8/7/2019 Configuring Application Isolation on Windows Server 2003
1/22
Configuring Application Isolation on Windows Server 2003
Internet Information Services (IIS) 6.0
Published: April 1, 2003
On This Page
Introduction
Using Isolation for Increased Reliability
Using Isolation to Secure Applications
Using Isolation to Improve Performance
Considerations
Summary
Appendix
Related Links
Introduction
This paper discusses the general topic of application isolation as it relates to Web applications
Server 2003 servers with IIS 6.0 running in worker process isolation mode. Isolation refers to
separation between two Web applications running on a server. In this paper, the notion of a W
meant in a very broad sense; it includes the processes, files, and even users, serviced by the a
Applications are isolated from each other to the degree that one application is prevented from resources used by another application.
Benefits of Isolation
Enterprises are increasingly interested in isolation because of the opportunity to reduce costs t
consolidation. As the capabilities of hardware increase dramatically over time, fewer servers a
deliver the same applications. While this decreases the costs of deployment and maintenance,
logistical difficulties when there is a vested interest in keeping clear boundaries between appli
consolidated to run on a single server.
In some scenarios, each Line of Business (LOB) for an organization is essentially a separate cu
group responsible for application infrastructure. For example, an organization that has been ac
compete with other parts of the acquiring organization. Consequently, there's a business requi
creating effective barriers between applications serving each LOB and protecting sensitive data
Another example of a clear need for high isolation is an ISP that hosts Web sites for many clie
customer should not be able to view the files or databases in use by other Web sites on the se
In other cases, a company may offer Web applications and other technical resources to busine
are in competition with each other. As a result, companies need to offer a high degree of isola
applications in use by their individual customers, partners, or business units using the same s
important, for example, to have the ability to configure one partner's software that accesses a
that the application could not access another partner's database.
Page Configuring Application Isolation using Windows Server 2003 and IIS 6.0
12/http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx
Another benefit of application isolation is that you can design the infrastructure of the applicat
network to improve the ability to distribute content and applications. For example, you may w
content on a remote file store so it can be shared by more than one server. Alternately, you m
each applications content on different file servers, to further isolate each LOB application, but
Web server as a front end.
The following sections discuss several approaches to obtaining a high level of isolation.
Physical Isolation
The highest degree of isolation is achieved when applications are hosted on completely differe
Clearly, this offers the most isolation for applications but is also the most expensive, requiring
hardware and server licenses to support each application. Nevertheless, in mission critical LOB
where information is very sensitive or valuable, this may be the best choice.
Virtual Isolation
You can also create isolated applications using virtual servers. Using software, such as Microso
VMware that allows you to create multiple virtual servers running as tasks on a single operatin
can create several servers that are functionally partitioned. Consequently, the applications can
isolated, yet run on the same hardware. Because virtualized systems do not perform as well a
computers, virtual isolation provides high isolation, but at the cost of performance. Another inc
software licenses for the virtual systems. In addition to the software licenses needed for the sevirtual systems, you must also acquire individual software licenses for the operating system a
on each virtual system as if each virtual system were an individual system.
Configured Isolation
Isolation by configuration means taking advantage of natural isolation boundaries, such as pro
identities, Access Control Lists (ACLs), and namespaces that occur as a result of running the a
Web server. The degree of isolation achieved through this configured isolation is not as strong
virtual isolation. Nevertheless, configured isolation is often the most reasonable choice to bala
usage, simplicity of administration, and to leverage investments in hardware, software, and lic
features in Windows Server 2003 and IIS 6.0 make this option a more reliable, secure, and sc
than previously possible.
Isolation Through Operating System Features
Microsoft Windows Server 2003 has a number of features that support creating isolated enviro
applications. Constrained Delegation and Protocol Transition allow you to pass through a user's
to file servers, regardless of the protocol used to authenticate the user on IIS. Quality of Serv
improvements include a packet scheduler integrated with IIS that enables an administrator to
of bandwidth available to an application. Windows System Resource Manager (WSRM) is availa
Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition. WSR
administrator to control exactly how much CPU an application pool can consume when the CPU
Isolation Through IIS Configuration
IIS 6.0 was designed with application isolation as a primary component of the architecture. Ea
the capacity to host one or multiple applications that can be assigned to run in a named proceapplication pool. An application pool is served by one or more worker processes, can be indepe
configured for health-related settings, and can be assigned to run in the context of a designat
In configuring application isolation, there are several objectives:
Reliability. If one application fails, it shouldn't affect other applications. Additionally, it shoto specify unique recovery actions for different applications.
Security. If one application is running malicious code from an attacker (possibly even the a
author), other applications are insulated from the effects of the malicious code, and effectiv
place to keep the attacker from crossing into another application's space.
Performance. One application that over consumes resources should not affect the availabiapplications. On the other hand, applications that require additional resources should be ab
those resources on demand.
By combining the capabilities of IIS 6.0 with those of Windows Server 2003, you can effectivel
isolation and achieve these designated goals. Additionally, improvements in FTP and Microsoft
Server Extensions help enhance isolation and security of these applications.
The rest of this paper will address the capabilities of Microsoft Windows Server 2003 and IIS 6
highly isolated applications that run on a single server. There is no single technique or adminis
achieves this goal, but when using combinations of techniques, you can effectively implement
isolation.
Top of page
Using Isolation for Increased Reliability
One of the core design goals for the IIS 6.0 architecture was to improve the isolation between
while minimizing the performance tradeoffs. This was accomplished by redesigning the IIS arc
increased reliability, security, and performance. The basics of the new architecture with regard
reliability include the following elements:
Creating an HTTP request handler, HTTP.sys that runs in the kernel of the operating systemthe task of listening for HTTP requests and queuing requests to a request queue for the app
retrieve. It does not load or execute any user-mode application code (such as ASP pages).
Running Web applications in configurable, multiple, isolated processes called worker procesunder the name W3wp.exe. This is similar to high isolation in IIS 5.0, or running out-of-pro
performance is much better because the process exchanges data directly with HTTP.sys rat
marshalling data through the IIS 5.0 main Web server process, Inetinfo.exe, as a go-betwe
Adding a new administrative process, WWW Service Administration and Monitoring compontwofold:
Creates the link between the HTTP request handler and the Web applications.
Monitors and maintains the health of worker processes.
Improved Isolation with Application Pools
Technically, an application pool is a configuration object defined by a logical process boundary
the HTTP.sys namespace mapper to direct requests to the correct worker process. In practice,
to the rather simple administrative task of using the IIS Manager to create an application pool
Project32-HighlyRestricted, and then assigning the programs contained in Web sites and direc
that application pool, or other application pools as you require (see Figure 1).
Figure 1: Assigning programs to application pools in IIS 6.0
In effect, application pools allow you to combine or isolate applications according to your techn
administrative, and business requirements.
Using Application Pools to Isolate Customer Applications or Business Units
Application pools create process boundaries between applications from different Web sites or d
This is ideal for businesses such as ISPs, where each customer's applications need to be insula
or for the scenario used above where LOB applications need to be isolated from one another. S
section of this paper for details about how to use ACLs to enforce application isolation on the f
Using Application Pools to Isolate Unreliable Applications
The WWW Service Administration and Monitoring component of IIS provides recycling and hea
can automatically restart an application pool. These features have been shown to significantly
reliability. For example, consider an important application that you cannot afford to have offlin
occasionally hangs. By placing this application in its own application pool, you insulate other a
its effects. This increases overall reliability of other applications running on the server. Also, bapplication pools are individually monitored and can be configured to be automatically restarte
unresponsive, availability for unreliable applications is increased. Troubleshooting such an app
facilitated because the application can be configured to run in its own process.
Recycling
Recycling criteria can easily be administered through the Application Pools Properties dialog, a
2 below. Recycling can be triggered based on several parameters, such as application uptime,
requests, on a scheduled basis, based on memory consumption, or at will.
Figure 2: Recycling parameters available with IIS 6.0
Recycling can enhance application isolation and reliability by:
Refreshing applications with known degradation problems before they stop responding. In msort, through experience with the application, the IIS administrator knows that the applicat
run some period before it needs to be restarted.
Recycling applications that can potentially affect the performance of other applications runnserver. For example, if an application has a memory leak and consumes too much memory,
threshold of memory use that will trigger a recycle event for the application pool.
Impacts of Application Recycling
When an application is recycled, any information stored in the worker process, such as session
optimize the performance and reliability of your applications with IIS 6.0, you'll want to design
recycled without losing ongoing transaction data. For example, you can preserve session state
process using the ASPState service in Microsoft ASP.NET or store the data in Microsoft SQL Se
Applications designed for recycling have an initialization time that is optimized to be as small a
Applications that require a long initialization procedure won't perform well with frequent recyc
work around this by scheduling recycling during low usage periods.
Finally, your applications should tolerate running side by side with other instances of the same
can configure recycling to be overlapping or non-overlapping. By default, recycling is configur
overlapping: the WWW Service Administration and Monitoring component creates a new worke
process any new requests for the application before the existing worker process is shut down.
process is kept alive until it has finished processing its existing requests or until a shutdown tim
event, whichever occurs first. During this period, both instances of the application will need to s
If recycling is configured to non-overlapping, the WWW Service Administration and Monitoring
shuts down the worker process before starting a new one. For information about configuring o
non-overlapping recycling, see DisallowOverlappingRotation in the IIS 6.0 Help
(http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/ref_mb_disallowoverlappingrotation.asp).
Health
The WWW Service Administration and Monitoring component also maintains the health of appl
periodically testing an application pool for responsiveness. Not to be confused with the Interne
Message Protocol (ICMP) ping command, this feature internally queries the application pool at
interval (every 30 seconds by default) and waits for a response.
If there is no response, the WWW Service Administration and Monitoring component shuts dow
process, publishes an event, and starts a new worker process. IIS can also be configured to no
failed worker process. In addition to keeping the failed worker process, you can specify a prog
when this event occurs to automatically instantiate troubleshooting or reporting tools.
For more information about isolating unhealthy worker processes, see Application Pool Health
(http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/ca_orphwrkrprocess.asp) and OrphanWorkerProcess
(http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/ref_mb_orphanworkerprocess.asp) in the IIS 6.0 Help.
Rapid-Fail Protection
Rapid-fail protection can protect the server from a series of rapid worker process failures in th
application pool by disabling the application pool. When an application pool is disabled, IIS rem
service and places it in a mode where the kernel-mode driver immediately returns a 503 Serv
error message to any requests for that application pool.
The number of failures and the interval in which they must occur are configurable per applicat
rapid-fail protection is enabled, the Startup time limit and Shutdown time limit settings are us
of application pool health (see Figure 3).
Figure 3: Health options available in IIS 6.0
A worker process that fails to start up or shut down within the designated time is considered to
counts toward the number of failures required to take the application pool offline. By default, r
protection is configured to disable an application pool if five application failures occur in a five-
Functional Use of Application Pools
In some cases, you will find that using an application pool is useful in order to separate applica
different technical requirements. For example, you may find it helpful to configure all applicati
a particular COM component into a single application pool, if the COM component is known to
Also, as your applications undergo upgrades and improvements, it can be useful to create sep
pools for the new versions.
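The recycling, health-monitoring and rapid-fail settings described in the preceding sections are all metabase properties of the application pool, so they can be set and verified without the IIS Manager dialogs. The following script is an added example and is not part of the original paper; it assumes Windows PowerShell 2.0 on a Windows Server 2003 computer with IIS 6.0 in worker process isolation mode and the IIS ADSI provider installed, run as a local administrator. The pool name, the path of the orphan-action tool and every threshold are illustrative values, not recommendations.

```powershell
# Added example: configure recycling, health and rapid-fail protection on one
# IIS 6.0 application pool through the IIS ADSI provider, then read it back.
# Assumed: PowerShell 2.0, Windows Server 2003, IIS 6.0 with the ADSI provider,
# local administrator. Pool name and thresholds are illustrative.

$poolName = "Project32-HighlyRestricted"
$pool = [ADSI]"IIS://localhost/W3SVC/AppPools/$poolName"

# Recycling (the Figure 2 settings). Units follow the metabase: minutes, requests, KB.
$pool.PeriodicRestartTime          = 1740     # recycle after 29 hours of uptime (IIS default)
$pool.PeriodicRestartRequests      = 50000    # ...or after this many requests
$pool.Put("PeriodicRestartSchedule", [string[]]@("03:00"))  # ...or at 03:00, a low-usage window
$pool.PeriodicRestartMemory        = 1048576  # ...or when virtual memory exceeds 1 GB (leak guard)
$pool.PeriodicRestartPrivateMemory = 524288   # ...or when private bytes exceed 512 MB
$pool.DisallowOverlappingRotation  = $false   # overlapping recycling (the default): the new
                                              # w3wp.exe starts before the old one has drained
$pool.ShutdownTimeLimit            = 90       # seconds the draining process is allowed to live

# Health: WAS pings the worker process and can orphan one that stops answering.
$pool.PingingEnabled      = $true
$pool.PingInterval        = 30     # seconds between pings (the default)
$pool.PingResponseTime    = 90     # seconds without a reply before the process is deemed hung
$pool.OrphanWorkerProcess = $true  # keep the hung process instead of killing it, and...
$pool.OrphanActionExe     = "C:\Tools\capture-dump.cmd"  # ...run this (assumed path) against it;
$pool.OrphanActionParams  = "%1%"                        # IIS substitutes the process ID for %1%

# Rapid-fail protection (the Figure 3 settings).
$pool.RapidFailProtection           = $true
$pool.RapidFailProtectionMaxCrashes = 5   # five failures...
$pool.RapidFailProtectionInterval   = 5   # ...within five minutes take the pool offline (503)
$pool.StartupTimeLimit              = 90  # seconds; a slower start counts as one failure

$pool.SetInfo()

# Read back what is now in the metabase, so a change that did not stick is visible.
$check = "PeriodicRestartTime", "PeriodicRestartMemory", "DisallowOverlappingRotation",
         "PingInterval", "PingResponseTime", "OrphanWorkerProcess",
         "RapidFailProtection", "RapidFailProtectionMaxCrashes", "RapidFailProtectionInterval"
$pool.psbase.RefreshCache()
foreach ($name in $check) { "{0,-32} {1}" -f $name, $pool.Get($name) }

# Recycling "at will" is a method on the pool object, not a property:
# $pool.psbase.Invoke("Recycle")
```

Overlapping recycling is left at its default because it keeps the application available during the recycle; it is only worth setting DisallowOverlappingRotation to $true for an application that cannot tolerate two instances of itself running side by side, as discussed above. Applying the same block to every pool on a consolidated server with one shared memory threshold would defeat the purpose of per-pool isolation, so size the thresholds per application.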
.NET Framework Application Domains
On Windows Server 2003, ASP.NET uses the application request-processing-model in worker p
and also maps one or more ASP.NET application domains to each worker process. The applicat
within a single worker process can be recycled independently and have private components, sand other private resources. This provides an additional layer and better granularity of isolatio
.NET Framework and Side-by-Side Assemblies
Traditionally, when a component or application is updated on a computer, the older version is
replaced with the newer version. If the new version is not compatible with the previous versio
breaks other applications that use the component or application. The .NET Framework provide
side-by-side execution, which allows multiple versions of an assembly or application to be inst
same computer, at the same time. Since multiple versions can be installed simultaneously, ma
applications can select which version to use without affecting other applications that use a diff
For example, applications can take advantage of side-by-side assemblies in order to allow app
installed on the same computer that require different versions of a DLL such as MDAC, MFS, M
MSXML. For more information about this topic, see the Appendix at the end of this paper.
Top of page
Using Isolation to Secure Applications
One of the primary tools for configuring isolation is the use of Access Control Lists (ACLs), auth
process identities to create effective security boundaries between applications. While configure
doesn't equate to the degree of isolation provided by independent servers, you can effectively
prevent one application from accessing the files of another application inadvertently or malicio
example, a Web site administrator may create a script to browse the directory or change files
application using the file system object. The administrator could also write an ASP application
from files of another site such as a customer database. Proper use of ACLs and other authoriza
in Windows Server 2003 can prevent this scenario from occurring.
Configuring Application Pool Identity
One of the most important rules to remember when securing a server is that all processes mu
or built-in account. In most cases, this requirement is transparent, because file system resour
or requested from an application are typically opened in the context of the user making the re
an application developer can choose to author an application in such a way that the file system
opened in the context of the account used to launch the parent process hosting an application
user.
Let's examine what happens when an anonymous user opens an application. The user makes a
application and is automatically assigned to the anonymous account (typically the IUSR_< Com
account). The requested file is opened and executed using the credentials of the anonymous u
proper permissions are in place in the IIS Manager and ACLs on the requested file. However, ithen invokes the Win32 API RevertToSelf function, subsequent file accesses made from the a
as the Network Service user account. The Network Service user account is the built-in account
identity for application pools.
Built-in Accounts
Even though the Network Service user account has limited rights on the server, application po
identity have rights to each other's resources when ACLs are configured to allow access to this
You will want to give each application pool its own identity in order to effectively isolate applica
in Figure 4.
Figure 4: The default identity for an application pool is the Network Service user account
Because an application can run as the application pool identity, when selecting an application p
should choose one with the least number of privileges required by your application. In the cas
worker process identity is set to an account with high privileges, like LocalSystem, the result m
application is given permissions beyond the scope of the authenticated user. Instead, consider
worker process identity to an account with low privileges to prevent an application from elevat
in this manner.
Assigning an Account
When configuring an individual user account as the application pool identity, you must make thmember of the IIS_WPG local group. The IIS_WPG group is created to simplify the process of
necessary authorizations and rights on all of the system resources that a worker process must
function properly, including launching application pools. When IIS is installed, or when new ap
are created, the IIS_WPG group is included in all ACLs of resources that the application pool m
However, it is not necessary to add IIS_WPG to a site's content directories and files. In fact, if
isolation between users, but configure ACLs that grant access to IIS_WPG, you may decrease
isolation because all applications whose user accounts are members of the IIS_WPG group wo
to each other's content. Consequently, you will want to add accounts you create for each applic
identity to the IIS_WPG local group, but you should not use the IIS_WPG group in ACLs on con
directories.
Accounts used for application pool identity should also be distinct from anonymous accounts a
accounts for site authors and owners. Accounts used for anonymous access or for site authorsshould not be added to the IIS_WPG group because doing so would grant those accounts acce
that are shared among application pools such as the compression cache and ASP template cac
Additionally, if you configure application pools with an identity other than Network Service an
applications launch CGI processes, you will need to assign the following user rights to account
application pool identities:
Adjust memory quotas for a process (SeIncreaseQuota)
Replace a process level token (SeAssignPrimaryToken)
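Putting the preceding subsections together: a dedicated, low-privilege account that belongs to IIS_WPG and to nothing else, a pool that runs as that account, an application assigned to the pool, and a check that no identity is serving more than one pool. The script below is an added example, not part of the original paper. It assumes Windows PowerShell 2.0 on Windows Server 2003 with IIS 6.0 and the IIS ADSI provider, run as a local administrator; the pool, account and site names are illustrative; ntrights.exe is assumed to be present from the Windows Server 2003 Resource Kit Tools, which are not installed by default. A domain account rather than a local one is needed if the pool must reach UNC content with Kerberos, as the Authentication Considerations section notes.

```powershell
# Added example: give an IIS 6.0 application pool its own identity, move a Web
# application into it, and audit for identities shared between pools.
# Assumed: PowerShell 2.0, Windows Server 2003, IIS 6.0 with the ADSI provider,
# local administrator, ntrights.exe from the Resource Kit on the path.
# Pool, account and site names are illustrative.

$poolName = "Project32-HighlyRestricted"
$acct     = "Project32_Pool"          # one identity per pool; never reuse it for another pool
$siteId   = 1                         # metabase ID of the Web site (Default Web Site is 1)
$plain    = Read-Host "Password for $acct"   # prompted, so it is not stored in the script

# 1. Local account: password never expires and cannot be changed by the account itself;
#    member of IIS_WPG only. It must not be added to Users-level groups for content.
net user $acct $plain /add /y | Out-Null
$u = [ADSI]"WinNT://./$acct,user"
$u.UserFlags = ([int]$u.UserFlags.Value) -bor 0x10000 -bor 0x40   # DONT_EXPIRE_PASSWD | PASSWD_CANT_CHANGE
$u.SetInfo()
net localgroup IIS_WPG $acct /add | Out-Null

# 2. The two user rights listed above, needed only if the pool's applications spawn CGI processes.
ntrights -u $acct +r SeIncreaseQuotaPrivilege
ntrights -u $acct +r SeAssignPrimaryTokenPrivilege

# 3. Create the pool if it does not exist, then run it as the dedicated account.
$poolPath = "IIS://localhost/W3SVC/AppPools/$poolName"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($poolPath)) {
    $pools = [ADSI]"IIS://localhost/W3SVC/AppPools"
    $new = $pools.psbase.Children.Add($poolName, "IIsApplicationPool")
    $new.psbase.CommitChanges()
}
$pool = [ADSI]$poolPath
$pool.AppPoolIdentityType = 3          # 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 specific user
$pool.WAMUserName         = $acct
$pool.WAMUserPass         = $plain
$pool.SetInfo()

# 4. Make the site root a pooled application (mode 2) in that pool; $false = do not auto-create the pool.
$root = [ADSI]"IIS://localhost/W3SVC/$siteId/Root"
$root.psbase.Invoke("AppCreate3", 2, $poolName, $false)

# 5. Audit: an identity serving more than one pool undoes the isolation this section is about.
#    Pools left on the default (Network Service) show up here together.
function Get-PoolIdentity {
    $builtIn = @{ 0 = "LocalSystem"; 1 = "LocalService"; 2 = "NetworkService" }
    foreach ($p in ([ADSI]"IIS://localhost/W3SVC/AppPools").psbase.Children) {
        $type = [int]$p.AppPoolIdentityType.Value
        $id = if ($type -eq 3) { [string]$p.WAMUserName.Value } else { $builtIn[$type] }
        New-Object PSObject -Property @{ Pool = $p.psbase.Name; Identity = $id }
    }
}
Get-PoolIdentity | Group-Object Identity | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("identity '{0}' is shared by pools: {1}" -f $_.Name,
        (($_.Group | ForEach-Object { $_.Pool }) -join ", "))
}
```

The audit at the end is the check worth keeping as a scheduled task on a consolidated server: a pool quietly recreated with the default identity, or an administrator reusing an account for convenience, shows up as a shared identity long before anyone notices that one site can read another's files.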
Authentication Considerations
Authentication is the process of proving that you are a valid user to an application. Once prove
is then assigned an identity, which is used to limit access to resources. Part of building secure
between applications is to ensure that you have the identities for your applications and users o
a way that you can effectively manage the authorization of the application and the users acce
IIS 6.0 supports Anonymous, Basic, Digest, Advanced Digest, Client Certificate, Integrated Wi
and Kerberos), and Passport authentication. Additionally, applications may implement their owmethods, for example, forms-based authentication in ASP.NET. Remember that the method yo
authentication can impact the choices you have for implementing security.
For highly isolated applications, it is best to create a unique user account to be used for anony
the application, and then assign this user as the anonymous user in the Directory Security tab
for the Web site (see Figure 5). This allows you to configure authorization (see the Configuring
section) so that applications launched by the anonymous user are constrained to appropriate r
unique anonymous user identity combined with a designated account for the application pool i
two of the essential elements needed for constructing an effective security boundary for the ap
To configure a unique anonymous user account for a Web site
1. In IIS Manager, expand the local computer, expand the Web Sites folder, right-click t
want to change, and then click Properties.
2. On the Directory Security tab, under Authentication and access control, click the
shown in Figure 5.
Figure 5: Site properties Directory Security tab
3. In the Authentication Methods dialog, enter the User name and Password of the a
anonymous access, as shown in Figure 6.
Figure 6: Configuring a unique anonymous user account
4. Click OK.
5. Click OK.
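The same procedure, scripted against the metabase properties that the Directory Security tab writes, with the check the paper implies but the dialog does not perform: that the anonymous account is not also a worker-process account. This is an added example and is not part of the original paper; it assumes Windows PowerShell 2.0 on Windows Server 2003 with IIS 6.0 and the IIS ADSI provider, run as a local administrator, and the site ID and account name are illustrative.

```powershell
# Added example: create a per-site anonymous account, assign it in the metabase,
# and verify it is neither misconfigured nor a member of IIS_WPG.
# Assumed: PowerShell 2.0, Windows Server 2003, IIS 6.0 with the ADSI provider,
# local administrator. Site ID and account name are illustrative.

$siteId = 1                      # metabase ID of the Web site
$anon   = "AppX_Anon"            # unique anonymous identity for this site only
$plain  = Read-Host "Password for $anon"

# 1. The account: password never expires and cannot be changed by the account itself.
net user $anon $plain /add /y | Out-Null
$u = [ADSI]"WinNT://./$anon,user"
$u.UserFlags = ([int]$u.UserFlags.Value) -bor 0x10000 -bor 0x40   # DONT_EXPIRE_PASSWD | PASSWD_CANT_CHANGE
$u.SetInfo()

# 2. Bind it to the site (steps 1-5 of the procedure). AnonymousPasswordSync = $false makes
#    IIS log the account on with the password given here rather than via subauthentication.
$site = [ADSI]"IIS://localhost/W3SVC/$siteId"
$site.AuthFlags = ([int]$site.AuthFlags.Value) -bor 1   # keep the existing methods, ensure AuthAnonymous (1)
$site.AnonymousUserName     = $anon
$site.AnonymousUserPass     = $plain
$site.AnonymousPasswordSync = $false
$site.SetInfo()

# 3. Checks: the name stuck, and the anonymous account is not a worker-process account.
function Get-LocalGroupMembers([string]$group) {
    $g = [ADSI]"WinNT://./$group,group"
    foreach ($m in $g.psbase.Invoke("Members")) {
        $m.GetType().InvokeMember("Name", "GetProperty", $null, $m, $null)
    }
}
function Test-AnonymousIsolation([int]$id, [string]$expected) {
    $s = [ADSI]"IIS://localhost/W3SVC/$id"
    $s.psbase.RefreshCache()
    $actual = [string]$s.AnonymousUserName.Value
    $ok     = ($actual -eq $expected)
    $inWpg  = (Get-LocalGroupMembers "IIS_WPG") -contains $expected
    if (-not $ok) { Write-Warning "site $id anonymous user is '$actual', expected '$expected'" }
    if ($inWpg)   { Write-Warning "'$expected' is a member of IIS_WPG; anonymous accounts must not be" }
    return ($ok -and -not $inWpg)
}
Test-AnonymousIsolation $siteId $anon    # $true when both checks pass
```

The IIS_WPG membership test matters because, as the previous section explains, a member of that group can reach caches shared by every application pool on the server; an anonymous Internet user running as such an account would have that reach too.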
When using Kerberos or Basic authentication, you can use UNC passthrough authentication to
credentials to be used for gaining access to a UNC share on a remote computer. Administrator
IIS to use a fixed set of credentials or to submit the user's credentials, known as pass-through
to the file server or NAS device. By default, IIS is configured to use pass-through authenticati
Kerberos authentication when working in a Windows Server 2003 environment and running ap
with the Network Service identity. You can also configure Windows Server 2003 so pass-thro
authentication is possible for any authentication method.
Note: Use a domain-based account when assigning an application pool identity if you intend t
through authentication with Kerberos. For more information about this, see the Deploying and
Internet Information Services (IIS) 6.0 with Remotely Stored Content on UNC Servers and NA
paper
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/
ASP.NET applications using forms-based authentication rely primarily on the use of .config file
authentication. The application .config files may contain user names and passwords required t
applications or may reference a database (other than the local SAM or Microsoft Active Directo
users. Applications using forms-based authentication have enhanced application boundaries, s
authentication for a user is valid only in the authorizing application.
Configuring Authorization
The foundation for effectively enforcing application isolation lies in the proper use of authoriza
Authorization uses the authenticated identity of the user, including the anonymous user, to lim
resources. For our purposes, the concept of a user is also extended to the identity of applicatio
are authorized only to use resources required by the application.
Methods for enforcing authorization include configuring ACLs on content, share permissions, th
the registry. Additionally, other techniques, for example, URL authorization using Windows Se
Authorization manager and authorization in ASP.NET applications can be used.
Configuring ACLs on Content
When configuring ACLs, your task will be easier if you keep in mind two principles:
- Assign users to groups, and then assign ACL permissions based on those groups.
- If permissions are not specifically allowed, access is denied.
When implementing permissions, users often require flexibility that was not preconceived whe
applications were first configured. To preserve your options and ease administration, consider
contain application pool identities, then assign ACLs to the groups. For example, when configu
Application X, create a group, such as ApplicationX_Processes, and then assign application poo
Application X to this group. This allows you several conveniences:
- If you change the application pool identity in the future, you only need to add the new ident
ApplicationX_Processes group. This avoids the labor-intensive, and perhaps error-prone tas
ACLs on all resources for the application.
- You may add other applications in the future (ApplicationZ) that require access to the resou
ApplicationX, and at the same time limit ApplicationX from accessing specific resources use
ApplicationZ. In other words, the ApplicationX_Processes group would contain the user acco
application pool identities assigned to both ApplicationX and ApplicationZ, but the Applicatio
group only contains the application pool identity for ApplicationZ.
- You may need to allow or deny access to resources for groups of application pools. For exam
want to create an identity for AllASP.NETApps that has access to specific resources. This is f
application pool identities are ed from specific user accounts.
Once you have assigned your application pool identity, you need to assign NTFS permissions t
resources to allow permissions on a variety of locations, including folders used in databases, c
caching of scripts, logging directories for customized logging, or other file system locations wh
application pool identity requires access. Be careful not to unintentionally allow another applic
identity access to the same resources. For example, you would not want to assign permissions
the IIS_WPG group. Remember that if access is not specifically allowed, it is denied.
In addition to configuring ACLs for the proper access by the application pool identity, you need
permissions for users. This is facilitated by creating groups that designate functions, such as
ApplicationX_authors and ApplicationX_anonusers, then adding users to these groups and assi
permissions to the groups. Having a group for anonymous users is useful in that you may wish
some users for logging or auditing purposes, but still only allow them access to resources as if
anonymous users.
Configuring for Access of UNC-based Content
When accessing content on another server using UNC paths, you must consider both Share an
permissions. Often Share permissions are left fairly open and NTFS permissions are used to se
The degree to which you lock down your Share permissions is dependent on your specific secu
requirements.
For the majority of applications, Share and NTFS permissions on remote content will be assign
authenticated user that is requesting access. If you are using the default pass-through authen
be the individual user as authenticated by IIS. If you are specifying a user account for remote
required in IIS 4.0 and IIS 5.0, the specified user will require access rights for both Share and
permissions. If the user specified for accessing remote content is not a domain account, it is b
account is created with the same user name and password on the IIS server as well as the rem
This facilitates management of remote content in the IIS Manager console. For more informat
configuring authentication and authorization for UNC servers and NAS devices, see the Deploy
Configuring Internet Information Services (IIS) 6.0 with Remotely Stored Content on UNC Ser
Devices white paper
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/
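The group-based ACL layout described above (ApplicationX_Processes for the pool identity, ApplicationX_authors and ApplicationX_anonusers for users, nothing granted to IIS_WPG), as an added PowerShell example that is not part of this white paper. The account name ApplicationX_WP, the path D:\Sites\ApplicationX and the rights chosen per group are assumptions; the audit function at the end reports any Allow ACE on the content folder that belongs to IIS_WPG or to another application's _Processes group.

```powershell
# Added example, not part of the white paper: create the ApplicationX_* groups, put the
# pool identity in ApplicationX_Processes, grant NTFS rights to the groups only, and audit
# the content folder for ACEs that would let other pools in.
# Assumptions (placeholders): local accounts on the IIS server; the pool identity account
# ApplicationX_WP already exists; content lives under D:\Sites\ApplicationX.
param(
    [string]$AppName     = 'ApplicationX',
    [string]$PoolAccount = 'ApplicationX_WP',
    [string]$ContentPath = 'D:\Sites\ApplicationX'
)

$processGroup = "${AppName}_Processes"
$authorGroup  = "${AppName}_authors"
$anonGroup    = "${AppName}_anonusers"

# 1. Function groups: one for worker-process identities, one per user role.
foreach ($group in @($processGroup, $authorGroup, $anonGroup)) {
    net localgroup $group > $null 2>&1
    if ($LASTEXITCODE -ne 0) { net localgroup $group /add | Out-Null }
}
# The pool identity goes into the group, never directly into the ACL, so a later
# identity change only means editing group membership.
net localgroup $processGroup $PoolAccount /add | Out-Null

# 2. Explicit Allow ACEs for the application's own groups. Nothing is granted to
#    IIS_WPG, because every pool identity on the server is a member of it.
$rights = @{
    $processGroup = 'ReadAndExecute'   # worker process only reads content
    $anonGroup    = 'ReadAndExecute'   # anonymous / browsing users
    $authorGroup  = 'Modify'           # content authors may write
}
$acl = Get-Acl -Path $ContentPath
foreach ($group in $rights.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $group, $rights[$group], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ContentPath -AclObject $acl

# 3. Audit: report Allow ACEs for IIS_WPG or for another application's _Processes group.
function Find-CrossAppAces {
    param([string]$Path, [string]$OwnProcessGroup)
    (Get-Acl -Path $Path).Access | Where-Object {
        $id = $_.IdentityReference.Value
        $_.AccessControlType -eq 'Allow' -and (
            $id -like '*\IIS_WPG' -or
            ($id -like '*_Processes' -and $id -notlike "*\$OwnProcessGroup"))
    }
}
Find-CrossAppAces -Path $ContentPath -OwnProcessGroup $processGroup |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Run the script once per application; an empty audit table means no other pool's identity reaches the folder through an explicit or inherited ACE. Inherited ACEs for IIS_WPG typically come from a parent folder, so they are worth checking there rather than on the content folder alone.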
Configuring ACLs on the Metabase
In addition to setting ACLs on file system resources, you can set ACLs on metabase keys. Use
Explorer 1.6 or MetaEdit 2.2 to view and set ACLs on metabase keys. Metabase Explorer 1.6 c
downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71
ade629c89499&DisplayLang=en. MetaEdit 2.2 can be downloaded from
http://download.microsoft.com/download/iis50/Utility/5.0/NT45/EN-US/MtaEdt22.exe .
For Web sites and their contents that have corresponding keys with properties in the metabas
group is set to Allow for the permissions: Query, Query Unsecure Property, and EnumeratePro
default ACLs on application pools permit the IIS_WPG, Network_Service, and Local_System ac
to query metabase properties for all application pools.
Applications running in the context of the application pool do not have the ability to alter the m
the application can be run in the security context of the Administrator identity, which by defau
on the entire metabase. This can occur, for example, when the system administrator logs in o
the application using the Administrator credentials and the application assumes the credentials
impersonation. Consequently, these settings do not represent a serious security risk. However
increase application isolation by making the following adjustments to isolate a site's metabase
- Remove entries for IIS_WPG
- Assign the worker process identity: Read
- Assign any Web site author or administrators: Read
- Give the Administrators group and any other system administrators: Full Control
Configuring ACLs on Registry Keys
On secure servers, it is recommended that permissions be tightened on certain registry keys.
provides several templates for tightening permissions, including those provided with the Secu
Guide (http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx
security in general will increase the effectiveness of application isolation, but you may need to
restrict access to portions of the registry that contain information about COM objects used by
It should not be possible, for example, for a user to determine what objects are registered on
then write a script to invoke those objects.
COM+ Isolation
COM+ Partitions can be used to isolate Web applications into their own COM+ partitions. This
prevent one Web application from accessing the private COM+ applications, configuration infor
data of another Web application. COM+ partitions can hold different versions of your own cust
components. For example, if you host Web sites for two competing companies that both use C
Web applications, you can use COM+ partitions to ensure that one company's Web application
the COM+ components in the other company's Web applications. If one of those companies as
certain features in a COM+ application that they both use, you can isolate the new version of t
application in the partition that is linked to their Web application.
To enable COM+ partitions on the IIS side, set the AspUsePartition flag of the AspAppServic
property at the application level. The partition is identified by a GUID (created using the Comp
Manager snap-in), which can be set at the AspPartitionID metabase property. If no partition is
default system partition is used. For more information, please see "Creating and Configuring C
in the COM+ SDK (http://go.microsoft.com/fwlink/?LinkId=2823).
Important: Only one version of a COM+ component can be used in any application pool, even
feature is configurable at the application level. For example, if application App1 uses version 1
COM+ application called Shop.dll, and application App2 uses version 2.0 of Shop.dll, then App
should not be in the same application pool. If they are, the application that is loaded first has i
Shop.dll loaded, and the other application is forced to use it until the applications are unloade
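Binding an application to a COM+ partition through the AspAppServiceFlags and AspPartitionID metabase properties named above, together with a check for the situation the Important note warns about (one application pool hosting applications bound to different partitions), as an added PowerShell example that is not part of this white paper. The bit value 0x4 for AspUsePartition is an assumption, the GUID is a placeholder to be replaced with the partition ID from the Component Services snap-in, and only each site's root application is inspected.

```powershell
# Added example, not part of the white paper: set the partition properties on one application
# and list application pools whose root applications declare different COM+ partitions.
# Assumptions: AspUsePartition is bit 0x4 of AspAppServiceFlags; the GUID below is a
# placeholder; only the root application of each Web site is examined.
function Set-AspPartition {
    param([string]$AppPath, [string]$PartitionId)
    $app   = [ADSI]$AppPath
    $flags = [int]$app.psbase.InvokeGet('AspAppServiceFlags')
    $app.psbase.InvokeSet('AspAppServiceFlags', ($flags -bor 0x4))   # 0x4 = AspUsePartition (assumed)
    $app.psbase.InvokeSet('AspPartitionID', $PartitionId)
    $app.psbase.CommitChanges()
}

function Find-MixedPartitionPools {
    # Returns the names of pools whose root applications use more than one partition GUID.
    $byPool = @{}
    $w3svc  = [ADSI]'IIS://localhost/W3SVC'
    foreach ($site in $w3svc.psbase.Children) {
        if ($site.psbase.SchemaClassName -ne 'IIsWebServer') { continue }
        $root = [ADSI]"$($site.psbase.Path)/Root"
        $pool = [string]$root.psbase.InvokeGet('AppPoolId')
        $part = [string]$root.psbase.InvokeGet('AspPartitionID')
        if (-not $byPool.ContainsKey($pool)) { $byPool[$pool] = @{} }
        $byPool[$pool][$part] = $true
    }
    $byPool.Keys | Where-Object { $byPool[$_].Count -gt 1 }
}

Set-AspPartition -AppPath 'IIS://localhost/W3SVC/1/Root' `
                 -PartitionId '{00000000-0000-0000-0000-000000000000}'   # placeholder GUID
Find-MixedPartitionPools
```

A pool name returned by Find-MixedPartitionPools is a candidate for splitting into one pool per partition, since whichever application loads a shared component first decides the version the other one gets.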
URL Authorization
Authorization Manager and URL authorization are features of the .NET Framework that have be
into the operating system for Windows Server 2003. Consequently, these features are availab
other applications. Windows Server 2003 and IIS 6.0 provide the ability to use Authorization M
combination with URL authorization to create sets of rules that authorize access to URLs based
roles. Roles can be defined any number of ways, including Lightweight Directory Access Protoc
queries, custom user roles, and Authorization Manager scripts (BizRules). This is quite differen
ACLs to files, because role membership can be determined through a query at the time of the
example, you could authorize employees of a company, who have been employed for more th
access a specific URL. When an employee reaches the 91st day of employment, however that is
requirements, access is granted without the need to change ACLs, or local/domain group mem
better application isolation, you may define a rule so that all employees or customers of Comp
the CompanyA application and all others are denied.
For more information about Authorization Manager, see Authorization Manager in the Windows
product documentation (http://www.microsoft.com/technet/prodtechnol/acs/proddocs/default
information about URL authorization, see URL Authorization in the IIS 6.0 Help
(http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs
us/iiswelcome.asp).
FTP User Isolation
IIS 6.0 also includes an FTP server to allow users to upload or download files. Where FTP is de
configuring your server so that FTP users cannot browse other users' directories is an importan
security. IIS 6.0 provides for this capability with FTP user isolation. When enabled, a user cann
higher up the directory tree, because the user's top-level directory appears as the root of the
Within the user's specific site, the user still has the ability to create, modify, or delete files and
FTP user isolation has three settings available for user restriction, as shown below in Figure 7.
Figure 7: FTP User Isolation allows three options to restrict user access
IMPORTANT: FTP is not a secure protocol, so user names and passwords are sent across the
text. In addition, you cannot use SSL with FTP.
FTP user isolation has two modes to isolate users: Isolate users and Isolate users using Active
Isolate Users
This mode authenticates users against local or domain accounts before they can access the ho
that matches their user name. All user home directories are in a directory structure under a si
directory where each user is placed and restricted to their home directory. In this mode, the h
name is the same as the authenticated user name. When users authenticate, they are automa
into the directory that corresponds to their logon name and they are not permitted to navigate
home directory. If users need access to dedicated shared folders, you can also establish a virt
mode may use, but does not require, the Active Directory service.
Isolate Users using Active Directory
When you set your FTP server to isolate users with Active Directory, each user's home directo
an arbitrary network path. In this mode, you have the flexibility to distribute user home direct
multiple servers, volumes, and directories, as is appropriate to the network configuration, and
directory name may be different from the authenticated user name. This is accomplished by us
the msIIS-FTPDir and msIIS-FTPRoot properties for the user object in Active Directory. Fo
information about setting these properties with the IISFTP.VBS scripts, see Setting Active Dire
Isolation in the IIS 6.0 Help
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/default.ms
the IIS 6.0 Help incorrectly lists these attributes as FTPRoot and FTPDir. These properties are
the Active Directory Users and Computers console.
For step by step instructions on how to implement FTP user isolation, see Isolating FTP Users
Help (http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/pro
us/iiswelcome.asp).
FrontPage 2002 Server Extensions Security
FrontPage 2002 Server Extensions make it simple for users to publish Web sites using FrontPa
Web applications from Microsoft Visual Interdev. You can create a FrontPage-enabled Web site
the Web site with the FrontPage Server Extensions.
To create a FrontPage-enabled Web site
1. Install FrontPage Server Extensions on the computer.
2. Right-click the Web site you want to configure, and select All Tasks, Configure Serve
2002. This launches the FrontPage Server Extensions 2002 administrative Web applica
3. Designate a user account as the virtual server administrator.
4. Click Submit to install the extensions on the Web site.
FrontPage Server Extensions uses a distributed security model where the account specified as
administrator has the right to create users and assign roles resulting in permissions being cha
site. The Web administrator can do these tasks, but is not required to be an administrator on t
Consequently, you should configure the Web administrator to use an account that is not a mem
Administrators group.
When you install FrontPage Server Extensions on your server, a specialized application pool na
MSSharepointAppPool is created and is assigned to run in the security context of the Local Sys
The _vti_bin folder of any FrontPage-enabled Web site will run in this security context. The _vt
each FrontPage-extended Web or sub-Web is a virtual directory mapped to the same physical
containing the FrontPage Server Extensions binaries, so each application runs the same FrontP
Extensions code. Although the FrontPage Server Extensions share an application pool, applicat
configured in their own application pool, so that the user-written part of the application, and a
provided code, can be isolated.
How FrontPage Manages ACLs
FrontPage Server Extensions 2002 will manage permissions on Web content without server ad
intervention, using roles-based authorization. Users are assigned roles such as browser, autho
and administrator. When you create a Web site and then extend the Web with FrontPage Serv
FrontPage Server Extensions adds certain users and groups to your Web content folders with s
permissions. These include the Network and Interactive built-in groups. This could represent a
as these groups are automatically maintained by the server. A user with a network logon type
the Network group (authenticated with NTLM, for example). A user with a local logon type (aut
Basic, for example), is a member of the Interactive group. Consequently, granting these group
to FrontPage Web content probably grants users from other Web sites and applications the sa
to the Network and Interactive groups, depending on how the users are authenticated. To imp
and security between applications, FrontPage Server Extensions on Windows Server 2003 allow
to be used for authorization.
Using Group Accounts to Isolate Access to FrontPage Webs
You can configure FrontPage Server Extensions so that they use group accounts instead of the
Network/Interactive groups. When properly configured, FrontPage Server Extensions will not a
and Interactive groups to ACLs on root Webs, but instead will authorize access to the Web usin
constructed by a prefix you provide (such as SecureWeb) and the Web site instance number. T
group name for the default Web site in this example would be SecureWeb_1. This group can th
configured manually to manage access to the Web site.
Details on implementing this feature should be read carefully at
http://www.microsoft.com/technet/prodtechnol/sppt/sharepnt/proddocs/admindoc/owsj03.ms
For more details on FrontPage Server Extensions 2002 and Microsoft SharePoint Team Service
http://www.microsoft.com/technet/prodtechnol/sppt/sharepnt/proddocs/default.mspx .
Disabling Shared File Caches
IIS and ASP use file caches to improve performance while serving Web content. On an isolated
caches should be disabled because the directories they use are shared by application pools wit
access to the IIS_WPG group. It is possible under some circumstances for a malicious site own
application running in one application pool to browse data stored by other applications in these
While the likelihood and impact of this scenario are limited, disabling IIS compression, static fi
ASP template caching blocks such exposure in the first place. Conversely, on a server in which
owners are trusted or there is a single owner for multiple sites, this is not a problem.
To disable IIS compression
1. In IIS Manager, expand the local computer, right-click the Web Sites folder, and then
Properties.
2. On the Service tab, under HTTP compression, clear the Compress static files and
application files check boxes.
3. Click Apply, and then click OK.
Alternatively, you can disable HTTP compression of static files by setting the HcDoStaticCom
HcDoDynamicCompression metabase properties to false.
To disable ASP file caching
1. In IIS Manager, expand the local computer, right-click the Web Sites folder, and then
Properties.
2. On the Home Directory tab, click Configuration.
3. On the Cache Options tab, select the Do not cache ASP files option.
4. Click OK twice to save your changes.
5. Restart IIS.
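The three cache-related settings of this section (HTTP compression, the ASP template cache and the static file cache) applied from a script and then read back, as an added PowerShell example that is not part of this white paper. The HcDoStaticCompression, HcDoDynamicCompression and DisableMemoryCache names come from the paper; the assumption that AspScriptFileCacheSize = 0 is the metabase form of the "Do not cache ASP files" option, and the metabase path of the compression node, are mine.

```powershell
# Added example, not part of the white paper: disable the shared caches with ADSI and the
# registry, restart IIS, and confirm the resulting state. Run as an Administrator on the
# IIS 6.0 server. Assumption: AspScriptFileCacheSize = 0 equals "Do not cache ASP files".
function Disable-SharedFileCaches {
    # 1. HTTP compression off for static and dynamic content (service-wide compression node).
    $comp = [ADSI]'IIS://localhost/W3SVC/Filters/Compression/Parameters'
    $comp.psbase.InvokeSet('HcDoStaticCompression',  $false)
    $comp.psbase.InvokeSet('HcDoDynamicCompression', $false)
    $comp.psbase.CommitChanges()

    # 2. ASP template cache off; set at W3SVC so every site inherits it.
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    $w3svc.psbase.InvokeSet('AspScriptFileCacheSize', 0)
    $w3svc.psbase.CommitChanges()

    # 3. Static file cache off (registry value named in the paper); needs an IIS restart.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Inetinfo\Parameters'
    Set-ItemProperty -Path $key -Name 'DisableMemoryCache' -Value 1 -Type DWord
}

function Test-SharedFileCachesDisabled {
    # Returns $true only when all three settings are in the isolated state.
    $comp  = [ADSI]'IIS://localhost/W3SVC/Filters/Compression/Parameters'
    $w3svc = [ADSI]'IIS://localhost/W3SVC'
    $reg   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Inetinfo\Parameters' `
                 -ErrorAction SilentlyContinue
    (-not $comp.psbase.InvokeGet('HcDoStaticCompression')) -and
    (-not $comp.psbase.InvokeGet('HcDoDynamicCompression')) -and
    ([int]$w3svc.psbase.InvokeGet('AspScriptFileCacheSize') -eq 0) -and
    ($reg -ne $null -and $reg.DisableMemoryCache -eq 1)
}

Disable-SharedFileCaches
iisreset | Out-Null
Test-SharedFileCachesDisabled
```

The check function is the part worth keeping: run it from a scheduled task or a build verification step so that a later change made in IIS Manager (re-enabling compression for one site, for instance) is noticed.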
To disable static file caching
Add the following value to the registry:
HKLM\System\CurrentControlSet\Services\Inetinfo\Parameters
DisableMemoryCache: REG_DWORD: 1
You need to restart IIS for this setting to take effect.
Using Isolation to Improve Performance
Another benefit of application isolation is the ability to limit the effects on other applications of
consumption by any individual application. There are a number of Windows Server 2003 and I
that help to assure that applications will have available to them the resources required when t
IIS 6.0 Features for Resource Availability
Application pools in IIS 6.0 allow better use of resources than with previous versions of IIS. Th
application pools allow you to configure a variety of parameters that affect resource use of the
Because these settings are available per application pool, you can optimize the configuration o
pool for the specific characteristics of the application, load, and resulting resources required. F
the Performance property tab for the Default Application Pool.
Memory Recycling
Each application pool can be set to recycle when it uses too much shared (maximum virtual m
privately-allocated (maximum used memory) system memory. When memory use passes one
thresholds, recycling occurs without interfering with other applications, making the memory co
application available for other applications and system requirements. (See Figure 2, Recycling
available with IIS 6.0, in the Recycling section above.)
Request Queue Limit
Because the request queue for an application pool resides in the kernel, if an application pool r
faster than it can respond, kernel memory is used to queue the requests. In order to keep que
growing too large, you can specify the maximum number of requests that can be queued for a
Subsequent requests will receive a 503 error and are logged to the HTTPERR log with a reason
QUEUE_FULL.
Rapid-Fail Protection
This topic was discussed earlier in the Isolation for Increased Reliability section. This setting co
remove an application pool that contains a failing application from service, and place it in a mo
kernel-mode driver immediately returns a 503 Service Unavailable out-of-service message to
that application pool. Consequently, this helps prevent failing applications from interfering wit
applications running on the server, and system resources that may have been locked up by a
application are released.
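The 503 rejections described in the two sections above (queue limit reached, and a pool taken out of service by rapid-fail protection) surface in the HTTPERR log, so a per-pool summary of that log is the natural check. The following PowerShell parser is an added example that is not part of this white paper; the log lines are constructed sample data in the Http.sys error-log field layout. Reason strings are compared with case and underscores ignored, so both the paper's QUEUE_FULL and a logged QueueFull match; treating AppOffline as the reason logged while rapid-fail protection holds the pool out of service is an assumption.

```powershell
# Added example, not part of the white paper: count 503 responses per application pool queue
# and reason from an HTTPERR log. Sample lines below are constructed, not captured.
$sampleLog = @'
#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Date: 2003-04-01 12:00:00
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2003-04-01 12:00:01 10.0.0.5 1034 10.0.0.1 80 HTTP/1.1 GET /default.asp 503 1 QueueFull ApplicationX
2003-04-01 12:00:01 10.0.0.6 1035 10.0.0.1 80 HTTP/1.1 GET /default.asp 503 1 QueueFull ApplicationX
2003-04-01 12:00:02 10.0.0.7 1036 10.0.0.1 80 HTTP/1.1 GET /shop/ 503 2 AppOffline ApplicationZ
2003-04-01 12:00:05 10.0.0.8 1037 10.0.0.1 80 - - - - - Timer_ConnectionIdle -
'@

function ConvertFrom-HttpErrLog {
    # Turns the space-separated records into objects named after the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim() -or $fields -eq $null) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }
}

function Get-PoolRejectionSummary {
    # One row per (queue, reason) pair with the count of 503s and two classification flags.
    param([string[]]$Lines)
    ConvertFrom-HttpErrLog -Lines $Lines |
        Where-Object { $_.'sc-status' -eq '503' } |
        Group-Object 's-queuename', 's-reason' |
        ForEach-Object {
            $reason = ($_.Group[0].'s-reason' -replace '_', '').ToLower()
            New-Object PSObject -Property @{
                AppPool   = $_.Group[0].'s-queuename'
                Reason    = $_.Group[0].'s-reason'
                Count     = $_.Count
                QueueFull = ($reason -eq 'queuefull')    # request queue limit reached
                Offline   = ($reason -eq 'appoffline')   # rapid-fail protection engaged (assumed)
            }
        }
}

Get-PoolRejectionSummary -Lines ($sampleLog -split "`r?`n") |
    Format-Table AppPool, Reason, Count, QueueFull, Offline -AutoSize
```

On a real server, replace $sampleLog with Get-Content of the current file under the HTTPERR directory; a steadily rising QueueFull count for one pool while the others stay at zero is the signature of one application's load being contained by its own queue limit rather than spilling over to its neighbours.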
Number of Connections
On the Performance tab of the properties of a Web site, you can set the number of connection
Web site. This could be useful when you are offering Web sites that provide a number of conne
condition of service, or when you are concerned about the number of connections overwhelmi
applications. Additionally, you may have non-critical, but popular Web sites you wish to constr
make resources available to other applications.
Windows Server 2003 Features for Resource Availability
Windows Server 2003 has several features that can be implemented to help assure resource a
Web applications. In some cases, enabling a feature in IIS invokes a process for installing the
server level. For example, configuring bandwidth throttling in IIS Manager automatically enab
Service Packet Scheduler for the server. In this way, server capabilities are more seamlessly i
IIS Manager than in previous versions of IIS.
Windows System Resource Manager
Windows System Resource Manager (WSRM) is available for use with Windows Server 2003, E
and Windows Server 2003, Datacenter Edition. WSRM enables you to manage CPU and memor
per process basis. An administrator sets targets for the amount of hardware resources that run
applications or users are allowed to consume. This means that you can allocate resources amo
applications on a server according to your business priorities.
When used to manage IIS performance, WSRM enables a system administrator to do the follow
- Set CPU and memory allocation policies on applications. This includes selecting processes to
and setting resource usage targets or limits.
- Manage CPU utilization (percent CPU in use).
- Generate, store, view, and export resource utilization accounting records for management,
agreement (SLA) tracking, and charge-back purposes.
WSRM maintains an updatable exclusion list of processes that shouldn't be managed because
system impact such management could create. WSRM does not manage address windowing ex
memory, large page memory, locked memory, or operating system pool memory.
Bandwidth Throttling
On the Performance tab of the properties of a Web site, you can enable bandwidth throttling a
maximum bandwidth consumption for a Web site. Unlike previous versions of IIS, bandwidth t
the Quality of Service Packet Scheduler to manage when data packets are sent. When you con
use bandwidth throttling using IIS Manager, Packet Scheduler is automatically installed, and I
sets bandwidth throttling to a minimum of 1024 bytes/second. You can configure this setting h
lower.
Using Resources Efficiently
Of course, if you have sufficient resources available for your applications, you do not need to s
time constraining applications and Web site use. Toward that end, application pools have seve
that optimize server resources.
Idle Time-out
Idle Time-out is located on the Performance tab of application pool properties. When configure
process in an application pool will be terminated if it remains idle for the configured interval. T
memory-based resources for active applications. For ISPs that often have many Web sites on a
only a few active at any time, this permits a greater Web site density per server, without over
server resources.
Demand Start
Another feature of IIS 6.0 that helps with efficient use of resources is demand start. Applicatio
though configured and available, are not started until they are requested. In this way, applicat
loaded before they are required, which keeps resources available until the moment they are ne
this also may intensify the performance impact of application startup time. If your applications
optimized to start up quickly, and you don't have a large number of applications in use, you m
disable Idle Time-out so that once applications are launched, their worker process remains act
resources acquired by the application are not released.
Web Gardens
A Web garden is an application pool that is serviced by more than one worker process simultan
enabled by setting the number of worker processes setting to more than one on the Performan
application pool. When requests for the application begin to queue, IIS 6.0 automatically creat
worker process for the same application pool and begins to route new requests to the new wo
When demand is reduced, the worker processes will eventually be spun down and resources re
gardens are useful in situations where there are a high number of concurrent connections and
locks and resources within a single process may limit request throughput.
CPU Affinity
Application pools can be assigned to run on a CPU. On an SMP system, this allows you to distr
resources among the application pools. For example, if you have an application pool that runs
application, assigning the application pool to a CPU could assist with performance by making c
enough CPU processing power is available to the application. This also leverages the caching te
into the processor. Other application pools can similarly be configured away from the dedicate
affinity is set in the metabase. For more information about configuring CPU affinity, see SMPA
IIS 6.0 help (http://www.microsoft.com/resources/documentation/windowsserv/2003/datacen
us/ref_mb_smpaffinitized.asp).
Considerations
Performance and Scale
While high isolation achieves many benefits, it impacts scaling for the server. For example, Mi
show that you can run up to approximately 500 worker processes simultaneously. Assuming y
sites, you can configure your application pools so that applications share them, a low isolation a
can give each application its own application pool, but set the application pool time-out aggres
Numbe r of Appl i c a ti on P ool s Tha t Ca n Be Confi gur e d
In the default configuration, using Network_Service as the application pool identity, you can c
number of application pools without any difficulty. When you specify an identity for an applicat
given a set of resources, including a non-visible desktop. Interactive processes use desktops f
events or messages, such as a mouse click, to Windows applications. In this context, only a fe
ever required by an application. For server applications, such as IIS, there is no interactive us
COM applications running in a Single Threaded Apartment (STA) use the Windows message pu
to marshal data to COM components created within the process, and desktops are created eveapplication uses no COM components. Microsoft tests show that when configuring more than 6
pools with unique identities, a shared desktop should be used. This may be configured by sett
key HKLM \ S y s te m\ Cur r e ntContr ol S e t\ S e r v i c e s \ W 3 S V C\ P a r a me te r s \ Us e S ha r e dW P D
When this setting is enabled, application pools share a common desktop, thereby increasing sc
Number of Web Sites and Active Worker Processes
The number of application pool worker processes that can be simultaneously active on a serve
on a variety of factors, including hardware configuration, the specific language in use, number
of application pools, and how those application pools are configured. IIS supports up to 20,000
sites, although the number of concurrent sites varies in practice, depending on how they are c
application pools and the ratio of active to configured sites on a server.
Regarding non-ASP.NET applications, IIS 6.0 has been tested on a well-configured mainframe
up to 2,000 concurrent worker processes, each serving one application pool, but not using uni
practice, a design of up to 500 simultaneous application pools is achievable, depending on the
requirements and assuming hardware resources are not a significant constraint. It is importan
UseSharedWPDesktop registry setting mentioned above when using more than 60 applicatio
unique identities.
When running ASP in a hundred or more application pools, you will need to configure ASP to ru
a Multi-Threaded Apartment (MTA). To enable this capability, set the metabase property AspE
to 1 (it is set to 0 by default). When ASP is set to run in a MTA and the ASP application also us
Threaded Apartment (STA) objects, performance may be affected by the data marshalling that
ASP, running in an MTA, and the component, which runs in a STA in another process. If you a
components such as ADO, which use an apartment model of "Both", there should be no problems
this setting. For more information about enabling multi-threaded apartments, see AspExecute
6.0 Help.
ASP.NET applications require more resources than ASP. While 500 individual application pools
reasonable for ASP, it is aggressive for ASP.NET. You will need to study your server performan
added to determine a practical ceiling for the number of application pools running ASP.NET in
environment.
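The two thresholds above (a shared desktop once more than 60 application pools use unique identities, and ASP in an MTA once ASP runs in a hundred or more pools) are easy to drift past as pools are added. The following C# console program is an added example, not code from this white paper or from Microsoft; it reads the application pool list and the W3SVC node through the ADSI provider for the IIS 6.0 metabase, reads the registry value described above, and reports which threshold is exceeded without the matching setting. The metabase property names AppPoolIdentityType and AspExecuteInMTA are the standard IIS 6.0 names; the numeric mapping of AppPoolIdentityType values and the registry value being a non-zero DWORD are assumptions noted in the code. It only reads configuration and must run on the server as an administrator.

```csharp
// Added example, not code from the white paper: a read-only audit of an IIS 6.0
// server against the two scaling thresholds the text gives (shared desktop above
// 60 application pools with unique identities; ASP in an MTA at 100+ pools).
// Property names are the IIS 6.0 metabase names; the numeric AppPoolIdentityType
// mapping and the DWORD type of UseSharedWPDesktop are assumptions.
using System;
using System.Collections;
using System.DirectoryServices;   // ADSI provider for the IIS metabase
using Microsoft.Win32;

public class AppPoolScalingAudit
{
    // Assumed AppPoolIdentityType values: 0 LocalSystem, 1 LocalService,
    // 2 NetworkService (the default identity the paper describes), 3 SpecificUser.
    const int SpecificUser = 3;
    const int SharedDesktopThreshold = 60;   // from the paper
    const int AspMtaThreshold = 100;         // from the paper

    const string W3svcParams = @"System\CurrentControlSet\Services\W3SVC\Parameters";

    // Pure decision logic, kept apart from the server calls so it can be checked offline.
    public static string[] Evaluate(int totalPools, int uniqueIdentityPools,
                                    bool sharedDesktop, bool aspInMta)
    {
        ArrayList findings = new ArrayList();
        if (uniqueIdentityPools > SharedDesktopThreshold && !sharedDesktop)
            findings.Add(string.Format(
                "{0} pools use a specific user identity (> {1}); set UseSharedWPDesktop=1 under HKLM\\{2}",
                uniqueIdentityPools, SharedDesktopThreshold, W3svcParams));
        if (totalPools >= AspMtaThreshold && !aspInMta)
            findings.Add(string.Format(
                "{0} pools configured (>= {1}); if they serve ASP, set AspExecuteInMTA=1 on W3SVC",
                totalPools, AspMtaThreshold));
        return (string[])findings.ToArray(typeof(string));
    }

    // Registry value described in the paper; absent or zero means "not enabled".
    static bool ReadSharedDesktopFlag()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(W3svcParams))
        {
            object value = key == null ? null : key.GetValue("UseSharedWPDesktop");
            return value != null && Convert.ToInt32(value) != 0;
        }
    }

    // Metabase property AspExecuteInMTA is Boolean and defaults to 0 (false).
    static bool ReadAspMtaFlag()
    {
        using (DirectoryEntry w3svc = new DirectoryEntry("IIS://localhost/W3SVC"))
        {
            object value = w3svc.Properties["AspExecuteInMTA"].Value;
            return value != null && Convert.ToBoolean(value);
        }
    }

    static void CountPools(out int total, out int uniqueIdentity)
    {
        total = 0;
        uniqueIdentity = 0;
        using (DirectoryEntry pools = new DirectoryEntry("IIS://localhost/W3SVC/AppPools"))
        {
            foreach (DirectoryEntry pool in pools.Children)
            {
                if (pool.SchemaClassName != "IIsApplicationPool") continue;
                total++;
                object idType = pool.Properties["AppPoolIdentityType"].Value;
                if (idType != null && Convert.ToInt32(idType) == SpecificUser)
                    uniqueIdentity++;
                pool.Dispose();
            }
        }
    }

    static void Main()
    {
        int total, unique;
        CountPools(out total, out unique);
        string[] findings = Evaluate(total, unique, ReadSharedDesktopFlag(), ReadAspMtaFlag());
        Console.WriteLine("Application pools: {0} total, {1} with a specific user identity", total, unique);
        if (findings.Length == 0) Console.WriteLine("No scaling thresholds exceeded.");
        foreach (string f in findings) Console.WriteLine("WARNING: " + f);
    }
}
```

Compile it against System.DirectoryServices.dll and run it on the server after each batch of pools is added. The Evaluate method is deliberately free of server calls so the threshold logic can be exercised with constructed counts before the tool is trusted on production configuration.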
Summary
In this white paper, we have reviewed the various techniques you can employ to increase appl
and the various benefits that isolation can offer. While clearly the most isolated design would
computer for each application, you can create effective application boundaries by correctly con
Windows Server 2003 and IIS 6.0. The ability to gather or isolate Web applications into an app
IIS 6.0 is perhaps the most significant component of application isolation. The built-in abilities
manage resources efficiently, monitor application health, recycle applications, and assign secu
application pools creates a centerpiece from which you can deploy isolated applications. Comb
abilities with proper use of authentication, ACLs on various resources, and constraining applica
required, creates an environment where applications can have an optimized set of resources av
on demand, as well as minimizing the impacts of poorly-performing or resource-intensive appl
server.
When your Web sites require FrontPage Server Extensions 2002, you can configure the extens
defined local group for ACLs on Web content. This permits you to allow FrontPage authors and
to deploy content only on their assigned Web sites.
Finally, by deploying .NET applications that use isolated application design and side-by-side as
can strengthen application isolation and minimize versioning problems induced when multiple a
share the same code base.
Taken as a whole, some subset of the capabilities are more than sufficient, in most cases, to p
applications to be deployed on a server, while assuring that those applications are independen
available.
Appendix
The .NET Framework, which includes ASP.NET, has capabilities that can be used to enhance ap
isolation. These features are implemented by software engineers in the design and implement
applications and are not specifically related to IIS capabilities. The Windows Server 2003 platf
specifically to support .NET applications, making it an ideal choice for deploying highly reliable
Web-based applications.
Features of .NET Framework and ASP.NET That Can Be Used for Isolation
When creating applications with the .NET Framework, you have additional capabilities that can
create by design applications that are more fully isolated, reliable, and manageable.
.NET Applications Designed to Be Isolated Applications
.NET applications can be constructed such that they are considered isolated applications. In th
term isolated application has a specific meaning, which refers to a type of .NET application rat
of configured application isolation referred to in the rest of this paper.
When a .NET application is designed as an Isolated application, it is more stable and reliable s
unaffected by the installation, removal, or upgrading of other applications on the system. Isola
can be designed so that they always run using the same assembly versions with which they w
tested.
Isolated applications are self-describing applications installed with manifests. Isolated applicat
Microsoft Windows XP and later systems and can use both private assemblies and shared asse
Applications built with different versions of the same assembly may run simultaneously withou
other's execution. The installation, removal, or upgrading of other applications on the system
fully-isolated application. An application is fully isolated if all of its components are side-by-sid
is partially isolated if it uses some assemblies, and some shared components that are not side-
assemblies. Most applications will be partially isolated.
Side-by-Side Assemblies
A common problem with deploying DLL-based applications occurs when there are different ver
with the same name, and both versions are required by some part of the application. This vers
is resolved with the use of Side-by-Side Assemblies.
A side-by-side assembly contains a collection of resources, a group of DLLs, windows classes, C
libraries, or interfaces, that are always provided to applications together. These are described in
manifest. A manifest describes the assembly's contents in XML format.
Because of the intrinsic information provided in an assembly and its manifest, an application c
version of an assembly it requires. And, two applications requiring different versions of the sam
together.
For more information about .NET application isolation and side-by-side assemblies, see
http://msdn.microsoft.com/library/en-us/sbscs/setup/about_isolated_applications_and_side_by_side_assemblies.asp.
Note: ASP.NET supports running multiple versions of the .NET Framework side-by-side but on
IIS in IIS 5.0 isolation mode.
Application Domains
The .NET Framework allows the deployment of multiple applications in the same application po
built-in application protection. Each .NET application running in the application pool has an app
and code from one domain cannot directly access objects in another domain. You can also sto
applications within a single application pool without halting the entire application pool. This pe
focus the enforcement of your application boundaries in the design of your application, rather
completely on server configuration.
Application domains provide a secure and versatile unit of processing that the common langua
use to provide isolation between applications. You can run several application domains in a sin
the same level of isolation that would exist in separate processes, but without incurring the ad
of making cross-process calls or switching between processes. The ability to run multiple appli
single process dramatically increases server scalability. In addition, code running in one applic
directly access code or resources from another application.
Note: You cannot unload individual assemblies or types; only a complete domain can be unloa
For more information on Application Domains, see http://msdn.microsoft.com/library/en-
us/cpguide/html/cpconapplicationdomainsoverview.asp .
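The two properties stated above, that code in one domain cannot directly reach objects in another and that only a whole domain can be unloaded, can be observed directly with the .NET Framework AppDomain API. The program below is an added example written for this page, not code from the white paper or from Microsoft. The type and domain names (TenantWorker, TenantA) are invented for the illustration; it requires the .NET Framework, since .NET Core and later runtimes do not support creating application domains.

```csharp
// Added example, not code from the white paper: demonstrates the application
// domain behaviour the text describes, using the .NET Framework AppDomain API.
// Names TenantWorker and TenantA are invented for the illustration.
using System;

// Deriving from MarshalByRefObject lets the default domain hold a proxy to an
// instance that lives in another domain; without it (or [Serializable]) the
// CreateInstanceAndUnwrap call below would fail with a serialization error.
public class TenantWorker : MarshalByRefObject
{
    // Static fields are per domain: each application domain gets its own copy.
    public static int Counter = 0;

    public int Increment()
    {
        Counter++;
        return Counter;
    }

    public string DomainName()
    {
        return AppDomain.CurrentDomain.FriendlyName;
    }
}

public class AppDomainIsolationDemo
{
    public static void Main()
    {
        AppDomain tenantA = AppDomain.CreateDomain("TenantA");

        // The returned object is a transparent proxy; every call is marshalled
        // across the domain boundary instead of touching the object directly.
        TenantWorker remote = (TenantWorker)tenantA.CreateInstanceAndUnwrap(
            typeof(TenantWorker).Assembly.FullName, typeof(TenantWorker).FullName);

        remote.Increment();
        int remoteCount = remote.Increment();      // 2, counted inside TenantA
        int localCount = TenantWorker.Counter;     // 0, the default domain's own copy
        Console.WriteLine("{0}: counter = {1}; default domain: counter = {2}",
            remote.DomainName(), remoteCount, localCount);

        // Unloading tears down the whole domain and everything loaded into it.
        // There is no API to unload a single assembly or type, as the note says.
        AppDomain.Unload(tenantA);
        try
        {
            remote.DomainName();
        }
        catch (AppDomainUnloadedException)
        {
            Console.WriteLine("TenantA unloaded; the proxy is dead while the default domain keeps running.");
        }
    }
}
```

The per-domain static counter is the point to notice: two ASP.NET applications hosted in one application pool each see their own copy of every static, which is why a fault or a restart in one application's domain does not disturb the other, while the process (and its worker process identity, recycling and health monitoring) is shared.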
Related Links
See the following resources for further information:
For the latest information about IIS, see the IIS Web site at
http://www.microsoft.com/WindowsServer2003/iis/default.mspx . For the latest information ab
Server 2003, see the Windows Server 2003 Web site at
http://www.microsoft.com/windowsserver2003/default.mspx .
Technical Overview of Internet Information Services (IIS) 6.0 at
http://www.microsoft.com/windowsserver2003/techinfo/overview/iis.mspx
IIS 6.0 Documentation at
http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/iiswelcome.asp
How To Build and Service Isolated Applications and Side-by-Side Assemblies for Windows X
http://www.msdn.microsoft.com/library/en-us/dnwxp/html/sidexsidewinxp.asp
FrontPage 2002 Server Extensions Support Center at
http://support.microsoft.com/default.aspx?scid=fh;EN-US;fp10se
FrontPage 2002 Server Extensions Administrators Guide at
http://www.microsoft.com/technet/prodtechnol/sppt/sharepnt/proddocs/admindoc/ows000.mspx
Welcome to the GotDotNet Home Page at http://gotdotnet.com/
2005 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement