IIS 8 Workshop Notes

$WORK paid for me to attend a three-day class on IIS 8. “IIS Administration, Troubleshooting, and Best Practices.” Since I’ve gotta take notes anyway…

I’m historically a Unix guy so some of this is probably really obvious and newbie-level, but welp. Also, yes, they did send copies of the slides, and no, I can’t legally share them. Shame, that, they’re very well-commented and could almost serve as an IIS textbook all by themselves.

New features in IIS 8

  • Improvements for large environments (people hosting thousands of sites on a single server). SNI support, which makes me very happy indeed. Per-site/per-app-pool sandboxing. Dynamic IP blocks, as a form of DoS protection.
  • App Initialization, a form of pre-loading application code so the first visitor to a site doesn’t have to wait forever for the site to load. IIS 7.5 as a module (“Application Warmup”), IIS 8+ as core.
  • WebSockets. Protocol for bidirectional communication over HTTP. (Is this standard or proprietary?)
  • NUMA support, automatic or manual CPU affinity. Another benefit for those hosting LOTS of sites on a single host, or maybe for those running lots of wicked code.
  • IIS 7/8 have good PowerShell support. For IIS 8.5 a basic install is a one-liner: Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole

IIS Internals

  • “Core” stuff in C:\Windows\System32\inetsrv, site root still C:\inetpub – but you probably shouldn’t often look around the former, and the latter can be changed on a per-site basis anyway.
  • Changes in IIS 8 process model (versus IIS 6): SSL and Windows authentication moved from userland to kernel (the micro-kernel people are weeping), NNTP support discontinued (in case anyone still remembers Usenet), FTP now managed by svchost instead of inetinfo (as of 7.5), metabase functionality replaced by a multi-file distributed Configuration Store (but the metabase is still emulated for backwards compatibility)
  • Fun fact: Even though SSL is now in kernel-land as part of http.sys, the response cache still won’t cache static requests. So there’s still a thriving market for SSL front-ends.

Configuration

  • IIS 7+ server configurations are “just” big XML files, with known locations. You could theoretically put your IIS servers into Puppet or a similar config management system.
  • Configuration files hierarchy:
    • %windir%\microsoft.net\framework\v2.0.50727\config\machine.config
    • %windir%\system32\inetsrv\config\applicationHost.config
    • %windir%\microsoft.net\framework\v2.0.50727\config\web.config
    • per-site/per-dir web.config files
  • Other config files, not directly related to the above, include redirection.config (to define shared configuration files) — but now the “master” file location is a SPOF (so put your master in a failover cluster and UNC-mount it?)
  • The rules for what settings can legally go in which files seem really arcane and I think I’ll just use the GUI where possible
  • IIS 7.5+ also includes a “Configuration Editor” tool that’s a sort of minimalist interface that manages everything in the config XML files, including things not exposed anywhere else.
  • C:\windows\system32\inetsrv\appcmd add backup does an all-in-one backup of your current IIS config

CLI Tools

  • I’m still amused that CLI tools even exist for Windows, but then again I’m old and cranky.
  • Two different toolsets for IIS: appcmd (old and busted), PowerShell WebAdministration module (new hotness)
  • appcmd available on older versions of IIS (how far back?) but has some questionable misfeatures (like allowing you to create bogus sites where the physical path doesn’t exist, and NOT returning a visible error or errorlevel)
  • The “Configuration Editor” GUI tool actually can export AppCmd and PowerShell commands to make requested changes, so you don’t have to remember so many arcane settings. Neat.

Configuration Delegation Stuff

  • IIS 7+ supports a fair amount of configuration delegation
  • User levels:
    • Server admins (who must also be Windows admins)
    • Site admins (don’t have to be Windows server admins)
    • Application admins (ditto)
  • Feature Delegation is a server-level module, or a whole bunch of XML tags, you can use to limit who can change what server settings
  • Can be ridiculously granular
  • Takes precedence over NTFS permissions – if an app owner tries to enter “illegal” settings in her web.config, she gets a lovely 500 Internal Server Error response (500.19, if you’re into such things)

Security/Hardening

  • Mostly basic Windows sysadmin stuff: Don’t run sites as “Local System”, use ApplicationPoolIdentity and/or a separate user per-pool, don’t install components you don’t need
  • Don’t move inetpub off C:, or if you do, don’t remove C:\Inetpub when you’re done, you’ll make Microsoft sad
  • Disable directory browsing, remove default documents you’re not using (the latter is more performance than security)
  • Stop the default site – it has a known site ID (1)
  • If you use remote management, change the port (I’m not sure about this one, reeks of security-through-obscurity and probably makes the remote tools harder to use, just make sure they’re firewalled correctly)
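
Since the server config is "just" XML (see Configuration above), several of these items can be checked offline. The PowerShell below is an added example, not from the workshop material or from Microsoft; the function name Test-IisHardening, the sample fragment and the reading of serverAutoStart="false" as "stopped" are assumptions.

```powershell
# Added example. $sample is a constructed applicationHost.config fragment, not a real server's.
$sample = [xml]@'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="LegacyPool"><processModel identityType="LocalSystem" /></add>
      <applicationPoolDefaults><processModel identityType="ApplicationPoolIdentity" /></applicationPoolDefaults>
    </applicationPools>
    <sites>
      <site name="Default Web Site" id="1" serverAutoStart="true" />
      <site name="intranet" id="2" />
    </sites>
  </system.applicationHost>
  <system.webServer><directoryBrowse enabled="false" /></system.webServer>
  <location path="intranet">
    <system.webServer><directoryBrowse enabled="true" /></system.webServer>
  </location>
</configuration>
'@

function Test-IisHardening {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Config)
    $appHost = '/configuration/system.applicationHost'
    # Pools with no identityType of their own inherit applicationPoolDefaults.
    $default = 'ApplicationPoolIdentity'   # built-in default on IIS 7.5 and later
    $attr = $Config.SelectSingleNode("$appHost/applicationPools/applicationPoolDefaults/processModel/@identityType")
    if ($attr) { $default = $attr.Value }
    foreach ($pool in $Config.SelectNodes("$appHost/applicationPools/add")) {
        $own = $pool.SelectSingleNode('processModel/@identityType')
        $identity = if ($own) { $own.Value } else { $default }
        if ($identity -eq 'LocalSystem') { "Pool '$($pool.GetAttribute('name'))' runs as LocalSystem" }
    }
    # Site ID 1 is the default site. Assumption: serverAutoStart="false" means it is kept stopped.
    foreach ($site in $Config.SelectNodes("$appHost/sites/site[@id='1']")) {
        if ($site.GetAttribute('serverAutoStart') -ne 'false') {
            "Site '$($site.GetAttribute('name'))' (ID 1) is set to start"
        }
    }
    # Directory browsing switched on at server level or inside any <location> block.
    foreach ($node in $Config.SelectNodes('//directoryBrowse[@enabled="true"]')) {
        $loc = $node.SelectSingleNode('ancestor::location/@path')
        $scope = if ($loc) { $loc.Value } else { '(server level)' }
        "Directory browsing enabled for: $scope"
    }
}

Test-IisHardening -Config $sample
```

To run it against a real server, pass [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config") instead of $sample. Settings made in per-site web.config files are not covered by this check.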

Random Best Practices

  • Set your server to give priority to background server processes (this is the default for Server variants of Windows, but we all know people that run Web Servers on desktop OSes)
  • If performance is a must, split Web content/logs/OS onto different disks (just like you would for SQL Server)
  • If you have static content, be sure to configure IIS to send a suitable Expires: header so it’s cached client-side
  • Use Windows kernel-mode authentication when possible, it saves a couple trips between userspace and kernelspace
  • Consider disabling anti-virus scans for your IIS content and logging directories (or at least on-access scanning)
  • Consider enabling compression (if you’ve got plenty of CPU) for a faster end-user experience

Troubleshooting Tools

  • LogParser looks like a fun little Frankentool (takes IIS log files, and SQL-like queries, and can spit out CSV, graphics, etc)
  • DebugDiag (but that might be more of a developer tool, since it dives into application code)
  • Perfmon, SysInternals Procmon and Procexp, the usual stuff basically

Unsorted Trivia

  • IIS 8.5 (at least) will display an error if you try to enter duplicate info (putting the same Host: name on two different sites). IIS 6 would just randomly stop one of the sites, usually the “older” one in my experience. Huzzah for error messages!
  • PROTIP: On your 64-bit OS, run your application pools as 32-bit. RAM usage is automatically limited to ~2GB per process, to limit runaway memory consumption.
  • There’s an SNI Readiness Tool so you can prove conclusively that your users aren’t in the Dark Ages any longer. Or so you can see that they are and weep. Y’know, whichever.
  • The “Web Hosting Certificate Store” (basically: dump all your SSL certs for all your sites in a shared folder, IIS loads them on-demand and hopefully gets it right) looks really awesome assuming it works as advertised. I’m not sure I’m brave enough for it, though.