Web Server

oklahomaflockSecurity

Nov 3, 2013

Contents

Web Server ... 1
IIS and its supporting structures (IIS 7.0) ... 3
The architecture ... 3
Preliminary: Windows Services application ... 3
Structural description of the system components ... 4
Protocol Listeners ... 4
Protocol Listeners and Listener Adapter ... 5
Lab ... 5
WAS: the components ... 6
Configuration Manager (WAS component) ... 6
Listener Adapter Interface (WAS component) ... 6
Process Manager (WAS component) ... 7
Application Pool ... 7
Lab ... 10
IIS Worker Process host (w3wp.exe) and Application pools ... 12
Lab ... 13
Application Domains ... 14
Application manager ... 14
AppDomains and AppPool ... 15
Preliminary: Protocol Handler ... 17
Process Protocol Handler ... 17
Functional descriptions of the system ... 17
The structures needed to implement Http Request Processing ... 17
Description of the Http Protocol Listener ... 17
Description of the Windows Process Activation Service (WAS) and its components ... 19
HTTP services ... 21
HTTP Request Processing ... 21
Functional description of the Protocol Listeners ... 23
Functional description of WAS ... 23
Windows Process Activation Service (http - tcp - pipe - msmq) ... 23
Lab ... 27
HTTP Listener Adapter Service ... 27
Architectural description of a Worker Process (w3wp.exe) ... 28
Non-Http request processing ... 30
Listener Adapter Interface (WAS component) ... 30
Configuration Manager ... 32
Listener Adapters ... 32
Lab ... 35
How Listeners Know to Listen ... 36
Sharing Windows Service (smsvchost.exe) ... 36
Lab ... 38
Generic IIS Worker process Hosting (w3wp.exe) ... 40
Lab ... 41
Application pool ... 41
SID ... 42
Process Model Settings for an Application Pool ... 44
IIS configuration file ... 46
Windows Communication Foundation (WCF) architecture ... 46
Associating with a ServiceHost ... 47
Extending WAS to WCF services ... 47
WCF networking services ... 51
Lab ... 51
Summary ... 52
Service Endpoints ... 52
The Pipeline ... 52
Managed Modules ... 52
Lab ... 52
HTTPPipeline ... 53
Endpoints ... 54
ASP (Active Server Pages) ... 54
The role of the execute handler in the server pipeline ... 57
Full sequence of Server Pipeline events in response to a client request ... 57
Integrated Pipeline Mode versus Classic Pipeline Mode ... 59
Tools For Tracing ... 60
Code ... 61
Forms authentication ... 61
Types of authentication implemented in the server pipeline ... 61
The Scope of Forms Authentication ... 62
Delegating security: an example with web.config ... 64
Lab ... 102


IIS and its supporting structures (IIS 7.0)

The architecture

Preliminary: Windows Services application

http://www.developerfusion.com/article/3441/creating-a-windows-service-in-vbnet/2/

What is Windows Service

Previously called an NT service, the core function of a Windows service is to run an application in the background. There are a few things that make them different from a Windows application. A Windows service starts well before any user logs in to the system (if it has been set up to start at boot). A Windows service can also be set up in such a way that it requires a user to start it manually: the ultimate customization!

Windows services have their own processes, and hence run very efficiently. Normally a Windows service will not have a user interface, for the simple reason that it can be run even if no one is logged into the system, but this is not a rule -- you can still have a Windows service with a user interface.


Structural description of the system components

Protocol Listeners

A protocol listener is a software routine that listens on a predefined communication channel (and port), and passes transmitted data (called messages) to and from the participating server service and the communicating client. IIS 7 includes five default protocol listeners: Http.sys, Net.tcp, Net.pipe, Net.p2p and Net.msmq; additional custom listeners can be created and used. IIS 6 had only one: Http.sys. The other, new protocol listeners support Microsoft's Windows Communication Foundation web services. With the exception of Http.sys, the other listeners require the .NET Framework and the Windows Process Activation Service (WAS), which runs in the same Svchost process as the WWW service. However, protocol listeners can be implemented using WAS and do not require IIS.

Each listener runs in kernel mode, directly interacting with the operating system. Microsoft has thoroughly tested each protocol listener for security vulnerabilities, trying their best to ensure they are not susceptible to buffer overflows and other common security mistakes. Although finding every security vulnerability is almost impossible, Microsoft successfully defended IIS 6's Http.sys against every attacker for over 4 years, so they have a leading example to follow.

Protocol listeners can be activated in an XML configuration file called ApplicationHost.config. To minimize possible attack vectors, only the protocol listeners needed should be activated. The following sections summarize each protocol listener.

Net.TCP

Net.Tcp is a protocol listener supporting a new feature called Net.TCP Port Sharing, a part of the Windows Communication Foundation (WCF). Like Http.sys, it allows multiple applications to share a single TCP network port. Http.sys relies on the HTTP protocol, whereas Net.Tcp can be used with any protocol over any TCP port, and with any application. Not enabled by default, the Net.Tcp Port Sharing service accepts inbound connections using the net.tcp protocol and forwards them to their destination application. URLs utilizing Net.Tcp will look something like net.tcp://x.x.x.x/default.aspx, and will always use the TCP protocol. The Net.Tcp Port Sharing Service must be started for this protocol listener to work. The Net.Tcp Listener Adapter service must be enabled for the Net.Tcp listener to be able to forward to WAS.

Net.P2P

Peer-to-Peer (P2P) services were originally added to Windows XP Pro SP1 and later Windows operating systems. Windows Vista offers new native P2P services and networking transports. The Net.P2P protocol listener can be used by clients through the URL moniker for the Net.P2P protocol listener, net.p2p:// (for more information, see http://www.msdn2.microsoft.com/en-gb/library/system.servicemodel.netpeertcpbinding.scheme.aspx).

Net.MSMQ

The Net.MSMQ protocol listener is useful for advanced applications requiring message queuing. Microsoft Windows includes a robust message queue handling service, which helps triage large amounts of incoming data and ensure the completeness of complex transactions. Developers can create their own custom message queuing protocol listeners as well. Custom MSMQ protocol listeners normally have the name msmq.<customname>. The URL moniker for the Net.Msmq protocol listener is net.msmq://. The Net.Msmq Listener Adapter service must be started in order for the Net.MSMQ protocol listener or any custom msmq listeners to be able to pass traffic to WAS.
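As an added example (PowerShell, not code from the original notes), the following script audits the point made above about ApplicationHost.config: it reads which listener adapters are registered and which protocols each application actually enables, and flags anything beyond http for review. It assumes the IIS 7.x applicationHost.config layout and the standard service names behind the built-in adapters; the embedded sample config is constructed for an offline dry run and its identities are placeholders.

```powershell
# Added example, not from the original notes. Reads the (listener; adapter) pairs
# registered in applicationHost.config and the enabledProtocols of every
# <application>, then flags anything beyond http for review, since only the
# listeners actually needed should stay active.
# Assumptions: IIS 7.x applicationHost.config layout; standard service names
# behind the built-in adapters. Run elevated on the server to read the real file.

# Windows service behind each built-in listener adapter (assumed standard names).
$AdapterService = @{
    'http'     = 'W3SVC'
    'net.tcp'  = 'NetTcpActivator'
    'net.pipe' = 'NetPipeActivator'
    'net.msmq' = 'NetMsmqActivator'
}

function Get-IisProtocolSurface {
    param(
        [string]$ConfigPath = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config')
    )
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $appHost = $cfg.configuration.'system.applicationHost'

    # 1. Listener adapters WAS will talk to (section <listenerAdapters>).
    $adapters = foreach ($add in @($appHost.listenerAdapters.add)) {
        if (-not $add) { continue }
        $svcName = $AdapterService[$add.name]
        $state = 'custom adapter, no known service'
        if ($svcName) {
            $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
            $state = if ($svc) { "$svcName is $($svc.Status)" } else { "$svcName not installed" }
        }
        [pscustomobject]@{ Adapter = $add.name; ServiceState = $state }
    }

    # 2. Protocols enabled per application. A missing attribute falls back to the
    #    sites/applicationDefaults value, which itself defaults to "http".
    $defaultProtocols = $appHost.sites.applicationDefaults.enabledProtocols
    if (-not $defaultProtocols) { $defaultProtocols = 'http' }

    $apps = foreach ($site in @($appHost.sites.site)) {
        if (-not $site) { continue }
        foreach ($app in @($site.application)) {
            if (-not $app) { continue }
            $raw = if ($app.enabledProtocols) { $app.enabledProtocols } else { $defaultProtocols }
            $protocols = @($raw.Split(',') | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
            $nonHttp   = @($protocols | Where-Object { $_ -ne 'http' })
            [pscustomobject]@{
                Site        = $site.name
                Application = $app.path
                AppPool     = $app.applicationPool
                Protocols   = ($protocols -join ',')
                NeedsReview = ($nonHttp.Count -gt 0)
            }
        }
    }
    [pscustomobject]@{ Adapters = @($adapters); Applications = @($apps) }
}

# Constructed sample (not a real server's file) for an offline dry run; the
# identity SIDs are placeholders.
$sampleConfig = @'
<configuration>
  <system.applicationHost>
    <listenerAdapters>
      <add name="http" />
      <add name="net.tcp" identity="S-1-5-80-PLACEHOLDER" />
      <add name="net.pipe" identity="S-1-5-80-PLACEHOLDER" />
    </listenerAdapters>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/" applicationPool="DefaultAppPool" />
        <application path="/Laboratorio01" applicationPool="Lab01Pool"
                     enabledProtocols="http,net.tcp" />
      </site>
      <applicationDefaults enabledProtocols="http" />
    </sites>
  </system.applicationHost>
</configuration>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'applicationHost.sample.config'
Set-Content -LiteralPath $tmp -Value $sampleConfig -Encoding UTF8

$result = Get-IisProtocolSurface -ConfigPath $tmp
$result.Adapters     | Format-Table -AutoSize
$result.Applications | Format-Table -AutoSize
# In the sample, net.tcp and net.pipe adapters are registered but only /Laboratorio01
# enables net.tcp; net.pipe serves no application and is a candidate to remove.

# On the real server: Get-IisProtocolSurface (no argument) reads the live file.
```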


-- http://msdn.microsoft.com/en-us/magazine/cc163357.aspx

The protocol listeners are in charge of opening the actual transport and dispatching the connection to the application domain running the service. These protocol listeners are Windows NT services.


Protocol Listeners and Listener Adapter

Protocol Listeners are programs which, as the name suggests, have the task of waiting for and "listening" to activation requests for the IIS service.

Each Protocol Listener responds to specific requests according to the type of protocol it is responsible for. In the broader model (Windows Communication Foundation) they are:

- HTTP
- TCP
- P2P
- MSMQ

In this model each Protocol Listener is associated with a suitable Listener Adapter (see below). The Listener Adapter sits between the Protocol Listener and the structures that are activated afterwards, so in this kind of architecture there are pairs of the form (Protocol Listener; Listener Adapter). Each Listener Adapter can be suitably configured by the Protocol Listener it belongs to.

A listener adapter manages the communication between the corresponding protocol listener and the WAS service (see below), using a common set of APIs. Protocol listener and protocol adapter can be integrated into a single component, as is in fact the case for the protocols provided by WCF (see below).

Lab




WAS: the components

Configuration Manager (WAS component)

The configuration manager is responsible for reading the configuration information from the ApplicationHost.config configuration file.

It reads information from the applicationHost.config file and passes it to the listener adapters.

When WAS is instantiated, it first reads the configuration data from the ApplicationHost.config configuration file. Once the configuration information is read, it interacts with the configured protocol listener adapters to pass to them the needed configuration information. Protocol listener adapters function as the glue between the WAS and the protocol listeners. For instance, the WAS passes the configuration information into the WWW Service, the http.sys protocol listener adapter, which in turn configures http.sys to start listening for HTTP requests.

Listener Adapter Interface (WAS component)

Once a new request comes in, the specific protocol listener communicates the request to the WAS through the listener adapter interface, so that the request gets processed. Once a response is ready for the request, WAS passes the response back to the protocol listener responsible for delivering the response back to the client. Again, WAS uses the listener adapter interface for the incoming and outgoing communication with the protocol listeners.

listener adapter interface

The last component of the WAS is the unmanaged listener adapter interface. This layer inside the WAS defines how the external listeners communicate the requests they receive into the WAS in order to have them processed by the web server.

The w3svc service owns the communication with the kernel-level http.sys and communicates HTTP activation requests to WAS across the listener adapter interface.


Process Manager (WAS component)

The process manager maps application pools (see below) to existing worker processes and is the one responsible for spawning new instances of the IIS Worker Process (w3wp) to host new application pools in response to activation requests.

So we have the following relationship (process manager - worker process - application pool - configuration manager - protocol listeners):

The process manager is responsible for managing the application pools and worker processes for both HTTP and non-HTTP requests. It manages the state of the application pool by stopping, starting, and recycling it. In addition, when WAS receives a new request from one of the configured protocol listeners, it determines to which application the request belongs. It then checks with the configuration manager for the application pool of the application that the current request belongs to. Once the application pool is determined, it checks to see if there is any worker process currently active. If it finds one, it sends the request to the application pool to be processed by the worker process. If there is no worker process active inside the application pool, WAS instantiates a new one to process the current and upcoming requests.


Application Pool

A worker process in IIS 6 is a process wherein user-developed Web application code runs. A worker process is actually a host process, called w3wp.exe. Worker processes process the user requests received from the http.sys queues. The worker processes also return a static page or dynamic page to the requesting client through http.sys. A worker process can host the following:

- ASP applications
- ISAPI applications and filters
- CGI applications
- Static content

An application pool consists of the following components:

- A kernel mode http.sys request queue
- A single instance or multiple instances of w3wp.exe worker processes.

In IIS 6, applications can run in different configurations:

- An application pool has one worker process that hosts a single Web application, which in turn is isolated from other applications through process boundaries.
- An application pool has one worker process hosting two or more Web applications.
- An application pool has multiple worker processes hosting multiple Web applications. This configuration concept is called a Web garden and is a new IIS feature.

Application Pool (motivation):

This is one of the most important things that you should create for your own application in a Production environment. Application pools are used to separate sets of IIS worker processes that share the same configuration. Application pools enable us to isolate our web application for better security, reliability, and availability. The worker process serves as the process boundary that separates each application pool so that when one worker process or application is having an issue or recycles, other applications or worker processes are not affected.


What is an Application Pool

An application pool provides you with a way of isolating Web sites from each other even though they are being hosted on a common server. Each application pool is given its own set of server resources. That way, if a Web site crashes, it won't affect sites in other application pools. A classic example of this is a Web site with a memory leak. If all of the Web sites hosted on a particular server were to share system resources, and one of the Web sites had a memory leak, it could potentially take memory away from the other hosted sites. If the leaky site were in its own application pool though, the memory leak would not affect any other site because each application pool has its own server resources (including memory).

The application pool is the container of the worker process.

Application pools are used to separate sets of IIS worker processes that share the same configuration.

Application pools enable better security, reliability, and availability for any web application.

The worker process serves as the process boundary that separates each application pool so that when one worker process or application is having an issue or recycles, other applications or worker processes are not affected. This makes sure that a particular web application does not impact other web applications, as they are configured into different application pools.

--

Application Pools

An application pool corresponds to one request queue within HTTP.SYS and the one or more worker processes that process these requests.

IIS Application Pool

An Internet Information Services (IIS) application pool is a grouping of URLs that is routed to one or more worker processes. Because application pools define a set of Web applications that share one or more worker processes, they provide a convenient way to administer a set of Web sites and applications and their corresponding worker processes. Process boundaries separate each worker process; therefore, a Web site or application in one application pool will not be affected by application problems in other application pools. Application pools significantly increase both the reliability and manageability of a Web infrastructure.

Figure: Application Pool With Worker Process On IIS Server

In your IIS there may be more Web sites hosted, and by creating an Application Pool you can assign a separate worker process to your application. I have already discussed how you can assign an Application Pool to your web application.

An Application Pool with multiple worker processes is called a "Web Garden".

Identify Worker Process in IIS 7.0

Problems start when you have multiple worker processes running on IIS.

If you have multiple sites hosted on IIS and each site has its own application pool, then you will see the list of all worker processes in the Process Attach window.

From IIS 7.0 you need to run the IIS command tool (appcmd):

Start > Run > Cmd

Go to Windows > System32 > Inetsrv

Run appcmd list wp

This will show you the list of worker processes that are running on IIS 7.0.

--

Lab

Test for identifying the application pool:

I add an application pool and observe how the number of instances of the IIS Worker Process host process changes:

We launch the applications and consequently obtain two distinct IIS worker process hosts, each instantiated for its own application pool:

It can be verified that further requests for Laboratorio01 or Laboratorio02 do not cause further IIS worker process host processes to be instantiated (that is, the creation of a "web garden" was not observed).

Both IIS worker process hosts terminate after a given interval of time: their subsequent absence from the process list can therefore be observed.

IIS Worker Process host (w3wp.exe) and Application pools

What is Worker Process?

Worker Process (w3wp.exe) runs the ASP.Net application in IIS. All the ASP.Net functionality runs under the scope of the worker process.

When a request comes to the server from a client, the worker process is responsible for generating the request and response. It also maintains the InProc session data. If we recycle the worker process we will lose the state of the worker process.

For more information read this article: A low-level Look at the ASP.NET Architecture

The w3wp.exe is an IIS Worker Process. The Worker Process hosts the Web applications (see the preliminary section on Windows Services application).


Example of using Application Hardening to secure Internet Information Services 6.0:

IIS 6.0 consists of two relevant processes: inetinfo.exe and w3wp.exe. inetinfo.exe is a common process for many network services offered by IIS, and w3wp.exe is a specialized process handling just the WWW service.

Both processes are handling data from potentially insecure sources, so the Application Hardening defenses should be enabled for both of them. That can be achieved by creating one rule for inetinfo.exe, another for w3wp.exe, and enabling all three defenses for both rules.

By enabling all three defenses, the inetinfo.exe and w3wp.exe processes will not be allowed to spawn other executables, modify executable files, or modify OS sensitive areas. As a result, hackers or worms deploying these exploitation techniques will be stopped.

Application Hardening also allows flexible definition of exceptions for situations when the protected process has a legitimate need to perform actions disallowed by the defenses. In the case of IIS, that can happen most likely in two situations:

1. Let's assume that IIS is also hosting a web application written in the Perl programming language. In order to process the web pages written in Perl, the w3wp.exe process needs the ability to spawn perl.exe. That can be achieved by creating an exception for the perl.exe executable in the rule definition. With this exception defined, w3wp.exe will be allowed to spawn perl.exe, but no other process.

2. Another example concerns the executable file protection and the IIS FTP service (when the FTP service is enabled). The FTP service is implemented in the inetinfo.exe process. If inetinfo.exe is not allowed to create or modify executable files, then FTP users will not be allowed to upload executable files. To solve that, the inetinfo.exe process can be allowed to create/modify executable files in specified directories.
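An added example (PowerShell, not code from the original notes) that serves both the appcmd list wp step above and the hardening rule just described: it maps each w3wp.exe to its application pool and account, then flags child processes that the pool is not allowed to spawn. The allowlist is a hypothetical policy; appcmd's default location, an elevated session and the PowerShell 3+ CIM cmdlets are assumptions, and the sample appcmd lines are constructed.

```powershell
# Added example, not from the original notes. Serves two passages above: the
# "appcmd list wp" step (map each w3wp.exe to its application pool) and the
# hardening rule that w3wp.exe should spawn nothing except an explicit exception
# such as perl.exe. It inventories worker processes with pool and account, then
# flags child processes of w3wp.exe that are not on a per-pool allowlist.
# Assumptions: IIS 7.x, appcmd.exe in its default location, elevated session,
# PowerShell 3+ for Get-CimInstance (use Get-WmiObject on PowerShell 2).
# The allowlist below is a hypothetical policy, not a setting of IIS.

$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# Hypothetical policy: executables each pool may legitimately spawn. Pools not
# listed may spawn nothing (the default in the hardening text).
$AllowedChildren = @{
    'PerlPool' = @('perl.exe')
}

# Parse "appcmd list wp" lines of the form:  WP "3784" (applicationPool:AppPool1)
function ConvertFrom-AppcmdWp {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^WP\s+"(?<pid>\d+)"\s+\(applicationPool:(?<pool>[^)]+)\)') {
            [pscustomobject]@{ ProcessId = [int]$Matches['pid']; AppPool = $Matches['pool'] }
        }
    }
}

function Get-W3wpInventory {
    $workers = @(ConvertFrom-AppcmdWp -Lines (& $appcmd list wp))
    $procs   = @(Get-CimInstance Win32_Process -Filter "Name='w3wp.exe'")
    foreach ($wp in $workers) {
        $p = $procs | Where-Object { $_.ProcessId -eq $wp.ProcessId }
        $account = 'unknown'
        $cmdLine = ''
        if ($p) {
            $owner   = Invoke-CimMethod -InputObject $p -MethodName GetOwner
            $account = "$($owner.Domain)\$($owner.User)"
            $cmdLine = $p.CommandLine   # w3wp.exe is started with -ap "<pool>"; cross-check
        }
        [pscustomobject]@{
            ProcessId   = $wp.ProcessId
            AppPool     = $wp.AppPool   # as WAS/appcmd sees it
            Account     = $account      # pool identity the worker actually runs as
            CommandLine = $cmdLine
        }
    }
}

function Get-W3wpChildren {
    param([object[]]$Inventory)
    $all = @(Get-CimInstance Win32_Process)
    foreach ($wp in $Inventory) {
        $allowed = @($AllowedChildren[$wp.AppPool])
        foreach ($child in ($all | Where-Object { $_.ParentProcessId -eq $wp.ProcessId })) {
            [pscustomobject]@{
                AppPool   = $wp.AppPool
                ParentPid = $wp.ProcessId
                ChildPid  = $child.ProcessId
                Child     = $child.Name
                Allowed   = ($allowed -contains $child.Name)
            }
        }
    }
}

# Offline check of the parser on constructed lines (PIDs borrowed from the text).
$sampleLines = @(
    'WP "3784" (applicationPool:AppPool1)',
    'WP "5044" (applicationPool:AppPool2)'
)
ConvertFrom-AppcmdWp -Lines $sampleLines | Format-Table -AutoSize

# Live run on the IIS host:
if (Test-Path -LiteralPath $appcmd) {
    $inventory = @(Get-W3wpInventory)
    $inventory | Format-Table ProcessId, AppPool, Account -AutoSize
    Get-W3wpChildren -Inventory $inventory |
        Where-Object { -not $_.Allowed } |
        Format-Table -AutoSize   # anything listed here is a child w3wp.exe should not have
}
```

A one-shot snapshot misses short-lived children such as a CGI interpreter that exits quickly; for continuous coverage, log process creation (Windows event 4688 or Sysmon event 1) and filter on a parent image of w3wp.exe.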



IIS Worker Process

An Internet Information Services (IIS) worker process is a Windows process (w3wp.exe) which runs Web applications, and is responsible for handling requests sent to a Web Server for a specific application pool.

An app pool is able to host (as its name says) several w3wp processes. In this case there will be several w3wp.exe processes associated with a single app pool.

W3WP processes are created only when there is incoming traffic. A request is therefore needed to start the process (whereas an NT service would start on its own). w3wp.exe stops after a given "idle timeout" (see laboratorio02).

W3wp.exe: This file is part of Internet Information Services. W3wp.exe is developed by Microsoft Corporation. It's a system and hidden file.

Worker Process (w3wp.exe) runs the ASP.Net application in IIS. This process is responsible for managing all the requests and responses that are coming from the client system.

All the ASP.Net functionality runs under the scope of the worker process.

When a request comes to the server from a client, the worker process is responsible for generating the request and response. In a single word we can say the worker process is the heart of an ASP.NET Web Application which runs on IIS.

Lab

After activating a web application, the corresponding w3wp that hosts it can be identified:



Application Domains

Activation Components

WAS consists of several architectural components:

- Listener adapters. Windows services that receive messages on specific network protocols and communicate with WAS to route incoming messages to the correct worker process.
- The generic worker process executable (w3wp.exe).
- Application manager (see below). Manages the creation and lifetime of application domains that host applications within the worker process.
- Protocol handlers. Protocol-specific components that run in the worker process and manage communication between the worker process and the individual listener adapters. Two types of protocol handlers exist: process protocol handlers and AppDomain protocol handlers.

When WAS activates a worker process instance, it loads the process protocol handlers required into the worker process and uses the application manager to create an application domain to host the application. The application domain loads the application's code as well as the AppDomain protocol handlers that the network protocols used by the application require.

Application manager

Application manager. Manages the creation and lifetime of application domains that host applications (see the preliminary section on Windows Services application) within the worker process.



Acronym | Meaning | Purpose
PPH | Process Protocol Handlers | Implement protocol-specific process initialization logic.
ADPH | Application Domain Protocol Handlers | Reside in the activated application domain and perform protocol-specific application domain initialization.




Application Manager

When WAS activates a worker process instance, it loads the process protocol handlers required into the worker process and uses the application manager to create an application domain to host the application. The application domain loads the application's code as well as the AppDomain protocol handlers that the network protocols used by the application require.

AppDomains and AppPool

FAQ:


Q: What is the difference between an application and an Appdomain?

I understand from my research so far that an Appdomain is a container within which ASPX runs and that Apppool is a process that starts the w3wp.exe worker process within which ASP applications run.

A: That's a good question.

Here are some key differences:

- An application is an IIS term, but it's one that ASP.NET utilizes. Essentially it creates a sandbox, or a set of boundaries to separate different sites, or parts of sites, from the others.
- An AppDomain is a .NET term. (In IIS7, AppDomains play a larger role within IIS, but for the most part it's an ASP.NET term.)
- An AppDomain contains InProc session state (the default session state mode). So if an AppDomain is killed/recycled, all of your session state information will be lost (if you are using the default InProc session state).
- Applications can have multiple AppDomains in them, although often there is a one-to-one relationship between them.
- In IIS6 and greater, there is the option of creating groups, or "pools" of applications that can be bundled together or separated, however the server administrator decides. These are called Application Pools. Each app pool runs under its own w3wp.exe worker process.




What is App Pool and App Domain? What is the difference between the two?

Answer #2

The IIS process is w3wp;

Every application pool in IIS uses its own process; AppPool1 uses process 3784, AppPool2 uses process 5044.

Different applications in Asp.net will use different AppDomains; AppTest2 and AppTest2 are in different AppDomains, but in the same process.

What's the point of using them?

Application pool and AppDomain, both of them can provide isolation, but use different approaches. Application pool uses the process to isolate the applications, which works without .NET. But AppDomain is another isolation method provided by .NET.

If your server hosts thousands of web sites, you won't use thousands of application pools to isolate the web sites, just because too many processes running will kill the OS.

However, sometimes you need an application pool. One of the advantages of an application pool is that you can configure the identity for the application pool. Also you have more flexible options to recycle the application pool. At least right now, IIS didn't provide explicit options to recycle the appdomain.


Preliminary: Protocol Handler

Process Protocol Handler

Channels requests through the service model of a particular protocol for processing.

Protocol handlers: protocol-specific components that run in the worker process and manage communication between the worker process and the individual listener adapters. Two types of protocol handlers exist: process protocol handlers and AppDomain protocol handlers.

Based on the information received from WAS, it pulls the request from the application pool queue and passes it to the corresponding process protocol handler. However, if no corresponding application pool is employed for the request, WAS will initialize one. Moreover, w3svc provides the listener adapter for HTTP requests.


Functional description of the system

For now we focus our study on HTTP requests and services.








The structures needed to implement HTTP Request Processing


Description of the HTTP Protocol Listener

Hypertext Transfer Protocol Stack (HTTP.sys)

Overview:

The HTTP listener is part of the networking subsystem of Windows operating systems, and it is implemented as a kernel-mode device driver called the HTTP protocol stack (HTTP.sys). HTTP.sys listens for HTTP requests from the network, passes the requests on to IIS for processing, and then returns processed responses to client browsers.





HTTP Protocol Listeners

Protocol listeners receive protocol-specific requests, send them to IIS for processing, and then return responses to requestors. For example, when a client browser requests a Web page from the Internet, the HTTP listener, HTTP.sys, picks up the request and sends it to IIS for processing. Once IIS processes the request, HTTP.sys returns a response to the client browser.

By default, IIS 7 provides HTTP.sys as the protocol listener that listens for HTTP and HTTPS requests. HTTP.sys was introduced in IIS 6.0 as an HTTP-specific protocol listener for HTTP requests. HTTP.sys remains the HTTP listener in IIS 7, but includes support for Secure Sockets Layer (SSL).

To support services and applications that use protocols other than HTTP and HTTPS, you can use technologies such as Windows Communication Foundation (WCF). WCF has listener adapters that provide the functionality of both a protocol listener and a listener adapter. Listener adapters are covered later in this document. For more information about WCF, see Windows Communication Foundation on MSDN.

HTTP Protocol Listeners

Protocol listeners are services in which each service is configured to listen for and process a specific protocol request (as we shall see) coming from the network on which the machine hosting the web server resides. For instance, one of the listeners installed on a Windows machine keeps waiting and listening for any web request arriving on the machine. There are additional listeners also present to listen to other, different protocols. When a request is received by a listener, it forwards it to IIS 7.0 to be processed. Once a request is processed by IIS 7.0, the response generated is sent back to the protocol listener that originally sent the request. Finally, the response is handed back to the requestor.

An example of a protocol listener is the HTTP listener called Hyper Text Protocol Stack. This is the main protocol listener for all HTTP requests arriving on a Windows machine. When an HTTP request is first received by Windows Vista or Windows Server 2008, the initial handling is actually performed by the kernel-mode HTTP driver: http.sys.


Description of the HTTP Listener Adapter (World Wide Web Publishing Service)

In general: listener adapters are Windows services that receive messages on specific network protocols and communicate with WAS (illustrated later) to route incoming requests to the correct worker process (illustrated later).

In short: listener adapters are Windows services that receive messages on specific network protocols and communicate with WAS to route incoming messages to the correct worker process (illustrated later).


HTTP case:

In IIS 6.0, the WWW Service performed several tasks itself. These tasks included HTTP administration and configuration, process management, and performance monitoring. In IIS 7.0, this has changed and the WWW Service now acts as a listener adapter for http.sys. A listener adapter is responsible for configuring the http.sys protocol listener with the IIS 7.0 configuration information stored in the ApplicationHost.config configuration file. It then waits for changes in the configuration information to reflect them into http.sys, and finally notifies the Windows Process Activation Service (WAS, illustrated later) when a new HTTP request enters the local queue.

Listener adapters are individual Windows services that implement the network communication logic used to receive messages using the network protocol on which they listen.






World Wide Web Publishing Service (W3SVC): this service acts as a listener adapter for the HTTP.sys protocol listener and monitors the HTTP requests.

Description of the Windows Process Activation Service (WAS) and its components

Windows Activation Service (WAS):

WAS is a new service in IIS 7.0 that manages application pool configuration and worker processes. The shift to a separate core component ensures that developers can use the same process model and configuration for both HTTP and non-HTTP based sites. It is possible to configure the other three protocol listeners (NET.TCP, NET.MSMQ and NET.PIPE) using WAS. For example, when the NET.TCP protocol listener is configured it listens for TCP requests. WAS can also be used to host a Windows Communication Foundation (WCF) based service.



The Windows service that manages the creation and lifetime of worker processes (see laboratorio02).

In IIS 7, WAS manages application pool configuration and worker processes (illustrated later).

The WAS is a new service that has three main parts. Figure 1-8 shows the architecture and main components of the WAS.



HTTP Services

HTTP Request Processing

IIS 7.0 has a similar HTTP request-processing flow as IIS 6.0. The diagrams in this section provide an overview of an HTTP request in process.

The following list describes the request-processing flow that is shown in figure 1:

1. When a client browser initiates an HTTP request for a resource on the Web server, HTTP.sys intercepts the request.

2. HTTP.sys contacts WAS to obtain information from the configuration store.

3. WAS requests configuration information from the configuration store, applicationHost.config.

4. WWW Service receives configuration information, such as application pool and site configuration.

5. WWW Service uses the configuration information to configure HTTP.sys.

6. WAS starts a worker process for the application pool to which the request was made.

7. The worker process processes the request and returns a response to HTTP.sys.

8. The client receives a response.












In IIS 7.0, HTTP request processing consists of the following steps, as shown in Figure 2-2:

1. An HTTP request from a client browser arrives at the server. HTTP.sys intercepts the request.

2. HTTP.sys checks if it has the configuration information for the application the request is sent to.

   - If HTTP.sys has the configuration information, it forwards the request to an appropriate worker process (see step 7).

   - If HTTP.sys doesn't have the configuration information, it contacts W3SVC, which passes the request for information to WAS.

3. WAS obtains configuration information from the IIS global configuration file, applicationHost.config.

4. WAS checks the worker process in the application pool to which the request is made. If there is no worker process, WAS starts a worker process for that application pool.

5. WAS passes configuration, including application pool and application configuration settings, to W3SVC.

6. W3SVC uses configuration received from WAS to configure and update HTTP.sys.

7. HTTP.sys forwards the request to the worker process.

8. The worker process begins a request processing pipeline to execute the request. A request processing pipeline is an ordered list consisting of components that perform specific tasks to process a request. At the end of this processing, a response is generated and returned to HTTP.sys.

9. HTTP.sys sends a response to the client.



In summary, the sequence is: requests -> Http.sys -> HTTP listener process -> appropriate worker process in w3svc -> specific application.


Functional description of the Protocol Listeners

A listener needs to receive messages. For this, it needs to open a socket (or a pipe handle, or start an MSMQ read, and so on). However, in order to receive the proper messages, it needs to obtain the necessary addressing information from WAS. This is accomplished during listener startup. The protocol's listener adapter calls a function on the WAS listener adapter interface. WAS also assigns to each application a unique listener channel ID used for associating requests with their destination applications.

Once the listener service has connected to WAS and received configuration information, it can open its network resource and begin listening for messages. For TCP, this causes NetTcpActivator to trigger a socket to open and an asynchronous call to Socket.Accept to be made, at which point the listener essentially goes to sleep until a message arrives.




Functional description of the WAS

Windows Process Activation Service (http - tcp - pipe - msmq)

On startup, WAS reads certain information from the ApplicationHost.config file, and passes that information to listener adapters on the server. Listener adapters are components that establish communication between WAS and protocol listeners, such as HTTP.sys. Once listener adapters receive configuration information, they configure their related protocol listeners and prepare the listeners to listen for requests.

The following list describes the type of information that WAS reads from configuration:

- Global configuration information
- Protocol configuration information for both HTTP and non-HTTP protocols
- Application pool configuration, such as the process account information
- Site configuration, such as bindings and applications
- Application configuration, such as the enabled protocols and the application pools to which the applications belong

If ApplicationHost.config changes, WAS receives a notification and updates the listener adapters with the new information.

WAS supports multiple protocols through a listener adapter architecture where listeners are abstracted from the process management function. By defining an interface between WAS and the listeners, WAS can support multiple listeners without introducing extra complexity into the system. This way, WAS can communicate over HTTP, TCP, MSMQ, and named pipes using a consistent mechanism, thereby improving system reliability.

Figure 7.1 depicts the WAS architecture.

It's possible to use WAS without installing IIS.

This topic itemizes and discusses the components of the Windows Process Activation Service (also known as WAS).

(also called Process Model)




WAS Activation Components

Elements of the WAS Addressing Model

DEF:

Applications, which are the code units whose lifetime and execution environment are managed by the server, have Uniform Resource Identifier (URI) addresses. A single server can be home to many different applications. Servers organize applications into groups called sites. Within a site, applications are arranged in a hierarchical manner that reflects the structure of the URIs that serve as their external addresses.

Application addresses have two parts: a base URI prefix and an application-specific, relative address (path), which provide the external address for an application when joined together. The base URI prefix is constructed from the site binding and is used for all the applications under the site. Application addresses are then constructed by taking application-specific path fragments (such as "/applicationOne") and appending them to the base URI prefix (for example, "net.tcp://localhost") to arrive at the full application URI.

The WAS Runtime

Applications are organized into sites for the purposes of addressing and management. At run time, applications are also grouped together into application pools. An application pool can house many different applications from many different sites. All of the applications inside an application pool share a common set of run-time characteristics. For example, they all run under the same version of the common language runtime (CLR) and they all share a common process identity. Each application pool corresponds to an instance of a worker process (w3wp.exe). Each managed application running inside of a shared application pool is isolated from other applications by means of a CLR AppDomain.

Lab

HTTP Listener Adapter Service



How the WWW Service works in IIS 7

The WWW Service is the listener adapter for the HTTP listener, HTTP.sys. As the listener adapter, the WWW Service is primarily responsible for configuring HTTP.sys, updating HTTP.sys when configuration changes, and notifying WAS when a request enters the request queue.


FAQ

Q: How is an application pool related to IIS w3wp.exe?

An application pool represents a limited number of worker processes that may host a potentially larger number of applications. This is similar to how a SQL Connection Pool shares a limited number of connections among an arbitrary number of requests.

By default, an Application Pool gets one Worker Process (w3wp.exe), and it's usually best to leave this setting alone unless you know what you're doing. Still, an Application Pool can be configured to use any number of processes.

The Worker Process is actually the resource that's being pooled here, not the AppDomain. There will always be the same number of AppDomains as there are ASP.NET Applications (unless one is in the middle of shutting down, or an application creates its own AppDomains), but the number of Worker Processes is independent; an Application Pool gives you a specific number of Worker Processes to handle requests for a specific number of AppDomains.

A setting of 1 (the default) for the number of worker processes in an App Pool means that all Applications/AppDomains in the pool share the same worker process.


Architectural description of a Worker Process (w3wp.exe)

















In more detail





Non-HTTP request processing






Listener Adapter Interface (WAS component)

The listener adapter interface is used to communicate activation requests that are received over the supported non-HTTP protocols. There are several non-HTTP listener adapters, as follows:

- NetTcpActivator for the TCP protocol
- NetPipeActivator for Named Pipes
- NetMsmqActivator for Message Queuing (also known as MSMQ)

If you do not need HTTP functionality, you can actually run WAS without W3SVC.

Process       | Service                                                   | Description
smsvchost.exe | Net.Tcp Port Sharing Service (itcppss)                    | Enables multiple listeners on the same port.
smsvchost.exe | Net.Tcp Listener Adapter Service (itcpas)                 | Processes TCP requests.
smsvchost.exe | Net.Pipe Listener Adapter Service (inpas)                 | Processes named pipe requests.
smsvchost.exe | Net.Msmq Listener Adapter Service (imsmqas)               | Processes MSMQ requests.
              | HTTP Listener (http.sys)                                  | Forwards HTTP requests to the WAS.
svchost.exe   | WWW Service (w3svc) - includes the HTTP Listener Adapter  | Processes HTTP requests.
svchost.exe   | Windows Activation Service (WAS)                          | Provides configuration for protocol listeners and listener adapters, handles process activation for requests, provides health monitoring and other hosting features.















Configuration Manager

The configuration manager is responsible for reading the configuration information from the ApplicationHost.config configuration file. This manager reads global configuration information and protocol configuration information for both HTTP and non-HTTP protocols in order to be able to configure all protocol listeners installed on the web server machine. It also reads application pool configuration information to know what application pools are present when processing requests on the server. It reads site configuration information, including the different applications included in each site together with the bindings defined on each application, and finally, reads the application pool each application belongs to. Such information helps the WAS when processing a request to know which site and application the request belongs to so that it gets handled by the right application pool.

In addition, the configuration manager gets a notification when the ApplicationHost.config configuration file changes so that it updates its data with the new ones and reflects this on the available protocol listeners.



Listener Adapters

The following table lists the listener adapters for Windows Communication Foundation (WCF) protocols.

Listener adapter service name | Protocol        | Notes
W3SVC                         | http            | Common component that provides HTTP activation for both IIS 7.0 and WCF.
NetTcpActivator               | net.tcp         | Depends on the NetTcpPortSharing service.
NetPipeActivator              | net.pipe        |
NetMsmqActivator              | net.msmq        | For use with WCF-based Message Queuing applications.
NetMsmqActivator              | msmq.formatname | Provides backwards compatibility with existing Message Queuing applications.


Listener Adapter

Windows Process Activation Services

By eradicating the dependency on HTTP, the Windows Process Activation Service model simplifies the Internet Information Services architecture. It is the process activation service of IIS 7.0 supporting both HTTP and non-HTTP transports, including TCP, Named Pipes, and MSMQ. What is more, it provides management services for application pool configuration and worker processes throughout IIS 7.0 request processing.





Figure 1. Windows Process Activation Services as a required feature for IIS 7.0.

In the entire request-processing-response servicing, IIS 7.0 takes advantage of several components. These include Windows Process Activation Services, World Wide Web Publishing Service (W3SVC), Listener Adapters, Protocol Listener, and Worker Process.

At this point, to appreciate the enhancement made in IIS 7.0 through WAS, we will first glance at the process on IIS 6.0 in worker process isolation mode.

1. Upon receipt, the HTTP protocol stack (HTTP.sys) validates the request. If valid, HTTP.sys verifies the requested content type. Else, it will notify the client.

2. If the requested content is static, a response will immediately be served to the client. Else, HTTP.sys verifies the presence of the response in the kernel-mode cache.

3. If the response is in the cache, HTTP.sys will immediately provide the response. Else, the same request will be placed in a queue.

4. If the queue has no corresponding worker process, HTTP.sys informs the WWW Service to initialize one. With this, the worker process processes the request.

5. The Worker Process sends the response to HTTP.sys, and the latter sends it to the client.

With the birth of IIS 7.0, however, the paradigm has shifted to a WAS-centered architecture. Below is the tabular presentation of the process:




A listener adapter is responsible for bridging requests between WAS and the worker process for a particular protocol. There is a listener adapter for HTTP, named pipes, TCP, and MSMQ. WWW Service provides the HTTP listener adapter. IIS provides Windows services for each of the other protocols, supplying a protocol listener and listener adapter pair.

Continuing from my previous introductory post about AppFabric, it is very fundamental to know the architecture of IIS 7.0 and WAS. So, this post.

In the above diagram, you can see two regions in Windows: the kernel mode and user mode, and you know that processes in the kernel mode touch the CPU and other hardware without any interface and have the rights to access physical memory without any virtual address mapping. The user mode processes are our own applications along with the Windowing Subsystem, which also includes the Windows Network Subsystem.

Processes in the user mode require processes in the kernel mode for activities such as thread scheduling, memory, cache or IO. So, it would require a thread context switch, meaning that a kernel mode thread has been created and the data in the user mode thread has been transferred into the kernel mode thread.

Ahhh, I'm explaining too much about Windows processing. Let's cut it off.




Lab

DEF

Message-based activation means that idle worker processes and associated ServiceHost instances can be released and reconstructed on demand, preserving precious server resources.

The listener adapter comprises: a binding monitor configured to poll the message queue center to discover queues at the message queue center, the binding monitor further being configured to correlate applications to queues at the message queue center by comparing application paths with queue names, wherein the queue names include prefixes, and wherein comparing application paths with queue names comprises correlating elements of application paths with elements of queue name prefixes on an element basis; and a queue monitor for each queue correlated to an application, wherein the queue monitor is configured to monitor queues for new messages and to request activation of an application correlated to a queue when new messages arrive in the queue correlated to the application.


How Listeners Know to Listen

A listener needs to receive messages. For this, it needs to open a socket (or a pipe handle, or start an MSMQ read, and so on). However, in order to receive the proper messages, it needs to obtain the necessary addressing information from WAS. This is accomplished during listener startup. The protocol's listener adapter calls a function on the WAS listener adapter interface and essentially says, "I am now listening on the net.tcp protocol; please use this set of callback functions I'm handing you to tell me what I need to know." In response, WAS will call back with any configuration it has for applications that are set up to accept messages over the protocol in question. For the example above, the TCP listener would be informed that there were two applications (*:7777/Foo and *:7777/Bar) configured to use TCP. WAS also assigns to each application a unique listener channel ID used for associating requests with their destination applications.

The listener process uses the configuration information provided by WAS to build up a routing table, which it will use to map incoming requests to listener channel IDs as they arrive. The mechanics of this mapping is an implementation detail of the underlying protocol the listener is supporting. The important thing is that each listener service must be able to look at an incoming message, say, "Ah, this is destined for listener channel x," and dispatch the request to WAS accordingly. It happens that WCF uses URIs to indicate the destination of messages that arrive over TCP/MSMQ/named pipes, but other protocols could conceivably implement this mapping in whatever way is appropriate for them.

Once the listener service has connected to WAS and received configuration information, it can open its network resource and begin listening for messages. For TCP, this causes NetTcpActivator to trigger a socket to open and an asynchronous call to Socket.Accept to be made, at which point the listener essentially goes to sleep until a message arrives.
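An added example, not from the original text: a simplified PowerShell model of the routing table described here, built from constructed site bindings and application paths (*:7777/Foo, *:7777/Bar and a second site) and used to map incoming net.tcp URIs to listener channel IDs by longest matching application path. It models the documented behaviour only; the real WAS and NetTcpActivator implementation is not shown.

```powershell
# Added example (not from the original notes): model of the routing table a listener service
# builds from the configuration WAS hands it. Sites, bindings, paths and channel IDs are constructed.
$sites = @(
    @{ Name = 'Site1'; Protocol = 'net.tcp'; BindingInfo = '7777:*'; Applications = @(
        @{ Path = '/';    ChannelId = 1 },
        @{ Path = '/Foo'; ChannelId = 2 },
        @{ Path = '/Bar'; ChannelId = 3 }) },
    @{ Name = 'Site2'; Protocol = 'net.tcp'; BindingInfo = '8888:*'; Applications = @(
        @{ Path = '/Foo'; ChannelId = 4 }) }
)

function New-RoutingTable {
    param([array] $Sites)
    # One entry per application: port and host from the site binding (the base URI prefix),
    # application path, and the listener channel ID assigned by WAS.
    $table = foreach ($site in $Sites) {
        $port, $hostName = $site.BindingInfo -split ':', 2
        foreach ($app in $site.Applications) {
            [pscustomobject]@{
                Port      = [int] $port
                HostName  = $hostName                                        # '*' = any host
                Path      = $app.Path.TrimEnd('/').ToLowerInvariant()        # '' for the root app
                ChannelId = $app.ChannelId
                Address   = "$($site.Protocol)://${hostName}:${port}$($app.Path)"  # base prefix + path
            }
        }
    }
    # Longest application path first, so '/Foo/child' matches '/Foo' before the root app '/'.
    $table | Sort-Object { $_.Path.Length } -Descending
}

function Resolve-ListenerChannel {
    param([array] $Table, [string] $MessageUri)
    $uri = [uri] $MessageUri
    $requestPath = $uri.AbsolutePath.TrimEnd('/').ToLowerInvariant()
    foreach ($entry in $Table) {
        if ($entry.Port -ne $uri.Port) { continue }
        if ($entry.HostName -ne '*' -and $entry.HostName -ne $uri.Host) { continue }
        # The request path must equal the application path or sit beneath it on a segment boundary.
        if ($requestPath -eq $entry.Path -or $requestPath.StartsWith($entry.Path + '/')) {
            return $entry.ChannelId
        }
    }
    return $null   # no application configured for this address: nothing for WAS to activate
}

$table = New-RoutingTable -Sites $sites
$table | Format-Table Address, ChannelId -AutoSize

foreach ($msg in 'net.tcp://localhost:7777/Foo/Service.svc',
                 'net.tcp://localhost:7777/Bar',
                 'net.tcp://localhost:7777/Baz/Service.svc',   # falls back to the root app, channel 1
                 'net.tcp://localhost:8888/Foo/Service.svc',
                 'net.tcp://localhost:9999/Foo') {              # port not bound by any site
    $channel = Resolve-ListenerChannel -Table $table -MessageUri $msg
    if ($null -eq $channel) { "$msg -> no listener channel" } else { "$msg -> listener channel $channel" }
}
```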


Sharing Windows Service (smsvchost.exe)

Configuring the Net.TCP Port Sharing Service

Stand-alone services that use the Net.TCP transport can control several advanced settings, such as ListenBacklog and MaxPendingAccepts, which govern the behaviour of the underlying TCP socket used for network communication.

However, these per-socket settings apply only at the binding level if the transport binding has disabled port sharing, which is enabled by default.

When a net.tcp binding enables port sharing, by setting portSharingEnabled=true on the transport binding element, it implicitly allows an external process, namely SMSvcHost.exe, which hosts the Net.TCP Port Sharing Service, to manage the TCP socket on its behalf. For example, when using TCP, specify:

<tcpTransport portSharingEnabled="true" />

When configured in this way, the socket settings specified on the service's transport binding element are ignored in favour of the socket settings specified by SMSvcHost.exe.

To configure SMSvcHost.exe, create an XML configuration file named SmSvcHost.exe.config and place it in the same physical directory as the SMSvcHost.exe executable, for example c:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation.



The Scenario

The goal here is to set up reliable, asynchronous communication between a client application and a service, which may be on different machines. We will be using MSMQ as a transport mechanism, as it supports reliable queued communication. MSMQ will be deployed on a third server (typically clustered to eliminate a single point of failure). The client application will use WCF's NetMsmqBinding to send messages to a private queue on the MSMQ server. The service will be hosted in IIS 7, and will use Windows Activation Services (WAS) to listen for new messages on the message queue. This listening is done by a Windows Service called SMSvcHost.exe. When a message arrives, it activates the service within an IIS worker process, and the service will process the message.

The overall architecture is shown in the following diagram.

The Basics

Let's start simple by setting everything up on a single server, with no security or transactions to complicate things. This first instalment is a bit of a recap of my earlier post, but I'm including it again here as it will be an important foundation for the more complex steps shown in the next instalments.

The WCF plumbing that actually receives requests over non-HTTP protocols is hosted inside of SMSvcHost.exe, which hosts the following four long-running Windows NT services: NetTcpPortSharing, NetTcpActivator, NetPipeActivator, and NetMsmqActivator.

- NetTcpPortSharing is the WCF TCP port sharing service. It implements a centralized TCP listener so that multiple processes can listen on the same TCP port. This service is available even if IIS 7.0 is not installed.
- NetTcpActivator is the WCF TCP Activation Service. It communicates TCP activation requests to WAS.
- NetPipeActivator is the WCF named pipe activation service, which communicates named pipe activation requests to WAS.
- NetMsmqActivator is the WCF MSMQ activation service; it communicates MSMQ activation requests to WAS.

Although these services all live in the same binary, they are separate Windows NT services and can be stopped and started individually to reduce both attack surface and overhead. They are all examples of listener services and all behave in a similar manner.



Lab

With Sysinternals Process Monitor:

With Sysinternals PsService.exe

With Process Explorer





Generic IIS Worker Process Hosting (w3wp.exe)

W3wp.exe: a worker process. IIS can have multiple W3wp.exe processes, one for each application pool. To support Web-garden scenarios where one application is split in separate processes, you have multiple instances of the same worker process. This can provide additional scalability and performance benefits.


Lab

Process Monitor -> Tools -> Process Tree

Process Explorer:


Application pool

Overview

The <applicationPools> element contains configuration settings for all application pools running on your Internet Information Services (IIS) 7 server.

DEFINITION:

An application pool defines a group of one or more worker processes, configured with common settings that serve requests to one or more applications that are assigned to that application pool.

Because application pools allow a set of Web applications to share one or more similarly configured worker processes, they provide a convenient way to isolate a set of Web applications from other Web applications on the server computer. Process boundaries separate each worker process; therefore, application problems in one application pool do not affect Web sites or applications in other application pools. Application pools significantly increase both the reliability and manageability of your Web infrastructure.

You can choose to use the default application pool provided by IIS on install, or you can create your own application pool. You can run as many application pools on your IIS 7 server as you need, though this can affect server performance. Application pools can contain one or more worker processes. Each worker process represents work being done for a Web site, Web application, or Web service. You can create a Web garden by enabling multiple worker processes to run in a single application pool.


Application Pools in Microsoft IIS

At a basic level, Application Pools are simply a way to isolate one or more applications into their own process. For example, if you have two applications you are hosting on an IIS server, you can isolate them into their own individual pools so that if one application crashes, it does not impact the other application. Application pools also have their own memory space. For each application pool that you create in IIS, a new World Wide Web (W3) Worker Process (wp) w3wp.exe process will run on your machine.


New in IIS 7 - App Pool Isolation

In previous versions of IIS, it has sometimes been difficult to isolate web application pools from each other. If multiple web application pools are configured to run as the same identity (e.g. Network Service) then code running inside one web application pool would be able to use File System objects to access configuration files, web pages and similar resources belonging to another web application pool. This was because it was impossible to allow one process running as Network Service access to a file, but prevent another process also running as Network Service access to the same file.
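An added example (not part of the original notes) that maps each application pool to its process identity and its w3wp.exe PIDs, then flags any identity shared by more than one pool, which is the condition the paragraph above describes. It assumes IIS 7 or later with the WebAdministration module and appcmd.exe present, run from an elevated PowerShell prompt.

```powershell
# Added example, not from the original notes: application pool -> identity -> worker process PIDs,
# with a warning for identities shared across pools. Requires an elevated prompt on an IIS 7+ host.
Import-Module WebAdministration

# "appcmd list wp" prints one line per running worker process, e.g.:
#   WP "4328" (applicationPool:DefaultAppPool)
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$pidsByPool = @{}
& $appcmd list wp | ForEach-Object {
    if ($_ -match 'WP "(\d+)" \(applicationPool:(.+)\)') {
        $name = $Matches[2]
        if (-not $pidsByPool.ContainsKey($name)) { $pidsByPool[$name] = @() }
        $pidsByPool[$name] += [int] $Matches[1]
    }
}

$pools = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm = $pool.processModel
    # Built-in identities (LocalSystem, LocalService, NetworkService) are shared by every pool that
    # selects them; ApplicationPoolIdentity yields a per-pool virtual account "IIS APPPOOL\<name>".
    $identity = switch ([string] $pm.identityType) {
        'ApplicationPoolIdentity' { "IIS APPPOOL\$($pool.Name)" }
        'SpecificUser'            { $pm.userName }
        default                   { [string] $pm.identityType }
    }
    [pscustomobject]@{
        Pool     = $pool.Name
        State    = $pool.state
        Identity = $identity
        Pids     = ($pidsByPool[$pool.Name] -join ',')   # empty when the pool has no live w3wp.exe
    }
}

$pools | Format-Table -AutoSize

# Any identity used by more than one pool defeats process-level isolation of file resources:
# NTFS cannot tell the two w3wp.exe processes apart.
$shared = $pools | Group-Object Identity | Where-Object Count -gt 1
foreach ($g in $shared) {
    Write-Warning ("Identity {0} is shared by pools: {1}" -f $g.Name, ($g.Group.Pool -join ', '))
}
if (-not $shared) { Write-Host 'OK: every application pool runs under a distinct identity.' }
```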

In IIS 7.0 it is poss
ible, with some work, to prevent this from occurring. As part of IIS 7.0 inbuilt
functionality, each web application pool has an application pool configuration file generated on
-
the
-
fly when that application pool is started. These are stored, by default, i
n the
%systemdrive%
\
inetpub
\
temp
\
appPools folder.

SID

Each web application pool has an additional SID (Security Identifier) generated for it, and this is
injected into the relevant w3wp.exe process. The application pool's configuration file is ACLed to
allow only that SID access. Since each w3wp.exe process has its own SID, each application pool's
configuration file is ACLed to a different SID:




Using the icacls.exe tool it is possible to determine the SID applied to any given
application pool's configuration file. This can be done by using the command:

icacls.exe %systemdrive%\inetpub\temp\appPools\appPool.config /save output.txt

The actual SID always starts with the well-known identity prefix: S-1-5-82 followed by a hash of
the Application Pool's name.

The retrieved SID can now be used to secure web site content in the same way. To do this:

Edit: Thomas Deml (from the IIS Product Group) has shown me an easier way to perform Step 4
below.

1. Configure each website (or web application) to run in its own web application pool

2. Configure anonymous authentication to use the application pool identity rather than
the IUSR account (this can be done by editing the Anonymous Authentication
properties for the website in question)

3. Remove NTFS permissions for the IUSRS group and the IUSR account from the
website's files and folders.

4. Use the icacls.exe tool to permit the App Pool's individual SID Read (and optionally
Execute and Write) access to the web site's files and folders. You don't need to
initially retrieve the SID using iCacls. Instead simply use: IIS APPPOOL\ApplicationPoolName
as the user to grant read permissions to (see screenshot below for an example for the Default App Pool)

After configuring these NTFS permissions, only the SID that has been injected into a particular
w3wp.exe process will be able to read the contents of the website in question. All code running in
other w3wp.exe processes, even though the process identity may also be Network Service, will be
unable to read this particular website's content. This technique may be most useful to web hosters or
similar administrators that need to accept content from various external or untrusted parties.
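The four steps above as one script, added here as an example (not part of the original document or of any Microsoft documentation); the site name ContosoSite, pool name ContosoPool and content path C:\inetpub\ContosoSite are assumed placeholders, and the WebAdministration module, icacls.exe and an elevated prompt on IIS 7.x are assumed.

```powershell
# Added example (not from the original document): apply the four isolation
# steps to one site. Hypothetical names: site "ContosoSite", pool
# "ContosoPool", content at C:\inetpub\ContosoSite. Assumes the
# WebAdministration module (IIS 7.x) and an elevated PowerShell prompt.
Import-Module WebAdministration
$Site    = 'ContosoSite'
$Pool    = 'ContosoPool'
$Content = 'C:\inetpub\ContosoSite'

# Step 1: a dedicated application pool, and the site moved into it.
if (-not (Test-Path "IIS:\AppPools\$Pool")) { New-WebAppPool -Name $Pool | Out-Null }
Set-ItemProperty "IIS:\Sites\$Site" -Name applicationPool -Value $Pool

# Step 2: anonymous requests run as the pool identity rather than IUSR
# (an empty userName makes IIS use the application pool identity).
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# Step 3: remove the shared anonymous principals from the content tree.
icacls $Content /remove:g 'IUSR' 'BUILTIN\IIS_IUSRS' /t /c | Out-Null

# Step 4: grant read + execute to this pool's virtual account only;
# (OI)(CI) propagates the entry to files and subfolders.
icacls $Content /grant "IIS AppPool\${Pool}:(OI)(CI)RX" /t /c | Out-Null

# Check: the pool account resolves to an S-1-5-82 SID as described in the
# text, and no IUSR / IIS_IUSRS entry survives on the content folder.
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$Pool")
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
if (-not $sid.StartsWith('S-1-5-82-')) { throw "unexpected SID for $Pool : $sid" }
$leftover = (Get-Acl $Content).Access | Where-Object { $_.IdentityReference -match 'IUSR' }
if ($leftover) { throw "shared principal still present: $($leftover.IdentityReference)" }
"$Pool -> $sid; IUSR and IIS_IUSRS removed from $Content"
```

Run the same ACL check against a second site in a different pool to confirm that its w3wp.exe identity is absent from this site's ACL.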

Edit #2: Here's a screenshot of the dynamic SID injection in action for the Default App Pool (using
the excellent Process Explorer tool). The username highlighted can be used with icacls.exe to ACL
your web content.





Process Model Settings for an Application Pool

By using the <processModel> element, you can configure many of the security, performance, health, and
reliability features of application pools on Internet Information Services (IIS) 7. These include the following
features:

Application pool identity, which is the name of the service or user account under which the application pool's
worker process runs. This is defined by the identityType attribute. By default, starting in IIS 7.5 an
application pool runs under the built-in ApplicationPoolIdentity account, which is created dynamically by
the Windows Process Activation Service (WAS). (In IIS 7.0 the default identity was the NetworkService
account.) You can change the identityType attribute value to the built-in NetworkService account, the
LocalService account, the built-in LocalSystem account, or a custom account that you create. If you choose
a custom account, define the account credentials using the userName and password attributes. Be aware,
however, that the NetworkService, LocalService and LocalSystem accounts have more user rights than
the ApplicationPoolIdentity account. (Warning: It is a serious security risk to run an application pool using
high-level user rights.) Additionally, you can use the logonType attribute to specify whether the process
identity should log on as a batch user or service. (For additional information about logon types, see the
LogonUser Function topic on Microsoft's MSDN Web site.)

Web gardening, which you can configure by setting the maxProcesses attribute to a value greater than one.

Idle time-out settings, which allow you to set how long a worker process remains idle before it shuts down.
Edit the idleTimeout attribute to configure this setting.

Health monitoring by enabling pings against the worker process, the maximum time allowed for a worker
process to respond to a ping, and the frequency of pings sent to a worker process to monitor its health.
Edit the pingingEnabled, pingInterval, and pingResponseTime attributes to configure these settings.

Worker process shutdown and startup time limits. The first limit is set by the shutdownTimeLimit attribute
and determines the interval that IIS 7 gives a worker process to finish all requests before the WWW service
terminates the worker process. The second limit is set by the startupTimeLimit attribute and specifies the
amount of time IIS 7 allows an application pool to start.
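To make the identity and health settings above concrete, here is an added example (not from the original document) that sets them with appcmd.exe and then audits every pool's identityType; the pool name ContosoPool is a placeholder and the timeout values are illustrative choices, not defaults stated on this page.

```powershell
# Added example (not from the original document): set the <processModel>
# attributes discussed above with appcmd.exe, then audit every pool's identity.
# Hypothetical pool name "ContosoPool"; timeout values are illustrative.
# Assumes IIS 7.x and an elevated PowerShell prompt.
$Pool   = 'ContosoPool'
$AppCmd = "$env:windir\System32\inetsrv\appcmd.exe"

# Weak form the text warns against (shown for contrast only, not executed):
#   appcmd set apppool ContosoPool /processModel.identityType:LocalSystem

# Hardened form: per-pool built-in identity (no stored password), one worker
# process unless web gardening is intended, idle shutdown and health pings on.
& $AppCmd set apppool $Pool /processModel.identityType:ApplicationPoolIdentity
& $AppCmd set apppool $Pool /processModel.maxProcesses:1
& $AppCmd set apppool $Pool /processModel.idleTimeout:00:20:00
& $AppCmd set apppool $Pool /processModel.pingingEnabled:true
& $AppCmd set apppool $Pool /processModel.pingInterval:00:00:30
& $AppCmd set apppool $Pool /processModel.pingResponseTime:00:01:30
& $AppCmd set apppool $Pool /processModel.shutdownTimeLimit:00:01:30
& $AppCmd set apppool $Pool /processModel.startupTimeLimit:00:01:30

# Audit: /config:* includes defaulted attributes, so identityType is always
# present. Flag pools with more rights than ApplicationPoolIdentity and custom
# accounts whose password is stored in applicationHost.config.
$xml = [xml]((& $AppCmd list apppool /config:* /xml) -join "`n")
foreach ($p in $xml.appcmd.APPPOOL) {
    $pm = $p.add.processModel
    $flag = switch ($pm.identityType) {
        'LocalSystem'             { 'HIGH: runs as LocalSystem' }
        'NetworkService'          { 'review: shared NetworkService identity' }
        'LocalService'            { 'review: shared LocalService identity' }
        'SpecificUser'            { "review: custom account $($pm.userName), password stored" }
        'ApplicationPoolIdentity' { 'ok' }
        default                   { "unknown identityType $($pm.identityType)" }
    }
    '{0,-28} maxProcesses={1,-3} {2}' -f $p.'APPPOOL.NAME', $pm.maxProcesses, $flag
}
```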




IIS configuration files

Architecture of Windows Communication Foundation (WCF).


To support services and applications that use protocols other than HTTP and HTTPS, you
can use technologies such as Windows Communication Foundation (WCF). WCF has
listener adapters that provide the functionality of both a protocol listener and a listener
adapter. Listener adapters are covered later in this document. For more information about
WCF, see Windows Communication Foundation on MSDN.



Associating with a ServiceHost

Regardless of the hosting environment, all WCF services must be associated with a
ServiceHost instance to be accessible at run time. ServiceHost is part of the
System.ServiceModel namespace, and is the centerpiece of the hosting story. A
ServiceHost instance is initialized with information about the service type, one or more
service endpoints, optional base addresses, and behaviors that govern how the service
model processes requests to the service.




The WCF ServiceHost type features two events called Opening and Closing. They are the only
proper ways to execute code at service startup and shutdown. The problem is that you have to wire
up the handlers for these events between creating a new instance of the ServiceHost and calling
Open on it. This is not possible when using the @ServiceHost directive in .svc files as described
above. A viable option in this case is to host a custom service host factory. This gives you more
control and allows you to handle the aforementioned events.

To do this you have to derive from a class named ServiceHostFactoryBase and implement the
CreateServiceHost method. This method receives the service type name and the base addresses
from the hosting environment and returns an instance of ServiceHostBase. Now it is your
responsibility to create the appropriate ServiceHost, configure it according to your needs, and return
it to the WCF runtime. Doing this then allows you to programmatically access the extensibility
model of WCF and wire up event handlers.


Extending WAS to WCF services

WCF networking services



1) The w3wp.exe process is running under NETWORK SERVICE user.

2) The Net.Msmq Listener Adapter service is running under Network Service user. (However, the other
Listener Adapters are running under Local Service, including Net.Tcp Port Sharing, Net.Tcp and
Net.Pipe. The Windows Process Activation Service is running under Local System).

3) NETWORK SERVICE user is allowed to Receive, Peek and Send from the queue.

I believe my problem is related to the name of the queues and the configured net.msmq:// URI's of the
service. Can you verify that I'm using correct naming here?

My queue name (label) is: ottar-pc\private$\business/createtx

My service address URI is: net.msmq://localhost/private/business/createtx

The problem with the traces is that I can't see any information related to activation of the service. The only
information I can see is the service publishing to the queue.




Lab

From my PC: Control Panel\Administrative Tools\Services:

The host name and port configuration for the listener adapters can be found in the WAS
configuration file applicationHost.config. These settings, called bindings, are done at the
site level.



Summary

Q: What are the various ways of hosting a WCF service?

1. Self hosting: the service code is embedded within the application code. An endpoint for the service is defined and an instance of ServiceHost
is created. A method can then be written to call the service.

2. Managed Windows services: here, some hosting code is written in the application code. It consists of registering the application domain as a Windows
service.

3. Internet Information Services: does not require any hosting code to be written in the application code. IIS-hosted services can only use the HTTP transport mechanism. IIS needs to be
installed and configured on the server.

4. Windows Process Activation Service: does not require any hosting code to be written in the application code.
WAS needs to be installed and configured on the server. WCF uses the
listener adapter interface to communicate activation requests.
Requests are transported over non-HTTP protocols.

Service Endpoints

Non-HTTP endpoints do not pass through the IIS processing pipeline and will get routed directly
to the WCF runtime. This means that you can't use an HttpModule to pre- or post-process
requests. In addition, the Application_Start and Application_End of the HttpApplication
class (global.asax) don't fire.



La