IIS Community Newsletter – May / June 2011 Edition

The May / June combined newsletter has been published.

http://www.iisnewsletter.com/archive/mayjune2011.html

Steve Schofield
Windows Server MVP – ASP.NET / IIS
http://www.iislogs.com/steveschofield

http://www.IISLogs.com
Log archival solution
Install, Configure, Forget

Questions on Microsoft SMTP Service – visit http://www.smtp.ws
IIS Community Newsletter – visit http://www.iisnewsletter.com

IISLogs.com upgraded to Orchard 1.2

I’m excited to announce that IISLogs (and my blog) have been upgraded to Orchard 1.2. The upgrade process wasn’t too painful; I’d suggest using WinMerge to compare folders and files. This came in handy when comparing my Modules and Themes folders. One thing I found extremely useful for detecting errors was using the IIS SEO Toolkit to scour my site looking for errors.

If you find any errors, please let me know.

Cheers,

Steve Schofield

Blog has officially moved. Please update your links

After 7 1/2 years, my blog and all its content have been moved to my own domain! I’ve worked with the admins who run http://weblogs.asp.net to implement a 301 redirect. Old links should redirect to the corresponding link on my new blog. It’s been quite an adventure. Check out the post related to standing up Orchard, here is the link  I’ve been really impressed with the performance of Orchard. I’ve been testing a VPS at GoDaddy (1 proc, 2 GB, 30 GB of RAM) for $40 per month. So far so good. Stay tuned on this, more updates to come.

Here are the URL Rewrite rules I implemented. I used appcmd migrate config "iislogs.com/r" to update the "r" folder, which handles all the redirects, so it would work in an ASP.NET 4.0 integrated app pool.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <!-- old archive URLs: the fourth capture is the post slug, carried over as {R:4} -->
                <rule name="Redirect archive Article" stopProcessing="true">
                    <match url="archive/(.*)/(.*)/(.*)/(.*)\." />
                    <action type="Redirect" url="http://www.iislogs.com/steveschofield/{R:4}" appendQueryString="false" redirectType="Permanent" />
                </rule>
                <rule name="Redirect default.aspx" stopProcessing="true">
                    <match url="(default.aspx)" />
                    <action type="Redirect" url="http://www.iislogs.com/steveschofield/" appendQueryString="false" redirectType="Permanent" />
                </rule>
                <!-- catch-all: anything not matched above lands on the blog home page -->
                <rule name="Redirect Everything Else" stopProcessing="true">
                    <match url=".*" />
                    <action type="Redirect" url="http://www.iislogs.com/steveschofield/" appendQueryString="false" redirectType="Permanent" />
                </rule>
            </rules>
        </rewrite>
        <!-- redirect responses are deliberately kept out of the user-mode and kernel-mode caches -->
        <caching enabled="false" enableKernelCache="false" />
        <modules>
            <remove name="ServiceModel" />
            <add name="ErrorHandlerModule" type="System.Web.Mobile.ErrorHandlerModule, System.Web.Mobile, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" preCondition="managedHandler" />
            <add name="ServiceModel" type="System.ServiceModel.Activation.HttpModule, System.ServiceModel.Activation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
            <add name="WarmupHttpModule" type="Orchard.WarmupStarter.WarmupHttpModule, Orchard.WarmupStarter, Version=1.0.20, Culture=neutral" preCondition="managedHandler" />
        </modules>
        <handlers>
            <remove name="svc-Integrated" />
            <remove name="xoml-Integrated" />
            <add name="*_*" path="*" verb="*" type="System.Web.HttpNotFoundHandler" preCondition="integratedMode,runtimeVersionv2.0" />
        </handlers>
        <validation validateIntegratedModeConfiguration="false" />
    </system.webServer>
</configuration>

PS – I ran into a kernel-mode cache issue, so I don’t want redirects cached.
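To see how the three rules above chain, here is an added PowerShell check (not part of the original post) that applies them to a few constructed old-blog paths with the same first-match-wins, stopProcessing semantics URL Rewrite uses; only the {R:n} back-reference is modelled, and the sample paths are assumptions.

```powershell
# Added example, not from the original post. Rule order and patterns copied from the
# web.config above; sample paths are constructed for illustration.
$rules = @(
    @{ Name = 'Redirect archive Article'; Match = 'archive/(.*)/(.*)/(.*)/(.*)\.'
       Target = 'http://www.iislogs.com/steveschofield/{R:4}' },
    @{ Name = 'Redirect default.aspx';    Match = '(default.aspx)'
       Target = 'http://www.iislogs.com/steveschofield/' },
    @{ Name = 'Redirect Everything Else'; Match = '.*'
       Target = 'http://www.iislogs.com/steveschofield/' }
)

function Resolve-OldUrl {
    param([string]$Path)   # site-relative path, as URL Rewrite's {URL} sees it
    foreach ($rule in $rules) {
        $m = [regex]::Match($Path, $rule.Match, 'IgnoreCase')
        if (-not $m.Success) { continue }
        $target = $rule.Target
        # substitute every {R:n} with the n-th capture group of the match
        for ($i = 0; $i -lt $m.Groups.Count; $i++) {
            $target = $target.Replace("{R:$i}", $m.Groups[$i].Value)
        }
        # stopProcessing="true": first matching rule wins, later rules are not evaluated
        return [pscustomobject]@{ Path = $Path; Rule = $rule.Name; Location = $target }
    }
}

# constructed sample paths from the old Community Server URL scheme
'steveschofield/archive/2010/12/05/some-post.aspx',
'default.aspx',
'steveschofield/rss.aspx' | ForEach-Object { Resolve-OldUrl $_ } | Format-Table -AutoSize
```

Because the first pattern is not anchored and its last group is greedy, the slug is everything after the date folders up to the final dot, so the file extension is dropped from the redirect target.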

Thank you,

Steve Schofield
Windows Server MVP – IIS
http://www.iislogs.com/steveschofield

Security best practices using Active Directory for server, process identity in a public facing web application

I received a post on the forums, and it was suggested that I turn it into a blog post. Here is the original post: http://forums.iis.net/t/1178739.aspx

Question:
We have an asp.net public facing web solution. The solution uses SqlMembershipProvider to authenticate users and includes the following servers:

· Two Load balanced web servers in the DMZ

· Sql Server Database Server, with many SSIS packages that transfer files between the web server and database server

Traditionally, the web servers stay standalone servers and are not part of any domain. We are thinking of using Active Directory.

We are thinking of having an AD server dedicated to this solution only (it is different from the company’s operational AD). The AD server in the server environment lets the web server’s application pool be authenticated against the SQL server, to avoid the requirement of having SQL server UID/PWD in the web.config files.

From the security best practices approach, which one of the following options is recommended?

· Option 1) Public facing web servers stay standalone; SQL server authentication is used

· Option 2) Public facing web servers are part of an AD domain (different from the company’s operational domain) and the database server authenticates the web servers by their application pool identity.

The AD server won’t be used to authenticate web application users.

Response:

I can make an argument for both solutions.

1) For stand-alone boxes, you could encrypt the connection strings to protect creds. Having AD introduces more expertise and administration. If you have AD locally and some expertise, then it’s not too bad. Having DCs costs more: more administration, more hardware to support, more licensing. The downside of stand-alone is that you have to manage each box as a stand-alone entity; depending on how many boxes, this is a BIG drawback. Yes, you can have the same user id and password if you have scripting.

2) For an AD environment, you get group policy and centralized administration; both are HUGE wins IMO. With group policy you can manage all kinds of settings including folder and registry security, auditing, and certificate distribution, along with hundreds of other settings. Group Policy Preferences is my favorite. Most of the negatives for #2 are mentioned in #1. AD helps with administration / management, but it has overhead. I like using Windows accounts vs. SQL accounts because of the integrated security: no passwords stored in config files that need to be managed.

Over my years of experience, I tend to have a blend of security with administration. I’ve implemented AD in my environment and haven’t looked back. The benefits outweigh the risks and additional administration. Once AD is set up, it kind of runs itself if not tinkered with. You need a very stable DNS infrastructure to support AD. Your applications would need to blend with the AD DNS (or a BIND DNS that supports SRV records). If you have some type of solution like Altiris that is agent based and can go across forests (last I knew), management of apps and packages might be easier. I hope there is some advice and things to think about here. PS – AD is really a core technology that a lot of other MS solutions integrate with; it’s worth having IMO.
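The two options come down to where the SQL credential lives. As an added example (not from the original post or the forum thread), the PowerShell below shows Option 1 done properly for the two load-balanced DMZ servers in the question, where a shared RSA key container is needed so a section encrypted on one box decrypts on the other, and the Option 2 connection string that holds no secret at all. The app path, app pool name, key container name, provider name and SQL host are assumptions.

```powershell
# Added example, not from the original post. Assumes the app lives at
# C:\inetpub\wwwroot\app on both DMZ web servers and runs in app pool "PublicApp".
$regiis  = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
$appPath = 'C:\inetpub\wwwroot\app'

# Option 1 (stand-alone web servers, SQL authentication): the SQL login stays in
# web.config but never in clear text. The default machine-level RSA key is different on
# each server, so two load-balanced boxes must share one exportable key container.
# --- run once on server A ---
& $regiis -pc 'SharedCfgKeys' -exp                                  # exportable container
& $regiis -px 'SharedCfgKeys' 'C:\temp\SharedCfgKeys.xml' -pri      # export incl. private key
# copy SharedCfgKeys.xml to server B over an admin channel, then delete the file on both
# --- run on server B ---
& $regiis -pi 'SharedCfgKeys' 'C:\temp\SharedCfgKeys.xml'
# --- run on both servers ---
& $regiis -pa 'SharedCfgKeys' 'IIS APPPOOL\PublicApp'               # pool identity may read the key

# web.config must register a provider that points at that container before encrypting:
# <configProtectedData>
#   <providers>
#     <add name="SharedRsaProvider"
#          type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
#          keyContainerName="SharedCfgKeys" useMachineContainer="true" />
#   </providers>
# </configProtectedData>
& $regiis -pef 'connectionStrings' $appPath -prov 'SharedRsaProvider'

# Check: the on-disk section is now <EncryptedData>; the app still reads it transparently.
Select-String -Path "$appPath\web.config" -Pattern 'EncryptedData' | Select-Object -First 1

# Option 2 (web servers domain-joined, Windows auth to SQL): nothing to encrypt.
#   <add name="AppDb" connectionString="Server=sqlbox;Database=AppDb;Integrated Security=SSPI" />
# SQL sees the app pool identity, so run the pool as a dedicated domain account (or grant
# the machine account, DOMAIN\WEB01$, a login) and give only that principal the rights it needs.
```

With Option 1 the private key file is the secret to protect during the copy; with Option 2 the secret is the pool identity's domain credential, which Windows manages for you.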

Here is an article published by the AD team at MS:

http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=c1d0fd00-bf31-4b20-95c6-279a4ce7c2b4

“Old school” is right; I’ve been using AD since w2k in a public facing environment. AD is the foundation on which many things can help provide a consistent, secure and stable environment. I use group policy extensively to lock down servers with Windows Firewall. The only real opening is a few management / utility servers that are trusted. You can honestly lock them down hard, but you still have to manage, monitor and deploy code to them. I’ve managed stand-alone machines (not since w2k3 / w2k), so my perspective is a bit aged on that front; however, AD provides more benefit than hassle. I probably could write a really long article on the topic of how I used it, why and such. This is one of those topics near to my heart. 🙂

Here is a post I did on ActiveDir regarding w2k8 r2 firewall management and GPOs that relates to this post.

I’ve used GPOs to manage Windows Firewall on w2k8 and above. I hear Forefront enhances management and functionality, but this requires SCCM.

Here is a description of what I’ve found effective.

1) Have a base settings policy; this is linked at a higher level and applies to ALL servers (no firewall policies, but things like DNS suffix search order, auditing, and other base settings that apply to ALL boxes).
2) Have a base firewall policy holding all firewall rules that apply to all servers, including exceptions for backup servers, monitoring servers, AV, etc.
3) Lastly, have your servers in different OUs based on server roles; each server role has its own GPO and rules. If you have rules specific to these servers, open the rules at this GPO level.
4) What I have found works is to have separate policies for WMI and for File and Print Sharing that are applied separately from the ‘base’ firewall policy mentioned in #2.

Base OU
   ServersOU
      AppRole1
      AppRole2
      AppRole3

Based on the example above, #1 and #2 would be linked at the ServersOU. The Base WMI and File and Print Sharing GPOs are linked at AppRole1, AppRole2 and AppRole3. There would be a GPO for each of AppRole1, AppRole2 and AppRole3. If a particular role has unique File and Print Sharing or WMI needs, you create another File and Print Sharing GPO for that role, link it at the AppRole level, and remove the original File and Print Sharing GPO link. This is the architecture I’ve found the most manageable for running Windows Firewall. Personally, I like having the extra layer; it can depend on your environment.

This example would have the following policies:

BaseSettingsPolicy
BaseFirewallPolicy (doesn’t contain WMI or File and Print Sharing rules)
BaseFilePrintSharing
BaseWMI
AppRole1
AppRole2
AppRole3
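As an added example (not from the original post), this PowerShell builds the OU tree and the seven GPO links described above with the ActiveDirectory and GroupPolicy modules, then reads back what a server in AppRole1 inherits; the domain name is an assumption, and the firewall rule contents of each GPO are not set here.

```powershell
# Added example, not from the original post. Domain name is an assumption; OU and GPO
# names follow the layout in the post. Only the structure is built, not the rules inside.
Import-Module ActiveDirectory, GroupPolicy
$domainDn  = 'DC=dmz,DC=example'            # assumed dedicated (non-corporate) forest
$serversOu = "OU=ServersOU,$domainDn"
$roles     = 'AppRole1', 'AppRole2', 'AppRole3'

New-ADOrganizationalUnit -Name 'ServersOU' -Path $domainDn
foreach ($r in $roles) { New-ADOrganizationalUnit -Name $r -Path $serversOu }

# #1 and #2: linked once at ServersOU, so every role OU below inherits them.
foreach ($name in 'BaseSettingsPolicy', 'BaseFirewallPolicy') {
    New-GPO -Name $name | New-GPLink -Target $serversOu -LinkEnabled Yes
}

# #4: WMI and File/Print Sharing live outside the base firewall policy and are linked
# per role, so a role with unique needs can unlink one and link its own copy instead.
$shared = 'BaseFilePrintSharing', 'BaseWMI'
$shared | ForEach-Object { New-GPO -Name $_ | Out-Null }
foreach ($r in $roles) {
    $roleOu = "OU=$r,$serversOu"
    foreach ($name in $shared) { New-GPLink -Name $name -Target $roleOu -LinkEnabled Yes }
    # #3: one role-specific GPO per role, holding only that role's openings
    New-GPO -Name $r | New-GPLink -Target $roleOu -LinkEnabled Yes
}

# Check: the full list a member of AppRole1 receives, in processing order.
(Get-GPInheritance -Target "OU=AppRole1,$serversOu").InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled
```

Running the final check on each role OU is a quick way to confirm that no role lost its base firewall link while a role-specific GPO was swapped in.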

Enjoy,

Steve Schofield
Windows Server MVP – IIS
http://www.iislogs.com/steveschofield

Adventure setting up Orchard with my site and blog.

I’ve been blogging for years, mainly with Community Server. I’ve had a desire to switch my blog over to my own domain, which currently is www.iislogs.com (the domain which sells the IIS Logs program). I selected Orchard as it seemed different, fresh and challenging. Plus it was built on top of the MVC framework and has an up-and-coming community. I came from the days when I tried to be a web developer using Classic ASP and, let’s say, Classic ASP.NET. Enough reflecting. :)

My first challenge was to get my blogs and comments exported out. Community Server allowed me to export them using the BlogML standard. This was real handy; the first hurdle was that Internet Explorer wasn’t useful and Google Chrome didn’t work. I ended up using Opera to get the properly formatted XML file from my old blog.

The next phase was to import into Orchard. The process was pretty straightforward. My first attempt imported without an issue. The only thing was that the default data store was SqlCE. I prefer to use SQL Server as the backend. After a few days of trying to migrate from SqlCE to SQL Server, I gave up. My content has a lot of references to PowerShell, which uses the dollar sign ($) for variables, and there was a bug preventing stuff from migrating cleanly. I tried to use WebMatrix to migrate. I started from scratch setting up Orchard again and setting the back end to SQL Server. It only took a couple of hours to get the pages re-entered, and the import wouldn’t work. Make sure to upgrade to the latest BlogML module.

The next challenge was that Orchard is entirely database driven. My existing site has content on disk with articles and help files for IISLogs. It took a bit of tweaking to find the right web.config settings to work within sub-directories. I used AppCMD to convert sections for me. For example, http://www.iislogs.com/help and http://www.iislogs.com/articles/23 need an additional web.config on a per-directory basis. This took some additional testing. I used the Microsoft IIS SEO module to crawl my site and find things. Although I’ve not completely cleared all errors, from what I can tell everything is displaying properly.

One thing I did after I got all the kinks worked out was to use WAST (Web Application Stress Tool) to perf test my website. I have a copy from before it was removed by Microsoft from the web. That is another blog post, but this is an excellent tool. I took 4 months of my actual web traffic, created a single log file and replayed it to test my site. The performance was acceptable.

The last adventure was setting up an RSS feed. As I type, the RSS feed itself works, but the icon doesn’t show up. The community response to questions has been top-notch. So for someone from the Classic ASP spaghetti-coder and ASP.NET days, working in Orchard is like starting completely over. Here are some reference links.

http://weblogs.asp.net/bleroy/archive/2010/04/07/rss-feeds-in-orchard.aspx (real doozie, didn’t understand much there)

http://www.orchardproject.net/docs/rss-atom.ashx

http://orchard.codeplex.com/discussions/242274

http://devhammer.net/blog

As I type this, it’s my first blog post ever with Windows Live Writer. Orchard comes with a functional WYSIWYG editor, but it’s hard to enter links and such. Windows Live Writer is just like working in a traditional word processing program. I’ll share other thoughts and ramblings as I continue to completely relearn how the web is done within MVC.

Steve Schofield

Microsoft MVP – IIS