In-depth analysis of IIS 6.0 (Part Two)

  
                              

W3SVC is perhaps the least noticeable component of the IIS 6.0 architecture, but that does not mean it is unimportant. The task of W3SVC is to create and monitor worker processes according to the settings in the configuration data; the web site applications are run by those worker processes. In IIS 5.0, the closest thing to the IIS 6.0 W3SVC component is the IIS management service. The IIS management service is part of Inetinfo; therefore, if there is a problem with Inetinfo, the IIS management service also has problems and can no longer be used to restart Inetinfo or other failed applications. In IIS 6.0, W3SVC runs as a stand-alone process, and Web application failures are unlikely to affect W3SVC because no third-party code runs within W3SVC. W3SVC is always running, so it can monitor the health of web applications and take action when necessary. Because of this design, the server is able to monitor and restart applications based on user-specified parameters.

■ http.sys

The most significant change in the design of IIS 6.0 is the addition of the http.sys driver. The task of the http.sys driver is to handle HTTP requests, and it operates in kernel mode. Don't underestimate this change. Moving the handling of HTTP requests from user mode, as in IIS 5.0 and IIS 4.0, to kernel mode in IIS 6.0 marks the birth of a new generation of IIS servers.

In Windows 2000 and NT 4.0, IIS runs in user mode. Applications running in user mode do not communicate directly with the hardware. Instead, they call standard procedures that either pass data to kernel-mode components (such as NIC drivers and the graphics subsystem) or call a function of a kernel-mode component to accomplish tasks such as saving files, setting IP addresses, and sending HTML files to the network.

The transition between user mode and kernel mode is a very expensive operation. The server first passes the incoming HTTP request from the kernel-mode TCP/IP stack to user-mode Winsock, and Winsock then passes the request to IIS. The switch from kernel mode to user mode occurs very quickly, but it inevitably adds a delay to the processing of each request. Under heavy load this delay accumulates, and because the transition is indispensable, the administrator has no way to optimize the process.

The http.sys kernel-mode driver for IIS 6.0 greatly reduces the number of switches between user mode and kernel mode. Http.sys listens for HTTP requests and determines which user-mode process handles each request, or whether the driver itself returns the content requested by the user.

IIS 6.0 runs in user mode and relies entirely on kernel mode http.sys as the server engine that receives user requests. Therefore, http.sys must be able to respond at all times and must be extremely reliable. User code can cause process errors, so Microsoft designed http.sys to not execute any user code, so that even if the application fails, it will not affect IIS 6.0 itself, and IIS 6.0 can still listen for HTTP requests as usual.

If you want to return static responses from a kernel-mode buffer, a high-speed, kernel-mode HTTP processor that does not allow application code to run is ideal: it avoids the expensive overhead of switching to user mode and quickly returns replies from the kernel-mode buffer. IIS 6.0's http.sys manages such a buffer and uses a highly optimized heuristic buffering algorithm to determine what to put into it. For example, http.sys may buffer only content that is requested more than once.

Since http.sys extracts static content directly from the response buffer, there is no need to switch to user mode, so the overall performance of IIS 6.0 is significantly better than that of IIS 5.0. According to Microsoft's data, the WebBench benchmark test shows that IIS 6.0 returns static content 150% faster than IIS 5.0. Even IIS 6.0 servers running in IIS 5.0 isolation mode (in which the IIS 6.0 architecture is similar to that of IIS 5.0) benefit from the http.sys driver's response buffer and other improvements.

In addition, Microsoft has adopted many optimized algorithms in the http.sys driver that enable it to forward requests directly to the appropriate worker process. In IIS 4.0 and IIS 5.0, multiple steps must be taken to determine which process instance hosts the web application that should receive the current request. In IIS 6.0, http.sys registers all IIS 6.0 applications and gives each process a handle that IIS uses internally to identify the one or more namespaces used by the registered application. Therefore, when http.sys receives an HTTP request, it can quickly pass the request from kernel-mode http.sys to the correct user-mode web application.

The http.sys driver also performs other tasks, including:

(1) Compare incoming URLs with rules of various lengths and formats.

(2) Manage the queue of incoming requests.

(3) Responsible for recording the log information of the IIS Web site (thus improving the performance of the log).

(4) Implement bandwidth limitation policies and support TCP/IP level management.

(5) Implement the client certificate request service (but it does not support Secure Sockets Layer, SSL).

Since http.sys is an operating system driver, not an IIS component, the driver is configured in the registry instead of in the IIS configuration data. Currently, many http.sys registry settings do not yet have formal documentation. This may mean that Microsoft does not encourage users to modify these settings, as they may change in the future. The registry settings for the http.sys driver are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP, where various registry keys can be added (these keys are not included in the default configuration), such as:

(1) EnableNonUTF8: If you add the EnableNonUTF8 subkey and set its value to 0, http.sys accepts only UTF-8 encoded URLs. The full name of UTF-8 is Universal Character Set (UCS) Transformation Format 8; it is a character set standard that allows the use of multi-language character sets, and the full text of the standard is at http://www.ietf.org/rfc/rfc2279.txt. By default, the value of EnableNonUTF8 is 1, indicating that IIS accepts URLs encoded in UTF-8, ANSI, or a double-byte character set (DBCS).

(2) PercentUAllowed: When this subkey is set to 1 (the default), http.sys recognizes URLs in which some characters are represented as %uNNNN, where NNNN is a set of numbers representing the actual character. When PercentUAllowed is set to 0, IIS 6.0 rejects URLs in which characters are represented in this way.

%uNNNN is a less common Unicode notation; don't confuse it with the usual UTF-8 representation. In the UTF-8 representation, %20 represents a space. For example, http://www.iisanswers.com/new article.htm is equivalent to http://www.iisanswers.com/new%20article.htm; the conversion between the two is done automatically by the IE browser, and IIS 6.0 accepts it regardless of the values of EnableNonUTF8 and PercentUAllowed.
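The following sketch models how the two settings above classify a raw URL path. It is an added example, not code from the original article or from Microsoft; the function names, reason strings and sample paths are assumptions made for illustration, and the logic is a simplified model rather than http.sys's actual parser.

```python
import re

# Simplified model of the two settings described above (an illustration,
# not http.sys's actual parsing code). Input is the raw, undecoded URL path.
PCT_U = re.compile(rb"%u[0-9A-Fa-f]{4}")       # %uNNNN notation
PCT_HEX = re.compile(rb"%([0-9A-Fa-f]{2})")    # ordinary %XX escape
BAD_PCT = re.compile(rb"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits


def check_url_path(raw_path, enable_non_utf8=1, percent_u_allowed=1):
    """Return (accepted, reason) for raw_path (bytes) under the given settings."""
    if PCT_U.search(raw_path) and not percent_u_allowed:
        return False, "%uNNNN rejected (PercentUAllowed=0)"
    # Swap each %uNNNN for a placeholder so it cannot merge with neighbouring text.
    rest = PCT_U.sub(b"?", raw_path)
    if BAD_PCT.search(rest):
        return False, "malformed percent escape"
    decoded = PCT_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), rest)
    try:
        decoded.decode("utf-8")  # strict check: is the byte sequence valid UTF-8?
    except UnicodeDecodeError:
        if not enable_non_utf8:
            return False, "non-UTF-8 bytes rejected (EnableNonUTF8=0)"
        return True, "accepted as ANSI/DBCS"
    return True, "accepted as UTF-8"


# Constructed sample paths, not taken from any real log.
SAMPLES = [
    b"/new%20article.htm",  # %20 is a space: valid under every setting
    b"/caf%C3%A9.htm",      # UTF-8 encoding of a non-ASCII character
    b"/caf%E9.htm",         # single ANSI byte, not valid UTF-8
    b"/%u0061bout.htm",     # %uNNNN notation
    b"/bad%zz.htm",         # malformed escape
]


def audit(paths, **settings):
    """Classify every path under one combination of settings."""
    return {p: check_url_path(p, **settings) for p in paths}


if __name__ == "__main__":
    strict = {"enable_non_utf8": 0, "percent_u_allowed": 0}
    for label, cfg in (("default", {}), ("strict", strict)):
        for path, (ok, reason) in audit(SAMPLES, **cfg).items():
            print(label, path.decode("ascii"), "ACCEPT" if ok else "REJECT", reason)
```

Running it prints the decision for each sample under the default values and under the strict combination (both settings 0), which shows which request forms an administrator would start rejecting by tightening the settings.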

These two settings, along with other settings that can be found in the IIS 6.0 documentation, reflect one aspect of the IIS 6.0 improvements in URL parsing. In IIS 5.0, some major security issues were closely related to how the Web server parses URLs. Microsoft has now resolved the original flaws and made improvements that allow administrators to define more clearly the rules IIS 6.0 uses to parse URLs. These improvements are especially important on the Internet, which is inherently international in character, with multiple languages coexisting.

For more information on Unicode, see http://www.unicode.org; for more information on IIS 5.0 defects, see http://www.wiretrip.net/rfp/p/Doc.asp/i5/d57.htm. A tool to help configure http.sys can be found in the Windows Server 2003 Resource Kit.

■ W3Core

By default, IIS 6.0 runs in worker process isolation mode, as shown in Figure 5. In this mode, IIS 6.0 runs each web application in a separate instance of w3wp.exe. w3wp.exe is also referred to as the worker process.

Thus, worker process isolation mode does not have the problems of in-process applications, which effectively improves reliability and security. Reliability improves because the failure of one web application does not affect other web applications, nor does it affect http.sys. W3SVC monitors the health of each web application individually. Security improves because applications no longer run under the System account, as the in-process applications of IIS 5.0 and IIS 4.0 did. By default, all instances of w3wp.exe run under the limited Network Service account. As shown in Figure 6, you can also configure the worker process to run under a different user account if necessary.

Figure 6

If a buffer overflow attack succeeds in compromising a Web application, the attacker can access only the resources that the account running the worker process can access. The default Network Service account cannot write to the Inetpub folder and has extremely limited execution permissions, so attacks like the CodeRed worm are simply not possible.

Some web applications, especially some Internet Server API (ISAPI) filters, may encounter problems when running out of process. In IIS 5.0 and IIS 4.0, ISAPI filters always run inside Inetinfo, and they were not designed to run out of process. For this reason, some filters can run into problems in IIS 6.0 worker process isolation mode; this is especially noticeable for filters that call SF_READ_RAW_DATA or SF_SEND_RAW_DATA. To address this, IIS 6.0 also provides a second mode of operation called IIS 5.0 isolation mode. If an ISAPI filter does not work properly in worker process isolation mode, it should have no problem in IIS 5.0 isolation mode. In this second mode of operation, the application still benefits from many improvements in IIS 6.0, such as the performance and reliability improvements of the http.sys driver.

In the IIS 6.0 documentation, you can see a new feature called the "application pool." An application pool contains one worker process or a set of worker processes, and the application pool has a name. The application pool can be understood from the following perspective: in IIS 5.0, we can set application protection to Low (IIS Process), Medium (Pooled), or High (Isolated). This function is useful, but what should we do if we want to run two applications in one pool (an instance of dllhost.exe) and two other applications in another pool (another instance of dllhost.exe)? IIS 5.0 does not provide a way to name an instance of dllhost.exe, so it is not possible to put two specific applications into a pool. An IIS 6.0 application pool can be given a name, as shown in Figure 7. You can easily put a Web site or directory into an application pool through the Home Directory page of the Properties dialog box.
