IIS Configuration
Internet Information Services (IIS) is a flexible, secure, and manageable Web server from Microsoft for building and delivering dynamic Web applications and services. Proper configuration is crucial for performance, security, and stability.
Core Configuration Concepts
IIS configuration is primarily managed through a hierarchical structure of configuration files, with the main configuration stored in applicationHost.config. This file, located in %WINDIR%\System32\inetsrv\config, contains settings for the entire IIS server.
Web.config Files
You can override or extend server-level settings at the site, application, or directory level using web.config files. These files follow the same schema as applicationHost.config and are inherited down the hierarchy. A web.config file in a specific directory only affects that directory and its subdirectories, unless explicitly overridden by a more specific configuration file.
Configuration Sections
IIS configuration is organized into various sections, each controlling a specific aspect of the Web server. Some common and important sections include:
- system.webServer: Contains settings for the IIS Web server, such as request filtering, compression, authentication, and handler mappings.
- system.applicationHost: Manages global server settings, including sites, application pools, and virtual directories.
Key Configuration Areas
1. Sites and Bindings
A site in IIS is a collection of content and resources that are accessible from a unique address. Each site must have at least one binding, which associates it with an IP address, port, and optional host header.
Example: Binding Configuration
<sites>
  <site name="Default Web Site" id="1">
    <bindings>
      <binding protocol="http" bindingInformation="*:80:" />
      <binding protocol="https" bindingInformation="*:443:www.example.com" />
    </bindings>
  </site>
</sites>
2. Application Pools
Application pools isolate Web applications from each other, improving security and stability. Each application pool has its own worker process (w3wp.exe) that runs its applications. Key settings include:
- .NET CLR Version: Specifies the version of the .NET Common Language Runtime to use.
- Managed Pipeline Mode: Classic or Integrated. Integrated mode is recommended for modern applications.
- Identity: The user account under which the worker process runs.
3. Request Filtering
Request filtering allows you to control which types of HTTP requests are allowed to reach your Web applications. This is a critical security feature to block potentially malicious requests.
Common settings include:
- URL restrictions: Block specific URL segments or patterns.
- File name restrictions: Block access to files with certain extensions (e.g., .config, .bak).
- Header restrictions: Limit the size and content of HTTP headers.
- Verb restrictions: Allow only specific HTTP verbs (e.g., GET, POST).
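As an added illustration of the four restriction types above (example code, not from the original page), this Python script audits a constructed web.config fragment for the weak settings a reviewer would look for. The required extension list, the ".." URL sequence and the header-limit check are assumed policy choices for the example, not IIS requirements.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.config (not from any real server): it denies .bak
# but not .config, accepts unlisted verbs and sets no header limits.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
        </fileExtensions>
        <verbs allowUnlisted="true" />
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# Extensions the audit expects to be explicitly denied (assumed policy).
REQUIRED_DENIED_EXTENSIONS = {".config", ".bak"}

def audit_request_filtering(config_xml: str) -> list[str]:
    # Returns one finding per failed check; an empty list means all passed.
    findings = []
    rf = ET.fromstring(config_xml).find(
        "./system.webServer/security/requestFiltering")
    if rf is None:
        return ["no <requestFiltering> section: IIS defaults apply unchanged"]
    # File name restrictions: each required extension needs allowed="false".
    denied = {e.get("fileExtension", "").lower()
              for e in rf.findall("./fileExtensions/add")
              if e.get("allowed", "true").lower() == "false"}
    for ext in sorted(REQUIRED_DENIED_EXTENSIONS - denied):
        findings.append(f"extension {ext} is not denied")

    # Verb restrictions: an allow-list only bites with allowUnlisted="false".
    verbs = rf.find("./verbs")
    if verbs is None or verbs.get("allowUnlisted", "true").lower() != "false":
        findings.append("verbs: allowUnlisted is true, any HTTP verb is accepted")

    # Header restrictions: expect at least one explicit header size limit.
    if not rf.findall("./requestLimits/headerLimits/add"):
        findings.append("requestLimits: no headerLimits configured")

    # URL restrictions: '..' is the sequence this audit assumes must be denied.
    if ".." not in {s.get("sequence") for s in rf.findall("./denyUrlSequences/add")}:
        findings.append("denyUrlSequences: '..' is not blocked")
    return findings
```

Run against a site's real web.config by reading the file into `audit_request_filtering`; inherited settings from applicationHost.config are not merged, so audit that file separately.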
4. Authentication and Authorization
IIS provides mechanisms to authenticate users and authorize access to resources.
- Authentication: Methods like Anonymous, Basic, Windows, and Forms Authentication.
- Authorization: Rules that specify which users or groups are allowed or denied access to resources based on roles or specific identities.
Managing Configuration
IIS configuration can be managed through:
- IIS Manager GUI: A graphical interface for configuring IIS settings.
- appcmd.exe command-line tool: For scripting and automated configuration.
- Configuration files: Directly editing applicationHost.config and web.config files (use with caution).
Example: Using appcmd.exe to set a binding
%systemroot%\system32\inetsrv\appcmd.exe set site "Default Web Site" /bindings:http/*:80:
Best Practices
- Keep configurations minimal and only enable what is necessary.
- Use specific web.config files for application-level settings.
- Regularly review and update security configurations.
- Implement application pools for isolating applications.
- Use strong, unique identities for application pools.