Study and learning note
Backup of configuration (note: this covers only the configuration, not site content files):
Purpose:
- Speeds recovery in case of loss or damage from a security breach
- Minimizes the work required to move a site to a different server or directory
- Lets the same configuration be reused when scaling out to more servers for load balancing, reducing configuration work
Location of active configuration: %SystemRoot%\System32\inetsrv\config
System automatic backup: IIS checks "administration.config" and "applicationHost.config" for changes every 2 minutes and keeps 10 copies. The location is %SystemDrive%\inetpub\history. To roll back, copy the files from a history folder back to the active configuration folder.
Manual backup: Use appcmd.exe, which is located in %SystemRoot%\System32\inetsrv.
Syntax:
AppCmd add backup "BackupName"
- The BackupName parameter is optional.
- A backup consists of a set of .xml and .config files
AppCmd list backups
AppCmd restore backup "BackupName"
Monitor IIS
Two monitoring features added to IIS 7:
- Real-time status of application pools, sites, worker processes, application domains, and running requests: click the server name (not the site name) first, then click "Worker Processes".
  - Metrics: percentage of CPU; amount of memory being consumed
  - Others: worker processes; process ID; state
- Failed request tracing: ability to create detailed trace event logs in XML format.
  - Allows you to create a log file of failed requests for a specific site
  - Enables quick identification of problem areas
  - More efficient than trying to locate specific error transactions in a log file
  - Location: %SystemDrive%\inetpub\logs\FailedReqLogFiles
  - Number of trace file versions kept: 10
- Configure logging
  - Can help track usage trends for capacity planning and resource allocation
  - Standard location: %SystemDrive%\inetpub\logs\LogFiles
  - W3C log file format is the default: a customizable text-based format
  - Log file rollover: default is to roll over daily
  - Third-party analysis software: AWStats (open source); Sawmill (commercial)
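As an added example (not part of the original note), the following Python reads an IIS W3C log the way the format requires, taking the column names from the #Fields directive rather than assuming a fixed layout, and tallies failed requests by URI and status.substatus. The log lines are constructed samples.

```python
import sys
from collections import Counter

# Constructed sample in IIS W3C extended format. The #Fields line defines the
# columns; sc-substatus refines sc-status (500.19 is IIS's "configuration data is invalid").
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-03-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-03-10 08:01:12 10.0.0.5 GET /default.htm - 80 - 10.0.0.20 Mozilla/5.0 200 0 0 15
2013-03-10 08:01:13 10.0.0.5 GET /cgi-bin/awstats.pl config=site 80 - 10.0.0.20 Mozilla/5.0 500 0 0 230
2013-03-10 08:01:14 10.0.0.5 GET /cgi-bin/awstats.pl config=site 80 - 10.0.0.21 Mozilla/5.0 500 19 5 12
2013-03-10 08:01:15 10.0.0.5 POST /connect - 80 - 10.0.0.22 Mozilla/5.0 404 0 2 3
"""


def parse_w3c_log(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directives: #Software, #Version, #Date, #Fields. Only #Fields matters here.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def failed_requests_by_uri(text, min_status=400):
    """Count (cs-uri-stem, 'status.substatus') pairs with sc-status >= min_status."""
    counts = Counter()
    for entry in parse_w3c_log(text):
        status = int(entry["sc-status"])
        if status >= min_status:
            counts[(entry["cs-uri-stem"], f"{status}.{entry['sc-substatus']}")] += 1
    return counts


if __name__ == "__main__":
    # Usage: python w3c_failed.py %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\u_exYYMMDD.log
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (uri, status), n in failed_requests_by_uri(log_text).most_common():
        print(f"{n:5d}  {status:8}  {uri}")
```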
Delegation of administrative rights
Custom site delegation allows adjustment of settings on a site-by-site basis.
Two types of credentials:
- Windows credentials
- IIS Manager credentials
IIS Manager users are stored in IIS itself; they have access only to IIS.
Three delegation choices:
- Read/Write
- Read Only
- Not Delegated
Users who want to manage sites remotely can download IIS 7 Manager from the Microsoft Download Center.
Choose to enable remote connections:
- Can also specify which identity credentials to use
- Default remote management port is 8172
- Can restrict access to specific IP addresses to reduce the server's attack surface
SSL security
Secure Sockets Layer is a method for securing communication between a web server and a web client.
Symmetric or asymmetric encryption:
Symmetric:
- Same key for locking and unlocking
- Fast to encrypt and decrypt
- Hard to share the key over a network; key distribution is a security problem
Asymmetric:
+++
Reliably identifies the server to the client:
- The server must have a server certificate.
- The certificate is generated by a third-party certificate authority (CA).
- A self-signed certificate may be used for a test or development environment.
Lab reflection
1. AWStats: To install AWStats, we need
- Perl to be installed first.
- Then, add the CGI module: open Server Roles, right-click the IIS server, add role, and check CGI under "Application Development".
- Then we need to tell IIS to execute .pl files by adding a script map:
  - Open Internet Information Services Manager and open the Handler Mappings interface.
  - Click on the action "Add Script Map".
  - To allow IIS to execute Perl script files (.pl), configure the new script mapping with the following settings:
    - Request path: *.pl
    - Executable: C:\perl\bin\perl.exe "%s" %s (where C:\perl is the location where you extracted the Perl binaries)
    - Name: Perl-pl
  - In the Request Restrictions dialog, set the Verbs tab to allow the following: GET,HEAD,POST.
  - Additionally, if Perl scripts will be deployed as CGI files (.cgi), a script mapping will need to be configured for this file type as well:
    - Request path: *.cgi
    - Executable: C:\perl\bin\perl.exe "%s" %s
    - Name: Perl-cgi
    - Verbs: GET,HEAD,POST
After that, we can follow the installation instructions from the AWStats website.
2. Problem: The "IIS Manager" option under "IIS Manager permissions" is greyed out. Enable remote connections so that Windows users and IIS Manager users can connect to this computer by using IIS Manager on their computers. By default, the Management Service allows connections only from users that have Windows credentials, but you can configure it to also allow connections from users with IIS Manager credentials.
3. WSUS causing IIS Buffer Overflow
WSUS adds a global compression section to the root iis schema. The files needed for this compression are of course removed when WSUS is uninstalled, but the changes to the iis schema remain.
I ran the following command to list the http compression options:
C:\Windows\System32\inetsrv>appcmd.exe list config -section:system.webServer/httpCompression
This gave me:
<system.webServer>
  <httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
    <staticTypes>
      <add mimeType="text/*" enabled="true" />
      <add mimeType="message/*" enabled="true" />
      <add mimeType="application/javascript" enabled="true" />
      <add mimeType="application/atom+xml" enabled="true" />
      <add mimeType="application/xaml+xml" enabled="true" />
      <add mimeType="*/*" enabled="false" />
    </staticTypes>
    <dynamicTypes>
      <add mimeType="text/*" enabled="true" />
      <add mimeType="message/*" enabled="true" />
      <add mimeType="application/x-javascript" enabled="true" />
      <add mimeType="application/javascript" enabled="true" />
      <add mimeType="*/*" enabled="false" />
    </dynamicTypes>
    <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
    <scheme name="xpress" doStaticCompression="false" doDynamicCompression="true" dll="C:\Program Files\Update Services\WebServices\suscomp.dll" staticCompressionLevel="10" dynamicCompressionLevel="0" />
  </httpCompression>
</system.webServer>
As you can see, the “xpress” section references a dll path that will no longer exist after WSUS is uninstalled. Since this is not present, all the web sites fail.
I ran:
appcmd set config -section:system.webServer/httpCompression /-[name='xpress']
You should get the following in response to the command:
Applied configuration changes to section "system.webServer/httpCompression" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
Running the list config as above now shows:
<system.webServer>
  <httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
    <staticTypes>
      <add mimeType="text/*" enabled="true" />
      <add mimeType="message/*" enabled="true" />
      <add mimeType="application/javascript" enabled="true" />
      <add mimeType="application/atom+xml" enabled="true" />
      <add mimeType="application/xaml+xml" enabled="true" />
      <add mimeType="*/*" enabled="false" />
    </staticTypes>
    <dynamicTypes>
      <add mimeType="text/*" enabled="true" />
      <add mimeType="message/*" enabled="true" />
      <add mimeType="application/x-javascript" enabled="true" />
      <add mimeType="application/javascript" enabled="true" />
      <add mimeType="*/*" enabled="false" />
    </dynamicTypes>
    <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
  </httpCompression>
</system.webServer>
This indicates the xpress section is now gone, and no longer looking for WSUS related files.
I ran iisreset after the change to reset all the iis services, and now my web pages work fine. I can access the default site as well as http://<server name>/connect.
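An added example, not from the original note: Python that parses the httpCompression section as appcmd prints it and reports every <scheme> whose dll path does not exist on disk, which is the leftover condition that broke the sites above. The sample XML is constructed from the output shown earlier, and the exists/env parameters are assumed hooks so the check can run offline or against a config copied from another machine.

```python
import os
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the appcmd output above: the "xpress" scheme
# still points at the WSUS dll after WSUS has been uninstalled.
SAMPLE_CONFIG = r"""<system.webServer>
  <httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
    <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
    <scheme name="xpress" doStaticCompression="false" doDynamicCompression="true"
            dll="C:\Program Files\Update Services\WebServices\suscomp.dll" />
  </httpCompression>
</system.webServer>"""

_VAR = re.compile(r"%([^%]+)%")


def expand_iis_vars(path, env):
    """Expand %VAR% references as IIS does; env keys must be upper-case."""
    return _VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def find_dangling_schemes(config_xml, exists=os.path.isfile, env=None):
    """Return (scheme name, expanded dll path) for each <scheme> whose dll is absent.

    exists and env are hooks assumed for this example; by default the real
    filesystem and process environment are used.
    """
    env = {k.upper(): v for k, v in (env if env is not None else os.environ).items()}
    root = ET.fromstring(config_xml)
    dangling = []
    for scheme in root.iter("scheme"):
        dll = expand_iis_vars(scheme.get("dll", ""), env)
        if not dll or not exists(dll):
            dangling.append((scheme.get("name"), dll))
    return dangling


if __name__ == "__main__":
    # On the server: appcmd list config -section:system.webServer/httpCompression > comp.xml
    # then: python check_compression.py comp.xml   (no argument runs the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, dll in find_dangling_schemes(text):
        print(f"scheme '{name}' references a missing dll: {dll}")
```

A scheme reported here is the one to remove with the appcmd command above, after taking a configuration backup.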
To enable remote connections and allow connections from Windows users and IIS Manager users:
- In IIS Manager, in the Connections pane, click the server node in the tree.
- Double-click Management Service to open the Management Service feature page.
References
- http://www.iis.net/learn/manage/remote-administration/configuring-remote-administration-and-feature-delegation-in-iis-7
- IIS_IUSR user: https://docs.microsoft.com/en-us/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis