IIS Application Pools for ASP.NET Apps

IIS Application Pools allow for grouping of similar or related applications to facilitate easy management and configuration. Each application assigned to an application pools (or app pool) is isolated from other apps so that issues in one pool do not impact apps in other pools. Applications which have similar performance profiles or which belong to the same department in the business can be grouped together.

IIS 7 automatically creates serveral application pools, including the default app pool which is used  when you create a new application. When you create  a new application, it is automatically  assigned to the default application pool (DefaultAppPool), and a previously deployed app can have its application pool changed (for a varierty of reasons such as to enable it to use a newer version of the .NET framework). Application pools can be created and managed  using IIS . In the IIS Management Console expand the server and select Application Pools. This lists the app pools currently set up on the server as shown below:

IIS Application Pools

Application pools set up in IIS

The application pool listing displays most of the key characteristics of each app pool:

  • Name : The name of the application pool which cannot be changed after it has been created.
  • Status : Whether the application pool is running or stopped.
  • .NET Framework Version : The .NET Framework version  which will  execute the code.
  • Managed Pipeline Mode : IIS  supports Integrated and Classic pipeline modes for handling requests.
  • Identity : The Windows account which runs the apps  in the pool.
  • Applications : The number of applications running in the pool.

Creating a New Application Pool

Create a custom application pool by  clicking the  Add Application Pool link from the right hand panel of the Application Pools screen.

Install an SSL Certificate using IIS 7

To install an SSL in IIS , you first  need to issue a certificate for your web server. For this purpose you have to select the webserver root node in the navigation tree of the management console, and select the Server Certificates feature, as shown below:

SSL Certificate IIS

After selecting Sever Certificates, the IIS management console lists all the server certificates installed on the web server (see below). The first thing to note is that  in IIS 7   you can install multiple server certificates on one web server, which can be used for multiple websites set up  on the web server (previous IIS versions allowed you to install only one server certificate per web server).

SSL Certificate IIS
In the Server Certificates feature details view in the IIS Management Console, the task pane on the right side  shows the necessary task(s) for installing server certificates. You can create a certificate request automatically that you can then use to requesting a new certificate at a CA. To create a new request, click the Create Certificate Request task link on the  pane,  this creates the same Base64-encoded request as  in previous versions of IIS. Use this Base64-encoded request file for submitting your request at the CA. After retrieving the certificate from the CA, you complete the running request by clicking the Complete Certificate Request  link. Thus you can both request and configure an SSL certificate for a standalone webserver. If you need to request an SSL  certificate for your own CA, use the Online Certification Authority wizard by clicking the Create Domain Certificate link. This certificate will then be configured in your own CA and will be used for signing certificates issued by this CA.

This process is quite laborious if you are a developer who just wants to test SSL with your own web apps. Therefore, IIS 7  ships with an additional option – creating a self-signed certificate for just your own machine. Just click the Create a Self-Signed Certificate link in the console and all you will need to specify  is a friendly name which will be displayed in the listing. The wizard creates a certificate by using the cryptographic functions of your local machine and automatically installs the certificate in your web server. 

IIS Express – Getting Started Tutorial

Note : The official name for the product is IIS Developer Express although it is often shortened to IIS Express (which is Microsoft’s internal code-name).

IIS Express is a new, lightweight version of IIS which is integrated into  WebMatrix (which is Mircosoft’s newly introduced web development environment, see WebMatrix Tutorial for an overview).  This tutorial introduces the user to the core features of IIS Express as well as it underlying technology. IIS Express does not ship with any management module such as the IIS Manager for IIS 7 and is managed from within WebMatrix or from the IIS Express icon in the task bar (integration with Visual Studio is planned for future releases).

IIS Express is a response to the issue of web developers having to master so many tools to build apps – Visual Studio, IIS Management Console, SQL Server Management Studio.  Microsoft’s plan is clearly to have a single simple tool which tightly integrates the coding tool, database management and web server management. Visual Studio does include an inbuilt web server which allows for quick testing of apps, however the inbuilt web server does not have any configuration options and is not fully compatible with IIS meaning that apps will need to be retested in the production environment. IIS Express promises a fully compatible and easy to configure testing environment for apps.

Under the Hood

An major difference between ‘classic’ IIS and IIS Developer Express is the that way worker processes are managed. In IIS   the  WAS (Windows Process Activation Service) silently activates and deactivates web apps and the admin has no direct control over this process. In IIS  Express, there is no automated WAS process and the user has full control and responsibility for  application activation and deactivation. Web sites can be launched from the  WebMatrix  development tool or from the command line (see below). Sites which are already running can be   terminated or relaunched using the IIS Express icon in the system tray.
IIS Express is actually just a thin wrapper around the  the Hostable Web Core (HWC) which is an IIS 7 API which can be used to run web applications and is essentially a web server without a user interface.

IIS Express Compatibility

IIS Express support all versions of the .NET framework from .NET 2.0 SP1 and up, the programming languages supported are Classic ASP, ASP.NET, and PHP (FastCGI is built in to IIS Express). In terms of OS’s supported it will work with any Windows operation system from XP onwards.

One key factor to note is that IIS Express is not intended for use on production servers (so it is not the IIS equivalent of the Windows Server Core). It is only intended for use on the local host and will not handle inbound traffic to the system (although it is possible in some scenarios to customize it for this purpose).

Installing IIS Express

Currently there is no separate download for IIS Express and it only comes as part of the installation of WebMatrix (which can be downloaded here). Simply install WebMatrix and IIS Express will be installed on your system.

Using IIS Express

Once WebMatrix has been installed, launch the tool and then either use a template or open a new site. Once you have a site loaded in WebMatrix, simply click the Run dropdown and select the browser to run the app in. IIS Express will then launch and run the app.

IIS Express

Once launched IIS Express is available in the system tray. There are only a limited number of options, primarily the ability to start and stop the apps:

Block IP Addresses in IIS

The IIS IP and Domain Restrictions role service enables admins to block IP addresses from accessing web apps.

To do this, open the IIS Manager, navigate to the required level (such as the site) and then click on IPv4 Address and Domain Restrictions :

Block IP Addresses in IIS

Next, select Deny Entry from the Actions menu at the top right:

Block IP Addresses in IIS

Automating IIS with PowerShell

As with most areas of Windows Server 2008 and 2008 R2 , Microsoft is emphasizing PowerShell as an important tool for managing IIS 7 and IIS 7.5. The IIS PowerShell snap-in provides many new cmdlets and enables admins to manage IIS properties in numerous different ways.

Select Windows PowerShell Modules from the Administrative Tools group and the system will load the modules included with Windows Server 2008 , including the WebAdministration module which provides the IIS functionality. You may also import the module manually from the Windows PowerShell prompt using the below command:

Import-Module WebAdministration

Once the IIS PowerShell snap-in is running, you can display all the cmdlets it contains using the below command:

Get-Command –pssnapin WebAdministration

The IIS PowerShell snap-in uses three types of cmdlets:

  • PowerShell provider cmdlets
  • Task-oriented cmdlets
  • Low-level configuration cmdlets

These cmdlet types relate to the three different methods of managing IIS from the   PowerShell prompt.

Using the IIS PowerShell Provider

The IIS PowerShell provider creates a hierarchical IIS namespace which admins can navigate similar to  a  standard directory structure. Type iis: and press Enter at the PowerShell prompt (with the WebAdministration module having been already imported) and the prompt changes to PS IIS:>  then typing the dir command displays, but the top level of the IIS namespace (not the file system) as below:


After moving to the Sites directory using  the cd Sites command, the dir command displays a list of the IIS sites on the server.

The Get-Item cmdlet allows you to show selected sites in the same format. By piping results of the Get-Item cmdlet to the Select-Object cmdlet, you can see all properties of a selected site.

Getting Started with the IIS Web Deployment Tool

The IIS Web Deployment Tool (formerly know as MS Deploy) is an IIS extension which allows admins to package an entire application plus platform (ie the website ,  web server, database, certificates and all separate apps) for deployment on another server. This tool is extremely useful for migration and backup.

The Web Deployment Tool can be downloaded from http://www.iis.net/extensions/WebDeploymentTool and installation is very straightforward. The simplest method is to first install the Web Platform Installer which will automatically install the tool and any prerequisites.

Once installed, a Deploy box will be added to  Action panel of the IIS Manager.

To export a site, select a server, site, or application in the IIS Manager and click Export Application to launch the export  wizard. The wizard allows you to select the components to export (see below) and then creates a Zip package which contains the original content plus additional configuration settings in XML.

The Zip package file  contains a complete copy of the server, site, or application you selected. The package file can be saved to act as a backup or archive of the app or it can be exported to another IIS server running the Web Deployment Tool using the Import Application… function.


IIS 7.5 and IIS 7.0 Security Best Practices – Part I

In this series of two articles, we will review some key hardening mechanisms for a corporate intranet hosted IIS 7.5 or IIS 7.0 web server running on Windows server 2008. These best practices would mitigate the risk of unauthorized access to the IIS 7.5 or IIS 7.0 installation.

Microsoft IIS 7 has an inherently stronger security design as compared to its predecessors. A default installation of IIS 7 , will only provide minimal functionality and any additional one, if needed, will have to be explicitly selected and installed by the user.

This ‘minimal installation by default’ approach reduces the ‘attack surface area’ of our website. The less functionality one installs, the less exposed one is to attack from hackers and malicious code.

Let’s dive into some of the key security best practices that we can implement to strengthen IIS 7 security:

Secure Windows Server Installation

If the underlying OS is vulnerable, it will also render the IIS web server installation vulnerable to unauthorized access. Therefore, for optimal security, and if viable, we may wish to run IIS 7 out of a secure Windows 2008 installation. In Windows Server 2008 or Windows Server 2008 R2 environment, this can be achieved by deploying Server Core Installation.

Essentially, the server core option installs only the minimal components which are required for running a specific server role. This is very important from reducing the ‘attack service area’ perspective that we discussed earlier. Apart from the security aspect, a minimal installation will also decrease overhead in administering and maintainance activities.

A server running a Server Core installation of Windows Server 2008 supports various server roles such as DNS server, Web server, File server etc. For an exhaustive list of supported roles, visit: http://go.microsoft.com/fwlink/?LinkId=99832

Note that the server core installation does not include the Graphical User Interface functionality .Therefore, to manage it locally you can use the command shell or do the same remotely through MMC ( Microsoft Management Console) installed on another system. Additionally, since ASP.NET and .NET Framework related features are not supported by the server core installation, therefore if any of your web applications use these features you should not go for this type of installation.

For detailed procedures on installing (IIS) web server role with a Windows Server 2008 Server Core installation, visit Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.

Configuring The Authentication Mechanism

If you don’t need public access to your website, you can leverage Windows authentication mode to restrict access to authorized individuals. Configuring windows authentication on your web server integrates it with Windows and Active Directory Domain Services .Each individual who wishes to access to your website will need to authenticate to your web server/integrated Active directory first.