Configuring Application Isolation on Windows Server 2003


8/7/2019 Configuring Application Isolation on Windows Server 2003 1/22

Configuring Application Isolation on Windows Server 2003
Internet Information Services (IIS) 6.0
Published: April 1, 2003

On This Page

Introduction
Using Isolation for Increased Reliability
Using Isolation to Secure Applications
Using Isolation to Improve Performance
Considerations
Summary
Appendix
Related Links

Introduction

This paper discusses the general topic of application isolation as it relates to Web applications
Server 2003 servers with IIS 6.0 running in worker process isolation mode. Isolation refers to
separation between two Web applications running on a server. In this paper, the notion of a W
meant in a very broad sense; it includes the processes, files, and even users, serviced by the a
Applications are isolated from each other to the degree that one application is prevented from resources used by another application.

Benefits of Isolation

Enterprises are increasingly interested in isolation because of the opportunity to reduce costs t
consolidation. As the capabilities of hardware increase dramatically over time, fewer servers a
deliver the same applications. While this decreases the costs of deployment and maintenance,
logistical difficulties when there is a vested interest in keeping clear boundaries between appli
consolidated to run on a single server.

In some scenarios, each Line of Business (LOB) for an organization is essentially a separate cu
group responsible for application infrastructure. For example, an organization that has been ac
compete with other parts of the acquiring organization. Consequently, there's a business requi
creating effective barriers between applications serving each LOB and protecting sensitive data

Another example of a clear need for high isolation is an ISP that hosts Web sites for many clie
customer should not be able to view the files or databases in use by other Web sites on the se

In other cases, a company may offer Web applications and other technical resources to busine
are in competition with each other. As a result, companies need to offer a high degree of isola
applications in use by their individual customers, partners, or business units using the same s
important, for example, to have the ability to configure one partner's software that accesses a
that the application could not access another partner's database.


Another benefit of application isolation is that you can design the infrastructure of the applicat
network to improve the ability to distribute content and applications. For example, you may w
content on a remote file store so it can be shared by more than one server. Alternately, you m
each application's content on different file servers, to further isolate each LOB application, but
Web server as a front end.

The following sections discuss several approaches to obtaining a high level of isolation.

Physical Isolation

The highest degree of isolation is achieved when applications are hosted on completely differe
Clearly, this offers the most isolation for applications but is also the most expensive, requiring
hardware and server licenses to support each application. Nevertheless, in mission critical LOB
where information is very sensitive or valuable, this may be the best choice.

Virtual Isolation

You can also create isolated applications using virtual servers. Using software, such as Microso
VMware that allows you to create multiple virtual servers running as tasks on a single operatin
can create several servers that are functionally partitioned. Consequently, the applications can
isolated, yet run on the same hardware. Because virtualized systems do not perform as well a
computers, virtual isolation provides high isolation, but at the cost of performance. Another inc
software licenses for the virtual systems. In addition to the software licenses needed for the se
virtual systems, you must also acquire individual software licenses for the operating system a
on each virtual system as if each virtual system were an individual system.

Configured Isolation

Isolation by configuration means taking advantage of natural isolation boundaries, such as pro
identities, Access Control Lists (ACLs), and namespaces that occur as a result of running the a
Web server. The degree of isolation achieved through this configured isolation is not as strong
virtual isolation. Nevertheless, configured isolation is often the most reasonable choice to bala
usage, simplicity of administration, and to leverage investments in hardware, software, and lic
features in Windows Server 2003 and IIS 6.0 make this option a more reliable, secure, and sc
than previously possible.

Isolation Through Operating System Features

Microsoft Windows Server 2003 has a number of features that support creating isolated enviro
applications. Constrained Delegation and Protocol Transition allow you to pass through a user's
to file servers, regardless of the protocol used to authenticate the user on IIS. Quality of Serv
improvements include a packet scheduler integrated with IIS that enables an administrator to
of bandwidth available to an application. Windows System Resource Manager (WSRM) is availa
Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition. WSR
administrator to control exactly how much CPU an application pool can consume when the CPU

Isolation Through IIS Configuration

IIS 6.0 was designed with application isolation as a primary component of the architecture. Ea
the capacity to host one or multiple applications that can be assigned to run in a named proce
application pool. An application pool is served by one or more worker processes, can be indepe
configured for health-related settings, and can be assigned to run in the context of a designat

In configuring application isolation, there are several objectives:

Reliability. If one application fails, it shouldn't affect other applications. Additionally, it sho
to specify unique recovery actions for different applications.

Security. If one application is running malicious code from an attacker (possibly even the a
author), other applications are insulated from the effects of the malicious code, and effectiv
place to keep the attacker from crossing into another application's space.

Performance. One application that over consumes resources should not affect the availabi
applications. On the other hand, applications that require additional resources should be ab
those resources on demand.

By combining the capabilities of IIS 6.0 with those of Windows Server 2003, you can effectivel
isolation and achieve these designated goals. Additionally, improvements in FTP and Microsoft
Server Extensions help enhance isolation and security of these applications.

The rest of this paper will address the capabilities of Microsoft Windows Server 2003 and IIS 6
highly isolated applications that run on a single server. There is no single technique or adminis
achieves this goal, but when using combinations of techniques, you can effectively implement
isolation.

Using Isolation for Increased Reliability

One of the core design goals for the IIS 6.0 architecture was to improve the isolation between
while minimizing the performance tradeoffs. This was accomplished by redesigning the IIS arc
increased reliability, security, and performance. The basics of the new architecture with regard
reliability include the following elements:

Creating an HTTP request handler, HTTP.sys that runs in the kernel of the operating system
the task of listening for HTTP requests and queuing requests to a request queue for the app
retrieve. It does not load or execute any user-mode application code (such as ASP pages).

Running Web applications in configurable, multiple, isolated processes called worker proces
under the name W3wp.exe. This is similar to high isolation in IIS 5.0, or running out-of-pro
performance is much better because the process exchanges data directly with HTTP.sys rat
marshalling data through the IIS 5.0 main Web server process, Inetinfo.exe, as a go-betwe

Adding a new administrative process, WWW Service Administration and Monitoring compon
twofold:

Creates the link between the HTTP request handler and the Web applications.

Monitors and maintains the health of worker processes.

Improved Isolation with Application Pools

Technically, an application pool is a configuration object defined by a logical process boundary
the HTTP.sys namespace mapper to direct requests to the correct worker process. In practice,
to the rather simple administrative task of using the IIS Manager to create an application pool
Project32-HighlyRestricted, and then assigning the programs contained in Web sites and direc
that application pool, or other application pools as you require (see Figure 1).

In effect, application pools allow you to combine or isolate applications according to your techn
administrative, and business requirements.
Using Application Pools to Isolate Customer Applications or Business Units

Application pools create process boundaries between applications from different Web sites or d
This is ideal for businesses such as ISPs, where each customer's applications need to be insula
or for the scenario used above where LOB applications need to be isolated from one another. S
section of this paper for details about how to use ACLs to enforce application isolation on the f

Using Application Pools to Isolate Unreliable Applications

The WWW Service Administration and Monitoring component of IIS provides recycling and hea
can automatically restart an application pool. These features have been shown to significantly
reliability. For example, consider an important application that you cannot afford to have offlin
occasionally hangs. By placing this application in its own application pool, you insulate other a
its effects. This increases overall reliability of other applications running on the server. Also, b
application pools are individually monitored and can be configured to be automatically restarte
unresponsive, availability for unreliable applications is increased. Troubleshooting such an app
facilitated because the application can be configured to run in its own process.

Recycling

Recycling criteria can easily be administered through the Application Pools Properties dialog, a
2 below. Recycling can be triggered based on several parameters, such as application uptime,
requests, on a scheduled basis, based on memory consumption, or at will.

Figure 1: Assigning programs to application pools in IIS 6.0

Recycling can enhance application isolation and reliability by:

Refreshing applications with known degradation problems before they stop responding. In m
sort, through experience with the application, the IIS administrator knows that the applicat
run some period before it needs to be restarted.

Recycling applications that can potentially affect the performance of other applications runn
server. For example, if an application has a memory leak and consumes too much memory,
threshold of memory use that will trigger a recycle event for the application pool.

Figure 2: Recycling parameters available with IIS 6.0

Impacts of Application Recycling

When an application is recycled, any information stored in the worker process, such as session
optimize the performance and reliability of your applications with IIS 6.0, you'll want to design
recycled without losing ongoing transaction data. For example, you can preserve session state
process using the ASPState service in Microsoft ASP.NET or store the data in Microsoft SQL Se

Applications designed for recycling have an initialization time that is optimized to be as small a
Applications that require a long initialization procedure won't perform well with frequent recyc
work around this by scheduling recycling during low usage periods.

Finally, your applications should tolerate running side by side with other instances of the same
can configure recycling to be overlapping or non-overlapping. By default, recycling is configur
overlapping: the WWW Service Administration and Monitoring component creates a new worke
process any new requests for the application before the existing worker process is shut down.
process is kept alive until it has finished processing its existing requests or until a shutdown tim
event, whichever occurs first. During this period, both instances of the application will need to s

If recycling is configured to non-overlapping, the WWW Service Administration and Monitoring
shuts down the worker process before starting a new one. For information about configuring o
non-overlapping recycling, see DisallowOverlappingRotation in the IIS 6.0 Help
(http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs
us/ref_mb_disallowoverlappingrotation.asp).

Health

The WWW Service Administration and Monitoring component also maintains the health of appl
periodically testing an application pool for responsiveness. Not to be confused with the Interne
Message Protocol (ICMP) ping command, this feature internally queries the application pool at
interval (every 30 seconds by default) and waits for a response.

If there is no response, the WWW Service Administration and Monitoring component shuts dow
process, publishes an event, and starts a new worker process. IIS can also be configured to no
failed worker process. In addition to keeping the failed worker process, you can specify a prog
when this event occurs to automatically instantiate troubleshooting or reporting tools.

For more information about isolating unhealthy worker processes, see Application Pool Health
(http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs
us/ca_orphwrkrprocess.asp) and OrphanWorkerProcess
(http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs
us/ref_mb_orphanworkerprocess.asp) in the IIS 6.0 Help.

Rapid-Fail Protection

Rapid-fail protection can protect the server from a series of rapid worker process failures in th
application pool by disabling the application pool. When an application pool is disabled, IIS rem
service and places it in a mode where the kernel-mode driver immediately returns a 503 Serv
error message to any requests for that application pool.

The number of failures and the interval in which they must occur are configurable per applicat
rapid-fail protection is enabled, the Startup time limit and Shutdown time limit settings are us
of application pool health (see Figure 3).

A worker process that fails to start up or shut down within the designated time is considered to
counts toward the number of failures required to take the application pool offline. By default, r
protection is configured to disable an application pool if five application failures occur in a five-
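The recycling, health (pinging), orphaning and rapid-fail settings discussed in the preceding sections are all metabase properties of the application pool, so they can be set per pool from a script instead of the Properties dialog. The batch script below is an added example for this page, not the paper's own; it assumes the pool Project32-HighlyRestricted already exists (placeholder name), and the numeric values are illustrative choices, not recommendations from the paper.

```batch
@echo off
REM Added example (not from the original paper): per-pool recycling, health monitoring
REM and rapid-fail protection with adsutil.vbs. Placeholder pool name; values illustrative.
setlocal
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set POOL=W3SVC/AppPools/Project32-HighlyRestricted

REM --- Recycling: uptime (minutes), request count, and virtual memory (KB) thresholds ---
REM A memory threshold bounds the damage a leaking application can do to its neighbours.
%ADSUTIL% SET %POOL%/PeriodicRestartTime 1440
%ADSUTIL% SET %POOL%/PeriodicRestartRequests 35000
%ADSUTIL% SET %POOL%/PeriodicRestartMemory 512000
REM Overlapping recycling (the default, FALSE) starts the new worker process before the
REM old one stops; set TRUE only if the application cannot run two instances side by side.
%ADSUTIL% SET %POOL%/DisallowOverlappingRotation FALSE

REM --- Health: WAS queries the worker process every PingInterval seconds and treats no
REM     reply within PingResponseTime seconds as a failure ---
%ADSUTIL% SET %POOL%/PingingEnabled TRUE
%ADSUTIL% SET %POOL%/PingInterval 30
%ADSUTIL% SET %POOL%/PingResponseTime 90
REM Keep (orphan) a failed worker process for troubleshooting instead of terminating it.
REM OrphanActionExe / OrphanActionParams would name the tool to launch against it.
%ADSUTIL% SET %POOL%/OrphanWorkerProcess TRUE

REM --- Rapid-fail protection: after MaxCrashes failures within Interval minutes the pool
REM     is disabled and HTTP.sys answers its requests with 503 ---
%ADSUTIL% SET %POOL%/RapidFailProtection TRUE
%ADSUTIL% SET %POOL%/RapidFailProtectionMaxCrashes 5
%ADSUTIL% SET %POOL%/RapidFailProtectionInterval 5
REM A worker process that does not start or stop within these limits (seconds) also
REM counts as one failure toward the rapid-fail threshold.
%ADSUTIL% SET %POOL%/StartupTimeLimit 90
%ADSUTIL% SET %POOL%/ShutdownTimeLimit 90

REM Review the resulting pool configuration.
%ADSUTIL% ENUM %POOL%
endlocal
```

Because a disabled pool answers every request with 503 until an administrator re-enables it, pair rapid-fail protection with monitoring of the events that WAS publishes on each worker process failure, so that a pool taken offline is noticed rather than discovered by its users.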

Figure 3: Health options available in IIS 6.0

Functional Use of Application Pools

In some cases, you will find that using an application pool is useful in order to separate applica
different technical requirements. For example, you may find it helpful to configure all applicati
a particular COM component into a single application pool, if the COM component is known to
Also, as your applications undergo upgrades and improvements, it can be useful to create sep
pools for the new versions.

.NET Framework Application Domains

On Windows Server 2003, ASP.NET uses the application request-processing-model in worker p
and also maps one or more ASP.NET application domains to each worker process. The applicat
within a single worker process can be recycled independently and have private components, s
and other private resources. This provides an additional layer and better granularity of isolatio

.NET Framework and Side-by-Side Assemblies

Traditionally, when a component or application is updated on a computer, the older version is
replaced with the newer version. If the new version is not compatible with the previous versio
breaks other applications that use the component or application. The .NET Framework provide
side-by-side execution, which allows multiple versions of an assembly or application to be inst
same computer, at the same time. Since multiple versions can be installed simultaneously, ma
applications can select which version to use without affecting other applications that use a diff
For example, applications can take advantage of side-by-side assemblies in order to allow app
installed on the same computer that require different versions of a DLL such as MDAC, MFS, M
MSXML. For more information about this topic, see the Appendix at the end of this paper.

Using Isolation to Secure Applications

One of the primary tools for configuring isolation is the use of Access Control Lists (ACLs), auth
process identities to create effective security boundaries between applications. While configure
doesn't equate to the degree of isolation provided by independent servers, you can effectively
prevent one application from accessing the files of another application inadvertently or malicio
example, a Web site administrator may create a script to browse the directory or change files
application using the file system object. The administrator could also write an ASP application
from files of another site such as a customer database. Proper use of ACLs and other authoriza
in Windows Server 2003 can prevent this scenario from occurring.

Configuring Application Pool Identity

One of the most important rules to remember when securing a server is that all processes mu
or built-in account. In most cases, this requirement is transparent, because file system resour
or requested from an application are typically opened in the context of the user making the re
an application developer can choose to author an application in such a way that the file system
opened in the context of the account used to launch the parent process hosting an application
user.

Let's examine what happens when an anonymous user opens an application. The user makes a
application and is automatically assigned to the anonymous account (typically the IUSR_<Com
account). The requested file is opened and executed using the credentials of the anonymous u
proper permissions are in place in the IIS Manager and ACLs on the requested file. However, i
then invokes the Win32 API RevertToSelf function, subsequent file accesses made from the a
as the Network Service user account. The Network Service user account is the built-in account
identity for application pools.

Built-in Accounts

Even though the Network Service user account has limited rights on the server, application po
identity have rights to each other's resources when ACLs are configured to allow access to this
You will want to give each application pool its own identity in order to effectively isolate applica
in Figure 4.


Figure 4: The default identity for an application pool is the Network Service user account

Because an application can run as the application pool identity, when selecting an application p
should choose one with the least number of privileges required by your application. In the cas
worker process identity is set to an account with high privileges, like LocalSystem, the result m
application is given permissions beyond the scope of the authenticated user. Instead, consider
worker process identity to an account with low privileges to prevent an application from elevat
in this manner.

Assigning an Account

When configuring an individual user account as the application pool identity, you must make th
member of the IIS_WPG local group. The IIS_WPG group is created to simplify the process of
necessary authorizations and rights on all of the system resources that a worker process must
function properly, including launching application pools. When IIS is installed, or when new ap
are created, the IIS_WPG group is included in all ACLs of resources that the application pool m
However, it is not necessary to add IIS_WPG to a site's content directories and files. In fact, if
isolation between users, but configure ACLs that grant access to IIS_WPG, you may decrease
isolation because all applications whose user accounts are members of the IIS_WPG group wo
to each other's content. Consequently, you will want to add accounts you create for each applic
identity to the IIS_WPG local group, but you should not use the IIS_WPG group in ACLs on con
directories.

Accounts used for application pool identity should also be distinct from anonymous accounts a
accounts for site authors and owners. Accounts used for anonymous access or for site authors
should not be added to the IIS_WPG group because doing so would grant those accounts acce
that are shared among application pools such as the compression cache and ASP template cac

Additionally, if you configure application pools with an identity other than Network Service an
applications launch CGI processes, you will need to assign the following user rights to account
application pool identities:

Adjust memory quotas for a process (SeIncreaseQuota)
Replace a process at token level (SeAssignPrimaryToken)
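The account rules in this section (a dedicated low-privilege account per pool, membership in IIS_WPG but no IIS_WPG entries on content, and the two extra user rights only when CGI is launched) can be applied from a script. The batch script below is an added example for this page, not the paper's; placeholder names are the pool Project32-HighlyRestricted and the local account Project32_Pool, the password is taken from the first argument rather than hard-coded, and the optional ntrights.exe lines assume the Windows Server 2003 Resource Kit Tools are installed.

```batch
@echo off
REM Added example (not from the original paper): give one application pool its own
REM low-privilege local account. Placeholders: pool Project32-HighlyRestricted,
REM account Project32_Pool. Run as a local administrator on the IIS 6.0 server.
setlocal
if "%~1"=="" (
  echo Usage: %~nx0 ^<password-for-pool-account^> >&2
  exit /b 1
)
set PASS=%~1
set ACCT=Project32_Pool
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set POOL=W3SVC/AppPools/Project32-HighlyRestricted

REM 1. A local account used only as this pool's identity: distinct from the site's
REM    anonymous account and from author/owner accounts, as the section requires.
net user %ACCT% %PASS% /add /comment:"Worker process identity for Project32 pool" /passwordchg:no
if errorlevel 1 goto :fail

REM 2. IIS_WPG membership supplies the rights a worker process needs on system
REM    resources. The group is deliberately NOT granted on content directories later:
REM    every pool's account is a member, so such an ACE would cross the isolation line.
net localgroup IIS_WPG %ACCT% /add
if errorlevel 1 goto :fail

REM 3. Point the pool at the account. AppPoolIdentityType 3 = configurable account
REM    (0 = LocalSystem, 1 = LocalService, 2 = NetworkService). The new identity is
REM    used when the pool's worker process next starts, so recycle the pool afterwards.
%ADSUTIL% SET %POOL%/AppPoolIdentityType 3
%ADSUTIL% SET %POOL%/WAMUserName %COMPUTERNAME%\%ACCT%
%ADSUTIL% SET %POOL%/WAMUserPass %PASS%
if errorlevel 1 goto :fail

REM 4. Only if this pool's applications launch CGI processes: grant the two user rights
REM    listed in the paper. ntrights.exe comes from the Resource Kit Tools (assumption:
REM    installed and on PATH); the privilege constants carry the "Privilege" suffix.
REM ntrights -u %ACCT% +r SeIncreaseQuotaPrivilege
REM ntrights -u %ACCT% +r SeAssignPrimaryTokenPrivilege

REM 5. Verify the identity setting and the group membership.
%ADSUTIL% GET %POOL%/WAMUserName
net localgroup IIS_WPG
endlocal
exit /b 0

:fail
echo Failed; review the output of the previous command. >&2
endlocal
exit /b 1
```

Leaving the user-rights lines commented by default follows the least-privilege point made above: a pool that never spawns CGI processes gains nothing from SeIncreaseQuota and SeAssignPrimaryToken, and an account that holds them can hand a primary token to a process it creates, which is exactly the capability you do not want an isolated application to have without need.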


Authentication Considerations

Authentication is the process of proving that you are a valid user to an application. Once prove
is then assigned an identity, which is used to limit access to resources. Part of building secure
between applications is to ensure that you have the identities for your applications and users o
a way that you can effectively manage the authorization of the application and the users acce

IIS 6.0 supports Anonymous, Basic, Digest, Advanced Digest, Client Certificate, Integrated Wi
and Kerberos), and Passport authentication. Additionally, applications may implement their ow
methods, for example, forms-based authentication in ASP.NET. Remember that the method yo
authentication can impact the choices you have for implementing security.

For highly isolated applications, it is best to create a unique user account to be used for anony
the application, and then assign this user as the anonymous user in the Directory Security tab
for the Web site (see Figure 5). This allows you to configure authorization (see the Configuring
section) so that applications launched by the anonymous user are constrained to appropriate r
unique anonymous user identity combined with a designated account for the application pool i
two of the essential elements needed for constructing an effective security boundary for the ap

To configure a unique anonymous user account for a Web site

1. In IIS Manager, expand the local computer, expand the Web Sites folder, right-click t
want to change, and then click Properties.

2. On the Directory Security tab, under Authentication and access control, click the
shown in Figure 5.

Figure 5: Site properties Directory Security tab

3. In the Authentication Methods dialog, enter the User name and Password of the a
anonymous access, as shown in Figure 6.


Figure 6: Configuring a unique anonymous user account

4. Click OK.

5. Click OK.

When using Kerberos or Basic authentication, you can use UNC passthrough authentication to
credentials to be used for gaining access to a UNC share on a remote computer. Administrator
IIS to use a fixed set of credentials or to submit the user's credentials, known as pass-through
to the file server or NAS device. By default, IIS is configured to use pass-through authenticati
Kerberos authentication when working in a Windows Server 2003 environment and running ap
with the Network Service identity. You can also configure Windows Server 2003 so pass-thro
authentication is possible for any authentication method.

Note: Use a domain-based account when assigning an application pool identity if you intend t
through authentication with Kerberos. For more information about this, see the Deploying and
Internet Information Services (IIS) 6.0 with Remotely Stored Content on UNC Servers and NA
paper
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/

ASP.NET applications using forms-based authentication rely primarily on the use of .config file
authentication. The application .config files may contain user names and passwords required t
applications or may reference a database (other than the local SAM or Microsoft Active Directo
users. Applications using forms-based authentication have enhanced application boundaries, s
authentication for a user is valid only in the authorizing application.

Configuring Authorization

The foundation for effectively enforcing application isolation lies in the proper use of authoriza


    Authorization uses the authenticated identity of the user, including the anonymous user, to lim

    resources. For our purposes, the concept of a user is also extended to the identity of applicatio

    are authorized only to use resources required by the application.

    Methods for enforcing authorization include configuring ACLs on content, share permissions, th

    the registry. Additionally, other techniques, for example, URL authorization using Windows Se

    Authorization manager and authorization in ASP.NET applications can be used.

    Configuring ACLs on Content

    When configuring ACLs, your task will be easier if you keep in mind two principles:

    When implementing permissions, users often require flexibility that was not preconceived whe

    applications were first configured. To preserve your options and ease administration, consider

    contain application pool identities, then assign ACLs to the groups. For example, when configu

    Application X, create a group, such as ApplicationX_Processes, and then assign application poo

    Application X to this group. This allows you several conveniences:

    Once you have assigned your application pool identity, you need to assign NTFS permissions tresources to allow permissions on a variety of locations, including folders used in databases, c

    caching of scripts, logging directories for customized logging, or other file system locations wh

    application pool identity requires access. Be careful not to unintentionally allow another applic

    identity access to the same resources. For example, you would not want to assign permissions

    the IIS_WPG group. Remember that if access is not specifically allowed, it is denied.

    In addition to configuring ACLs for the proper access by the application pool identity, you need

    permissions for users. This is facilitated by creating groups that designate functions, such as

    ApplicationX_authors and ApplicationX_anonusers, then adding users to these groups and assi

    permissions to the groups. Having a group for anonymous users is useful in that you may wish

    some users for logging or auditing purposes, but still only allow them access to resources as if

    anonymous users.
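The group-based ACL pattern described above (an ApplicationX_Processes group holding the application pool identity, plus ApplicationX_authors and ApplicationX_anonusers for users), as an added PowerShell example that is not part of the original white paper. It assumes a local account named AppPoolX_Svc is the pool identity and that the content lives under D:\Sites\ApplicationX; both are placeholders. The final check reports any Allow entry on the content tree that targets IIS_WPG, Everyone or Users, which is exactly the kind of grant that would hand other pools' worker processes the same access.

```powershell
# Added example, not from the white paper. Assumed placeholders: the pool identity
# account 'AppPoolX_Svc' and the content root 'D:\Sites\ApplicationX'.
$appName      = 'ApplicationX'
$poolIdentity = 'AppPoolX_Svc'           # assumed application pool identity account
$contentRoot  = 'D:\Sites\ApplicationX'  # assumed content location

$processGroup = "${appName}_Processes"   # holds the application pool identity
$authorGroup  = "${appName}_authors"     # users who may change content
$anonGroup    = "${appName}_anonusers"   # named users treated like anonymous visitors

# 1. Create the per-application groups (errors for groups that already exist are ignored).
foreach ($group in @($processGroup, $authorGroup, $anonGroup)) {
    & net localgroup $group /add 2>&1 | Out-Null
}

# 2. Put the pool identity in the process group. It still needs IIS_WPG membership to be
#    started as a worker process, but IIS_WPG itself never appears on the content ACLs.
& net localgroup $processGroup $poolIdentity /add 2>&1 | Out-Null
& net localgroup IIS_WPG $poolIdentity /add 2>&1 | Out-Null

# 3. Grant rights on the content tree to the groups only. Anything not allowed here is denied.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$acl = Get-Acl -Path $contentRoot
$grants = @(
    @{ Group = $processGroup; Rights = 'ReadAndExecute' },
    @{ Group = $anonGroup;    Rights = 'ReadAndExecute' },
    @{ Group = $authorGroup;  Rights = 'Modify' }
)
foreach ($grant in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $grant.Group, $grant.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $contentRoot -AclObject $acl

# 4. Check: list any Allow entry on the tree that targets IIS_WPG (shared by every pool),
#    Everyone or Users, which would give other applications' worker processes the same access.
function Find-SharedGrants {
    param([string]$Root)
    $items = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                ($who -like '*\IIS_WPG' -or $who -eq 'Everyone' -or $who -like '*\Users')) {
                New-Object PSObject -Property @{
                    Path     = $item.FullName
                    Identity = $who
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}
Find-SharedGrants -Root $contentRoot | Format-Table Path, Identity, Rights -AutoSize
```

Inherited entries from the parent folder (for example a default read grant to Users on the volume root) show up in the check as well; they are the usual way a second application's identity ends up with unintended read access, so they are worth breaking before the site goes live.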

Configuring for Access of UNC-based Content

    When accessing content on another server using UNC paths, you must consider both Share an

    permissions. Often Share permissions are left fairly open and NTFS permissions are used to se

    The degree to which you lock down your Share permissions is dependent on your specific secu

    requirements.

    For the majority of applications, Share and NTFS permissions on remote content will be assign

    authenticated user that is requesting access. If you are using the default pass-through authen

    be the individual user as authenticated by IIS. If you are specifying a user account for remote

    required in IIS 4.0 and IIS 5.0, the specified user will require access rights for both Share and

    Assign users to groups, and then assign ACL permissions based on those groups.

    If permissions are not specifically allowed, access is denied.

    If you change the application pool identity in the future, you only need to add the new ident

    ApplicationX_Processes group. This avoids the labor-intensive, and perhaps error-prone tas

    ACLs on all resources for the application.

    You may add other applications in the future (ApplicationZ) that require access to the resouApplicationX, and at the same time limit ApplicationX from accessing specific resources use

    ApplicationZ. In other words, the ApplicationX_Processes group would contain the user acco

    application pool identities assigned to both ApplicationX and ApplicationZ, but the Applicatio

    group only contains the application pool identity for ApplicationZ.

    You may need to allow or deny access to resources for groups of application pools. For examwant to create an identity for AllASP.NETApps that has access to specific resources. This is f

    application pool identities are ed from specific user accounts.


    permissions. If the user specified for accessing remote content is not a domain account, it is b

    account is created with the same user name and password on the IIS server as well as the rem

    This facilitates management of remote content in the IIS Manager console. For more informat

    configuring authentication and authorization for UNC servers and NAS devices, see the Deploy

    Configuring Internet Information Services (IIS) 6.0 with Remotely Stored Content on UNC Ser

    Devices white paper

    (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/

Configuring ACLs on the Metabase

    In addition to setting ACLs on file system resources, you can set ACLs on metabase keys. Use

    Explorer 1.6 or MetaEdit 2.2 to view and set ACLs on metabase keys. Metabase Explorer 1.6 c

    downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71

    ade629c89499&DisplayLang=en. MetaEdit 2.2 can be downloaded from

    http://download.microsoft.com/download/iis50/Utility/5.0/NT45/EN-US/MtaEdt22.exe .

    For Web sites and their contents that have corresponding keys with properties in the metabas

    group is set to Allow for the permissions: Query, Query Unsecure Property, and EnumeratePro

    default ACLs on application pools permit the IIS_WPG, Network_Service, and Local_System ac

    to query metabase properties for all application pools.

    Applications running in the context of the application pool do not have the ability to alter the m

    the application can be run in the security context of the Administrator identity, which by defau

    on the entire metabase. This can occur, for example, when the system administrator logs in o

    the application using the Administrator credentials and the application assumes the credentials

    impersonation. Consequently, these settings do not represent a serious security risk. However

increase application isolation by making the following adjustments to isolate a site's metabase

Configuring ACLs on Registry Keys

    On secure servers, it is recommended that permissions be tightened on certain registry keys.

    provides several templates for tightening permissions, including those provided with the Secu

    Guide (http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx

    security in general will increase the effectiveness of application isolation, but you may need to

    restrict access to portions of the registry that contain information about COM objects used by

    It should not be possible, for example, for a user to determine what objects are registered on

    then write a script to invoke those objects.

COM+ Isolation

    COM+ Partitions can be used to isolate Web applications into their own COM+ partitions. This

    prevent one Web application from accessing the private COM+ applications, configuration infor

    data of another Web application. COM+ partitions can hold different versions of your own cust

    components. For example, if you host Web sites for two competing companies that both use C

    Web applications, you can use COM+ partitions to ensure that one company's Web application

    the COM+ components in the other company's Web applications. If one of those companies as

    certain features in a COM+ application that they both use, you can isolate the new version of t

    application in the partition that is linked to their Web application.

To enable COM+ partitions on the IIS side, set the AspUsePartition flag of the AspAppServic

    property at the application level. The partition is identified by a GUID (created using the Comp

    Manager snap-in), which can be set at the AspPartitionID metabase property. If no partition is

    Remove entries for IIS_WPG

    Assign the worker process identity: Read

    Assign any Web site author or administrators: Read

    Give the Administrators group and any other system administrators: Full Control


    default system partition is used. For more information, please see "Creating and Configuring C

    in the COM+ SDK (http://go.microsoft.com/fwlink/?LinkId=2823).

Important: Only one version of a COM+ component can be used in any application pool, even

    feature is configurable at the application level. For example, if application App1 uses version 1

    COM+ application called Shop.dll, and application App2 uses version 2.0 of Shop.dll, then App

    should not be in the same application pool. If they are, the application that is loaded first has i

    Shop.dll loaded, and the other application is forced to use it until the applications are unloade

URL Authorization

    Authorization Manager and URL authorization are features of the .NET Framework that have be

    into the operating system for Windows Server 2003. Consequently, these features are availab

    other applications. Windows Server 2003 and IIS 6.0 provide the ability to use Authorization M

    combination with URL authorization to create sets of rules that authorize access to URLs based

    roles. Roles can be defined any number of ways, including Lightweight Directory Access Protoc

    queries, custom user roles, and Authorization Manager scripts (BizRules). This is quite differen

    ACLs to files, because role membership can be determined through a query at the time of the

    example, you could authorize employees of a company, who have been employed for more th

access a specific URL. When an employee reaches the 91st day of employment, however that is

    requirements, access is granted without the need to change ACLs, or local/domain group mem

    better application isolation, you may define a rule so that all employees or customers of Compthe CompanyA application and all others are denied.

    For more information about Authorization Manager, see Authorization Manager in the Windows

    product documentation (http://www.microsoft.com/technet/prodtechnol/acs/proddocs/default

    information about URL authorization, see URL Authorization in the IIS 6.0 Help

    (http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs

    us/iiswelcome.asp).

FTP User Isolation

    IIS 6.0 also includes an FTP server to allow users to upload or download files. Where FTP is de

configuring your server so that FTP users cannot browse other users' directories is an importan

    security. IIS 6.0 provides for this capability with FTP user isolation. When enabled, a user cann

    higher up the directory tree, because the user's top-level directory appears as the root of the Within the user's specific site, the user still has the ability to create, modify, or delete files and

    FTP user isolation has three settings available for user restriction, as shown below in Figure 7.

IMPORTANT: FTP is not a secure protocol, so user names and passwords are sent across the

    text. In addition, you cannot use SSL with FTP.


    FTP user isolation has two modes to isolate users: Isolate users and Isolate users using Active

Isolate Users

    This mode authenticates users against local or domain accounts before they can access the ho

    that matches their user name. All user home directories are in a directory structure under a si

    directory where each user is placed and restricted to their home directory. In this mode, the h

    name is the same as the authenticated user name. When users authenticate, they are automa

    into the directory that corresponds to their logon name and they are not permitted to navigate

    home directory. If users need access to dedicated shared folders, you can also establish a virt

    mode may use, but does not require, the Active Directory service.

Isolate Users using Active Directory

    When you set your FTP server to isolate users with Active Directory, each user's home directo

    an arbitrary network path. In this mode, you have the flexibility to distribute user home direct

    multiple servers, volumes, and directories, as is appropriate to the network configuration, and

    directory name may be different from the authenticated user name. This is accomplished by us

the msIIS-FTPDir and msIIS-FTPRoot properties for the user object in Active Directory. Fo

    information about setting these properties with the IISFTP.VBS scripts, see Setting Active Dire

    Isolation in the IIS 6.0 Help

    (http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/default.ms

    the IIS 6.0 Help incorrectly lists these attributes as FTPRoot and FTPDir. These properties are

    the Active Directory Users and Computers console.

    For step by step instructions on how to implement FTP user isolation, see Isolating FTP Users

    Help (http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/prous/iiswelcome.asp).
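The home-directory layout that the "Isolate users" mode expects, built and locked down by an added PowerShell example that is not part of the original white paper. It assumes the FTP site root is D:\FtpRoot and uses constructed account names; the layout it creates (local accounts under LocalUser\<user>, domain accounts under <DOMAIN>\<user>, anonymous under LocalUser\Public) is the one IIS 6.0 resolves a logon to in that mode. Each home directory stops inheriting ACEs from the root so that a grant higher in the tree cannot let one user read another user's directory.

```powershell
# Added example, not from the white paper. Placeholders: the FTP root 'D:\FtpRoot' and
# the account names below are constructed.
$ftpRoot = 'D:\FtpRoot'
$users   = @(
    @{ Account = 'alice'; Domain = $null },                      # local account
    @{ Account = 'bob';   Domain = 'CORP' },                     # domain account
    @{ Account = "IUSR_$env:COMPUTERNAME"; Domain = $null; Anonymous = $true }
)

function New-IsolatedFtpHome {
    param(
        [string]$Root,
        [string]$Account,
        [string]$Domain,
        [bool]$Anonymous = $false
    )
    # 'Isolate users' layout: <root>\LocalUser\<user>, <root>\<DOMAIN>\<user>, <root>\LocalUser\Public
    $container = if ($Domain) { $Domain } else { 'LocalUser' }
    $leaf      = if ($Anonymous) { 'Public' } else { $Account }
    $home      = Join-Path (Join-Path $Root $container) $leaf
    if (-not (Test-Path -Path $home)) { New-Item -ItemType Directory -Path $home | Out-Null }

    $principal = if ($Domain) { "$Domain\$Account" } else { $Account }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $acl = Get-Acl -Path $home
    # Cut inherited ACEs: rights granted on the FTP root (e.g. to Users) must not reach this home.
    $acl.SetAccessRuleProtection($true, $false)
    # The owner of the home may create, modify and delete; the anonymous area is read-only.
    $rights = if ($Anonymous) { 'ReadAndExecute' } else { 'Modify' }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, $rights, $inherit, 'None', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow')))
    Set-Acl -Path $home -AclObject $acl
    return $home
}

foreach ($u in $users) {
    New-IsolatedFtpHome -Root $ftpRoot -Account $u.Account -Domain $u.Domain -Anonymous ([bool]$u.Anonymous)
}
```

The FTP service only confines the session to the home directory; the NTFS ACL is what stops a user who knows another user's name from reading that directory over a share or from a script, so the two belong together.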

    FrontPage 2002 Server Extensions Security

    FrontPage 2002 Server Extensions make it simple for users to publish Web sites using FrontPa

    Web applications from Microsoft Visual Interdev. You can create a FrontPage-enabled Web site

    the Web site with the FrontPage Server Extensions.

To create a FrontPage-enabled Web site

Figure 7: FTP User Isolation allows three options to

    restrict user access



    1. Install FrontPage Server Extensions on the computer.

2. Right-click the Web site you want to configure, and select All Tasks, Configure Serve

2002. This launches the FrontPage Server Extensions 2002 administrative Web applica

    3. Designate a user account as the virtual server administrator.

4. Click Submit to install the extensions on the Web site.

    FrontPage Server Extensions uses a distributed security model where the account specified as

    administrator has the right to create users and assign roles resulting in permissions being cha

    site. The Web administrator can do these tasks, but is not required to be an administrator on t

    Consequently, you should configure the Web administrator to use an account that is not a mem

    Administrators group.

    When you install FrontPage Server Extensions on your server, a specialized application pool na

    MSSharepointAppPool is created and is assigned to run in the security context of the Local Sys

    The _vti_bin folder of any FrontPage-enabled Web site will run in this security context. The _vt

    each FrontPage-extended Web or sub-Web is a virtual directory mapped to the same physical

    containing the FrontPage Server Extensions binaries, so each application runs the same FrontP

    Extensions code. Although the FrontPage Server Extensions share an application pool, applicat

    configured in their own application pool, so that the user-written part of the application, and a

    provided code, can be isolated.

How FrontPage Manages ACLs

    FrontPage Server Extensions 2002 will manage permissions on Web content without server ad

    intervention, using roles-based authorization. Users are assigned roles such as browser, autho

    and administrator. When you create a Web site and then extend the Web with FrontPage Serv

    FrontPage Server Extensions adds certain users and groups to your Web content folders with s

    permissions. These include the Network and Interactive built-in groups. This could represent a

    as these groups are automatically maintained by the server. A user with a network logon type

    the Network group (authenticated with NTLM, for example). A user with a local logon type (aut

    Basic, for example), is a member of the Interactive group. Consequently, granting these group

    to FrontPage Web content probably grants users from other Web sites and applications the sa

    to the Network and Interactive groups, depending on how the users are authenticated. To impand security between applications, FrontPage Server Extensions on Windows Server 2003 allow

    to be used for authorization.

Using Group Accounts to Isolate Access to FrontPage Webs

    You can configure FrontPage Server Extensions so that they use group accounts instead of the

    Network/Interactive groups. When properly configured, FrontPage Server Extensions will not a

    and Interactive groups to ACLs on root Webs, but instead will authorize access to the Web usin

    constructed by a prefix you provide (such as SecureWeb) and the Web site instance number. T

    group name for the default Web site in this example would be SecureWeb_1. This group can th

    configured manually to manage access to the Web site.

    Details on implementing this feature should be read carefully at

    http://www.microsoft.com/technet/prodtechnol/sppt/sharepnt/proddocs/admindoc/owsj03.ms

    For more details on FrontPage Server Extensions 2002 and Microsoft SharePoint Team Service

    http://www.microsoft.com/technet/prodtechnol/sppt/sharepnt/proddocs/default.mspx .

    Disabling Shared File Caches

    IIS and ASP use file caches to improve performance while serving Web content. On an isolated

    caches should be disabled because the directories they use are shared by application pools wit

    access to the IIS_WPG group. It is possible under some circumstances for a malicious site own

    application running in one application pool to browse data stored by other applications in these


    While the likelihood and impact of this scenario are limited, disabling IIS compression, static fi

    ASP template caching blocks such exposure in the first place. Conversely, on a server in which

    owners are trusted or there is a single owner for multiple sites, this is not a problem.

To disable IIS compression

1. In IIS Manager, expand the local computer, right-click the Web Sites folder, and then

Properties.

2. On the Service tab, under HTTP compression, clear the Compress static files and

application files check boxes.

    3. Click Apply , and then click OK .

Alternatively, you can disable HTTP compression of static files by setting the HcDoStaticCom

HcDoDynamicCompression metabase properties to false.

    To disable ASP file caching

1. In IIS Manager, expand the local computer, right-click the Web Sites folder, and then

Properties.

2. On the Home Directory tab, click Configuration.

3. On the Cache Options tab, select the Do not cache ASP files option.

    4. Click OK twice to save your changes.

    5. Restart IIS.

To disable static file caching

    You need to restart IIS for this setting to take effect.
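The three cache-disabling procedures above (HTTP compression, ASP file caching and static file caching) carried out from a script, as an added PowerShell example that is not part of the original white paper. It drives the metabase with adsutil.vbs at its default location (assumed), sets the HcDoStaticCompression and HcDoDynamicCompression properties named in the text, and writes the DisableMemoryCache registry value given for static file caching. Mapping the "Do not cache ASP files" option to AspScriptFileCacheSize = 0 is my assumption, not something the paper states. Settings are read back before the restart so a failed write is visible.

```powershell
# Added example, not from the white paper. Assumes adsutil.vbs at its default location and
# that 'Do not cache ASP files' corresponds to AspScriptFileCacheSize = 0 (assumption).
$adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'

function Set-MetabaseProperty {
    param([string]$Path, [string]$Value)
    & cscript //nologo $adsutil set $Path $Value
    if ($LASTEXITCODE -ne 0) { throw "adsutil failed to set $Path" }
}

$compressionBase = 'W3SVC/Filters/Compression/Parameters'
$metabaseSettings = @(
    @{ Path = "$compressionBase/HcDoStaticCompression";  Value = 'false' },  # HTTP compression off
    @{ Path = "$compressionBase/HcDoDynamicCompression"; Value = 'false' },
    @{ Path = 'W3SVC/AspScriptFileCacheSize';            Value = '0' }       # ASP template cache off
)

# 1. Metabase properties: server-wide, inherited by every site and application unless overridden.
foreach ($s in $metabaseSettings) { Set-MetabaseProperty $s.Path $s.Value }

# 2. Static file cache: the registry value from the text (REG_DWORD DisableMemoryCache = 1).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Inetinfo\Parameters'
New-ItemProperty -Path $regPath -Name 'DisableMemoryCache' -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Read everything back before restarting.
foreach ($s in $metabaseSettings) { & cscript //nologo $adsutil get $s.Path }
Get-ItemProperty -Path $regPath -Name 'DisableMemoryCache' | Format-List DisableMemoryCache

# 4. None of these settings take effect until IIS restarts.
& iisreset /restart
```

Because the compression and ASP cache properties are set at the W3SVC level, a site that later overrides them (for example by re-enabling compression from its own Properties page) reopens the shared directory; re-running the read-back loop above on a schedule is a cheap way to notice that.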


Using Isolation to Improve Performance

    Another benefit of application isolation is the ability to limit the effects on other applications of

    consumption by any individual application. There are a number of Windows Server 2003 and I

    that help to assure that applications will have available to them the resources required when t

IIS 6.0 Features for Resource Availability

    Application pools in IIS 6.0 allow better use of resources than with previous versions of IIS. Th

application pools allow you to configure a variety of parameters that affect resource use of the

    Because these settings are available per application pool, you can optimize the configuration opool for the specific characteristics of the application, load, and resulting resources required. F

    the Performance property tab for the Default Application Pool.

Memory Recycling

    Each application pool can be set to recycle when it uses too much shared (maximum virtual m

    privately-allocated (maximum used memory) system memory. When memory use passes one

    thresholds, recycling occurs without interfering with other applications, making the memory co

    application available for other applications and system requirements. (See Figure 2, Recycling

    Add the following value to the registry:

HKLM\System\CurrentControlSet\Services\Inetinfo\Parameters

    DisableMemoryCache: REG_DWORD: 1


    available with IIS 6.0, in the Recycling section above.)

Request Queue Limit

    Because the request queue for an application pool resides in the kernel, if an application pool r

    faster than it can respond, kernel memory is used to queue the requests. In order to keep que

    growing too large, you can specify the maximum number of requests that can be queued for a

    Subsequent requests will receive a 503 error and are logged to the HTTPERR log with a reason

    QUEUE_FULL.

Rapid-Fail Protection

    This topic was discussed earlier in the Isolation for Increased Reliability section. This setting co

    remove an application pool that contains a failing application from service, and place it in a mo

    kernel-mode driver immediately returns a 503 Service Unavailable out-of-service message to

    that application pool. Consequently, this helps prevent failing applications from interfering wit

    applications running on the server, and system resources that may have been locked up by a

    application are released.
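Both of the mechanisms just described leave a trace in the HTTPERR log: a full queue and a pool taken out of service by rapid-fail protection are each logged as a 503 with a reason code and the name of the application pool queue. The following added PowerShell example, which is not part of the original white paper, parses such a log and summarises the rejections per pool, so that an administrator can see which isolated application is saturating its queue or has been taken offline. The log lines are constructed; the field layout follows the IIS 6.0 HTTPERR format as I understand it (the #Fields header is honoured, so a different column order still parses), and the reason text is normalised so that the page's QUEUE_FULL spelling and the QueueFull form compare equal.

```powershell
# Added example, not from the white paper. Sample lines are constructed; the field
# layout is taken from the #Fields header, which is assumed to be present as in IIS 6.0.
$sampleHttpErr = @'
#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Date: 2003-04-01 12:00:00
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2003-04-01 12:00:01 10.0.0.5 3201 10.0.0.1 80 HTTP/1.1 GET /default.aspx 503 1 QueueFull ApplicationX
2003-04-01 12:00:01 10.0.0.6 3202 10.0.0.1 80 HTTP/1.1 GET /orders.aspx 503 1 QueueFull ApplicationX
2003-04-01 12:00:02 10.0.0.7 3203 10.0.0.1 80 HTTP/1.1 GET /index.htm 503 2 AppOffline ApplicationZ
2003-04-01 12:00:03 10.0.0.8 3204 10.0.0.1 80 - - - - - Timer_ConnectionIdle -
'@ -split "`r?`n"

function Get-HttpErrQueueSummary {
    param(
        [string[]]$Lines,
        [int]$QueueFullThreshold = 1   # alert once a pool exceeds this many QueueFull entries
    )
    $fields = $null
    $counts = @{}                      # key "<queue>|<reason>" -> count
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($fields -eq $null -or $line -match '^#' -or $line.Trim() -eq '') { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines rather than guess
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        # Entries with no queue name (idle-connection timers, parse failures) are not pool events.
        if ($rec['s-queuename'] -eq '-') { continue }
        # Normalise the reason so 'QueueFull' and 'QUEUE_FULL' compare equal.
        $reason = ($rec['s-reason'] -replace '_', '').ToLower()
        $key = $rec['s-queuename'] + '|' + $reason
        if ($counts.ContainsKey($key)) { $counts[$key]++ } else { $counts[$key] = 1 }
    }
    foreach ($key in $counts.Keys) {
        $queue, $reason = $key -split '\|'
        # A pool that rapid-fail protection took offline is always worth a look; a full queue
        # only once it repeats.
        $alert = ($reason -eq 'appoffline') -or
                 ($reason -eq 'queuefull' -and $counts[$key] -gt $QueueFullThreshold)
        New-Object PSObject -Property @{
            AppPoolQueue = $queue
            Reason       = $reason
            Count        = $counts[$key]
            Alert        = $alert
        }
    }
}

Get-HttpErrQueueSummary -Lines $sampleHttpErr |
    Sort-Object AppPoolQueue |
    Format-Table AppPoolQueue, Reason, Count, Alert -AutoSize
```

On a real server replace the constructed array with `Get-Content` of the current file under %SystemRoot%\System32\LogFiles\HTTPERR. With the sample above ApplicationX is flagged for two QueueFull entries and ApplicationZ for AppOffline, while the idle-timer line is ignored; a recurring QueueFull for one pool is the signal that its AppPoolQueueLength or its worker process count, not the whole server, needs attention.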

Number of Connections

    On the Performance tab of the properties of a Web site, you can set the number of connection

    Web site. This could be useful when you are offering Web sites that provide a number of connecondition of service, or when you are concerned about the number of connections overwhelmi

    applications. Additionally, you may have non-critical, but popular Web sites you wish to constr

    make resources available to other applications.

    Windows Server 2003 Features for Resource Availability

    Windows Server 2003 has several features that can be implemented to help assure resource a

    Web applications. In some cases, enabling a feature in IIS invokes a process for installing the

    server level. For example, configuring bandwidth throttling in IIS Manager automatically enab

    Service Packet Scheduler for the server. In this way, server capabilities are more seamlessly i

    IIS Manager than in previous versions of IIS.

Windows System Resource Manager

    Windows System Resource Manager (WSRM) is available for use with Windows Server 2003, E

    and Windows Server 2003, Datacenter Edition. WSRM enables you to manage CPU and memor

    per process basis. An administrator sets targets for the amount of hardware resources that run

    applications or users are allowed to consume. This means that you can allocate resources amo

    applications on a server according to your business priorities.

    When used to manage IIS performance, WSRM enables a system administrator to do the follow

    WSRM maintains an updatable exclusion list of processes that shouldn't be managed because

    system impact such management could create. WSRM does not manage address windowing ex

    memory, large page memory, locked memory, or operating system pool memory.

Bandwidth Throttling

    On the Performance tab of the properties of a Web site, you can enable bandwidth throttling a

    maximum bandwidth consumption for a Web site. Unlike previous versions of IIS, bandwidth t

    the Quality of Service Packet Scheduler to manage when data packets are sent. When you con

    Set CPU and memory allocation policies on applications. This includes selecting processes toand setting resource usage targets or limits.

    Manage CPU utilization (percent CPU in use).

    Generate, store, view, and export resource utilization accounting records for management, agreement (SLA) tracking, and charge-back purposes.


    use bandwidth throttling using IIS Manager, Packet Scheduler is automatically installed, and I

    sets bandwidth throttling to a minimum of 1024 bytes/second. You can configure this setting h

    lower.

    Using Resources Efficiently

    Of course, if you have sufficient resources available for your applications, you do not need to s

    time constraining applications and Web site use. Toward that end, application pools have seve

    that optimize server resources.

Idle Time-out

    Idle Time-out is located on the Performance tab of application pool properties. When configure

    process in an application pool will be terminated if it remains idle for the configured interval. T

    memory-based resources for active applications. For ISPs that often have many Web sites on a

    only a few active at any time, this permits a greater Web site density per server, without over

    server resources.

Demand Start

    Another feature of IIS 6.0 that helps with efficient use of resources is demand start. Applicatio

    though configured and available, are not started until they are requested. In this way, applicat

    loaded before they are required, which keeps resources available until the moment they are nethis also may intensify the performance impact of application startup time. If your applications

    optimized to start up quickly, and you don't have a large number of applications in use, you m

    disable Idle Time-out so that once applications are launched, their worker process remains act

    resources acquired by the application are not released.

Web Gardens

    A Web garden is an application pool that is serviced by more than one worker process simultan

    enabled by setting the number of worker processes setting to more than one on the Performan

    application pool. When requests for the application begin to queue, IIS 6.0 automatically creat

    worker process for the same application pool and begins to route new requests to the new wo

    When demand is reduced, the worker processes will eventually be spun down and resources re

    gardens are useful in situations where there are a high number of concurrent connections and

    locks and resources within a single process may limit request throughput.

    CPU Affinity

    Application pools can be assigned to run on a CPU. On an SMP system, this allows you to distr

    resources among the application pools. For example, if you have an application pool that runs

    application, assigning the application pool to a CPU could assist with performance by making c

    enough CPU processing power is available to the application. This also leverages the caching te

    into the processor. Other application pools can similarly be configured away from the dedicate

    affinity is set in the metabase. For more information about configuring CPU affinity, see SMPA

    IIS 6.0 help (http://www.microsoft.com/resources/documentation/windowsserv/2003/datacen

    us/ref_mb_smpaffinitized.asp).


    Considerations

    Performance and Scale

    While high isolation achieves many benefits, it impacts scaling for the server. For example, Mi

    show that you can run up to approximately 500 worker processes simultaneously. Assuming y

sites, you can configure your application pools so that applications share them, a low isolation a

    can give each application its own application pool, but set the application pool time-out aggres


Number of Application Pools That Can Be Configured

    In the default configuration, using Network_Service as the application pool identity, you can c

    number of application pools without any difficulty. When you specify an identity for an applicat

    given a set of resources, including a non-visible desktop. Interactive processes use desktops f

    events or messages, such as a mouse click, to Windows applications. In this context, only a fe

    ever required by an application. For server applications, such as IIS, there is no interactive us

    COM applications running in a Single Threaded Apartment (STA) use the Windows message pu

to marshal data to COM components created within the process, and desktops are created eve

application uses no COM components. Microsoft tests show that when configuring more than 6

    pools with unique identities, a shared desktop should be used. This may be configured by sett

key HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\UseSharedWPD

    When this setting is enabled, application pools share a common desktop, thereby increasing sc

Number of Web Sites and Active Worker Processes

    The number of application pool worker processes that can be simultaneously active on a serve

    on a variety of factors, including hardware configuration, the specific language in use, number

    of application pools, and how those application pools are configured. IIS supports up to 20,000

    sites, although the number of concurrent sites varies in practice, depending on how they are c

    application pools and the ratio of active to configured sites on a server.

    Regarding non-ASP.NET applications, IIS 6.0 has been tested on a well-configured mainframe

    up to 2,000 concurrent worker processes, each serving one application pool, but not using uni

    practice, a design of up to 500 simultaneous application pools is achievable, depending on the

    requirements and assuming hardware resources are not a significant constraint. It is importan

UseSharedWPDesktop registry setting mentioned above when using more than 60 applicatio

    unique identities.
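An added audit script, not from the white paper, that reads the Idle Time-out, Web garden and CPU affinity settings covered earlier together with the per-identity desktop ceiling described in this section, using the IIS 6.0 WMI provider classes. It assumes Windows PowerShell 2.0 is installed on the Windows Server 2003 host, that it runs as a local administrator, and that UseSharedWPDesktop is a DWORD set to 1 when enabled (the paper does not state the value).

```powershell
# Added example, not part of the white paper: inventory IIS 6.0 application
# pools through the IIS 6.0 WMI provider (root\MicrosoftIISv2) and flag the
# resource settings and the shared-desktop ceiling discussed in the paper.
# Assumes Windows PowerShell 2.0 on the Windows Server 2003 host, run as admin.

$pools = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting

# AppPoolIdentityType: 0 = LocalSystem, 1 = LocalService, 2 = NetworkService,
# 3 = a configured account (the "unique identity" case the paper discusses).
$builtIn = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService' }

$report = foreach ($p in $pools) {
    $type = [int]$p.AppPoolIdentityType
    if ($type -eq 3) { $identity = $p.WAMUserName } else { $identity = $builtIn[$type] }
    New-Object PSObject -Property @{
        Pool         = $p.Name                              # e.g. W3SVC/AppPools/DefaultAppPool
        Identity     = $identity
        IdleTimeout  = [int]$p.IdleTimeout                   # minutes; 0 = never shut down when idle
        MaxProcesses = [int]$p.MaxProcesses                  # greater than 1 = Web garden
        Affinitized  = [bool]$p.SMPAffinitized               # CPU affinity in effect for this pool
        AffinityMask = '0x{0:X}' -f [int64]$p.SMPProcessorAffinityMask
    }
}

$report | Sort-Object Pool |
    Format-Table Pool, Identity, IdleTimeout, MaxProcesses, Affinitized, AffinityMask -AutoSize

# Pools that keep their worker process (and its memory) resident indefinitely
$alwaysOn = @($report | Where-Object { $_.IdleTimeout -eq 0 })
"Pools with Idle Time-out disabled: $($alwaysOn.Count)"

# Web gardens: more than one worker process serving the same pool
$gardens = @($report | Where-Object { $_.MaxProcesses -gt 1 })
"Web gardens: $($gardens.Count)"

# Desktop ceiling: above 60 pools with configured identities the paper calls for
# a shared desktop. Value type assumed (not stated in the paper): DWORD = 1.
$custom  = @($pools | Where-Object { [int]$_.AppPoolIdentityType -eq 3 })
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
$shared  = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).UseSharedWPDesktop
"Pools with unique identities: $($custom.Count); UseSharedWPDesktop = $shared"
if ($custom.Count -gt 60 -and $shared -ne 1) {
    Write-Warning 'More than 60 pools use unique identities but UseSharedWPDesktop is not enabled; each pool is getting its own desktop.'
}
```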

    When running ASP in a hundred or more application pools, you will need to configure ASP to ru

    a Multi-Threaded Apartment (MTA). To enable this capability, set the metabase property AspE

    to 1 (it is set to 0 by default). When ASP is set to run in a MTA and the ASP application also us

    Threaded Apartment (STA) objects, performance may be affected by the data marshalling that

    ASP, running in an MTA, and the component, which runs in a STA in another process. If you a

components such as ADO, which use an apartment model of Both, there should be no problems

    this setting. For more information about enabling multi-threaded apartments, see AspExecute

    6.0 Help.

    ASP.NET applications require more resources than ASP. While 500 individual application pools

    reasonable for ASP, it is aggressive for ASP.NET. You will need to study your server performan

    added to determine a practical ceiling for the number of application pools running ASP.NET in

    environment.


Summary

    In this white paper, we have reviewed the various techniques you can employ to increase appl

    and the various benefits that isolation can offer. While clearly the most isolated design would

    computer for each application, you can create effective application boundaries by correctly con

    Windows Server 2003 and IIS 6.0. The ability to gather or isolate Web applications into an app

    IIS 6.0 is perhaps the most significant component of application isolation. The built-in abilities

    manage resources efficiently, monitor application health, recycle applications, and assign secu

    application pools creates a centerpiece from which you can deploy isolated applications. Comb

    abilities with proper use of authentication, ACLs on various resources, and constraining applica

    required, creates an environment where applications can have an optimized set of resources av

    on demand, as well as minimizing the impacts of poorly-performing or resource-intensive appl

    server.


    When your Web sites require FrontPage Server Extensions 2002, you can configure the extens

    defined local group for ACLs on Web content. This permits you to allow FrontPage authors and

    to deploy content only on their assigned Web sites.

    Finally, by deploying .NET applications that use isolated application design and side-by-side as

    can strengthen application isolation and minimize versioning problems induced when multiple a

    share the same code base.

Taken as a whole, some subset of the capabilities are more than sufficient, in most cases, to p

applications to be deployed on a server, while assuring that those applications are independen

    available.


    Appendix

    The .NET Framework, which includes ASP.NET, has capabilities that can be used to enhance ap

    isolation. These features are implemented by software engineers in the design and implement

    applications and are not specifically related to IIS capabilities. The Windows Server 2003 platf

    specifically to support .NET applications, making it an ideal choice for deploying highly reliable

    Web-based applications.

Features of .NET Framework and ASP.NET That Can Be Used for Isolation

    When creating applications with the .NET Framework, you have additional capabilities that can

    create by design applications that are more fully isolated, reliable, and manageable.

.NET Applications Designed to Be Isolated Applications

    .NET applications can be constructed such that they are considered isolated applications. In th

    term isolated application has a specific meaning, which refers to a type of .NET application rat

    of configured application isolation referred to in the rest of this paper.

    When a .NET application is designed as an Isolated application, it is more stable and reliable s

    unaffected by the installation, removal, or upgrading of other applications on the system. Isola

    can be designed so that they always run using the same assembly versions with which they w

    tested.

    Isolated applications are self-describing applications installed with manifests. Isolated applicat

    Microsoft Windows XP and later systems and can use both private assemblies and shared asse

    Applications built with different versions of the same assembly may run simultaneously withou

    other's execution. The installation, removal, or upgrading of other applications on the system

    fully-isolated application. An application is fully isolated if all of its components are side-by-sid

    is partially isolated if it uses some assemblies, and some shared components that are not side-

    assemblies. Most applications will be partially isolated.

Side-by-Side Assemblies

    A common problem with deploying DLL-based applications occurs when there are different ver

with the same name, and both versions are required by some part of the application. This vers

is resolved with the use of Side-by-Side Assemblies.

A side-by-side assembly contains a collection of resources, a group of DLLs, windows classes, C

libraries, or interfaces, that are always provided to applications together. These are described in

manifest. A manifest describes the assembly's contents in XML format.

    Because of the intrinsic information provided in an assembly and its manifest, an application c

    version of an assembly it requires. And, two applications requiring different versions of the sam

    together.

    For more information about .NET application isolation and side-by-side assemblies, see


http://msdn.microsoft.com/library/en-us/sbscs/setup/about_isolated_applications_and_side_by_side_assemblies.asp.

Note: ASP.NET supports running multiple versions of the .NET Framework side-by-side but on

    IIS in IIS 5.0 isolation mode.

Application Domains

    The .NET Framework allows the deployment of multiple applications in the same application po

    built-in application protection. Each .NET application running in the application pool has an app

    and code from one domain cannot directly access objects in another domain. You can also sto

    applications within a single application pool without halting the entire application pool. This pe

    focus the enforcement of your application boundaries in the design of your application, rather

    completely on server configuration.

    Application domains provide a secure and versatile unit of processing that the common langua

    use to provide isolation between applications. You can run several application domains in a sin

    the same level of isolation that would exist in separate processes, but without incurring the ad

    of making cross-process calls or switching between processes. The ability to run multiple appli

    single process dramatically increases server scalability. In addition, code running in one applic

    directly access code or resources from another application.

Note: You cannot unload individual assemblies or types; only a complete domain can be unloa

For more information on Application Domains, see http://msdn.microsoft.com/library/en-us/cpguide/html/cpconapplicationdomainsoverview.asp.


Related Links

    See the following resources for further information:

    For the latest information about IIS, see the IIS Web site at

    http://www.microsoft.com/WindowsServer2003/iis/default.mspx . For the latest information ab

    Server 2003, see the Windows Server 2003 Web site at

    http://www.microsoft.com/windowsserver2003/default.mspx .

Technical Overview of Internet Information Services (IIS) 6.0 at http://www.microsoft.com/windowsserver2003/techinfo/overview/iis.mspx

    IIS 6.0 Documentation at

    http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddo

    us/iiswelcome.asp

How To Build and Service Isolated Applications and Side-by-Side Assemblies for Windows X

http://www.msdn.microsoft.com/library/en-us/dnwxp/html/sidexsidewinxp.asp

FrontPage 2002 Server Extensions Support Center at http://support.microsoft.com/default.aspx?scid=fh;EN-US;fp10se

FrontPage 2002 Server Extensions Administrator's Guide at http://www.microsoft.com/technet/prodtechnol/sppt/sharepnt/proddocs/admindoc/ows000.

    Welcome to the GotDotNet Home Page at http://gotdotnet.com/


    2005 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement
