Condividi tramite


Customizing IIS 7.0 Roles and Modules

This article describes the specific Microsoft® Windows Server™ 2008 roles, role services, features and the associated Internet Information Services (IIS) version 7.0 modules that are required to run www.microsoft.com Web servers. It then demonstrates how the Microsoft.com Engineering Operations (MSCOM Ops) team installs the role services it requires by using the ServerManagerCmd.exe command line tool. It also demonstrates how to view and modify related applicationHost.config settings by using the appcmd.exe command line tool.

One of exciting new features in IIS 7.0 is the modular architecture that enables server administrators to customize exactly which features are installed on their Web servers. By installing only the features you need to run your site, you reduce the server footprint, thereby optimizing performance and increasing security. There are over 40 modules, each containing a specific set of features that you can independently install.

One of strengths of the new modular architecture is that you can extend the base IIS 7.0 functionality by creating custom modules to meet the requirements of your site. For example, when the MSCOM Ops team moved to a hardware load balancing solution, we lost the ability to track unique client IP (c-ip) information in our IIS logs. To work around this problem, we created a custom module that passes the client IPs from our hardware load balancer into each of our Web server IIS logs.

Installing Windows Server 2008 Role Services

Windows Server 2008 refers to the primary function of a server as a server role and the associated functional components that you install as role services. File server and Web server are examples of server roles. The role services that the MSCOM Ops Team installs on a Web server include static content and ASP.NET.

MSCOM Ops installs the Web Server (Web-Server) component on the www.microsoft.com site. Additionally, we install many of the other role services that are described in Tables 1 through 7.

Table 1 describes commonly used HTTP features, such as enabling static content (HTML, .jpeg files, and so on) or default documents.

Table 1. Common HTTP Features (Web-Common-Http Component)

Role Service

MSCOM installed

Component

applicationHost.config section

Module

Description

Static Content

Yes

Web-Static-Content

<system.webServer>
  <staticContent>

StaticFileModule
(static.dll)

Static content (such as .html, .css and .jpeg files) can be served by the Web server if this feature is enabled.

Default Document

Yes

Web-Default-Doc

<system.webServer>
  <defaultDocument>

DefaultDocumentModule
(defdoc.dll)

Allows users to be seamlessly directed to the default document defined for the Web site when they visit www.site.com, but do not provide a default document (such as default.aspx).

Directory Browsing

Yes

Web-Dir-Browsing

<system.webServer>
  <directoryBrowse>

DirectoryListingModule
(dirlist.dll)

Lists the contents of a directory.

HTTP Errors

Yes

Web-Http-Errors

<system.webServer>
  <httpErrors>

CustomErrorModule
(custerr.dll)

Allows error messages sent to a visitor’s browser to be customized and for the server administrator to view the new detailed errors on the local Web server.

HTTP Redirection

Yes

Web-Http-Redirect

<system.webServer>
  <httpRedirect>

HttpRedirectionModule
(redirect.dll)

Allows hosted customers to redirect requests for one URL to another URL.

 

Table 2 describes application development features, which allow applications (such as ASP.NET) to run on the server.

Table 2. Application Development Features (Web-App-Development Component)

Role Service

MSCOM installed

Component

applicationHost.config section

Module

Description

ASP.NET

Yes

Web-Asp-Net

Not applicable

Not applicable

ASP.NET ISAPI and modules for managed code applications (.aspx pages).

.NET Extensibility

Yes

Web-Net-Ext

Not applicable

Not applicable

Infrastructure required for ASP.NET. Allows developers to change and extend Web server functionality in the new request pipeline.

ASP

Yes

Web-ASP

<system.webServer>
  <asp>

IsapiModule
(isapi.dll)

Required if customers use classic ASP applications.

CGI

No

Web-CGI

<system.webServer>
  <cgi>

CgiModule
(cgi.dll)

Required for CGI applications (such as PHP) so that they can use the new FastCGI component.

ISAPI Extensions

Yes

Web-ISAPI-Ext

Not applicable

Not applicable

Required for ASP.NET and other ISAPI extensions.

ISAPI Filters

Yes

Web-ISAPI-Filter

<system.webServer>
  <isapiFilters>

IsapiFilterModule
(filter.dll)

Required for the ASP.NET 1.1 ISAPI filter.

Server Side Includes

No

Web-Includes

<system.webServer>
  <serverSideInclude>

ServerSideInclude
Module
(iis_ssi.dll)

Processes server-side includes code.

 

Table 3 describes health and diagnostics features, which provide the infrastructure for monitoring and troubleshooting the health of the Web server and sites.

Table 3. Health and Diagnostics Features (Web-Health Component)

Role Service

MSCOM installed

Component

applicationHost.config section

Module

Description

HTTP Logging

Yes

Web-Http-Logging

<system.webServer>
  <httpLogging>

HttpLoggingModule
(loghttp.dll)

Allows logging of Web site activity or traffic.

Logging tools

Yes

Web-Log-Libraries

Not applicable

Not applicable

IIS Logging tools

Request Monitor

Yes

Web-Request-Monitor

<system.webServer>
  <RequestMonitorModule>

RequestMonitorModule
(iisreqs.dll)

Allows requests to be monitored as they occur. This feature can be used to determine why a worker process is unresponsive or slow.

Tracing

Yes

Web-Http-Tracing

<system.webServer>
  <tracing>
    <traceFailedRequests>

<system.webServer>
  <tracing>
    <traceProvider
      Definitions>

FailedRequestsTracing
Module
(iisfreb.dll)

Infrastructure for diagnosing problems by using Event Tracing in Windows and Failed Request Tracing.

Custom Logging

No

Web-Custom-Logging

<system.webServer>
  <CustomLoggingModule>

CustomLoggingModule
(logcust.dll)

Loads custom logging modules.

 

Table 4 describes security features, which provide the infrastructure for securing requests and filtering incoming requests based on security rules.

Table 4. Security Features (Web-Security Component)

Role Service

MSCOM installed

Component

applicationHost.config section

Module

Description

Basic Authentication

No

Web-Basic-Auth

<system.webServer>
  <security>
    <basicAuthentication>

BasicAuthentication
Module
(authbas.dll)

Requires a user ID and password, and provides a low level of security. User credentials are sent in clear text across the network.

Windows Authentication

No

Web-Windows-Auth

<system.webServer>
  <security>
    <windows
      Authentication>

WindowsAuthentication
Module)
(authsspi.dll)

Sends user authentication information over the network as a Kerberos ticket, and provides a high level of security.

Digest Authentication

No

Web-Digest-Auth

<system.webServer>
  <security>
    <digestAuthentication>

DigestAuthentication
Module
(authmd5.dll)

Requires a user ID and password, provides a medium level of security, and may be used when you want to grant access to secure information from public networks.

Client Certificate Mapping Authentication

No

Web-Client-Auth

<system.web>
  <Serversecurity>
    <authentication>
      <clientCertificate
        Mapping
        Authentication>

CertificateMapping
AuthenticationModule
(authcert.dll)

Performs Certificate Mapping authentication using Active Directory.

IIS Client Certificate Mapping Authentication

No

Web-Cert-Auth

<system.web>
  <Serversecurity>
    <authentication>
      <iisClientCertificate
        Mapping
        Authentication>

IISCertificateMapping
AuthenticationModule
(authmap.dll)

Performs Certificate Mapping authentication using IIS certificate configuration.

URL Authorization

No

Web-Url-Auth

<system.webServer>
  <security>
    <authorization>

UrlAuthorizationModule
(urlauthz.dll)

Allows users to create rules that restrict access to content.

Request Filtering

Yes

Web-Filtering

<system.webServer>
  <security>
    <RequestFiltering>

RequestFilteringModule
(modrqflt.dll)

URLscan replacement in applicationHost.config. Screens incoming requests based on rules sets.

IP and Domain Restrictions

No

Web-IP-Security

<system.webServer>
  <ipSecurity>

IpRestrictionModule
(iprestr.dll)

Allows IIS to restrict access by IP and or Domain.

 

Table 5 describes performance features, which help improve Web server performance.

Table 5. Performance Features (Web-Performance Component)

Role Service

MSCOM installed

Component

applicationHost.config section

Module

Description

Static Content Compression

Yes

Web-Stat-Compression

<system.webServer>
  <httpCompression>

StaticCompression
Module
(compstat.dll)

Allows static content to be compressed and unlike dynamic responses, compressed static responses can be cached without degrading CPU resources.

Dynamic Content Compression

Yes

Web-Dyn-Compression

<system.webServer>
  <httpCompression>

DynamicCompression
Module
(compdyn.dll)

Allows dynamic compression, using bandwidth more efficiently, but may add a CPU load.

 

Table 6 describes management tool features, which provide IIS management-level capabilities.

Table 6. Management Tool Features (Web-Mgmt-Tools Component)

Role Service

MSCOM installed

Component

applicationHost.config section

Module

Description

IIS Management Console

Yes

Web-Mgmt-Console

Not applicable

Not applicable

Required for locally managing IIS 7.0. Provides a user interface for server management.

IIS Management Scripts and Tools

Yes

Web-Scripting-Tools

Not applicable

Not applicable

Required for scripting tasks. Allows programmatic management of the server using scripts.

Management Service

Yes

Web-Mgmt-Service

Not applicable

Not applicable

Required for remote management of IIS 7.0, and to allow delegated users to administer their sites using a remote management tool.

IIS 6.0 Management Compatibility

Yes

Web-Mgmt-Compat

Not applicable

Not applicable

Do not install unless compatibility with features, services, scripts and management tools for IIS 6.0 is required.

IIS 6 Metabase Compatibility

Yes

Web-Metabase

<system.applicationHost>
  <CustomMetadata>

Not applicable

Required for Microsoft SharePoint Services 3.0, ASP.NET 1.1, SMTP service and other features that require backwards capability with the metabase. Provides compatibility for scripts based on IIS 6.0 interfaces for ADSI (Active Directory Service Interface) and ABO (Admin Base Object).

IIS 6.0 WMI Compatibility

Yes

Web-WMI

Not applicable

Not applicable

Compatibility with WMI scripting

IIS 6.0 Scripting Tools

Yes

Web-Lgcy-Scripting

Not applicable

Not applicable

Compatibility layer required to run existing applications and scripts that use ABO or ADSI

IIS 6.0 Management Console

Yes

Web-Lgcy-Mgmt-Console

Not applicable

Not applicable

Compatibility layer required for IIS 6.0 Management Console

 

Table 7 describes FTP publishing service features, which provide FTP functionality.

Table 7. FTP Publishing Service Features (Web-Ftp-Publishing Component)

Role Service

MSCOM installed

Component

applicationHost.config section

Module

Description

FTP Server

No

Web-Ftp-Server

<system.ftpServer>

Not applicable

Only needed if users upload using FTP.
Note: This table refers to the built-in, legacy FTP server. It is highly recommended that you download and install the new FTP7.

FTP Management Console

No

Web-Ftp-Mgmt-Console

Not applicable

Not applicable

Only needed if users upload using FTP.

 

Roles versus Features

Roles are the primary functions of the server (Web server, File Server, and so on). Role services are the functional components that you customize to support the functionality of your server (Static Web server, ASP.NET support, and so on).

Features are different from roles in that they are support or enhance the functionality of the server (NLB, .NET Framework, SMTP, and so on).

Installing IIS 7.0 Components

As previously mentioned, you can customize how your server functions by installing only the components required for your Web server to run correctly. Each of these components is associated with a task-specific workload. Table 8 illustrates two examples of workloads associated with IIS 7.0, the components that comprise the workload, and roles, role services, and features that are enabled by installing the associated components.

Table 8. IIS 7.0 Examples of IIS 7.0 workloads, components, and related role services

Workload

Component

Role Services

Web server role

Web-Server

Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Logging, Logging Tools, Request Monitor, Request Filtering, Static Content Compression, IIS Management Console

ASP.NET role

Web-Server
Web-ASP-Net
Web-Net-Ext
Web-Filtering
Web-ISAPI-Filter
Web-ISAPI-Ext

Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Logging, Logging Tools, Request Monitor, Request Filtering, Static Content Compression, IIS Management Console, ASP.NET, NET Extensibility, ISAPI Filters, ISAPI Extensions

 

We only install the components (roles, role services and features) that are required to run the Microsoft.com Web sites. There are several ways to install and configure IIS 7.0 on your server. You can use IIS Manager, or command line tools such as ServerManagerCmd.exe, which is included with Windows Server 2008.

We use the new ServerManagerCmd.exe command line tool to install specific IIS 7.0 components on our servers. ServerManagerCmd.exe also has a query option that you can use to list which components are currently installed.

This section contains examples that demonstrate how to use ServerManagerCmd.exe switches that are required to install specific role services. These examples demonstrate how to:

1.     Install Web server role services.

2.     Install ASP.NET role services.

3.     Install www.microsoft.com-required role services.

4.     Validate the role features that are installed on your server.

ServerManagerCmd.exe is installed in the C:\Windows\System32 folder by default, but is not added to the system Path environment variable. It is assumed that you have used the command prompt to navigate to this folder, or that you have added a reference to this folder to the Path environment variable, prior to using the following examples.

If your server only serves static content as described for the Web workload in Table 8, you can use the ServerManagerCmd.exe Install command in the following example to install the associated role services.

To install Web server role services by using ServerManagerCmd.exe

At the command prompt, type

ServerManagerCmd –install Web-Server

and press Enter.

Similarly, if your site requires support of ASP.NET content as described for the ASP.NET workload in Table 8, you can use the ServerManagerCmd.exe Install command in the following example to install the associated role services.

To install ASP.NET role services by using ServerManagerCmd.exe

At the command prompt, type

ServerManagerCmd –install Web-Server;Web-ASP-Net;Web-Net-Ext;Web-Filtering;Web-ISAPI-Filter;Web-ISAPI-Ext

and press Enter.

The MSCOM Ops team uses ServerManagerCmd.exe to install all of the role services we require by using a single command. The following example demonstrates the ServerManagerCmd.exe command line syntax we use to configure our servers.

To install www.microsoft.com-required role services by using ServerManagerCmd.exe

At the command prompt, type

ServerManagerCmd -install Web-Server Web-Common-Http Web-Http-Redirect Web-Asp-Net Web-Net-Ext Web-ASP Web-ISAPI-Ext Web-ISAPI-Filter Web-Http-Logging Web-Log-Libraries Web-Request-Monitor Web-Http-Tracing Web-Filtering Web-Stat-Compression Web-Dyn-Compression Web-Mgmt-Console Web-Scripting-Tools Web-Mgmt-Service Web-Mgmt-Compat WAS

and press Enter.

After you run the install command, you can validate which components are installed on your server, as illustrated in the following example.

To validate the role features that are installed on your server

At the command prompt, type

ServerManagerCmd –query

and press Enter.

ServerManagerCmd.exe returns the following output:

[X] Web Server (IIS)  [Web-Server]

    [X] Web Server  [Web-WebServer]

        [X] Common HTTP Features  [Web-Common-Http]

            [X] Static Content  [Web-Static-Content]

            [X] Default Document  [Web-Default-Doc]

            [X] Directory Browsing  [Web-Dir-Browsing]

            [X] HTTP Errors  [Web-Http-Errors]

            [X] HTTP Redirection  [Web-Http-Redirect]

        [X] Application Development  [Web-App-Dev]

            [X] ASP.NET  [Web-Asp-Net]

            [X] .NET Extensibility  [Web-Net-Ext]

            [X] ASP  [Web-ASP]

            [ ] CGI  [Web-CGI]

            [X] ISAPI Extensions  [Web-ISAPI-Ext]

            [X] ISAPI Filters  [Web-ISAPI-Filter]

            [ ] Server Side Includes  [Web-Includes]

        [X] Health and Diagnostics  [Web-Health]

            [X] HTTP Logging  [Web-Http-Logging]

            [X] Logging Tools  [Web-Log-Libraries]

            [X] Request Monitor  [Web-Request-Monitor]

            [X] Tracing  [Web-Http-Tracing]

            [ ] Custom Logging  [Web-Custom-Logging]

            [ ] ODBC Logging  [Web-ODBC-Logging]

        [X] Security  [Web-Security]

            [ ] Basic Authentication  [Web-Basic-Auth]

            [ ] Windows Authentication  [Web-Windows-Auth]

            [ ] Digest Authentication  [Web-Digest-Auth]

            [ ] Client Certificate Mapping Authentication  [Web-Client-Auth]

            [ ] IIS Client Certificate Mapping Authentication  [Web-Cert-Auth]

            [ ] URL Authorization  [Web-Url-Auth]

            [X] Request Filtering  [Web-Filtering]

            [ ] IP and Domain Restrictions  [Web-IP-Security]

        [X] Performance  [Web-Performance]

            [X] Static Content Compression  [Web-Stat-Compression]

            [X] Dynamic Content Compression  [Web-Dyn-Compression]

    [X] Management Tools  [Web-Mgmt-Tools]

        [X] IIS Management Console  [Web-Mgmt-Console]

        [X] IIS Management Scripts and Tools  [Web-Scripting-Tools]

        [X] Management Service  [Web-Mgmt-Service]

        [X] IIS 6 Management Compatibility  [Web-Mgmt-Compat]

            [X] IIS 6 Metabase Compatibility  [Web-Metabase]

            [X] IIS 6 WMI Compatibility  [Web-WMI]

            [X] IIS 6 Scripting Tools  [Web-Lgcy-Scripting]

            [X] IIS 6 Management Console  [Web-Lgcy-Mgmt-Console]

    [ ] FTP Publishing Service  [Web-Ftp-Publishing]

        [ ] FTP Server  [Web-Ftp-Server]

        [ ] FTP Management Console  [Web-Ftp-Mgmt-Console]

 

For more information about how to use the ServerManagerCmd.exe command line tool, see “Server Manager Technical Overview Appendix”.

Configuring IIS 7.0 Modules

After you have installed the roles, roles services, and features required for your site to run correctly, you must configure the associated modules. Modules are individual components that the server uses to process requests. For example, IIS 7.0 uses the Static Content Compression (StaticCompressionModule) and Dynamic Content Compression (DynamicCompressionModule) modules to compress content to clients, and http cache module (HttpCacheModule ) to manage cache activity.

You can create and configure IIS Modules by:

·         Manually editing applicationHost.config.

·         Using the appcmd.exe command line tool.

·         Using IIS Manager.

This section contains examples that demonstrate how to create and configure modules by using appcmd.exe. These examples demonstrate how to:

1.     List all installed modules and their associated processes.

2.     List the configuration of a specific module.

3.     Display a list of Set command actions.

4.     Add a new default document to a site.

5.     Remove a default document from a site.

The appcmd.exe command line tool is installed in the %windir%\system32\inetsrv folder by default. It is assumed that you have used the command prompt to navigate to this folder, or that you have added a reference to this folder to the Path environment variable, prior to using the following examples.

The following example returns a list of installed global modules and their associated processes that are installed on the server.

To list installed modules by using appcmd.exe

At the command prompt, type

appcmd list config "www.microsoft.com" -section:globalmodules

and press Enter.

The global modules and their associated processes appear in applicationHost.config as follows:

<system.webServer>

    <globalModules>

      <add name="FileCacheModule" image="%windir%\System32\inetsrv\cachfile.dll" />

      <add name="TokenCacheModule" image="%windir%\System32\inetsrv\cachtokn.dll" />

      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />

      <add name="DynamicCompressionModule" image="%windir%\System32\inetsrv\compdyn.dll" />

      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />

      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />

      <add name="ProtocolSupportModule" image="%windir%\System32\inetsrv\protsup.dll" />

      <add name="HttpRedirectionModule" image="%windir%\System32\inetsrv\redirect.dll" />

      <add name="ServerSideIncludeModule" image="%windir%\System32\inetsrv\iis_ssi.dll" />

      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />

      <add name="AnonymousAuthenticationModule" image="%windir%\System32\inetsrv\authanon.dll" />

      <add name="CertificateMappingAuthenticationModule" image="%windir%\System32\inetsrv\authcert.dll" />

      <add name="IISCertificateMappingAuthenticationModule" image="%windir%\System32\inetsrv\authmap.dll" />

      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />

      <add name="CustomLoggingModule" image="%windir%\System32\inetsrv\logcust.dll" />

      <add name="CustomErrorModule" image="%windir%\System32\inetsrv\custerr.dll" />

      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />

      <add name="TracingModule" image="%windir%\System32\inetsrv\iisetw.dll" />

      <add name="FailedRequestsTracingModule" image="%windir%\System32\inetsrv\iisfreb.dll" />

      <add name="RequestMonitorModule" image="%windir%\System32\inetsrv\iisreqs.dll" />

      <add name="IsapiModule" image="%windir%\System32\inetsrv\isapi.dll" />

      <add name="IsapiFilterModule" image="%windir%\System32\inetsrv\filter.dll" />

      <add name="ManagedEngine" image="%windir%\Microsoft.NET\Framework\v2.0.50727\webengine.dll" preCondition="integratedMode,runtimeVersionv2.0,bitness32" />

      <add name="ConfigurationValidationModule" image="%windir%\System32\inetsrv\validcfg.dll" />

      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v2.0.50727\webengine.dll" preCondition="integratedMode,runtimeVersionv2.0,bitness64" />

      <add name="HTTPHeaderLogger" image="%windir%\System32\HTTPHeaderLogger\IIS7NativeModule.dll" preCondition="bitness64" />

      <add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />

    </globalModules>

  </system.webServer>

You can also list the configuration for a module that is located in applicationHost.config. The following example demonstrates how to list the configuration of the <DefaultDocument> section:

To list the configuration of a specific module by using appcmd.exe

At the command prompt, type

appcmd list config "www.microsoft.com" -section:defaultDocument

and press Enter.

The results of the query appear in applicationHost.config as follows:

  <system.webServer>

    <defaultDocument enabled="true">

      <files>

        <add value="default.aspx" />

        <add value="default.htm" />

        <add value="default.asp" />

        <add value="index.html" />

      </files>

    </defaultDocument>

  </system.webServer>

If you want to modify the configuration of the <DefaultDocument> section, you can use the appcmd.exe Set command. The following example demonstrates how to display a complete list of the actions you can perform by using the Set command with /? switch.

To display a list of Set command actions by using appcmd.exe

At the command prompt, type

appcmd set config "www.microsoft.com" -section:defaultDocument /?-files.[value='string'].value

and press Enter.

The following example demonstrates how we modify the configuration of the <DefaultDocument> section by using appcmd.exe Set command to add a new default document to our site.

To add a new default document by using appcmd.exe

At the command prompt, type

appcmd set config "www.microsoft.com" -section:defaultDocument  /+files.[value='newDefault.aspx']

and press Enter.

The new default document setting appears with other default document settings in applicationHost.config as follows:

  <system.webServer>

    <defaultDocument enabled="true">

      <files>

        <add value="newDefault.aspx" />

        <add value="default.aspx" />

        <add value="default.htm" />

        <add value="default.asp" />

        <add value="index.html" />

      </files>

    </defaultDocument>

  </system.webServer>

You can also remove a default document from the list by using the previous example, and by changing the -files.[value=’string’] switch.

To remove a default document by using appcmd.exe

At the command prompt, type

appcmd set config "www.microsoft.com" -section:defaultDocument  /-files.[value='newDefault.aspx']

and press Enter.

This change is reflected in applicationHost.config as follows:

  <system.webServer>

    <defaultDocument enabled="true">

      <files>

        <add value="default.aspx" />

        <add value="default.htm" />

        <add value="default.asp" />

        <add value="index.html" />

      </files>

    </defaultDocument>

  </system.webServer>

For more information about how to use the appcmd.exe command line tool, see “Getting Started with AppCmd.exe”.

Summary

In this article, we described the specific Windows Server 2008 roles, role services, features and the associated IIS 7.0 modules that are required to run www.microsoft.com Web servers. We then demonstrated how the Microsoft.com Engineering Operations team installs the role services it requires by using the ServerManagerCmd.exe command line tool. We also demonstrated how to view and modify related applicationHost.config settings by using the appcmd.exe command line tool.