IIS Flashcards
IIS defined
Internet Information Services (IIS) for Windows® Server is a flexible, secure and manageable Web server for hosting anything on the Web. From media streaming to web applications, IIS’s scalable and open architecture is ready to handle the most demanding tasks.
Centralized Web Farm Management
Deploy and manage Web sites and applications across large farms of Web servers from a central place.
Scalable Web Infrastructure
Dynamically scale web farm capacity with HTTP-based load balancing and intelligent request routing.
Enhanced Server Protection
Maximize web server security through reduced server footprint and automatic application isolation.
Minimize Web Server Footprint
Administrators can depend on IIS 7.0 for more secure hosting of Web applications. IIS 7.0 has been redesigned from the ground up to incorporate a modular architecture that enables administrators to customize their Web servers by selectively installing or removing modules. Administrators can install only the features that address the needs of the business while eliminating the server performance reductions and security risks that come with running unused server functionality. Administrators can easily minimize the attack and servicing surface, as well as shrink the process memory footprint. Only the modules required to run IIS as a static image server are installed by default in IIS 7.0. The default installation allows the IT administrator to start from the most secure base, adding on modules only as needed by the applications and services hosted on the Web server.
Windows Server Core Support
To further limit security exposure, administrators can choose to install a minimal environment with the Server Core installation option of Windows Server 2008. Server Core omits the graphical shell and many libraries in favor of a stripped-down, command-line driven system. Server Core can be administered locally via the IIS command-line utility AppCmd, or remotely by using WMI. Because Server Core supports only a limited set of roles, it can improve security and reduce the footprint of the operating system. With fewer files installed and running on the server, fewer attack vectors are exposed to the network, so the attack surface is smaller. Administrators can install just the specific services needed for a given server, keeping the exposure risk to a minimum.
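The two cards above describe the idea; the following PowerShell is an added example (not part of the flashcards and not Microsoft's own script) of putting it into practice: install only the role services a static-content server needs, then audit which native modules are actually loaded into every worker process. It assumes Windows Server 2012 or later with the ServerManager and WebAdministration modules (on 2008 R2 the install cmdlet is Add-WindowsFeature). The baseline feature list and the module allowlist are assumptions to adapt per server; the feature and module names themselves are the real ones.

```powershell
# Added example, not from the flashcards. Assumes Windows Server 2012+ with the
# ServerManager and WebAdministration modules. Which features belong in the baseline
# is an assumption for a static-content server; the names are real role-service names.
Import-Module ServerManager
Import-Module WebAdministration

# 1. Install only the role services a static site needs. Naming them individually
#    avoids the larger default set that 'Install-WindowsFeature Web-Server' pulls in.
$baseline = @(
    'Web-WebServer',        # core HTTP server
    'Web-Static-Content',   # serve files from disk
    'Web-Default-Doc',
    'Web-Http-Errors',
    'Web-Http-Logging',     # W3C logs for the SOC
    'Web-Filtering',        # request filtering module
    'Web-Stat-Compression'
)
Install-WindowsFeature -Name $baseline | Out-Null

# 2. Report leaf role services that are installed but not in the baseline. Parent
#    features (Web-Server, Web-Common-Http, ...) show as installed whenever a child
#    is, so only features without sub-features are compared.
$extras = Get-WindowsFeature -Name 'Web-*' |
    Where-Object { $_.Installed -and $_.SubFeatures.Count -eq 0 -and ($baseline -notcontains $_.Name) }
foreach ($f in $extras) {
    Write-Warning "Installed but not in baseline: $($f.Name) ($($f.DisplayName))"
    # Uninstall-WindowsFeature -Name $f.Name     # enforce once reviewed
}

# 3. Audit the native (global) modules loaded into every w3wp.exe. Each one is code
#    that runs on every request, or can be reached by a crafted one, so anything
#    outside the allowlist is attack surface that needs a justification.
$allowedModules = @(
    'HttpLoggingModule', 'StaticFileModule', 'DefaultDocumentModule', 'CustomErrorModule',
    'RequestFilteringModule', 'StaticCompressionModule', 'HttpCacheModule',
    'ProtocolSupportModule', 'AnonymousAuthenticationModule', 'ConfigurationValidationModule'
)
foreach ($m in Get-WebGlobalModule) {
    if ($allowedModules -notcontains $m.Name) {
        Write-Warning "Unexpected native module: $($m.Name) -> $($m.Image)"
        # Disable-WebGlobalModule -Name $m.Name  # unload it without uninstalling the feature
    }
}

# The same module list from a Server Core console without the PowerShell provider:
#   %windir%\system32\inetsrv\appcmd.exe list modules
```

Run the audit again after every feature change or patch cycle: a role service added for troubleshooting (WebDAV, directory browsing, ASP) tends to stay behind, and this is how it gets noticed.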
Automatic Web site isolation
IIS 7.0 offers greater application isolation by giving worker processes a completely unique identity and sandboxed configuration by default, further reducing security risks. IIS 7.0 includes automatic application pool isolation and can sandbox thousands of Web sites on a single server. This allows each Web site to run in its own memory space with an automatically generated, unique identity, which helps to ensure applications are not affected by other failures or security breaches of applications running on the same server. This capability enables organizations to consolidate more Web sites onto fewer servers, and increases security and reliability for all Web sites running on a shared host.
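As an added example (not from the flashcards), the PowerShell below creates one site in its own application pool running under the pool's automatically generated virtual account, scopes the NTFS permissions to that account, and then verifies which identity each worker process actually runs as. It assumes IIS 7.5 or later (Windows Server 2008 R2+), where ApplicationPoolIdentity virtual accounts exist; the site, pool, host name and path are hypothetical.

```powershell
# Added example, not from the flashcards. Site, pool, host name and path are hypothetical.
# Assumes IIS 7.5+ (Windows Server 2008 R2+) for ApplicationPoolIdentity virtual accounts.
Import-Module WebAdministration

$siteName = 'contoso'
$poolName = 'contoso-pool'
$root     = 'C:\inetpub\sites\contoso'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# One pool per site. With identityType=ApplicationPoolIdentity the worker process runs as
# the virtual account "IIS AppPool\contoso-pool": no password to leak, and every pool gets
# a different account automatically.
New-WebAppPool -Name $poolName | Out-Null
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value ApplicationPoolIdentity
# Static content needs no CLR; an empty managedRuntimeVersion keeps .NET out of the process.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value ''

New-Website -Name $siteName -PhysicalPath $root -ApplicationPool $poolName `
            -HostHeader 'www.contoso.example' -Port 80 | Out-Null

# Process isolation only helps if the file system agrees. Drop inherited ACEs (which
# usually grant IIS_IUSRS, i.e. every pool on the box) and give this pool read/execute
# on its own content root only. Note the ${} around the variable: "$poolName:" would be
# parsed as a scope qualifier.
icacls $root /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' `
       "IIS AppPool\${poolName}:(OI)(CI)RX" | Out-Null

# Verification: once a request has started the pool, each w3wp.exe runs under its own
# account and its command line names the pool (-ap "contoso-pool").
function Get-WorkerProcessOwner {
    Get-WmiObject Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
        $o = $_.GetOwner()
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Owner       = "$($o.Domain)\$($o.User)"   # e.g. IIS APPPOOL\contoso-pool
            CommandLine = $_.CommandLine
        }
    }
}
Get-WorkerProcessOwner
```

Two pools that both run as NetworkService (the IIS 7.0 default) are still distinguished by the per-pool SID injected into their tokens, but any file that grants NetworkService is readable by both; the ACL step above is what turns "own identity" into "own data".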
Secure Content Publishing
IIS7 makes publishing Web content more secure with built-in support for standards-based publishing protocols.
Secure Content Publishing - FTP
The FTP Publishing Service for IIS 7.0 allows Web content creators to publish content more easily and securely to IIS 7.0 Web servers using modern Internet publishing standards. FTP 7 enables secure publishing of content using FTP over SSL (FTPS), with support for Internet standards such as UTF-8 and IPv6. New management tools, built into IIS Manager, allow users to enable FTP for an existing Web site instead of creating separate FTP and Web sites to host the same content. FTP for IIS 7.0 also allows hosting multiple FTP sites on the same IP address through virtual host name support. FTP for IIS 7.0 removes the need to create Windows user accounts on the server to enable FTP publishing by allowing authentication using IIS Manager user accounts and .NET Membership. It also provides enhanced logging that records all FTP traffic to help track FTP activity and diagnose potential issues.
WebDAV
Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations. WebDAV is defined in RFC 4918 by a working group of the Internet Engineering Task Force.
The WebDAV protocol provides a framework for users to create, change and move documents on a server. The most important features of the WebDAV protocol include the maintenance of properties about an author or modification date, namespace management, collections, and overwrite protection. Maintenance of properties includes such things as the creation, removal, and querying of file information. Namespace management deals with the ability to copy and move web pages within a server’s namespace. Collections deal with the creation, removal, and listing of various resources. Lastly, overwrite protection handles aspects related to locking of files.
Secure Content Publishing - WebDAV
The WebDAV Extension for IIS 7.0 is a new module written specifically for Windows Server 2008 that enables Web authors to publish content more easily and securely than before, and offers Web administrators and hosters better integration, configuration and authorization features.
WebDAV for IIS 7.0
WebDAV for IIS 7.0 integrates seamlessly with the new IIS 7.0 Manager console and allows more secure publishing of content over HTTPS. WebDAV for IIS 7.0 can be enabled at the site level, unlike in IIS 6.0, which enabled WebDAV at the server level through a Web Service Extension. WebDAV for IIS 7.0 supports per-URL authoring rules, allowing administrators to specify custom WebDAV security settings on a per-URL basis, with one set of security settings for normal HTTP requests and a separate set of security settings for WebDAV authoring. WebDAV conforms to the HTTP Extensions for Distributed Authoring standard.
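The FTP and WebDAV cards above make the same point twice: the publishing channel must be encrypted and the set of people allowed to write must be separate from the set allowed to read. The PowerShell below is an added example (not from the flashcards, not Microsoft's script) that configures both on one existing site: an FTP binding on the web site itself rather than a second site, TLS required on both FTP channels, and WebDAV authoring over HTTPS only with its own per-URL rule. It assumes Windows Server 2008 R2 or later with the Web-Ftp-Server, Web-DAV-Publishing and Web-Windows-Auth role services installed, a site named 'contoso' that already has an HTTPS binding, a server certificate in the machine store, and a domain group CONTOSO\WebAuthors; all of those names are hypothetical.

```powershell
# Added example, not from the flashcards. Site, certificate subject and group are hypothetical.
# Assumes Windows Server 2008 R2+ with Web-Ftp-Server, Web-DAV-Publishing and
# Web-Windows-Auth installed and an existing site 'contoso' with an https binding.
Import-Module WebAdministration
$siteName = 'contoso'
$site     = "IIS:\Sites\$siteName"
$apphost  = 'MACHINE/WEBROOT/APPHOST'

# --- FTPS on the existing web site: an extra binding, not a second site ---------------
New-WebBinding -Name $siteName -Protocol ftp -Port 21 -IPAddress '*'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=ftp.contoso.example*' } | Select-Object -First 1
Set-ItemProperty $site -Name ftpServer.security.ssl.serverCertHash      -Value $cert.Thumbprint
Set-ItemProperty $site -Name ftpServer.security.ssl.serverCertStoreName -Value 'MY'
# Require TLS on both channels. 'SslAllow' (opportunistic) would let a client quietly
# fall back to cleartext credentials and content.
Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value SslRequire
Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy    -Value SslRequire
# No anonymous logins; basic authentication is acceptable only because the channel is encrypted.
Set-ItemProperty $site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
# FTP authorization is its own section, independent of the site's HTTP authorization.
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $siteName `
    -Value @{ accessType = 'Allow'; roles = 'CONTOSO\WebAuthors'; permissions = 'Read,Write' }

# --- WebDAV on the same site -----------------------------------------------------------
# Authoring on, but PUT/PROPPATCH/MOVE/DELETE accepted over HTTPS only.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/webdav/authoring' -Name enabled    -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/webdav/authoring' -Name requireSsl -Value $true
# Authoring rules are matched against an authenticated identity, so enable Windows
# authentication alongside anonymous (which keeps serving ordinary GETs). Authentication
# sections are locked at server level, so this lands in a <location> in applicationHost.config.
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $true
# The per-URL authoring rule: only the authors group may write. There is deliberately no
# rule for '*', so WebDAV requests from anyone else are refused while normal HTTP requests
# continue to be governed by the site's ordinary <authorization> settings.
Add-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/webdav/authoringRules' -Name '.' `
    -Value @{ roles = 'CONTOSO\WebAuthors'; path = '*'; access = 'Read,Write,Source' }
```

Leave WebDAV disabled on sites that do not author through it: when the module is loaded it also intercepts PUT and DELETE for ordinary applications, which is a common cause of unexplained 405 responses on REST endpoints.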
Access Protection
Safeguard your Web server from malicious requests and unauthorized access with new URL authorization rules and built-in request filtering.
IIS 7.0 provides a secure, reliable platform for hosting Web applications and services. New support for URL authorization and request filtering rules gives administrators fine-grained control over access to site content.
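The following PowerShell is an added example (not from the flashcards) of the two mechanisms named above applied to one site: request filtering to reject abusive requests before any handler runs, and URL authorization to restrict an /admin path to one group. It assumes IIS 7.0 or later with the Web-Filtering, Web-Url-Auth and Web-Windows-Auth role services; the site name, paths, limits and group name are hypothetical.

```powershell
# Added example, not from the flashcards. Site name, paths, limits and group are hypothetical.
# Assumes IIS 7.0+ with Web-Filtering, Web-Url-Auth and Web-Windows-Auth installed.
Import-Module WebAdministration
$siteName = 'contoso'
$site     = "IIS:\Sites\$siteName"
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$rf       = 'system.webServer/security/requestFiltering'

# --- Request filtering: cheap rejections before any application code runs ---------------
# Size limits (30 MB body, 2 KB URL, 1 KB query string); violations return 404.13/.14/.15.
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/requestLimits" -Name maxAllowedContentLength -Value 31457280
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/requestLimits" -Name maxUrl         -Value 2048
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/requestLimits" -Name maxQueryString -Value 1024
# Double-encoded (%252e%252e) and high-bit URLs are the classic way to slip traversal past filters.
Set-WebConfigurationProperty -PSPath $site -Filter $rf -Name allowDoubleEscaping    -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter $rf -Name allowHighBitCharacters -Value $false
# Denied URL sequences: traversal, and '~' to shut down 8.3 short-name probing
# (drop '~' if the site uses /~user style paths).
foreach ($seq in '..', '~') {
    Add-WebConfigurationProperty -PSPath $site -Filter "$rf/denyUrlSequences" -Name '.' -Value @{ sequence = $seq }
}
# Never serve editor or backup leftovers even if they end up in the content root.
foreach ($ext in '.bak', '.old', '.orig', '.sql', '.ps1') {
    Add-WebConfigurationProperty -PSPath $site -Filter "$rf/fileExtensions" -Name '.' `
        -Value @{ fileExtension = $ext; allowed = $false }
}
# Verb allowlist: anything but GET/HEAD/POST (TRACE, WebDAV verbs, ...) gets 404.6.
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/verbs" -Name allowUnlisted -Value $false
foreach ($verb in 'GET', 'HEAD', 'POST') {
    Add-WebConfigurationProperty -PSPath $site -Filter "$rf/verbs" -Name '.' -Value @{ verb = $verb; allowed = $true }
}

# --- URL authorization: who may reach /admin -------------------------------------------
# The server-level rule "allow all users" is inherited everywhere. Under /admin, remove that
# inherited rule and allow only the admin group; a user who matches no rule is denied.
# These writes become <location path="contoso/admin"> in applicationHost.config.
$auth = 'system.webServer/security/authorization'
Remove-WebConfigurationProperty -PSPath $apphost -Location "$siteName/admin" -Filter $auth -Name '.' `
    -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty    -PSPath $apphost -Location "$siteName/admin" -Filter $auth -Name '.' `
    -Value @{ accessType = 'Allow'; roles = 'CONTOSO\WebAdmins' }
# URL authorization can only evaluate a group once something has authenticated the user.
Set-WebConfigurationProperty -PSPath $apphost -Location "$siteName/admin" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location "$siteName/admin" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication'   -Name enabled -Value $true
```

Request filtering failures are logged with the 404 sub-status codes noted in the comments, so a SOC can alert on a burst of 404.14 or 404.6 from one source; the rejections cost almost nothing because they happen before a worker process touches the request body.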
Access Protection - URL Rewriting
Administrators can also use URL Rewriter for IIS 7.0, which enables dynamic modification of URLs based on rules defined by the site administrator, to protect applications on the Web server. For example, rules can be created which prevent other sites from ‘hot-linking’ to a Web site’s images or video content, thereby stealing content from the server and wasting bandwidth. Using rule templates, rewrite maps and other functionality integrated into IIS Manager, administrators can easily set up rules to define URL rewriting behavior based on HTTP headers and server variables.
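The hot-linking rule described above, as an added example (not from the flashcards and not a URL Rewrite template): block requests for media files whose Referer is present but points somewhere other than our own hosts. It assumes the URL Rewrite module is installed on top of IIS; the site name, host name and file types are hypothetical.

```powershell
# Added example, not from the flashcards. Assumes the URL Rewrite module is installed;
# site, host name and media extensions are hypothetical.
Import-Module WebAdministration
$site  = 'IIS:\Sites\contoso'
$rules = 'system.webServer/rewrite/rules'
$rule  = "$rules/rule[@name='BlockHotlinking']"

# The rule, its match pattern (static media only; pages and APIs are left alone) ...
Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' -Value @{ name = 'BlockHotlinking'; stopProcessing = 'True' }
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name url        -Value '\.(jpe?g|png|gif|webp|mp4)$'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name ignoreCase -Value $true
# ... two conditions that must both hold (logicalGrouping MatchAll is the default):
#  1. a Referer is present. An empty Referer means a direct visit, a privacy-conscious
#     browser or a non-browser client; blocking those breaks legitimate traffic.
#  2. it does not point at one of our own host names.
Add-WebConfigurationProperty -PSPath $site -Filter "$rule/conditions" -Name '.' `
    -Value @{ input = '{HTTP_REFERER}'; pattern = '^$'; negate = 'True' }
Add-WebConfigurationProperty -PSPath $site -Filter "$rule/conditions" -Name '.' `
    -Value @{ input = '{HTTP_REFERER}'; pattern = '^https?://(www\.)?contoso\.example(:\d+)?/'; negate = 'True' }
# ... and the action: answer 403 instead of sending the bytes.
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name type         -Value CustomResponse
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name statusCode   -Value 403
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name statusReason -Value 'Hotlinking not permitted'

# Check the three cases from any machine that can reach the site.
function Get-StatusCode([string]$Url, [string]$Referer) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    if ($Referer) { $req.Referer = $Referer }
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }     # no HTTP answer at all
        $resp = $_.Exception.Response                  # 4xx/5xx still carry a response
    }
    $code = [int]$resp.StatusCode; $resp.Close(); $code
}
$img = 'http://www.contoso.example/img/logo.png'
Get-StatusCode $img                                   # 200: no Referer
Get-StatusCode $img 'https://www.contoso.example/'    # 200: our own page
Get-StatusCode $img 'https://evil.example/gallery'    # 403: hot-linked
```

Referer is set by the client, so a rule like this is bandwidth hygiene, not access control: anyone who wants the file can send no Referer at all. Content that must not be fetched without authorization belongs behind URL authorization or the application, not behind a rewrite rule.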
HTTP Strict Transport Security (HSTS)
IIS 10.0 Version 1709 is the version of IIS that ships with Windows Server, version 1709.
HTTP Strict Transport Security (HSTS), specified in RFC 6797, allows a website to declare itself as a secure host and to inform browsers that it should be contacted only through HTTPS connections. IIS 10.0 Version 1709 introduces turn-key support for enabling HSTS without the need for error-prone URL rewrite rules.
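The turn-key configuration mentioned above, as an added example (not from the flashcards; the cmdlets are the IISAdministration module's, the values and site name are hypothetical). It writes the per-site hsts element in applicationHost.config and then confirms the header on an HTTPS response. It assumes IIS 10.0 Version 1709 or later and a site named 'contoso' that already has a working HTTPS binding, which is a prerequisite: once browsers have cached the policy, a broken certificate makes the site unreachable for max-age seconds.

```powershell
# Added example, not from the flashcards. Assumes IIS 10.0 Version 1709+ and a site
# 'contoso' with a valid https binding; the site name and values are hypothetical.
Import-Module IISAdministration
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay

$sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' | Get-IISConfigCollection
$site  = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = 'contoso' }
$hsts  = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'

# Result in applicationHost.config under <site name="contoso">:
#   <hsts enabled="true" max-age="31536000" includeSubDomains="true" redirectHttpToHttps="true" />
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'             -AttributeValue $true
# One year. Roll out with a short value (e.g. 300) first; a cached policy cannot be recalled early.
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'             -AttributeValue 31536000
# Only if every subdomain (including internal ones) is reachable over HTTPS.
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'   -AttributeValue $true
# Send plain-HTTP requests a redirect to https://; the HSTS header itself is only emitted on
# HTTPS responses, which is the part the old rewrite-rule approach frequently got wrong
# (RFC 6797 says clients must ignore the header when it arrives over HTTP).
Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps' -AttributeValue $true

Stop-IISCommitDelay
Remove-Module IISAdministration

# Verify from any client: the HTTPS response must carry the header.
function Get-HstsHeader([string]$HostName) {
    $r = Invoke-WebRequest -Uri "https://$HostName/" -Method Head -UseBasicParsing
    $r.Headers['Strict-Transport-Security']   # expect "max-age=31536000; includeSubDomains"
}
Get-HstsHeader 'www.contoso.example'
```

Leaving redirectHttpToHttps off is a legitimate choice when a load balancer already performs the redirect; enabling HSTS without any redirect is not, because a first-time visitor over HTTP then never receives the policy.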
Container Enhancements
IIS 10.0 Version 1709 introduces improvements that allow the IIS worker process (w3wp.exe) to be run directly, as well as changes to the Central Certificate Provider (CCS) that make it more amenable to running in containers.
WAS
The Windows Process Activation Service (WAS) manages application pool configuration and worker processes, and enables sites to use protocols other than HTTP and HTTPS.
Components in IIS
IIS contains several components that perform important functions for the application and Web server roles in Windows Server® 2008 (IIS 7.0) and Windows Server 2008 R2 (IIS 7.5). Each component has responsibilities, such as listening for requests made to the server, managing processes, and reading configuration files. These components include protocol listeners, such as HTTP.sys, and services, such as World Wide Web Publishing Service (WWW service) and Windows Process Activation Service (WAS).
Protocol Listeners
Protocol listeners receive protocol-specific requests, send them to IIS for processing, and then return responses to requestors. For example, when a client browser requests a Web page from the Internet, the HTTP listener, HTTP.sys, picks up the request and sends it to IIS for processing. Once IIS processes the request, HTTP.sys returns a response to the client browser.
By default, IIS provides HTTP.sys as the protocol listener that listens for HTTP and HTTPS requests. HTTP.sys was introduced in IIS 6.0 as an HTTP-specific protocol listener for HTTP requests. HTTP.sys remains the HTTP listener in IIS 7 and later, but includes support for Secure Sockets Layer (SSL).
To support services and applications that use protocols other than HTTP and HTTPS, you can use technologies such as Windows Communication Foundation (WCF). WCF has listener adapters that provide the functionality of both a protocol listener and a listener adapter.
Hypertext Transfer Protocol Stack (HTTP.sys)
The HTTP listener is part of the networking subsystem of Windows operating systems, and it is implemented as a kernel-mode device driver called the HTTP protocol stack (HTTP.sys). HTTP.sys listens for HTTP requests from the network, passes the requests onto IIS for processing, and then returns processed responses to client browsers.
In IIS 6.0, HTTP.sys replaced Windows Sockets API (Winsock), which was a user-mode component used by previous versions of IIS to receive HTTP requests and send HTTP responses. IIS 7 and later continue to rely on HTTP.sys for HTTP requests.
HTTP.sys provides the following benefits:
Kernel-mode caching. Requests for cached responses are served without switching to user mode.
Kernel-mode request queuing. Requests cause less overhead in context switching because the kernel forwards requests directly to the correct worker process. If no worker process is available to accept a request, the kernel-mode request queue holds the request until a worker process picks it up.
Request pre-processing and security filtering.
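Because HTTP.sys is a kernel driver, the usual process-level tools give a misleading picture: the listening socket belongs to the System process, and which application serves a URL is decided by registrations held inside HTTP.sys. The PowerShell below is an added example (not from the flashcards) of inspecting that state: it shows the socket owner, parses the URL reservations (the ACLs that decide who may register a namespace) into objects and flags reservations granted to broad groups, then dumps the live request queues and kernel cache. It assumes English-language Windows, since netsh output is localized, and Windows Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added example, not from the flashcards. Assumes English-language Windows (netsh output is
# localized) and Windows Server 2012+ for Get-NetTCPConnection.

# The listening socket belongs to the kernel (PID 4, "System"), not to any w3wp.exe: IIS
# never owns port 80/443 itself, it only registers URL namespaces with HTTP.sys.
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 80, 443 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

function Get-HttpSysUrlAcl {
    # Parses 'netsh http show urlacl' into one object per (reserved URL, account) pair.
    # Each account block in the output is "User: ..." followed by "Listen:" and "Delegate:",
    # so Delegate marks the end of a record.
    $url = $null; $user = $null; $listen = $null
    foreach ($line in (netsh http show urlacl)) {
        switch -Regex ($line.Trim()) {
            '^Reserved URL\s*:\s*(\S+)' { $url    = $Matches[1] }
            '^User:\s*(.+)$'            { $user   = $Matches[1].Trim() }
            '^Listen:\s*(\w+)'          { $listen = $Matches[1] }
            '^Delegate:\s*(\w+)'        {
                [pscustomobject]@{ Url = $url; User = $user; Listen = $listen; Delegate = $Matches[1] }
            }
        }
    }
}

# Reservations that let broad groups listen deserve a look: any local account can then answer
# requests in that namespace on the same port IIS uses, which is a port-sharing and
# persistence trick. The Windows default http://+:80/Temporary_Listen_Addresses/ for
# \Everyone (used by WCF) is the usual finding.
Get-HttpSysUrlAcl |
    Where-Object { $_.Listen -eq 'Yes' -and $_.User -match 'Everyone|Authenticated Users|BUILTIN\\Users' } |
    Format-Table Url, User -AutoSize

# Live state: each request queue with the worker-process PIDs attached to it and the URLs
# they registered (this is the kernel-mode queuing the cards describe), then the responses
# currently served from the kernel cache without a user-mode transition.
netsh http show servicestate view=requestq verbose=yes
netsh http show cachestate
```

The same registrations explain why a non-IIS service (WinRM on 5985, for instance) can share the HTTP stack without a port conflict, and why an attacker who can register a URL with HTTP.sys needs no listening socket of their own.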
World Wide Web Publishing Service (WWW service)
In IIS 7 and later, functionality that was previously handled by the World Wide Web Publishing Service (WWW Service) alone is now split between two services: WWW Service and a new service, Windows Process Activation Service (WAS). These two services run as LocalSystem in the same Svchost.exe process, and share the same binaries.
Web server platforms
Why Only Three Web Server Platforms Matter

Platform        Sites          Percentage
Apache          333,285,741    39.25%
Microsoft IIS   236,288,843    27.83%
nginx           126,274,778    14.87%
Google           20,051,433     2.36%