MCTS 70 – 649 Configuring a Web Services Infrastructure

Configuring a Web Services Infrastructure

Configure Web Applications

Web applications can be either directory-dependent or URL specified. Directory-dependent web applications are accessed by referencing the directory where the web application is stored e.g. whereas URL-specified applications are accessed by passing parameters within the URL e.g.

Creating web applications

Inetmgr.exe > web site > right click > add application > follow wizard; providing a valid alias, physical path etc. > OK

or appcmd

appcmd.exe add app /”Default Web Site” /path:/testApp

or PowerShell

New-WebApplication -Name testApp -Site ‘Default Web Site’ -PhysicalPath c:\inetpub\wwwroot\testApp -ApplicationPool DefaultApplicationPool

Application Pools

Application pools allow you to isolate web sites hosted on the same IIS instance, each application pool will have one worker process by default; this worker process handles all the requests for a particular web site.

Application pool managed pipeline modes are integrated and classic; integrated pipelines process ASP.NET requests within a unified pipeline hence better performance whereas the classic pipeline mode passes off ASP.NET to the aspnet_isapi.dll and aspnet_filter.dll plugins.

Application pool configurations; by default an application pool will recycle every 1740 minutes; the optional recycling conditions are specific times, no. of requests, virtual memory usage and private memory usage.

The recycling process uses overlapped recycling by default, this means the current application pool will service existing requests whilst a new instance of the application

.NET framework

The .NET framework executes code in a Common Language Runtime (CLR) environment; the CLR environment is simulated by a application virtual machine. This removes the need of the developer to consider the underlying hardware.

The .NET framework includes the following components:

  • Windows Presentation Framework (WPF) 
  • Windows Communication Framework (WCF)
  • Windows Workflow Foundation (WF)
  • Windows Cardspace

Manage Web Sites

Migrating web sites

IIS 6 sites to IIS 7 sites

Copy content and copy settings manually

UNIX sites to IIS 7

Use the IIS migration wizard (originally written for IIS 5 but works with IIS 7)

Migration as part of OS upgrade

Content will be retained during the upgrade, IIS metabase data will be translated and added to the IIS 7 configuration store ApplicationHost.config.

During the upgrade the IIS 7 installation is not a granular as is possible during a clean install; Microsoft recommend you revisit the role services installed and decide which are needed.

Virtual Directories

Virtual directories allow multiple sites to share common content.

Virtual directories can be created using the IIS 7 manager

inetmgr.exe > parent web site or parent application > right click Add Virtual Directory > follow wizard

or appcmd.exe

appcmd add vdir /"Default Web Site/" /path:/VirtualDir /PhysicalPath:c:\inetpub\vdir1

or PowerShell

New-WebVirtualDirectory -Site "Default Web Site" -Name VirtualDir -PhysicalPath c:\inetpub\vdir1

Configure a File Transfer Protocol (FTP) server

FTP6 – default FTP server in Windows Server 2008

By default allows 100,000 connections and has an idle timeout of 120 seconds.

Logging by default is daily logging; the log file is stored in c:\windows\system32\logfiles

Anonymous access is enabled by default and uses the newly created account IUSR_{machine name}. Basic authentication allows you to secure FTP by username and password but those usernames and passwords are sent in clear text.

The default home directory for FTP is c:\inetpub\ftproot, depending on the whether user isolation is selected or not will determine whether more configuration is needed.

  • Do not isolate users – no more configuration needed, other than creating users etc.
  • Isolate users – create a folder and name it LocalUser within the ftproot folder, create a folder for each user within the LocalUser folder. Any virtual directories defined within the FTP site will need a folder defined within the users folder to allow that user to see it.
  • Isolate users using active directory – the ftproot folder and user folder are defined within the user account attributes msIIS-FTPROOT and msIIS-FTPDir

Directory security allows you to allow or deny a specific IP address or IP address range; IPv4 only.

NTFS permissions and FTP permissions will determine what access a user has to a directory or file; the most restrictive applies e.g. if a user has NTFS permission full control but the folder or file hasn’t been defined the IIS permission read, then no user will be able to get access.

File Server Resource Manager (FSRM) can be used to limit the file types which are uploaded to the FTP server as well as user quotas too.

FTP7 – additional download for Windows Server 2008

By default allows 4 billion connections.

The FTP log files are stored in c:\inetpub\logs\logfiles.

No authentication method is enabled by default but anonymous, basic (using local and domain credentials) and IIS manager authentication are available; FTP 7.0 support (FTPS) FTP over SSL, allowing you to secure credentials sent over the internet.

The isolation options are very similar, the differences are:

  • Do not isolate users has two options; ftp root folder or username folder; if username folder is selected then a folder named the same as the user’s username should be present in the ftp root folder.
  • Isolate users has two new options; username directory with or without global virtual directories. Because of the domain authentication support for basic authentication you know need a folder which matches the domain name which will contain those domain users.

FTP7.5 – default FTP server in Windows Server 2008 R2

Filtering of file types, commands, directories  etc is now included in the FTP interface.

Configure Simple Mail Transfer Protocol (SMTP) services

By default logging is not configured, anonymous authentication is enabled, any computer can connect but relaying is prohibited unless the computer or user is authenticated.

SMTP E-Mail can be configured per server or per site to use a specific SMTP server or pickup directory; mailroot\pickup for local delivery, mailroot\queue for external delivery. Undeliverable messages are placed in the mailroot\badmail folder.

Outbound security can be configured if the SMTP server you connect to requires authentication.

Masquerade domain can be used to rewrite the from domain so all outgoing messages have a consistent from domain name.

LDAP routing allows the SMTP server to use LDAP queries to validate to and from addresses.

The domain defined within the SMTP server is used to stamp outgoing messages with the defined domain name; this should be a publicly resolvable domain name if this SMTP server sends messages externally.

To securely route email to external domains use remote domains within the SMTP console and specify security, smart hosts etc. An Alias domain uses the domain configuration of the primary domain.

Manage Internet Information Services (IIS)

World Wide Web Publishing Service (W3SVC)

This service manages the HTTP protocol and performance counters; w3svc is dependent on WAS and the HTTP service. The w3svc service can be configured to compress static and dynamic content before sending it over the wire.

ISAPI functionality allows developers to extend and modify the request capabilities of IIS; though it is more efficient to add managed or native modules.

w3svc logging can be configured per server or per site; server logging formats are binary and w3c. site logging formats are w3c, IIS, NCSA and custom i.e. odbc.

w3svc module configuration; modules can be added at server, site or application level, modules can be native or managed code. Url rewrite is an example module, as it HttpLoggingModule.

w3svc performance counters are HTTP specific counter for web sites e.g. HTTP Service\UriCacheHits

IIS backup and restore

IIS configuration is held in c:\inetpub\history\ – this should be included in any file system backups

The IIS configuration can be backed up using appcmd or simply by including c:\windows\system32\inetsrv\config\* in a file system backup.

appcmd add backup “IIS Backup…”

To get a list of backups use (these will be backups you have done manually or backups made by the configuration history service)

appcmd list backups

To restore IIS configuration use

appcmd restore backup “IIS Backup…”

Monitoring and logging web server activity

Failed request tracing

Failed request tracing captures and logs the problem allowing you to troubleshoot without having to reproduce it. Site level is where you enable or disable tracing and configure the log file settings such as … Application level is where you specify failure conditions which trigger failed event tracing and which events are written to the failed trace log.

Implementing failed request tracing here

To enable failed request tracing:

Inetmgr.exe > site > failed request tracing rules > edit site tracing > check enable

appcmd configure trace “Default Web Site” /enablesite

To disable failed request tracing:

Inetmgr.exe > site > failed request tracing rules > edit site tracing > uncheck enable

appcmd configure trace “Default Web Site” /disablesite

To create a failed request tracing rule:

Inetmgr.exe > site > failed request tracing rules > add… > follow wizard

appcmd configure trace “{site|application|page}” /enable /path:*|*.aspx|*.asp /areas:{trace provider/area} /verbosity:verbose|warning|general

HTTP logging

HTTP logging is the most commonly used to trace which pages have been visited etc. and from where. The logging fields can capture source IP, requested page, referring search engine etc.

HTTP logging can be configured to log all errors, all successful requests or all requests.

The server and sites can be configured to log different fields:

appcmd set config /section:sites -siteDefaults.logFile.logExtFileFlags:HttpSubStatus

Monitoring Worker Processes and executing requests

To view the current running worker processes:

inetmgr.exe > server node > worker processes


appcmd list wps


get-item iis:\AppPools\{AppPoolName}\WorkerProcesses

To view the current requests for a particular worker process

inetmgr.exe > server node > worker process > view current requests


appcmd list requests


get-item iis:\AppPools\{AppPoolName} | Get-WebRequest

The worker process and request views help debug slow and hanging application to memory leaks and other excessive resource hungry web applications.

If network bandwidth is an issue then web site limits allow you to throttle the bandwidth usage in bytes.

Delegating site and application management

Site and application management can be delegated out to IIS manager user accounts, Windows user accounts or Windows groups; these user accounts and groups can be granted permissions to specific site or application features via the IIS management service; connections to the management service are made over TCP 8172 using the HTTPS protocol.
The feature delegation section allows you to delegate specific features out to users e.g. a developer could configure the default documents for a site using the local web.config or a remote user could configure logging for their site only.

Configure SSL security

SSL certificate requests are generated at the server level, the request file is sent to the CA; the request is called a CSR; the CSR contains the distinguished name and public key; the private key is used to sign the CSR. The response from the CA will be signed by their private key.

Once the certificate request is complete the certificate can be used to create a secure binding on a website; if the certificate is a wildcard and you have multiple sites using the same domain name then the certificate can be used to create a secure bindings on all those sites. SSL host headers allow the secure sites to live on the same IP too.

When the secure binding is complete you can configure the site, application or folder to require SSL enabled connections.

Configure Web site authentication and permissions

Anonymous authentication

Used to serve content which is deemed freely viewable by all; the anonymous connection uses the builtin IUSR account or other defined account; this account will have read permissions on the content.

Forms authentication

Forms authentication uses HTTP 302 login / redirect responses to direct users to a login page (configure the Url property within the forms authentication settings). Forms authentication will be unencrypted unless the login page is secured using SSL. The user authentication is persisted across pages using a authentication cookie; the default timespan of the cookie is 30 minutes.

Challenge-based authentication

Challenge-based authentication uses HTTP 401 challenge response when the content is secured using NTFS file permissions. The authentication methods are:

  • Basic – encodes the users credentials; this authentication method should be secured with SSL.
  • Digest – uses HTTP 1.1 protocol and thus the browser must support this too; authentication is performed by a Windows Server 2008 domain controller.
  • Windows – uses NTLM or kerberos to validate users against the domain or local security database; used primarily in intranet environment where clients and servers are in the same domain.

ASP.NET impersonation

This allows the authenticated user to use the web application security context or other defined user or group to access the content.

Client certificates

Client certificates are used to validate whether a user can access the protected content; primarily used where end user certificates are managed by a systems administration team. The mapping types are:

  • One-to-one – the web server must have a copy of the client certificate; not scalable
  • Many-to-one – the web server validates the client by checking specific certificate information
  • Active Directory – only ever used where the system administrators have complete control

The above methods can be assigned at the server, site, application, virtual directory, folder or file level.

Authorisation rules allow you to protect content without using NTFS permissions; authorisation rules can also be used to deny or allow specific verbs i.e. POST, GET, TRACE etc.

.NET trust levels

  • Full – the application can do anything the account running it can do
  • High – same as full trust but restricted from calling unmanaged code, writing to the event log, accessing message queues, accessing ODBC, OleDB and Oracle data sources.
  • Meduim – same as high trust but restricted from access files outside of the applications directory, cannot access the registry or network and cannot make web service calls.
  • Low – same as medium but the application cannot write to file system or call the assert method; the assert method makes out-of-process calls to databases or the network.
  • Minimal – same as low except the application is restricted to basic processing e.g. calculating algorithms.

Custom trust levels can be defined by copying an existing trust policy file (c:\windows\Microsoft.NET\framework{64}\{v2.0.xxxxx|v4.0.xxxxx}\CONFIG\), naming it something else, then modifying the content e.g. copy medium trust and add the fileIOpermissions to read outside of the application directory

<IPermission class="fileIOPermission" version="1" Read="C:\Windows\temp;$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$" />

Add the custom trust level to the web.config within the same directory. Link

New features in Windows Server 2008 R2

Request filtering allows you to hide specific content using filtering rules.

FTP now supports SSL, IPv6 and UTF8 and uses the hierarchical XML configuration files. The FTP protocol can be bound to websites too.

Administration using PowerShell how has specific cmdlets.

One comment

  1. Pingback: MCTS 70-646 Provision applications | Notes from stuff I'm working on

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.