A few months ago, I reported about the growth of sites running on IIS, which was edging closer and closer to Apache's market share. This month (July 2014), NetCraft's web server survey confirms that this has finally happened and IIS is now the market leader with close to 374 million sites and a 37.5% share of the market.
To be fair, this specific statistic is only one out of many collected by Netcraft, and in some parameters, Apache still has a noticeable lead because it is a solid product that gets the job done for those who prefer it. What's important here for us at Microsoft is the fact that the growth shows that IIS is moving in the right direction, and that our customers are able to take advantage of the new features we have been introducing regularly (some specifically architected to cater to the needs of high-end environments like hosters, enterprises and cloud providers).
Configuring websites can be a tedious task, especially if you have large systems to manage, such as hosting providers do. If you are tired of doing this sort of thing manually, Visual Studio Magazine has published a detailed guide on using .Net code to do this for you.
This allows creating new sites, creating app pools and customizing configuration, all from managed code, and can save a lot of time for developers and system administrators.
For more information, visit the article.
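The article above drives IIS through the Microsoft.Web.Administration assembly from .NET; the same API can be called from PowerShell, which is handy on a hosting server where you would rather not compile anything. The following is an added example and not code from the Visual Studio Magazine article; the site name, host name and physical path are placeholders, and it assumes an elevated prompt on a machine with IIS installed.

```powershell
# Added example (not from the article): create an application pool and a site with the
# Microsoft.Web.Administration API, driven from PowerShell. All names/paths are placeholders.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"

function New-ManagedSite {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$PhysicalPath,
        [int]$Port = 80
    )
    $mgr = New-Object Microsoft.Web.Administration.ServerManager
    try {
        if ($mgr.Sites[$Name]) { throw "Site '$Name' already exists" }

        # One dedicated application pool per site keeps tenants isolated from each other
        # and runs under the low-privilege ApplicationPoolIdentity rather than a shared account.
        $pool = $mgr.ApplicationPools[$Name]
        if (-not $pool) {
            $pool = $mgr.ApplicationPools.Add($Name)
            $pool.ManagedRuntimeVersion = 'v4.0'
            $pool.ProcessModel.IdentityType =
                [Microsoft.Web.Administration.ProcessModelIdentityType]::ApplicationPoolIdentity
        }

        if (-not (Test-Path $PhysicalPath)) {
            New-Item -ItemType Directory -Path $PhysicalPath | Out-Null
        }

        # Binding information is ip:port:hostheader; '*' binds every address on the port.
        $site = $mgr.Sites.Add($Name, 'http', "*:${Port}:${HostName}", $PhysicalPath)
        $site.Applications['/'].ApplicationPoolName = $pool.Name

        # Nothing reaches applicationHost.config until CommitChanges() is called.
        $mgr.CommitChanges()
        return $site.Name
    }
    finally {
        $mgr.Dispose()
    }
}

# Placeholder values; adjust for your environment.
New-ManagedSite -Name 'contoso-demo' -HostName 'demo.contoso.example' -PhysicalPath 'C:\inetpub\contoso-demo'
```

Because every change is batched until CommitChanges(), a failure halfway through leaves applicationHost.config untouched, which is the behaviour you want when a provisioning script runs unattended.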
Logging the traffic coming into a website is very important, but on a busy site, the log can generate many gigabytes of data every day, making it hard to control disk space and prevent the drives from filling up.
As a result, many users turn off logging completely, although this can make it impossible to track down suspicious or illegal activity. The good news is that there are multiple ways to keep a tight leash on log size without turning logging off. The following article by Jim Van De Erve discusses several methods, from simple disk compression to a 3rd party tool that trims the logs automatically.
Click here to read more
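One of the simplest ways to keep log size under control without losing the evidence you may later need is to compress old logs in place and only delete the compressed archives once a retention period has passed. The script below is an added example, not from Jim Van De Erve's article; it assumes the default IIS log root and uses Compress-Archive (Windows PowerShell 5 or later).

```powershell
# Added example (not from the article): zip IIS logs older than N days into a monthly
# archive per site, and delete archives older than the retention period. The log root
# is the IIS default; the day counts are illustrative and should follow your retention policy.
function Compress-IisLogs {
    param(
        [string]$LogRoot = "$env:SystemDrive\inetpub\logs\LogFiles",
        [int]$ZipAfterDays = 7,
        [int]$DeleteArchiveAfterDays = 90,
        [switch]$WhatIf
    )
    $now = Get-Date
    $zipped = 0
    $removed = 0

    # Each site logs into its own W3SVC<id> folder under the log root.
    foreach ($siteDir in Get-ChildItem -Path $LogRoot -Directory) {
        $old = Get-ChildItem -Path $siteDir.FullName -Filter '*.log' -File |
               Where-Object { $_.LastWriteTime -lt $now.AddDays(-$ZipAfterDays) }

        # Group by year-month so one archive per month accumulates over time.
        foreach ($group in ($old | Group-Object { $_.LastWriteTime.ToString('yyyy-MM') })) {
            $zip = Join-Path $siteDir.FullName ("archive-{0}.zip" -f $group.Name)
            if ($WhatIf) {
                Write-Host "Would add $($group.Count) file(s) to $zip"
                continue
            }
            # -Update appends to an existing monthly archive instead of overwriting it.
            Compress-Archive -Path $group.Group.FullName -DestinationPath $zip -Update
            Remove-Item -Path $group.Group.FullName -Force
            $zipped += $group.Count
        }

        # Archives are only removed once the retention window has passed.
        Get-ChildItem -Path $siteDir.FullName -Filter 'archive-*.zip' -File |
            Where-Object { $_.LastWriteTime -lt $now.AddDays(-$DeleteArchiveAfterDays) } |
            ForEach-Object {
                if (-not $WhatIf) { Remove-Item -Path $_.FullName -Force }
                $removed++
            }
    }

    [pscustomobject]@{ LogsZipped = $zipped; ArchivesRemoved = $removed }
}

# Dry run first; drop -WhatIf (or schedule the call) once the numbers look right.
Compress-IisLogs -WhatIf
```

W3C logs compress extremely well, so a 90-day archive of a busy site is usually a small fraction of the raw size, and the archives remain available for investigating suspicious activity, which is exactly what turning logging off would sacrifice.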
After my blog post on the topic, questions continue to flow about the effect it has on Windows, Azure and IIS. A lot of the questions really show how confusing SSL technology is to many people. Much has been written about Heartbleed, and it wouldn't be right to just repeat it all, so for those seeking additional info, I recommend reading this article on Windows IT Pro by Rod Trent. It covers the topic and summarizes it well, and also links to several posts (including mine) for further reading.
Most people think Azure’s portal is terrific, especially the new version, but for those of us who have been using IIS Manager to operate our local servers, using the same familiar interface to manage the cloud has been high on the wishlist. Recently, we finally made it happen, and you can now control your server through the SCM (Site Control Management) extension.
To do this, you can use the IIS manager as-is, without any need for special installation. The trick is connecting to a special URL which exposes the properties and allows the console to connect remotely. For full details on doing this, read this blog post.
The Heartbleed vulnerability in OpenSSL (CVE-2014-0160) has received a significant amount of attention recently. While the discovered issue is specific to OpenSSL, many customers are wondering whether this affects Microsoft’s offerings, specifically Windows and IIS. Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows’ implementation of SSL/TLS was also not impacted.
We also want to assure our customers that default configurations of Windows do not include OpenSSL, and are not impacted by this vulnerability. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.
This applies to all Windows operating systems and IIS versions, up to and including IIS 8.5 running on any of the following operating systems:
• Windows Server 2003 and 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
Customers running software on Windows that uses OpenSSL instead of SChannel (for example, running the Windows version of Apache) may be vulnerable. We recommend that all customers who may be vulnerable follow the guidance from their software distribution provider. For more information and corrective action guidance, please see the information from US-CERT here.
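Since SChannel is not affected but a copy of OpenSSL bundled with third-party software is, the practical question on a Windows server is "which products brought their own OpenSSL DLLs, and which version?" The following inventory script is an added example, not part of the original post; the search roots are assumptions, and the version test uses the publicly documented affected range for CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later are fixed).

```powershell
# Added example (not from the post): find OpenSSL libraries that third-party software
# installed on this host and flag versions in the CVE-2014-0160 range.
function Test-HeartbleedVersion {
    param([string]$Version)
    # Affected: 1.0.1 up to and including 1.0.1f. Fixed in 1.0.1g. Other branches unaffected.
    if (-not $Version) { return 'unknown' }
    if ($Version -match '^1\.0\.1([a-f])?(\b|$)') { return 'yes' }
    return 'no'
}

function Find-OpenSslDll {
    # Search roots are assumptions; add product-specific folders as needed.
    param([string[]]$SearchRoot = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}"))
    # Common file names used by OpenSSL builds on Windows.
    $names = 'libeay32.dll', 'ssleay32.dll', 'libssl*.dll', 'libcrypto*.dll'
    foreach ($root in ($SearchRoot | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Recurse -Include $names -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # ProductVersion strings vary by build (e.g. "1.0.1f" or "1.0.1f 6 Jan 2014").
                $ver = $_.VersionInfo.ProductVersion
                [pscustomobject]@{
                    Path     = $_.FullName
                    Version  = $ver
                    Affected = Test-HeartbleedVersion -Version $ver
                }
            }
    }
}

Find-OpenSslDll | Sort-Object Affected -Descending | Format-Table -AutoSize
```

A hit marked "yes" means the owning product needs an update from its vendor; a hit marked "unknown" has no usable version resource and should be checked against the vendor's release notes. Neither case changes anything about IIS itself, which continues to rely on SChannel.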
Having been around for so long, and encompassing so many technologies, information about using IIS and solving problems is more than abundant. The IIS.Net website alone has thousands of articles, which can make it challenging to find what you need.
To make things easier for IIS and other products, Microsoft support has set up a new blog resource called “Top Support Solutions”, which offers a hand-picked selection of links and information about Microsoft’s leading products.
Wei Zhao from Microsoft support in China has lent his time to assembling such a collection for IIS, and we’re sure you’ll find it useful. You can find it here. In addition, Jim Cheshire from Microsoft support in Las Colinas, Texas, has done a similar job of hand-picking solutions for Azure Web Sites.
On the main blog page, you can find other collections for 34 additional products, ranging from Windows 8.1 to Unified Access Gateway (UAG).
We hope these will make your day-to-day experience a healthy one!
Millions of people out there are using IIS to host their websites, but we all know it’s not the only product on the market. For many years, Apache was leading with a significant margin, but things are finally starting to change.
According to NetCraft, a research company from the UK which specializes in analyzing the web and hosting market, IIS has had a huge spike in market share recently. According to the report they released a few days ago, IIS had almost 50 million new sites during February, increasing its market share by 19%.
This is great news because it’s not only a large increase by itself, but also means that 32.8% of the websites in the world are running on Microsoft servers. This brings IIS close to nose-to-nose with Apache (at 38% market share).
According to our own survey, IIS 7.5 is the most popular version, running on about 60% of the IIS servers on the public internet. Neither this nor NetCraft’s data include internal servers, such as those running SharePoint inside the corporate network of many companies, so the actual percentage is probably even higher.
The full details of the NetCraft survey: http://news.netcraft.com/archives/2014/02/03/february-2014-web-server-survey.html
Well…this isn’t really about any test, but keeping the massive range of things Azure web sites can do and how to do them in one’s head could be challenging. Luckily, Cory Fowler, one of Azure’s best evangelists has built this fantastic informational gold-mine!
Fowler’s http://windowsazurewebsitescheatsheet.info/ allows you to explore this in a friendly and intuitive interface, and get to the bottom line quickly and easily. It has info about features, as well as detailed reference info about our command-line interface.
Great stuff, Cory! Check it out, everyone!
For anyone who owns a website, a top-priority is usually driving traffic up. Whether it’s a content-based site like a blog or forum, or a sales-driven site like an online store, we all want as many people as possible to visit our sites. Most hosting solutions offer some kind of access to information about visitors and companies like WebTrends have made a fortune building advanced analysis mechanisms to help answer questions like “What websites are referring to my site” or “what are the most popular pages on my site” and so on.
As site owners do various things to try to draw more visitors, like doing SEO (Search Engine Optimization) or buying ads on other websites, we typically examine our traffic patterns over time, to see if these efforts are working, and this is also a good way to find out if there might be some problem with a site (for example, some application error that’s preventing visitors from using the site fully or partially). As we look at such trend reports, we sometimes find that traffic has decreased despite our efforts. This can be very frustrating, of course…but it’s important to know that sometimes, this trend is nothing more than seasonal fluctuations. Seasonal fluctuations are changes to traffic trends that are caused by normal seasonal human behavior, and have nothing to do with your content. For example, during Christmas, many people go on vacations and spend less time on the internet. If you measure your traffic over the period of October-January, you’re bound to see a decrease in traffic, no matter what you do to the site. Understanding these trends is very important, because it allows you to adjust your expectations, and see how you’re really doing despite these trends.
Trends are a game of numbers, and so I gathered some statistics that can help you understand these trends. Below you can find a trend graph of visitors and changes over the year. I should note that these numbers represent the trends in the technical-content world, and not commercial site trends (which would be different, because during Thanksgiving, for example, people spend less time reading articles, but more time shopping online). The data below is for the year 2013, and based on data from several high-volume content websites with a total visitor count in the vicinity of 16 million visitors a month. I don’t claim that this represents the entire world, but I feel this is a pretty good and accurate sample, statistically. Use at your own risk…
Visitors trending
Below is the graph representing visitors from January (1) to December (12) of 2013:
The Y axis intentionally doesn’t contain the “real” numbers, because they don’t really matter…every site would have a different count, so treat these as a factor, rather than a hard number. If you plot your own visitor count on a graph like this, you should expect to have a similar graphic pattern. However, what really matters to us is not the bottom numbers, but the CHANGE over time. The change patterns I calculated are below, both in table form and graph:
| Month     | Change from prev. month |
|-----------|-------------------------|
| January   | 36.0 %                  |
| February  | -18.1 %                 |
| March     | 21.3 %                  |
| April     | 19.5 %                  |
| May       | -3.3 %                  |
| June      | -7.3 %                  |
| July      | 4.8 %                   |
| August    | -5.8 %                  |
| September | 5.5 %                   |
| October   | 5.2 %                   |
| November  | -20.4 %                 |
| December  | -20.8 %                 |
Conclusion
I should say again that the numbers above are not absolute, and can be affected by many factors. For example, if your content focuses solely on operating systems, then something like a release of a new version of Windows could throw off the curve quite a bit. However, generally, the above values mean that it’s perfectly normal for your visitor count to drop by about 20% from October to November (when Thanksgiving happens) and then go back up by about 36% in January, as people finish their holiday vacations and go back to work.
To apply this to your own data, calculate your month-over-month change, and reduce the global change from it to see your “real” change. For example:
| Month     | Visitors | % change | Global Change % | Adjusted % |
|-----------|----------|----------|-----------------|------------|
| January   | 6211     | N/A      | 36.0            |            |
| February  | 5182     | -16.6    | -18.1           | 1.5        |
| March     | 6455     | 24.6     | 21.3            | 3.3        |
| April     | 7883     | 22.1     | 19.5            | 2.6        |
| May       | 6934     | -12.0    | -3.3            | -8.8       |
| June      | 6732     | -2.9     | -7.3            | 4.4        |
| July      | 7118     | 5.7      | 4.8             | 0.9        |
| August    | 6619     | -7.0     | -5.8            | -1.2       |
| September | 7111     | 7.4      | 5.5             | 1.9        |
| October   | 7894     | 11.0     | 5.2             | 5.8        |
| November  | 6411     | -18.8    | -20.4           | 1.7        |
| December  | 5224     | -18.5    | -20.8           | 2.3        |
In the above example, when the change is adjusted, you can see that for most months, you have an average growth rate of about 2.7%. You can also see that there was a major dip in May and a major spike in October. This could be good news, if the October spike matches some action you took to improve your traffic. More good news in the example above is that the major dip in visitors in August is not really 7%, but only 1.2%, as 5.8% is due to seasonal trends. The not-so-great news above is that something unusual happened in May. It might have been something going wrong with the site itself, or something else, like a global disaster. Either way, this gives you the data to know what’s going on.
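The adjustment described above is easy to automate once you have your own monthly visitor counts. The function below is an added example, not part of the original post: it computes the month-over-month change and subtracts the global seasonal change from the table above. The sample visitor counts are the ones from the example table; the only assumption is that "change from previous month" means the percentage difference between consecutive months.

```powershell
# Added example (not from the post): seasonally adjust month-over-month visitor changes
# using the global 2013 trend table from the post. Counts are assumed to be January-first.
function Get-SeasonallyAdjustedChange {
    param(
        [Parameter(Mandatory)][int[]]$Visitors,   # one entry per month, January first
        # Global "change from previous month" values from the table in the post.
        [double[]]$GlobalChange = @(36.0, -18.1, 21.3, 19.5, -3.3, -7.3, 4.8, -5.8, 5.5, 5.2, -20.4, -20.8)
    )
    if ($Visitors.Count -ne $GlobalChange.Count) {
        throw "Expected $($GlobalChange.Count) monthly visitor counts, got $($Visitors.Count)"
    }
    $months = [Globalization.CultureInfo]::InvariantCulture.DateTimeFormat
    for ($i = 1; $i -lt $Visitors.Count; $i++) {
        # Percentage change relative to the previous month.
        $change = 100.0 * ($Visitors[$i] - $Visitors[$i - 1]) / $Visitors[$i - 1]
        [pscustomobject]@{
            Month    = $months.GetMonthName($i + 1)
            Visitors = $Visitors[$i]
            Change   = [math]::Round($change, 1)
            Global   = $GlobalChange[$i]
            # Your "real" change once the seasonal movement everyone sees is removed.
            Adjusted = [math]::Round($change - $GlobalChange[$i], 1)
        }
    }
}

# Sample input: the visitor counts from the example table in the post.
$sample = 6211, 5182, 6455, 7883, 6934, 6732, 7118, 6619, 7111, 7894, 6411, 5224
Get-SeasonallyAdjustedChange -Visitors $sample | Format-Table -AutoSize
```

Because the function rounds only at the end, one or two months may differ from the hand-calculated table by 0.1; the picture (the May dip, the October spike, the mild August decline) is the same.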
Windows Azure has been growing and improving at a very rapid pace, and it looks like our efforts are starting to get recognized and appreciated. The most recent sign of this is being classified as a “leader” by Gartner in their Q1 2014 Magic Quadrant report. In fact, the Leader quadrant has only two companies – Azure and SalesForce, so we are definitely in good company!
The report by Yefim V. Natis, Massimo Pezzini, Mark Driver, David Mitchell Smith, Kimihiko Iijima and Ross Altman also lists Windows Azure Web Sites specifically as part of the report. For more info:
http://www.gartner.com/technology/reprints.do?ct=140108&id=1-1P502BX&st=sb
If you go into a Japanese bookstore, and browse the tech section, you might run into this title – WordPress on Windows Azure:
Who is this lovely lady, you might ask yourself…well, meet Claudia Madobe, the cloud girl (her last name means “Window-sill” in Japanese). Claudia was created by Tokura Aya, a tech evangelist from Microsoft Japan with the purpose of helping tell the story of Windows Azure. The book itself is about 160 pages of guidance on using Windows Azure Web Sites to quickly and easily create a WordPress site (if you noticed, Claudia is wearing Windows-themed earrings, and a WordPress necklace). It also has about 20 pages of Manga, telling about some of Claudia’s adventures helping others use cloud technology.
Here’s a picture of Tokura and Claudia…see any resemblance?
If you like it, and are fluent in Japanese, you can grab yourself a copy for about $18 on Amazon. You can also visit Claudia’s page on MSDN.
If you were looking for a great way to learn about Azure Web Sites, you’re going to love the new book by Tejaswi Redkar. Tejaswi is a colleague of mine and serves as Director of business products at Microsoft. He’s been around for quite a bit and is a leading expert on many topics, and that reflects well in the book.
Tejaswi’s book was released a few weeks ago and is titled “Windows Azure Web Sites: Building Web Apps at a Rapid Pace”. It’s one of two books** available about Azure Web Sites, and is a very comprehensive resource for both beginners and experienced users. If you need to ramp up on this topic quickly, grab yourself a copy on Amazon.com – you won’t regret it.
** the other book is by James Chambers
Microsoft’s Application Request Router (ARR) IIS Extension is a complex piece of software which integrates with several other components to do its job. These components are URL Rewrite, Web Farm Framework and ARR’s External Cache module. For things to work correctly, not only do you need all components, but they must also be installed in a specific order, which can be confusing. Several years ago, Microsoft introduced the Web Platform Installer (WebPI) mechanism, which makes it easy to manage installed components. It’s used with many things nowadays, and is also a good way to install ARR and all its components properly and easily.
Occasionally, though, you might find yourself in a situation where you still prefer to avoid using the WebPI installation option. For example, one such scenario is when installing ARR on the Server Core edition of Windows, where WebPI cannot be used. If so, another option you have is installing it using our IExpress package, which includes all the components together. To use it, download it from this page and install.
Another option is to install the components by hand, which will require you to download the components separately. This is the procedure for doing so:
1. Stop IIS first by typing net stop was /y and net stop wmsvc /y on an elevated command-line window:
*** Note that WMSVC is the IIS Web Management Service, which might not be enabled on your server. In such a case, trying to stop it will result in the message "The Web Management Service service is not started." This is not unusual and should not be cause for alarm.
2. Download and install the Web Farm Framework module. It is currently available in version 1.1
3. Download and install the External cache module. It is currently available in version 1.0
4. Download and install the URL Rewrite module. It is currently available in version 2.0
5. Download and install ARR itself. It is currently available in version 3.0
6. Start the IIS services back (or, simply reboot your server) and you should be good to go!
If you need to do this on an x86 server, like Windows 2008, you can download the x86 version of these components here:
· Web Farm Framework X86
· External cache X86
· URL Rewrite X86
· ARR X86
Going fast is always fun, but when it comes to your servers, it could mean saving a lot of money on hardware and stretching your budget to the max. Software developers usually spend a lot of time and energy on making their product run as lean and efficient as possible, but ultimately, every customer uses their systems differently, and so there’s no one-size-fits-all. For this reason, most products allow you to tweak some settings to squeeze a bit more performance out of your system.
A few days ago, the Windows Server team produced a highly detailed and very comprehensive guide for performance tuning. It offers a whole bag of tricks and tips on choosing hardware, altering settings and adjusting parameters to get the most out of the various parts of your system.
Part of the guide pertains specifically to IIS, and this new version of the guide includes updates pertaining to the latest version of IIS – version 8.5 that’s bundled with Windows Server 2012 R2.
Take a look at the link below, and a big thanks to Daniel Straka from CSS for his tremendous efforts in making this happen!
Performance Tuning Guidelines for Windows Server 2012 R2
Introduction
Application Request Routing (ARR) is a proxy-based routing module that uses HTTP headers, server variables, and load balance algorithms to determine how to forward HTTP requests to content servers. The release of ARR 3.0 in July 2013 contains a few new features, as well as bug fixes. The following information describes the new features and how to use them, as well as general information about ARR 3.0.
ARR 3.0 was tested and is supported on Windows Server 2008, 2008 R2, 2012 and 2012 R2. It’s available in an X86 version for Windows Server 2008, and an X64 version, which is supported on all the above platforms.
Microsoft recommends installing ARR from within the Web Platform Installer (WebPI). To install from WebPI, type ARR in the search box, and click the appropriate item to install it.
It’s also possible to install ARR by downloading the MSI package, but please note that installing it directly requires the administrator to perform several steps in a specific order (normally, WebPI manages that automatically). These steps are:
1. Stop IIS by running the commands net stop was and net stop wmsvc on an elevated command-prompt window
2. Install URL rewrite (v2)
3. Install Web Farm Framework (v1)
4. Install ARR (v3)
5. Install the External Cache module (v1)
6. Start the IIS services back, or reboot the server.
To download the ARR MSI, visit this page. To download the MSI for the other pieces, visit this page.
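When WebPI is not an option (Server Core, or an isolated network where packages are staged by hand), the manual sequence above is worth scripting so the order is applied consistently and a failed MSI stops the run instead of leaving a half-installed stack. This is an added example, not a script from the ARR team; the MSI file names are placeholders for whatever packages you downloaded from the pages linked above, and it follows the order listed in this post (the earlier post on this page lists the components in a different order, so pass the sequence you intend to use).

```powershell
# Added example (not from the post): apply the manual ARR install sequence from an
# elevated PowerShell prompt. Package file names are placeholders; $PackageDir holds the
# MSIs downloaded from the links in the post.
function Install-ArrComponents {
    param(
        [Parameter(Mandatory)][string]$PackageDir,
        # Order matters. This is the sequence given in the ARR 3.0 post above.
        [string[]]$Packages = @(
            'rewrite_amd64.msi',            # URL Rewrite v2
            'webfarm_amd64.msi',            # Web Farm Framework v1
            'requestRouter_amd64.msi',      # ARR v3
            'ExternalDiskCache_amd64.msi'   # External Cache v1
        )
    )
    # Stop WAS (which also stops W3SVC) and, only if it exists, WMSVC.
    Stop-Service -Name WAS -Force
    if (Get-Service -Name WMSVC -ErrorAction SilentlyContinue) { Stop-Service -Name WMSVC -Force }

    $results = foreach ($pkg in $Packages) {
        $path = Join-Path $PackageDir $pkg
        if (-not (Test-Path $path)) { throw "Missing package: $path" }
        $log = $path + '.log'
        # Quiet install, no automatic reboot, verbose log next to the MSI for troubleshooting.
        $proc = Start-Process -FilePath msiexec.exe -Wait -PassThru -ArgumentList @(
            '/i', "`"$path`"", '/qn', '/norestart', '/l*v', "`"$log`""
        )
        # 0 = success; 3010 = success, reboot required. Anything else aborts the sequence.
        if ($proc.ExitCode -notin 0, 3010) {
            throw "$pkg failed with msiexec exit code $($proc.ExitCode); see $log"
        }
        [pscustomobject]@{ Package = $pkg; ExitCode = $proc.ExitCode }
    }

    # Starting W3SVC brings WAS back up as a dependency.
    Start-Service -Name W3SVC
    if (Get-Service -Name WMSVC -ErrorAction SilentlyContinue) { Start-Service -Name WMSVC }
    $results
}

# Placeholder path; point it at the folder holding the downloaded MSIs.
Install-ArrComponents -PackageDir 'C:\ARR-packages'
```

If any package returns 3010, reboot before putting the server back into the farm; the modules may not load correctly until then.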
ARR 3.0 was released in Beta in December of 2012, and included the following new features:
· Retries for URL Health Monitoring
· Web Socket Support
The final version (July 2013) also adds support for Session affinity opt-out. Here are the details about these features.
As part of normal farm management, ARR performs health tests for configured web servers, so that if a server in the farm becomes unavailable, ARR will not forward requests to it. Before version 3, health monitoring would mark a server as unavailable if it failed to respond a single time. This may impact availability in certain situations, because intermittent network or application errors could lead to a server being marked as unavailable when in fact it was available.
To address that, health-monitoring can now be configured by the administrator to retry, and conclude that the server is unavailable only after a defined retry-count. By default, Health-monitoring will retry the check 3 times, and the administrator can change the value to a different one by editing the configuration in ApplicationHost.config.
<element name="healthCheck">
  <attribute name="url" type="string"/>
  <attribute name="retries" type="uint" defaultValue="3" validationParameter="0,20" />
  ..
</element>
The following article describes additional parameters that can be configured as part of health monitoring: http://blogs.iis.net/richma/archive/2010/12/14/application-request-routing-health-check-features.aspx
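Rather than editing applicationHost.config by hand, the retry count can be set and read back with the WebAdministration module. This is an added example, not from the original post; the farm name and health URL are placeholders, and it assumes the farm already exists under the webFarms section (the configuration path used here is the one ARR writes for a farm's health check settings).

```powershell
# Added example (not from the post): configure ARR 3.0 health-check retries for a farm
# through the IIS configuration system. Farm name and URL are placeholders.
Import-Module WebAdministration

function Set-ArrHealthCheckRetries {
    param(
        [Parameter(Mandatory)][string]$FarmName,
        [Parameter(Mandatory)][string]$HealthUrl,
        # The schema allows 0-20; 3 is the default in ARR 3.0.
        [ValidateRange(0, 20)][int]$Retries = 3
    )
    $psPath = 'MACHINE/WEBROOT/APPHOST'
    $filter = "webFarms/webFarm[@name='$FarmName']/applicationRequestRouting/healthCheck"

    if (-not (Get-WebConfiguration -PSPath $psPath -Filter "webFarms/webFarm[@name='$FarmName']")) {
        throw "Web farm '$FarmName' does not exist"
    }

    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name url     -Value $HealthUrl
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name retries -Value $Retries

    # Read the values back so the caller sees what ARR will actually use.
    $hc = Get-WebConfiguration -PSPath $psPath -Filter $filter
    [pscustomobject]@{ Farm = $FarmName; Url = $hc.url; Retries = $hc.retries }
}

# Placeholder farm: a dedicated, lightweight health page on the content servers.
Set-ArrHealthCheckRetries -FarmName 'myFarm' -HealthUrl 'http://localhost/health.htm' -Retries 5
```

Keep the health URL pointing at something cheap to serve; a health check that hits an expensive page will itself add load to a server that is already struggling, and with retries enabled that load is multiplied.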
With the release of Windows Server 2012, IIS added support for using WebSockets. Since WebSockets requires special handling by proxies, ARR needed some changes to be able to support this feature. This allows ARR to distinguish between a regular HTTP request and a WebSockets request, and handle them correctly.
WebSocket support requires the WebSocket feature to be installed on IIS, but does not require any other configuration or action. Install the feature using the Server Manager Add Roles and Features, and once that is complete, ARR 3.0 will handle the requests appropriately. The new feature supports both plain (ws://) and secure WebSocket (wss://) requests and it can also provide SSL offloading for WSS requests.
An important part of load balancing is maintaining affinity. Maintaining affinity means that once ARR routes a request to a server, subsequent requests from the same client that are a part of the same session should go to the same server. To maintain affinity, ARR attaches a unique affinity session cookie to each new session, with the selected server stored in the cookie. Once a subsequent request from the same client arrives, ARR decodes the cookie, extracts the server name, and knows to route that request to the same server. Similar methods are employed by all commercial reverse proxies. Here’s an example of such a cookie:
The challenge with this mechanism is that a session cookie can exist indefinitely, and so if the client’s browser remains open, it will continue serving back the affinity cookie, and be continuously redirected to that same server. In an environment where many clients keep their browsers open for extended period of time, this could, over time, lead to an imbalance in client distribution.
To address this, ARR 3.0 allows web applications to opt-out of session affinity. To do this, an application would need to set a special response-header that signals to ARR to disable affinity for the application.
The special response header is Arr-Disable-Session-Affinity and the application would set the value of the header to be either True or False. If the value of the header is True, ARR would not set the affinity cookie when responding to the client request. In such a situation, subsequent requests from the client would not have the affinity cookie in them, and so ARR would route each request to the backend servers based on the load balance algorithm. Note that this behavior could have a serious impact on session-sensitive applications, so enabling this on a web application must be considered carefully.
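An application does not have to emit the header from code; for a stateless application, IIS on the content server can add it as a custom response header for the whole site. The script below is an added example, not from the original post; the site name is a placeholder, and it is meant only for applications that keep no per-server session state.

```powershell
# Added example (not from the post): make a content server's site send
# Arr-Disable-Session-Affinity: True so ARR stops issuing the affinity cookie for it.
Import-Module WebAdministration

function Disable-ArrAffinity {
    param([Parameter(Mandatory)][string]$SiteName)
    $psPath = "MACHINE/WEBROOT/APPHOST/$SiteName"
    $filter = 'system.webServer/httpProtocol/customHeaders'
    $header = 'Arr-Disable-Session-Affinity'

    if (-not (Get-Website -Name $SiteName)) { throw "Site '$SiteName' does not exist" }

    $existing = Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@name='$header']"
    if ($existing) {
        # Header already present: just make sure the value is True.
        Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/add[@name='$header']" -Name value -Value 'True'
    }
    else {
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -Value @{ name = $header; value = 'True' }
    }

    # Return the header as configured so the change can be verified.
    $cfg = Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@name='$header']"
    [pscustomobject]@{ Site = $SiteName; Header = $cfg.name; Value = $cfg.value }
}

Disable-ArrAffinity -SiteName 'Default Web Site'   # placeholder site name
```

Setting the header on the site rather than in application code also makes it easy to revert (remove the customHeaders entry) if it turns out the application does depend on server affinity after all.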
To help troubleshoot potential issues, FREB (Failed Request Tracing – formerly known as Failed Request Event Buffering) has specific events for WebSocket requests. The WebSocket protocol mandates that when a WebSocket connection is initiated by a client, the accepting server should reply with a 101 status code, along with a Sec-WebSocket-Accept key. In the event a connection is accepted, IIS’s WebSocket module will raise a FREB event titled WEBSOCKET_HANDSHAKE_SUCCESS. If there is a problem, a failed event will be raised. By setting the appropriate filters in FREB, you can capture and examine these events:
When enabling FREB, keep in mind that setting a trace for success-type events (such as 101 and 200 status codes) on a production server would result in a large number of events, which could increase the load on the server to unacceptable levels, and is therefore not recommended.
In addition, new performance counters that are specific for WebSockets have been added to Windows, and they are under the W3SVC_W3WP group in PerfMon:
Blog post by Erez Benari and Jenny Lawrance
When Christopher Bullock wrote about the certainties in life in his book The Political History of the Devil, he probably should have added a 3rd certainty…that your certificates WILL expire and you’ll have to renew them. I think we can forgive that, as he wrote the book in 1726 and websites weren’t as popular as they are today. However, the topic of certificate renewal is one that certainly plagues the nightmares of every seasoned system administrator.
Ultimately, if you’re an efficient fellow, you can try to have all your certificates expire around the same date, or set reminders in Outlook to remind you about the upcoming expiration, but in reality, it’s the sort of thing that tends to get missed even by the most experienced engineers. Even if you do get it right, or have your certificates automatically renew, there’s still the issue of certificate rebind. When an IIS site is configured for a certificate, it has to be re-bound when the certificate is renewed, and if you don’t perform this (by going to the site binding dialog, and selecting the new certificate from the certificate drop-down), you ARE going to get some nasty phone calls.
To make things easier, Microsoft has implemented a new helper mechanism in windows called Certificate Services Lifecycle Notifications. This mechanism is part of Windows 8 and Windows 2012, and it creates system events when certain certificate-related things happen. For example, when a certificate is about to expire (a day before expiration), an event with ID 1003 will be logged under /Applications and Services Logs/Microsoft/Windows/CertificateServicesClient-Lifecycle-System or /Applications and Services Logs/Microsoft/Windows/CertificateServicesClient-Lifecycle-User:
The details pane will show more info, such as the certificate’s subject name and thumbprint:
Other events that might be recorded as part of this mechanism are:
1. New certificate has been installed
2. Certificate has been renewed or replaced
3. Certificate has expired
4. Certificate has been deleted
5. Certificate has been archived
6. Certificate has been exported
Because these events are now logged, administrators can make use of them to help them take care of the other aspects of certificate management. For example, you can use Task Manager to trigger a task when one of these events occurs, and the task can do whatever you need it to do, from a simple pop-up notification to the administrator all the way to complex code or scripts that can cure cancer on cue. The following wiki article by Kurt Hudson details this mechanism and some of the things you can do with it:
http://social.technet.microsoft.com/wiki/contents/articles/14250.certificate-services-lifecycle-notifications.aspx
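Besides wiring a scheduled task to these events, it is worth being able to pull them on demand, together with a plain scan of the machine store for anything close to expiry (the lifecycle event only fires a day before, which is late for a certificate that needs a CA round-trip). This is an added example and not part of the original post; the channel names are an assumption derived from the Event Viewer paths given above, and the day counts are illustrative.

```powershell
# Added example (not from the post): list recent certificate lifecycle events and any
# machine certificates that expire soon. Channel names are assumed from the Event Viewer
# paths in the post; event IDs 1001 (renewed/replaced) and 1003 (about to expire) are from it.
function Get-CertificateLifecycleEvent {
    param([int[]]$Id = @(1001, 1003), [int]$LastDays = 30)
    $channels = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational',
                'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'
    foreach ($channel in $channels) {
        Get-WinEvent -FilterHashtable @{
            LogName   = $channel
            Id        = $Id
            StartTime = (Get-Date).AddDays(-$LastDays)
        } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LogName, Message
    }
}

function Get-ExpiringServerCertificate {
    param([int]$WithinDays = 30)
    # Cert:\LocalMachine\My is where IIS binding certificates normally live.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -lt (Get-Date).AddDays($WithinDays) } |
        Sort-Object NotAfter |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
}

Get-ExpiringServerCertificate -WithinDays 30 | Format-Table -AutoSize
Get-CertificateLifecycleEvent | Format-Table -AutoSize
```

Running the expiry scan from a daily scheduled task, well before the one-day lifecycle event, gives you time to renew on your own schedule rather than during an outage.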
To take this a step further, the IIS team has implemented some new functionality in IIS 8.5, which is part of the upcoming Windows 2012 R2 release. This functionality is designed to take advantage of the same notification mechanism and automatically re-bind a certificate that has been renewed.
To make this happen, IIS can automatically register a task in the system’s Task Scheduler, and the task is keyed to trigger upon a certificate-renewal event (event ID 1001). When such an event happens (either when the administrator has manually renewed the certificate, or if it renews with Auto-enrollment), the scheduled task runs IIS’s command-line tool APPCMD, and gives it the thumbprint of the old (expired) certificate and the thumbprint of the new one. Using these two parameters, APPCMD locates the websites which are bound to the old certificate and rebinds them to the new one.
As far as the user-interface goes, the IIS console now offers the following option, which allows the administrator to enable or disable this functionality:
The tasks created by this mechanism in Task Scheduler can be viewed by opening up Task Scheduler, and navigating to /Microsoft/Windows/CertificateServicesClient, and as you can see, it shows the parameters sent to APPCMD:
If you disable this function in IIS Manager, the task is deleted. This is a good opportunity to note that fiddling with the settings in this task or deleting it manually is not supported, and could have unpredictable results, so don’t do it.
With this feature, the process of certificate renewal can finally be put in the “fugget about it” pile. Simply set up your certificates to automatically renew with Autoenrollment, enable this feature on your IIS servers and go back to reading The Political History of the Devil.
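On IIS versions before 8.5, or when the built-in task is not in use, the same rebind step can be done with the WebAdministration module: find every HTTPS binding that still points at the old thumbprint and move it to the new certificate. This is an added example and not the IIS team's code; the thumbprints are placeholders, and it assumes the renewed certificate is already in the machine's Personal store.

```powershell
# Added example (not from the post): rebind every HTTPS binding that uses the old
# certificate thumbprint to the renewed certificate. Thumbprints are placeholders.
Import-Module WebAdministration

function Update-IisCertificateBinding {
    param(
        [Parameter(Mandatory)][string]$OldThumbprint,
        [Parameter(Mandatory)][string]$NewThumbprint,
        [switch]$WhatIf
    )
    # Normalise: certificate UIs often show thumbprints with spaces or in lower case.
    $old = ($OldThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $new = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    if (-not (Test-Path "Cert:\LocalMachine\My\$new")) {
        throw "New certificate $new is not in the LocalMachine\My store"
    }

    $updated = foreach ($site in Get-Website) {
        foreach ($binding in (Get-WebBinding -Name $site.Name -Protocol https)) {
            if ($binding.certificateHash -ne $old) { continue }
            if (-not $WhatIf) {
                # Replaces the http.sys SSL binding for this ip:port:host with the new cert.
                $binding.AddSslCertificate($new, 'My')
            }
            [pscustomobject]@{
                Site          = $site.Name
                Binding       = $binding.bindingInformation
                OldThumbprint = $old
                NewThumbprint = $new
            }
        }
    }
    if (-not $updated) { Write-Warning "No HTTPS binding uses thumbprint $old" }
    $updated
}

# Placeholder thumbprints; run with -WhatIf first to see which bindings would change.
Update-IisCertificateBinding -OldThumbprint '<OLD-THUMBPRINT>' -NewThumbprint '<NEW-THUMBPRINT>' -WhatIf
```

The function returns one object per binding it touched, which is what you want logged by a scheduled task so that a renewal that silently matched nothing is visible the next morning.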
While security is on everyone’s mind, some organizations with higher than usual security requirements have had some concerns regarding the encryption used in web-based transactions. Everyone knows that SSL encryption is pretty much the default for any web-based connection that requires security, but SSL itself is about much more than simply “have it/don’t have it”.
Those who deal a lot with security know that encryption is comprised of multiple parts. There is the protocol, such as TLS version 1, version 1.1 or 1.2; there’s the Cipher, which can include DES, Triple DES, RC2, RC4 and others; there’s the hash, which could be MD5 or SHA. For the cipher itself, one could have preference for a key length, which could be as short as 40 bit, or much longer. In the world of security, we refer to a combination of the above as a “Cipher Suite”.
Any software that supports encryption comes with a pre-configured set of supported suites, and some support more than others. For example, Windows 2008 and Windows Vista included a whole slew of new protocols, making them better-built for the security-conscious organization. One topic that has come up recently is related to Windows support for Perfect Forward Secrecy. Perfect Forward Secrecy, or PFS for short, is the ability of certain encryption protocols to provide better security by using unique session keys that are not derived from the server’s private key. I won’t go into detail here, as PFS is well documented (for example, Vincent Bernat’s blog discusses it in detail http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html ), but this brings up the question “How can I take advantage of this awesome thing?”
Before we answer that, we should clarify that just because it’s more secure doesn’t automatically make it “better”. More security, you see, has a price, because the more complex negotiation process takes a toll on the computer’s resources, and the toll can be as high as 30%. If your server is highly utilized, then enabling PFS might saturate your CPU and require you to add another server to your array or pay more for resource usage if you are using a cloud-based service such as Azure. Another potential challenge with enabling PFS is that some older clients may not support it, leaving potential users reading error messages instead of your words of wisdom.
As I said, Windows 2008 and Vista added support for new stuff, and PFS is one of them. However, that doesn’t mean that it will automatically come into play. When a web client (such as Internet Explorer) and a web server (such as IIS) use encryption, the first step is negotiating the protocol. This is invisible to the naked eye, but if you examine a connection with a tool such as Network Monitor, you will see this:
What you see above is the 1st part of the security negotiation, and that’s a request coming from the client (the browser). In the bottom part you can see a list of Cipher Suites that the client supports, and this way it’s laying the ground rules for the server.
The server looks at this list, and selects the first protocol that it supports, and when it replies to the client (one packet later), we can see it like this:
This, by the way, is a standard SSL handshake for an IE10 browser talking to an IIS 8.5 server with an out-of-the-box configuration.
If we wanted to limit this to protocols that use PFS only, we would need to either configure our clients to support only such suites, or configure our servers to agree only to such suites. If you are a user who wants to enjoy the utmost security and does not mind that many websites will refuse to talk to your browser, you can do so using Steve Riley’s guide at http://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx . Here, however, we want to focus on the server side.
Before we go on, we should clarify that PFS is a property of the key exchange, not the name of a specific protocol. The key exchange that provides it is Diffie-Hellman Ephemeral, or DHE for short (Diffie-Hellman refers to the cryptographers Bailey Diffie and Martin Hellman, who developed some of the most important security and encryption technologies in history). As you might have noticed above, the list of suites supported by IE includes quite a few variations with DHE:
In the screenshot above, the bottom 7 suites all use DHE, and that’s good news! This list might seem short, but keep in mind that the encryption system in Windows (known as Schannel) actually supports many more. The above list contains only the items that have been specifically enabled. For a full list of supported suites, visit http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx
Since web browsers normally don’t prefer to use PFS, you might want to configure your server to enforce it. To do so, you can either tell your server to prefer suites with PFS, or you can go all the way and tell it not to accept any others. You can configure the list of supported protocols using the registry, as described in the following article: http://support.microsoft.com/kb/245030. Another option, which is considerably easier, is to use IIS Crypto, a publicly available free tool by Nartac Software (https://www.nartac.com/Products/IISCrypto/Default.aspx). With IIS Crypto you can easily select which protocols, hashes, ciphers and key-exchanges are available for Schannel (and therefore IIS) to use, and you can also control the pecking order that affects the selection process:
Once you make changes to this, you can use Netmon to track the negotiation, and observe the suite that was used:
One last thing to keep in mind is that different clients, even if they do support PFS, may not support the same combination of encryption elements (that comprise a Cipher Suite, that is), and so if you are making changes to this configuration, make sure you test various browsers extensively, including various versions of these browsers. We’re sure you don’t want to get a nasty note from that guy in accounting who still uses Internet Chameleon…right?!
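The registry route mentioned above can be scripted, which also makes it auditable. The following PowerShell is an added example and not code from the original post or from IIS Crypto. It assumes the Group Policy cipher-suite order lives in the "Functions" value under HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 as a comma-separated list (when that value is absent, Windows uses its built-in default order, which this script cannot read, so it falls back to a constructed sample list). It classifies each suite as forward-secret or not by its key exchange (DHE or its elliptic-curve sibling ECDHE) and can rewrite the order with every PFS suite first:

```powershell
# Added example, not code from the original post. Reads the Schannel cipher
# suite order that Group Policy writes to the registry (assumption: the
# "Functions" REG_SZ value under the key below, a comma-separated list; when the
# value is absent Windows falls back to its built-in default order, which this
# script cannot read) and reports which suites provide forward secrecy.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-ConfiguredCipherSuiteOrder {
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-ForwardSecrecySuite {
    param([Parameter(Mandatory)][string]$Suite)
    # Only ephemeral Diffie-Hellman (DHE) or ephemeral elliptic-curve
    # Diffie-Hellman (ECDHE) key exchange yields session keys that are not
    # derived from the server's private key.
    return [bool]($Suite -match '^TLS_(EC)?DHE_')
}

function Get-CipherSuiteReport {
    param([string[]]$Suites)
    $position = 0
    foreach ($s in $Suites) {
        $position++
        [pscustomobject]@{
            Position       = $position
            Suite          = $s
            ForwardSecrecy = Test-ForwardSecrecySuite -Suite $s
        }
    }
}

function Set-ForwardSecrecyFirst {
    # Returns the same list with every PFS suite moved ahead of the rest,
    # relative order preserved. Writes it back only with -Apply; Schannel
    # reads the value at boot, so a reboot is needed afterwards.
    param([Parameter(Mandatory)][string[]]$Suites, [switch]$Apply)
    $pfs   = @($Suites | Where-Object { Test-ForwardSecrecySuite -Suite $_ })
    $other = @($Suites | Where-Object { -not (Test-ForwardSecrecySuite -Suite $_) })
    $ordered = $pfs + $other
    if ($Apply) {
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name 'Functions' -Value ($ordered -join ',')
    }
    return $ordered
}

# Constructed sample list (suite names in the "_P384"-suffixed form Windows
# Server 2012 R2 uses), used when no policy order is configured on this box.
$Sample = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

$current = Get-ConfiguredCipherSuiteOrder
if ($current.Count -eq 0) { $current = $Sample }
Get-CipherSuiteReport -Suites $current | Format-Table -AutoSize
Set-ForwardSecrecyFirst -Suites $current            # preview only; add -Apply to write
```

Run the report first and keep the non-PFS suites at the end of the list rather than removing them outright; that gives older clients a fallback while modern browsers negotiate DHE or ECDHE, and you can drop the tail once the Netmon traces described below confirm nobody is still selecting it.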
My good buddy Mitch Tulloch just published a free eBook covering what’s new with Windows Server 2012 R2. The book has several pages covering IIS, and Mitch has done a terrific job covering it, as usual.
The book is available to download for free here, if you’d like to take a peek. IIS is covered in pages 79-84: http://blogs.msdn.com/b/microsoft_press/archive/2013/08/01/free-ebook-introducing-windows-server-2012-r2-preview-release.aspx
The book is specifically for MP, and a more extensive edition covering RTM is in the works.
Good news, everyone! After a long time in Beta, ARR 3.0 is finally out and about. Thanks to tremendous work done by Jenny Lawrance from the IIS Dev team and Pandian Ramakrishnan from the IIS Test team, Application Request Router is here, and has some terrific new features.
Head over to the blog post on IIS.NET to read more about it, and you can also find the direct download link there. If you’re a fan of WebPI (Web Platform Installer), you can use that to find it as well:
Like most settings in IIS, the deny-action options in Dynamic IP Restrictions can be adjusted from the IIS UI, or via PowerShell. In the UI, this is how it looks:
However, if you try to adjust this setting using PowerShell, you might find that the change doesn’t appear to show up in the management console. For example, if you run this PowerShell command:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/dynamicIpSecurity" -name "denyAction" -value "AbortRequest"
The command completes successfully, and if you query the property with Get-WebConfigurationProperty it returns the value you set, but the UI still shows the “old” value.
This might seem weird, but it is exactly how it’s supposed to behave. In the current version of IIS, the denyAction property exists in two places: one on dynamicIpSecurity, and another on ipSecurity. In the configuration file (applicationHost.config), this looks like this:
<security>
    <access sslFlags="None" />
    <applicationDependencies />
    <authentication>
        <anonymousAuthentication enabled="true" userName="IUSR" />
        <basicAuthentication />
        <clientCertificateMappingAuthentication />
        <digestAuthentication />
        <iisClientCertificateMappingAuthentication />
        <windowsAuthentication />
    </authentication>
    <authorization />
    <ipSecurity allowUnlisted="true" denyAction="AbortRequest" />
    <isapiCgiRestriction />
    <requestFiltering>
        <fileExtensions allowUnlisted="true" applyToWebDAV="true" />
        <verbs allowUnlisted="true" applyToWebDAV="true" />
        <hiddenSegments applyToWebDAV="true">
            <add segment="web.config" />
        </hiddenSegments>
    </requestFiltering>
    <dynamicIpSecurity denyAction="AbortRequest" />
</security>
If you change the configuration from the IIS manager UI, the configuration is adjusted for both, but with PowerShell, you need to adjust both using the following commands:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/dynamicIpSecurity" -name "denyAction" -value "AbortRequest"
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/ipSecurity" -name "denyAction" -value "AbortRequest"
If you fail to do so, you will end up with an inconsistent configuration.
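Wrapping the two commands in one function, and reading both values back afterwards, turns “you will end up with an inconsistent configuration” into something a script can catch. This is an added example, not code from the original post; it uses only the WebAdministration cmdlets the post already shows, and assumes the four denyAction values (AbortRequest, Unauthorized, Forbidden, NotFound) offered by the IP restrictions schema:

```powershell
# Added example, not code from the original post. Sets denyAction on both the
# dynamicIpSecurity and ipSecurity elements with the same cmdlets the post
# uses, then reads both back so a mismatch is reported instead of silently
# leaving the UI and the effective setting out of step.
Import-Module WebAdministration

$PsPath  = 'MACHINE/WEBROOT/APPHOST'
$Filters = @(
    'system.webServer/security/dynamicIpSecurity',
    'system.webServer/security/ipSecurity'
)

function Get-DenyActionValue {
    param([Parameter(Mandatory)][string]$Filter)
    $v = Get-WebConfigurationProperty -pspath $PsPath -filter $Filter -name 'denyAction'
    # Enum attributes may come back wrapped in an object with a Value member.
    if ($v -is [string]) { return $v }
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return [string]$v.Value }
    return [string]$v
}

function Set-DenyActionEverywhere {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AbortRequest', 'Unauthorized', 'Forbidden', 'NotFound')]
        [string]$DenyAction
    )
    foreach ($f in $Filters) {
        Set-WebConfigurationProperty -pspath $PsPath -filter $f -name 'denyAction' -value $DenyAction
    }
}

function Test-DenyActionConsistent {
    # $true when dynamicIpSecurity and ipSecurity carry the same denyAction.
    $values = foreach ($f in $Filters) { Get-DenyActionValue -Filter $f }
    $distinct = @($values | Select-Object -Unique)
    if ($distinct.Count -ne 1) {
        Write-Warning ('denyAction mismatch: ' + ($values -join ' vs '))
        return $false
    }
    Write-Verbose ("denyAction is '{0}' in both places" -f $distinct[0])
    return $true
}

Set-DenyActionEverywhere -DenyAction 'AbortRequest'
Test-DenyActionConsistent
```

Test-DenyActionConsistent on its own is also a handy drift check to run from a scheduled task or a configuration-audit script, since a later change made through only one of the two paths would show up as a warning.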
Cheers to Carl R for his help with this post!
Who doesn’t LOVE reading log files? Probably those who have really busy servers that generate hundreds of megabytes of logs every minute. Even though the log format of IIS is standardized and many tools can parse it easily, this still presents three challenges:
With the new version of IIS in Windows Server 2012 R2, we have enabled the logs to use ETW (Event Tracing for Windows). ETW is a special hook that allows the logging to be tracked in real time with special tools. In IIS, here’s how you enable ETW logging:
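The same switch can be flipped from PowerShell, which is handy when you manage many servers. The following is an added example and not code from the original post; it assumes that in IIS 8.5 the logFile element carries a logTargetW3C attribute accepting File, ETW or File,ETW (check Configuration Editor on your server if in doubt), and uses logman to confirm the ETW provider named later in this post is registered:

```powershell
# Added example, not code from the original post. Switches W3C logging to ETW
# from PowerShell instead of the UI. Assumes IIS 8.5 on Windows Server 2012 R2,
# where the logFile element has a logTargetW3C attribute accepting File, ETW
# or File,ETW (assumption; verify the attribute exists in Configuration Editor).
Import-Module WebAdministration

$PsPath = 'MACHINE/WEBROOT/APPHOST'

function Get-LogFileFilter {
    param([string]$SiteName)
    # Server-wide site defaults unless a specific site is named.
    if ($SiteName) { return "system.applicationHost/sites/site[@name='$SiteName']/logFile" }
    return 'system.applicationHost/sites/siteDefaults/logFile'
}

function Set-W3CLogTarget {
    param(
        [Parameter(Mandatory)][ValidateSet('File', 'ETW', 'File,ETW')][string]$Target,
        [string]$SiteName
    )
    Set-WebConfigurationProperty -pspath $PsPath -filter (Get-LogFileFilter $SiteName) -name 'logTargetW3C' -value $Target
}

function Get-W3CLogTarget {
    param([string]$SiteName)
    $v = Get-WebConfigurationProperty -pspath $PsPath -filter (Get-LogFileFilter $SiteName) -name 'logTargetW3C'
    if ($v -is [string]) { return $v }
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return [string]$v.Value }
    return [string]$v
}

# Keep the text file too: existing log parsers keep working while real-time
# consumers such as Message Analyzer attach to the ETW provider.
Set-W3CLogTarget -Target 'File,ETW'
Get-W3CLogTarget

# Confirm the provider this post refers to is registered on this machine.
logman query providers 'Microsoft-Windows-IIS-Logging'
```

Choosing File,ETW rather than ETW alone means your archived text logs, and any retention or compression scheme you already run on them, continue unchanged; ETW is an additional real-time tap, not a replacement for the files.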
Once a request is received by IIS, the event viewer will show it immediately (as opposed to text-file based logging, in which flushing to the log takes approximately 30 seconds). In addition to this, you can hook into the ETW provider directly using tools such as Message Analyzer. Message Analyzer, currently in Beta 3, can hook directly into ETW, capture events in real time and filter the output. By configuring your filters cleverly, you can easily find the information you need even on a server that handles thousands of requests per second.
To configure Message Analyzer to hook into ETW, follow these steps:
1. Open Message Analyzer
2. Go to Capture/Trace
3. In the top-right corner, in the Search and add providers input box, type in Microsoft-windows-IIS-logging (you don’t have to type in the whole thing…just type “iis-l” to get to it fast).
4. Optionally, add a capture filter. For example, if you are trying to track the access by a specific iPad to your Exchange server ActiveSync, you can create a filter for that specific device ID, which will appear in the URL. To do so, find the device ID and create a filter for it. A typical iPad request to ActiveSync will look like this:
http://www.contoso.com/Microsoft-Server-ActiveSync?User=sbbgpowl&DeviceId=ApplDLFHXGSG12DY&DeviceType=iPad&Cmd=Ping
Setting your filter to:
Contains=="ApplDLFHXGSG12DY"
will show only requests from this device. Setting the filter to “iPad” will show requests from all iPad devices. Similarly, you can filter for any of the text in the custom fields you may have configured in IIS enhanced logging.
5. Click Start With to start the capture.
Now, the analyzer will show any incoming requests to IIS that match your filter expression. Clicking on a request will show the details. For example:
As you can see, the details pane on the bottom-left shows the fields that were captured. The filtering abilities of Message Analyzer are very useful for servers that are handling a large amount of traffic. You can set your filters to run during capture, which is ideal, if you know what you’re looking for. You can also set the filters later, once you know you got what you need. For example, the Quick Filter button on the top-right allows you to filter for a specific time using a neat slider:
And beyond this…the things you can do are endless.
Like it? Download the Preview release of Windows Server 2012 R2 and enjoy!
Ever since the days when a log was just a piece of wood used to measure the speed of a ship, captains have looked for ways to know what’s going on below deck, and with the new version of IIS in Windows Server 2012 R2 we have kicked the logging ability of IIS up multiple notches.
IIS’ logging abilities have always been above average and highly customizable, but now, it’s even better. We have introduced an ability for the administrator to configure IIS to log multiple fields that were previously available only with packet-level inspection. When configuring logging, the administrator can now add custom fields that store:
1. Request headers
2. Response headers
3. Server Variables
For example, until now, you could log the port the client was connecting to…but not the port it was connecting from. Now you can do this easily, as well as many other fields. To do so, you click on Logging (either at the server level, or site level) and click on Select Fields:
As you can see, this lists the fields that you are probably familiar with from previous releases…but also the custom fields at the bottom. To add a field, click on Add Field, give your custom field a name, and select from the drop-downs:
The other groups of items provide the following selection:
Request Headers: Accept, Accept-Charset, Accept-Encoding, Authorization, Cache-Control, Connection, Content-length, Content-MD5, Content-Type, Date, Expect, From, Host, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Max-Forwards, Pragma, Proxy-Authorization, Range, Referer, TE, Upgrade, User-Agent, Via, Warning
Response Headers: Accept-Ranges, Content-Type, ETag, Last-Modified, Server
Server Variables: ALL_HTTP, ALL_RAW, APPL_MD_PATH, APPL_PHYSICAL_PATH, AUTH_PASSWORD, AUTH_TYPE, AUTH_USER, CERT_COOKIE, CERT_FLAGS, CERT_ISSUER, CERT_KEYSIZE, CERT_SECRETKEYSIZE, CERT_SERIALNUMBER, CERT_SERVER_ISSUER, CERT_SERVER_SUBJECT, CERT_SUBJECT, CONTENT_LENGTH, CONTENT_TYPE, GATEWAY_INTERFACE, HTTP_ACCEPT, HTTP_ACCEPT_ENCODING, HTTP_ACCEPT_LANGUAGE, HTTP_CONNECTION, HTTP_COOKIE, HTTP_HOST, HTTP_METHOD, HTTP_REFERER, HTTP_URL, HTTP_USER_AGENT, HTTP_VERSION, HTTPS, HTTPS_KEYSIZE, HTTPS_SECRETKEYSIZE, HTTPS_SERVER_ISSUER, HTTPS_SERVER_SUBJECT, INSTANCE_ID, INSTANCE_META_PATH, LOCAL_ADDR, LOGON_USER, PATH_INFO, PATH_TRANSLATED, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQUEST_METHOD, SCRIPT_NAME, SERVER_NAME, SERVER_PORT, SERVER_PORT_SECURE, SERVER_PROTOCOL, SERVER_SOFTWARE, UNMAPPED_REMOTE_USER
In addition to the pre-populated items, you can also type in your own custom field data. For example, a common challenge for security people and network administrators is the need to record the IP of connecting clients. On servers that are directly on the network, this is not a problem, but if the web server is front-ended by a load balancer, the logged IP will be the IP of the load balancer itself. Load balancers can usually be configured to forward the IP of the originating client in a custom HTTP header named “X-FORWARDED-FOR” (http://en.wikipedia.org/wiki/X-Forwarded-For). The load balancer, before forwarding the request, attaches a request header by that name which contains the IP of the client the request was forwarded for. By adding a custom request-header field like this, we can record it in the IIS logs and use the data for whatever purpose we need:
Once you add in any additional fields, IIS will create log files with _x appended to the file name, which indicates that these are log files containing the extra fields:
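Both halves of this, adding the X-Forwarded-For field and then making sense of what lands in the _x log, can be done from PowerShell. The block below is an added example, not code from the original post. It assumes the IIS 8.5 customFields collection under logFile, whose entries take logFieldName, sourceName and sourceType (RequestHeader, ResponseHeader or ServerVariable), and the log excerpt it parses is constructed for the example. The parser is general for any W3C log with a #Fields line, and Get-ClientAddress deals with the one thing that bites people with this header: a client can send its own X-Forwarded-For value, so only the entries your own load balancer appended (counted from the right) are trustworthy.

```powershell
# Added example, not code from the original post. Adds the X-Forwarded-For
# request header as a custom log field from PowerShell, then reads a log
# written with that field and recovers the real client address. Assumes the
# IIS 8.5 customFields collection under logFile, whose entries take
# logFieldName, sourceName and sourceType (RequestHeader, ResponseHeader or
# ServerVariable). The log lines below are constructed, not a real capture.
Import-Module WebAdministration

function Add-XffLogField {
    param([string]$LogFieldName = 'ClientIP')
    Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' `
        -filter 'system.applicationHost/sites/siteDefaults/logFile/customFields' `
        -name '.' -value @{ logFieldName = $LogFieldName; sourceName = 'X-Forwarded-For'; sourceType = 'RequestHeader' }
}

function ConvertFrom-W3CLog {
    # Turns W3C log lines into objects whose property names come from #Fields.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = @($line.Substring(8).Trim() -split ' '); continue }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

function Get-ClientAddress {
    # X-Forwarded-For reads "client, proxy1, proxy2": each proxy appends the
    # address it received the connection from. A client can put anything it
    # likes at the front, so the only trustworthy entries are the ones your own
    # proxies appended, counted from the right. W3C logging writes spaces as
    # '+', hence the trim below.
    param(
        [Parameter(Mandatory)]$Entry,
        [string]$XffField = 'ClientIP',
        [int]$TrustedProxies = 1
    )
    $raw = $Entry.$XffField
    if (-not $raw -or $raw -eq '-') { return $Entry.'c-ip' }   # header absent: direct connection
    $hops = @($raw -split ',' | ForEach-Object { $_.Trim('+', ' ') } | Where-Object { $_ })
    $index = [Math]::Max(0, $hops.Count - $TrustedProxies)
    return $hops[$index]
}

# Constructed "_x" log excerpt: ClientIP is the custom field added above.
# The second request carries a client-supplied X-Forwarded-For value
# (198.51.100.9) ahead of the address the load balancer appended.
$SampleLog = @(
    '#Software: Microsoft Internet Information Services 8.5',
    '#Fields: date time c-ip cs-method cs-uri-stem sc-status ClientIP',
    '2013-07-01 10:00:01 10.0.0.5 GET /index.htm 200 203.0.113.7',
    '2013-07-01 10:00:02 10.0.0.5 GET /login 200 198.51.100.9,+203.0.113.7',
    '2013-07-01 10:00:03 10.0.0.5 GET /health 200 -'
)

ConvertFrom-W3CLog -Lines $SampleLog | ForEach-Object {
    [pscustomobject]@{ Time = $_.time; Url = $_.'cs-uri-stem'; Client = Get-ClientAddress -Entry $_ }
}
```

Set -TrustedProxies to the number of proxies you control in front of IIS (one for a single load balancer, two if a CDN sits in front of it), and make sure the load balancer itself appends to the header rather than passing an untouched client-supplied value through; otherwise the logged address is whatever the client chose to write.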
The enhanced logging is managed by a new service in Windows 2012 R2 called “W3C Logging Service”. As opposed to previous generations of IIS, where the HTTP protocol stack would be doing the logging, the new service sits in-between, which allows it to collect the headers and put them in the log. This service is stopped by default and set to “manual” startup. When you add a field to enhanced logging and the site receives a request, the service will be started (although the startup mode remains on Manual) and logging the enhanced fields will commence.
Like it? Download the preview of Windows Server 2012 R2 here, and enjoy!
As I mentioned before, one of the things we had a particular interest in addressing with this release of IIS as part of Windows Server 2012 R2 was its scalability when handling a large number of sites. A key ingredient for this is what we call site “activation” or “registration”. This refers to the interaction between IIS and the Windows HTTP protocol stack (http.sys). When the system loads and the various services start, the HTTP stack and IIS work together to establish queues, which listen for incoming requests.
With Windows 2012 released last year, as well as earlier versions of Windows, IIS was designed to “activate” (create queues for) all the sites that were configured on it on startup. This is no big deal if you have just a few sites on your server, but if you have hundreds or thousands of websites, this takes a while and consumes a lot of memory and kernel resources. To be clear, this does NOT refer to the action of spinning up a worker process for a site. Creating a worker process only happens when a request for a site is received.
If you are running a large number of sites on a single server, you will be happy to know that we have implemented a new feature called Dynamic Site Activation. When it is enabled, IIS doesn’t create queues and bindings for all sites in HTTP on startup. Instead, IIS creates one queue which listens for everything, and will create specific queues for specific sites only when a request actually arrives for it. This allows the IIS service to start much faster, and consume a lot less memory.
As I said, this feature is more relevant for servers running a large number of sites, and so we have configured it with a threshold of 100 sites. On servers with fewer sites than that, it will be off by default. If the server does have 100 sites or more, it will not create the queues for them upon startup, and if you observe the kernel paged pool memory usage, the difference should be quite visible. It will also result in IIS taking noticeably less time to restart, as it won’t need to release all of the registered queues and bindings with HTTP.
If you are running a lower number of sites, you can configure the threshold to a lower value, though I should note that the performance difference is smaller on a small number of sites, and at some point it may even be a tad slower.
To see this feature in action, run the command netsh http show servicestate on your server. This command shows a list of queues (sites that are “registered”). For example:
On a Windows 2012 server, you would see a list of all the sites you have configured. On a Windows 2012 R2 server with DSA active (that is, with a number of websites over the threshold), the number of queues will typically be lower, and the command will only show the registered queues. If you don’t have a lot of sites and you want to explore this, simply set the threshold to a number lower than your total number of sites, and restart IIS. To configure this:
1. In the IIS console, Go to Configuration Editor:
2. Go to weblimits
3. Change dynamicRegistrationThreshold value to one that suits your needs:
4. Restart IIS
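The same four steps from PowerShell, as an added example that is not code from the original post. It assumes the dynamicRegistrationThreshold attribute lives on system.applicationHost/webLimits (the element the Configuration Editor steps above point at) and that IIS 8.5 on Windows Server 2012 R2 is in use; it reports whether DSA is currently active by comparing the threshold with the number of configured sites, and then runs the same netsh command the post uses so you can compare before and after a restart:

```powershell
# Added example, not code from the original post. Reads and changes the
# Dynamic Site Activation threshold (the dynamicRegistrationThreshold
# attribute of system.applicationHost/webLimits) from PowerShell, and shows
# whether the feature is active by comparing it with the number of sites.
# Assumes IIS 8.5 on Windows Server 2012 R2.
Import-Module WebAdministration

$PsPath = 'MACHINE/WEBROOT/APPHOST'
$Filter = 'system.applicationHost/webLimits'

function Get-DynamicRegistrationThreshold {
    $v = Get-WebConfigurationProperty -pspath $PsPath -filter $Filter -name 'dynamicRegistrationThreshold'
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return [int]$v.Value }
    return [int]$v
}

function Set-DynamicRegistrationThreshold {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 2147483647)][int]$Threshold,
        [switch]$RestartIIS   # the new value is used when the IIS service restarts
    )
    Set-WebConfigurationProperty -pspath $PsPath -filter $Filter -name 'dynamicRegistrationThreshold' -value $Threshold
    if ($RestartIIS) { iisreset }
}

function Test-DynamicSiteActivation {
    # Sites are registered with http.sys on demand once their number reaches
    # the threshold; below it, every site is registered at startup.
    $siteCount = @(Get-ChildItem 'IIS:\Sites').Count
    $threshold = Get-DynamicRegistrationThreshold
    [pscustomobject]@{
        Sites     = $siteCount
        Threshold = $threshold
        Active    = ($siteCount -ge $threshold)
    }
}

Test-DynamicSiteActivation
# What http.sys currently has registered; with DSA active, sites that have not
# yet received a request are missing from this list after a restart.
netsh http show servicestate
```

To try the feature on a small test box, run Set-DynamicRegistrationThreshold with a value below your site count and the -RestartIIS switch, then re-run Test-DynamicSiteActivation and the netsh command; remember that, as noted above, on a handful of sites the gain is small and may even reverse, so this is a lab exercise rather than a production recommendation.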
Like this feature? Go ahead and download the preview of Windows Server 2012 R2 here. We here in the IIS Dev team hope you enjoy it!
In the next few weeks, I’ll be posting several additional posts about the new features in IIS 8.5, and we will be posting documentation on our main site http://www.iis.net, as well as on TechNet. We have also presented about the new features as part of TechEd, both in North America and Europe. If you are anxious to learn about the new features and see them in action, both presentations are available to view and download. The content is very similar in both, other than the personal style and preferences of the presenter, of course. Here are the links:
Session at TechEd North America, by Erez Benari and Ahmed ElSayed
Session at TechEd Europe, by Wade A. Hilmo