6427A:
Configuring and Troubleshooting
Internet Information Services in
Windows Server® 2008
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.
All other trademarks are property of their respective owners.
Part Number:
Released: 12/2007
If you comply with these license terms, you have the rights below.
1. OVERVIEW.
Licensed Content. The licensed content includes software, printed materials, academic materials
(online and electronic), and associated media.
License Model. The licensed content is licensed on a per copy per device basis.
2. INSTALLATION AND USE RIGHTS.
a. Licensed Device. The licensed device is the device on which you use the licensed content. You
may install and use one copy of the licensed content on the licensed device.
b. Portable Device. You may install another copy on a portable device for use by the single
primary user of the licensed device.
c. Separation of Components. The components of the licensed content are licensed as a single
unit. You may not separate the components and install them on different devices.
d. Third Party Programs. The licensed content may contain third party programs. These license
terms will apply to your use of those third party programs, unless other terms accompany those
programs.
3. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Media Elements and Templates. You may use images, clip art, animations, sounds, music,
shapes, video clips and templates provided with the licensed content solely for your personal
training use. If you wish to use these media elements or templates for any other purpose, go to
www.microsoft.com/permission to learn whether that use is allowed.
b. Academic Materials. If the licensed content contains academic materials (such as white papers,
labs, tests, datasheets and FAQs), you may copy and use the academic materials. You may not
make any modifications to the academic materials and you may not print any book (either
Please note: As this licensed content is distributed in Quebec, Canada, some of the
clauses in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content is provided "as is".
Any use of this licensed content is at your own risk. Microsoft gives no
other express warranties. You may have additional rights under your local
consumer protection laws, which this agreement cannot change. Where permitted by
local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR
DAMAGES. You can recover from Microsoft and its suppliers only direct
damages up to US $5.00. You cannot recover any
other damages, including special, indirect or incidental damages and lost
profits.
This limitation applies to:
• anything related to the licensed content, services or content (including code)
on third party Internet sites or in third party programs; and
• claims for breach of contract or warranty, or for strict
liability, negligence or other fault, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such
damages. If your country does not allow the exclusion or limitation of liability for
indirect, incidental or other damages of any kind, the above limitation or exclusion
may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other
rights under the laws of your country. This agreement does not change your rights under the
laws of your country if those laws do not permit it to do so.
Contents
Module 1: Configuring an IIS 7.0 Web Server
Lesson 1: Introducing Internet Information Services 7.0
Lesson 2: Installing the Web Server Role
Lesson 3: Configuring Application Development, Health and
Diagnostics, and HTTP Features
Lesson 4: Configuring Performance, Security, and SMTP Features
Lab: Configuring an IIS 7.0 Web Server
Module 5: Securing the IIS 7.0 Web Server and Web Sites
Lesson 1: Configuring Secure Web Sites and Servers
Lesson 2: Configuring Other Aspects of Web Server Security
Lesson 3: Configuring Logging for IIS 7.0
Lab: Securing the IIS 7.0 Web Server and Web Sites
Course Description
The purpose of this three-day course is to prepare you to configure, manage, and
support Internet Information Services 7.0 (IIS 7.0) in an enterprise environment.
Audience
The primary audience for this course is individuals who want to become Web
server administrators in an enterprise environment. Individuals who are
assuming a new role that requires skills to manage content served by an IIS 7.0 Web
server over the Internet, an intranet, or an extranet should also be interested in this
course. The secondary audience for this course is Web-based application
developers with networking skills who wish to learn more about IIS 7.0.
Student Prerequisites
This course requires that you meet the following prerequisites:
• Course 6420 Foundational Series: Fundamentals of a Windows Server 2008
Network Infrastructure and Application Platform
- or -
• A minimum of 1 year of experience administering and supporting a Web
Server role using Windows Server 2003
• Network+ certification
Course Objectives
After completing this course, students will be able to:
• Install the Web Server role using Server Manager, on Server Core, and from an
unattended setup.
• Configure IIS role services such as HTTP; security; performance and
diagnostics; and management features.
• Configure IIS 7.0 Web sites and application pools.
• Configure application settings using ASP.NET.
• Configure and manage modules in IIS 7.0.
• Secure Web sites and servers.
• Configure delegation and remote administration.
• Use command-line tools like PowerShell and AppCmd for scripting IIS 7.0.
• Configure Web sites and servers for the best performance.
• Ensure high availability of Web farms using backup and restore, Network
Load Balancing, and shared configurations.
• Use various tools to troubleshoot common Web server-related issues with
authentication, authorization, communication, and configuration.
Course Outline
This section provides an outline of the course:
Module 1, "Configuring an IIS 7.0 Web Server": This module covers how to install
the Web Server role on Windows Server 2008 and how to configure the most
common features of IIS.
Module 2, "Configuring IIS 7.0 Web Sites and Application Pools": This module
covers how to create, configure, and manage new Web sites, applications, and
application pools.
Module 3, "Configuring IIS 7.0 Application Settings": This module covers how to
configure application settings and how to deploy and secure multiple applications
on a single Web server.
Module 4, "Configuring IIS 7.0 Modules": This module covers how to configure
and edit native and managed modules.
Module 5, "Securing the IIS 7.0 Web Server and Web Sites": This module covers how to secure
Web sites and servers, including configuring and managing authorization,
authentication, and restrictions.
Module 6, "Configuring Delegation and Remote Administration": This module
covers how to use the delegated rights assignment and remote administration
features in IIS 7.0.
Module 7, "Using Command-line and Scripting for IIS 7.0 Administration": This
module covers how to use command-line and scripting for IIS 7.0 Administration.
Module 8, "Tuning IIS 7.0 for Improved Performance": This module covers some
best practices for improving performance in IIS 7.0, including how to manage
application pools to achieve performance goals.
Module 9, "Ensuring Web Site Availability with Web Farms": This module covers
how to ensure high availability of Web farms using backup and restore, Network
Load Balancing, and shared configurations.
Module 10, "Troubleshooting IIS 7.0 Web Servers": This module covers how to use
logging and the new tracing infrastructure to troubleshoot and fix some common
types of problems.
Course Materials
• Course Handbook. The Course Handbook contains the material covered in
class. It is meant to be used in conjunction with the Course Companion CD.
• Course Companion CD. The Course Companion CD contains the full course
content, including expanded content for each topic page, full lab exercises
and answer keys, and topical and categorized resources and Web links. It is meant
to be used both inside and outside of the class.
Note: To access the full course content, insert the Course Companion CD into the
CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.
• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.
Important: At the end of each lab, you must close the virtual machine and must
not save any changes. To close a virtual machine without saving the changes,
perform the following steps:
1. On the host computer, click Start | All Programs | Microsoft Virtual Server,
Virtual Server Administration Website.
2. Under Navigation, click Master Status.
3. For each virtual machine that is running, point to the virtual machine name,
and then in the context menu, click Turn off Virtual Machine and Discard Undo Disks.
4. Click OK.
The following table shows the role of each virtual machine used in this course:
Software Configuration
The following software is installed on each VM:
• Windows Server 2008 Enterprise Edition
Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way.
Module 1
Configuring an IIS 7.0 Web Server
Contents:
Lesson 1: Introducing Internet Information Services 7.0
Lesson 2: Installing the Web Server Role
Lesson 3: Configuring Application Development, Health and
Diagnostics, and HTTP Features
Lesson 4: Configuring Performance, Security, and SMTP Features
Lab: Configuring an IIS 7.0 Web Server
Module Overview
Internet Information Services 7.0 provides the components necessary for the Web
server role of the Windows Server 2008 platform. Internet Information Services is
an add-on server role for Windows Server 2008. This module briefly introduces
the new component-based setup model of IIS 7.0. In this module, you will learn
the fundamental workload scenarios for Web servers, and how to prepare for and
install the Web server role of the Windows Server 2008 platform. You will also
learn how to configure the most common features of IIS.
Lesson 1:
Introducing Internet Information Services 7.0
Key Points
Internet Information Services 7.0 introduces some important architectural changes
from IIS 6.0.
The new modular design allows administrators to install only what is needed,
thereby reducing footprint, attack surface, and management overhead. It also
allows custom modules to be installed to extend the Web server features. The key
features of the new modular design are:
• Completely modular Web server
• Native extensibility
• .NET extensibility
The Web server role can be installed on Windows Server 2008 Server Core. Server
Core is a minimal installation of Windows Server 2008 with no local graphical user
interface and a small footprint. The key advantages of running IIS on Server Core
are:
• No added overhead
• Completely remote administration
Question: Which features of the new IIS 7.0 architecture will you use in your
organization?
Key Points
A workload describes the type of content and applications that the Web server will
provide. Before installing the Web server role, it is important to understand how
the server will be used so that the proper components are installed.
Question: Why is it not a good idea to install all of the components on every
server?
Lesson 2:
Installing the Web Server Role in Windows
Server 2008
Key Points
There are three methods of installing IIS 7.0. The most common method is via the
Graphical User Interface (GUI). In Windows Server 2008, this is done through
Role Manager, which is part of the Server Manager tool.
From the command line, Pkgmgr can be used to install the IIS role and
components either as a series of command lines or by using an XML file for
unattended setup.
Question: What installation methods do you currently use to deploy IIS in your
organization?
Key Points
Server Manager provides the setup user interface on Windows Server 2008. It
replaces Manage Your Server in Windows Server 2003. Server Manager also
provides server role management. Here you can access a role's installed state,
current status, and management tasks.
Question: What are the scenarios in which you would use the GUI to install
the IIS role?
Key Points
The new command-line tool for installing optional features in Windows Vista and
Windows Server 2008 is Pkgmgr.exe. It replaces sysocmgr.exe for installing
Windows Optional Features on previous versions of Windows.
Pkgmgr.exe allows you to install or uninstall Windows Optional Features directly
from the command prompt or from scripts. For example, it can take a list of
Windows features to install on the command line, or it can take an XML file name
as a parameter for unattended installations.
Key Points
• XML files containing the information necessary for an unattended installation
can be written and provided to Setup.exe for installation of IIS 7.0 during the
initial installation of the Windows operating system.
• Alternatively, an unattended XML file can be written and used with pkgmgr.exe
to install IIS and its features after the operating system has been installed.
Question: When would you choose to install using unattended setup with an XML
file versus through specifying the installation options through the command line?
Key Points
Installing IIS 7.0 from the command line requires that you explicitly specify the
features you wish to have installed by name. You will also need to ensure that any
dependencies get specified in the installation syntax. Failure to include
dependencies in the setup syntax will cause the installation to be unsuccessful.
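The dependency requirement above can be checked before the command is run. The following is an added example, not part of the course material: a small Python pre-flight check that expands a requested feature list to include everything it needs and builds the Pkgmgr command line. The feature names are IIS 7.0 package names; the dependency edges in the table are an illustrative, constructed subset and should be confirmed for your build.

```python
# Constructed subset of IIS 7.0 feature names as passed to "pkgmgr /iu:".
# For each feature: its parent feature first, then other features it needs.
# Assumption: these edges are illustrative; confirm them for your Windows build.
REQUIRES = {
    "IIS-WebServerRole": [],
    "WAS-WindowsActivationService": [],
    "WAS-ProcessModel": ["WAS-WindowsActivationService"],
    "IIS-WebServer": ["IIS-WebServerRole", "WAS-ProcessModel"],
    "IIS-CommonHttpFeatures": ["IIS-WebServer"],
    "IIS-StaticContent": ["IIS-CommonHttpFeatures"],
    "IIS-DefaultDocument": ["IIS-CommonHttpFeatures"],
    "IIS-HttpErrors": ["IIS-CommonHttpFeatures"],
    "IIS-Security": ["IIS-WebServer"],
    "IIS-RequestFiltering": ["IIS-Security"],
    "IIS-ApplicationDevelopment": ["IIS-WebServer"],
    "IIS-ISAPIExtensions": ["IIS-ApplicationDevelopment"],
    "IIS-ISAPIFilter": ["IIS-ApplicationDevelopment"],
    "IIS-NetFxExtensibility": ["IIS-ApplicationDevelopment", "IIS-RequestFiltering"],
    "IIS-ASPNET": ["IIS-ApplicationDevelopment", "IIS-NetFxExtensibility",
                   "IIS-ISAPIExtensions", "IIS-ISAPIFilter"],
}


def resolve(requested):
    """Return the requested features plus everything they need, dependencies first."""
    ordered = []

    def visit(name):
        if name not in REQUIRES:
            # A mistyped feature name would otherwise only surface as a failed install.
            raise ValueError(f"unknown feature name: {name}")
        for dep in REQUIRES[name]:
            visit(dep)
        if name not in ordered:
            ordered.append(name)

    for name in requested:
        visit(name)
    return ordered


def missing_dependencies(requested):
    """Features the install needs that the administrator did not list."""
    listed = set(requested)
    return [name for name in resolve(requested) if name not in listed]


def pkgmgr_command(requested):
    """Build the install command for the fully resolved feature list."""
    return "start /w pkgmgr /iu:" + ";".join(resolve(requested))


if __name__ == "__main__":
    # A static-content server with request filtering and nothing else installed.
    wanted = ["IIS-StaticContent", "IIS-RequestFiltering"]
    print("not listed:", missing_dependencies(wanted))
    print(pkgmgr_command(wanted))
```

Listing only the features the workload needs, plus their dependencies, keeps the installed footprint and attack surface small, which is the point of the modular setup described in Lesson 1.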
Key Points
Windows Server 2008 Server Core does not have a graphical user interface, so you
must install the IIS role at the command line or via unattended setup.
Question: How might you deploy Server Core Web servers in your organization?
Key Points
If several servers run applications that consume only a fraction of the available
resources, virtual machine technology can be used to enable them to run side by
side on a single server, even if they require different versions of the operating
system or middleware. Windows Server virtualization provides customers an ideal
platform for key virtualization scenarios, such as:
• Production server consolidation
• Business continuity management
• Software test and development
• Dynamic data center
Lesson 3:
Configuring Application Development, Health
and Diagnostics, and HTTP Features
Key Points
The configuration of IIS 7.0 is stored in XML configuration files. The XML
configuration files:
• Replace the Metabase of previous versions of IIS
• Can be modified through various configuration interfaces
• Are fully extensible
Question: When would you use the Command Line configuration tool to modify
the configuration instead of IIS Manager?
Key Points
Every level of the URL namespace may have associated configuration.
Configuration for a given level inherits down to child levels, unless specifically
overridden by a child level. A simple way to achieve per-URL configuration is by
using web.config files, in the physical file-system folders that are mapped to the
virtual paths.
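The inheritance rule above, as an added example that is not part of the course material: a Python sketch that applies constructed web.config files from the site root down to a URL and reports which level set the effective value. It models simple attribute override only; locked sections, location tags, and collection elements are outside its scope, and the paths and settings are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: web.config contents keyed by the virtual path whose
# physical folder holds the file. Paths and values are illustrative.
CONFIGS = {
    "/": """<configuration><system.webServer>
              <directoryBrowse enabled="false" />
              <httpErrors errorMode="DetailedLocalOnly" />
            </system.webServer></configuration>""",
    "/downloads": """<configuration><system.webServer>
              <directoryBrowse enabled="true" />
            </system.webServer></configuration>""",
    "/downloads/internal": """<configuration><system.webServer>
              <directoryBrowse enabled="false" />
            </system.webServer></configuration>""",
}


def levels(url_path):
    """'/a/b' -> ['/', '/a', '/a/b']: the chain from the site root to the URL."""
    parts = [p for p in url_path.strip("/").split("/") if p]
    chain = ["/"]
    for i in range(len(parts)):
        chain.append("/" + "/".join(parts[: i + 1]))
    return chain


def find_section(root, section):
    """Walk 'system.webServer/directoryBrowse' one child element at a time."""
    node = root
    for tag in section.split("/"):
        node = next((c for c in node if c.tag == tag), None)
        if node is None:
            return None
    return node


def effective(configs, url_path, section, attribute):
    """Return (value, level_that_set_it) after applying inheritance root-down."""
    value, source = None, None
    for level in levels(url_path):
        text = configs.get(level)
        if text is None:
            continue  # no web.config at this level: the parent's value carries on
        node = find_section(ET.fromstring(text), section)
        if node is not None and attribute in node.attrib:
            value, source = node.attrib[attribute], level  # child overrides parent
    return value, source


def levels_setting(configs, section, attribute, value):
    """Every level that explicitly sets the attribute to the given value."""
    hits = []
    for level in sorted(configs):
        node = find_section(ET.fromstring(configs[level]), section)
        if node is not None and node.attrib.get(attribute) == value:
            hits.append(level)
    return hits


if __name__ == "__main__":
    section = "system.webServer/directoryBrowse"
    for path in ("/", "/downloads/tools", "/downloads/internal/q3"):
        print(path, effective(CONFIGS, path, section, "enabled"))
    print("browsing turned on at:", levels_setting(CONFIGS, section, "enabled", "true"))
```

Running the same lookup across every folder that holds a web.config shows where a child level has relaxed a setting the root had restricted.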
Key Points
Configuring ASP.NET:
• By default, IIS 7.0 is configured to use the new Integrated mode for new
applications.
• The pipeline mode and .NET Framework version are configured by using the
application pool settings.
Key Points
Configure the appropriate Health and Diagnostics features depending on the needs
and maturity of your sites and applications.
Question: In what scenarios would you want to enable more detailed Health and
Diagnostics features?
Lesson 4:
Configuring Performance, Security, and SMTP
Features
Key Points
• Static caching will cache static content such as HTML pages and graphics files.
This can greatly improve page response times for clients. To enable static
caching:
  • Add a cache rule in IIS Manager.
  • Configure the file types that you want to cache, such as JPG or HTML.
  • Set the change notification.
• Dynamic output caching will cache versions of output that vary depending
on what a Web application generates. For example, you may have a page that is
nearly identical except for localized text. You can cache the possible versions
of the page and automatically reload the content into the cache if it has
expired. To enable dynamic output caching:
  • Add a cache rule in IIS Manager.
  • Set a time interval.
  • Set the differentiator that distinguishes the versions, such as localized
  language or other variable(s) used by the Web application.
• There are other settings that will be covered in more detail in later modules,
such as application pools, HTTP compression, network, and operating system
settings.
Key Points
Configure the security settings to match the needs of the sites and applications.
Question: What are the security needs of the applications in your organization?
Key Points
Some Web sites need to send email through an SMTP (Simple Mail Transfer
Protocol) server. To enable this functionality, you need to configure information
needed to contact the SMTP server. This can be accomplished through the Site
settings in IIS Manager.
Key Points
Discuss your organization's current environment in a classroom discussion, led by
your instructor, and determine possible installation and configuration solutions in
IIS 7.0.
Review Questions
1. What is the benefit of a modular architecture?
2. Describe various scenarios in which organizations may benefit from
implementing IIS on Windows Server Core.
3. Which installation method can be used with scripting?
4. Which workloads are not available on Windows Server Core?
Module 2
Configuring IIS 7.0 Web Sites and Application
Pools
Contents:
Lesson 1: Introducing Web Sites and Application Pools
Lesson 2: Creating and Configuring Web Sites and Applications
Lesson 3: Creating and Configuring a New Application Pool
Lesson 4: Maintaining an Application Pool
Lab: Configuring IIS 7.0 Web Sites and Application Pools
Module Overview
IIS 7.0 makes Web sites and applications more secure by automatically isolating
them, providing sandboxed configuration and unique process identity by default.
This module briefly introduces the new integrated pipeline mode of IIS 7.0 and
new features of application pools. In this module, you will learn how to create
new sites, applications, and application pools. You will also learn how to configure
and manage application pools.
Lesson 1:
Introducing Web Sites and Application Pools
Key Points
An application pool is a group of one or more URLs that are served by a worker
process or a set of worker processes. Application pools set boundaries for the
applications they contain, which means that any applications running outside of a
given application pool cannot affect the applications within the application pool.
Question: Do you have multiple applications running under one application pool
in your organization?
Key Points
In IIS 7.0, the ASP.NET request processing pipeline overlays the IIS pipeline directly,
essentially providing a wrapper over it instead of plugging into it.
A request arriving for any content type is processed by IIS, with both native IIS
modules and ASP.NET modules being able to provide request processing in all
stages. This enables services provided by ASP.NET modules like Forms
Authentication or Output Cache to be used for requests to ASP pages, PHP pages,
static files, and so on.
The ability to plug directly into the server pipeline allows ASP.NET modules to
replace, run before, or run after any IIS functionality. This enables, for example, a
custom ASP.NET basic authentication module written to use the Membership
service and SQL Server user database to replace the built-in IIS basic authentication
feature that works only with Windows accounts.
Question: What is an ISAPI filter and why was it used in IIS 6.0?
Key Points
The identity of an application pool is the name of the service account under which
the application pool's worker process runs. By default, application pools operate
under the Network Service user account, which has low-level user access rights.
You can configure application pools to run under one of the built-in user accounts
in the Windows Server 2008 operating system. For example, you can specify the
Local System user account, which has higher-level user privileges than either the
Network Service or Local Service built-in user accounts. However, remember that
running an application pool under an account with high-level user rights is a
serious security risk.
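One way to review application pool identities, as an added example that is not part of the course material: a Python check that reads the applicationPools section of an applicationHost.config file and lists pools running as Local System. The XML fragment is constructed, and the pool and account names are made up; a pool with no identity of its own takes the value from applicationPoolDefaults, and Network Service is assumed when neither is set, as the text above states.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; pool and account names are made up.
SAMPLE = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="LegacyBilling">
        <processModel identityType="LocalSystem" />
      </add>
      <add name="Reports">
        <processModel identityType="SpecificUser" userName="svc-reports" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="NetworkService" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>"""

DEFAULT_IDENTITY = "NetworkService"  # default identity named in the text above
HIGH_PRIVILEGE = {"LocalSystem"}     # flagged in the text as a serious security risk


def child(node, tag):
    """First direct child with this tag, or None (also when node is None)."""
    if node is None:
        return None
    return next((c for c in node if c.tag == tag), None)


def pool_identities(xml_text):
    """Map each application pool name to the identity type it actually runs as."""
    root = ET.fromstring(xml_text)
    pools = child(child(root, "system.applicationHost"), "applicationPools")
    if pools is None:
        return {}
    # Pools without their own processModel inherit from applicationPoolDefaults.
    defaults = child(child(pools, "applicationPoolDefaults"), "processModel")
    inherited = DEFAULT_IDENTITY
    if defaults is not None:
        inherited = defaults.get("identityType", DEFAULT_IDENTITY)
    result = {}
    for pool in pools:
        if pool.tag != "add":
            continue
        model = child(pool, "processModel")
        if model is None:
            result[pool.get("name")] = inherited
        else:
            result[pool.get("name")] = model.get("identityType", inherited)
    return result


def high_privilege_pools(xml_text):
    """Names of pools whose worker processes run under a high-privilege account."""
    identities = pool_identities(xml_text)
    return sorted(name for name, ident in identities.items() if ident in HIGH_PRIVILEGE)


if __name__ == "__main__":
    for name, ident in pool_identities(SAMPLE).items():
        print(f"{name}: {ident}")
    print("review:", high_privilege_pools(SAMPLE))
```

Because unset pools inherit the default, a change to applicationPoolDefaults can raise the privileges of every pool that does not set its own identity, so the defaults element is worth checking first.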
Question: What are the scenarios in your organization in which you might use a
custom identity for an application pool?
Key Points
Authentication is the process for verifying that an entity or object is who or what it
claims to be. IIS 7.0 supports the following authentication methods:
• Basic authentication prompts the user for a user name and a password, also
called credentials, which are sent unencrypted over the network.
• Integrated Windows authentication uses hashing technology to scramble user
names and passwords before sending them over the network.
• Digest authentication operates much like Basic authentication, except that
passwords are sent across the network as a hash value. Digest authentication is
only available on domains with domain controllers running Windows Server
operating systems.
• Anonymous authentication allows everyone access to the public areas of the
Web sites, without asking for a user name or password.
Key Points
The default application pool is named DefaultAppPool. It is set to use ASP.NET
integrated mode and runs under the Network Service identity.
Question: What application pool settings would you change if upgrading a key
server from IIS 6.0 to IIS 7.0 in your environment?
Lesson 2:
Creating and Configuring Web Sites and
Applications
In this lesson, you will learn the difference between sites and applications, and
how to create sites and applications. You will also learn how to configure virtual
directories and authentication, and some scenarios and best practices for hosting
sites in a virtualized environment.
Key Points
When you want to publish content for access over the Internet or an intranet
connection, you can add a Web site to your Web server to hold the content.
Question: Why would you add more than one site to a server?
Key Points
An ASP.NET Web application, in its simplest form, consists of a directory made
available by means of HTTP, using the IIS administration tool or through the Web
Sharing tab of a folder’s Properties dialog box (or by creating a Web application
project in Visual Studio .NET), and at least one ASP.NET page, designated by the
.aspx file extension. This file (or files) typically contains a mix of HTML and
server-side code. The HTML and server-side code combine to create the final
output of the page, typically consisting of HTML markup that is sent to the client
browser.
Key Points
A Web application is a grouping of content at the root level of a Web site or a
grouping of content in a separate folder below the Web site's root directory. When
you add a Web application in IIS 7.0, you designate a directory as the application
root, or starting point, for the application and then specify properties specific to
that particular application, such as the application pool that the application will
run in.
Key Points
A virtual directory is a directory name, used in an address, which corresponds to a
physical directory on the server. You can add a virtual directory to include
directory content in a Web site or Web application without needing to move the
content physically into that Web site or Web application directory.
Configuring Authentication
Key Points
You can configure IIS to authenticate users before they are permitted access to a
Web site, a folder in the site, or even a particular document contained in a folder in
the site. Authentication in IIS can be used to strengthen the level of security on
sites, folders, and documents that are not to be viewed by the general public.
Authentication in IIS is critical when resources are not meant for anonymous or
public access, but when the Web server must be accessible to approved users over
the Internet. Examples of Web site applications that require authentication access
control include Microsoft Outlook Web Access (OWA) and the Microsoft Terminal
Services Advanced Client.
Question: When would you configure authentication at the site level versus the
application level?
Key Points
IIS 7.0 can run on a virtual machine. To get the most from this configuration:
• On a 64-bit host machine, enable 32-bit processes and run multiple 32-bit
Web servers (each will have access to up to 4 GB of memory).
• Consolidate legacy Web sites and applications to virtual servers running older
operating systems to free hardware and resources
• Use virtual machines to further isolate sites. Deploy identical virtual servers
with virtual directories hosted on network attached storage to host multiple
sites.
Lesson 3:
Creating and Configuring a New Application
Pool
Key Points
Application pools isolate Web sites and Web applications to address reliability,
availability, and security issues.
Key Points
You can configure the basic settings for the application pool.
Question: When would you want to configure the application pool through a
script?
Key Points
Configure an Application Pool's Advanced Settings to change the pipeline mode
and configure health management and recycling settings.
Lesson 4:
Maintaining an Application Pool
In addition to basic configuration, there are some specific tasks you may need to
perform periodically to maintain application pools. This lesson describes these
tasks and the common settings and scenarios in which they might be performed.
Key Points
Recycling only works on an application pool that is already running.
Key Points
Stopping an application pool causes the WWW service to shut down all running
worker processes serving that application pool. The WWW service does not restart
these worker processes. An administrator must restart all stopped application
pools. All applications routed to a stopped application pool receive 503 Service
Unavailable errors.
Question: Why would you stop an application pool instead of recycling it?
Key Points
Not all settings are available in the Basic properties.
Key Points
You might decide to rename an application pool to better associate it with the
applications it contains.
Key Points
If an application pool does not have any applications assigned to it, you can
remove the application pool. However, if the application pool has applications
assigned to it, you must assign those applications to another application pool
before removing the original application pool. Applications cannot run unless they
are associated with an application pool.
Managing Authentication
Key Points
You can perform this procedure by using the user interface (UI), by running IIS 7.0
command-line tool commands in a command-line window, by editing
configuration files directly, or by writing WMI scripts.
Review Questions
1. What is the benefit of the unified request pipeline?
2. What are application pools?
3. How do you remove an application pool?
4. If an application pool is stopped, what response will clients receive?
Module 3
Configuring IIS 7.0 Application Settings
Contents:
Lesson 1: Configuring Application Settings
Lesson 2: Configuring ASP.NET Security
Lab: Configuring IIS 7.0 Application Settings
Module Overview
Because of the runtime integration, IIS and ASP.NET can use the same
configuration for enabling and ordering server modules, and configuring handler
mappings. Other unified functionality includes tracing, custom errors, and output
caching. In this module, you will learn how to configure application settings.
You will also learn how to deploy and secure multiple applications on a single Web
server.
Lesson 1:
Configuring Application Settings
Key Points
A request arriving for any content type is processed by IIS, with both native IIS
modules and ASP.NET modules being able to provide request processing in all
stages.
The ability to plug directly into the server pipeline allows ASP.NET modules to
replace, run before, or run after any IIS functionality.
Key Points
If you use the Add Roles Wizard to install IIS 7.0, you get the default installation,
which has a minimum set of role services. If you need additional IIS 7.0 role
services, such as Application Development or Health and Diagnostics, make sure to
select the check boxes associated with those features in the Select Role Services
page of the wizard.
Key Points
• Custom error messages let you provide a friendly or a more informative
response by serving a file, executing a resource, or redirecting to a URL, when
visitors to your site cannot access the content they requested.
• By default, IIS serves error messages that are defined in files stored in the
systemroot\Help\IisHelp\Common folder. You can create a custom error
message for users and configure IIS to return this page whenever it encounters
a specific HTTP error on your site.
Question: In which scenarios in your organization might you use custom errors
for an application?
Key Points
In previous versions of IIS, moving a Web site from one server to another meant
that you had to explicitly configure IIS application settings in the machine-level
metabase repository before the application could function properly. With IIS 7.0,
however, the process of deploying a Web site is now much easier.
Question: Name three scenarios in your organization in which you might use stage
and deploy to deploy an application.
Key Points
IIS lets you configure the following .NET compilation settings:
• Batch settings, such as the maximum file size that you can batch and the
maximum number of pages that you can have per batched compilation.
• Behavior settings, such as the number of times resources are dynamically
compiled before the application is restarted.
• General settings, such as the default programming language that is used in
dynamic compilation files.
Question: What is the difference between culture settings and language settings?
Give an example of both.
Key Points
Session State:
When clients visit a site, they generally navigate from one page to another and
frequently change some of the pages they visit. If you want to track where they go
and what they change, you must configure session state. Session state can be saved
in process or on a server.
Pages and Controls:
IIS 7.0 lets you configure the following ASP.NET page and user controls settings:
• Behavior settings: for example, whether the Web page maintains its view state
and the view state of any server controls it contains when the current page
request ends.
• General settings: for example, namespaces that are included for all pages.
• Compilation settings: for example, whether pages are compiled or interpreted.
• Services: for example, whether session state is enabled.
Key Points
A connection string provides the information that an application or provider must
have to communicate with a particular database. A connection string usually
supplies the server or location of the database server, the particular database to
use, and the authentication information. Using a connection string enables you
to connect to databases from managed code applications in a centralized manner.
ASP.NET 2.0 includes several services that store state in a database or other data
store. A provider is a software module that implements a uniform interface
between one of these services and a data source. In IIS 7.0, you can set the default
provider for your application. You can also configure the provider properties. For
example, Users is a provider-based feature where one provider stores the user data
in SQL whereas another provider stores the user data in a text file.
Question: How do you use database servers in your current Web application
deployments?
Key Points
Configure application settings when you want to store key/value pairs as part of
your configuration in the Web.config file. Application settings provide a quick,
easy-to-access area to store configuration data for your application.
Machine keys help protect Forms authentication cookie data and page-level view
state data. They also verify out-of-process session state identification. ASP.NET uses
the following types of machine keys:
• A validation key computes a Message Authentication Code (MAC) to confirm
the integrity of the data. This key is appended to either the Forms
authentication cookie or the view state for a specific page.
• A decryption key is used to encrypt and decrypt Forms authentication tickets
and view state.
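How a validation key protects view state for a specific page, as an added example that is not code from the course or from ASP.NET. It models the MAC with HMAC-SHA256 from the Python standard library; the function names, the page-path binding and the token layout are assumptions and do not reproduce the ASP.NET wire format.

```python
import base64
import hashlib
import hmac
import os

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def _mac(view_state: bytes, page_path: str, validation_key: bytes) -> bytes:
    # Binding the page path into the MAC input means a token issued for one
    # page does not validate on another page (assumed layout, see lead-in).
    message = page_path.encode("utf-8") + b"\x00" + view_state
    return hmac.new(validation_key, message, hashlib.sha256).digest()


def protect(view_state: bytes, page_path: str, validation_key: bytes) -> str:
    """Return base64(view_state || MAC) for one page."""
    mac = _mac(view_state, page_path, validation_key)
    return base64.b64encode(view_state + mac).decode("ascii")


def unprotect(token: str, page_path: str, validation_key: bytes) -> bytes:
    """Check the MAC and return the view state; raise ValueError if it fails."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        raise ValueError("malformed token") from None
    if len(raw) < MAC_LEN:
        raise ValueError("token too short to carry a MAC")
    view_state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = _mac(view_state, page_path, validation_key)
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(mac, expected):
        raise ValueError("integrity check failed")
    return view_state


if __name__ == "__main__":
    key = os.urandom(32)  # constructed key for the demo only
    token = protect(b"cart=3;role=user", "/shop/cart.aspx", key)
    print("round trip:", unprotect(token, "/shop/cart.aspx", key))

    tampered = bytearray(base64.b64decode(token))
    tampered[10] ^= 0x01  # flip one bit inside the view state
    try:
        unprotect(base64.b64encode(bytes(tampered)).decode(), "/shop/cart.aspx", key)
    except ValueError as exc:
        print("tampered token rejected:", exc)
```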
Question: What are some examples of Web application settings and how are they
used by the application?
Lesson 2:
Configuring ASP.NET Security
In this lesson, you will learn about securing content and your Web server through
File and Folder security. You will also learn about configuring advanced security to
reduce the attack surface of your application, adding ISAPI filters in Classic mode,
and configuring .NET trust levels.
Key Points
A virtual directory is a directory name, used in an address, which corresponds to a
physical directory on the server. You can add a virtual directory to include
directory content in a Web site or Web application without needing to move the
content physically into that Web site or Web application directory. When an
application uses content from a virtual directory, whether local or on a remote file
share, you must configure that directory's security to allow the application pool
identity read and/or write access.
In addition, any other resources that your application needs to access or modify
must be configured to allow the appropriate permissions.
Key Points
You can improve server security by reducing the number of attack points. This
means only installing what you need and disabling any unnecessary functionality.
Key Points
Internet Server Application Programming Interface (ISAPI) filters are programs that
you can add to IIS to enhance Web server behavior. ISAPI filters receive every
HTTP request made to the Web server to provide additional functionality for the
server, such as logging request information, authenticating and authorizing users,
rewriting URLs, and compressing Web content to reduce bandwidth cost.
• In IIS 7.0, modules replace ISAPI filters, but you can still add ISAPI filters if
you require the functionality that they provide.
• You can add ISAPI filters at the server level and the site level. If you add the
ISAPI filter at the server level, the filter will intercept all requests made to the
server. If you add the ISAPI filter to a specific site, the filter will intercept all
requests made to that site.
Question: How are you using ISAPI filters in your organization's applications
today?
Key Points
An application's trust level determines the permissions that are granted by the
ASP.NET code access security (CAS) policy. CAS defines two trust categories: full
trust and partial trust. An application that has full trust permissions can access all
resource types on a server and perform privileged operations. Applications with
full trust are affected only by the security settings of the operating system.
Question: When might you change the .NET trust level of an application?
Lab Review
Review Questions
1. How can you improve the user experience when a problem is encountered?
2. What are application settings and how are they used?
3. If an application is completely self-contained and does not need to access
external information, what is the best setting for its .NET trust level?
Module 4
Configuring IIS 7.0 Modules
Contents:
Lesson 1: An Overview of IIS 7.0 Modules
Lesson 2: Reviewing Native Module Functionality
Lesson 3: Configuring Native Modules
Lesson 4: Configuring Managed Modules
Lab: Configuring and Editing IIS 7.0 Modules
Module Overview
IIS 7.0's Web-server feature set is componentized into more than thirty
independent modules. A module is either a Win32 DLL (native module) or a .NET
2.0 type contained within an assembly (managed module). Similar to a Lego set,
modules are added to the server in order to provide the desired functionality for
your applications. Likewise, all IIS modules can be removed, or replaced with
custom modules developed using the new IIS 7.0 C++ APIs, or the familiar
ASP.NET 2.0 APIs.
Lesson 1
An Overview of IIS 7.0 Modules
IIS 7.0 provides significant enhancements over IIS 6.0 in many areas, particularly
with regard to customization and modularity. The modular nature of IIS 7.0 offers
many administrative advantages, including increased security, expandability, and
customization.
Key Points
• IIS 6.0 features a monolithic implementation which forces the administrator to
install all or nothing.
• IIS 6.0 extends server functionality only through ISAPI, which restricts
expandability.
Question: Have you encountered any limitations with IIS 6.0 where you expect
improvement by deploying IIS 7.0?
Key Points
• The server functionality is split into many modules.
• The request-processing architecture consists of a list of modules that perform
specific tasks in response to requests.
• You can manage all of the modules in one location, instead of managing some
features within IIS and some in the ASP.NET configuration.
Question: Which modules do you think pose the greatest security risk, such that
you would most likely not deploy them in your organization?
Key Points
• Internet Server Application Programming Interface (ISAPI) filters are programs
that you can add to IIS to enhance Web server behavior.
• In IIS 7.0, modules replace ISAPI filters, but you can still add ISAPI filters if
you require the functionality that they provide.
Key Point
• Modules process parts of a request to provide a desired service, such as
authentication or compression.
• Typically, modules do not generate responses to clients; instead, handlers
perform this action because they are better suited for processing specific
requests for specific resources.
Lesson 2
Reviewing Native Module Functionality
Native modules are components that are built into IIS 7.0 and can be deployed,
configured, and managed to suit the needs of the individual Web site and server.
Key Points
• A minimal number of modules are registered by default for a base
configuration of IIS 7.0.
• These modules perform basic functions like managing anonymous
authentication, serving static files, and managing basic logging.
Question: Can you imagine any scenarios where you would want to de-register any
of these basic modules?
Key Points
• These modules primarily manage caching and so should be deployed to
improve server performance in situations where they would match the types of
content being served.
Question: Which of these modules would be useful for Web sites that you've
deployed?
Key Points
• ApplicationHost.config is the root file of the IIS 7.0 configuration system.
• It includes definitions for all:
• Sites
• Applications
• Virtual directories
• Application pools
Lesson 3
Configuring Native Modules
It is easy to manage the native modules in IIS 7.0. They can be managed by
manually editing the IIS 7.0 configuration store, by using the IIS Manager, or by
using the AppCmd.exe command line tool.
Key Points
• In order to install a native module, it needs to be registered with the server.
• It can be registered by manually editing the applicationHost.config file, by
using the IIS Manager, or by using the AppCmd.exe command line tool.
• Typically editing the applicationHost.config file is a more reliable method, and
offers you greater control over how to register native modules.
Key Points
• After you register a native module from this dialog box, you must also add it to
the Modules list on the Web server before the module can process requests.
• In the Edit Native Module Registration dialog box, you can enter the
descriptive module name and the full path and file name of the associated .dll
file.
Key Points
• Use the Modules feature page to manage the native modules and managed
modules.
• The Modules feature page lists all the modules currently installed on the
server.
• The information displayed includes name, code, module type, and entry type.
Key Points
• After you register a native module, that module will be loaded and available in
every application pool on the server, but you must also enable it by adding it
to the list on the Modules feature page.
• Only server administrators can add native modules to the Web server.
• Native modules can be added only at the server level in IIS 7.0.
Key Points
• Use the Add Module Mapping and Edit Module Mapping dialog boxes to add
new or edit existing module mappings on the Web server.
• You can map a specific file or file name extension to a native module on the
Web server, so that when a user requests the file or a file that has the specified
extension, the module will process the request.
Key Points
• You can un-install a native module if that module is no longer in use on the
server, or if you would like to replace it with another module.
• You can do that by removing the corresponding module entry from the
<globalModules> configuration list, and the associated entry in the <modules>
configuration list.
• You can do this by manually editing the applicationHost.config file, using the
IIS Manager, or using the AppCmd.exe command line tool.
Key Points
• When you remove a native module from a site or an application, you are
removing the associated native module from a specific application on the
server, but you are not removing the registration of the native module from the
Web server.
• Typically this is a more reliable method, and offers you greater control over
how to disable native modules.
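The two-step model in this lesson (register a native module in <globalModules>, then enable it in <modules>) can be checked offline against a copy of applicationHost.config. The following is an added example, not part of the course material: it audits a constructed configuration fragment, and the function names, the sample module ExampleLegacyModule and its path are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real server's configuration.
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ExampleLegacyModule" image="C:\Modules\example_legacy.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="DefaultDocumentModule" />
        <add name="StaticFileModule" />
        <add name="RequestFilteringModule" />
        <add name="FormsAuthentication"
             type="System.Web.Security.FormsAuthenticationModule"
             preCondition="managedHandler" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""

# Directory that holds the modules shipped with IIS (compared case-insensitively).
IIS_DIR = r"%windir%\system32\inetsrv" + "\\"


def server_level(root, section):
    """Yield <section> elements that apply to the whole server.

    They sit either directly under <configuration> or under a
    <location path=""> element; site-specific locations are ignored.
    """
    scopes = [root] + [loc for loc in root.findall("location")
                       if loc.get("path", "") == ""]
    for scope in scopes:
        for web_server in scope.findall("system.webServer"):
            yield from web_server.findall(section)


def audit_modules(apphost_xml):
    root = ET.fromstring(apphost_xml)

    registered = {}  # native module name -> DLL path
    for global_modules in server_level(root, "globalModules"):
        for add in global_modules.findall("add"):
            registered[add.get("name")] = add.get("image", "")

    native_enabled, managed_enabled = [], []
    for modules in server_level(root, "modules"):
        for add in modules.findall("add"):
            # Managed modules carry a .NET type and need no registration.
            target = managed_enabled if add.get("type") else native_enabled
            target.append(add.get("name"))

    return {
        # Loaded into worker processes but not handling requests:
        # candidates for unregistering to shrink the footprint.
        "registered_not_enabled": sorted(set(registered) - set(native_enabled)),
        # Enabled without a registration: a configuration error.
        "enabled_not_registered": sorted(set(native_enabled) - set(registered)),
        "managed": sorted(managed_enabled),
        # Native DLLs outside the IIS directory deserve a manual review.
        "image_outside_inetsrv": sorted(
            name for name, image in registered.items()
            if not image.lower().startswith(IIS_DIR)),
    }


if __name__ == "__main__":
    for finding, names in audit_modules(SAMPLE_APPHOST).items():
        print(f"{finding}: {names}")
```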
Lesson 4
Configuring Managed Modules
A managed module does not require installation, and can be enabled directly for
each application.
Key Points
• A managed module does not require installation, and can be enabled directly
for each application.
• Enabling a module allows it to provide its service for a particular application.
In order to enable a native module, it must first be installed on the server.
• Managed module types include built-in managed modules and user-created C#
programs.
Key Points
• IIS 7.0 includes several managed modules that process parts of requests, such
as authentication and caching.
• You can edit existing managed modules, or add new modules to extend the
functionality of the Web server.
Key Points
• You can use the IIS Manager to change the settings for a managed module.
Key Points
• To edit a managed module at the server level, use the following syntax:
appcmd set module /name:string /type:string /preCondition:string
• The variable name:string is the name of the managed module that you want to
edit at the server level. The variable type:string is the managed type for the
module. Optionally, specify a condition or conditions under which the module
will run by including the variable preCondition:string.
Key Points
• You can remove a managed module from a site or application if the site or
application does not require the module for processing.
• Removing a managed module means that the module is removed from the list
of active modules; however, the code still exists on the Web server.
• You can add the module again if application requirements change.
Exercise Overview
In this exercise, students will learn how to remove native modules from a Web
server to improve security and reduce the server footprint.
The main tasks for this exercise are as follows:
1. Start the 6427A-NYC-WEB virtual machine and log on as Administrator.
2. Backup the current Web server configuration.
3. Examine the modules currently installed on the Web server.
4. Remove the Default Document Module and the Directory Listing Module.
5. Validate that the modules have been removed and test the new server
configuration.
6. Restore the modules to the Web server configuration.
7. Validate that the modules have been restored and test the server configuration.
Task 5: Validate that the modules have been removed and test the
new server configuration.
Task 7: Validate that the modules have been restored and test the
server configuration.
Results: After this exercise, you should have successfully removed native modules from
a Web server, and then confirmed that the server operates as expected.
Exercise Overview
In this exercise, students will learn how to add new managed modules to a Web
server.
The main tasks for this exercise are as follows:
1. Install the logging managed module.
2. Confirm the installation of the logging managed module.
3. Test the Web site’s forms authentication page.
4. Examine the modules currently running on the Web server.
5. Remove the forms authentication managed module.
6. Test the new configuration.
Results: After this exercise, you should have successfully added a managed module to
the Web server.
Review Questions
1. What typically generates the response to the client: native modules, managed
modules, ISAPI filters, or handlers?
2. Do both native modules and managed modules need to be added to the
<globalModules> configuration section of the applicationHost.config?
3. Native module files have what type of file extension?
4. When would you use the precondition variable?
5. You need a new managed module built by the development team. What
programming language would you recommend that they use for creating the
module?
Tools
Module 5
Securing the IIS 7.0 Web Server and Web Sites
Contents:
Lesson 1: Configuring Secure Web Sites and Servers
Lesson 2: Configuring Other Aspects of Web Server Security
Lesson 3: Configuring Logging for IIS 7.0
Lab: Securing the IIS 7.0 Web Server and Web Sites
Module Overview
Web servers are often placed in a very precarious position. They are typically
public-facing servers, but they also need to maintain very tight security in order to
maintain the integrity of the server and the confidence of their users.
Microsoft IIS 7.0 provides many tools and techniques for maintaining a highly
secure Web server environment.
Lesson 1
Configuring Secure Web Sites and Servers
There are many tools and techniques available for securing Web sites and servers.
These include such techniques as restricting certain IP addresses, setting up
authorization rules, and managing authentication. By using these and other
techniques, you can make your Web server more secure and highly available.
Key Points
There are many features and tools built in to IIS 7.0 that allow customizing of Web
site and server security. These tools help secure and restrict unauthorized access to
the Web sites and server.
Key Points
There are many features that can be used to secure an IIS 7.0 server. Some of them
are designed as part of the IIS 7.0 system and installation process, while others
need to be manually configured and monitored by the administrator.
Key Points
• IP address and domain restrictions can restrict or grant access to Web site
content based on IP addresses or domain names.
• IP address and domain restrictions can restrict or grant access to specific users
or organizations that Web site administrators deem harmful or unwanted.
Question: Do you feel that this type of security would be useful to your
organization?
Key Points
• Authorization allows users to access Web server content, and you can
authorize it based on NTFS permissions, publishing point permissions, and
the client's IP address.
• In many cases, authorization is combined with authentication.
Key Points
There is a lot of flexibility in defining authorization rules. Authorization rules can
be defined for specific verbs, specific roles, specific users, and/or specific groups.
Managing Authentication
Key Points
• IIS 7.0 may use authentication to identify users. This information can be
placed in log files or you can use it in combination with authorization plug-ins
to control content access.
• IIS 7.0 offers many different types of authentication to optimally customize the
level of security and access to Web sites.
Key Points
• ISAPI and CGI restrictions are request handlers that allow dynamic content to
execute on a server.
• Allowing all unspecified extensions is a security risk, because your Web server
could become susceptible to computer viruses or worms that exploit these
technologies. To reduce this risk, as a best practice you should allow only
those specific ISAPI extensions or CGI files that you need to run on your Web
server.
Key Points
Authentication helps you confirm the identity of users requesting access to your
Web sites. IIS 7.0 supports both challenge-based and login redirection-based
authentication methods.
Question: What are some scenarios where delegation and remote administration
would be useful for managing a complex Web server deployment?
Key Points
• There are many different types of authentication available in IIS 7.0. Different
types of authentication can provide different types of Web site security.
• Only Anonymous Authentication is enabled by default.
Lesson 2
Configuring Other Aspects of Web Server Security
There are additional tools and techniques that can be managed to enhance Web
server security. Certificates are a key component of creating a trusted relationship
between the Web client and the Web server.
Reviewing Certificates
Key Points
• Web server certificates protect Internet communication by establishing a trust
relationship between the Web client and Web server.
• You can obtain certificates from a mutually trusted third-party organization
called a certification authority. Server certificates provide a way for users to
confirm the identity of your Web site before they transmit personal
information, such as a credit card number.
Question: Name some common scenarios that use certificates and SSL-encrypted
connections.
Key Points
Renewing expired certificates is easy. There are several tools and wizards available
in IIS 7.0 for managing certificates.
Question: Do you currently use Web server certificates? Do you plan on deploying
them in the future for new projects?
Key Points
Adding security certificates to Web sites is very easy. There are several tools and
wizards available in IIS 7.0 for managing certificates.
Question: Can any of your Web sites benefit from the addition of security
certificates?
Key Points
• URLScan was a security tool that was provided as an add-on to earlier versions
of IIS so administrators could enforce tighter security policies on their Web
servers.
• There are many different filters that can be deployed when managing Request
Filtering.
Question: What aspects of attacks, malware, viruses and worms can be stopped
by implementing aspects of Request Filtering?
Key Points
• IIS 7.0 features a completely modular Web server infrastructure where only
the bare minimum number of components are installed and enabled by
default.
• This has a lot of benefits since administrators can choose exactly what they
want to install. With fewer components installed, there is a much smaller
surface area available to attackers and there are fewer things to manage and
maintain.
Key Points
RPC over HTTPS provides an easy and secure method of connecting a Microsoft
Outlook client to a Microsoft Exchange server. You can configure user accounts in
Outlook to connect to an Exchange Server over the Internet without the need to
use VPN connections.
Key Points
Permit a Windows user to connect to a site or an application when you want to let
the user configure delegated features in that Web site or application using IIS
Manager. You can either permit a specific Windows user, or specify a Windows
group so that users of that group can connect to the site or application.
Key Points
• ISAPI and CGI restrictions are request handlers that allow dynamic content to
execute on a server.
• These restrictions are either CGI files (.exe) or ISAPI extensions (.dll).
Lesson 3
Configuring Logging for IIS 7.0
Effective monitoring and auditing of Web server logs is necessary for maintaining
useful and stable Web sites. The logging options in IIS 7.0 are highly configurable.
Key Points
• You can collect information about user activity by enabling logging for your
Web sites and servers.
• Logging information in IIS 7.0 goes beyond the scope of the simple event
logging or performance monitoring features in Microsoft Windows.
• The logs can include information such as who has visited your site, what the
visitor viewed, and when the information was last viewed.
Question: How have you used Web site logging in the past?
Key Points
• Logging can help secure Web sites and servers. You can collect information
about user activity by enabling logging for your Web sites.
• The logs can include information such as who has visited your site, what the
visitor viewed, and when the information was last viewed. You can use these
Web logs to assess content popularity or to identify information bottlenecks.
Question: Do you currently audit your Web logs for unauthorized and possibly
harmful Web site requests?
Key Points
• Logging options are very customizable in IIS 7.0. There are many fields and
information that can be integrated into the Web site log files.
• Effective use of the Logging Options allows you to build comprehensive Web logs
that are manageable in size.
Question: What fields might be most useful in reviewing Web site logs?
Key Points
• There are many different formats, encoding, and options for Web site logging.
• The default logging method for IIS 7.0, the W3C Extended Log File Format, is
a standard defined by the World Wide Web Consortium. This logging format
can divulge a large amount of information on the activity of your IIS server,
and IIS lets you drill down to select which options you want to log.
Question: What type of log file rollover setting might be most useful in your
organization?
Key Points
• The View Log Files option opens the log file directory.
• The View Log Files option may be unavailable. If it is not available, you can use
Notepad or a third-party product to view the logs.
Question: What third-party applications can you use for analyzing Web site log
files?
Key Points
• You can use the logs to assess content popularity of certain Web site pages or
files. You can also identify information bottlenecks.
• You can use security auditing techniques to track the activities of users and to
detect unauthorized attempts to access your NTFS file system directories and
files.
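Auditing W3C Extended logs for the two signals this lesson mentions, requests carrying non-ASCII characters and repeated unauthorized attempts, can be scripted. The following is an added example, not part of the course material: the log lines are constructed, and the function names and the threshold of three denied requests are assumptions.

```python
import re
from collections import Counter

# Constructed sample log (documentation IP ranges), not from a real server.
# \u00e9 is a non-ASCII character written as an escape; the last line is truncated.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-03-04 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-03-04 10:00:01 192.0.2.10 GET /default.aspx - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2008-03-04 10:00:05 192.0.2.10 GET /docs/memo.doc - 80 - 198.51.100.9 Mozilla/4.0 401 2 5
2008-03-04 10:00:06 192.0.2.10 GET /docs/memo.doc - 80 - 198.51.100.9 Mozilla/4.0 401 2 5
2008-03-04 10:00:07 192.0.2.10 GET /docs/memo.doc - 80 - 198.51.100.9 Mozilla/4.0 401 2 5
2008-03-04 10:00:09 192.0.2.10 GET /search.aspx q=%E9%80 80 - 203.0.113.5 Mozilla/4.0 404 0 2
2008-03-04 10:00:12 192.0.2.10 GET /caf\u00e9.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2008-03-04 10:00:15 192.0.2.10 GET /defa
"""

# A percent-escape whose first hex digit is 8-F encodes a byte above 0x7F.
HIGH_BIT_ESCAPE = re.compile(r"%[89A-Fa-f][0-9A-Fa-f]")


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive.

    The field list is configurable per site, so column positions are
    never assumed; they are read from the log itself.
    """
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip, do not misalign columns
        yield dict(zip(fields, values))


def has_high_bit(value):
    """True if the value holds a raw or percent-encoded character above 0x7F."""
    return bool(HIGH_BIT_ESCAPE.search(value)) or any(ord(ch) > 0x7F for ch in value)


def audit(text, denied_threshold=3):
    """Return (requests with high-bit characters, clients repeatedly denied)."""
    high_bit, denied = [], Counter()
    for rec in parse_w3c(text):
        target = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
        if has_high_bit(target):
            high_bit.append((rec.get("c-ip"), rec.get("cs-uri-stem"),
                             rec.get("sc-status")))
        if rec.get("sc-status") in ("401", "403"):
            denied[(rec.get("c-ip"), rec.get("cs-uri-stem"))] += 1
    repeated = {key: n for key, n in denied.items() if n >= denied_threshold}
    return high_bit, repeated


if __name__ == "__main__":
    flagged, repeated = audit(SAMPLE_LOG)
    for client, stem, status in flagged:
        print(f"high-bit characters: {client} {stem} -> {status}")
    for (client, stem), count in repeated.items():
        print(f"repeated denials: {client} {stem} x{count}")
```

The second flagged request is a legitimate file with an accented name, so a site that serves such content needs an allow list before these hits are treated as suspicious.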
Key Points
• It is important to maintain good practices when managing and reviewing your
Web log files.
• Locate the log files on a secure, reliable drive, in a directory other than
systemroot.
• Maintain a reliable corporate policy on log file retention.
• Monitor and manage the maximum number of log files to keep and the
maximum size of the log files.
• Find and secure access to obsolete files.
Question: Do you know of any other good practices in managing and monitoring
Web site logs?
Task 7: Set ISAPI and CGI restrictions to use ASP.NET version 1.1
Task 8: Set the rights and permissions for Active Directory users
Results: After this exercise, you should have successfully set IP restrictions, ISAPI and
CGI restrictions, and Active Directory permissions, as specified in a service request
document.
Task 1: Turn off the Web site cache for the shared documents folder
Task 2: Sign into the Woodgrove Bank Web site and retrieve the
confidential memo
Results: After you reconfigure the Web site’s authorization and authentication so that
all content uses forms authentication, thereby protecting the confidential memo, the
only way to obtain the memo is by having the correct credentials.
Results: After examining the configuration of the Web server’s logging settings, the
current log file was examined and proven to successfully track the Web server’s
activity.
Review Questions
1. After reviewing your Web server logs you notice some suspicious requests
employing non-ASCII characters. What security feature could you employ in
response to this particular hazard?
2. Which user is assigned access to files when you allow anonymous access?
3. A developer wants to deploy an application, authenticating users using the
new Passport system. Which Authentication method would you recommend?
4. A developer wants to add a shopping component to a Web site. What would
you do to ensure confidence and security for users to enter their credit card
numbers into a Web form?
Active Server Pages not running: Check to make sure that ASP content is
activated in the ISAPI and CGI restrictions.
Tools
Module 6
Configuring Delegation and Remote
Administration
Contents:
Lesson 1: Configuring Remote Administration
Lesson 2: Configuring Delegated Administration
Lesson 3: Configuring Feature Delegation
Lab: Configuring Delegation and Remote Administration
Module Overview
This module helps students to use the delegated rights assignment system and the
remote administration system in IIS 7.0. Students will assign rights to Web sites to
users and configure users to serve as remote administrators of a server and its
corresponding Web sites.
Lesson 1
Configuring Remote Administration
The IIS 7.0 remote administration service uses the HTTPS protocol to allow remote
Web server administration. This lesson focuses on configuring the Remote
Administration service.
Delegation Overview
Key Points
IIS 7.0 delegated administration is useful in multiple scenarios, including the
following:
• You are a server administrator and you are not the primary person providing
content on your server.
• You are a developer and you want your server administrator to give you more
control over IIS configuration for your application.
Key Points
There are two steps for configuring remote administration:
• Specify the users that can connect to a site or application
• Configure and start the Web Management Service (WMSVC)
Key Points
The Management Service enables computer and domain administrators to
remotely manage a Web server that uses IIS Manager.
The service also enables delegated administrators to locally and remotely manage
delegated features of Web sites and Web applications on the Web server that uses
IIS Manager.
Key Points
The Remote Administration Connection Settings are highly configurable and
customizable to create a best fit for your organization.
The Remote Administration Connection Settings available for configuration
include:
• IP Address
• Port
• SSL Certificate
• Log Requests to
Question: What benefits and drawbacks are experienced when using a self-signed
certificate?
Key Points
It's easy to configure Remote Administration for IIS.
Configuring Remote Administration for IIS includes the following steps:
1. Install the Web Management Service (WMSVC)
2. Enable remote connections
3. Optionally set other configuration.
4. Start WMSVC, and optionally change the service Startup Type from Manual to
Automatic
5. Configure Identity Credentials
6. Configuring Users and Permissions for IIS Manager
Key Points
The IIS 7.0 Remote Administration tool uses HTTP with the SSL protocol and
offers the following advantages:
• Administrators can manage the entire Web server
• Administrators have almost the same experience as local use of the IIS
Manager tool.
• Both Administrators and non-administrators can use the tool.
• Windows User accounts and IIS Manager User accounts can be delegated
permission.
• The server Administrator decides what non-administrators can view and
change through Feature Delegation.
• The IIS 7.0 Remote Administration tool uses HTTPS, a secure, firewall-friendly
protocol that requires opening only one port on a firewall to permit
inbound access to the tool.
Lesson 2
Configuring Delegated Administration
IIS 7.0 distributes its configuration data among several XML files. This allows
considerable flexibility in configuring individual sites or applications. The IIS 7.0
distributed configuration system also makes it possible to delegate administrative
access to individual Web sites or applications. This lesson focuses on how the IIS
7.0 distributed configuration system is used to delegate Web site or application
configuration.
Key Points
The IIS 7.0 configuration system uses the following files:
• A central configuration file named applicationHost.config that is located in
%WINDIR%\System32\InetSrv\Config\.
• Several Web.config files can appear at any level of the URL hierarchy.
• The machine.config file defines the properties that are required for all
ASP.NET Framework features.
• Configuration file settings inherit from parent to child file from machine.config
down to the last Web.config file (if any) and the effective configuration is
calculated for a given path. Any setting at a lower level in the hierarchy will
override a parent setting defined in a file above the current level.
Key Points
There are three key files that control the operation of IIS 7.0.
• The first file is machine.config. This file contains the .NET Framework
settings for the server. In Windows Vista and Windows Server 2008, this file
contains all the global settings for .NET-related components and features.
• The applicationHost.config file contains settings for IIS and other services
that have settings in common with IIS.
• The next file in the hierarchy is the root Web.config file, which defines the
global settings for properties defined for all ASP.NET Web applications. This
file exists for each version of the .NET Framework installed on the server.
• There may be optional Web.config files in the root of the Web content
directories which control the behavior of that site.
Key Points
The process of delegating administrative rights includes the following tasks:
1. Add site administrators to a site, and add application administrators to an
application.
2. Configure the delegation state of site and application features for site and
application administrators to view and configure.
3. Configure connection settings and enable remote management.
Lesson 3
Configuring Feature Delegation
IIS 7.0 can delegate permission in a granular fashion. By using feature delegation,
server administrators can determine which features can be modified by site or
application administrators. This lesson focuses on using feature delegation.
Key Points
IIS 7.0 feature delegation has the following characteristics:
• The server administrator decides which features non-administrators can view
and change.
• Features which are not delegated are not visible in the UI at site or application
levels.
• Feature delegation works by locking or unlocking configuration sections.
Key Points
The server administrator can configure individual features with the following
states:
Read/Write: When you select Read/Write for a feature, you unlock the feature's
related configuration section(s) in ApplicationHost.config.
Read Only: When you select Read Only for a feature, you lock the feature's related
configuration section(s) in ApplicationHost.config.
Remove Delegation: When you select Remove Delegation for a feature, you lock
the feature's related configuration section(s) in ApplicationHost.config.
Reset to Inherited: When you select Reset to Inherited for a feature, the delegation
state for that feature is returned to its default setting.
Configuration Read/Write: When you select Configuration Read/Write for a
feature, you unlock the feature's configuration section(s) in ApplicationHost.config.
Configuration Read Only: When you select Configuration Read Only for a feature,
you lock the feature's configuration section(s) in ApplicationHost.config.
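Because these delegation states are stored as locks on configuration sections, the current state can be read back from the file itself. The following PowerShell is an added example, not part of the course material: it reports the lock state of every declared section at server scope and at any path-specific location tag. The function names, the site name Sales and the embedded XML are constructed for illustration, and the defaults in the sample are not the shipped defaults.

```powershell
# Added example, not course code. Reports which configuration sections are
# locked or unlocked, using the overrideModeDefault / overrideMode attributes.

function Get-DeclaredSection {
    # Walks <configSections> recursively and returns each section's full path
    # with its overrideModeDefault ("Allow" when the attribute is absent).
    param([System.Xml.XmlNode]$Node, [string]$Prefix)
    foreach ($section in $Node.SelectNodes('section')) {
        $mode = $section.GetAttribute('overrideModeDefault')
        if (-not $mode) { $mode = 'Allow' }
        New-Object PSObject -Property @{
            Section = ($Prefix + $section.GetAttribute('name'))
            Default = $mode
        }
    }
    foreach ($group in $Node.SelectNodes('sectionGroup')) {
        Get-DeclaredSection -Node $group -Prefix ($Prefix + $group.GetAttribute('name') + '/')
    }
}

function New-DelegationRow {
    param([string]$Section, [string]$Scope, [string]$Mode)
    # Allow = unlocked (shown as Read/Write in Feature Delegation); anything else = locked.
    $label = if ($Mode -eq 'Allow') { 'Unlocked (Read/Write)' } else { 'Locked' }
    New-Object PSObject -Property @{
        Section = $Section; Scope = $Scope; OverrideMode = $Mode; Delegation = $label
    } | Select-Object Section, Scope, OverrideMode, Delegation
}

function Get-DelegationState {
    param([Parameter(Mandatory = $true)][xml]$Config)

    $sections = $Config.SelectSingleNode('/configuration/configSections')
    if ($null -eq $sections) { throw 'No <configSections> element found.' }
    $locations = $Config.SelectNodes('/configuration/location[@overrideMode]')

    foreach ($declared in (Get-DeclaredSection -Node $sections -Prefix '')) {
        $serverMode = $declared.Default
        $pathRows = @()
        foreach ($location in $locations) {
            $mode = $location.GetAttribute('overrideMode')
            if ($mode -eq 'Inherit') { continue }
            # Only location tags that actually contain this section affect it.
            if ($null -eq $location.SelectSingleNode($declared.Section)) { continue }
            $path = $location.GetAttribute('path')
            if ($path -eq '') {
                $serverMode = $mode            # server-wide lock or unlock
            } else {
                $pathRows += New-DelegationRow $declared.Section $path $mode
            }
        }
        New-DelegationRow $declared.Section '(server)' $serverMode
        $pathRows
    }
}

# Constructed sample standing in for applicationHost.config.
$sample = [xml]@'
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="httpErrors" overrideModeDefault="Deny" />
      <sectionGroup name="security">
        <sectionGroup name="authentication">
          <section name="anonymousAuthentication" overrideModeDefault="Deny" />
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location overrideMode="Allow">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="IUSR" />
    </authentication></security></system.webServer>
  </location>
  <location path="Sales" overrideMode="Allow">
    <system.webServer><httpErrors /></system.webServer>
  </location>
</configuration>
'@

Get-DelegationState -Config $sample | Format-Table -AutoSize

# Against a real server, from an elevated prompt:
# $live = [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")
# Get-DelegationState -Config $live | Where-Object { $_.OverrideMode -eq 'Allow' }
```

Filtering on Allow, as in the last comment, gives the list of sections that site or application owners can change in their own Web.config files, which is the list to review against the "give only the needed level of access" practice.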
Key Points
The default feature delegation settings were created with the best practices in
mind.
Key Points
Configuring feature delegation in IIS 7.0 includes the following steps:
1. Open IIS Manager (Start, Run, type inetmgr.exe) and click on the connection
to the local server in the treeview on the left-hand side.
2. Scroll down the feature list, find Feature Delegation, and double-click to open.
3. Click on a feature to set the delegation options in the task pane on the right.
Key Points
Feature delegation is a useful tool for allowing non-administrators to manage
discrete components of a Web site.
Using feature delegation and remote management together includes the following
steps:
1. Set the desired feature delegation settings.
2. Specify the users that can connect to a site or application.
3. Install the Web Management Service.
4. Configure and Enable remote management.
5. Start the Web Management Service.
6. Test the configuration by connecting from a remote machine.
Key Points
It is important to maintain good practices when deploying feature delegation.
Best practices for feature delegation include:
• Back up configuration files before modifying them.
• Give only the needed level of access.
• Don’t change the system account.
• Don't make delegation more restrictive after initial configuration.
Results: After completing this exercise, you should have configured the IIS
Management Service to accept remote connections and you should have tested a
remote connection from NYC-DC-01.
<location overrideMode="Allow">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" userName="IUSR" />
        <basicAuthentication />
        <clientCertificateMappingAuthentication />
        <digestAuthentication />
        <iisClientCertificateMappingAuthentication />
        <windowsAuthentication />
      </authentication>
    </security>
  </system.webServer>
</location>
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="false" />
      <anonymousAuthentication enabled="false" />
    </authentication>
  </security>
</system.webServer>
Results: After completing this exercise, you should have successfully delegated
administration for the Human Resources Web site to Kim Abercrombie and delegated
administration for the Sales Web site to Jim Hay.
Results: After completing this exercise, you should have successfully configured
the Human Resources and Sales sites so that the site owners can customize error
pages for each site.
Review Questions
1. What are the steps in configuring the Web management service?
2. What files are involved in delegated administration?
3. What are some best practices for feature delegation?
Module 7
Using Command-line and Scripting for IIS 7.0
Administration
Contents:
Lesson 1: Tools for Running Administrative Tasks in IIS
Lesson 2: Executing Scripts for Administrative Tasks
Lesson 3: Managing IIS Tasks
Lab: Using Command-line and Scripting for IIS 7.0 Administration
Module Overview
This module helps you to use command-line and scripting for IIS 7.0
Administration.
After completing this module, you will be able to:
• Use PowerShell for IIS 7.0 administration.
• Extend PowerShell with scripts.
• Run a script using PowerShell.
• Use Microsoft.Web.Administration for IIS 7.0 administration.
• Perform AppCmd tasks for IIS 7.0.
• Use WMI objects to perform administrative tasks.
Lesson 1
Tools for Running Administrative Tasks in IIS
This lesson will provide some introductory information for command-line and
scripting for IIS 7.0 administration. The new tools for use with IIS 7.0 will be
explained and the benefits highlighted.
Key Points
New administration tools for IIS 7.0:
• IIS Manager – Feature-focused administration tool with dialogs for common
administrative tasks.
• PowerShell – New command-line administration tool that can use WMI
provider and .NET API.
• AppCmd – For use specifically for IIS 7.0 administration.
Question: When would you choose to use command-line tools instead of the IIS
Manager?
PowerShell Overview
Key Points
Windows PowerShell is a new tool to perform command-line administration.
• Object-Oriented Data Handling - PowerShell, based on the .NET Framework
platform, provides a powerful object-model command-line environment.
• Namespaces - As a WMI interface provider, scripting in PowerShell can
significantly shorten the amount of time required to do repetitive maintenance
and management.
• Pipelining - You can pipe the output from one command as the input into
another command.
• Transparent access to the commands is available through the Command
Prompt.
• Trusted Scripts - As an option, all scripts may be required to be digitally signed
before they are allowed to run.
Key Points
PowerShell is a command-line tool like cmd.exe, except it is more powerful. The
improvements over cmd.exe make PowerShell a better choice for IIS 7.0
administration.
Key Points
• The Microsoft.Web.Administration API provides a programmatic way to access
and update the Web server configuration and administration information.
• The Microsoft.Web.Administration.dll is an easy way for users to tweak
settings on the server.
• The MWA API is used when you want to write a program in managed code
(C#, VB, etc.) to configure the server in a particular manner. This API can
be used from PowerShell.
Key Points
AppCmd.exe is the single command line tool for managing IIS 7.0. It exposes all
key server management functionality through a set of intuitive management objects
that can be manipulated from the command line or from scripts. AppCmd enables
you to easily control the server without using a graphical administration tool and
to quickly automate server management tasks without writing code.
Question: How does administration with AppCmd.exe differ from IIS Manager?
Lesson 2
Executing Scripts for Administrative Tasks
This lesson will explain how to use scripting for IIS 7.0 administrative tasks.
Sample scripts will be examined, as well as techniques for writing scripts.
Key Points
• Ways to use scripts for IIS 7.0 administration include PowerShell scripts,
PowerShell cmdlets, AppCmd.exe scripts, and the
Microsoft.Web.Administration API.
• The AppCmd.exe command line is built on top of a set of top level server
management objects, such as Site and Application. These objects expose
methods that can be used to perform various actions on those objects, and
object instances expose properties that can be inspected and manipulated.
Key Points
• The net effect of this example script will be to copy all files listed in file
AppManifest.txt, located on machine DemoServer1, to all the machines listed
in file RestOfFarm.txt.
• The script uses the get-content cmdlet to read machine names from file
RestOfFarm.txt and file names from file AppManifest.txt.
• The foreach loop: The outer loop iterates through each machine name stored
in variable $farmList, storing each name into variable $targetMachine in turn.
The inner loop is similar and stores each file into $file in turn.
• The join-path cmdlet is used to intelligently concatenate strings to produce
complete source and destination paths.
• Finally, the copy-item cmdlet is used to perform the copy actions, where the
-recurse switch will copy all sub-directories and the -force switch causes
existing files to be overwritten. Notice this script has all information about
source and destination locations hard-coded into the script.
Question: If you are familiar with Visual Basic, how would this code translate to
Visual Basic?
Question: In a production environment, would you want to hard code the source
and destination location into the script?
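A parameterized variant of the kind of script described above, written as an added example (it is not the course's script). It validates both lists before the first copy so that a manifest or farm-list entry cannot redirect the copy outside the intended share. It assumes the content lives on a share with the same name on every machine; the function name, the -ShareName parameter and the share name in the usage comment are hypothetical, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not course code. DemoServer1, AppManifest.txt and
# RestOfFarm.txt come from the text; everything else is an assumption.
function Copy-AppToFarm {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SourceMachine = 'DemoServer1',
        [Parameter(Mandatory = $true)]
        [string]$ShareName,                          # hypothetical: same share on every machine
        [string]$ManifestPath = '.\AppManifest.txt',
        [string]$FarmListPath = '.\RestOfFarm.txt'
    )

    # Read both lists; trim whitespace and drop blank lines.
    $farmList = @(Get-Content -Path $FarmListPath -ErrorAction Stop |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $fileList = @(Get-Content -Path $ManifestPath -ErrorAction Stop |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Validate everything up front so a bad entry cannot cause a partial deployment.
    foreach ($file in $fileList) {
        # Rooted paths (C:\..., \\host\..., \dir) and '..' segments would escape the share.
        if ([System.IO.Path]::IsPathRooted($file) -or $file -match '(^|[\\/])\.\.([\\/]|$)') {
            throw "Manifest entry '$file' must be a relative path without '..' segments."
        }
    }
    foreach ($targetMachine in $farmList) {
        # A host name containing separators would change the UNC path being written to.
        if ($targetMachine -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') {
            throw "Farm list entry '$targetMachine' is not a plain host name."
        }
    }

    $sourceRoot = "\\$SourceMachine\$ShareName"
    foreach ($targetMachine in $farmList) {
        $targetRoot = "\\$targetMachine\$ShareName"
        foreach ($file in $fileList) {
            $source      = Join-Path -Path $sourceRoot -ChildPath $file
            $destination = Join-Path -Path $targetRoot -ChildPath $file
            if (-not (Test-Path -Path $source)) {
                Write-Warning "Missing on source, skipped: $source"
                continue
            }
            # Copy into the destination's parent so files and directories both
            # end up at the same relative path on the target.
            $parent = Split-Path -Path $destination -Parent
            if ($PSCmdlet.ShouldProcess($destination, "Copy from $source")) {
                if (-not (Test-Path -Path $parent)) {
                    New-Item -ItemType Directory -Path $parent -Force | Out-Null
                }
                Copy-Item -Path $source -Destination $parent -Recurse -Force -ErrorAction Stop
            }
        }
    }
}

# Preview what would be copied, then run without -WhatIf:
# Copy-AppToFarm -ShareName 'WebContent' -WhatIf
```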
Key Points
Windows PowerShell supports cmdlets that are derived from two different base
classes:
• Most cmdlets are based on .NET classes that derive from the Cmdlet base
class.
• More complex cmdlets are based on .NET classes that derive from the
PSCmdlet base class.
Question: If you were writing a cmdlet that created an application pool, what
would you name the cmdlet?
Key Points
Before you can serve a single request from your IIS 7.0 server, you need to create
a set of configuration settings that describes how the server listens for requests,
and how these requests are then dispatched to your scripts or static files. To do
this, you need to create, at minimum, a site, an application, a virtual directory,
and an application pool.
Key Points
Microsoft.Web.Administration.dll can be loaded into PowerShell and then used to
view information such as Web site names.
Lesson 3
Managing IIS Tasks
This lesson will go into detail of how to use PowerShell, AppCmd, WMI and MWA
to perform IIS 7.0 administrative tasks.
Key Points
• In IIS 6.0, several administrative tasks were performed using a number of
scattered VBS script files. This made it difficult to find out which script needed
to be run. IIS 7.0 includes AppCmd.exe, which provides all the options
you need to administer IIS 7.0.
• AppCmd works by executing a command on one of the supported
management objects, with optional parameters used to further customize the
behavior of the command:
Question: Do you have any administrative tasks for IIS 6.0 in your organization
that require the use of more than one script?
Key Points
• An object will often support additional commands, such as START and STOP
for the Site object.
• <OBJECT> is one of the management objects supported by the tool.
Key Points
AppCmd can be used for commonly performed tasks, such as creating backups,
viewing a Web site's configuration, or starting Web sites.
Question: Can you think of a situation where AppCmd would be useful in your
organization?
Key Points
You can use PowerShell scripts to automate tasks. These tasks can be set to start
with any number of triggered events such as a disk failure or a scheduled time.
Key Points
Built-in PowerShell cmdlets provide easy access to commonly performed tasks.
Key Points
• PowerShell can extract specific information.
• You can format your output to meet your needs.
• Piping with PowerShell cmdlets allows you to input the result of one cmdlet
into another.
Key Points
WMI scripting lets you manage worker processes and application domains
(AppDomains) in IIS 7.0.
Results: After this exercise, you should have successfully identified, stopped and
started services using PowerShell.
Task 4: Use the findsite function to list the default Web site, the
default Web site ID, and then stop and start the default Web site
Task 6: Use WMI to list the default Web site on the Web server
• Using Notepad create a file named GetSite.vbs with the following code:
Results: After this exercise, you should have successfully used AppCmd to recycle
application pools, move application and store configuration information to a file. You
should have also successfully identified the default Web site using WMI.
Review Questions
1. What are the different tools available for IIS 7.0 administration?
2. How can you use scripts to simplify IIS 7.0 administration?
3. What are the benefits of PowerShell?
4. What things can you do with AppCmd.exe?
5. What is Microsoft.Web.Administration and how can it be used?
6. What are some examples of tasks you can perform using WMI?
Module 8
Tuning IIS 7.0 for Improved Performance
Contents:
Lesson 1: Implementing Best Practices for Improving IIS Performance
Lesson 2: Configuring Options to Improve IIS Performance
Lesson 3: Managing Application Pools to Improve IIS Performance
Lab: Tuning IIS 7.0 for Improved Performance
Module Overview
Lesson 1:
Implementing Best Practices for Improving IIS
Performance
Key Points
When a change is made at the site or application level, the changes are picked up
immediately by the Web server. Only the global changes that affect multiple sites
and applications will cause the running processes to recycle. If changes are made
in a localized scope, then the rest of the sites and applications will not be restarted.
Because of this, you should schedule global changes for off-peak times to avoid
service interruption.
Key Points
When you standardize on fewer physical servers, the number of machines and
complex configurations you need to manage decreases. This has two key benefits:
• Increased reliability and availability: Standardize high availability
configurations and make fewer changes.
• Improved Security: Standardizing configuration and secure management
practices improve security.
Key Points
Use Web Site Limits to configure performance settings for your Web site based on
bandwidth usage and connection limits. For example, by restricting either
bandwidth or the number of connections, or both, on a low-priority Web site, you
enable other, higher-priority sites to handle larger traffic loads. You can adjust
these settings as network traffic and usage changes.
Question: Why are Web site limits important when consolidating servers?
Lesson 2:
Configuring Options to Improve IIS
Performance
In this lesson, you will learn how to configure output caching and compression.
You will also learn how to install and configure Windows System Resource
Manager, and some scenarios and best practices for configuring logging for best
performance.
Key Points
In IIS 7.0, you can configure output caching to improve performance on your Web
server, site, or application. When a user requests a Web page, IIS processes the
request and returns a page to the client browser. If you enable output caching, a
copy of that processed Web page is stored in memory on the Web server and
returned to client browsers in subsequent requests for that same resource. This
eliminates the requirement to reprocess the page every time that it is requested.
This is helpful when your content relies on an external program for processing,
such as with a Common Gateway Interface (CGI) program, or includes data from
an external source, such as from a remote share or a database.
Key Points
HTTP compression lets you make more efficient use of bandwidth and enhances
the performance of sites and applications. You can configure HTTP compression
for both static and dynamic sites.
IIS provides the following compression options:
• Static files only
• Dynamic application responses only
• Both static files and dynamic application responses
Question: When would enabling dynamic compression improve the page load
time for the client?
Key Points
Microsoft Windows System Resource Manager (WSRM) on Windows Server 2008
allows you to control how CPU and memory resources are allocated to
applications, services, and processes on the computer.
Question: How are you currently using WSRM for Windows Server 2003 in your
organization?
Key Points
Logging a lot of information about the Web server can consume resources and
disk I/O. To minimize the impact to performance:
• Log only minimal information for routine statistics
• Consider saving log files to a separate disk
• Recycle logs
• Configure Failed Request Event Tracing for exceptions
• Use FREB to capture detailed information only in exceptional situations
• Critical errors
• Unresponsive states
Question: What are some scenarios in which you might use dynamic output
caching?
Lesson 3:
Managing Application Pools to Improve IIS
Performance
Key Points
You can configure IIS to isolate applications to separate application pools, or
consolidate them. With WSRM you can distribute the processing load.
Additionally, you can configure IIS to automatically recycle worker processes at
specified intervals or when specific resource usage thresholds are met.
Question: Why would you recycle an application pool on a specific time interval?
Key Points
Consolidating multiple applications can significantly save resources on the server.
You might consider assigning multiple applications to an application pool when:
• The applications are known to be stable
• All use same .NET version
• The scenario does not require highest level of security
• There are tight resource constraints on the server
Question: What is the default behavior for application pools when you create a
new application?
Key Points
Xcopy deployment describes deployment where you use the drag-and-drop feature
in Microsoft Windows Explorer, File Transfer Protocol (FTP), or the DOS Xcopy
command to copy files from one location to another. The application requires no
modifications to the registry and has no special installation requirements for the
host company on hosted sites.
Question: How would you leverage scripting in deploying applications via Xcopy?
Review Questions
1. What is the difference between compression and caching and how do they
interact?
2. What impact do the various performance settings have on CPU usage, memory
usage, disk i/o, and network bandwidth?
3. What options do you have for ensuring that an application does not
monopolize resources?
Module 9
Ensuring Web Site Availability with Web Farms
Contents:
Lesson 1: Backing Up and Restoring Web Sites
Lesson 2: Introducing Shared Configurations
Lesson 3: Working with Shared Configurations
Lesson 4: Configuring Network Load Balancing for IIS
Lab: Ensuring Web Site Availability with Web Farms
Module Overview
Lesson 1
Backing Up and Restoring Web Sites
The backup and restore process is a critical process for maintaining a reliable IT
infrastructure. This lesson provides an overview of the backup and restore process
and details specific considerations for Windows Server 2008 IIS 7.0 systems.
Key Points
• IIS 7.0 uses XML config files within the Web sites to manage Web site
configurations and settings.
• The critical files for Web site backups include all the applications, data files,
and XML config files that reside in the Web site folders.
Question: What backup software, processes, and media might be best used for
backing up IIS 7.0 Web sites and servers?
Key Points
Windows Server 2008 IIS 7.0 provides an easy method to relocate Web server files
onto UNC shares. However, even with the critical Web site files located in a secure
storage device, it is still necessary to perform regular backups of Web servers
because critical files are still stored on the server.
Question: Web server log files can grow to be very large. What techniques do you
use in your organization to manage Web server log files?
Key Points
• A Web server can be easily rebuilt by reinstalling the system and restoring the
Web site application, data, and XML config files.
• Alternately, if all the Web site data resides locally on the Web server, a
complete restore will be able to return the server to previous functionality.
Key Points
• It is critical to ensure that Web server backups are complete and accurate and
meet the necessary long term data storage requirements.
• It is important to integrate a server backup validation strategy into your
backup plan.
• There are many techniques that may be performed to test and ensure that the
backups have been completed successfully.
Question: What strategies have you used in the past to ensure the validity of
system backups?
Lesson 2
Introducing Shared Configurations
Shared configurations provide an effective way of managing multiple IIS 7.0 Web
servers, to maintain consistent configurations across the server farm. This lesson
provides an introduction to shared configurations, describing the use and benefits.
Key Points
• Centralized shared configurations help support homogeneous Web farms
where machines share the same configuration across a server group.
• After exporting the configuration from the main server, additional servers in
the Web server farm can be set to use the configuration set on the central file
server.
• By having the servers all using the same files on the same share, IIS 7.0
eliminates the need for replication or synchronization.
Key Points
• Using IIS 7.0 on DFS provides a number of advantages, including easier
management, better performance, and high availability.
• DFS allows you to use centralized network resources in a unified namespace,
so that it appears to users that files reside in one place on the network.
Question: What Web sites do you think employ technologies like DFS? What
kinds of advantages do these technologies offer?
Key Points
• Shared offline configuration files offer some benefits over using a complex DFS
infrastructure. Shared offline configuration files provide a faster solution that is
quicker and easier to set up.
• While more complex and difficult to deploy, DFS offers many advantages.
Key Points
• DFS can be used with files that are distributed across multiple servers, and it
allows the network resources to be centralized in a single unified namespace.
• When you use DFS as the filing system for IIS, you can use relative links in
your Web site. These links can point to any network resource even if the
resource does not reside on that same physical server.
Key Points
• Use the DFS Administrator tool to build a single hierarchical view of multiple
file servers and file server shares that are physically distributed across a
network. Then build a logical DFS folder of the main Internet Web site.
• First, make sure the File Server Role Services for Distributed File System
has been installed.
• Start the Distributed File System admin tool.
• Create a New DFS Root.
• Select the name of the domain where you want to create the DFS root
• Type the path and the name of the root for the Web site.
Key Points
• Using IIS 7.0 shared configurations offers many advantages for Web site and
server management.
• Manage Portability: Using shared configurations makes it very easy to
relocate a Web site.
• Deploy Replication: Configuration can be pushed out onto multiple
servers, with the same settings, sites, and application pools, to work across
large Web farms.
• Maintain Synchronization: With shared configuration, all the servers will
be updated simultaneously.
• Re-deploy Staged Deployments and Rollback: It is easy to create versions
of configuration and test changes on identically configured servers.
Lesson 3
Working with Shared Configurations
It is very easy to configure and deploy shared configurations with IIS 7.0. You can
use the IIS Manager or the command line to enable shared configurations. This
lesson describes the steps to enable shared configurations. It also offers various
tips, tricks, and best practices for using shared configurations.
Key Points
Before you can enable shared configurations, make sure you have your UNC share
configured and enabled. Shared configuration in IIS 7.0 is very robust and
supports a very large number of servers.
Key Points
While not as easy to use, the command line, along with AppCmd, can be used
to manage and deploy shared configurations.
Key Points
Here we have the site owner able to deploy their IIS configuration, their ASP.NET
configuration and code, and their content, straight to the server.
Key Points
An important consideration is what would happen if the server hosting the config
file goes down while the Web server stays up. The IIS 7.0 shared configuration
system is designed so that the Web site and server's configurations will remain
cached in the Web server, keeping the Web sites functioning until the problem
with the configuration file server is resolved.
Key Points
• It is important to research and maintain best practices if you are deploying
shared configurations. Best practices are always being updated and refined, so
it is important to keep up with the latest recommendations.
• A key point in maintaining a healthy shared configuration infrastructure is to
make sure all servers in the server farm have identical configurations and the
same components.
Key Points
• If you want to use Xcopy to deploy your server configuration instead of using
the IIS Manager, it’s important to note a few things.
• The machine keys are used to encrypt properties like passwords for
application pool identities or anonymous users.
• If you installed any custom modules or certificates, they should exist on all
the machines before you share configuration.
• You need to install any components on all servers in the farm before sharing
their configs. If you install a filter or an IIS component, such as Basic
authentication, you must remove the server from shared configuration and
install it locally. Then ensure it exists on all machines before restoring shared
configuration.
Key Points
• Session state lets you associate a server-side string or object dictionary
with a particular HTTP client session.
• The session data is stored on the server side in one of the supported
session state stores.
• Using session state in an ASP.NET application can add noticeable
overhead to the application performance.
• By taking advantage of optimizations using best practices, the impact of
session state management may be reduced.
• Not all pages will need access to session state.
Lesson 4
Configuring Network Load Balancing for IIS
Key Points
• Network Load Balancing is a system where multiple servers share a single IP
address and where clients access services through the shared IP address.
• Load balancing can be hardware- or software-based. Windows Server 2008
includes software-based load balancing. If you use hardware-based load
balancing, you must consider the scalability and fault tolerance of the Network
Load Balancing hardware.
Key Points
• Network Load Balancing can be used in different areas of a Web enterprise,
including, setting up a high-availability firewall cluster, a large farm of Web
servers, and a robust array of data storage servers.
• Network Load Balancing is particularly useful for ensuring that Web pages from
a server running IIS 7.0 are highly available and can be scaled out by adding
additional servers as the load increases. Network Load Balancing makes it easy
to replace a malfunctioning server or add a new server to provide
scalability.
Key Points
IIS 7.0 Shared Configurations allows for easier deployment and management of
Network Load Balanced server farms.
Key Points
It is important to test and continuously monitor Network Load Balancing
functionality. There are many tools available to help automate the task of
monitoring your servers and clusters.
Key Points
• There are many sources for recommendations for the best ways to configure
and manage Network Load Balancing systems. A few are mentioned here, but
it is important to perform thorough research before deploying this type of
complex system.
Task 2: Back up the Web site, Web application, and config files to the
E: drive.
Results: After this exercise, you should have successfully backed up a Web site. Provide
the results of the exercise so students will know when and if they have completed the
lab exercise successfully.
Task 2: Restore the Web site, Web application, and config files from
the shared drive.
Results: After this exercise, you should have successfully restored a Web site to a
second server. Provide the results of the exercise so students will know when and if
they have completed the lab exercise successfully.
Task 2: Add the second Web server to use the Shared Configuration.
Results: After this exercise, you should have successfully configured a two-server
network with an underlying foundation of shared configurations. Provide the results of
the exercise so students will know when and if they have completed the lab exercise
successfully.
Task 2: Add the second host to the Network Load Balancing cluster
Task 3: Add the second server to the Network Load Balancing cluster
Results: After this exercise, you should have successfully restored a Web site to a
second server. Provide the results of the exercise so students will know when and if
they have completed the lab exercise successfully.
Review Questions
1. Question: Explain some of the actions that may be taken to validate that a Web
server backup was completed successfully?
Answer: Examine backup logs, Check for error messages, Perform occasional
test recoveries, Check the integrity of the data.
3. Question: Explain the benefits of using shared configurations in an IIS 7.0 Web
server enterprise.
Answer: Manage Portability: The IIS site configuration is stored in the
Web.config file, along with the code and content, making it very easy to move
a Web site. A developer or server administrator can control configuration and
deploy from a test or dev machine straight to the server. Another aspect of
portability is that environment variables, such as %windir%, can be used in the
configuration file.
Deploy Replication: Configuration can be pushed out onto multiple servers,
with the same settings, the same sites, and the same application pools, to work
across a Web farm.
Maintain Synchronization: It is important to synchronize
changes across a Web server farm. With shared configuration, all the servers
will be updated simultaneously.
Re-deploy Staged Deployments and Rollback: We need to be able to
implement new features across a Web server farm. It is now easy to create
versions of configuration and test changes on identically configured servers.
4. Question: Explain what happens if the file server with the configuration files
goes down, but the Web servers remain functional.
Answer: The configurations will be cached in memory. Files are copied locally
and then used until the file server hosting the config files is back online. If the
Web server or service is restarted, it will report an invalid config.
Shared configuration export fails: Make sure the UNC share is configured properly.
Shared configuration fails: Make sure you are using the correct password.
Tools
Module 10
Troubleshooting IIS 7.0 Web Servers
Contents:
Lesson 1: Using IIS 7.0 Logging for Troubleshooting
Lesson 2: Troubleshooting Authentication and Authorization
Lesson 3: Troubleshooting Communication
Lesson 4: Troubleshooting Configuration
Lab: Troubleshooting IIS 7.0 Web Servers
Module Overview
Logging and tracing are essential to troubleshooting many types of Web server
issues. In addition, the new tracing infrastructure allows detailed error messages to
help administrators solve problems quickly. In this module, you will learn about the
supportability enhancements to IIS 7.0 and use them to troubleshoot a
variety of problems.
Lesson 1:
Using IIS 7.0 Logging for Troubleshooting
Key Points
In addition to the Windows Server 2008 system and security logs, you should
configure IIS to log site visits. When users access your server that is running IIS
7.0, IIS logs the information. The logs provide valuable information that you can
use to identify any errors that occur on your Web server.
Key Points
In IIS 6.0, all of the tracing data was hard-coded into ETW (Event Tracing for
Windows), requiring the use of ETW to gather trace logs. With IIS 7.0, this has
changed. All tracing is now emitted through a single tracing infrastructure. A
custom module can also register for tracing notifications.
All tracing is done through the unified pipeline and consumed by two modules
that ship with IIS, the ETW trace module and the IIS Failed Request Tracing
module. Developers can easily create their own trace events. The modular
infrastructure also allows Microsoft to ship updated tracing modules without
requiring an operating system upgrade or service pack installation.
Key Points
Request-based tracing provides a great way to figure out what exactly is happening
to requests, provided the problem can be reproduced. Problems like poor
performance on some requests, authentication related failures, or Server 500 errors
from ASP or ASP.NET can be very difficult to troubleshoot unless you have
captured the trace of the problem when it occurs. Failed Request Tracing is
designed to buffer the trace events for a request and only save them to disk if the
request meets the criteria defined by the administrator.
Question: In which scenarios in your organization might you use Failed
Request Tracing for an application?
Key Points
With tracing for failed requests, you can capture an XML formatted log of a
problem when it occurs, so that you do not have to reproduce the problem before
you start troubleshooting. Additionally, you can define failure conditions for
applications and configure which trace events to log on a per-URL basis.
Tracing for failed requests is configured at two levels:
• At the site level, you enable or disable tracing and configure log file settings.
• At the application level, you specify the failure conditions for capturing the
trace events and also configure which trace events should be captured in the
log file entries.
Question: How would you configure Failed Request Tracing differently across the life
cycle of an application (test, initial deployment, etc.)?
Key Points
Enable logging for a site when you want IIS to selectively log only certain requests
to a site based on configured criteria. As soon as site logging is enabled, you can
enable selective logging for any applications on the site. You can also then view the
log file to see both which requests are failing and which requests are succeeding.
Question: What business requirements for reporting does your organization have
that might impact logging for specific applications?
Key Points
Logging can impact performance and resources on the Web server. Use best
practices to minimize the impact while maintaining useful logs.
Question: What best practices are in place for logging in your environment?
Lesson 2:
Troubleshooting Authentication and
Authorization
Key Points
HTTP 401 errors are among the most common errors you may have to deal with in
IIS. While the causes for these errors can vary greatly, the causes fall into a finite
number of categories. Correctly identifying the category of the cause for your HTTP
401 error can decrease the amount of time needed to identify the root cause of the
error.
Question: What are the different ways in which a 401 error may appear to an end-
user? How does it vary depending on IIS setting, browser, and browser settings?
Key Points
When you troubleshoot HTTP 401 errors, the first step should always be to
determine the substatus code.
Code    Definition
401.1   Authentication was attempted, but failed.
401.2   Authentication was not attempted because the server and client could not agree on an authentication protocol.
401.3   Authentication was successful, but the account that authenticated does not have sufficient permissions to access the requested resource or content.
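As an added illustration (not part of the original courseware), the following Python example reads an IIS W3C extended log and groups 401 responses by the substatus codes in the table above, separating authentication failures from authorization failures. The log lines, IP addresses, URLs, and account name are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Meanings of the 401 substatus codes, taken from the table above.
SUBSTATUS_401 = {
    "1": "authentication: attempted, but failed",
    "2": "authentication: no agreed authentication protocol",
    "3": "authorization: authenticated, but insufficient permissions",
}

# Constructed sample log (W3C extended format); not from a real server.
# The last row is deliberately truncated to show malformed-row handling.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2008-05-02 17:42:15 GET /reports/q1.aspx - 192.0.2.10 401 2
2008-05-02 17:42:20 GET /reports/q1.aspx - 192.0.2.10 401 1
2008-05-02 17:42:25 GET /reports/q1.aspx - 192.0.2.10 401 1
2008-05-02 17:43:01 GET /finance/payroll.aspx CONTOSO\bob 192.0.2.22 401 3
2008-05-02 17:43:05 GET /default.aspx CONTOSO\bob 192.0.2.22 200 0
2008-05-02 17:43:09 GET /missing.htm - 192.0.2.31 404 0
2008-05-02 17:43:10 GET /broken
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage_401(text):
    """Group 401 responses by substatus meaning, then by (client, user, URL)."""
    report = defaultdict(Counter)
    for row in parse_w3c(text):
        if row.get("sc-status") != "401":
            continue
        meaning = SUBSTATUS_401.get(row.get("sc-substatus"), "other 401 substatus")
        key = (row.get("c-ip"), row.get("cs-username"), row.get("cs-uri-stem"))
        report[meaning][key] += 1
    return {meaning: dict(counts) for meaning, counts in report.items()}

if __name__ == "__main__":
    for meaning, counts in triage_401(SAMPLE_LOG).items():
        print(meaning)
        for (ip, user, url), n in counts.items():
            print(f"  {n}x  client={ip}  user={user}  url={url}")
```

Because the parser follows the #Fields directive rather than fixed column positions, it keeps working when the set of logged fields is changed on the server, provided sc-status and sc-substatus are still logged.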
Key Points
Enable trace logging for failed requests when you want IIS to log information about
a request that is failing to serve content from a site or an application. When trace
logging for failed requests is enabled, IIS provides targeted logging so that you no
longer have to look through a list of irrelevant log entries to find a failed request.
Additionally, you do not have to re-create an error in order to troubleshoot it.
The trace will contain the identity, the authentication method, and the resources
being accessed.
Question: How can a trace log help you separate authentication and authorization
failures?
Key Points
Use logs to find the point of failure in the authentication and authorization
process. The distinction between authentication and authorization is important in
understanding why connection attempts are either accepted or denied:
• Authentication is the verification of the credentials of the connection attempt.
This process consists of sending the credentials from the remote access client
to the remote access server in either plaintext or encrypted form by using
an authentication protocol.
• Authorization is the verification that the connection attempt is allowed.
Authorization occurs after successful authentication.
Question: What business process could you put into place to decide what errors to
trace?
Lesson 3:
Troubleshooting Communication
When communication between the client and server fails, or is intermittent, it can
be difficult to detect on the server. In addition, communication issues between
servers can cause Web sites and applications to fail. In this lesson, you will learn
about common communication errors, and how to use logs and tools to
troubleshoot them.
Key Points
When troubleshooting communication issues, you need to determine if the client
can communicate with the Web server at all. If the server is responding to the
client with a substatus code, then you can troubleshoot the communication from
the server side.
Key Points
Client errors
Status codes between 400 and 500 specify an error made by the client, such as bad
syntax or a request for a resource that doesn't exist. You can try this by requesting a
bogus URL from the Web site of your choice, for example:
http://<IIS7Server>/this_resource_does_not_exist. You get a "404 - File not found"
error.
Server errors
Status codes starting with 500 are errors caused by the server. The most common
causes for 500 errors on IIS systems are:
• An ASP or ASPX page that contains a syntax error
• The Web server configuration or the application configuration cannot be read
or is invalid
• The site is stopped
Verifying Communication
Key Points
Ping your server
If your Web browser returned either the Cannot find server error or The page
cannot be displayed error, then use the ping command to test for the following:
• The name resolution server resolves your IIS Web server's name to its IP
address
• Your server responds to network requests from a remote computer
Lesson 4:
Troubleshooting Configuration
Configuration issues can be difficult to diagnose because they can look like other
types of errors. In this lesson, you will learn about common configuration errors,
and how to use IIS logs, tracing and detailed errors to troubleshoot them.
Key Points
Server software and Web servers are very complex and highly configurable systems
that support multi-tier applications using a variety of technologies and subsystems.
IIS7 strives to improve the experience of diagnosing and solving problems when
they do occur. Since configuration problems can appear as other types of errors,
knowing how to use the new IIS7 diagnostics features is essential to
troubleshooting server problems.
Question: Why not enable detailed error messages for all users?
Key Points
Typically, 403 errors occur when an operation or request is disallowed because a
requirement other than proper authentication credentials is not met.
503 errors are generated by the WAS (formerly W3SVC) service, which is
responsible for creating IIS worker processes to handle incoming HTTP requests.
When WAS fails to create a worker process, it will generate this error.
500 errors indicate an error condition on the server when trying to process the
request. Use Failed Request Tracing and detailed error messages to find out the
cause.
Question: Why not enable detailed error messages for all users?
Key Points
Because of the complexity of configuration errors, making use of all available tools,
such as logs, Failed Request Tracing, and detailed error messages will greatly speed
the troubleshooting process.
Use the tracing logs to pinpoint the point of failure, and detailed error messages
for the most likely causes and resolutions.
Review Questions
1. What is the difference between custom errors and detailed errors?
2. Why are configuration issues difficult to diagnose?