
IIS7 For Non IIS PFEs

IIS presenter for the 2012 GeekReady, a Premier Field Engineer technical conference at Guarujá, Brasil.
GeekReady.


  1. - IIS 1.0, Windows NT 3.51, available as a free add-on (30 May 1995)
     - IIS 2.0, Windows NT 4.0 (29 July 1996)
     - IIS 3.0, Windows NT 4.0 Service Pack 2
     - IIS 4.0, Windows NT 4.0 Option Pack
     - IIS 5.0, Windows 2000 (17 February 2000)
     - IIS 5.1, Windows XP Professional and Windows XP Media Center Edition (requires retail CD) (October 25, 2001)
     - IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition (April 24, 2003)
     - IIS 7.0, Windows Server 2008 and Windows Vista (Home Premium, Business, Enterprise and Ultimate editions) (February 4, 2008)
     - IIS 7.5, Windows Server 2008 R2 and Windows 7 (Home Premium, Professional, Enterprise and Ultimate editions) (July 22, 2009)
     - IIS 8.0, Windows Server 2012 and Windows 8 (September 4, 2012)
     - IIS 8.5, Windows Server 2012 R2 and Windows 8.1 (April, 2014)
     - IIS 10, Windows Server 2016 and Windows 10 (August 19, 2015)

     • Apache – Apache
     • Apache – Tomcat
     • Nginx – Igor Sysoev
     • GWS – Google
     • Resin – Caucho Technology
     • Lighttpd – lighttpd
     • Sun Java System Web Server – Oracle
     • Jigsaw
     • Klone
     • Abyss
     • X5 (Xitami)
     • Zeus
     • MacHTTP
  2. - More Reliable: Scalable Web Infrastructure; Dynamic Caching and Compression; Powerful Diagnostic Tools
     - More Control: Centralized Web Management; Delegated Remote Management; Easy Application & Server Deployment
     - More Secure: Enhanced Server Protection; Secure Content Publishing; Improved Access Protection
     - More Choice: Built-in ASP.NET and PHP Support; Modular & Extensible Web Server; Intelligent Media Serving
  3. [Diagram: IIS architecture across user mode and kernel mode. Labels: Svchost.exe, Inetinfo.exe, WWW Service (w3svc), IIS Admin Service, metabase, FTP Service, SMTP Service, NNTP Service, LSASS.EXE, HTTPAPI, Winsock, TCPIP.SYS, HTTP.SYS, WAS, Configuration (applicationhost.config), SSL, Windows Auth, Application Pool (w3wp.exe), Web garden (w3wp.exe), and Worker Processes, each hosting ISAPI Extensions, ISAPI Filters and Managed Mods]
  4. [Diagram: request flow in 12 numbered steps across user mode and kernel mode, including the Configuration Store]
  5. - Fully extensible: supports custom modules
     - Minimal installation by default
     - Install and/or use only the modules you need
     - Over 40 feature modules: WindowsAuthModule, IPSecurityModule, ASP.NET, HttpLoggingModule, HTTPTracingModule, FTPManagement, HTTPDynamicCompression, ManagementScripting, ...
  6. - Use all administration tools
     - Firewall-friendly ports
     - HTTPS port 443
     - Restrict by IP, port, certificate, or log request
  7. Admin, Site Owner, Dev
     Delegated users can:
     - Manage unlocked settings for sites and applications
     - View, but not modify, locked settings
     - Add additional users
  8. - Error occurs, log is captured
     - Define custom error conditions
     - Capture traces when errors occur
     - Helps resolve complex and intermittent problems
  9. [Diagram labels: Enhanced IIS 7.5 Platform; IIS 7.0 Platform; Extensions Add Further Functionality; Some Extensions Integrated]
  10. http://www.site.com/photos.aspx?user=ben&id=5
      http://www.site.com/photos/ben/5/
      Controller, Primary, Secondary

Editor's Notes

  • First we will see the new IIS architecture and how IIS is composed internally
    The new and better configuration store and how it differs from the previous version of IIS
    Delegate Site Configuration: a powerful feature that allows administrators to delegate changes and configuration of some IIS features to department administrators and even web developers
    Failed Request Tracing: a new addition to help you troubleshoot issues in applications running inside IIS. We are talking about the most common IIS problems: hangs, crashes, performance issues
    A series of native or managed modules that you can add to extend the possibilities of IIS, among others: Database Manager, Web Farm Framework, Advanced Logging
  • IIS7.5

  • Title: Internet Information Services
     
    Talking Points:
    Internet Information Services (IIS) is the Web publishing platform in Windows Server® 2008 that enables organizations to deliver rich Web-based experiences. Extensible Web features in IIS provide easy-to-use tools to aid your customers in administration, diagnostics, and management. IIS is a customizable platform with .NET extensibility. It provides enhanced reliability, security, and failure recovery via efficient management and deployment tools.

    IIS provides a variety of benefits for your customers’ business managers, technical staff, and for Web hosting, including:

    More Reliable
    Increased availability through dynamic request handling, improved caching, and powerful troubleshooting tools
    Scalable Web Infrastructure
    Implement a scalable Web infrastructure with HTTP-based load balancing and intelligent request handling and routing
    URL Rewriter, Application Request Routing
    Dynamic Caching & Compression
    Improve performance by enabling high-speed dynamic caching and compression
    User-Mode Caching, Kernel-Mode Caching, Static and Dynamic Compression
    Powerful Diagnostic Tools
    Find and fix issues quickly and easily with powerful diagnostic tools
    Detailed Errors, Failed Request Tracing, [**Configuration Logging, Best Practice Analyzer]
     
    More Control
    Simplified, distributed management through set of customizable administrative tools with easier application deployment for developers
    Centralized Web Management
    Configure and manage your Web infrastructure from one place through a wide selection of administration tools
    IIS Manager, Database Manager, Windows PowerShell Snap-In, AppCmd, Shared Configuration, .NET Web Administration, WMI
    Delegated Remote Management
    Delegate site configuration management and publishing to remote users
    Feature Delegation, IIS Manager for Remote Administration
    Easy Application & Server Deployment
    Archive, package, migrate, and deploy complete applications and Web servers more easily
    Web Deployment Tool
     
    More Secure
    Improved security and server protection through reduced server footprint, enhanced publishing, and request filtering capabilities
    Enhanced Server Protection
    Maximize Web site security through reduced server footprint and automatic application isolation
    Server Core, Modular Architecture, Application Pool Isolation
    Secure Content Publishing
    Publish Web content more securely using standards-based protocols
    FTP, WebDAV
    Improved Access Protection
    Protect Web server and Web applications from malicious requests and unauthorized access
    Request Filtering, URL Scan, URL Rewriter, URL Authorization, Dynamic IP Restrictions
     
    More Choice
    Flexible platform with enhanced support for multiple application development platforms and media content delivery
    Built-in ASP.NET & PHP Support
    Develop and deploy ASP.NET and PHP applications together on a flexible Web platform
    Web Platform Installer, FastCGI, Integrated Pipeline
    Modular & Extensible Web Server
    Deploy a streamlined, modular, and extensible Web server
    Server Core, Modular Architecture, .NET Extensibility, ISAPI Extensions and Filters
    Integrated Media Platform
    Optimize bandwidth and set content delivery options through intelligent media serving in an integrated HTTP-based media delivery platform
    Smooth Streaming, Live Smooth Streaming, Advanced Logging, Bit Rate Throttling, Web Playlists
     
    **Configuration Logging and Best Practice Analyzer are available only in Windows Server 2008 R2
      

    Additional Information:
    IIS 7.0 online: http://learn.iis.net/
  • Talking Points:
    IIS 7.0 contains many features with easy-to-use options that let organizations simplify Web server management. Enhancements in IIS 7.0 include XML-based configuration, installing IIS 7.0 with Server Core, support for existing extensions and filters, modular components, enhanced administration tools, feature delegation, remote connection features, automatic pool isolation, extensive diagnostic and troubleshooting tools, FTP publishing, integrated pipeline, managing IIS 7.0 using scripting or the command line, and the ability to host PHP applications on IIS 7.0.

    XML Configuration IIS 7.0 allows you to store IIS configuration settings in web.config files. The changes in configuration storage make it much easier to use Xcopy to deploy applications across multiple front-end Web servers to reduce costly, error-prone replication and manual synchronization issues.

    Server Core To further limit security exposure, administrators can choose to install a minimal environment with the Server Core installation option of Windows Server 2008. Server Core omits graphical services and most libraries, in favor of a stripped-down, command-line-driven system.

    Modular Components IIS 7.0 is made up of more than 40 separate feature modules. Installing only required modules helps reduce administrative overhead.

    Enhanced Tools IIS 7.0 extensibility includes a new managed administration application programming interface (API) that can be used to administer the Web server or build extensions to the IIS administration user interface. Configuration, scripting, event logging, and administration tools are also expanded.

    Remote Management IT staff can use the IIS Manager GUI to administer the server both locally and remotely. IIS Manager uses HTTPS for communication with the server if IIS Manager is used remotely.

    PHP Hosting Capable IT professionals can now host PHP and other FastCGI-compliant applications on IIS 7.0. This change means that companies can consolidate Web application hosting on Windows Server 2008. With PHP support on Windows Server, IT administrators can host and manage multiple application frameworks on a single Windows operating system.

    Delegation of Administrative Control The delegation feature in IIS 7.0 enables those who host or administer Web sites or Windows Communication Foundation (WCF) services to delegate administrative control to developers or content owners. Delegation helps to reduce cost of ownership and administrative burden for server administrators. In a hosted scenario, hosters can provide customers with the ability to remotely manage their own sites and applications, without having administrative access to the server. In a datacenter environment, IT staff can delegate administration for portions of the corporate site to designated departmental site owners.

    Diagnostics and Troubleshooting IIS 7.0 provides a clear view of internal diagnostic information about IIS, and it collects and exposes detailed diagnostic events to aid troubleshooting for application code or configuration issues.

    Automatic Application Pool Isolation By default, IIS 7.0 assigns all worker processes a unique identity and separated configuration.

    Modern FTP Publishing FTP publishing support is provided in a new, enhanced version of the Microsoft FTP Server, FTP 7. It is available as a free download from www.iis.net. The downloadable FTP server includes secure publishing with FTP/SSL support as well as integrated Web publishing with support for the IIS 7.0 configuration system and administration tool. Using the new FTP makes it easy to set up FTP publishing points for a Web application and to use integrated authentication.

    Integrated Pipeline In IIS 7.0, both native and managed code requests are processed by default through an integrated pipeline. The integrated pipeline allows for different application frameworks to run within a single Web server request pipeline, offering built-in ASP.NET extensibility for all applications.

    Command-Line and Script Management IIS 7.0 provides extensive support for configuration and management using scripts and the command-line utility AppCmd.
  • - TCPIP.SYS: protocol driver for TCP, UDP, IP, ARP, ICMP, and IGMP; it is located in the folder C:\Windows\System32\drivers
    - HTTP.SYS: The HTTP listener is implemented as a kernel-mode device driver called the HTTP protocol stack (HTTP.sys). IIS 6.0 uses HTTP.sys, which is part of the networking subsystem of the Windows operating system, as a core component.
    - Winsock: IIS 5 uses the Windows Sockets API (Winsock), which is a user-mode component, to receive HTTP requests. Winsock is the Windows counterpart of the Berkeley UNIX sockets.
    - HTTPAPI: this is HTTPAPI.dll
    - LSASS.EXE (Local Security Authority Subsystem Service): in IIS 6 it included SSL and Windows authentication; these moved to the kernel (HTTP.sys) in IIS 7
    - Inetinfo.exe (IIS Admin Service): Enables this server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. If this service is stopped, the server will be unable to configure SMTP or FTP. If this service is disabled, any services that explicitly depend on it will fail to start.
    - W3svc (World Wide Web Publishing Service): Provides Web connectivity and administration through the Internet Information Services Manager
    - W3wp.exe:
    - WMSVC (C:\Windows\system32\inetsrv\wmsvc.exe): The Web Management Service enables remote and delegated management capabilities for administrators to manage the Web server, sites and applications present on this machine.
    - WAS: Activation, resource management and health management of worker processes. Allows the management of HTTP and non-HTTP sites


    ISAPI Extensions: ISAPI extensions are implemented as DLLs that are loaded into a process that is controlled by IIS. Example: ASP.dll
    ISAPI Filters: ISAPI filters are DLL files that can be used to modify and enhance the functionality provided by IIS. ISAPI filters always run on an IIS server, filtering every request until they find one they need to process. The ability to examine and modify both incoming and outgoing streams of data makes ISAPI filters powerful and flexible. They can:

    Change request data (URLs or headers) sent by the client
    Control which physical file gets mapped to the URL
    Control the user name and password used with anonymous or basic authentication
    Modify or analyze a request after authentication is complete
    Modify a response going back to the client
    Run custom processing on "access denied" responses
    Run processing when a request is complete
    Run processing when a connection with the client is closed
    Perform special logging or traffic analysis.
    Perform custom authentication.
    Handle encryption and compression.

  • Request is picked up by HTTP.SYS
    HTTP.SYS lets W3SVC know of the request.
    W3SVC talks to WAS to let it know of the request.
    WAS talks to the configuration store to identify the application pool that would host the request.
    The Configuration Store sends that information to WAS.
    WAS (Windows Process Activation Service) then creates the worker process.
    Once the worker process is successfully up and running, it lets WAS know of its status.
    WAS lets the W3SVC know of the availability of the worker process
    W3SVC lets HTTP.SYS know about the worker process
    HTTP.SYS sends the request to the worker process
    Worker Process executes the request and sends the response to HTTP.SYS
    HTTP.SYS sends the response to the client.


    Non-HTTP listeners and requests
    In the case of WCF, a listener adapter includes the functionality of a protocol listener. So, a WCF listener adapter, such as NetTcpActivator, is configured based on information from WAS. Once NetTcpActivator is configured, it listens for requests that use the net.tcp protocol. For more information about WCF listener adapters, see WAS Activation Architecture on MSDN.


  • Integrated application pool mode
    When an application pool is in Integrated mode, you can take advantage of the integrated request-processing architecture of IIS and ASP.NET. When a worker process in an application pool receives a request, the request passes through an ordered list of events. Each event calls the necessary native and managed modules to process portions of the request and to generate the response.
    There are several benefits to running application pools in Integrated mode. First the request-processing models of IIS and ASP.NET are integrated into a unified process model. This model eliminates steps that were previously duplicated in IIS and ASP.NET, such as authentication. Additionally, Integrated mode enables the availability of managed features to all content types.
    Classic application pool mode
    When an application pool is in Classic mode, IIS 7 and above handles requests in the same way as in IIS 6.0 worker process isolation mode. ASP.NET requests first go through native processing steps in IIS and are then routed to Aspnet_isapi.dll for processing of managed code in the managed runtime. Finally, the request is routed back through IIS to send the response.
    This separation of the IIS and ASP.NET request-processing models results in duplication of some processing steps, such as authentication and authorization. Additionally, managed code features, such as Forms authentication, are only available to ASP.NET applications or applications for which you have script mapped all requests to be handled by aspnet_isapi.dll.
    Be sure to test your existing applications for compatibility in Integrated mode before upgrading a production environment to IIS 7 and above and assigning applications to application pools in Integrated mode. You should only add an application to an application pool in Classic mode if the application fails to work in Integrated mode. For example, your application might rely on an authentication token passed from IIS to the managed runtime, and, due to the new architecture in IIS 7 and above, the process breaks your application.
  • IIS 7 uses a new XML-based configuration store that is modeled after the ASP.NET configuration. IIS configuration is stored in the ApplicationHost.config file and can also be distributed among Web.config files for sites, applications, and directories. Settings configured at one level are inherited automatically by lower levels, unless they have been locked to prevent changes. By default, the server administrator is the only user who has permission to view and edit the ApplicationHost.config file.

    Configuration Levels
    In IIS 7, you can configure settings at the following levels:
    - Web server
    - Site
    - Application
    - Virtual or physical directory
    - URL (also known as file-level configuration)

    NOTE: To configure settings at a child level, a configuration section must be unlocked (also known as delegated) at the parent level or levels. For example, to configure a feature at the application level, the related configuration section or sections must be delegated at both the server and the site levels.



  • DEMO
    =====
    1) Show where the applicationHost.config file is, as well as administration.config, redirection.config, Machine.config and the root Web.config

    Show how we can change the behavior/configuration of the Web Sites, Applications and Directories by creating Web.config files

    Show directory browsing, with the example of a photo album from which I want to download the photos one by one

    Explain what directory browsing is; show Livesysinternal.com
    Explain what is needed for directory browsing to work: it works when the "DirectoryBrowsing" checkbox is enabled and the application has no default page, or the "Enable default content page" option on the Document tab is disabled
    First make sure everything is locked down in IIS
    Verify that I cannot download photos
    Remove the default page via web.config
    Enable directory browsing via the web.config file
    Browse and steal the photos =) I'M A HACKER!!!!
    Point out that later on we will see how to prevent this.

    Show other properties, or at least mention them.
    Anonymous authentication, add…


  • Reduce the memory footprint
    Reduce the attack surface on the server

    The IIS 7 Web server feature set is componentized into more than thirty independent modules.
    A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for your applications. Likewise, all IIS modules can be removed, or replaced with custom modules developed using the new IIS 7 C++ APIs, or the familiar ASP.NET 2.0 APIs.


    In order to add a module to the server, you must perform two steps:
    1.Install a module on the server (native modules only).
    2.Enable the module in an application.

    Module description
    http://learn.iis.net/page.aspx/121/iis-modules-overview/

  • Ways to remove or enable modules
    1- Manually edit the IIS 7 configuration store, either globally to enable the module for all applications on the server, or in a particular web.config file located within each application for which you would like to enable this module. In IIS 7.5 you can use the Configuration Editor.
    2- Use the IIS Manager
    3- Use the AppCmd.exe command line tool:
       Appcmd.exe install module /name:MODULE_NAME /image:PATH_TO_DLL
       Appcmd.exe uninstall module MODULE_NAME
       Appcmd.exe list modules [/app.name:APPLICATION_NAME]
       Appcmd.exe add module /name:MODULE_NAME /type:MGD_TYPE
       Appcmd.exe delete module MODULE_NAME [/app.name:APPLICATION_NAME]

    DEMO
    ====
    1. Show the different modules that are available through the installation wizard, show how there are some of them that have dependencies and are automatically selected

    2. Show the memory footprint when installing all of the modules, show how you can remove modules from the applicationHost.config file and how the memory footprint is reduced

    Remove the corresponding module entry from the <globalModules> configuration list, and the associated entry in the <modules> configuration list. Example entry:
       <add name="MyBasicAuthenticationModule" type="IIS7Demos.BasicAuthenticationModule" />

    3. Show how to include self-developed modules (http://learn.iis.net/page.aspx/170/developing-a-module-using-net/)

    a) A managed module is a .NET class that implements the System.Web.IHttpModule interface. The primary function of this class is to register for one or more events that occur within IIS 7.0 request processing pipeline, and then perform some useful work when IIS 7.0 invokes the module's event handlers for those events.
    b) Compile the module into an assembly, and drop this assembly in the /BIN directory of the application:
       PATH_TO_FX_SDK>csc.exe /out:BasicAuthenticationModule.dll /target:library BasicAuthenticationModule.cs
    c) Add the module via the console, appcmd.exe, or by manually editing applicationhost.config:
       <add name="MyBasicAuthenticationModule" type="IIS7Demos.BasicAuthenticationModule" />
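The install-then-enable split described above means a module can be left in one list and not the other. The following audit is an added example, not code from the presentation: it compares `<globalModules>` with `<modules>` and with a baseline of what the server is meant to run. The sample configuration is constructed and the `REQUIRED` baseline is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment: sample data for this example,
# not a dump from a real server.
APPLICATION_HOST = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
      <add name="WebDAVModule" image="%windir%\System32\inetsrv\webdav.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" />
      <add name="DirectoryListingModule" />
      <add name="CgiModule" />
      <add name="MyBasicAuthenticationModule" type="IIS7Demos.BasicAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
"""

# Hypothetical baseline: the modules this server is supposed to run.
REQUIRED = {"StaticFileModule", "MyBasicAuthenticationModule"}


def module_inventory(host_xml):
    """Split the configuration into installed native modules (name -> image),
    enabled native modules, and enabled managed modules (name -> .NET type)."""
    root = ET.fromstring(host_xml.strip())
    installed, native_enabled, managed_enabled = {}, set(), {}
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            installed[add.get("name")] = add.get("image")
    for section in root.iter("modules"):
        for add in section.findall("add"):
            if add.get("type"):
                # Managed modules carry a type and need no globalModules entry.
                managed_enabled[add.get("name")] = add.get("type")
            else:
                native_enabled.add(add.get("name"))
    return installed, native_enabled, managed_enabled


def audit_modules(host_xml, required):
    """Report inconsistencies between the two lists and drift from the baseline."""
    installed, native_enabled, managed_enabled = module_inventory(host_xml)
    present = set(installed) | native_enabled | set(managed_enabled)
    return {
        # Installed on the server but enabled nowhere: candidates for removal.
        "installed_not_enabled": sorted(set(installed) - native_enabled),
        # Enabled as native but never installed: only one of the two entries was removed.
        "enabled_not_installed": sorted(native_enabled - set(installed)),
        # Present but not required: extra attack surface and memory footprint.
        "not_in_baseline": sorted(present - set(required)),
        # Required but absent from the configuration.
        "baseline_missing": sorted(set(required) - present),
    }


if __name__ == "__main__":
    for finding, names in audit_modules(APPLICATION_HOST, REQUIRED).items():
        print(f"{finding}: {names}")
```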


  • Title: Remote Management Through HTTPS

    Technical staff can enable remote connections, set credentials (Windows or IIS Manager), connection information (IP address, port, SSL certificate, and log requests), and IPv4 address restrictions. Type in the remote connection information, and then click the Allow, Deny, or Delete button to control the access or to remove the remote connection.

    Benefits of Remote Connections

    Talking Points:
    IIS 7.0 contains a feature that lets IT professionals connect to a server, Web site, or application remotely by using HTTPS.

    IIS 7.0 supports secure remote administration over HTTPS, allowing for integrated local, remote, even cross-Internet administration without requiring DCOM ports on the firewall. Using the remote connection features makes it easy for administrators to set up remote connections and to manage remote connections.

    This feature can save IT professionals time because they can access a server, Web site, or application from a remote site or their home. Administrators can download the IIS 7.0 Manager, InetMgr.exe, which allows them to connect remotely. The IIS 7.0 Manager is a standalone remote administration console. If an administrator is working on a computer that does not have IIS7 installed and wants to administer a computer that does have IIS7, the administrator would need to download and install the IIS 7.0 Manager.

    Click the InetMgr.exe icon to launch the tool and the IIS Start Page displays. To connect to a specific server, click the Connect to a server option in the Connect task pane.

    A dialog displays where the administrator enters the name of the server and its IP address, then clicks the Next button. A dialog box is displayed that prompts for credentials; the administrator enters a user name and password and clicks the Finish button to connect to the server and display the IIS Manager Graphical User Interface.

    1 - You can use the interface of your choosing - the interface you’re familiar with, be it IIS Manager, AppCMD, Windows PowerShell. Work the way you want.
    2- You can do that securely and remotely. Whether from your cube or from a remote location, whether managing servers in the data center or in a remote location.
    3 - Give them the spiel about how it works over firewall friendly ports. Tell them it is a secure, easier-to-use alternative to Secure Shell (SSH).
    4 - Combined with the ability to delegate, remote administration features allow customers, developers and site owners to manage their sites remotely.

    Number 4 requires that you cover Delegate before this slide, which you need to do.

    Download the IIS 7.0 Manager tool at:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=32c54c37-7530-4fc0-bd20-177a3e5330b7&displaylang=en

    Remotely Connect to a Web Site or Application for Delegated Administration
    An administrator can delegate authorization to Web site owners or departments which gives the user non-administrator access to a specified Web site or application. In this scenario, the administrator has set up non-administrative delegated authority for a department Web site manager to allow that person to update information on the Web site or to change an application. For information on how an administrator sets up feature delegation, see the Controlling Access with Feature Delegation section.

    The administrator must first install InetMgr.exe on the workstation where the administrator is working. The Web site manager would then follow these steps to access the Web site or application remotely and have access to the IIS 7.0 Manager. The site manager will only have access to the IIS features assigned by the administrator.

    Click the Internet Information Services (IIS) Manager icon on the Windows Server 2008 desktop to display the IIS Start Page.

    To connect to a specific Web site, click the Connect to a site option in the Connect task pane. Enter the name of the Web site, click the Next button. Enter the user name and password on the Provide Credentials window and click the Finish button. The delegated user will be able to access the IIS Manager GUI and perform tasks to update the Web site.

    To connect to a specific application, click the Connect to an application option in the Connect task pane. Enter the name of the server where the application is located and the application name, click the Next button. Enter the user name and password on the Provide Credentials window and click the Finish button. The delegated user will be able to access the IIS Manager GUI and perform tasks to update the application.


    Additional Information:
    Remote Administration for IIS Manager: http://www.iis.net/articles/view.aspx/IIS7/Use-IIS7-Administration-Tools/IIS-Manager-Administration-Tool/Remote-Administration-for-IIS-Manager
  • Title: Controlling Access: Feature Delegation
     
    Talking Points: Controlling Access with Feature Delegation
    IIS 7.0 contains new Feature Delegation support that lets technical staff delegate administrative responsibility. The delegation can be very specific, allowing an administrator to decide exactly which functions to delegate, on an individual basis. This feature might be used by administrators to allow specific access to the site for Web developers providing content on a site or to provide limited management access to a customer or department. Delegated (non-administrative) access can also be set for configuration of individual sites and applications.

    Administrators can allow staff with non-administrator access to connect to a site or application and perform specific actions. The Administrator can set access so the non-administrator can:
    Manage unlocked configuration for their site or application
    View locked configuration settings without being able to modify them
    Add other administrators for their site or application

    Setting Up and Managing Feature Delegation
    Using IIS Manager, administrators can set up feature delegation to control non-administrative access. IIS 7.0 allows locking and unlocking configuration settings in various levels and scopes, which can be used to delegate and control access. Locking down configuration means that it cannot be overridden (or set at all) at lower levels in the hierarchy. Configuration locking is useful when creating different configurations for different sites or paths. Locking can be done at the section level or for specific elements, attributes, collection elements, and collection directives within sections.

    The Feature Delegation dialog box (graphic) displays features in IIS Manager and the delegation state for each feature (Read, Read/Write, or Configuration Read/Write). The administrator selects the desired feature and then chooses one of these options from the Action pane to apply to the feature:
    Read Only: Does not allow modification
    Not Delegated (lock the feature and hide in site and/or application settings): The feature cannot be delegated and is locked
    Reset to Inherited Values: Returns to the default inherited settings
    Reset All Delegation: Resets all delegated features to their non-delegated default settings
    Custom Application Delegation: Displays another window where you can set up delegation for applications

    Benefits of Feature Delegation
    Delegation in IIS 7.0 allows organizations to involve site owners and developers more in specific day-to-day management tasks, thereby reducing the administrative burden for server administrators. Using Feature Delegation can save time for both administrators and the users they support. Because Feature Delegation can be tightly controlled, the administrator can set the access allowed for delegated (non-administrative) users of individual sites and applications. This feature will be especially valuable for hosted or datacenter environments because content update or administration tasks can be delegated to site owners. For example, Feature Delegation could be used to let content developers change the content on their site or to let customers do some of their own site management. This could free developers from having to contact an administrator and wait for a response just to make a minor content change on a Web site, saving costs to Web site support. This would also allow the administrator to perform more critical business tasks.

    Download the IIS Manager for remote administration
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=2299

    Enabling Remote Management
    http://learn.iis.net/page.aspx/158/remote-administration-for-iis-manager/
  • Delegate Feature (LOCK and UNLOCK Features)

    Following the earlier example of the photo hack
    Stop the delegation of the default document or of directory browsing and observe the behavior. Via the console.
    Then show in ApplicationHost.config what Lock and Unlock are and what gets modified (I still don't understand this)
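
    An added example (not part of the original presentation) of what locking and unlocking a feature changes in applicationHost.config: the section's overrideModeDefault in configSections sets the server default, and a location element with overrideMode="Deny" or "Allow" locks or unlocks it for a path. The configuration fragment is constructed, and mapping Deny to "Read Only" and Allow to "Read/Write" follows the Feature Delegation labels described above; inheritance between paths is not modeled.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (assumed values, for illustration).
SAMPLE = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="directoryBrowse" overrideModeDefault="Allow" />
      <section name="handlers" overrideModeDefault="Deny" />
    </sectionGroup>
  </configSections>
  <location path="" overrideMode="Deny">
    <system.webServer><directoryBrowse enabled="false" /></system.webServer>
  </location>
  <location path="Default Web Site" overrideMode="Allow">
    <system.webServer><handlers accessPolicy="Read, Script" /></system.webServer>
  </location>
</configuration>"""

LABEL = {"Allow": "Read/Write", "Deny": "Read Only"}

def section_defaults(root):
    """Map 'group/section' to its overrideModeDefault from <configSections>."""
    out = {}
    def walk(node, prefix):
        for child in node:
            name = prefix + child.get("name", "")
            if child.tag == "sectionGroup":
                walk(child, name + "/")
            elif child.tag == "section":
                out[name] = child.get("overrideModeDefault", "Allow")
    walk(root.find("configSections"), "")
    return out

def delegation_report(xml_text):
    """Return {(path, section): 'Read/Write' | 'Read Only'} for explicit settings."""
    root = ET.fromstring(xml_text)
    defaults = section_defaults(root)
    report = {("", s): LABEL[m] for s, m in defaults.items()}  # server defaults
    def walk(node, prefix, path, mode):
        for child in node:
            name = prefix + child.tag
            if name in defaults:          # reached a declared section
                report[(path, name)] = LABEL[mode]
            else:                         # still inside a section group
                walk(child, name + "/", path, mode)
    for loc in root.findall("location"):
        mode = loc.get("overrideMode", "Inherit")
        if mode in LABEL:                 # "Inherit" leaves the default in place
            walk(loc, "", loc.get("path", ""), mode)
    return report
```

    Running delegation_report against a copy of the real file lists which sections a site owner's web.config may override, which is the state to review before delegating a site.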

  • Title: Automatic Failed Request Tracing

     
    Talking Points:
    The new Automatic Failed Request Tracing technology allows technical professionals to define error conditions which, when triggered, write detailed error information to log files. Failed Request Tracing is particularly useful in tracing intermittent or complex problems. In IIS 7.0, it is even possible to add tracing to custom modules. Error conditions can range from “slow” or “hung” requests, to the familiar status codes IIS sends back during error conditions, such as “Server 500 Error.” When configured, if IIS 7.0 detects one of these error conditions, it will automatically log detailed trace events of everything that happened during the request that led up to the error. This is called Failed Request Tracing.
    How Failed Request Tracing Works
    The tracing infrastructure in IIS 7.0 is very flexible. Both trace event providers and trace event consumers are simply modules, so it is easy to select which modules to use. For example, the technical professional could use Event Tracing for Windows (ETW) or Failed Request Tracing, which is the automatic failed request tracing infrastructure in IIS 7.0. In addition to choosing one of these existing modules, it is easy to create both consumer and provider modules and to plug them into the tracing infrastructure. This allows technical staff to use their own providers and consumers in any place that normally uses the built-in providers and consumers.
    Example: The technical professional uses the IIS Manager console to define a trace condition, such as a "404 File Not Found" error that may occur as a result of a request. This request is written to the Trace Configuration file. When the Web server processes a request, the pipeline modules read the trace configuration information for that provider. Then, when an event that matches the tracing configuration occurs, such as the "404 File Not Found" error defined earlier, the pipeline module raises a trace event. The trace event is then delivered back to the source consumer module that registered the trace event. That consumer module is responsible for doing something with that event, such as writing it to a log file.
    To set up a failed request tracing rule in IIS 7.0, do the following:
    In the IIS section of the Features View, click the Failed Request Tracing Rules icon. The Define Trace Conditions dialog box displays.

    In the Add Failed Request Tracing Rule dialog box, click an item in the list to indicate what you want to trace. Valid selections are: all content, ASP.NET (*.aspx), ASP (*.asp) or Custom (where you can enter a name such as tr*.aspx.) Click Next to display the next dialog box.
    In the Define Trace Conditions dialog box, indicate the conditions under which a request should be traced. You can enter a status code, time taken, and severity. When the trace information has been set, click Finish to complete the trace rule. Whenever a failed request meets the criteria you established, it will be traced.
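
    An added example (not part of the original presentation) that models how the rules created by these dialog boxes select requests: each rule pairs a content path with failure conditions, and a request qualifies when its status code is listed or its time taken reaches the limit. The tracing section and the requests are constructed; treating the conditions as alternatives and ignoring precedence between overlapping rules are simplifying assumptions of this model.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed <tracing> section as stored under <system.webServer> (assumed values).
SAMPLE_RULES = """<tracing>
  <traceFailedRequests>
    <add path="*.aspx">
      <traceAreas><add provider="ASPNET" areas="Page" verbosity="Verbose" /></traceAreas>
      <failureDefinitions statusCodes="401.2,404.2,500-599" timeTaken="00:00:10" />
    </add>
    <add path="*">
      <traceAreas><add provider="WWW Server" areas="Security" verbosity="Warning" /></traceAreas>
      <failureDefinitions statusCodes="404" />
    </add>
  </traceFailedRequests>
</tracing>"""

def parse_rules(xml_text):
    """Read each rule's content path, status code list and time limit."""
    rules = []
    for add in ET.fromstring(xml_text).findall("traceFailedRequests/add"):
        fd = add.find("failureDefinitions")
        h, m, s = (int(p) for p in fd.get("timeTaken", "0:0:0").split(":"))
        rules.append({"path": add.get("path"),
                      "codes": [c.strip() for c in fd.get("statusCodes", "").split(",") if c.strip()],
                      "max_seconds": h * 3600 + m * 60 + s})  # 0 = no time condition
    return rules

def status_matches(spec, status, substatus):
    """spec is a range '500-599', a status with substatus '401.2', or a bare '404'."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= status <= hi
    if "." in spec:
        return spec == f"{status}.{substatus}"
    return int(spec) == status

def matching_rules(rules, url_path, status, substatus, seconds):
    """Return the content paths of every rule whose conditions the request meets."""
    name = url_path.rsplit("/", 1)[-1].lower()
    hits = []
    for r in rules:
        if not fnmatch.fnmatch(name, r["path"].lower()):
            continue
        by_status = any(status_matches(c, status, substatus) for c in r["codes"])
        by_time = r["max_seconds"] > 0 and seconds >= r["max_seconds"]
        if by_status or by_time:
            hits.append(r["path"])
    return hits
```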

    Benefits of Using Failed Request Tracing
    Large datacenters and hosting providers will appreciate the productivity gains from the new Automatic Failed Request Tracing capabilities of IIS 7.0. It is no longer necessary for administrators to spend time trying to reproduce problems that are complex, occur intermittently, or occur only under certain circumstances. Once Failed Request Tracing is configured, it will automatically track the defined condition. Furthermore, it is not necessary to turn Automatic Failed Request Tracing on for every Web site and every URL on a server. Not only does failed request tracing reduce the amount of tracing information that could be logged, but it also ensures that this powerful feature has as little performance impact as possible on the server.
    With the small impact on performance and the significant gain in information retrieved by the Failed Request Trace, it is feasible to turn it on for newly deployed sites or as a means of verifying that sites are running error-free. Using Failed Request Tracing in IIS 7.0 helps pinpoint the cause of failures so that resolving the issue is quicker and easier.


    Additional Information:
    Troubleshooting Failed Requests Using Tracing in IIS7: http://learn.iis.net/page.aspx/99/troubleshooting-a-web-server-error/


  • Example with the

    401.2 = I have to disable Anonymous Authentication on fotovision40
    404.2 = I have to disable the .NET 4.0 ISAPI (running in classic mode) via “ISAPI and restrictions”
  • With the release of IIS 7.0 in Windows Server 2008, IIS adopted a more modular architecture and a new extensibility model.

    This architecture means that you can choose which modules are installed to customize and streamline your Web server. In addition, new and custom modules can be added on top of those already available with IIS 7.0. The extensibility APIs are published on www.iis.net to allow developers to add or replace modules on the server with those they write themselves, and these same APIs are used by the IIS team in Microsoft to release Extensions for IIS that deliver further functionality and features.

    There have been many Extensions made available for IIS since the release of Windows Server 2008, and many of these are integrated right out of the box in Windows Server 2008 R2. These Extensions are in addition to further enhancements made to the underlying IIS technology. The IIS team will continue to release Extensions that can be installed on top of IIS in Windows Server 2008 R2 to ensure new innovations are made available on an ongoing basis.


  • http://www.iis.net/download/all