IIS Training
Answer: Internet Information Services (IIS), formerly called Internet Information Server, is a web server software application and set of feature extension modules created by Microsoft for use with Microsoft Windows.[2] IIS 7.5 supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It is an integral part of the Windows Server family of products (and their client counterparts in the cases of Windows NT 4.0 and Windows 2000), as well as certain editions of Windows XP, Windows Vista and Windows 7. IIS is not turned on by default when Windows is installed. The IIS Manager is accessed through the Microsoft Management Console or Administrative Tools in the Control Panel. All versions of IIS prior to 7.0 running on client operating systems supported only 10 simultaneous connections and a single web site. IIS is the third most popular server in the world, behind Apache HTTP Server and nginx (Engine-X). IIS dropped from the second most popular position at the end of 2011; during October of that year it held 14% of servers and responded to 12% of total requests.
NGINX, pronounced Engine-X, if you don't know it, is an open-source Web and reverse proxy server and e-mail proxy server to boot. It has been used for years on many popular Russian Web sites such as Yandex, Vkontakte, and Rambler. In recent years, it has been picked up by major Western sites including Facebook and Wordpress.com.
[Fragment of an IIS version-feature comparison table; only these cell values survive: 32-bit, TCP/IP kernel, binary Windows auth, SSL, Kerberos auth, SSL, .NET Passport support, Kerberos.]
IIS 5.0 shipped with Windows 2000 and introduced additional authentication methods, management enhancements including a new MMC-based administration application, support for the WebDAV protocol, and enhancements to ASP.[6] IIS 5.0 also dropped support for the Gopher protocol.[7] IIS 5.1 was shipped with Windows XP Professional, and was nearly identical to IIS 5.0 on Windows 2000. IIS 6.0, included with Windows Server 2003 and Windows XP Professional x64 Edition, added support for IPv6 and included a new worker process model that increased security as well as reliability.[8] IIS 7.0 was a complete redesign and rewrite of IIS, and was shipped with Windows Vista and Windows Server 2008. IIS 7.0 included a new modular design that allowed for a reduced attack surface and increased performance. It also introduced a hierarchical configuration system allowing for simpler site deploys, a new Windows Forms-based management application, new command-line management options and increased support for the .NET Framework.[9] IIS 7.0 on Vista does not limit the number of allowed connections as IIS on XP did, but limits concurrent requests to 10 (Windows Vista Ultimate, Business, and Enterprise Editions) or 3 (Vista Home Premium). Additional requests are queued, which hampers performance, but they are not rejected as with XP. IIS 7.5 is included in Windows 7 (but it must be turned on in the side panel of Programs and Features) and Windows Server 2008 R2. IIS 7.5 improved the WebDAV and FTP modules as well as command-line administration in PowerShell. It also introduced the Best Practices Analyzer tool and process isolation for application pools.[10] IIS 8.0 is only available in Windows Server 2012 and Windows 8. IIS 8.0 includes Application Initialization, centralized SSL certificate support, and multicore scaling on NUMA hardware, among other new features.
Question: In IIS 6.0, the core HTTP engine (HTTP.SYS) runs in kernel mode and all worker processes run in user mode. So what exactly is the difference between kernel mode and user mode programs?
Answer: User mode and kernel mode refer to the privilege level a process has over the system hardware. The closer a process gets to the hardware, the more sensitive the system is to a failure that process provokes. In any OS, you want to separate applications from OS services because you want the OS to remain functional if an application crashes. A typical OS architecture has two rings: one ring running in system (kernel) mode, and one ring running in user mode. The kernel has full control of the hardware and provides abstractions for the processes running in user mode. A process running in user mode cannot access the hardware directly and must use the abstractions provided by the kernel; it can call certain services of the kernel by making "system calls" (kernel calls). The kernel only offers the basic services; all others are provided by programs running in user mode. Kernel mode programs also run much faster than user mode programs, as they are much closer to the hardware.
Service                                          Description                                              Service name   DLL            Host process
World Wide Web Publishing Service (WWW service)  Delivers Web publishing services.
File Transfer Protocol (FTP)                     Allows file uploads and downloads from remote systems.   MSFTPSVC       Ftpsvc2.dll    Inetinfo.exe
Simple Mail Transfer Protocol (SMTP)             Sends and receives electronic messages (e-mail).         SMTPSVC        Smtpsvc.dll    Inetinfo.exe
Network News Transfer Protocol (NNTP)            Distributes network news messages.                       NNTPSVC        Nntpsvc.dll    Inetinfo.exe
IIS Admin Service                                Manages the metabase.                                    IISADMIN       Iisadmin.dll
Question
I need multiple FTP sites, but I only have one IP address. Can I use host headers to distinguish the FTP sites as I do for the websites?
Answer
No, you cannot use a Host header to distinguish FTP sites. The FTP protocol, specified by RFC 959, does not support the Host header. The Host header is specified in the HTTP RFC (2616) and is thus part of the HTTP protocol. HTTP and FTP are two totally different protocols, and an FTP client and server can only "talk" FTP. The only way to run multiple FTP sites (no matter what FTP server you have) is to use a unique port and IP address combination for each site.
Question: What is an application pool? Answer: Application pools are used to isolate our web applications for better security, reliability, availability and performance, so that they keep running without impacting each other. The worker process serves as the process boundary that separates each application pool, so that when one worker process or application has an issue or recycles, other applications or worker processes are not affected. One application pool can also have multiple worker processes.
Applications
An application is a group of files that delivers content or provides services over protocols, such as HTTP. When you create an application in IIS, the application's path becomes part of the site's URL. In IIS 7 and above, each site must have one application that is named the root application, or default application. However, a site can have more than one application. For example, you might have an online commerce Web site that has several applications, such as a shopping cart application that lets users gather items during shopping and a login application that allows users to recall saved payment information when they make a purchase. In addition to belonging to a site, an application belongs to an application pool, which isolates the application from applications in other application pools on the server. In the case of managed code applications, make sure to associate your application with an application pool that is running the .NET Framework version that your application requires. As described in the Sites section of this paper, IIS supports HTTP and HTTPS by default, but you can use additional protocols
How can we get the list of worker processes running in IIS along with the application pool name?
Posted by: Abhijit Jana
By running the iisapp.vbs script from the command prompt. Below are the steps:
1. Start > Run > Cmd
2. Go to Windows > System32
3. Run cscript iisapp.vbs
LocalSystem
The built-in LocalSystem user account has a high level of access privileges; it is part of the Administrators group. If a worker process identity runs as the LocalSystem user account, that worker process has full access to the entire system. When IIS 6.0 is running in IIS 5.0 isolation mode, this is the default user account for worker process identities. LocalSystem has one default user right, Full access.
Network Service
The built-in Network Service user account has fewer access privileges on the system than the LocalSystem user account, but the Network Service user account is still able to interact throughout the network with the credentials of the computer account. For IIS 6.0, it is recommended that the worker process identity that is defined for application pools run as the Network Service user account, which is the default setting. The following table shows the default user privileges for the Network Service account, along with how each privilege is derived.

Privilege                                                       Source
Replace a process-level token (SeAssignPrimaryTokenPrivilege)   Explicit assignment
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)   Explicit assignment
Generate security audits (SeAuditPrivilege)                     Explicit assignment
Bypass traverse checking (SeChangeNotifyPrivilege)              Through membership in the Everyone group
Local Service
The built-in Local Service user account has fewer access privileges on the computer than the Network Service user account, and those user privileges are limited to the local computer. Use the Local Service user account if the worker process does not require access outside the server on which it is running. The following table shows the default user privileges for the Local Service account, along with how each privilege is derived.

Privilege                                                       Source
Replace a process-level token (SeAssignPrimaryTokenPrivilege)   Explicit assignment
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)   Explicit assignment
Generate security audits (SeAuditPrivilege)                     Explicit assignment
Bypass traverse checking (SeChangeNotifyPrivilege)              Through membership in the Everyone group
IIS_WPG
The IIS_WPG group account has the minimum permissions and user privileges that are necessary to start and run a worker process on a Web server. Application pool identities must be members of this group so the application pool can register with Http.sys. The following table shows the default user privileges for the IIS_WPG account, along with how each privilege is derived.
IUSR_ComputerName
The IIS IUSR_ComputerName user account is for anonymous access to IIS. By default, when a user accesses a Web site that uses Anonymous authentication, that user is mapped to the IUSR_ComputerName account. The following table shows the default user privileges for the IUSR_ComputerName account, along with how each privilege is derived.
IWAM_ComputerName
The IIS IWAM_ComputerName user account is for starting out-of-process applications in IIS 5.0 isolation mode. The following table shows the default user privileges for the IWAM_ComputerName account, along with how each privilege is derived.
ASPNET
The built-in ASPNET user account is for running the ASP.NET worker process in IIS 5.0 isolation mode. The following table shows the default user privileges for the ASPNET account, along with how each privilege is derived.
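The following is an added example, not part of the training document or the posts it collects. It answers the iisapp.vbs question above for IIS 7.5 and later, where the WebAdministration module replaces the script, and it also reports the identity of each application pool against the accounts described in this section, flagging pools that run as LocalSystem. It assumes the WebAdministration module is installed and an elevated prompt.

```powershell
# Added example: map running w3wp.exe processes to their application pool and identity.
# Assumes IIS 7.0+ with the WebAdministration module; run elevated.
Import-Module WebAdministration

# Resolve the account a pool's worker process runs as (see the account descriptions above).
function Get-AppPoolIdentity {
    param([Parameter(Mandatory)][string]$PoolName)
    $pm = Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel
    if ("$($pm.identityType)" -eq 'SpecificUser') {
        return $pm.userName       # custom account: review its group memberships separately
    }
    return "$($pm.identityType)"  # ApplicationPoolIdentity, NetworkService, LocalService or LocalSystem
}

# One row per running worker process, or one row for a pool with no worker process.
function Get-WorkerProcessReport {
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $identity = Get-AppPoolIdentity -PoolName $pool.Name
        # LocalSystem is an Administrators-level account: a compromised worker process then owns the host.
        $risk = if ($identity -eq 'LocalSystem') { 'HIGH: worker process runs as LocalSystem' } else { '' }
        # Running w3wp.exe instances for the pool are listed under its WorkerProcesses node.
        $wps = @(Get-ChildItem "IIS:\AppPools\$($pool.Name)\WorkerProcesses" -ErrorAction SilentlyContinue)
        if ($wps.Count -eq 0) {
            [pscustomobject]@{ AppPool = $pool.Name; ProcessId = $null; Identity = $identity; State = "$($pool.state)"; Risk = $risk }
            continue
        }
        foreach ($wp in $wps) {
            [pscustomobject]@{ AppPool = $pool.Name; ProcessId = $wp.processId; Identity = $identity; State = "$($pool.state)"; Risk = $risk }
        }
    }
}

Get-WorkerProcessReport | Sort-Object Risk -Descending | Format-Table -AutoSize
```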
What are the Different steps to be followed to get SSL(Secure Sockets Layer) for our Web Application ?
Posted by: Chvrsri
- Initially we have to generate a certificate request from our IIS.
- Now we have to request a certificate from the certificate authority (CA). This CA is an entity which issues digital certificates.
- After receiving the certificate we have to install that particular certificate on our Web Server using IIS.
- We have to use Secure Hyper Text Transfer Protocol (HTTPS) when accessing secure pages in our application.
By this way we could make our web page SSL protected.
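The four steps above, scripted for IIS 7.5 and later instead of the IIS Manager wizard. This is an added example, not code from the post or from Microsoft; it assumes the in-box certreq.exe, the WebAdministration module, an elevated prompt, and that the CA hands back the issued certificate as C:\certs\www.cer. The host name, site name and paths are placeholders.

```powershell
# Added example: generate a CSR, install the issued certificate, and bind HTTPS on port 443.
# Assumes IIS 7.5+ with the WebAdministration module and certreq.exe; run elevated.
Import-Module WebAdministration

$HostName = 'www.example.com'   # placeholder: the site's public name
$SiteName = 'Default Web Site'  # placeholder
$ReqDir   = 'C:\certs'          # placeholder

# Step 1: generate the certificate request; the private key stays in the machine store, non-exportable.
$inf = @"
[NewRequest]
Subject = "CN=$HostName"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256
[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.1 = Server Authentication
OID = 1.3.6.1.5.5.7.3.1
"@
New-Item -ItemType Directory -Path $ReqDir -Force | Out-Null
Set-Content -Path "$ReqDir\www.inf" -Value $inf
certreq.exe -new "$ReqDir\www.inf" "$ReqDir\www.req"

# Step 2: submit $ReqDir\www.req to the CA. A public CA returns a .cer to download;
# an enterprise CA can be driven directly, e.g.:
# certreq.exe -submit -config "CA-HOST\CA-NAME" "$ReqDir\www.req" "$ReqDir\www.cer"   # placeholders

# Step 3: install the issued certificate; -accept pairs it with the pending private key.
certreq.exe -accept "$ReqDir\www.cer"

# Step 4: bind HTTPS and attach the newest certificate for the host that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$HostName" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $HostName" }

if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
# The SslBindings drive maps IP!port to a certificate; 0.0.0.0 means all addresses.
# An existing entry is left alone here; remove it first if you are replacing the certificate.
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

# Check: the binding now carries the intended thumbprint; secure pages are then reached over https://.
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Thumbprint -AutoSize
```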
What are the Different Authentication Methods(Using Windows Authentication) which are provided by IIS ?
Posted by: Chvrsri
Generally IIS provides four different kinds of authentication methods. They are:
- Anonymous Method: If we select this authentication, IIS doesn't perform any authentication, so that anyone can access the application.
- Basic Method: If we select this method, the user who accesses the application should provide a Windows username and password to access the application. However, this is sent through a network by transmitting direct text, so it is very insecure.
- Digest Method: This method is almost equal to the Basic method, but the difference is that the password is hashed before it is transmitted throughout a network.
- Windows Integrated Method: In this the application uses the Kerberos protocol to validate (authenticate) the user. This uses secret key cryptography, which provides strong authentication for client/server applications.
This article describes how to configure Microsoft Internet Information Services (IIS) Web site authentication in Windows Server 2003. You can configure IIS to authenticate users before they are permitted access to a Web site, a folder in the site, or even a particular document contained in a folder in the site. Authentication in IIS can be used to strengthen the level of security on sites, folders, and documents that are not to be viewed by the general public. Authentication in IIS is critical when resources are not meant for anonymous or public access, but when the Web server must be accessible to approved users over the Internet. Examples of Web site applications that require authentication access control include Microsoft Outlook Web Access (OWA) and the Microsoft Terminal Services Advanced Client.
of the server on which IIS is running. By default, the IUSR_ComputerName account is a member of the Guests group. This group has security restrictions, imposed by NTFS file system permissions, that designate the level of access and the type of content that is available to public users. To edit the Windows account used for anonymous access, click Browse in the Anonymous access box.
Important: If you turn on anonymous access, IIS always tries to authenticate users by using anonymous authentication first, even if you turn on additional authentication methods.
Integrated Windows authentication: Formerly named NTLM or Windows NT Challenge/Response authentication, this method sends user authentication information over the network as a Kerberos ticket, and provides a high level of security. Windows Integrated authentication uses Kerberos version 5 and NTLM authentication. To use this method, clients must use Microsoft Internet Explorer 2.0 or later. Additionally, Windows Integrated authentication is not supported over HTTP proxy connections. This option is best used for an intranet, where both the user and Web server computers are in the same domain, and administrators can make sure that every user is using Internet Explorer 2.0 or later.
Note: If multiple authentication options are selected, IIS tries to negotiate the most secure method first, and then it works down the list of available authentication protocols until a mutual authentication protocol is supported by both client and server.
Digest authentication for Windows domain servers: Digest authentication requires a user ID and password, provides a medium level of security, and may be used when you want to grant access to secure information from public networks. This method offers the same functionality as basic authentication. However, this method transmits user credentials across the network as an MD5 hash, or message digest, from which the original user name and password cannot be deciphered. To use this method, clients must use Microsoft Internet Explorer 5.0 or later. If you turn on digest authentication, type the realm name in the Realm box.
Basic authentication (password is sent in clear text): Basic authentication requires a user ID and password, and provides a low level of security. User credentials are sent in clear text across the network. This format provides a low level of security because the password can be read by almost all protocol analyzers. However, it is compatible with the widest number of Web clients. This option is best used when you want to grant access to information with little or no need for privacy. If you turn on basic authentication, type the domain name that you want to use in the Default domain box. You can also optionally enter a value in the Realm box.
Microsoft .NET Passport authentication: .NET Passport authentication provides single sign-in security, which provides users with access to diverse services on the Internet. When you select this option, requests to IIS must contain valid .NET Passport credentials on either the query string or in the cookie. If IIS does not detect .NET Passport credentials, requests are redirected to the .NET Passport logon page.
Note: When you select this option, all other authentication methods are unavailable (appear dimmed).
6. Another type of authentication is based on the requesting host instead of on user credentials. You can limit access based on source IP address, source network ID, or source domain name. To configure this type of authentication, follow these steps:
a. Under IP Address and Domain Name Restrictions, click Edit.
b. Do one of the following:
   To deny access, click Granted Access, and then click Add. In the Deny Access On dialog box that appears, specify the option that you want, and then click OK. The computer, group of computers, or domain that you specified is added to the list.
   To grant access, click Denied Access, and then click Add. In the Grant Access On dialog box that appears, select the option that you want, and then click OK. The computer, group of computers, or domain that you selected is added to the list. Click OK.
c. Click OK, and then quit IIS Manager or close the IIS snap-in.
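An added example (not from the article or the posts above) that audits what the article configures by hand: for each site it reads which of the four authentication methods are enabled and flags the combinations the text describes as weak, namely Basic on a site without an HTTPS binding (credentials cross the wire in clear text) and Anonymous left on beside credentialed methods (IIS tries anonymous first). It assumes IIS 7.0 or later with the WebAdministration module; IIS 6 keeps the same settings in the metabase and is not covered.

```powershell
# Added example: report per-site authentication settings and flag weak combinations.
# Assumes IIS 7.0+ with the WebAdministration module; run elevated.
Import-Module WebAdministration

$AuthBase = 'system.webServer/security/authentication'
$Methods  = 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication', 'windowsAuthentication'

# Read one method's 'enabled' flag for a site's <location> entry in applicationHost.config,
# which is where IIS Manager stores these settings.
function Get-AuthEnabled {
    param([string]$SiteName, [string]$Method)
    $v = Get-WebConfigurationProperty -Filter "$AuthBase/$Method" -Name enabled -PSPath 'IIS:\' -Location $SiteName
    if ($v -is [bool]) { return $v }
    return [bool]$v.Value   # the cmdlet normally returns a ConfigurationAttribute wrapper
}

function Get-SiteAuthReport {
    foreach ($site in Get-Website) {
        $on = @{}
        foreach ($m in $Methods) { $on[$m] = Get-AuthEnabled -SiteName $site.Name -Method $m }
        $hasHttps = [bool](Get-WebBinding -Name $site.Name -Protocol https)

        $findings = @()
        if ($on.basicAuthentication -and -not $hasHttps) {
            $findings += 'Basic without HTTPS: credentials cross the network in clear text'
        }
        if ($on.anonymousAuthentication -and ($on.basicAuthentication -or $on.digestAuthentication -or $on.windowsAuthentication)) {
            $findings += 'Anonymous enabled beside credentialed methods: anonymous is tried first'
        }
        if ($on.digestAuthentication) {
            $findings += 'Digest in use: MD5 digest, medium security; prefer Integrated Windows inside the domain'
        }
        [pscustomobject]@{
            Site      = $site.Name
            Anonymous = $on.anonymousAuthentication
            Basic     = $on.basicAuthentication
            Digest    = $on.digestAuthentication
            Windows   = $on.windowsAuthentication
            HTTPS     = $hasHttps
            Findings  = ($findings -join '; ')
        }
    }
}

Get-SiteAuthReport | Format-Table -AutoSize
```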
Troubleshooting
You may be prompted to apply any changes that you have made to existing sites. If you want the authentication changes applied to other content, click the content from the list of child nodes, and then click OK. If you do not want the changes applied to any of the child nodes, do not select any items on the list, and then click OK. In IIS, you can set authentication options at the Web site, directory, or file level. The same principles that are discussed in this article apply to each.
Whenever a Web server does something to serve a Web page, a status code is generated and written to the log file for that Web server. The most common status code is "200" - which means the page or resource was found. The next most common status code is "404" - which means the requested resource was not found on the server.
When a page is redirected with a server-level redirect, one of the 300-level status codes is reported. The most common are 301 permanent redirect and 302 - temporary redirect.
301 redirects are permanent. They mean that the page has moved, and they request any search engine or user agent coming to the page to update the URL in their database. This is the most common type of redirect that people should use.
But they don't use it. Instead they use the meta refresh tag or 302 server redirects. And this is a dangerous practice. Search engines don't like either of these redirection techniques because they are a common ploy for spammers to use to get more of their domains up in search engine results.
Another reason to use 301 redirects instead is that then your URLs maintain their link popularity. If you set up 302 redirects, Google and other sites that determine popularity ratings assume that the link is eventually going to be removed. After all, it's a temporary redirect. So the new page doesn't have any of the link popularity associated with the old page. It has to generate that popularity on its own.
Don't look like a spammer. If you're changing your site's domain name, you should definitely not use a 302 redirect. This almost screams "spammer" and is a good way to get all your domains blocked from Google and other search engines. If you have several domains that all need to point to the same place you should use the 301 server redirect. This is common practice for sites to buy additional domains with spelling errors (www.gooogle.com) or for other countries (www.symantec.co.uk), and then redirect them to the primary Web site. As long as you use a 301 redirect, you won't be penalized in search engines.
The best reason to use a 302 redirect is to keep your ugly URLs from being indexed permanently by search engines. For example, if your site is built by a database, you might redirect your homepage from a URL like:
http://www.about.com/
To a URL with lots of parameters and session data on it, that would look like this:
http://www.about.com/home/redir/data?sessionid=123478&id=3242032474734239437&ts=3339475
When a search engine picks up your home page URL, you want them to recognize that the long URL is the correct page, but not define that URL in their database. In other words, you want the search engine to have "http://www.about.com/" as your URL.
If you use a 302 server redirect, you can do that, and most search engines will accept that you're not a spammer.
1. Don't redirect to other domains. While this is certainly possible to do with a 302 redirect, it has the appearance of being much less permanent.
2. Large numbers of redirects to the same page. This is exactly what spammers do, and unless you want to be banned from Google it's not a good idea to have more than 5 URLs redirecting to the same location.
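The domain-consolidation case described above, as an added example that is not part of the original text: an IIS 7+ site that exists only to catch a secondary domain (a misspelling, a country domain) is configured to answer 301 Moved Permanently instead of 302, and a small probe then reads the status code exactly as a search engine or user agent would, without following the redirect. It assumes the WebAdministration module and a site named 'Alias Site' (placeholder) bound to the secondary host name; the primary and probe URLs are placeholders too.

```powershell
# Added example: make an alias site answer 301 (not 302) to the primary site, then verify.
# Assumes IIS 7.0+ with the WebAdministration module; run elevated.
Import-Module WebAdministration

$AliasSite   = 'Alias Site'               # placeholder: the site bound to the secondary domain(s)
$PrimaryHost = 'http://www.example.com'   # placeholder: where those domains should land (no trailing slash)

# httpResponseStatus 'Found' would be the temporary 302 the text warns against; 'Permanent' is 301.
$redirect = 'system.webServer/httpRedirect'
$sitePath = "IIS:\Sites\$AliasSite"
Set-WebConfigurationProperty -Filter $redirect -PSPath $sitePath -Name enabled            -Value $true
Set-WebConfigurationProperty -Filter $redirect -PSPath $sitePath -Name destination        -Value $PrimaryHost
Set-WebConfigurationProperty -Filter $redirect -PSPath $sitePath -Name exactDestination   -Value $false   # keep the requested path
Set-WebConfigurationProperty -Filter $redirect -PSPath $sitePath -Name httpResponseStatus -Value 'Permanent'

# Ask the alias site directly and do not follow the redirect, so its own status code is what we read.
function Test-RedirectStatus {
    param([Parameter(Mandatory)][string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'HEAD'
    $req.AllowAutoRedirect = $false   # a 3xx answer is returned, not thrown, when redirects are not followed
    $resp = $req.GetResponse()
    try {
        [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] }
    } finally {
        $resp.Close()
    }
}

# Expected: Status 301 and a Location on the primary site carrying the same /some/page path.
Test-RedirectStatus -Url 'http://alias.example.com/some/page'   # placeholder host
```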