I’ve recently started my own virtual infrastructure by renting some dedicated servers in the UK. One of those servers will run my soon to be re-developed ProcessWorks website, which will expand on the articles I write via this blog, but also include training material, downloads, one or two useful public web services and the details of a secret product still in development. But enough of the advertisement.
The other machine is my development server, which now hosts a full-on Microsoft development environment. As Microsoft is clearly a commercial entity and a proportion of non-Microsofters tend to moan about the fact you have to actually pay for enterprise software, this might surprise you. I managed to kit out my new virtual development server for the high price tag of… FREE… and with the following specification:
- .NET 4 Development Framework
- SQL Server 2008 R2 Web (includes database engine, reporting services, notification services etc) – Much more than Express edition.
- Visual Studio Professional 2010
- SharePoint Foundation 2010
- Microsoft Expression Studio 4 Premium (includes Expression Web, Encoder, Design and Blend)
- BizTalk Server 2010 Developer Edition
In my case I already had Windows 2008 R2 Standard installed with the Web Server and Application Server roles turned on (but I’ll get to how you can download Windows Server 2008 R2 for free also).
This was all made possible via Microsoft’s continuing support of new start businesses and developers. BizTalk 2010 is available as a free full featured download for developers through this link. This is an amazing integration and process server and if you wish to learn BizTalk, this is what you need. The installer takes care of downloading the pre-requisites or allows you to load a pre-req .cab file and away you go. There is plenty of training material for BizTalk available from Microsoft. The rest of the software listed above was obtained via one of Microsoft’s ‘Spark’ programs.
- BizSpark is aimed at new small businesses and offers Microsoft software for free via their MSDN download portal. This is clearly a move to seed more expensive Microsoft infrastructures as companies expand, but it’s free and you can always decide to get smart and replace it with free technology.
- DreamSpark is aimed at students, giving them access to software they can use to aid study. Provided you can prove you are a student, you get access to software such as Visual Studio 2010 Ultimate, Expression Studio 4 Premium, XBox SDK, SQL Server 2008 R2 and operating systems such as Windows Server 2012 / 2008 R2. A pretty neat deal.
- WebSiteSpark is aimed at small web development companies, like ProcessWorks. I have created a couple of ASP.NET web sites for clients and the software that has been made available has been so very useful. You simply sign in with your MSN/Hotmail credentials, provide the name of your company and the address and then you are registered and have access to the Microsoft partner portal / MSDN downloads. You are granted several licence keys for much the same product set as is given to students via DreamSpark. You are also given access to a free set of ASP.NET UI controls from a third party company and get a 1400 dollar voucher for using Microsoft’s Azure cloud service to deploy your applications (this is not a pre-requisite to signing up however).
So, in my case, I have a small company so I went with WebsiteSpark (for the choice of software I wanted). Unfortunately these support programs are not open to everyone; however, if you are a student, small start-up or a one man ltd company, you can get access to what would normally be very expensive software, for free.
I’ve been setting up a new Windows 2008 R2 Server today and configuring the Web Server role. I had an unanswered question or two so went about ‘googling’ for some clarification. Forgetting that I’d set my local Evernote content to be shown as part of google searches, I found some of the answers from some reasonably old notes I’d made when Win Server 2008 R2 was first released. With these notes on screen and the fact that it’s Friday night and I’m thinking about beer more than posting a new article, I thought I’d take some of the usable content (minus my drivel and spelling errors) from the notes and post them up here. A little random, but hopefully some use in illustrating the evolution of the most recent editions of Internet Information Services.
IIS Feature History (Recent – since 6.0)
IIS 6.0 – Included with Win Server 2003 / Windows XP Pro
- Introduced application pools. These are boundaries that exist to separate sets of applications / sites from each other. They have their own security context.
- Introduced worker processes (w3wp.exe), of which there can be many associated with an application pool. The w3wp.exe process is created when traffic is received and is not resident all of the time.
- Introduced the HTTP.sys as the protocol listener for HTTP/S, which listens for HTTP requests on the network and hands them to the application pool queues
- Removed the Winsock (Windows Sockets API) component which was previously used to listen and transfer HTTP requests
- Security Account – IUSR_NameOfServer / Group – IIS_WPG
- WWWService managed the application pools and worker processes
- Used the ‘metabase’ for server / site level configuration
IIS 7.0 – Included with Win Server 2008 / Windows Vista
- Complete re-write
- New modular design to reduce attack surface (feature modules must be turned on before use)
- Hierarchical configuration
- Greater .NET support
- Security Account – IUSR / Group – IIS_IUSRS (no server name used now so easier to migrate)
- IIS_IUSRS group has access to wwwroot by default, meaning that access is open to anonymous users accessing wwwroot. In order to restrict access to a certain folder of the web service, you must remove NTFS permissions from the IIS_IUSRS group.
- You can create your own protocol listeners in WCF (which listen out for certain protocols)
- WAS (Windows Process Activation Service… named as it activates/creates Windows processes) now takes care of managing application pools and worker processes (WWW Service is now used to manage performance tokens). A protocol listener will pick up a request and ask WAS to determine whether an application pool and worker process is available. If there is no worker process available in the application pool, WAS will start (activate) a new one.
- Introduced the applicationHost.config XML configuration file in place of the ‘metabase’ (similar idea to having a machine.config for .NET applications). It contains the configuration/definitions of all sites, applications, application pools and global settings. It also contains the location of custom ‘modules’ written in .NET that you can implement in IIS and the native modules that ship with IIS. The config file is found in %winDir%\system32\inetsrv\config
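To see where the IIS_IUSRS default described above actually applies on a server, the following added example (not part of the original notes) lists every NTFS rule under a web root that grants access to IIS_IUSRS or IUSR. The function name and the default path are assumptions; point `-Path` at the folder you want to check.

```powershell
# Added example: list NTFS "Allow" rules held by the IIS anonymous identities
# under a web root. Function name and default path are assumptions.
# Requires PowerShell 3.0 or later.
function Get-IisAnonymousAccess {
    param(
        [string]$Path = "$env:SystemDrive\inetpub\wwwroot",
        [string[]]$Identity = @('IIS_IUSRS', 'IUSR')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Path not found: $Path"
        return
    }
    # The root itself plus every sub-folder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse)
    foreach ($folder in $folders) {
        foreach ($rule in (Get-Acl -LiteralPath $folder.FullName).Access) {
            # IdentityReference looks like 'BUILTIN\IIS_IUSRS' or 'NT AUTHORITY\IUSR'.
            $account = ($rule.IdentityReference.Value -split '\\')[-1]
            if ($rule.AccessControlType -eq 'Allow' -and $Identity -contains $account) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    Account   = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Inherited = False marks a grant set on that folder itself; inherited grants
# are changed on the parent or by breaking inheritance on the folder.
Get-IisAnonymousAccess | Sort-Object Folder | Format-Table -AutoSize
```

A folder that should not be readable anonymously should not appear in this output at all once its permissions have been tightened.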
IIS 7.5 – Included with Win Server 2008 R2 / Windows 7
- Powershell support added
- Improved WebDAV and FTP modules
- New management tools
- Configuration file logging. Enables auditing of access to config files.
- Hostable web core. This means the core web components can be hosted by other applications, meaning applications can accept and process HTTP requests.
IIS HTTP request handling
Request processing follows a similar model in IIS6/7/7.5. The below shows the processing model for HTTP requests. If another protocol was being used, the listener would be different but the processing would be the same.
- When a client browser initiates an HTTP request for a resource on the Web server, HTTP.sys intercepts the request.
- HTTP.sys contacts WAS to obtain information from the configuration store.
- WAS requests configuration information from the configuration store, applicationHost.config.
- The WWW Service receives configuration information, such as application pool and site configuration.
- The WWW Service uses the configuration information to configure HTTP.sys.
- WAS starts a worker process (w3wp.exe) for the application pool to which the request was made if one is not already available.
- The worker process processes the request by running through an ordered list of events that call different native and custom ‘managed’ modules (custom .NET assemblies designed to process web traffic)
- The worker process executes the server side logic in the context of the user identity configured in the application pool and then returns a response to HTTP.sys.
- The client receives a response.
IIS Server Modules
Unlike IIS 6.0, IIS 7.0 introduced a core web server engine (below in blue) that can have modules (functionality) added or removed from it. These modules are used by the core web engine to process requests. You can add or remove the native modules or create your own custom modules. This module based approach is more secure than IIS 6.0 because it reduces the attack surface and memory consumption footprint by letting you choose which modules to activate. It also makes the web server extensible in the form of custom managed modules (.dlls). The module types are:
- Native modules – These ship with IIS and can be found in the %winDir%\system32\inetsrv folder of the server. e.g. Cachhttp.dll is the http cache module.
- Managed modules – These are .NET based modules that come with the .NET framework and plug into the engine. e.g. System.Web.Security.UrlAuthorizationModule. You can create your own custom managed modules using the .NET Framework SDK.
The below image shows the ordering of events that a worker process carries out to process a request. It shows the modules that are invoked by the worker process. First native modules are called, then CLR hosted ‘managed’ modules in the form of .NET assemblies installed to the server and registered in the applicationHost.config file.
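Because applicationHost.config records both the application pool identities and the native modules the worker process will load, it can be read directly as an inventory of the server's attack surface. The script below is an added example, not part of the original notes: the XML is a constructed, trimmed sample, the function name is an assumption, and the two "Review" rules (a pool running as LocalSystem, a native module image outside the inetsrv folder) are this example's own choices.

```powershell
# Added example (not from the original notes). $sample is a constructed,
# trimmed applicationHost.config; 'LegacyPool' and 'ExampleModule' are made up.
$sample = [xml]@'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="LegacyPool"><processModel identityType="LocalSystem" /></add>
      <applicationPoolDefaults>
        <processModel identityType="ApplicationPoolIdentity" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="ExampleModule" image="C:\Temp\example.dll" />
    </globalModules>
  </system.webServer>
</configuration>
'@

function Get-IisConfigInventory {
    param([xml]$Config)
    $pools = '/configuration/system.applicationHost/applicationPools'
    # Pools without their own <processModel> inherit applicationPoolDefaults.
    $default = $Config.SelectSingleNode("$pools/applicationPoolDefaults/processModel/@identityType")
    foreach ($pool in $Config.SelectNodes("$pools/add")) {
        $own = $pool.SelectSingleNode('processModel/@identityType')
        $identity = if ($own) { $own.Value } elseif ($default) { $default.Value } else { '(schema default)' }
        [pscustomobject]@{ Kind = 'AppPool'; Name = $pool.GetAttribute('name')
                           Detail = $identity; Review = ($identity -eq 'LocalSystem') }
    }
    # Native modules that ship with IIS live under %windir%\System32\inetsrv.
    $inetsrv = [Environment]::ExpandEnvironmentVariables('%windir%\System32\inetsrv\')
    foreach ($mod in $Config.SelectNodes('/configuration/system.webServer/globalModules/add')) {
        $image = [Environment]::ExpandEnvironmentVariables($mod.GetAttribute('image'))
        [pscustomobject]@{ Kind = 'NativeModule'; Name = $mod.GetAttribute('name')
                           Detail = $image
                           Review = -not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase) }
    }
}

# With the sample above, LegacyPool and ExampleModule come back with Review = True.
Get-IisConfigInventory -Config $sample | Format-Table -AutoSize
```

On a real server, pass `([xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"))` instead of `$sample`. A flagged row is a prompt to check what the entry is, since legitimately installed components can also register images outside inetsrv.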