifies forms authentication settings.

Authentication—Windows Read Only

Specifies Windows authentication settings.

Authorization Rules

Read/Write

Specifies the list of Allow or Deny rules that control access to content.

CGI

Read Only

Specifies properties for CGI applications.
Should be left set to Read Only to prevent users from changing settings.

Compression

Read/Write

Specifies settings to configure compression.

Connection Strings

Read/Write

Specifies connection strings that applications can use.

Default Document

Read/Write

Specifies default documents for the Web site.
By leaving this Read/Write, users will be able to specify a custom default document for their site without contacting the server administrator. Directory Browsing

Read/Write

Specifies directory browsing settings.

Error Pages

Read Only

Specifies what HTTP error responses are returned. Failed Request Tracing
Rules

Read/Write

Specifies settings for failed request tracing rules. Enables users to create rules for tracing requests based on parameters like time taken or status code and to diagnose problems with their site.

Feature Delegation

Remove Delegation

Specifies settings for delegating features to applications. (changed from
Read/Write)

It can be turned off unless server administrators want to enable this feature for site owners.

Handler Mappings

Read/Write

HTTP Response Headers

Read/Write

Specifies HTTP headers that are added to responses from the Web server.

ISAPI Filters

Read Only

Specifies ISAPI filters that process requests made to the site or server, such as ASP.NET.

Logging

Remove Delegation

Machine Key

Read/Write

Specifies hashing and encryption settings for applications services, such as view state, forms authentication, and membership and roles.

MIME Types

Read Only

Specifies what file types can be served as static files. Download at Boykma.Com

102

Part I:

Foundation

Table 4-8

Features and Delegated Settings

Feature

Delegated Setting

Reason

Modules

Read/Write

Specifies native and managed code modules that process requests made to the site or server.

Output Caching

Read/Write

Specifies rules for caching output.

Pages and Controls

Read/Write

Specifies page and control settings for applications. Redirect Rules

Read/Write

Specifies settings for redirecting requests to another file or URL.

Session State

Read/Write

Specifies session state and forms authentication cookie settings.

SMTP E-mail

Read/Write

Specifies e-mail address and delivery options for e-mail sent from the site.

SSL Settings

Read Only

Specifies settings for SSL.

Directly Configuring Delegation
Although you can manage the delegation of many IIS features in the IIS Manager, it only allows you to manage the underlying configuration delegation for features that have corresponding UI pages in the IIS Manager. For those features, selecting the IIS Manager delegation state also generates the required configuration delegation settings to control whether the corresponding configuration sections can be used at the site or application level.
However, there are times when you will need to manage configuration delegation directly.
One such case is when the configuration section does not have a corresponding IIS Manager feature. For example, IIS 7.0’s URL Filtering feature does not, at the time of this writing, have a UI component. In these cases, you can work with the configuration system directly or the Appcmd command line tool to configure the desired configuration delegation.
The initial ability to delegate a specific configuration section is controlled by the overrideModeDefault attribute on its declaration (see the “Section Declarations” section earlier in this chapter). Some of the built-in IIS 7.0 configuration sections like allow delegation by default by specifying Allow for this attribute in their declarations, and others like do not by specifying Deny. This decision is typically made by the developer of the feature that reads this configuration section, based on whether or not the feature configuration should be by default delegated to users who are not server administrators.
Caution Do not change the overrideModeDefault setting on section declarations to unlock them. The IIS team recommendations for default delegation settings are well reasoned.
If you need to override the default setting globally, use Location tags referencing the “*” path
(or a null path, “”).

Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

103

The overrideModeDefault setting on the section declarations in applicationHost.config sets the default value for delegation. You can modify the delegation status of each configuration section by locking or unlocking it. Unlocking sections is often needed in order to be able to specify configuration for certain sections in web.config files of your Web site. Likewise, you may want to lock certain other sections if you do not want the Web sites on your server to be able to override the settings set in applicationHost.config.
To unlock a section, you can use the Appcmd.exe command line tool as follows.
%windir%\system32\inetsrv\AppCmd Unlock Config /section:

Where is the name of the section, for example, “system.webServer/serverRuntime”.
To lock a section that is currently unlocked, you can use the following command.
%windir%\system32\inetsrv\AppCmd Lock Config /section:

Locking or unlocking a section produces a location tag in applicationHost.config that sets the delegation state of the configuration section by setting the overrideMode attribute to
Allow or Deny. For example, if we use the unlock command shown previously to unlock the section, we will generate the following in applicationHost.config.

Likewise, you can lock or unlock configuration sections for a particular configuration path only, by specifying this path in the command. This can allow you, for example, to keep the configuration section locked for the entire server but allow a specific site to override its settings. %windir%\system32\inetsrv\AppCmd Unlock Config "Default Web Site/"
/section:system.webServer/serverRuntime /commit:apphost

In this example, we unlock the section for the “Default Web Site” only and commit these changes to applicationHost.config (this is required). This produces a location tag in applicationHost.config that uses the path attribute to apply itself only to “Default Web
Site/”.
This enables you to quickly manage the configuration delegation on a section level. However, sometimes it is necessary to allow the delegation of the section but keep control over a specific setting inside that section. This can be accomplished using granular configuration locking, which we’ll discuss in the section titled “Granular Configuration Locking” later in this chapter.

Download at Boykma.Com

104

Part I:

Foundation

Additional Configuration for Remote Administration
For a user to manage a site or application remotely using the IIS Manager, it is necessary to assign specific permissions to the content. The service account for the Web Management
Service (WMSvc) must have read and write permissions to web.config in order to successfully connect remotely. Please refer to Chapter 8 for these and other details.

Granular Configuration Locking
You have explored the configuration’s ability to lock and unlock sections for delegation and used the location tag for creating settings for a site or directory that override the inherited defaults. Feature delegation controls whether or not the entire section can be used in a configuration file at a certain level. However, there are some cases in which the configuration section contains some configuration that should be delegated and some configuration that should be locked.
To support these scenarios, the configuration system allows you to exercise more fine-grained control over what specific configuration settings should be delegated through granular locking. Granular locking is achieved through the use of special locking directives supported by the configuration system.
To use granular configuration locking, you have to edit the configuration through some means other than the IIS Manager. At this time, the IIS Manager does not support configuring granular locking.
Note

The semantics for granular locking are based on the configuration system for ASP.NET, so if you are familiar with that, you will be ahead of the game.

Granular configuration locking is accomplished by using one of the special attributes listed in
Table 4-9.
Table 4-9

Granular Configuration Locking

Locking Directive

Used To

lockAttributes

Lock specific attributes to prevent them from being specified.

lockAllAttributesExcept

Lock all attributes on the element other than the specified attributes.

lockElements

Lock the specified elements to prevent them from being specified (and therefore lock all other attributes and child elements of the specified elements)

lockAllElementsExcept

Lock all elements on the current element except the specified elements.

lockItem

Lock the current collection element to prevent it from being removed.
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

105

lockAttributes, lockAllAttributesExcept The lockAttributes configuration directive can be specified on a configuration element in order to lock specific attributes on the element and prevent them from being specified at lower configuration levels. The lockAttributes directive specifies a comma-separated list of attribute names that are valid for the current element.
For example, in order to allow the section to be delegated but make sure that the feature itself cannot be disabled, we can set the enabled attribute to “true” and then lock it using the lockAttributes directive as follows:

In this example, lockAttributes instructs IIS 7.0 to disallow any change to the enabled attribute.
As a result, if the Web administrator attempts to turn off the default document feature
(enabled=“false”) the error message shown in Figure 4-6 occurs.

Figure 4-6

Error message due to configuration locking.

As you can see in Figure 4-6, the lock violation is called out and the offending line in web.config is clearly displayed. Removing this line, in this case, clears the error.

Download at Boykma.Com

106

Part I:

Foundation

The lockAllAttributesExcept form of the attribute lock provides a convenient mechanism for cases in which you want to lock all attributes on the element except for one or two attributes that should be unlocked. In that case, you can use it instead of the lockAttributes element and specify the attributes that you want to keep unlocked. lockElements, lockAllElementsExcept The lockElements locking directive allows you to lock a particular child element of the current element (as opposed to an attribute). This prevents this element from being specified at lower configuration levels. The lockElements directive specifies a comma-separated list of element names to lock.
For example, we can use the lockElements directive to prevent the collection of the section from being specified, therefore effectively preventing lower configuration levels from changing the contents of the default document list.

This setup prevents a Web administrator from changing the files in the default document list, but it does permit turning the feature on and off (via the enabled attribute).
The lockElements directive can also be used to do collection locking. By locking the ability to use certain collection elements (such as , , and ) it is possible to prevent the collection from being changed or prevent elements from being removed while still allowing new elements to be added.
For example, if you lock the element (or the corresponding element that acts as the element for the collection), lower configuration levels will not be able to add new elements to the collection. Likewise, if you lock the and elements, lower levels will not be able to remove elements from the collection but will be able to add new ones.
The lockAllElementsExcept directive can be used with configuration elements that have multiple subelements, when you want to lock all of them but one. In practice, we don’t expect that this will be widely used, but it is a possibility to keep in mind should you encounter a situation in which it is applicable. lockItem The lockItem directive can be used to lock specific collection elements from being removed or modified, as opposed to preventing all elements in the collection from being removed by locking the element using lockElements. The lockItem directive is specified on each collection element that is to be locked and accepts Boolean values.

Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

107

Returning to our example, we want to allow a Web site administrator to be able to add new entries to the list of default pages but not remove Default.aspx from the list. In applicationHost.config, you can lock in the Default.aspx page by finding the configuration section in applicationHost.config as follows.

This will prevent lower configuration levels from being able to explicitly remove the
Default.aspx entry, as well as using to remove all items from the collection. They will still be able to add new entries to the collection.
An important use of lockItem is implemented in applicationHost.config. If you examine the section, you’ll notice that modules are added with lockItem set to “true.” This means that if IIS 7.0 encounters a or in a web.config or location tag that references the locked module, you will get a locking error. These locks are enabled by default since delegation is enabled for modules in order to permit .NET applications to add modules, a feature that is quite common. However, by delegating the modules section, it is also possible to remove modules in web.config. This could allow a user to inadvertently create an insecure or nonfunctional configuration. To prevent this from occurring, while at the same time ensuring maximum compatibility with .NET, modules are declared with lockItem specified as true.

Sharing Configuration Between Servers
An entirely new feature in IIS 7.0 is the ability to have multiple Web servers share a single configuration file. This feature was designed with load-balanced Web farms in mind in order to eliminate the need to keep multiple server configuration in sync. Toward this end, shared configuration is an excellent feature that will be useful in many Web farm situations.
Note

Shared configuration is not a complete Web farm solution in itself, because it does not eliminate the need to synchronize application content and local components like SSL certificates or .NET assemblies registered in the GAC.

Download at Boykma.Com

108

Part I:

Foundation

Enabling Shared Configuration
You can enable shared configuration using the IIS Manager. You’ll find the IIS Manager
Shared Configuration icon in the features pane when the Server node is selected in the tree view. Look for it at the bottom in the Management section, as shown in Figure 4-7.
Note

It is possible to enable shared configuration without using IIS Manager by modifying
IIS configuration manually and performing all the necessary import steps. However, IIS
Manager is recommended because it automates a lot of these steps and makes setting up shared configuration a lot easier than it otherwise would be.

Figure 4-7

The Shared Configuration icon in IIS Manager.

How Shared Configuration Works
The basic notion behind shared configuration is to place the main configuration files for IIS
7.0 on a shared UNC path and have all the servers in the farm use the remote configuration store as if it were local. In addition, if you direct command line administration tools to modify settings on a server that uses the shared configuration, those instructions are redirected to the shared store. The net result is that if you have 10 servers sharing configuration, and you add an application pool, all 10 servers will have that pool immediately.
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

109

Setting up shared configuration involves three main actions: First, you have to create a location with the proper permissions and a user identity that will be used to access the content. Second, you must export the configuration files to a centralized location. Third, you have to set up the servers to use the shared configuration files instead of the local configuration files. At that point, they are all functionally identical.
Step 1: Preparing for Shared Configuration The IIS Manager has to write to the remote configuration as a user of some kind, so it must be provided with the credentials of a local or domain user that has the correct permissions. So the first task is to create a user that has the correct permissions and then assign NTFS permissions for that user to the shared location.
1. Create a user that you will use to provide read and write access to the shared configuration files. This can be a local user that has the same credentials on each server, or a domain user presuming all the servers are joined to a domain. net user ConfigAccess HighSecurePasswordhere /add

2. Create a folder that will contain the shared configuration files. This can be on one of the
Web servers or the file server. The only real requirement is that it be accessible via a standard UNC share from all the servers.
3. Configure the folder for sharing with the appropriate share permissions. We’ll use the
SharedConfig folder in this example.
Net share sharedconfig$=%SystemDrive%\sharedconfig /grant:ConfigUser,Read
/grant:Administrators,Full /grant:System,Full

4. Carefully inspect the configuration of the server you plan to use as the source for the shared configuration. The IIS 7.0 configuration you export will be shared by all the other servers, so take some time to make sure it is correct. You can, of course, change it after you’ve enabled shared configuration, but the changes will affect multiple servers at that time.
5. Back up the existing configuration files with the following commands from an administrative command prompt. windir%\system32\inetsrv appcmd add backup SharedConfigBackup

Step 2: Export the Configuration Files
1. In the IIS Manager, click the server node and then double-click the Shared Configuration icon.
2. In the Actions pane, click Export Configuration to open the Export Configuration dialog box, as shown in Figure 4-8.
3. Under Configuration Location in the Physical Path text box, enter the UNC path to shared configuration.
Note You can export the configuration files to a local, nonshared path if you prefer and then manually copy the files to the shared location.
Download at Boykma.Com

110

Part I:

Foundation

Figure 4-8

The Export Configuration dialog box.

4. Click Connect As and enter the credentials that have write access to the share. You could also enter administrative credentials here. These credentials are just used to write the configuration file in this export step and are not used for regular access to the shared configuration settings.
Caution

Do not use the ConfigAccess credentials you created for accessing the configuration from the Web server. These credentials should not have write access to the share.

5. Under Encryption Keys, enter a password that will be required to protect the exported encryption keys when transported off the server. You will need to provide this password on any server that will use the shared configuration files so that it can import the exported encryption keys. Note that the password must be at least eight characters, have a symbol, mixed case, and a number before it will be accepted. At this time, creating the encryption key cannot be automated.
6. Press OK. You will see a message that says the export was successful.
At this point you have not yet enabled shared configuration, just created a set of files that could be used for shared configuration. Before you proceed, you might want to see what was (and was not) copied. See the sidebar titled “Inspecting the Exported Configuration
Files” for more information.
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

111

Inspecting the Exported Configuration Files
Open the location where you exported the files and examine the contents. You’ll find a copy of applicationHost.config, administration.config, and an encrypted file named
ConfigEncryptedKey.key. The .key file is used to decrypt any secrets stored in the
.config files. For this to work, all the servers in the farm have to know a shared secret, and that’s the reason for a strong key to be entered when you export these configuration settings. By default, there are no secrets in the config files, because the anonymous user is now a built-in account and no longer requires a password since it cannot be used to log on to the server. In addition, the IWAM account found on IIS 4.0, IIS 5.0, and IIS 6.0 is deprecated. However, many companies use unique identities as principals for application pools and the IIS anonymous user in order to increase security and provide more granular details in audit logs.
Passwords created in the IIS manager associated with UNC paths, applications pool principals, and custom anonymous users are encrypted and stored in the configuration files. These encrypted items cannot be deciphered by default on other IIS 7.0 servers.
Shared configuration, however, makes this possible by allowing you to export the encryption keys from the server whose configuration is being exported and reimport them to all other machines using the shared configuration.
You should note that you will not see any web.config, custom modules, Web site content, certificates, or other files that are related to the server configuration. Centralized configuration enables sharing of applicationHost.config and administration.config files only. All other items needed to keep the servers functionally identical need to be managed by processes you institute outside of IIS 7.0.
Note that you can expect to see tools or updates to this feature from the IIS team after
Windows Server 2008 is released that will help with replication and synchronization tasks. Step 3: Enable Shared Configuration You’re now ready to enable shared configuration.
Typically, you’ll start with the server used for the shared configuration export. Exporting the configuration does not automatically cause the server to start using the exported settings. In fact, if you make any changes at this point to the IIS 7.0 configuration, you will see them on the local server, but unless you re-export the configuration, the shared configuration will not have the most recent changes.
The procedure is simple and is the same for each server:
1. In the Shared Configuration feature, select the Enable Shared Configuration check box.

Download at Boykma.Com

112

Part I:

Foundation

2. Enter the Physical Path, User Name, and Password you used to create the share and user for the share. In our example, this would be:
Path: \\Contoso\SharedConfig\
User: ConfigAccess
Password: HighSecurePasswordHere
3. At the prompt, enter the password you used to export the settings. You will see the message shown in Figure 4-9.

Figure 4-9

Backing up encryption keys.

This message informs you that if you decided to revert back to your local settings, the IIS
Manager will fix your encryption keys so they will work on your local configuration files. Otherwise, any passwords you entered in the configuration system for UNC paths, custom anonymous users, or application pool identities could not be deciphered by IIS.
4. Click OK to close the message box. You will see another message that says you need to close and reopen the IIS Manager and reset (stop and start) the Web Management
Service for changes to take effect. When you close and reopen the IIS Manager, you will load the redirected configuration files instead of the local files. Restarting the Management Service will cause remote administration requests to be redirected.
You will need to repeat this procedure on each server.
Download at Boykma.Com

Chapter 4:

Understanding the Configuration System

113

Shared Configuration Considerations
Shared configuration will help to reduce the administrative burden of configuration replication between servers in a Web farm. It is not, however, a Web farm management tool.
You will still need to manage replication of any content or configuration item that is local to a server in the farm. This typically involves such items as content replication, directory structure maintenance, SSL certificates, recycling of services, operating system updates, registering
COM objects, placing new content in the .NET global assembly cache, network configuration, and other settings that are stored locally.
Consider the scenario in which you want to change the type of application pool from Classic to Integrated. This is one of the few settings that will cause an application pool to recycle.
Making changes that affect the application pool environment, such as the application pool type or pool identity, will cause all of your application pools to recycle across all the shared servers, potentially resulting in your Web application becoming unavailable for a short period of time. As a result of this and other scenarios such as content updates, you will want to devise a method for rolling in updates so that you can more precisely control the settings.
For example, if you need to make a configuration change that would result in a recycle, you should export the settings from a second server to a new shared location. This server will be the only one using that location while the other servers in the farm continue to deliver requests. You then make the updates you want to this server and test the results. When you are satisfied, you move the other shared servers to the new shared location in series. If at any time you don’t like what’s going on, you can roll back to the prior configuration. If things proceed well, you will continue moving each server over until all the servers are using the new configuration. Summary
The IIS 7.0 configuration system is the foundation for many key deployment and management capabilities of the server. For the first time, it enables scenarios including delegated management of configuration, true xcopy deployment of IIS applications, and sharing configuration between multiple servers.
In this chapter, you reviewed the basics of editing Web server configuration, and performing key configuration management tasks such as backing up configuration and setting up shared configuration for multiple servers on a Web farm.
The configuration system is the core of the IIS 7.0 Administration stack, which offers a full set of options for managing the server. To learn how to manage IIS using GUI, see Chapter 6. You can also learn about managing IIS 7.0 configuration from the command line in Chapter 7.
In the spirit of IIS 7.0 end-to-end extensibility, the IIS 7.0 configuration system is also completely extensible, allowing third-party Web server modules to store their configuration in the IIS 7.0 configuration system. This extensibility allows developers to make use of the same
Download at Boykma.Com

114

Part I:

Foundation

configuration capabilities and management tools used by IIS 7.0. For example, an administrator could configure the custom feature using Appcmd or a developer could use .NET to manage the feature state and configuration.
For more information about protecting configuration on your server, including using configuration encryption and properly taking advantage of configuration isolation, see Chapter 14.

Additional Resources
These resources contain additional information and tools related to this chapter:


The IIS 7.0 Web Reference can be found at http://msdn2.microsoft.com/en-us/library/ ms691259.aspx. ■

You can search for configuration information on the IIS Web site at http://www.iis.net and in the IIS 7.0 online help files.



You’ll find information about how IIS 6.0 metabase properties map to IIS 7.0 configuration schema at http://msdn2.microsoft.com/en-us/library/aa347565.aspx.



For more information about configHistory, see the article “Using IIS7 Configuration
History” at http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Configuring-theIIS7-Runtime/Understanding-AppHost-Service/Using-IIS7-Configuration-History?Page=1.

Download at Boykma.Com

Part II

Deployment
In this part:
Chapter 5: Installing IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Download at Boykma.Com

Download at Boykma.Com

Chapter 5

Installing IIS 7.0
In this chapter:
Planning the Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Post Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Troubleshooting Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Removing IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

On the Disc

Browse the CD for additional tools and resources.

Windows Server 2008 has a great story when it comes to installing and configuring your Web server. Internet Information Services (IIS) 7.0 has a modular setup design that gives you complete control when you set up your Web server.
Windows Server 2008 introduces new tools to install IIS 7.0. You can use Server Manager, a graphical user interface (GUI)-based tool, or two command line tools called Package Manager
(Pkgmgr.exe) and ServerManagerCMD. Along with the new tools, IIS 7.0 supports legacy scripts that use Active Directory Service Interfaces (ADSI) or Windows Management
Instrumentation (WMI).
In addition to the various ways to install IIS 7.0, the new XML-based configuration system introduced in Windows Server 2008 allows you to copy your base build files to other machines. After you have created your master image, you can copy the IIS 7.0 configuration files to another IIS 7.0 server. The new modular architecture enables you to design and implement a server that meets your needs.
But before you start to install IIS 7.0, you should do a little planning.

Planning the Installation
IIS 7.0 has a modular architecture that enables you to customize exactly which features are installed and run on the Web server. The Web server features are now separated into more than 40 modules that can be independently installed, enabling you to greatly reduce the potential attack surface. (See Chapter 3, “Understanding the Modular Foundation,” for more
Download at Boykma.Com

117

118

Part II:

Deployment

details.) A smaller installation footprint also minimizes your patching requirements. If you implement a default installation, IIS 7.0 installs with 10 modules and will deliver only static content as an anonymous user. However, you will likely want to do more than this.
To take full advantage of the modular architecture, you should plan your IIS 7.0 installation to match the requirements of the applications you plan to deploy. This chapter provides specific information about what modules you’ll need to handle various workloads. Reducing the number of installed modules makes it easier to support, monitor, and troubleshoot your applications once they are deployed in a production environment.
When you plan your installation, think about which installation tool you want to use. Server
Manager (which first launches when you log into Windows Server 2008) provides an intuitive
UI that gives you complete control over which roles and features are installed. Server Manager automatically takes care of any dependencies necessary to support the various modules. You can use Server Manager to determine which modules are required for a particular workload and then use this information to automate your installation with command line tools. The
Server Manager UI is not available on Server Core installations of Windows Server 2008.
ServerManagerCMD is a command line version of Server Manager. It is a managed code executable that offers more flexibility when automating your server installation. ServerManagerCMD is easy to use as a command line installation tool because it has knowledge of server roles, role services, and their dependencies. For example, with a single command, you can install all the components necessary to run a static Web server. Other roles and features such as Message Queuing can be installed in a similar way. ServerManagerCMD is intended to be a global tool used at a server level. ServerManagerCMD is not available on Server Core installations. Package Manager is a command line tool that provides for custom and automatic installations of IIS 7.0. Package Manager offers the most flexibility and the most granularity for your IIS 7.0 installations. Unlike with Server Manager, you have to be aware of the modules and their dependencies. If you do not install the appropriate modules and the associated dependencies, your server won’t work as expected. Package Manager is available on all versions of Windows
Server 2008.
Which of these tools you use depends on your environment. If you do not need to automate the installation process, Server Manager will fill your needs. If you are designing the rollout of servers for an enterprise or hosting company, you’ll want to look at Package Manager or
ServerManagerCMD. But you’ll probably want to choose only one of these rather than learn and maintain two tools. If you plan to have Server Core machines, Package Manager is your only option, and it will do the job well. If you do not plan to deploy Server Core machines,
ServerManagerCMD becomes an option. Whatever tool you use, IIS 7.0 provides multiple tools to help automate your server installs. You’ll find a discussion of ServerManagerCMD and
Package Manager in the “Using ServerManagerCMD” and “Using Package Manager” sections in this chapter.
Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

119

Installation Scenarios for IIS 7.0
One concept introduced in Windows Server 2008 is workload-specific setups. Some common workload scenarios that can be used in Windows Server 2008 are


Static Content Web Server (Default installation)



ASP.NET



Classic ASP



FastCGI-based applications



IIS Managed Modules and .NET Extensibility



IIS Full Install



Server Core Web Edition

Static Content Web Server (Default Installation)
Web Server with the Static Content role service is the default installation and one of the most commonly used installation workload types. Other workloads and product installations use it. The preselected setup defaults of IIS 7.0 provide all the IIS modules required to support this configuration. This includes the ability to serve static HTML files, documents, and images.
Additionally, it provides support for default documents, directory browsing, logging, and anonymous authentication. The IIS Manager Console is also installed.
Table 5-1 lists all the components that are selected by default when you install IIS 7.0. The table includes the appropriate update names. Update names are the names used to perform
Package Manager installations.
Table 5-1

Default Server Install Components

Server Manager

Update Name

Static Content

IIS-StaticContent

Default Document

IIS-DefaultDocument

Directory Browsing

IIS-DirectoryBrowsing

HTTP Errors

IIS-HttpErrors

HTTP Logging

IIS-HttpLogging

Logging Tools

IIS-LoggingLibraries

Request Monitor

IIS-RequestMonitor

Request Filtering

IIS-RequestFiltering

Static Content Compression

IIS-HttpCompressionStatic

IIS Management Console

IIS-ManagementConsole

Download at Boykma.Com

120

Part II:

Deployment

To install IIS features for a Static Content Web server via Package Manager, use the following command from a command prompt. (The command has been formatted to fit on the printed page.) start /w pkgmgr.exe /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;
IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;
IIS-HttpErrors;IIS-HealthAndDiagnostics;IIS-HttpLogging;
IIS-LoggingLibraries;IIS-RequestMonitor;IIS-Security;
IIS-RequestFiltering;IIS-HttpCompressionStatic;
IIS-WebServerManagementTools;IIS-ManagementConsole;
WAS-WindowsActivationService;WAS-ProcessModel;
WAS-NetFxEnvironment;WAS-ConfigurationAPI

To install IIS features for Static Content Web Server via ServerManagerCMD, use the following command from a command prompt:
ServerManagerCMD.exe –install Web-Server

ASP.NET
The Microsoft ASP.NET Web server is probably the most commonly used server workload type. ASP.NET has proven to be very popular among developers. IIS 7.0 and ASP.NET are designed to work closely together, and ASP.NET is a first-class citizen in IIS 7.0. Developers can deploy managed code at the same level as native modules. The integrated pipeline option provides this functionality. The Static Content Web Server modules, along with specific
ASP.NET options, make up the ASP.NET workload server.
Table 5-2 lists all components that are installed when you configure your server to use the
ASP.NET workload server. The table includes the appropriate update names.
Table 5-2

ASP.NET Workload Server Options

Server Manager

Update Name

Static Content

IIS-StaticContent

Default Document

IIS-DefaultDocument

Directory Browsing

IIS-DirectoryBrowsing

HTTP Errors

IIS-HttpErrors

HTTP Logging

IIS-HttpLogging

Logging Tools

IIS-LoggingLibraries

Request Monitor

IIS-RequestMonitor

Request Filtering

IIS-RequestFiltering

Static Content Compression

IIS-HttpCompressionStatic

IIS Management Console

IIS-ManagementConsole

ASP.NET

IIS-ASPNET

.NET Extensibility

IIS-NetFxExtensibility

ISAPI

IIS-ISAPIFilter

ISAPI Extensions

IIS-ISAPIExtensions
Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

121

To install IIS features for the ASP.NET server workload via Package Manager, use the following command from a command prompt: start /w pkgmgr.exe /iu:IIS-WebServerRole;IIS-WebServer;
IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;
IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-ApplicationDevelopment;
IIS-ASPNET;IIS-NetFxExtensibility;IIS-ISAPIExtensions;
IIS-ISAPIFilter;IIS-HealthAndDiagnostics;IIS-HttpLogging;
IIS-LoggingLibraries;IIS-RequestMonitor;IIS-Security;
IIS-RequestFiltering;IIS-HttpCompressionStatic;
IIS-WebServerManagementTools;IIS-ManagementConsole;
WAS-WindowsActivationService;WAS-ProcessModel;
WAS-NetFxEnvironment;WAS-ConfigurationAPI

To install IIS features for the ASP.NET server workload via ServerManagerCMD, use the following command from a command prompt:
ServerManagerCmd.exe
ServerManagerCmd.exe
ServerManagerCmd.exe
ServerManagerCmd.exe
ServerManagerCmd.exe
ServerManagerCmd.exe

-install
-install
-install
-install
-install
-install

Web-Server
Web-ASP-NET
Web-NET-Ext
Web-Filtering
Web-ISAPI-Filter
Web-ISAPI-Ext

Classic ASP
Before Microsoft released ASP.NET, classic ASP was used as the main programming language on IIS. Many Web sites still use classic ASP today, and IIS 7.0 supports classic ASP. Your classic
ASP applications will easily port to IIS 7.0. You can take advantage of the new benefits such as diagnostics, logging, and troubleshooting, while at the same time maintaining your existing applications, enabling you to have the best of both worlds. You will be able to keep your classic ASP around and have the benefits of IIS 7.0. The static file modules, along with specific classic ASP options, make up the ASP workload server.
Table 5-3 lists all components that are installed when you configure your server to use the classic ASP workload server. The table includes the appropriate update names.
Table 5-3

Classic ASP Workload Server Options

Server Manager

Update Name

Static Content

IIS-StaticContent

Default Document

IIS-DefaultDocument

Directory Browsing

IIS-DirectoryBrowsing

HTTP Errors

IIS-HttpErrors

HTTP Logging

IIS-HttpLogging

Logging Tools

IIS-LoggingLibraries

Request Monitor

IIS-RequestMonitor

Request Filtering

IIS-RequestFiltering
Download at Boykma.Com

122

Part II:

Deployment

Table 5-3

Classic ASP Workload Server Options

Server Manager

Update Name

Static Content Compression

IIS-HttpCompressionStatic

IIS Management Console

IIS-ManagementConsole

ASP

IIS-ASP

ISAPI Extensions

IIS-ISAPI-Extensions

To install IIS features for the classic ASP server workload via Package Manager, use the following command from a command prompt: start /w pkgmgr.exe /iu:IIS-WebServerRole;IIS-WebServer;
IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;
IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-ApplicationDevelopment;
IIS-ASP;IIS-ISAPIExtensions;IIS-HealthAndDiagnostics;
IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;
IIS-Security;IIS-RequestFiltering;IIS-HttpCompressionStatic;
IIS-WebServerManagementTools;IIS-ManagementConsole;
WAS-WindowsActivationService;WAS-ProcessModel;
WAS-NetFxEnvironment;WAS-ConfigurationAPI

To install IIS features for the classic ASP Web server workload via ServerManagerCMD, use the following command from a command prompt:
ServerManagerCmd.exe
ServerManagerCmd.exe
ServerManagerCmd.exe
ServerManagerCmd.exe

-install
-install
-install
-install

Web-Server
Web-ASP
Web-Filtering
Web-ISAPI-Ext

FastCGI Server Workload
FastCGI is an alternative to CGI (Common Gateway Interface). This is a language-independent extension to CGI that provides high performance without being tied to a specific server platform. Note For more information on the FastCGI module for IIS, please read Bill Staples’s blog at http://blogs.iis.net/bills/archive/2006/10/31/PHP-on-IIS.aspx. The blog discusses how to enhance your PHP applications with IIS 7.0 and FastCGI modules.

One of the design goals of Windows Server 2008 is to provide a common Web server platform for all types of applications. This includes applications based on Microsoft technology such as
ASP.NET and classic ASP, as well as non-Microsoft technology such as PHP.
Table 5-4 lists all components that are installed when you configure your server to use the
FastCGI workload server. The table includes the appropriate update names.

Download at Boykma.Com

Chapter 5:

Table 5-4

Installing IIS 7.0

123

FastCGI Workload Server Options

Server Manager

Update Name

Static Content

IIS-StaticContent

Default Document

IIS-DefaultDocument

Directory Browsing

IIS-DirectoryBrowsing

HTTP Errors

IIS-HttpErrors

HTTP Logging

IIS-HttpLogging

Logging Tools

IIS-LoggingLibraries

Request Monitor

IIS-RequestMonitor

Request Filtering

IIS-RequestFiltering

Static Content Compression

IIS-HttpCompressionStatic

IIS Management Console

IIS-ManagementConsole

CGI

IIS-CGI

To install IIS features for the FastCGI server workload via Package Manager, use the following command from a command prompt: start /w pkgmgr.exe /iu:IIS-WebServerRole;IIS-WebServer;
IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;
IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-ApplicationDevelopment;
IIS-CGI;IIS-HealthAndDiagnostics;IIS-HttpLogging;
IIS-LoggingLibraries;IIS-RequestMonitor;IIS-Security;
IIS-RequestFiltering;IIS-HttpCompressionStatic;
IIS-WebServerManagementTools;IIS-ManagementConsole;
WAS-WindowsActivationService;WAS-ProcessModel;
WAS-NetFxEnvironment;WAS-ConfigurationAPI

To install IIS features for the FastCGI server workload via ServerManagerCMD, use the following command line:
ServerManagerCmd.exe -install Web-Server
ServerManagerCmd.exe -install Web-CGI

IIS Managed Modules and .NET Extensibility Server Workload
It is possible to take advantage of .NET without installing ASP.NET. You probably wonder when this type of server workload would be appropriate. Imagine you have developed your own custom HTTP modules specific to your environment. (This could include various content handling, redirection, session management, logging, or other custom application components.) This type of server workload would enable you to deploy servers with only the necessary modules to support your applications. You would have the power of IIS 7.0 and a small secure Web server footprint to meet your needs. The static file modules, along with the
IIS Managed Modules and .NET Extensibility, make up this workload type.

Download at Boykma.Com

124

Part II:

Deployment

Table 5-5 lists all components that are installed when you configure your server to use the IIS
Managed Modules and .NET Extensibility workload server. The table includes the appropriate update names.
Table 5-5

IIS Managed Modules and .NET Extensibility Server Options

Server Manager

Update Name

Static Content

IIS-StaticContent

Default Document

IIS-DefaultDocument

Directory Browsing

IIS-DirectoryBrowsing

HTTP Errors

IIS-HttpErrors

HTTP Logging

IIS-HttpLogging

Logging Tools

IIS-LoggingLibraries

Request Monitor

IIS-RequestMonitor

Request Filtering

IIS-RequestFiltering

Static Content Compression

IIS-HttpCompressionStatic

IIS Management Console

IIS-ManagementConsole

.NET Extensibility

IIS-NetFxExtensibility

To install IIS features for the IIS Managed Modules and .NET Extensibility server workload via
Package Manager, use the following command from a command prompt: start /w pkgmgr.exe /iu:IIS-WebServerRole;IIS-WebServer;
IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;
IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-ApplicationDevelopment;
IIS-NetFxExtensibility;IIS-ISAPIExtensions;IIS-ISAPIFilter;
IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;
IIS-RequestMonitor;IIS-Security;IIS-RequestFiltering;
IIS-HttpCompressionStatic;IIS-WebServerManagementTools;
IIS-ManagementConsole;WAS-WindowsActivationService;
WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

To install IIS features for the IIS Managed Modules and .NET Extensibility server workload via
ServerManagerCMD, use the following command from a command prompt:
ServerManagerCmd.exe -install Web-Server
ServerManagerCmd.exe -install Web-Net-Ext

IIS Full Install
You might want to do a complete IIS 7.0 installation in a test environment to evaluate everything IIS 7.0 has to offer. When you install all 40-plus modules, you are guaranteed that everything you need is available. In a true development scenario, however, it is probably not a good idea to do a full installation, because you could run into issues when you migrate your applications to a production environment that contains only a subset of modules. If you install only the minimum number of modules and features in your development environment, you will gain a complete understanding of what modules are needed and why. This will help keep
Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

125

your production server installation footprint smaller and more secure. The fewer modules deployed, the better your application performance will be. The more you do to match your development environment to your production servers, the more likely it is that you’ll have a smooth transition from development to production.
Table 5-6 lists all the components installed when you do a full installation of IIS 7.0. The table includes the appropriate update names.
Table 5-6

Full Server Install Components

Server Manager

Update Name

Internet Information Services

IIS-WebServerRole

World Wide Web Services

IIS-WebServer

Common HTTP Features

IIS-CommonHttpFeatures

Static Content

IIS-StaticContent

Default Document

IIS-DefaultDocument

Directory Browsing

IIS-DirectoryBrowsing

HTTP Errors

IIS-HttpErrors

HTTP Redirection

IIS-HttpRedirect

Application Development

IIS-ApplicationDevelopment

ASP.NET

IIS-ASPNET

.NET Extensibility

IIS-NetFxExtensibility

ASP

IIS-ASP

CGI

IIS-CGI

ISAPI Extensions

IIS-ISAPIExtensions

ISAPI Filters

IIS-ISAPIFilter

Server-Side Includes

IIS-ServerSideInclude

Health and Diagnostics

IIS-HealthAndDiagnostics

HTTP Logging

IIS-HTTPLogging

Logging Tools

IIS-LoggingLibraries

Request Monitor

IIS-RequestMonitor

Tracing

IIS-HttpTracing

Custom Logging

IIS-CustomLogging

ODBC Logging

IIS-ODBCLogging

Security

IIS-Security

Basic Authentication

IIS-BasicAuthentication

Windows Authentication

IIS-WindowsAuthentication

Digest Authentication

IIS-DigestAuthentication

Client Certificate Mapping Authentication

IIS-ClientCertificateMappingAuthentication

IIS Client Certificate Mapping Authentication

IIS-IISCertificateMappingAuthentication

URL Authorization

IIS-URLAuthorization

Request Filtering

IIS-RequestFiltering
Download at Boykma.Com

126

Part II:

Deployment

Table 5-6

Full Server Install Components

Server Manager

Update Name

IP and Domain Restrictions

IIS-IPSecurity

Performance

IIS-Performance

Static Content Compression

IIS-HttpCompressionStatic

Dynamic Content Compression

IIS-HttpCompressionDynamic

Management Tools

IIS-WebServerManagementTools

IIS Management Console

IIS-ManagementConsole

IIS Management Scripts and Tools

IIS-ManagementScriptingTools

Management Service

IIS-ManagementService

IIS 6 Management Compatibility

IIS-IIS6ManagementCompatibility

IIS Metabase Compatibility

IIS-Metabase

IIS 6 WMI Compatibility

IIS-WMICompatibility

IIS 6 Scripting Tools

IIS-LegacyScripts

IIS 6 Management Console

IIS-LegacySnapIn

FTP Publishing Service

IIS-FTPPublishingService

FTP Server

IIS-FTPServer

FTP Management Console

IIS-FTPManagement

Windows Process Activation Service

WAS-WindowsActivationService

Process Model

WAS-ProcessModel

.NET Environment

WAS-NetFxEnvironment

Configuration APIs

WAS-ConfigurationAPI

To install IIS features for a full server install via Package Manager, use the following command from a command prompt: start /w pkgmgr.exe /iu:IIS-WebServerRole;IIS-WebServer;
IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;
IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;
IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;
IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;
IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;
IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;
IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;
IIS-BasicAuthentication;IIS-WindowsAuthentication;
IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;
IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;
IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;
IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;
IIS-WebServerManagementTools;IIS-WebServerManagementTools;
IIS-ManagementConsole;IIS-ManagementScriptingTools;
IIS-ManagementService;IIS-IIS6ManagementCompatibility;
IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;
IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;
IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;
WAS-NetFxEnvironment;WAS-ConfigurationAPI

Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

127

To perform a full server install via ServerManagerCMD, use the following command from a command prompt:
ServerManagerCMD.exe –install Web-Server –allSubFeatures

Table 5-7 lists all ServerManagerCMD update names. Note that to perform a full installation using ServerManagerCMD, you can simply specify the –a switch. Refer to Table 5-7 when you need to install specific modules.
Table 5-7

Complete List of ServerManagerCMD Update Names

Server Manager

Update Name

Common HTTP Features

Web-Common-Http

Static Content

Web-Static-Content

Default Document

Web-Default-Doc

Directory Browsing

Web-Dir-Browsing

HTTP Errors

Web-Http-Errors

HTTP Redirection

Web-Http-Redirect

Application Development

Web-App-Dev

ASP.NET

Web-Asp-Net

.NET Extensibility

Web-Net-Ext

ASP

Web-ASP

CGI

Web-CGI

ISAPI Extensions

Web-ISAPI-Ext

ISAPI Filters

Web-ISAPI-Filter

Server Side Includes

Web-Includes

Health and Diagnostics

Web-Health

HTTP Logging

Web-Http-Logging

Logging Tools

Web-Log-Libraries

Request Monitor

Web-Request-Monitor

Tracing

Web-Http-Tracing

Custom Logging

Web-Custom-Logging

ODBC Logging

Web-ODBC-Logging

Security

Web-Security

Basic Authentication

Web-Basic-Auth

Windows Authentication

Web-Windows-Auth

Digest Authentication

Web-Digest-Auth

Client Certificate Mapping Authentication

Web-Client-Auth

IIS Client Certificate Mapping Authentication

Web-Cert-Auth

URL Authorization

Web-Url-Auth

Request Filtering

Web-Filtering

IP and Domain Restrictions

Web-IP-Security
Download at Boykma.Com

128

Part II:

Deployment

Table 5-7

Complete List of ServerManagerCMD Update Names

Server Manager

Update Name

Performance

Web-Performance

Static Content Compression

Web-Stat-Compression

Dynamic Content Compression

Web-Dyn-Compression

Management Tools

Web-Mgmt-Tools

IIS Management Console

Web-Mgmt-Console

IIS Management Scripts and Tools

Web-Scripting-Tools

Management Service

Web-Mgmt-Service

IIS 6 Management Compatibility

Web-Mgmt-Compat

IIS 6 Metabase Compatibility

Web-Metabase

IIS 6 WMI Compatibility

Web-WMI

IIS 6 Scripting Tools

Web-Lgcy-Scripting

IIS 6 Management Console

Web-Lgcy-Mgmt-Console

FTP Publishing Service

Web-Ftp-Publishing

FTP Server

Web-Ftp-Server

FTP Management Console

Web-Ftp-Mgmt-Console

Windows Process Activation Service

WAS

Process Model

WAS-Process-Model

.NET Environment

WAS-NET-Environment

Configuration APIs

WAS-Config-APIs

Server Core Web Edition Server Workload
Windows Server 2008 introduces Server Core, which is a complete command line shell operating system.
Note

A good introduction to IIS 7.0 Server Core is available at http://www.iis.net/articles/ view.aspx/IIS7/Explore-IIS7/Getting-Started/IIS7-on-Server-Core. Server Core provides an installation option that produces a server that can be treated as an appliance. Traditional UI components such as Microsoft Internet Explorer and Windows
Media Player are not installed. Server Core Web Edition is perfect for hosting IIS 7.0 when you want to support classic ASP; static, PHP-based; Internet Server Application Programming
Interface (ISAPI); and other Web applications that do not require .NET. Server Core does not include ASP.NET and .NET functionality. Even without ASP.NET, you can use Server Core
Web Edition for various workloads. For example, you can use Server Core to serve images.
Only two modules are required for this server workload: the StaticFileModule and
AnonymousAuthenticationModule. The following example shows the power and flexibility of the IIS 7.0 modular architecture.
Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

129

Installing IIS 7.0 on Server Core Web Edition
To install IIS 7.0 on Server Core Web Edition, follow these steps:
1. Install Server Core Web Edition and configure the Server Core instance with an IP address. You’ll need two commands to configure your server with an IP address. Enter the following command at a command prompt: netsh interface ipv4 show interfaces

The output is similar to the following:
Idx
--2
1

Met
MTU
State
Name
--- ----- ----------- ------------------10
1500 connected
Local Area Connection
50 4294967295 connected
Loopback Pseudo-Interface

Next, enter the following command at the command prompt (replace the IP information with appropriate values for your environment): netsh interface ipv4 set address name="2" source=static address=192.168.0.10 mask=255.255.255.0 gateway=192.168.0.1

2. Now, to perform a default installation of IIS 7.0, run the following command at the command prompt: start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;
WAS-ProcessModel

3. Back up the current ApplicationHost.config file by running the following command at the command prompt:
%windir%\System32\Inetsrv\appcmd add backup “ContosoComConfig”

4. Open the file %windir%\System32\Inetsrv\Config\ApplicationHost.config in Notepad.
To do this, you can type the following from the command line:
Notepad %windir%\system32\inetsrv\config\applicationHost.config

5. Locate the Global Modules section and change it as follows:

Download at Boykma.Com

130

Part II:

Deployment

6. Locate the Modules section in ApplicationHost.config and change it to match the following: 7. Open a browser from a remote machine and visit http:/// welcome.png. This should display the Welcome message.
From a command prompt on the Server Core, you can verify that just three modules related to IIS 7.0 are loaded. To do so, run the following command from the command prompt: tasklist /m /fi "Imagename eq w3wp.exe"

The resulting output should look like this:
Image Name
PID Modules
========================= ======== ============================================ w3wp.exe 1108 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, msvcrt.dll, USER32.dll,
GDI32.dll, ole32.dll, IISUTIL.dll,
CRYPT32.dll, MSASN1.dll, USERENV.dll,
Secur32.dll, WS2_32.dll, NSI.dll,
IMM32.DLL, MSCTF.dll, LPK.DLL, USP10.dll,
NTMARTA.DLL, WLDAP32.dll, PSAPI.DLL,
SAMLIB.dll, w3wphost.dll, OLEAUT32.dll, nativerd.dll, XmlLite.dll, IISRES.DLL, rsaenh.dll, CLBCatQ.DLL, mlang.dll, comctl32.dll, SHLWAPI.dll, iiscore.dll,
W3TP.dll, w3dt.dll, HTTPAPI.dll, slc.dll, faultrep.dll, VERSION.dll, mswsock.dll,
DNSAPI.dll, NLAapi.dll, IPHLPAPI.DLL, dhcpcsvc.DLL, WINNSI.DLL, dhcpcsvc6.DLL, wshtcpip.dll, wship6.dll, static.dll, authanon.dll, loghttp.dll

Notice the last three dynamic-link libraries (DLLs) are static.dll, authanon.dll, and loghttp.dll.
The DLLs are loaded in the same order as they are listed in the ApplicationHost.config file.
The other modules are related to the operating system.
This example demonstrates a lightweight yet flexible server that can serve images and log the hits in standard IIS logs. You can use your normal Web reporting tools to track the images being served.

Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

131

Caution

Back up your ApplicationHost.config file whenever you manually edit the file.
Doing so allows you to restore your server to its original state if a problem should occur. You would not make it a regular task to restore your ApplicationHost.config file, however; you would only run the restore command if there was an issue, or for this example, to restore your server to its original state.

Windows Server 2008 modular architecture provides the ability to customize your server setup. Except for the Server Core workload example, the examples presented in this chapter are common workload scenarios that show how to customize IIS 7.0 to fit your everyday application needs.
Note

For more information about administering IIS 7.0 on Server Core installations of
Windows Server 2008, go to http://blogs.iis.net/metegokt/archive/2007/06/26/administeringiis7-on-server-core-installations-of-windows-server-2008.aspx.

Ways to Install IIS 7.0
Server Manager, Package Manager (Pkgmgr.exe), and ServerManagerCMD are the basic tools you use to install IIS 7.0. In addition, when you are deploying IIS 7.0 throughout an enterprise, you should know about some alternative techniques. The following sections offer some basic pointers and tips that you should keep in mind when using each tool and option for installing
IIS 7.0.

Using Server Manager
Before you install IIS 7.0, you need to be aware of least-privileged user accounts (LUA). The goal of Windows User Account Control is to reduce the exposure and attack surface. It requires that all users run in standard user mode. If you are logged onto an account other than the built-in local administrator account, you might see the security alert dialog box shown in
Figure 5-1.

Figure 5-1

Windows security (User Account Control).

Download at Boykma.Com

132

Part II:

Deployment

Preparing Local User Administrator Security
Make sure to either log on using the built-in Administrator account or else to explicitly start your applications by using the built-in Administrator account credentials. You can use the runas command line tool. For example, to launch Notepad, you could run the following command: runas /user:Administrator Notepad.exe

You will then be prompted for the password of the Administrator account.
Note

It’s useful to have a command prompt shell that already has elevated credentials. You can start such a shell with the following command:

runas /user:administrator cmd.exe

Every application you run from the resulting command prompt will use elevated credentials as well, and you will not need to use the runas command line tool from that command prompt.

Installing IIS 7.0 Using Server Manager
Server Manager provides a single console to perform all administrative functions on Windows
Server 2008. When you first log into Windows Server 2008, Server Manager should automatically launch. To manually launch Server Manager, from the Start menu, click All Programs,
Administrative Tools, and then Server Manager.
Follow these steps to install the Web Server (IIS) Server Role using Server Manager:
1. Start Server Manager.
2. Select Roles and then click Add Roles.
3. Follow the Add Roles Wizard prompts and select the IIS features you want to install.
Note

The following article walks you through an installation of IIS 7.0 using Server Manager: http://www.iis.net/articles/view.aspx/IIS7/Deploy-an-IIS7-Server/Installing-IIS7/Install-IIS7-onLonghorn-Server?Page=2. Using Package Manager
Windows optional features in both Windows Vista and Windows Server 2008 can be installed using Package Manager (pkgmgr). The command line syntax using Package Manager is as follows: start /w pkgmgr.exe /iu:update1:update2...

Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

133

Note

If you run Package Manager without the start /w prefix, the pkgmgr command will return immediately, and you will not know when the installation has completed.

See the following list for the most common Package Manager commands. For a complete list of available commands, run the following command:
Pkgmgr.exe /?



/iu:{update name}; Specifies updates to install by update name. You can specify multiple updates to install by separating each update with a semicolon.



/uu:{update name}; Specifies updates to uninstall. You can specify multiple updates to uninstall by separating each update with a semicolon. At least one update name must be specified.



Specifies an XML file that provides information for an unattended installation. (For information about performing an unattended installation, see the section titled “Unattended Answer Files” later in this chapter.)
/n:{unattend XML}

Note

For more information about IIS.NET and Package Manager, see http://www.iis.net// articles/view.aspx/IIS7/Deploy-an-IIS7-Server/Installing-IIS7/Install-IIS7-from-theCommand-Line. Using ServerManagerCMD
ServerManagerCMD, along with the GUI version of Server Manager, enables you to query, install, and remove roles and features from the server. ServerManagerCMD also displays all roles, role services, and available features, and it shows which are installed on the computer.
You can run the following command from the command prompt:
ServerManagerCMD.exe -query

Figure 5-2 shows an example of the resulting output.
If you want to install the Web Server role, for example, you could use the following command:
ServerManagerCmd -install Web-Server

You can also place the installation actions in an XML document like this (the xmlns string has been formatted on multiple lines to fit on the printed page):

Download at Boykma.Com

134

Part II:

Deployment

Figure 5-2

ServerManagerCMD query of current modules.

If the XML were saved in a file named WebServerInstall.xml, you could then use the following
-whatIf switch from a command prompt to determine what would be installed based on the input file.
ServerManagerCmd.exe -inputPath WebServerInstall.xml –whatIf

The resulting output is shown in Figure 5-3.

Figure 5-3

Download at the -whatIf
ServerManagerCMD output from Boykma.Comswitch.

Chapter 5:

Installing IIS 7.0

135

To actually perform the Web Server installation, run this command:
ServerManagerCmd –inputPath WebServerInstall.xml

Recall that if you want to find out what roles and features are installed, you can use the following query:
ServerManagerCmd -query

To save the list of installed roles and features to an XML file, use the following command:
ServerManagerCmd -query currentConfig.xml

Viewing the Currentconfig.xml file gives you all the information you need to figure out which roles and features are installed on a server.
Here is the complete syntax for ServerManagerCMD:
-query [] [-logPath ]
-install
[-setting =]* [-allSubFeatures]
[-resultPath [-restart] | -whatIf] [-logPath
]
-remove
[-resultPath [-restart] | -whatIf] [-logPath
]
-inputPath
[-resultPath [-restart] | -whatIf] [-logPath
]
-help | -?
-version
Switch Parameters:
-query []
Display a list of all roles, role services, and features available, and shows which are installed on this computer. (Short form: -q)
If is specified, the information is also saved to a query.xml file, in XML format.
-inputPath
Installs or removes the roles, role services, and features specified in an XML answer file, the path and name of which is represent by . (ShortForm: -ip)
-install
Install the role, role service, or feature on the computer that is specified by the parameter. (Short form: -i)
-setting =
Used with the -install parameter to specify required settings for the installation. (Short form: -s)
-allSubFeatures
Used with the -install parameter to install all subordinate role services and features along with the role, role service, or feature named with the -install parameter. (Short form: -a)
-remove
Removes the role, role service, or feature from the computer that is specified by the parameter. (Short form: -r)

Download at Boykma.Com

136

Part II:

Deployment

-resultPath
Saves the result of the ServerManagerCmd.exe operation to a file, in XML format. (Short form: -rp)
-restart
Restarts the computer automatically, if restarting is necessary to complete the operation.
-whatIf
Display the operations to be performed on the current computer that are specified in the answer.xml file. (Short form: -w)
-logPath
Specify the non-default location for the log file. (Short form: -l)
-help
Display help information. (Short form: -?)
-version
Display the version of the Server Manager command that is running,
Microsoft trademark information, and the operating system.
(Short form: -v)
Examples:
ServerManagerCmd.exe -query
ServerManagerCmd.exe -install Web-Server -resultPath installResult.xml
ServerManagerCmd.exe -inputPath install.xml -whatIf

Unattended Answer Files
Windows Server 2008 unattended answer files, including IIS 7.0, are now formatted as XML, unlike in previous versions of Windows. An answer file can provide a consistent, repeatable approach when you need to install IIS 7.0 on many servers. You can use an answer file with
Package Manager and ServerManagerCMD. Each tool requires a slightly different format when using an answer file. This section examines a sample answer file for each tool.
Package Manager is a Windows Server 2008 native tool provided to install IIS 7.0. To experiment with an unattended installation, use Notepad to create the following sample answer file and then save it as Unattend.xml.
On the Disc

This answer file is also included on the companion media.

You’ll need to determine the version and processorArchitecture settings for your environment and appropriately change the bold type lines shown in the following code before proceeding with an unattended install using Package Manager.
Note

To obtain the version number, open Windows Explorer, navigate to
%windir%\System32, right-click Regedt32.exe, and select Properties. Select the Details tab, locate the File Version property (as shown in Figure 5-4), and use this value for the version setting in your Unattend.xml file. To obtain the architecture, run Set from a command prompt and look for the processor_architecture variable.

Download at Boykma.Com

Chapter 5:

Figure 5-4

Installing IIS 7.0

Determining the file version.

To run the installation process, enter the following command at the command prompt: pkgmgr /n:unattend.xml

Download at Boykma.Com

137

138

Part II:

Deployment

You can save your XML unattended answer file on a network share and point Package
Manager to this file. Maintaining a single installation file helps streamline administration of your installation processes.
ServerManagerCMD is the command line version of Server Manager. The syntax for the unattended answer file is slightly different than the Package Manager syntax. You can use
ServerManagerCMD on all versions of Windows Server 2008 except Server Core.
Here is a sample file you can use with ServerManagerCMD. This example shows installing a
Static Content Web Server. Save the following content as Default.xml in your local disk (again, the xmlns string has been split to fit on the printed page).
On the Disc

This file is also provided on the companion media.

To use this answer file with ServerManagerCMD, open a command prompt and type the following:
ServerManagerCMD.exe –inputPath Default.xml

Note

For more information about ServerManagerCMD and various workloads, see http://blogs.iis.net/metegokt/archive/2007/04/13/installing-iis-7-0-using-servermanagercmdexe.aspx. Sysprep/New Setup System
Sysprep has been used for years to prepare standard image files as part of a server deployment process. Windows Server 2008 and IIS 7.0 support Sysprep-based deployments. As an alternative approach to running an unattended install every time you deploy a new server, you can build a single server and install and configure IIS 7.0 on the server to fit your environment.
Once you run Sysprep, you can use an image capture program such as ImageX, which is included in the Windows Automated Installation Kit (WAIK). You could then use Windows
Deployment Services (WDS) to deploy the image to servers in your environment.
One limitation to be aware of when using Sysprep with an IIS 7.0 installation is that the original machine key values are encrypted and stored in the ApplicationHost.config file.
When the image is rolled out to a new machine, you’ll need to correct the machine key value as part of your post-build process that occurs as part of the first logon procedure. The first logon procedure can vary, depending on which tools you use to deploy images in your environment.
Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

139

Auto-Installs
Microsoft introduced Windows Deployment Services (WDS) in Windows Server 2003 Service
Pack 2 (SP2).
Windows Server 2008 includes Windows Deployment Services (WDS), which is the successor to Remote Installation Services (RIS). WDS uses Pre-boot Execution Environment (PXE) to deploy a Sysprep image or a scripted installation.
Whatever tools you decide to use, Windows Server 2008 and IIS 7.0 provide a variety of options to help streamline your server deployment.
Note

For more information about WDS, see http://technet2.microsoft.com/WindowsVista/ en/library/9e197135-6711-4c20-bfad-fc80fc2151301033.mspx?mfr=true. For more information about the WDS role that is included in Windows Server 2008, see http://technet2.microsoft.com/windowsserver2008/en/library/b279dfef-892e-4b12bb6b-c250cf8c95f41033.mspx?mfr=true. Windows Server 2008 Setup for Optional Features
The tools introduced in Windows Server 2008 completely replace previous installation tools such as Sysocmgr.exe and Setup.exe. A common install base provides many benefits. Windows Server 2008 offers a componentized install architecture.
Note

For more information about installing optional features, see http://www.iis.net/ articles/view.aspx/IIS7/Deploy-an-IIS7-Server/Installing-IIS7/Understanding-Setup-in-IIS7. Direct from the Source: Debating Which Features to Include in IIS 7.0
During the design of Windows Vista, the IIS team started to consider how to integrate the new modular design of IIS 7.0 with the new installation technologies of Windows
Vista. (Windows Vista and Windows Server 2008 are based on the same code base, so the many technologies that appear in Windows Server 2008 first appeared in Windows
Vista.) Although there were numerous technical issues to resolve, of course, the philosophical debate about what to install with IIS 7.0 by default was one of the hot topics.
When IIS 6.0 is installed, it has a lot of capabilities such as digest authentication, compression, default document handling, and other features that are more or less taken for granted, because they are always there. With IIS 7.0, these and other features are individual .dll files that can be installed or removed using the various operating system

Download at Boykma.Com

140

Part II:

Deployment

installation technologies (Server Manager, ServerManagerCMD, or Package Manager).
The question facing the IIS team was whether IIS 7.0 should be installed by default with features equivalent to those in the default installation of IIS 6.0, or—since the new architecture is modular—whether only a minimal set of features should be installed.
The argument for IIS 6.0 equivalency is that this is what customers are expecting, and
IIS 6.0 was considered secure out of the box. The argument for a reduced feature set is that it follows best practices to install only the minimal set required and have customers opt-in for features explicitly.
In the end, the minimal feature set was the choice, and I think it is the right choice. If you decide to install the Web Server (IIS) role and no other options, the only capability IIS
7.0 will have is to deliver static, anonymous content. You need to explicitly select additional capabilities.
The nice thing is that Server Manager and ServerManagerCMD will respect dependencies that are fully described in the underlying packages that make up the installation components for the various subsystems. So, if a customer wants to install ASP.NET, they just need to select that option, and the installation system will automatically install
ISAPI capabilities and any other features that may be required to support the requested feature. In this way, the customer gets enhanced security out of the box, and an easy way to add functionality to the server.
Brett Hill

Post Installation
After your installation is complete, one of the first things you need to do is back up your
ApplicationHost.config, Administration.config, and Redirection.config files. These are stored in the %windir%\System32\Inetsrv\Config folder. You can either make copies of these files manually or use the Appcmd.exe Backup feature to make copies as follows:
//How to make a backup using Appcmd
%windir%\system32\inetsrv\appcmd.exe add backup “MyBackup”

This process will place critical files in the %windir%\System32\Inetsrv\Backup\MyBackup folder. The Administration.config, ApplicationHost.config, Mbschema.xml, Metabase.xml, and Redirection.config files are stored in this location.
After you back up your configuration, use the Web Server (IIS) Role Page to view the status of
IIS. Use the IIS Manager Console to configure the IIS features you installed.

Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

141

Folders and Content
Use the following list to validate your installation. These key files and folders store the critical content and binaries for your IIS 7.0 installation.


%windir%\system32\inetsrv Root install folder of all IIS processes.



%windir%\system32\inetsrv\config Contains all configuration files related to IIS including the ApplicationHost.config, Administration.config, and Redirection.config files. These configuration files store all critical configuration information and data related to IIS.



%windir%\system32\inetsrv\config\schema

Stores all XML schema definition files used

by configuration files.


Default root folder for IIS content. Note that it is suggested you place your Web sites on a drive other than %SystemDrive%.



%SystemDrive%\inetpub\AdminScripts



%SystemDrive%\inetpub

Contains scripts used for administering IIS and related services. This folder is not installed by default. This folder is only installed when compatibility components are installed.

%SystemDrive%\inetpub\custerr

Location for all IIS custom error Web pages. This is a

new location in IIS 7.0.


%SystemDrive%\inetpub\history Contains the automatic backups of the configuration made by the ConfigHistory features in IIS 7.0. See Chapter 4, “Understanding the
Configuration System,” for details.



%SystemDrive%\inetpub\ftproot

Default FTP root folder for the built-in FTP Publishing

Service.


%SystemDrive%\inetpub\logs\failedreqlogfiles Location for all IIS Failed Request Event

Tracing. This is a new location in IIS 7.0.
Note

The built-in FTP Publishing Service and SMTP Service logs are stored by default in %windir%\System32\LogFiles.



%SystemDrive%\inetpub\mailroot

Root folder for all SMTP Service–related processes.

This is not installed by default.


%SystemDrive%\inetpub\temp Used by ASP.NET and IIS to store ASP compiled

templates and IIS temporary compressed files.


%SystemDrive%\inetpub\wwwroot Root Folder for Default Web Site. Note that it is suggested you place your Websites on a drive other than %SystemDrive%.

Download at Boykma.Com

142

Part II:

Deployment



%windir%\IIS7.log Setup Log file used to record the installation.



%windir%\system32\inetsrv\config\applicationHost.config Core configuration file used

by IIS. This is the main file that replaces the metabase in previous IIS versions.

Registry
The IIS 7.0 installation also records information about what is installed in the registry key.
HKEY_LOCAL_MACHINE\Software\Microsoft\InetStp\Components\.

This registry key contains only items that are currently installed. Modules that have never been installed or that have been uninstalled are not listed.
Note

For more information about this topic, including a reference table with each registry key value, see http://www.iis.net/articles/view.aspx/IIS7/Deploy-an-IIS7-Server/Installing-IIS7/
Discover-Installed-Components.

Services
Table 5-8 is a list of the system services that get installed during a Web server role installation, when all role services are selected.
Table 5-8

List of System Services Installed with the Web Server Role

Service Name

Description

ASP.NET State Service

Provides support for out-of-process session states for
ASP.NET. If this service is stopped, out-of-process requests will not be processed.

IIS Admin Service

Enables this server to administer metabase FTP services. If this service is stopped, the server will be unable to run metabase or FTP sites.

Web Management Service

Enables remote and delegated management capabilities so that administrators can manage the Web server, sites, and applications present on the machine.

Windows Process Activation
Service (WAS)

Provides process activation, resource management, and health management services for message-activated applications. World Wide Publishing Service

Provides Web connectivity and administration through the
IIS Manager.

FTP Publishing Service (Built-in)

Enables this server to be a File Transfer Protocol (FTP) server. Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

143

Validation
To validate the Web Server (IIS) Server Role, you can open Server Manager and select Web
Server (IIS) Server Role. This provides a central console to view event logs, services related to
IIS, and other related services. You can also open the IIS Manager Console directly from the
Administrative Tools program group. One of the features in the IIS Manager Console you can use to verify your installation is Modules. Double-click Modules to see if the appropriate modules are listed as installed.

WebUI
IIS 7.0 introduces an entirely new IIS Manager. This application provides a single interface to manage all IIS 7.0 Web sites and ASP.NET settings. Windows Server 2008 also provides the
Internet Information Services (IIS) 6.0 Manager to manage the built-in FTP Publishing and
SMTP Services. Chapter 6, “Using IIS Manager,” provides in-depth information about using
IIS Manager.

Users and Groups Provided in Windows Server 2008
New accounts and groups have been added in Windows Server 2008 for IIS 7.0. The IUSR account replaces the IUSR_MachineName account. This is the default identity used when anonymous authentication is enabled. The IUSR_MachineName account is still created and used only when the FTP server is installed. If FTP is not installed, this account is not created.
The IIS_IUSRS group replaces the IIS_WPG group. This built-in IIS_IUSRS group has been granted access to all the necessary file and system resources so that an account, when added to this group, can act as an application pool identity.
Both the IUSR account and IIS_IUSRS group are built into Windows Server 2008. The IUSR account is a limited account and does not need a password. This enables you to use Xcopy.exe
/o to seamlessly copy files along with their ownership and access control list (ACL) information to different machines. (Note that these user accounts will not be localized. Regardless of the language of Windows you install, the IIS account name is always IUSR, and the group name is IIS_IUSRS.) The IUSR account is the same type of account as the NETWORK SERVICE or LOCAL SERVICE accounts. It has the same Security Identifier (SID) across all machines.

Troubleshooting Installation
The new XML declarative installation process provides rich and detailed log information. This can be helpful when you want to determine if the installation was successful. You can use several areas to determine how the installation completed. You can use the traditional Windows Event Logs, the IIS7.log file, and the ServerManagerCMD log file that was created if you

Download at Boykma.Com

144

Part II:

Deployment

specified the appropriate ServerManagerCMD switch (see the section titled “Other Related
Logging Options” below).

Event Logs
You can use the built-in Application, Security, and System event logs to help troubleshoot and determine if your installation was successful. These are important sources of information that are maintained by the operating system. The event logs catalog all kinds of events including errors that happen during a failed installation. This can help you track down specific errors.

IIS 7.0 Log
The new componentized installation provides rich and detailed logging of information to help troubleshoot installation issues. The most common errors are related to not being logged in as
Administrator or not having administrative privileges. IIS provides a detailed log located in the file %windir%\IIS7.log. This log contains easy-to-read and descriptive text for each component’s installation. This information can be used to troubleshoot your entire IIS installation or to troubleshoot a specific component. The following is an example of the IIS log:
[05/09/2007 00:43:31] [ ***** IIS 7.0 Component Based Setup ***** ]
[05/09/2007 00:43:31] "C:\Windows\System32\inetsrv\iissetup.exe"
/install SharedLibraries
[05/09/2007 00:43:31] Created NetFrameworkConfigurationKey
[05/09/2007 00:43:32] Set ACLs on NetFrameworkConfigurationKey
[05/09/2007 00:43:32] Created iisWasKey
[05/09/2007 00:43:32] Created iisWasKey user key
[05/09/2007 00:43:32] Created iisConfigurationKey
[05/09/2007 00:43:33] Created iisConfigurationKey user key
[05/09/2007 00:43:33] Set ACLs on iisConfigurationKey
[05/09/2007 00:43:33] iisConfigurationKey already exists
[05/09/2007 00:43:33] Created AesProvider
[05/09/2007 00:43:33] Created IISWASOnlyAesProvider
[05/09/2007 00:43:33] Install of component SharedLibraries succeeded!
[05/09/2007 00:43:33] Success!
[05/09/2007 00:43:33] [ End of IIS 7.0 Component Based Setup ]

Whenever you need to troubleshoot installation issues, the IIS7.log should be the first place you look for errors.

Other Related Logging Options
The ServerManagerCMD tool provides extensive logging capabilities. This section describes how to invoke the logging option when you use ServerManagerCMD.
To capture output of your installation results, use the following command:
ServerManagerCMD.exe –install Web-Server –resultPath InstallResults.xml
–logPath InstallResults.txt

Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

145

To capture output of your uninstall results, use the following command:
ServerManagerCMD.exe –remove Web-Server –resultPath UnInstallResults.xml
–logPath UnInstallResults.txt

Each of these result logs contains detailed information that can help you troubleshoot issues or determine your installation status. You can use a text editor such as Notepad to view the results. If you are experiencing an error, you can locate the error by using the Find command inside your text editor.
Package Manager (pkgmgr.exe) also provides logging to help troubleshoot deployments. The location of the log file and folder is %windir%\Logs\CBS\CBS.log. Here is an excerpt showing a command executed. The following example shows the command issued to install the
Default Web-Server role:
2007-11-20 05:27:44, Info
CBS
Pkgmgr: called with:
"pkgmgr.exe /iu:IIS-WebServerRole;IIS-WebServer;IISommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IISirectoryBrowsing;IIS-HttpErrors;IIS-HealthAndDiagnostics;IISttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-Security;IISequestFiltering;IIS-HttpCompressionStatic;IIS-WebServerManagementTools;
IS-ManagementConsole;WAS-WindowsActivationService;WAS-ProcessModel;WASetFxEnvironment;WAS-ConfigurationAPI"
2007-11-20 05:27:44, Info
CSI
0000001@2007/11/20:13:27:44.373 WcpInitialize (wcp.dll version 0.0.0.5) called (stack @0x700e7ee9 @0xca1672 @0xc9b8fa @0xc9c378 @0x77cb1cc2
@0x77d88785)

Removing IIS 7.0
As easy as it is to install IIS 7.0 using Server Manager, ServerManagerCMD, or Package Manager, these tools allow for similarly efficient and straightforward techniques to remove specific features or to remove the entire Web Server (IIS) Server Role.

The User Interface in Windows Server 2008 and Windows Vista
To uninstall IIS or the Web Server Role by using ServerManager, complete the following steps: 1. Start Server Manager by clicking Start Menu, All Programs, Administrative Tools, Server
Manager. The Server Manager window is displayed.
2. In the Server Manager, select Roles.
3. The Roles Summary view is displayed, as shown in Figure 5-5.
4. Click the Remove Roles link to display the Remove Roles Wizard.
5. Click Next to display the Remove Server Roles page.

Download at Boykma.Com

146

Part II:

Deployment

Figure 5-5

Server Manager, Roles Summary view.

6. Clear the Web Server (IIS) check box to uninstall the Web Server Role, as shown in
Figure 5-6.

Figure 5-6

Clear the Web Server (IIS) check box to uninstall the Web Server Role.
Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

147

7. Click Next to display the Confirm Removal Selections page, as shown in Figure 5-7.

Figure 5-7

Remove Roles Wizard confirmation page.

8. Click Remove.
9. Click Close to return to Server Manager. You might be prompted to restart your computer depending on the roles that were uninstalled. When you return to Server Manager, the Web Server Role will have been removed.

Command Line Method
You can use either Package Manager or ServerManagerCMD to uninstall the Web Server Role.

Using Package Manager
This section contains the process for using Package Manager to uninstall IIS. This example assumes that all components were installed. Here is the syntax used: start /w pkgmgr.exe /uu:{}

The parameter /uu:{} specifies the updates to uninstall. You can list multiple updates by separating them with a semicolon. At least one update name must be specified.

Download at Boykma.Com

148

Part II:

Deployment

Note

/uu indicates uninstall and is then followed by the selected update names.

The following command uninstalls everything related to the Web Server (IIS) Server Role using Package Manager: start /w pkgmgr.exe /uu:IIS-WebServerRole;IIS-WebServer;
IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;
IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;
IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;
IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;
IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;
IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;
IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;
IIS-BasicAuthentication;IIS-WindowsAuthentication;
IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;
IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;
IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;
IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;
IIS-WebServerManagementTools;IIS-ManagementConsole;
IIS-ManagementScriptingTools;IIS-ManagementService;
IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;
IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;
IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;
WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

Using ServerManagerCMD
You can also use ServerManagerCMD to uninstall the Web Server Role. To uninstall, use the following syntax:
ServerManagerCMD.exe –remove Web-Server

To generate a detailed log of the uninstall process, you can pipe the results and command line syntax to a log file called ServerManagerCMD_Uninstall.txt, as shown here:
ServerManagerCMD.exe –remove Web-Server –resultPath results.xml
–logPath ServerManagerCMD_Uninstall.txt

Summary
We have covered the various ways you will be able to install the Web Server Role, specific role services, and IIS 7.0 features. Windows Server 2008 offers a variety of ways to install, configure, and remove IIS 7.0. The additional logging features can help you troubleshoot installation problems. The information in this chapter should help make IIS 7.0 easier to install and faster to configure, and the information can guide you in creating a cookie-cutter approach to rolling out IIS 7.0 throughout your enterprise.

Download at Boykma.Com

Chapter 5:

Installing IIS 7.0

149

Additional Resources
These resources contain additional information and tools related to this chapter:


Go to “Setup and Migration” in the TechCENTER on IIS.net at http://www.iis.net/ default.aspx?CategoryID=13&tabid=2. ■

View the “IIS7—Setup and Migration” forums at http://forums.iis.net/1047.aspx.



For more information about the FastCGI module for IIS, read Bill Staples’s blog at http://blogs.iis.net/bills/archive/2006/10/31/PHP-on-IIS.aspx. ■

A good introduction to IIS 7.0 Server Core is available at http://www.iis.net/articles/ view.aspx/IIS7/Explore-IIS7/Getting-Started/IIS7-on-Server-Core. ■

For more information about administering IIS 7.0 on Server Core installations of Windows
Server 2008, see http://blogs.iis.net/metegokt/archive/2007/06/26/administering-iis7-onserver-core-installations-of-windows-server-2008.aspx.



The following article will walk you through an IIS installation using Server Manager: http://www.iis.net/articles/view.aspx/IIS7/Deploy-an-IIS7-Server/Installing-IIS7/ Install-IIS7-on-Longhorn-Server?Page=2.

Download at Boykma.Com

Download at Boykma.Com

Part III

Administration
In this part:
Chapter 6: Using IIS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Chapter 7: Using Command Line Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Chapter 8: Remote Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Chapter 9: Managing Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Chapter 10: Managing Applications and Application Pools . . . . . . . . . .291
Chapter 11: Hosting Application Development Frameworks . . . . . . . . .323
Chapter 12: Managing Web Server Modules . . . . . . . . . . . . . . . . . . . . . . .367
Chapter 13: Managing Configuration and User Interface Extensions . .421
Chapter 14: Implementing Security Strategies . . . . . . . . . . . . . . . . . . . . .447

Download at Boykma.Com

Download at Boykma.Com

Chapter 6

Using IIS Manager
In this chapter:
Overview of IIS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Starting IIS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
IIS Manager User Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Understanding Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
IIS 7.0 Manager Customization and Extensibility . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Remote Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
IIS Manager is a graphical user interface (GUI) administration tool for Internet Information
Services (IIS) 7.0. It provides an intuitive, feature-focused, task-oriented management console for working with both IIS 7.0 and ASP.NET settings. The user interface (UI) has fine granularity and enables you to configure IIS 7.0 server and ASP.NET applications from within one console. With IIS Manager, you can set up delegated management to allow application owners to manage their applications remotely without having administrative access to the server.
IIS Manager is highly customizable and provides an extensible platform that you can use to plug in your own features to manage custom settings and applications.
In this chapter, we will focus on the IIS Manager interface, discuss feature and configuration mapping, and talk about IIS Manager customization and extensibility. We will also look at configuring IIS Manager for remote administration.
Note

For a more detailed remote administration discussion, please refer to Chapter 8,
“Remote Administration,” and for instructions on how to use IIS Manager to perform common administration tasks, see Appendix J, “Common Administration Tasks Using IIS Manager.”

Overview of IIS Manager
IIS Manager is a server administration tool that enables you to configure IIS 7.0 and ASP.NET features from one fully integrated interface. You can get health and diagnostic information and monitor a server’s operation including currently running requests, and you can also administer membership. With its task-based intuitive GUI interface, the tool is aimed at simplifying the administration tasks and reducing management complexity.
Download at Boykma.Com

153

154

Part III:

Administration

IIS Manager in IIS 7.0 is much easier to use in comparison with the previous versions of the
IIS management console. In previous versions of IIS, the server management console was implemented as a Microsoft Management Console (MMC) snap-in called Inetmgr.exe. The
MMC snap-in interface consisted of tabs with configuration settings. IIS 7.0 exposes many more settings, and exposing more settings in the old management console would require additional tabs in the snap-in. Having many tabs would make it difficult to locate a setting and perform the administration tasks.
In IIS 7.0, the server administration tool has been completely rearchitectured and rewritten from the ground up. Instead of an MMC snap-in, the management console for IIS 7.0 is implemented as a user-friendly Windows Forms application that provides an easy-to-use, feature-focused, task-based interface for configuring both IIS and ASP.NET features. As in previous versions of IIS, the IIS 7.0 Manager application is also named Inetmgr.exe and is located in the %SystemRoot%\System32\Inetsrv folder. But make no mistake—despite the same name and location, it is a completely different IIS Manager!
One of the most important capabilities of IIS Manager is delegated management. IIS Manager enables delegated management, letting application owners manage their applications remotely without having administrative access to the server. With this capability, users of hosted services can run IIS Manager on their desktop and remotely manage their sites and applications on the server where they are hosted. Securely delegating administrative responsibilities can save a significant amount of time for a server administrator and can help to eliminate the Web administration bottleneck. The server administrator, of course, has complete control over what features are delegated to site and application owners.
IIS Manager supports remote administration over a firewall-friendly HTTPS connection, with an option to support both Windows-based and other credentials for authentication. In addition to Windows credentials, IIS Manager can also use alternative credentials stores to identify users. IIS Manager credentials are particularly useful in scenarios in which you don’t want to create Windows accounts for all remote users, or when the credentials are already stored in a non-Windows authentication system and you want to keep them in a single store.
To connect to the server, IIS Manager uses HTTPS to establish a connection with the Web
Management Service (WMSvc). WMSvc is a Windows service that provides the ability to manage IIS 7.0 sites and applications remotely using IIS Manager. By default, WMSvc listens for requests on port 8172 on all unassigned IP addresses, but an alternate port and an IP address can be configured if necessary. After the connection is established, based on user actions in the UI, IIS Manager sends Management Service requests, for example, requesting a change to a configuration setting in a web.config file. When the Web Management Service gets a request from IIS Manager, it performs the requested action and returns a response. All interactions between IIS Manager on the remote machine and WMSvc on the server computer are over HTTPS. This architecture is shown in Figure 6-1.

Download at Boykma.Com

Chapter 6:

machine.config

Using IIS Manager

155

applicationHost.config

root web.config

site web.config
IIS Manager

HTTPS

Web
Management
Service

Read/
Write

application web.config directory web.config application web.config directory web.config Figure 6-1

directory web.config IIS Manager and the Web Management Service.

Most requests from IIS Manager to the Web Management Service are to read from, and write to, the hierarchy of configuration files on the server, including applicationHost.config file,
.NET Framework root web.config, and web.config files for sites, applications, and directories.
Other IIS Manager requests include requests to read the run-time state and work with providers on the server.
What’s more, IIS Manager is extensible. It has its own configuration file, administration.config, that enables custom functionality to be added. Any added administration plug-ins are integrated into IIS Manager and appear alongside IIS and ASP.NET features. From this perspective, IIS Manager is not just an application, but rather an extensible platform that developers can use to plug in their own features to manage custom settings.

Starting IIS Manager
You can start IIS Manager from the Administrative Tools program group, or you can run
%SystemRoot%\System32\Inetsrv\Inetmgr.exe from the command line or from Windows
Explorer. The IIS Manager Start page is shown in Figure 6-2.

Download at Boykma.Com

156

Part III:

Administration

Figure 6-2

IIS Manager Start page.

Note

To run IIS Manager with administrative privileges on the server machine, instead of logging on as an administrator, it is recommended you use the runas command in the non-administrative user context, for example: runas /user:
“%SystemRoot%\system32\inetsrv\inetmgr.exe”.

The Start page enables you to open recent connections by double-clicking them in the
Recent Connections list. You can create new ones by selecting a task from the Connection
Tasks list. You may need to provide account credentials to create a new connection.
The Start page also provides links to online IIS resources and enables you to obtain recent online news. The news is disabled by default. To enable news, click Enable IIS News in the upper-right corner of the IIS News pane.

IIS Manager User Interface
IIS Manager has been completely redesigned in IIS 7.0. The look and feel differs from the previous versions of IIS. IIS Manager navigation has a more browser-like feel with an address bar similar to Windows Explorer. When you select a server, site, or application, the list of their features in the central area somewhat resembles the Control Panel. Though some interface elements are consistent with the previous versions of IIS, most of the interface is different. Figure 6-3 shows the typical view of the IIS Manager user interface, with a server home page in the central area. Download at Boykma.Com

Chapter 6:

Figure 6-3

Using IIS Manager

157

IIS Manager: server home page.

IIS Manager window is divided into several sections. In the top section of IIS Manager window, there are two bars:


The Navigation toolbar, which provides buttons and an address bar for easy navigation within the UI.



The Menu toolbar, which provides three menus: File, View, and Help.

The main body of IIS Manager window is divided into three areas:


The Connections pane and toolbar enable you to connect to servers, sites, and applications. The connections are displayed in a tree.



The central pane, referred to as a workspace, displays pages that list information and enable you to change settings. The workspace has two views: Features View and Content View.






Features View enables you to view and configure features for the currently selected configuration path. Each IIS feature typically maps to a configuration section that controls the corresponding Web server feature.
Content View provides a read-only display of content corresponding to the currently selected configuration path. In Content View, when you select a node in the Connections pane tree, its content is listed in the workspace.

The Actions pane is task-based. The list of displayed tasks is context-specific and reflects the currently selected node and feature.
Download at Boykma.Com

158

Part III:

Administration

Let’s look into these interface sections in more detail.

Direct from the Source: Content View and Features View . . . Why?
At the early stages when we were building IIS Manager, it had a very different look and feel. It was a radical change from what we had in IIS 6.0 and earlier versions. For example, it didn’t have a tree view to navigate the objects; it would open multiple tabs, similar to Web browsers today, for managing different objects; the home page had only links and images in a complex layout; and there were many more ways in which it differed from the final IIS 7.0 version. At the time, all of the differences made sense to us— we always thought that earlier versions of IIS Manager gave too much relevance to content. The UI was displaying the files and folders of your site, but when you needed to change a setting, you ended up with a small modal dialog box with lots of tabs that only had a small UI area left to list a few settings and was extremely limited in functionality (for example, no sorting, grouping, filtering, etc.). Our idea for IIS 7.0 was to allow the UI space for what the tool is intended to do—managing configuration—and enhance the experience while doing so.
Then we started doing some usability studies, and it turned out that we were not entirely right. The people in the studies raised a lot of concerns, and they told us that many features we thought were useful were not so useful, and many features we thought were not needed actually were important to users. The most remarkable thing we learned was about the tree view: it turned out to be a critical feature for almost every user, as it helped people to understand the hierarchy of the system as well as which configuration is being changed. So of course that was one of the first features we brought back!
Next, users really wanted to see a similar view of what earlier versions offered—essentially, the list of folders and files, and to have the “right-click properties” experience. That’s when we decided that we needed something that could yield a similar paradigm but without the problems of small modal dialogs and lots of tabs.
Content View was the answer to this issue. When you use Content View, you get almost the same look and feel that older versions of IIS Manager had, allowing you to drill down to any object, right-click it, and choose properties to change any of its settings.
However, in this case, rather than selecting the properties context menu item, it shows a switch to Features View that has the same effect.
In the end, we were happy to be able to offer both views. Immediately, the results of usability studies increased, and users really liked what IIS Manager became. It was an amazing experience to really use customer feedback directly in every decision we made and to take the time to validate again and again most of the design decisions.
Carlos Aguilar Mares
Senior Development Lead, IIS
Download at Boykma.Com

Chapter 6:

Using IIS Manager

159

Navigation Toolbar
The top bar in IIS Manager is the navigation toolbar, from which you can navigate the UI. The navigation toolbar contains:


The Address bar, which shows a breadcrumb path to your location within the UI



Navigation buttons that may be available or may appear dimmed, depending on your location or selection within the UI; they provide the familiar functionality:


Back button goes back one page view



Forward button goes forward one page view



Refresh Page button updates the view of the currently selected object in the UI



Stop button stops the current action in the UI from completing



Home button navigates to the home page of the current selection



Help button opens a list of links to Help documentation

Connections Pane
On top of the Connections pane, there is a toolbar from which you can connect to Web servers, sites, and applications.
When you connect to a Web server, site, or application from the Connections pane, the connection is loaded into the pane as a tree hierarchy that displays the children of the parent connection, as follows:


When you connect to a server, the tree displays the server connection with the application pools and the sites on that server.



When you connect to a site, the tree displays the site connection with the applications within that site.



When you connect to an application, the tree displays the application connection with the physical and virtual directories within that application.
Note

You can also display a file node in a tree hierarchy, within a connection the file belongs to. To add a file node, switch to Content View, select the file, and then switch to
Features View from the Actions pane or from the shortcut menu.

The Connections toolbar contains the following buttons:


Opens a menu with three options: connect to a server, a site, or an application. Selecting an option starts the appropriate connection wizard so that you can connect to a Web server, a site, or an application.

Create New Connection

Download at Boykma.Com

160

Part III:

Administration

Note The same options are available from the Start Page (Connection Tasks list) and from the File menu.



Save Current Connections Saves the connection information for the current

connections in the tree.


Up Moves the current selection up one level in the tree hierarchy.



Delete Connection Removes the selected connection from the tree. If the currently selected node is not the connection node, the parent connection is removed from the tree. For example, if a virtual or physical directory is selected when the user clicks this button, the parent application will be removed.

Creating New Connections
To create a new connection, click the Create New Connection button on the Connections toolbar and select the desired action. You can also select these actions from the File menu or from the Start page. Selecting an action from any of these locations opens the same wizard.
To connect to a server, the wizard prompts you for the server name, as shown in Figure 6-4.
If WMSvc on the server is listening on a port that is different from 8172 (the default port number), you’ll need to provide the port number preceded by a colon, for example, www.contoso.com:8080. If you connect to the local computer, type localhost instead of a server name. Then, the wizard prompts you for the user credentials for the connection.
Only server administrators can connect to a server. Finally, you can specify a friendly name for this connection. This name will appear as that server connection node name in the
Connection pane tree.

Figure 6-4

Download at Boykma.Com
Connect To Server Wizard.

Chapter 6:

Using IIS Manager

161

To connect to a site, the wizard prompts you for the name of the server where the site is hosted, as well as that site name, as shown in Figure 6-5. If WMSvc on the server is using a port that is different from 8172, then you’ll need to provide the port number. Then, the wizard prompts you for the user credentials for the connection. Server administrators and designated site administrators can connect to Web sites. Finally, the wizard enables you to specify a friendly name for this connection. This name will appear as that site connection node name in the tree.

Figure 6-5

Connect To Site Wizard.

To connect to an application, the wizard prompts you for the name of the server where the application is hosted, the name of the site the application belongs to, and then the full name of the application including the path within the site, as shown in Figure 6-6. If WMSvc on the server is using a port that is different from 8172, you’ll need to provide the port number. Then, the wizard prompts you for the user credentials for the connection. Server administrators, site administrators for the application’s parent site, and designated application administrators can connect to an application. Finally, the wizard enables you to specify a friendly name for this connection. This name will appear as that application connection node name in the tree.
Note

For more information about troubleshooting remote connections, refer to Chapter 8.

Download at Boykma.Com

162

Part III:

Administration

Figure 6-6

Connect To Application Wizard.

Workspace
The workspace is the central area of IIS Manager, located between the Connections pane and the Actions pane. The workspace displays pages that list features, provide other information, and enable you to change settings.
The workspace has two views: Features View and Content View. You can switch between these views by using the buttons at the bottom of the workspace, as shown in Figure 6-7.

Figure 6-7

Features View and Content View buttons.

Features View
When you select Features View, a list of features for a currently selected object in the
Connections pane—such as a server, a site, an application, a virtual directory, a folder, or a file— is displayed. For example, Figure 6-3 shows the list of features displayed when the user selects a server connection in the Connections pane.
Each feature reads from and writes to configuration section(s) in a .config file hierarchy.
Features View enables you to view and change configuration settings for features.
Home Page When you select a server, a site, an application, a virtual directory, a folder, or a file node in the tree, a corresponding home page for that object is displayed. The home page displays a feature list for that node.
Download at Boykma.Com

Chapter 6:

Using IIS Manager

163

For example, when you select a site node in the tree, the home page for that site is displayed, as shown in Figure 6-8 for site www.contoso.com.

Figure 6-8

Site home page grouped by area.

The feature list on a home page can be grouped by area or category, viewed in different layouts, and sorted by feature name or description.
The IIS Manager features are listed in Table 6-1. For each feature, the table provides a brief description, an area and category the feature belongs to, and a feature scope (tree levels and corresponding home pages where this feature appears).
Table 6-1

IIS Manager Features

Feature

Description

Category

Scope

.NET
Compilation

Configure properties for
ASP.NET
compiling managed code

Area

Application
Development

Server, site, application, virtual directory, folder, file .NET
Globalization

Configure globalization properties for managed code ASP.NET

Application
Development

Server, site, application, virtual directory, folder, file .NET Profile

Configure options for the
ASP.NET Profile feature, which tracks user information in ASP.NET applications ASP.NET

Application
Development

Site, application, virtual directory, folder, file

Download at Boykma.Com

164

Part III:

Administration

Table 6-1

IIS Manager Features

Feature

Description

.NET Roles

Area

Category

Scope

Configure roles for the
ASP.NET
ASP.NET Roles feature, for use with .NET Users and
Forms authentication

Security

Site, application, virtual directory, folder, file

.NET Trust
Levels

Configure trust levels for ASP.NET managed modules, handlers, and applications

Security

Server, site, application, virtual directory, folder, file .NET Users

Manage users for the
ASP.NET Membership feature Security

Site, application, virtual directory, folder, file

Application
Settings

Configure name/value
ASP.NET
pairs that managed code applications can use at run time Application
Development

Server, site, application, virtual directory, folder, file Authentication

Configure authentication settings for sites and applications Security

Server, site, application, virtual directory, folder, file ASP.NET

IIS

Note: Some options within the
Authentication
feature are only available at the server level.
Compression

Configure settings to compress responses

IIS

Performance

Server, site, application, virtual directory, folder, file Connection
Strings

Configure strings that
ASP.NET applications can use to connect to data sources ASP.NET

Application
Development

Server, site, application, virtual directory, folder, file Default Document

Configure default files to return when clients request the root of a directory IIS

HTTP Features

Server, site, application, virtual directory, folder, file Directory
Browsing

Configure whether or not IIS
IIS displays a directory listing when clients request the root of a directory HTTP Features

Server, site, application, virtual directory, folder, file Error Pages

Configure pages to return IIS when HTTP errors occur

HTTP Features

Server, site, application, virtual directory, folder, file Download at Boykma.Com

Chapter 6:

Table 6-1

Using IIS Manager

165

IIS Manager Features

Feature

Description

Area

Category

Scope

Failed Request
Tracing Rules

Configure logging of failed request traces

IIS

Health and
Diagnostics

Server, site, application, virtual directory, folder, file

Feature
Delegation

Configure the default delegation state for features at lower levels in
IIS Manager

Management Security

Root node of the connection (server, site, application)

Handler
Mappings

Specify handlers that handle responses for specific request types

IIS

Server
Components

Server, site, application, virtual directory, folder, file

HTTP Redirect

Specify rules for
IIS
redirecting incoming requests to another file or
URL

HTTP Features

Server, site, application, virtual directory, folder, file HTTP Response
Headers

Configure HTTP headers that are added to responses from the Web server IIS

HTTP Features

Server, site, application, virtual directory, folder, file IIS Manager
Permissions

Configure users who can Management Security set up delegated features in sites or applications for which they are granted permissions Server

IIS Manager
Users

Manage IIS Manager users Management Security

Server

ISAPI and CGI
Restrictions

Restrict or enable specific IIS
Internet Server Application
Programming Interface
(ISAPI) extensions and
Common Gateway
Interface (CGI) programs on the Web server

Security

Server

ISAPI Filters

Specify ISAPI filters that modify IIS functionality

IIS

Server
Components

Server, site

Logging

Configure how IIS logs requests on the Web server IIS

Health and
Diagnostics

Server, site, application, virtual directory, folder, file

Machine Key

Configure hashing and
ASP.NET
encryption settings for
ASP.NET application services such as view state,
Forms authentication, membership and roles, and anonymous authentication Application
Development

Server, site, application, virtual directory, folder, file Download at Boykma.Com

166

Part III:

Administration

Table 6-1

IIS Manager Features

Feature

Description

Area

Category

Scope

MIME Types

Configure file extensions and associated content types that are served as static files

IIS

HTTP Features

Server, site, application, virtual directory, folder, file Modules

Configure native and managed code modules that process requests on the Web server

IIS

Server
Components

Server, site, application, virtual directory, folder, file Output Caching Specify rules for caching response content in the output cache

IIS

Performance

Server, site, application, virtual directory, folder, file Pages and
Controls

Configure settings for
ASP.NET pages and controls ASP.NET

Application
Development

Server, site, application, virtual directory, folder, file Providers

Configure providers for provider-based application services

ASP.NET

Application
Development

Server, site, application, virtual directory, folder, file Server Certificates

Request and manage certificates for Web sites that use Secure Sockets
Layer (SSL)

IIS

Security

Server

Session State

Configure session state settings and Forms authentication cookie settings ASP.NET

Application
Development

Server, site, application, virtual directory, folder

Shared
Configuration

Configure shared configuration Management Other

Server

SMTP E-mail

Configure e-mail address and delivery options to send e-mail from Web applications ASP.NET

Application
Development

Server, site, application, virtual directory, folder, file SSL Settings

Specify requirements for
SSL and client certificates

IIS

Security

Site, application, virtual directory, folder, file

Worker
Processes

View information about
IIS
worker processes and about currently executing requests running inside those worker processes

Health and
Diagnostics

Server

Download at Boykma.Com

Chapter 6:

Using IIS Manager

167

Features on the home page can be displayed in groups. Using the Group By drop-down list on the home page toolbar or the Group By option on the View menu, you can set up how features are organized in groups, as follows:


Selecting the Area option displays ASP.NET features and IIS features separately in two groups (for the server node on a local machine, an additional Management group is displayed):


ASP.NET



IIS

Note

Additional groups may appear when default IIS installation is extended. For example, adding the Media pack adds the Media group.

An example of Area grouping is shown in Figure 6-8. Table 6-1 shows which area each
IIS Manager feature belongs to.


Selecting the Category option displays the features for both ASP.NET and IIS in six categories (for the server node on a local machine, there may be an additional category called Other):


Application Development



Health and Diagnostics



HTTP Features



Performance



Security



Server Components

An example of category grouping is shown in Figure 6-9. Table 6-1 shows which category each IIS Manager feature belongs to.

Download at Boykma.Com

168

Part III:

Administration

Figure 6-9


Site home page grouped by category.

Selecting the No Grouping option lists all features in alphabetical order, as shown in
Figure 6-10.

Figure 6-10 Site home page without grouping of features.

Download at Boykma.Com

Chapter 6:

Using IIS Manager

169

Using the View button on the home page toolbar or the View option from the View menu, you can view the list of features in different layouts:


Details view displays the list of features in a table. For each feature, the first column contains a small icon and a name, and the second column contains a brief description.
In this view, you can sort the features in ascending or descending order by feature name or description by clicking the column header. The sorting is applied within feature groups. For example, Figure 6-11 shows Details view for the site home page, with both
ASP.NET and IIS groups sorted by feature name.

Figure 6-11 Site home page Details view.


Icons view displays the list of icons. This view has a feel that is similar to Control Panel.
This is the default view.



Tiles view displays the list of tiles (smaller icons with the feature name).



List view shows a list of feature names.

Features are used to view and change configurations. For example, if you need to configure the default file(s) for a site, double-click the Default Document feature on that site’s home page to display the Default Document page (shown in Figure 6-12) and make the changes.
Note the Configuration line on the left of the status bar at the bottom of IIS Manager in
Figure 6-12. The line points to the web.config file for that site. When the feature settings are displayed, the status bar shows the configuration file where the configuration settings for that feature would be written to. In this example, it is web.config for the site www.contoso.com.

Download at Boykma.Com

170

Part III:

Administration

Figure 6-12 Default Document feature.

Page Layouts Information and configuration settings on feature pages can be presented in different layouts. Depending on the page layout, there are three types of feature pages:


List pages



Property pages



Dialog pages

The most frequently used layout of a page is a list page. A list page contains a list displayed in a table. By using the Group By drop-down list, you can group the list by values in one or more columns. In addition, you can sort the data by value in a column by clicking on the column header. An example of a list page is shown in Figure 6-13. It is an Error Pages feature page.

Figure 6-13 Error Pages page: an example of a list page layout.

Download at Boykma.Com

Chapter 6:

Using IIS Manager

171

Sites and application pools pages are list pages that let you filter the list entries by searching in a column for entries that match a search string. Specify the search string in the Filter drop-down list and then select the column from the Go drop-down list. Figure 6-14 shows a Sites page with available column filters.

Figure 6-14 Filtering the Sites page.

On the Sites page, you can search in the following columns:


Site Name



Host Name



IP Address



Port



Physical Path



Protocol

On the Application Pools page, you can search in the following columns:


Name



.NET Framework Version



Identity



Managed Pipeline Mode

Filtering functionality is particularly useful for list pages with a large number of entries when you need to quickly locate the entry, for example, for servers that host a large number of sites.
A property page layout is also frequently used. A property page shows a property grid with a look and feel that is similar to a Microsoft Visual Studio property grid. When you select a
Download at Boykma.Com

172

Part III:

Administration

property in the grid, a description of that property appears at the bottom of the grid. The
Display drop-down list at the top of the property grid lets you choose how you would like the property names to be displayed:


Friendly Names



Configuration Names



Both Names When you choose this option, friendly names are displayed followed by

(default setting)

configuration names in square brackets.
After you’ve made your selection in a grid, click Apply in the Actions pane to save the changes.
If you navigate away from the property grid without clicking Apply to save changes, IIS
Manager will prompt you to save the changes; otherwise, your changes will be lost.
Figure 6-15 shows the .NET Compilation property grid with friendly names displayed.

Figure 6-15 .NET Compilation page: an example of a property grid page layout.

The third type of page layout is a dialog page. Dialog pages display check boxes, text boxes, and radio buttons. After you’ve made your selection in a dialog page, click Apply in the Actions pane to save the changes. If you navigate away from the dialog page without clicking Apply to save changes, IIS Manager will prompt you to save the changes; otherwise, your changes will be lost.
Figure 6-16 shows a Session State feature page that is a good example of a dialog page. You can see the radio buttons for the Session State Mode Settings, the text boxes for Connection
String and Time-Out, and a check box for Enable Custom Database.

Download at Boykma.Com

Chapter 6:

Using IIS Manager

173

Figure 6-16 Session State page: an example of a dialog page layout.

Content View
When you select Content View, the actual content of the currently selected object in the
Connections pane is displayed. For example, when you select a site node from the tree, the contents of that site are displayed, including virtual directories, folders, and files. Figure 6-17 shows Content View for the site www.contoso.com, which contains a default document default.aspx, a site configuration file web.config, an application, and a virtual directory.

Figure 6-17 Content View.

Download at Boykma.Com

174

Part III:

Administration

Content View is a read-only display. You cannot create, copy, move, or delete files or folders in this view. You can browse to selected content by selecting Browse either from the Actions pane or by right-clicking the object in Content View.
You can navigate within the Content View by double-clicking an object to see its contents.
For example, double-clicking a directory in Content View displays the content of that directory in the workspace, and the node of this directory becomes selected in the tree in the
Connections pane.
You can access Content View by clicking Content View at the bottom of IIS Manager or by right-clicking a tree node and selecting Switch To Content View.
Content View has the list layout. You can filter content by searching in the Name and Type columns for a search string specified in the Filter drop-down list, sort content by name and type by clicking a column header, and group content by type by using the Group By drop-down list.
If you select an object in Content View, such as a directory or a file, you can configure the features for that object by switching to Features View. You can switch to Features View at the bottom of IIS Manager by selecting Switch To Features View in the Actions pane or by right-clicking an object in the Content View and selecting Switch To Features View.
Note

The only way to set configuration for a file is to switch to Content View, select the file, and then switch to Features View from the Actions pane or right-click the menu.

When you are in Content View, you can view the Windows properties of a selected object, such as a file or directory. To view the Windows properties for a selected object in Content
View, select Edit Permissions either from the Actions pane or by right-clicking the object.

Actions Pane
The Actions pane is used to configure IIS, ASP.NET, and IIS Manager settings. You can use the Actions pane to open dialog boxes and wizards that let you complete tasks in IIS Manager, such as creating a site, configuring authentication, or adding a connection string for an application. Items in the Actions pane are task-based. The list of displayed tasks is context-specific and depends on the currently selected object, such as a selected node in the tree in the
Connections pane, and the selected feature or content in the workspace.
For example, Figure 6-3 shows that when a server node is selected in the tree, the Actions pane displays tasks that are specific to the server connection level, such as starting and stopping the Web server or delegating a feature. Figure 6-8 shows that when a site node is selected in the Connections pane, the Actions pane displays tasks that are specific to the site
Download at Boykma.Com

Chapter 6:

Using IIS Manager

175

connection level, including starting and stopping that Web site or editing bindings for that
Web site.
Items in the Actions pane are also available from the context menu when you right-click an object in IIS Manager.

Understanding Features
IIS Manager features read from and write to corresponding configuration section(s) in the
.config files hierarchy. For example, the Application Settings feature corresponds to the section in the web.config files, whereas the Directory Browsing feature corresponds to the element in the section.
Few exceptions read and write configuration into other locations outside of IIS that are different from the configuration files hierarchy. For example, the Server Certificates feature gets its settings from the certificate store on the local server, and the Management Service feature gets its settings from the registry on the local server.

Feature to Module Mapping
IIS Manager features and the corresponding configuration section(s) in the .config files are listed in Table 6-2.
In addition, the table shows the server modules that consume the configuration sections. For each server module, both the module name and the type or dll name are listed, with the type or dll name in parentheses.
In some cases, a configuration section can be consumed directly by the IIS core Web server,
IIS Manager, .NET Framework, or ASP.NET run time, which are shown in square brackets.
Table 6-2

IIS Manager Features Mapping to Configuration and Modules

Feature Name

Configuration Section

Consumed By

.NET Compilation

system.web/compilation

[ASP.NET compilation system]

.NET Globalization

system.web/globalization

[ASP.NET runtime]

.NET Profile

system.web/profile

Profile (System.Web.Profile.
ProfileModule)

.NET Roles

system.web/roleManager

Roles service, RoleManager
(System.Web.Security.RoleManagerModule), and the configured default Roles provider

.NET Trust Levels

system.web/trust

[ASP.NET run time]

.NET Users

system.web/membership

[Membership service, the configured default Membership provider] Download at Boykma.Com

176

Part III:

Administration

Table 6-2 IIS Manager Features Mapping to Configuration and Modules
Feature Name

Configuration Section

Consumed By

[Authentication]
Anonymous

system.webServer/security/ anonymousAuthentication AnonymousAuthenticationModule (authanon.dll)

[Authentication] Basic

system.webServer/security/ basicAuthentication BasicAuthenticationModule
(authbas.dll)

[Authentication] Digest

system.webServer/security/ digestAuthentication DigestAuthenticationModule
(authmd5.dll)

[Authentication] Forms

system.web/authentication

FormsAuthentication
(System.Web.Security.
FormsAuthenticationModule)

[Authentication] Windows system.webServer/security/ windowsAuthentication WindowsAuthenticationModule
(authsspi.dll)

Application Settings

appSettings

[ASP.NET application code]

ASP

system.webServer/asp (indirect)

IsapiModule (isapi.dll)

Authorization Rules

system.webServer/security/ authorization UrlAuthorizationModule
(urlauthz.dll)

CGI

system.webServer/cgi

CgiModule (cgi.dll)

Compression

system.webServer/httpCompression DynamicCompressionModule system.webServer/urlCompression (compdyn.dll)
StaticCompressionModule
(compstat.dll)

Connection Strings

connectionStrings

[ASP.NET features and application code]

Default Document

system.webServer/ defaultDocument DefaultDocumentModule
(defdoc.dll)

Directory Browsing

system.webServer/directoryBrowse

DirectoryListingModule
(dirlist.dll)

Error Pages

system.webServer/httpErrors

CustomErrorModule (custerr.dll)

Failed Request Tracing
Rules

system.webServer/tracing/ traceFailedRequests FailedRequestsTracingModule
(iisfreb.dll)

system.webServer/tracing/ traceProviderDefinitions Handler Mappings

system.webServer/handlers

[IIS Server Core]

HTTP Redirect

system.webServer/httpRedirect

HttpRedirectionModule
(redirect.dll)

HTTP Response Headers

system.webServer/httpProtocol

ProtocolSupportModule
(protsup.dll)

IIS Manager Permissions

administration.config: system.webServer/management [IIS Manager, Web Management
Service (WMSvc)]

IIS Manager Users

administration.config: system.webServer/management [IIS Manager, Web Management
Service (WMSvc)]

Download at Boykma.Com

Chapter 6:

Using IIS Manager

177

Table 6-2 IIS Manager Features Mapping to Configuration and Modules
Feature Name

Configuration Section

Consumed By

IPv4 Address and Domain
Restrictions

system.webServer/ipSecurity

IpRestrictionModule (iprestr.dll)

ISAPI and CGI Restrictions

system.webServer/security/ isapiCgiRestriction CgiModule (cgi.dll)

ISAPI Filters

system.webServer/isapiFilters

IsapiFilterModule (filter.dll)

Logging

system.applicationHost/log

[IIS Server Core]

system.webServer/httpLogging

HttpLoggingModule
(loghttp.dll)

Machine Key

system.web/machineKey

[ASP.NET run time and features that use cryptography]

Management Service

Registry:

[Web Management Service
(WMSvc)]

HKLM\SOFTWARE\Microsoft\
WebManagement\Server

IsapiModule (isapi.dll)

MIME Types

system.webServer/staticContent

StaticFileModule (static.dll)

Modules

system.webServer/globalModules

[IIS Server Core]

system.webServer/modules
Output Caching

system.webServer/caching

Pages and Controls

system.web/pages

[ASP.NET]

Providers

system.web/membership

[ASP.NET Roles, Membership, and Profile features]

system.web/roleManager

HttpCacheModule (cachhttp.dll)

system.web/profile
Server Certificates

[Local Machine Certificate Store]

[Operating System, HTTP.SYS,
Windows applications]

Server Side Includes

system.webServer/ serverSideInclude ServerSideIncludeModule
(iis_ssi.dll)

system.web/sessionState

Session (System.Web.
SessionState.SessionStateModule)

Session State

system.web/sessionPageState
Shared Configuration

redirection.config: configurationRedirection [IIS configuration system]

SMTP E-mail

system.net/mailSettings/smtp

[.NET Framework]

SSL Settings

system.webServer/access

[IIS Server Core]

Worker Processes

applicationHost.config: system. applicationHost/applicationPools [Windows Process Activation
Service]

Where the Configuration Is Written
When the feature configuration settings are changed, IIS Manager writes those settings to a configuration file. Depending on the connection level (server, site, or application) and the locking in the configuration files hierarchy, the IIS Manager feature settings appear as
Read/Write or Read-Only.
Download at Boykma.Com

178

Part III:

Administration

Server connections can write to server-level configuration files, applicationHost.config and root web.config, and all distributed web.config files on that server. Only a server machine administrator can connect to a server. Features on the server level can both read from and write to configuration files. Even if a configuration section is locked in applicationHost.config, the corresponding feature will be Read/Write in a server connection. The configuration changes will be written to applicationHost.config in a tag.
Site connections can write only to web.config files in or below the site’s root folder. Server administrators and designated site administrators can connect to Web sites. If a configuration section is locked in applicationHost.config, the corresponding feature will appear Read-Only in that site connection, because site connections cannot write to applicationHost.config
(even in a tag).
Application connections can only write to web.config files in or below the application’s root folder. Server administrators, site administrators for the application’s parent site, and designated application administrators can connect to an application. If a configuration section is locked in applicationHost.config or the site’s web.config file, the corresponding feature will appear Read-Only in that application connection.
Provided that a feature is not Read-Only and enables the settings to be saved, two rules define what files the configuration settings for that feature are written to:


applicationHost.config vs. root web.config for server level configuration:


If the feature is listed under the ASP.NET area in IIS Manager, server-level configuration will be written to the root web.config file for .NET Framework.



If the feature is listed under the IIS area in IIS Manager, server-level configuration will be written to applicationHost.config.



The only exception is Forms Authentication, which is in the Authentication feature under the IIS area. The Forms Authentication configuration will be written to the root web.config file.

Note

IIS Manager makes a choice between saving server-level configuration for a feature to applicationHost.config or root web.config, depending on where a corresponding configuration section is defined. If the section is defined in applicationHost.config, the configuration will be saved there; otherwise, it will be saved to root web.config.



Locked versus unlocked configuration for site level and application level configuration:


All ASP.NET configuration sections, and a few IIS configuration sections, are unlocked by default. For unlocked sections, IIS Manager will write to the site’s web.config if the configuration is changed for the site or to an application’s web.config if the configuration is changed for an application.

Download at Boykma.Com

Chapter 6:


Using IIS Manager

179

Most IIS configuration sections are locked by default. For locked sections, IIS
Manager will always write to applicationHost.config, even when modifying configuration for sites and applications.

IIS Manager determines where to save configuration using the following logic: it always tries to save the configuration to the configuration file that is the closest in the hierarchy to the object being configured. For example, for directory configuration, IIS Manager will try to save settings in that directory’s web.config; for application configuration, it will try to save to that application’s web.config; and so on. However, if the corresponding section is locked in the closest file, then it moves to the closest parent and tries saving it there using a location tag. If the section is locked in the parent configuration file, IIS Manager continues this process until it reaches the top configuration file for the connection. If the section is still locked, then configuration is considered Read-Only.
When you select feature configuration settings, IIS Manager shows you the location of the file where those settings are stored. The configuration file location is shown on the lower-left side of IIS Manager and is identified by the Configuration prefix. The format is as follows.
Configuration: 'config_file_object_path' config_file_name

The config_file_object_path is the path to the configuration file object. Let’s look at a couple of examples: ■

‘localhost’ Appears for the server-level configuration on the local machine. For IIS

features, it is followed by applicationHost.config. For ASP.NET features, it is followed by root web.config. Figure 6-15 shows the .NET Compilation feature page as an example of the latter.


www.contoso.com Appears as the path to the web.config file in the www.contoso.com

physical folder (www.contoso.com is followed by web.config).
The config_file_name is the name of the target configuration file. Let’s look at several examples:


applicationHost.config for IIS features For example, for Directory Browsing for the

server connection, the status bar will display the following text.
Configuration: 'localhost' applicationHost.config



root.web.config for ASP.NET features For example, for the .NET Trust Levels feature for the server connection, the status bar will display the following text.
Configuration: 'localhost' root web.config



For example, as Figure 6-16 shows, for the Session
State feature in the site www.contoso.com, the status bar will display the following text.

web.config, a target web.config file

Configuration: 'www.contoso.com' web.config

Download at Boykma.Com

180

Part III:

Administration

The location_path is the location path to the object being configured (for more information on location paths, see Chapter 4, “Understanding the Configuration System”). This portion of the text appears only if the feature’s corresponding configuration section is locked at a higher level. For example, as Figure 6-13 shows, for the Error Pages feature for the site www.contoso.com, the status bar will display the following text.
Configuration: 'localhost' applicationHost.config ,

Feature Scope
Home pages for nodes in different levels in the tree may display different features. Table 6-1 shows where each feature appears by default.
A feature appearance in a home page for a selected object is defined by three factors:


Object level Some features are applicable only to certain levels.



If feature delegation is specifically set to Not Delegated, that feature will not appear on a home page.



Local Connection or Remote Connection

Delegation

Some features only appear in Local Connection.

Most IIS Manager features are applicable to all nodes in the tree: server, site, application, virtual directory, folder, and file. These features appear on home pages for all levels. However, there are exceptions for a server level. Some features are applicable only to the server level.
They configure server-wide configuration, data, or information. These features appear only on a server home page:


IIS Manager Users



IIS Manager Permissions



ISAPI and CGI Restrictions



Server Certificates (this feature doesn’t appear in remote connections)



Management Service (this feature doesn’t appear in remote connections)



Worker Processes



Active Directory and Client Certificates options that are within the Authentication feature

In addition, some features appear on all home pages except the server home page. These are the features that refer to application configuration and therefore make more sense on levels other than server. Other features, such as SSL, work better that way. These features are:


.NET Users



.NET Roles



.NET Profile



SSL Settings
Download at Boykma.Com

Chapter 6:

Using IIS Manager

181

Another exception is the Feature Delegation feature that appears only for the root node of a connection, such as server, site, or application. This feature is not available for virtual directories and folders.
In addition, feature delegation settings change the way that a feature appears in IIS Manager.
For details on feature delegation, refer to Chapter 8.

IIS 7.0 Manager Customization and Extensibility
IIS Manager is not just an application, but rather an extensible platform that developers can use to plug in their own features to manage custom settings and applications. Developers can change the UI, remove existing features, and add new administration features.

Direct from the Source: IIS Manager—Built on Top of Public
Extensibility API
During the design phase of the new IIS Manager, we decided to make extensibility a core feature and to build IIS Manager as a real platform so that not only could we extend and enhance its functionality, but third-party developers could as well. To make sure we were designing a flexible API, we decided to implement all the features using this API so that none of our features would be a special case inside the product. That’s why there are several dlls in the IIS installation, such as Microsoft.Web.Management.Iis.dll and
Microsoft.Web.Management.Aspnet.dll. By following these strict guidelines of building the API outside the core framework, we’ve made sure that anything that we built others could enhance or even replace with their own implementation. This of course was a challenging process, but at the same time, it made our platform flexible enough to ensure that additional IIS features such as FTP, WebDAV, and others will have a place inside the new IIS Manager.
Carlos Aguilar Mares
Senior Development Lead, IIS
IIS 7.0 ships with an application programming interface (API) that enables developers to change the IIS Manager UI and to manage custom settings and applications on the server. For example, this API provides the extensibility mechanism to develop UI features represented as list pages, property grids, and dialog pages; a custom-designed Actions pane; wizards and dialog boxes; and the ability to add custom nodes to the Connections pane.
IIS Manager is designed to have distributed client-server architecture. In addition, IIS Manager has a modular infrastructure in which every UI feature is its own entity. Each feature follows the client-server paradigm. This architecture of IIS Manager separates the logic that manipulates server settings from the presentation code, which displays these settings in a user-friendly manner for each of the UI features.
Download at Boykma.Com

182

Part III:

Administration

IIS 7.0 Management and Administration API
The API is located within two assemblies that provide a framework for modifying IIS
Manager UI and developing new features to manage custom applications on the server.
These assemblies are as follows:


Microsoft.Web.Management.dll



Microsoft.Web.Administration.dll This assembly provides the framework for developers to change settings on the server. It gives developers a programmatic way to access and update the Web server configuration and administration information. It does not support adding any UI extensibility or functionality. In fact, most features in IIS Manager use this API to manage configuration settings on the server.

This assembly provides the framework that enables developers to create new UI features and make modifications to IIS Manager.
It provides the base classes and other functionality that enables the newly developed extensions to appear with a look and feel identical to the built-in IIS and ASP.NET features. It does not support changing the settings on the server.

Each IIS Manager feature has two components:


A client-side module that provides UI experience



A server-side module service that manipulates the settings on the server

This architecture is illustrated in Figure 6-18. IIS Manager extensions must follow this architecture that is enforced by the base classes provided within the API.
The first step to deploy the new IIS extension is to install its client and server components in the global assembly cache (GAC) on the server. The second step is to register the new extension with IIS Manager. Each extension has to be individually registered with IIS
Manager. IIS Manager is built on top of configuration system extensibility that enables custom functionality to be easily added.
IIS Manager uses a special file called administration.config that defines IIS Manager configuration. The administration.config file is located on the server in the folder %SystemRoot%\
System32\Inetsrv\Config. Administration.config is an XML configuration file that includes a list of IIS Manager built-in features and extensions. On IIS Manager startup, this file is checked to determine what features should be displayed in IIS Manager. If IIS Manager is connecting remotely, then the Web Management Service compares the module providers available on the server with the module providers available on the client. If a new extension is available on the server, the client is prompted to download and install that extension.

Download at Boykma.Com

Chapter 6:

Using IIS Manager

machine.config

183

applicationHost.config

root web.config

InetMgr.exe

Module

site web.config
Module
Service
Proxy

Module
Service

Read/
Write

application web.config directory web.config application web.config directory web.config directory web.config Figure 6-18 An IIS Manager feature client server architecture.

The section in the administration.config file defines all IIS Manager extensions that are registered on the system. To register an extension, you need to add the fully qualified type name of that extension module provider to the section and add the module name to the section. Depending on the desired extension scope, you may need to add the corresponding module name to the appropriate section that will define the sites and applications where this extension will appear in IIS
Manager. The following excerpt from the administration.config file shows a built-in module provider for the DefaultDocument module in the section and the module
DefaultDocument in the section with the root location path of “.” that makes it available to all sites and applications on the server.

Download at Boykma.Com

184

Part III:

Administration



After you’ve registered the extension, on the next IIS Manager startup, the client will be prompted to download and install the client component of that extension.
Note

For more details on extending IIS Manager and also creating custom configuration sections in .config files, see Chapter 13, “Managing Configuration and User Interface Extensions.”

Remote Administration
In IIS Manager, remote connections are not available by default. To manage IIS 7.0 running on
Windows Server 2008 remotely, you need to set up the client machines and configure the server for remote administration.
To administer IIS 7.0 running on Windows Server 2008 remotely from client machines running Windows Vista Service Pack 1 (SP1), Windows Server 2003 SP1, and Windows XP
SP2, you need to install IIS Manager on these client machines and then connect to sites and applications on the server you need to manage. You can download IIS Manager for these operating systems from http://iis.net/downloads.
On the server, you must explicitly enable remote management of IIS 7.0 through IIS Manager.
This is different than IIS 6.0, where management console remoting was through the MMC and was always enabled. For remote administration of IIS 7.0, Web Management Service
(WMSvc) must be installed and running on the server, and remote connections to the service must be enabled.
Web Management Service is not installed by default—you need to install Web Management
Service manually. During installation, you can specify the IP address and port number the service will listen on or accept the defaults: All Unassigned for the IP address, and 8172 for the port number. For detailed WMSvc installation instructions, refer to Chapter 8.
After you have installed Web Management Service, the Management Service Feature appears on the home page for the server in IIS Manager, and you can configure this feature to enable remote connections to service.
To enable remote connections, perform the following steps in IIS:
1. Select the server node in the Connections pane. The server home page is displayed.

Download at Boykma.Com

Chapter 6:

Using IIS Manager

185

2. Double-click the Management Service feature to open the Management Service feature page. 3. In the Management Service feature page, in the Actions pane, click Stop to stop the service.

4. Check the Enable Remote Connections check box. Doing so enables server administrators to connect remotely to the server, as well as to sites and applications.
Note

The setting that enables remoting is stored in the dword registry value
EnableRemoteManagement under the registry key HKLM\SOFTWARE\Microsoft\
WebManagement\Server.

5. If you would like users without administrative privileges to manage sites and applications on this server, choose the type of identity credentials for these users. Configure other settings if needed, such as connections and logging options and IPv4 and domain restrictions. Click Apply in the Actions pane to save the changes and then click Start to start the service.
Note

For a detailed discussion of remote administration, including the Web
Management Service settings, refer to Chapter 8.

Download at Boykma.Com

186

Part III:

Administration

Summary
IIS Manager has been completely redesigned and rearchitectured from the ground up in
IIS 7.0, and it differs significantly from the MMC snap-in used in previous versions of IIS. IIS
Manager in IIS 7.0 is a client application with an intuitive, feature-focused, task-oriented, granular interface that significantly reduces management complexity.
IIS Manager provides integrated management of IIS and ASP.NET features within one tool.
Features in IIS Manager map to configuration sections in the .config files and provide an easy-to-use interface for working with complex settings in the hierarchy of .config files.
IIS Manager is fully customizable and provides an extensible platform that developers can use to plug in their own administration features for managing custom settings and applications.
IIS Manager supports remote administration and feature delegation, enabling users without administrative privileges on the server to manage sites and applications remotely from their client computers.

Additional Resources


For information on command line tool Appcmd.exe, WMI management provider, and
PowerShell, refer to Chapter 7, “Using Command Line Tools.”



For information on using IIS Manager remotely, refer to Chapter 8, “Remote
Administration.”



For information on extending IIS Manager, refer to Chapter 13, “Managing
Configuration and User Interface Extensions.”



For a list of common administration tasks performed using IIS Manager, refer to
Appendix J, “Common Administrative Tasks Using IIS Manager.”



For getting started with IIS 7.0 Manager, refer to http://www.iis.net//articles/view.aspx/
IIS7/Use-IIS7-Administration-Tools/IIS-Manager-Administration-Tool/Getting-Started-withIIS-Manager.

Download at Boykma.Com

Chapter 7

Using Command Line Tools
In this chapter:
Using Command Line Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Appcmd.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Getting Started with Appcmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Using Basic Verbs: List, Add, Set, Delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Working with Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Working with Applications, Virtual Directories, and Application Pools . . . . . . . 213
Working with Web Server Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Inspecting Running Worker Processes and Requests. . . . . . . . . . . . . . . . . . . . . . . 215
Working with Failed Request Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Microsoft.Web.Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Windows PowerShell and IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
WMI Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
IIS 7.0 Configuration COM Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

On the Disc

Browse the CD for additional tools and resources.

Using Command Line Management Tools
It isn’t always possible or practical to use IIS Manager to perform administration tasks. Quite often, Microsoft Internet Information Services (IIS) administrators need to use command line tools for on-demand or automated tasks. Common administration tasks such as creating and configuring sites, application pools, and virtual directories can be performed more efficiently through command line tools and programming interfaces.
This chapter focuses on command line management of IIS 7.0 by using Appcmd.exe, a single command line tool that replaces multiple scripts and tools provided by previous versions of
IIS. Appcmd is installed by default and is immediately available for managing IIS from the command line. It can be used to manually perform almost any management task in IIS 7.0

Download at Boykma.Com

187

188

Part III:

Administration

quickly from the command line and to efficiently perform large numbers of configuration operations in an automated fashion.
In addition to Appcmd, IIS 7.0 provides a number of other automation options that require the development of custom script code. These options may be appropriate for more complex automation tasks or tasks that must be executed in the context of another program. These options are not covered in depth in this chapter, but resources are given at the end of the chapter so that you can learn more about them.
These options include:


Microsoft.Web.Administration Use the Microsoft.Web.Administration (MWA)

namespace to perform common administration tasks from an .NET Framework based application. ■

Windows PowerShell Install this Windows Server 2008 feature to configure and manage IIS in a command line environment. (Windows PowerShell is also a free download for computers running Windows Vista, Windows Server 2003, and Windows XP.)



WMI Provider The new Windows Management Instrumentation (WMI) provider

exposes the ability to manage IIS 7.0 configuration by using the WMI object model from scripts. ■

IIS 7.0 Configuration COM objects You can use the IIS 7.0 Configuration Component

Object Model (COM) objects directly from C++ programs, script, or managed code to access the IIS 7.0 configuration system directly.
When you select the option for command line or programmatic administration of IIS 7.0, your choice is frequently guided by preferences for the programming model and the environment within which the management functionality needs to exist. Additionally, you should also consider the benefits and limitations of the available options, described in Table 7-1.
Table 7-1
Option
Appcmd

Benefits and Limitations of Command Line Administration Options
Pros

Cons



Quick management with no code required



No remote management support ■

Works on Windows full and Server Core installations ■

Requires Administrative privileges ■



Provides best performance for many operations next to configuration COM objects Command line may be limited for complex management tasks

Download at Boykma.Com

Chapter 7:

Table 7-1

Using Command Line Tools

189

Benefits and Limitations of Command Line Administration Options

Option

Pros

Cons

Supports remote management ■

Best option for native
C++ programs and scripts Works on Windows full and Server Core installations ■

Supports remote management ■

Provides best performance ■

Supports remote management ■

Works on Windows full and Server Core installations ■

PowerShell

Provides the flexibility of the Windows PowerShell command line environment Code required



Is not available on Server
Core but can be used to manage Server Core servers remotely



Code required



Code required



Introduces WMI overhead ■

Requires administrative privileges ■

Does not support remote management directly in
Windows Server 2008



Is not available on Server
Core but can be used to manage Server Core servers remotely
Requires the development of custom cmdlets Allows remote management from down-level Windows operating systems







WMI

Best option for .NET
Framework programs



Configuration COM objects




Microsoft.Web.Administration

Appcmd.exe
Appcmd.exe is a new command line tool included with IIS 7.0. It exposes most of the Web server management tasks through a single intuitive command line interface. This tool replaces a host of command line tools and scripts provided in IIS 6.0 to perform key management scenarios.

Download at Boykma.Com

190

Part III:

Administration

Appcmd enables a Web server administrator to do the following from the command line:


Add and configure Web sites, applications, virtual directories, and application pools



Install, enable, and configure Web server modules



Start and stop sites and recycle application pools



View currently running worker processes and list requests that are currently executing



Search, list, and manipulate IIS and ASP.NET configuration



Configure Failed Request Tracing (FRT) settings

Most notable is the ability to list and edit IIS configuration, which enables administrators to quickly perform or automate any configuration task regardless of the feature they are trying to configure. The other functionality exposes some of the common configuration and management tasks for convenience.
Appcmd.exe is intended for local management of the Web server (it does not support remoting in IIS 7.0) and requires the user to have administrative privileges when using it. If you require remote management or the ability to configure the Web server without being an administrator on the server, you need to use the remote delegation support that IIS
Manager provides. For more information, see Chapter 8, “Remote Administration.”

Getting Started with Appcmd
Appcmd.exe is located in the %SystemRoot%\System32\Inetsrv directory. Because this directory is not part of the PATH environment variable by default, you will need to either add it to the PATH or always use the full path to the command to be able to run Appcmd commands. For example, when using the latter, you can always run Appcmd as follows.
%systemroot%\system32\inetsrv\Appcmd list sites

In the commands in the rest of this chapter, we will omit the full path when showing Appcmd commands, assuming that you have either added the Inetsrv directory to the PATH environment variable or will manually add the full path to each command.
Note To run Appcmd.exe, you will need to either add the Inetsrv directory to the PATH environment variable or use a full path to Appcmd.exe to run Appcmd commands.

To run Appcmd, you must be logged in as a member of the Administrators group on the local computer. Additionally, when using Appcmd on Windows Vista, you will need to run the tool as Administrator to make sure that the User Account Control does not prevent the tool from executing correctly. To do this, you should launch Appcmd commands from an elevated command prompt by launching the command prompt with the Run As Administrator option.
Download at Boykma.Com

Chapter 7:

Using Command Line Tools

191

To do this, open the Start menu, click All Programs, select Accessories, right-click Command
Prompt, and choose Run As Administrator.
Note

To use Appcmd, you must be logged in as a member of the Administrators group. On
Windows Vista, you will need to launch Appcmd commands from a command prompt started with the Run As Administrator option.

Appcmd commands use a natural language syntax of verb object, instead of the object verb syntax that some other Windows tools use to support commands on multiple object contexts
(for example, netsh). For example, to list the Web sites on the server that are using the Site object, you would use the following command.
Appcmd list sites

Each command outputs one or more object instances or messages generated during the command execution. For example, the previous command may have the following output.
SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)
SITE "TestSite" (id:2,bindings:http/*:80:testsite,state:Started)

The output is a list of Site objects, including their identifiers (Default Web Site, TestSite, and some of the key attributes of the object [id, bindings, state]).
Appcmd supports a number of objects, and most of the objects support a standard set of verbs such as List, Add, Set, and Delete. Some objects have additional verbs specific to the object. All verbs accept one or more parameters that you can use to customize the behavior of each command. Finally, some verbs accept a special parameter called the identifier, which uniquely identifies an instance of an object on which the verb should operate using an object-specific naming convention.
For example, you can use the Delete Site command with the site name as the identifier to delete a Web site, as in the following example.
Appcmd Delete Site "TestSite"

This has the following output.
SITE object "TestSite" deleted

The Appcmd syntax and the list of supported objects are explained further in the following section titled “Appcmd Syntax.”

Appcmd Syntax
Appcmd uses the following syntax.
Appcmd [identifier] [/parameter:value]

Download at Boykma.Com

192

Part III:

Administration

This syntax includes the following parts:


Verb The verb is the action to be performed on the specified object. Each object

supports a fixed set of verbs, and each verb may support using the identifier and one or more parameters, some of which may be required. Most objects support basic commands such as List, Add, Set, and Delete, and some objects support additional commands. The verb must always be specified. It is not case-sensitive.


Object



Identifier The identifier is an optional argument that follows the object, which you can use to uniquely identify the specific instance of the object that the command is being performed on. It is required by most commands that perform actions on a specific instance of the object, such as the Set and Delete commands. The identifier has an objectspecific format used to identify instances of that object, and it may or may not be casesensitive. For information about the identifier format, refer to the section in this chapter that corresponds to each object.



Parameter Each verb supports zero or more parameters, which are in the /name:value format, to control the execution of the command. The parameter names are not casesensitive, but the values may be. For information about the supported parameters, refer to the section in this chapter that corresponds to each object. In addition, the tool itself supports a set of general parameters that affect the execution of every command.
For more information on these parameters, see the section titled “General Parameters” later in this chapter.

The object is the name of the management object on which the specified verb is being invoked. Together with the verb, it determines the actual command that will be executed. The supported objects are listed in Table 7-2. The object must always be specified. It is not case-sensitive.

Each Appcmd command must at minimum specify the object and verb. For example, to use the List verb on the Site object to list Web sites on the server, you can use the following command. Appcmd List Site

The List verb of the Site object can accept an optional identifier to uniquely specify the Web site you are interested in listing. The Site object uses the Web site name as the unique identifier (not the Web site id). Therefore, to find a specific Web site named Default Web Site, we can use the following syntax.
Appcmd List Site "Default Web Site"

Alternatively, we can use optional parameters instead of the identifier to search for all Web site instances that have certain attributes. In fact, you can specify any of the configuration attributes in the Web site definition as parameters to the List Site command, to find all sites that have those configuration parameters set to the provided values. For example, to find all

Download at Boykma.Com

Chapter 7:

Using Command Line Tools

193

Web sites that have the serverAutoStart configuration attribute set to false, you can use the following syntax.
Appcmd List Site /serverAutoStart:false

For the list of supported objects and verbs, see the following section titled “Supported
Objects.”

Supported Objects
Appcmd supports the objects and corresponding commands listed in Table 7-2.
Table 7-2

Appcmd-Supported Objects

Object

Description

Commands

Site (Sites)

Manage Web sites

List, Set, Add, Delete, Start, Stop

App (Apps)

Manage applications

List, Set, Add, Delete

Vdir (Vdirs)

Manage virtual directories

List, Set, Add, Delete

Apppool (Apppools)

Manage application pools

List, Set, Add, Delete, Start, Stop,
Recycle

Config (Configs)

Manage IIS configuration sections

List, Set, Search, Lock, Unlock,
Clear, Reset, Migrate

Wp (Wps)

List currently executing worker processes List

Request (Requests)

List currently executing HTTP requests

List

Module (Modules)

Manage Web server modules

List, Set, Add, Delete, Install,
Uninstall

Backup (Backups)

Manage configuration backups

List, Add, Delete, Restore

Trace (Traces)

Manage Failed Request Tracing (FRT) configuration and trace logs

List, Configure, Inspect

Note Note that in the Object column, the plural form of each object name is also listed.
This is because Appcmd supports an alias for each object and uses this to enable the plural form of the object to also be used to refer to it. Because of this, you can use the List Sites
(plural) command to list Web sites while using Set Site (singular) to set a configuration attribute on the Web site.

Each of the objects and supported commands is described in more detail later in this chapter.
You can also get information about the supported objects, verbs, and the syntax for each verb by using the built-in Appcmd command line help. Find out more about this in the following section titled “Getting Help.”

Download at Boykma.Com

194

Part III:

Administration

Getting Help
Because Appcmd supports such a variety of objects and verbs, and each has a different set of parameters, it provides a fairly extensive help system to aid you as you navigate the usage of the tool.
You can get three levels of help from Appcmd:
1. Top-level help. Provides a list of objects supported by Appcmd, as well as the general tool parameters that you can use with any command. To obtain this help, simply run
Appcmd with no parameters or use the /? parameter, for example, Appcmd /?.
2. Object help. Provides a list of verbs supported on a specific object. To obtain this help, use the /? parameter following the object name, for example, Appcmd Site /?.
3. Verb help. Provides a list of supported parameters and examples for a specific verb of a specific object. To obtain this help, use the /? parameter following the verb and object names, for example, Appcmd List Site /?.
These three levels represent the typical ways people use the Appcmd help system to learn how to perform a particular command. First, you can display the list of the supported objects by using the top-level help. The resulting output will include the list of supported objects, as shown here.
General purpose IIS command line administration tool.
APPCMD (command) (object-type)
Supported object types:
SITE
APP
VDIR


Administration of virtual sites
Administration of applications
Administration of virtual directories

(To list commands supported by each object use /?,
e.g. 'appcmd.exe site /?')
General parameters:
/?
Display context-sensitive help message.
/text

/xml

Generate output in text format (default).
/text:* shows all object properties in detail view.
/text: shows the value of the specified attribute for each object.
Generate output in XML format.
Use this to produce output that can be sent to another command running in /in mode.

Use "!" to escape parameters that have same names as the general parameters, like "/!debug:value" to set a config property named "debug".

Download at Boykma.Com

Chapter 7:

Using Command Line Tools

195

In addition, the top-level help shows the list of general tool parameters that control the operation of the tool regardless of the command. For more information on these parameters, see the section titled “General Parameters” later in this chapter.
At this point, you can get more information about a specific object type by using the Appcmd
Object /? syntax to display the list of supported verbs. For example, to get the list of supported verbs on the Site object, use the following.
Appcmd Site /?

The output will contain the following.
Administration of virtual sites
APPCMD (command) SITE
Supported commands: list List virtual sites set Configure virtual site add Add new virtual site delete Delete virtual site start Start virtual site stop Stop virtual site
(To get help for each command use /?, e.g. 'appcmd.exe add site /?'.)

At this point, the final step is to obtain the specific syntax of the required verb by using the Appcmd Verb Object /? syntax. For example, to get the specific syntax for the List Site command, use the following.
Appcmd List Site /?

This will have the following output.
List virtual sites
APPCMD list SITE
Lists the virtual sites on the machine. This command can be used to find a specific site by using its identifier or url, or match zero or more sites based on the specified site attributes.
Supported parameters: identifier Site name or url of the site to find
/site.name
Site name or url of the site to find (same as identifier)
/?
Display the dynamic site properties that can be used to find one or more site objects
Examples:
appcmd list sites
List all sites on the machine.

Download at Boykma.Com

196

Part III:

Administration

appcmd list site "Default Web Site"
Find the site "Default Web Site". appcmd list site http://localhost/app1
Find the site associated with the specified url. appcmd list site /serverAutoStart:false
Find all sites that have the "serverAutoStart" configuration property set to "false".

Note that the help output contains the list of supported parameters, including the identifier.
The /? parameter listed here indicates that you can also use dynamic parameters exposed by each instance of the object. With the List Site command, you can specify any of the configuration attributes in the Web site definition as parameters to find all Web site instances that have the specified values.
Note To get the list of dynamic parameters, you can use the Set verb with an instance of the object specified with the identifier and then use the /? parameter to list the supported attributes. For example: Appcmd Set Site "Default Web Site" /?. This is not ideal, but it does provide a quick way to look up dynamic parameters you can use for each command that supports dynamic object parameters.

The list of examples for each command is valuable, because it showcases the common ways for using each command. For example, for the Web site object, it shows how to list all sites, list sites using their identifier (name), list sites that serve a particular URL, or list sites by searching for a specific configuration parameter value.
Note

Be sure to review examples in the verb help to get a quick feel for different ways of using the command.

Understanding Appcmd Output
The output of Appcmd typically contains a list of items. For commands that retrieve lists of object instances, such as the List command, it is the list of object instances. For commands that perform actions on object instances, it is a list of messages that indicate the action that was performed.
For instance, for the List Site command, the output contains a list of Web site object instances.
Here is an example.
SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)
SITE "TestSite" (id:2,bindings:http/*:80:testsite,state:Started)

By default, Appcmd uses a friendly list view that lists the object type, the identifier that can be used to identify each of the instances in subsequent commands, and several common
Download at Boykma.Com

Chapter 7:

Using Command Line Tools

197

attributes of each object instance. For the Site object, it is the Web site id, a list of configured bindings, and the state of the Web site (indicating whether it is started or stopped).
In fact, each Site object instance contains more attributes than are shown in the friendly list view. To display those parameters, you have several options:


Text view In this view, all of the attributes of each object instance are displayed in a hierarchical text property/value tree.



Single parameter view In this view, you can display the value of a particular attribute of

each object instance.


In this view, the underlying configuration element for each object instance is shown as a configuration fragment.
Configuration view

Note

For the list of general parameters, see the section titled “General Parameters” later in this chapter.

The text view can be a quick way to show all of the attributes of each object instance. To use the text view, you need to use the /text:* general parameter. For example, following is a fragment of the output for the List Sites command when using the /text:* parameter.
SITE
SITE.NAME:"Default Web Site"
SITE.ID:"1"
bindings:"http/*:80:,https/*:443: state:"Started" [site] name:"Default Web Site" id:"1" serverAutoStart:"true"
[bindings]
[binding] protocol:"http" bindingInformation:"*:80:"
[binding]
protocol:"https" bindingInformation:"*:443:" [limits] maxBandwidth:"4294967295" maxConnections:"4294967295" connectionTimeout:"00:02:00" As you can see, this output contains more information about each Web site instance than the default output.
Alternatively, if you are interested in just the specific attribute of each object instance, you can use the single parameter view by using the /text:ParameterName general parameter, where

Download at Boykma.Com

198

Part III:

Administration

ParameterName is the attribute whose value you want to display. Here is the output of the List
Sites command when using the /text:name parameter to show just the site names.
Default Web Site
TestSite

Finally, you can use the configuration view to display the configuration element associated with each object instance as a configuration fragment. You can do this by using the /config general parameter to display all explicitly set configuration or by using /config:* to display all configuration. The Config object uses this format by default. Here is the output of the List Sites commands with the /config switch.

You can also use the /xml switch to output the results of Appcmd commands in XML. This switch can be used to pipe the results from one Appcmd command to chain multiple related commands together when using command pipelining.
Note For more information about command pipelining, see http://mvolo.com/blogs/ serverside/archive/2007/06/19/Do-complex-IIS-management-tasks-easily-with-appcmdcommand-piping.aspx. The XML output mode can also be used to export results of Appcmd commands to other software programs and perform bulk operations.
Note

For more information on bulk operations, see http://mvolo.com/blogs/serverside/ archive/2007/10/06/Create-IIS7-websites-and-application-pools-fast-with-appcmd.aspx. Download at Boykma.Com

Chapter 7:

Using Command Line Tools

199

General Parameters
In addition to verb-specific parameters, Appcmd also supports general parameters that affect the execution of all Appcmd commands. These parameters are listed in Table 7-3.
Table 7-3

Appcmd General Parameters

Parameter

Description

/?

Display context-sensitive help message. For more information, see the section titled “Getting Help” earlier in this chapter.

/text

Generate the output in text format. This is the default. You can also specify /text:* to show a detailed text view containing all attributes of each object being displayed. Alternatively, you can also specify /text: attribute to display only the value of the specific attribute for each object. For more information, see the section titled “Understanding
Appcmd Output” earlier in this chapter.

/xml

Generate the output in XML format. You can use this format to store or transport the output of the tool to another program, and it is the basis for the command pipelining support.

- or /in

Perform the command on the dataset provided from the standard input. Use this parameter to execute Appcmd commands on sets of objects provided by the output of another command.

/config

Show the configuration associated with each displayed object. You can also use /config:* to display all configuration, including values that are inherited from the schema defaults.

/metadata

Show the configuration metadata when displaying configuration objects and using /text:*. This includes information about the type of each configuration attribute.

/commit

Controls for which the command commits configuration. By default, the configuration is written to the same configuration path where it applies, which by default favors delegated configuration when setting configuration at the Web site, application, or URL levels. However, using this parameter allows you to control this independent of the configuration path to which the configuration is being applied. You can specify a fixed configuration path, or apphost, machine, and webroot for the corresponding server-level configuration files. Alternatively, you can use the Site, App, and Parent values to commit to a segment of the current configuration path. For more information, see the sidebar titled
“Understanding Where Configuration Is Saved” later in this chapter.

/debug

Display debug information about the execution of each command, including the time taken to execute, the parameters passed in, how many objects were returned, and any errors. You can use this to debug or optimize Appcmd commands.

If you need to pass a parameter to a command that has the same name as a general parameter, you can escape it with a ! sign. For example, if you need to set the commit configuration attribute on the fictional mysection configuration section, you can use the following syntax. appcmd set config /section:mysection /!commit:somevalue

Download at Boykma.Com

200

Part III:

Administration

Using Range Operators
When using the List verb on any Appcmd object, you can include parameters to filter the returned results by the values of the specified attributes. For example, if you are looking for all sites that have the serverAutoStart attribute set to false, you can use the following syntax. appcmd list sites /serverAutoStart:false

Note For more information on using the List command to list objects, see the section titled
“Using the List Command to List and Find Objects” later in this chapter.

However, filtering by exact values of object attributes may be limiting in some scenarios.
Often, you need the ability to search for objects that fall into a range of possible values. To support this, Appcmd enables the use of range operators to filter for objects that satisfy an expression on each attribute, rather then a fixed value.
For example, if we wanted to find all Web sites that have ids larger than 300, we could use the
>= operator as follows. appcmd list sites "/id:$>=300"

Note

Because the > and < characters have special handling at the command line, be sure to enclose the entire parameter by placing the ranged operator in quotation marks.

You can specify the range operators for any supported attribute by using the $OPVAL syntax, where OP corresponds to the ranged operator, and VAL corresponds to the value for the operator. Table 7-4 shows the supported operators.
Table 7-4

Appcmd-Supported Operators

Operator

Description

>

Greater than operator, for numeric attributes. Matches all values of the attribute that are greater than the value specified. For example, /id:$>10 matches 11 but not 9.

>=

Greater than or equal to operator, for numeric attributes. Matches all values of the attribute that are greater than or equal to the value specified.
For example, /id:$>=10 matches 10 but not 9.

<

Less than operator, for numeric attributes. Matches all values of the attribute that are less than the value specified. For example, /id:$

Similar Documents

Premium Essay

Assignment 1.2 - Itt

...specific system types. Each different version of Windows Server 2008 bring different features to the table for server management. Some of the popular versions of Windows server 2008 are Window Server – Datacenter, Windows Server – Enterprise, and Windows Server – Standard. (Microsoft.com) Datacenter is designed for large scale virtualization, with this it can help reduces costs on power consumption on the server and reduce infrastructure maintenance. Enterprise provides high levels of system uptime, giving the capability to have numerous services running in the office, offsite, and international. Windows Server standard edition allows the basic services provided by Windows Server 2008, being able to maintain a basic serviced server. (Microsoft.com) Windows Server 2008 has several new features and enhancements. Some of these are: IIS 7, Role-based installation, and Network access protection. Internet Information Server, is a group of internet servers with additional capabilities giving windows HTTP capability. (TechTarget) Role-based installation allows for scalability in large heavy email traffic.(GFI) With it being a less extreme version of server core gives a more simplistic adding and removing roles. Simply put pick what role the server is to be and it will be it. There are many difference between Server 2008 and 2003. One of the most significant differences is the introduction of Hyper-V. A 64-bit architecture is an advantage because it has the capability of having...

Words: 387 - Pages: 2

Free Essay

Student

...Exams & Answer Keys Exams & Answer Keys Networking Application Services and Security Course Revision Table Footer Date: 09/30/07 10/10/07 Section: All All Reason for Change: New Curriculum QA Edits Implementation Date: December 2007 December 2007 © ITT Educational Services, Inc. Date: 10/10/07 Exams & Answer Keys [Exam I —Unit 6] DATE: ________________________________ STUDENT NAME: ________________________________ COURSE NUMBER: ________________________________ INSTRUCTOR: ________________________________ ITT COLLEGE: ________________________________ General Instructions: 1. This is a closed-book, closed-notes Exam. No reference material (including assignments and lab) will be permitted for use during the exam session. 2. The exam contains true/false and multiple choice types of questions. 3. Please use the separate answer sheet provided to you for marking your answers. 4. Each question is worth two points. Good luck! © ITT Educational Services, Inc. Date: 10/10/07 Exams & Answer Keys 1. The most common cause of security breaches is ______. a. no alarm system b. weak passwords c. untrained security guards d. poor perimeter lighting 2. Windows Server administrators should not use the Administrator account for everyday activity. They should use the ________ command, only when performing administrative functions. a. super user b. run as c. task manager d. power user 3. For organizations with wireless networks, deployment of ________ is necessary...

Words: 3277 - Pages: 14

Free Essay

Technology Roles

...currently has three locations and sells high-end gourmet food to consumers. The business appears to be well run and is obtaining a profit a review of the business was commenced to determine if there are any deficiencies that need to be addressed. After a review of all departments it was determined that a deficiencies existed in the human resources department in combination with the Payroll Department. The deficiency is that currently employees manually have to record timesheets, have them reviewed by the Store Manager, faxed to Payroll and finally entered by hand into the Payroll System. To address this deficiency it has been determined that Kudler Fine Foods needs to implement a web-based timesheet tracker system. To implement any new information technology system in a business environment the entire system must be researched and considered to make the implementation as smooth as possible. In the previous needs document, Kudler Fine Foods was shown to have a need for a new web-based time sheet entry system. The needs documents also explained two use cases on how the technology could be used. The first use case was the timesheet entry. In this use case, the employee would complete a timesheet on the website and submit to store manager for approval. To build this system it is necessary to design throughly the system and account for every issue. Riordan will use the Unified Software Development Process (USDP) to design the system (www.technologyuk.net). USDP has four phases...

Words: 1391 - Pages: 6

Premium Essay

Ocper

...there is a clear need to maximize the available resources between employees then it is appropriate to add additional servers to facilitate the sharing of files as well as the configuration of remote access services to allow for remote and secure working. In order to complement the existing network scenario this proposal is based around the configuration and deployment of Microsoft Windows Server 2012 as the network operating system. This is a stable and secure server environment which will allow the designated services to be configured and will equally allow for scalability while at the same time decreasing the overall maintenance and administration to support the network and associated servers. Given the size of the current organization and the IT systems at present, Windows Server 2012 Standard edition would be the most appropriate version for deployment as this will also keep the up-front costs down to a minimum – there is no requirement for the Enterprise Edition whose features will not be required in this implementation. One of the critical roles for the new server implementations will be that of a File Server capability – this can be easily configured within the Ocper, Inc. network through a Static IP address being assigned to this machine and then the File Services role being added to the default configuration (see Figure 1). This will allow File Shares to be created with specific permissions assigned across various employees and there will also be the opportunity to...

Words: 630 - Pages: 3

Free Essay

Random Walk Shoes

...sell T320 tower server series is good choice. 2. Most Web server software runs on Microsoft Windows Server products, Linux, or other UNIX-based operating systems such as FreeBSD. They have both advantages and disadvantages. ----- | advantages | disadvantages | Microsoft | Simpler for their information systems staff to learn and use than UNIX-based systems. | Security weaknesses | Linux | An open-source operating system, Fast, efficient, easy to install. Downloaded free from web, user-friendly like Microsoft, Secure and stable | Compatibility | UNIX | Secure and stable operating system | user-friendly is not good, need type the command code, | I will recommend Amy choose Linux because it is an open-source operating system. Linux can be downloaded free from the Web. For some small and medium-sized companies, they don’t need to buy window. Linux system security is very high, unlike Windows system often update and close loophole. Especially, LAMP is very popular combination for Web server computer construction today. That means Linux + Apache + MySql + PhP. 3. The two commonly used Web server programs is Apache Http Server and Microsoft Internet Information Server (IIS). The NetCraft Web server surveys show that...

Words: 462 - Pages: 2

Free Essay

Hshajs

...knows how to get it to work? Options: Reply•Quote Re: 404 Error Page when try to start LocalHost/phpMyAdmin Posted by: yfastud (Moderator) Date: September 12, 2011 11:58PM Make sure no other program conflict Wamp such as IIS, Microsoft Web Deploy, SQL, Skype, Zonealarm, firewall/antivirus, NOD32, Eset, any web related program including Remote Desktop, Teamviewer or Apache, MySQL, PHP outside wamp folder (ie. in Program Files or System32 folder) ... IIS and Apache/Wamp are both web server and might conflict in some way, so you have to disable IIS in order for Wamp to work Disable IIS in Vista/W7: Control Panel, Uninstall Programs, Turn Widows Features On or Off, uncheck Internet Information Services Disable IIS in XP: Control Panel, Add/Remove Programs, Add/Remove Windows Components, uncheck Internet Information Services (IIS) Restart computer, then restart Wamp 1 of 3 16/01/2013 18:40 - PHP, Apache, MySQL, Windows : WampServer http://forum.wampserver.com/read.php?2,77471,77478 Also, in folder C:\WINDOWS\System32\drivers\etc, open file hosts and delete anything in this file and have only this line below and nothing else 127.0.0.1 localhost If using Skype, open...

Words: 598 - Pages: 3

Premium Essay

Nt2670 Project Part 1 Develop a Drp

...Matthew Klutts NT2670 2/21/2016 Project part 1 I do this IIS or Internet Information Services is the best choice for an application server. This is because it is a windows system. It provides a secure, easy to manage, modular and extensible platform for hosting websites, services and applications. With IIS you can maximize web security with a reduced server foot print and automatic application isolation. IIS 7.0 and up have a modular architecture. Modules, also called extensions, can be added or removed individually so that only modules that are required for specific functions are installed. IIS in my opinion will be the best choice for this server, because of all the information that I provided above, and the fact that I’m more comfortable with windows based systems. The ports that need to be open to host ftp, http, https, and streaming media are listed below. 1. FTP a. The default port range is 1024-5000, but the upper range can be changed. 2. HTTP b. Port 80 or port 8530 3. HTTPS c. Port 443 or port 8531 4. Streaming media d. Windows Media server uses TCP in ports to accept an incoming HTTP connection (80), RTSP connection (554), MMS connection (443). e. Windows Media Server uses UDP out ports 1024-5000 and 5004. Due to the design of IIS and its security features I don’t see many security concerns with having all these ports open on the same server. Although there is no way for any system to be completely safe...

Words: 769 - Pages: 4

Premium Essay

Network Consultation for Designit

...design that interconnects the following considerations: ◾DesignIT plans to relocate three (3) servers already configured as follows: ◦1 Web Server – Microsoft IIS Server ◦1 File Server – Microsoft Server 2008 ◦1 Server – Server 2008 Small Business Server ◾DesignIT has requested that the design include the following: ◦High speed Internet access ◦Firewall ◦Antivirus / malware protection ◦Six (6) computers ◦Three (3) color laser printers ◦Wireless access for portable devices ◾DesignIT has requested the consideration of all interconnected devices and wiring, along with speeds, for best performance. Section 1: Network Consultation Proposal (Microsoft Word) Create a cost analysis, and develop a proposal for the company. 1.Write an five to seven (5-7) page proposal in which you: a.Recommend one (1) suitable network design. b.Suggest one (1) network architecture. c.Suggest LAN and Wireless LAN (WLAN) wiring considerations. d.Recommend hardware options and costs. e.Suggest security considerations for: i.Firewall ii.Antivirus software f.Recommend software options and costs. g.Outline the labor costs, equipment costs, and service costs for your suggested design in table format. h.Identify the single point of failure, and recommend potential mitigation strategies. i.Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources. Section 1 of your assignment must follow these formatting...

Words: 513 - Pages: 3

Free Essay

Bibliofind

...Chapter 8 Case 2: Random Walk Shoe 1 .Determine the features and capacities (RAM, disk storage, processor speed) that Amy should include in the Web server computer that she will need for her site. Summarize your purchase recommendation in a one-page memorandum to Amy. You may include information from vendor's site (such as Dell, Hewlett Packard, or Sun) as an approach to your memorandum. Amy Lawrence have paid to education by decorating sneaker her used hand painted designs and started as collect her education, it is a successful of business her now plan to open an c-commerce a website where to expects to get wider audience and customers can choose their own design-shoes combinations. Website would be to uploaded, host and maintain by Amy Lawrence web server computers of different kinds exist in the order to make the right choice it all depends on what hardware, operating system the web server software you choose. What exactly your web server can be either the hardware to computer or software the computer application that helps deliver web content that can be accessed through to internet. The hosting a website can be made from almost any computer with help of special hardware the website can become more efficient. If you have when choose to host your website power at your hands and rapid updates are made to the website without have hiring of an external company. The web users have a low tolerance the show page loads many will simply press to back button or close the...

Words: 750 - Pages: 3

Premium Essay

Lab 1 Server 2012

...LAB 1 Questions Exercise 1.1 1. Remove the File 2. Check to make sure that the drive is installed correctly in the PC and then if it still occurs you need to reformat the drive to work with the windows server. Exercise 1.2 Roles on the Server Manager are File Services and Web Server (IIS) 3. The conditions that the upgrade option is not available during the windows server 2012 installation process is when it is a new hard drive with no previous version of windows. 4. An example of a compatibility note that will stop the upgrade process and force you to take action before restarting the installation would be when the previous version of windows installed is not able to be upgraded to windows server 2012. Using server manager determine which roles are installed on the server and make a note of them in the space on your worksheet. File and Storage Services and Web Server (IIS) 5. The proof that you would have that the procedure just completed has upgraded the operating system on the computer and not just performed a new, clean installation is to check to see if previous users are still available. Exercise 1.3 6. You cannot install the Server Migration tools to the Server running Windows Server 2008 using the Add Roles and Features Wizard on your server because you must Register Windows Server Migration Tools on source computers that are running older releases of Windows Server than your destination server. That would be Windows Server 2012, Windows...

Words: 269 - Pages: 2

Free Essay

Cis175 It Consult

... Network Consultation Proposal In order to design and deliver a reliable and secure network for DesignIT, many critical factors must be considered such as the network topology and architecture, the selection of hardware and software components designed to meet the client’s requirements, and also appropriate security services. DesignIT has decided to upgrade from a temporary workplace to a permanent office space. The new space measures 56’ x 36’ giving DesigntIT over 2000 square feet of dedicated space. This new space contains four cubicles, one executive office, one server room, one reception desk, and one conference room and allows DesignIT to hire two full time designers and a receptionist. As stated in the Request for Proposal (RFP) issued by DesignIT, the design must incorporate the following considerations: * Relocation of three servers configured as follows: * One (1) Web Server – Microsoft IIS Server * One (1) File Server- Microsoft Server 2008 * One (1) Server – Server 2008 Small Business Server Furthermore, DesignIT has stated the design must also include the following deliverables: * High speed internet access * Firewall * Antiviurs/Malware protection * Six (6) computers * Three (3) color laser printers * Wireless access for portable devices A critical first step in designing a network to meet DesignIT’s requirements is designating the network topology. A network topology is both the logical...

Words: 731 - Pages: 3

Free Essay

Chapter 4 Solutions

...Chapter 4 Review Questions 1. Your company has four departments: Marketing and Sales, Manufacturing, Product Research, and Business. Which of the following Active Directory container design plans might you use to best manage the user accounts and network access needs of each department? a. Create four trees. b. Create four parent domains in one site. c. Create four OUs in one domain. d. Create four trees and map them to four domains. 2. Using the example in Question 1, what Active Directory capability can you use to establish different account lockout policies for each of the four departments? a. fine-grained password policies b. lightweight group policies c. password distribution groups d. shadow password files 3. Your colleague is trying to create a universal security group for the three administrators of the single stand-alone server in his company. The problem is that he can’t find an option to create a universal security group. What is the problem? a. He must first create the administrators’ personal accounts before it is possible to create a universal group. b. He needs to put the account creation tool into the Advanced Features mode. c. He must create a universal distribution group first and then create the universal security group. d. He cannot create a universal security group on a stand-alone server and must instead create a local security group. 4. One of the DCs in your company reports that it has an Active Directory error. You need to...

Words: 1179 - Pages: 5

Premium Essay

Ecommerce

...A website has to be hosted on a web server before it can be accessed by online users from the Internet. There is a wide range of web servers running on different platform to choose from within the web hosting market today. According to Netcraft, a company that keeps statistics on the leading web servers and the platforms on the Internet, the most popular platforms and web servers are: * Unix and Linux running Apache web server (60.17%) * Window NT/2000 running Internet Information Server (IIS) (30.78%) Other web servers include SunONE, Zeus, WebLogic, iPlanet and etc. Given the widespread popularity of Apache (closed to 60% market share) and Microsoft IIS (approximately 30%), you can almost guarantee you can find these two platforms are supported by most of the web hosting providers.

All computers require an operating system (an important piece of software) to be installed before it can function properly. For example, most of the personal computers today have installed Microsoft Windows operating system: Win98, WinXP or Win2000. Likewise, all web servers need operating system to perform different functionalities and different web servers run on different operating systems (or so called platforms). One of the most commonly found platform is UNIX that comes in various varieties that are popular with web hosts, including FreeBSD, NetBSD, OpenBSD and Linux. Another popular platform that has gained strong ground as a platform for web hosting market is Microsoft Windows...

Words: 347 - Pages: 2

Premium Essay

Code Red

...Code Red was a computer worm observed on the Internet on July 15, 2001. It attacked computers running Microsoft's IIS web server. The Code Red worm was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh. They named it "Code Red" because Code Red Mountain Dew was what they were drinking at the time. Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000. The worm exploited a vulnerability in the indexing software distributed with IIS, described in Microsoft Security Bulletin MS01-033. The worm spread itself using a common type of vulnerability known as a [[buffer overflow]]. It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine. Kenneth D. Eichman was the first to discover how to block it. Days 1-19: Trying to spread itself by looking for more IIS servers on the Internet. Days 20–27: Launch [[denial of service]] attacks on several fixed [[IP address]]es. The IP address of the [[White House]] web server was among those. Days 28-end of month: Sleeps, no active attacks. When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it was running IIS at all. The worm's payload is the string following the last 'N'. Due...

Words: 383 - Pages: 2

Premium Essay

Building on Prior Success

...The primary reason for using networks is to enable clients to communicate and share resources efficiently. Most networks rely on server that exceeds the minimum hardware requirements suggested by the software vendor. To determine the optimal hardware for your servers, be sure to ask the following questions: • What kinds of applications will run on the server? • How many clients will connect to the server? • How much storage space will each user need? • How much downtime, if any, is acceptable? • What can the organization afford? Out of these questions the first one is the most important. For example, use can purchase an inexpensive, low-end server that runs Linux adequately and suffices for resource sharing and simple application services. However, to perform more advanced functions and run resources-intensive applications on your network, you would need to invest in a server that has significantly more processing power and memory. Every application comes with different processor, RAM, and storage requirements. Explain what network operating system you would suggest. The network operating system that I have chosen is The Window Server 2008 is the latest version of Microsoft’s NOS, released in February 2008. It’s an enhancment of its predecessor, Window Server 2003, though many of the older NOS’s features remain in the newer version. Windows-based NOSs are known for their intuitive graphical user interface (GUI), multitasking capabilities, and compatibility...

Words: 711 - Pages: 3