check it out on IIS.NET - http://learn.iis.net/page.aspx/208/fastcgi-with-php/ 

here are a couple of excerpts from the article that I strongly recommend:

-----------

PHP Security Recommendations

The following recommendations describe how to tighten security of PHP in shared hosting environment. To make the recommended changes locate and open php.ini file and edit it as described below:

1. Disable remote URL's for file handling functions:
   • Set allow_url_fopen=Off
   • Set allow_url_include=Off
2. Disable register_globals:
   • register_globals=Off
3. Restrict where PHP can read and write on a file system, e.g.:
   • open_basedir="c:\inetpub\"
4. Disable safe mode:
   • safe_mode=Off
   • safe_mode_gid=Off
5. Limit script execution time:
   • max_execution_time=30
   • max_input_time=60
6. Limit memory usage and file sizes:
   • memory_limit=16M
   • upload_max_filesize=2M
   • post_max_size=8M
   • max_input_nesting_levels=64
7. Configure error messages and logging:
   • display_errors=Off
   • log_errors=On
   • error_log="C:\path\of\your\choice"
8. Hide presence of PHP:
   • expose_php=Off

-----------
and how to ensure you can configure your own PHP.INI for each site:
-----------

Specifying php.ini location

When PHP process starts it determines the location of configuration php.ini file by using various settings. The PHP documentation provides detailed description of the PHP start up process. Note that one of the places where PHP process searches for php.ini location is the PHPRC environment variable. If PHP process finds a php.ini file in the path specified in this environment variable then it will use it, otherwise it will revert to default location of php.ini. This environment variable can be used to allow hosting customers to use their own versions of php.ini files.

For example if there are two websites: website1 and website2; located at the following file paths: C:\WebSites\website1 and C:\WebSites\website2 then the php-cgi.exe process pools in <fastCgi> section of applicationHost.config can be configured as below:

<fastCgi>
    <application fullPath="C:\PHP\php-cgi.exe" arguments="-d my.website=website1">
        <environmentVariables>
            <environmentVariable name="PHPRC" value="C:\WebSites\website1" />
        </environmentVariables>
    </application>
    <application fullPath="C:\PHP\php-cgi.exe" arguments="-d my.website=website2">
        <environmentVariables>
            <environmentVariable name="PHPRC" value="C:\WebSites\website2" />
        </environmentVariables>
    </application>
</fastCgi>

This way owner of website1 can place their own version of php.ini into the C:\WebSites\website1, while the owner of website2 can use their own version of php.ini located in C:\WebSites\website2. This configuration also ensures that if there is no php.ini found in location specified by PHPRC environment variable then PHP will fall back to using the default php.ini file located in the same folder where php-cgi.exe is located.
-----------

Check it out in more detail

- jorke

I had a few questions from an old colleague, Virgil, who had just built a 2008 server core machine and was having issues configuring FTP. Without asking I knew Virgil would be chasing an FTP server that would have some method of secure transport such as FTPS and pluggable authentication methods, I know this because he's an interoperable kind of guy :)

He'd already been trying to configure this with the default install of FTP that comes with Server 2008, but I recommended that he use the downloadable version from the iis.net website. Only issue here is that you have to uninstall the old FTP server before that will install, then configure the service all over again... so after about 30 minutes of furious IM conversations this is how we did it..

First we uninstalled the FTP Service that comes with 2008 :

start /w pkgmgr /uu:IIS-FTPPublishingService;IIS-FTPServer

Then downloaded the FTP publishing service for IIS 7, with the friendly name of FTP7;
- x86 - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1619
- x64 - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1620 

and installed it:

msiexec /i ftp7_x86_rtw.msi

Once that was in we simply had add the appropriate bindings to the site, like so (Make sure you close your quotes properly or it goes NUTS!) :

c:\windows\system32\inetsrv\appcmd.exe set site /site.name:"Default Web Site" /+bindings.[protocol='ftp',bindingInformation="*:21:"]

then we simply had to set an authorised user to the server:

c:\windows\system32\inetsrv\appcmd.exe set config "Default Web Site" /sectionystem.ftpserver/security/authorization /+[accessType='Allow',permissions='Read,Write',roles='',users='ftpuser'] /commit:apphost

And we were done! (or so we thought!).... On attempting to connect to the FTP server we ended up with the error :

534-Policy requires SSL.
Win32 error:   Access is denied.
Error details: SSL policy requires SSL for control channel.
534 End
Login failed.

ahh that's right - by default the FTP install is set to run as FTPS thus requiring a secure connection... to turn off this feature (it was a lab environment and didn't require secure transfer) resulted in a LOT of head scratching, eventually to save time we popped open the applicationhost.config file and and added theses lines in the <site /> tag..:

<ftpServer>
   <security>
      <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
   </security>
</ftpServer>

Not very elegant but served the purpose - a bit more investigation I eventually fell upon the answer using the IIS7 Administration Pack, which allowed me to generate the correct script:

c:\windows\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites /[name='Default Web Site'].ftpServer.security.ssl.controlChannelPolicy:"SslAllow" /[name='Default Web Site'].ftpServer.security.ssl.dataChannelPolicy:"SslRequire" /commit:apphost

And there we go, FTP7 configured on Windows Server 2008 Core - couldn't be easier to script...

- jorke

For those that have visited my session at the hosting days "Silverlight for Web Hosters" here are the example sites that I used in the presentation.

• Big Brother 08 - http://www.bigbrother.com.au/live-stream-sl.htm
• ABC - http://shop.abc.net.au/browse/product.asp?productid=752400 (click preview)
• Home Shopping Network - http://hsn.tv
• BBC radio Deep Zoom - http://bigweekend.external.bbc.co.uk/
• Hard Rock Cafe Memorabilia collection Deep Zoom - http://memorabilia.hardrock.com/
• Chinese tapestry with intergrated storyboard - http://demos.e-crusade.com/TNM/TNM_Web/
• Searching with Silverlight using a little know search engine :) - http://www.tabletpcpost.com/search/

If I find some more that demonstrate some interesting things, I'll make sure I add them.

- jorke

Another event down REMIX08 - two cities on week - what a blast. Check out Michael Kordahi's wrap up of the event -  Shane Morris doing the artwork, all seemed very Penn and Teller to me. err and excuse my shaky hands, i was TIRED!

Both venues were fantastic and kudos to Fin for an awesome job lining these up.

I actually came very close to missing my presentation in Melbourne as I was doing the Hosting Days in Brisbane - I jumped on a plane, landed at 4:15 and was at town hall by 4:45 thanks to some smart driving from my mate Mustafa - who picked me up from the door of the airport.. I stepped into town hall and pretty much walked straight on stage, opening line "I just flew in from Brisbane, boy are my arms tired..." ... <silence> (except for Nick Hodge giggling away) - I'm pretty sure it picked up from there as there were some great questions.

UPDATE: Here are my slides from the event via Skydrive!

Resources:

Bit Rate Throttling  - http://blogs.iis.net/vsood/archive/2008/03/17/dynamic-throttling-with-bit-rate-throttling.aspx 
Web Playlists  -http://blogs.iis.net/vsood/archive/2008/05/01/web-playlists-how-does-that-thing-work.aspx

-jorke

reMIX is back this year bigger and faster than ever. I know this is old news but I'm running a little behind at the moment.

Check out the website and Register now for a bargain price of $199 (Inc GST) - we are doing 1 day in 2 cities:

Sydney

Melbourne

   May 22
   Melbourne Town Hall
   Cnr Swanston & Collins
   Street, Melbourne

Shanemo and delicategenius are the content head honchos and have done an awesome job of pulling together great speakers and content - checkout the session list.

I've managed to land a speaking gig right before drinks!;

"Bringing Hosters and Developers together with IIS7"* - Come learn about all the great new features in Microsoft Internet Information Services 7 for hosters and web farm managers including creating a highly customizable environment for building scalable and reliable media applications.*

* subject to change!

Many exciting things happening leading up to this, check out your chance to win free tickets, a zune or a silverlight skateboard.

- jorke

via Christian

This years Hosting Days is "Fast Tracking Your Success with FastLane" in a city somewhere close to you, unless you are in Darwin or Alice Springs or Cameron's Corner....

Phil and I have the first track, which is the fun track all about the HOW of hosting.

Go to https://partner.microsoft.com/australia/40048707 to see the agenda and register

see you there!

- jorke

For the past few days a "Cyber attack" has been taking place and according to internetnews.com :

"number of infected IIS servers at 282,000. Less than a day later, security firm F-Secure wrote its own blog entry, putting the infestation at over 500,000"

and f-secure :

"Performing a Google search results in over 510,000 modified pages."

Without pointing out the reporting inconsistencies between servers and pages .... what is actually happening here..

First of all its not at all related to the security advisory that was released last week. Nor is it in fact related to any other security issue with IIS, ASP, ASP.NET or Windows. It's really important to understand that, its all to do with dodgy and insecure development practices.

Well very simply put its an age old SQL injection attack on a web site that modifies the return code adding a hidden link to a site that downloads malware to client viewing the web page. Nothing new technology wise here, just a new method of delivery - which really should not affect those who have kept their machines up-to-date.

In this case the attackers have chosen to target ASP/ASPX based web sites that have poorly written validation methods and deliver their code via a database content management system. The result being that pages on the site will return a hidden script tag that directs to one of the sites listed in the earlier articles - which picks on particular vulnerabilities available on the client machine, not just those related to software developed by Microsoft either.

Well that's all very nice you say - but "How do I protect myself against these kind of attacks?".

The way I see it, there are three areas of responsibility where lies the ability to protect the world against those few malicious people.

1. The Developer - FIX YOUR BROKEN CODE! Seriously - check your code for possible attack vectors and test, test test. I've seen heaps of web sites and web servers compromised due to poorly written or no validation checking. Incorrect security settings deploying to high risk environments. Don't always assume you know who is going to access your app. Don't assume that app will exist with everything local to it. Catch those errors - I could go on. There is heaps of guidance around this - here is a few to start you off:

• Web Development Best practices
• SQL injection mitigation

2.The Client - Keep your machine up-to-date - as Coatsy says "go to update.microsoft.com and Download the golden padlock of goodness" from Microsoft Update.

3. The System Admin / Hoster / Guy who has to run the web server - Hey I sympathise with you most (of course I would!) You have to get a site with poorly written code up and running, and now what? you have to check the thing isn't going to compromise your server? but of course the code supplied doesn't work in your standard low security settings to you need to bend the rules to allow that code to work.. Be Strong!

• ASP.NET trust levels
• Securing ASP.NET in Shared Server

But you may have been too late, and you have to clean this mess up on your server - how are you going to prevent this malicious code being delivered to and from your server, while keeping everything up and running?

Stop the attack coming in

If you are using IIS7 or URLScan on IIS6.0/5.1 you can filter the request to prevent the incoming attacks. In IIS7 This is what the configuration string looks like in your server wide applicationhost.config file (based on the info in articles):

<requestFiltering>
<denyUrlSequences>
  <add sequence="DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300" />
</denyUrlSequences>
</requestFiltering>

Stop it going out

This is a little trickier, but due to the awesome modularity of IIS7 (only going to look at this) you can very easily write a module that can look in all the requests scan for the URL sequence in the response and send it to null. More information on doing this is at the IIS.NET website. Hey, if I get enough comments I'll write one and post it up here!

Done and Dusted

What we all need to remember about these kind of attacks is that vulnerability in the web sites being targeted are not limited to just a particular operating system platform. SQL Injection attacks is rampant in many platform agnostic applications and its such a simple thing to prevent.

As you have probably guessed I'm pretty passionate about this subject, and when I see such misguided reports and irrational reactions to incorrect or misunderstood information, it inspires me to ensure that the truth of the issue is available. Speaking personally; In my short time at Microsoft, I have never seen such commitment behind ensuring that the Windows Operating System is the most versatile and secure operating system on earth.

- jorke

Note: Graphics "borrowed" from Microsoft Japan Security Bulletins

Important heads up with regards to a potential privilege escalation issue when running under NetworkService – which we all know is the IIS default.... But also note that it requires native code or full trust .NET.

Hosting Providers with Shared Hosting configurations should pay careful attention to this and ensure that they are running a customised version of medium trust at the very least - http://msdn2.microsoft.com/en-us/library/ms998341.aspx. Also be wary of any custom ISAPI extensions - i.e do a code review.

High level summary:

Processes running under Network Service identity can elevate to Local System on XP, Win2k3, Vista and Win2k8. Additionally, on Win2k3 any process running with an identity that has SeImpersonatePrivilege can elevate to Local System, and this privilege is required by IIS worker process identity. The Elevation of Privilege requires running native user code or full-trust managed code.

Our guidance is of course to move your app move WPI away from NetworkService to a windows account. Additionally on Win2k3, our guidance includes disabling Distributed Transaction Coordinator service (to close the hole where any identity with SeImpersonatePrivilege can elevate).

More information here: http://www.microsoft.com/technet/security/advisory/951306.mspx

Let me know if you have any further questions or require advice.

- jorke

UPDATE (6:23pm 18/4/08):

One of our local developers Dallas J Clark (Brisbane local) blogged about an article that shows PHP with a 130% performance increase on Windows Server 2008 - and of course there have been a few comments asking about the metrics of the comparison etc. So naturally I'm wading into to try and clear the water..

I have to agree that there are a lot of unknowns and its difficult to do a competitive comparison with such little comparative data. What needs to be understood as that the results are for a specific case that the customer experienced, see the case study right here.

The facts are that Microsoft has spent a lot of time working with Zend to ensure that PHP has been engineered to run well on Windows.

The key difference to understand here is that you need to understand the execution architecture differences between *nix vs Windows, respectively multi-process vs multi-threaded. As CGI is designed for multi-process execution this can give pretty ordinary performance on Windows due to the threads/cycles involved in spinning up processes every time a request is processed by the web server. Of course you could attempt multi-threading using the ISAPI filter but ask what the results were from anyone who has tried :) – especially when you are not using code you have written all yourself – thus the best way to ensure reliable performance on Windows is to run via CGI – which of course the performance is not optimal.

Now how has this changed; IIS 7 has a FastCGI module as part of its install which by its design will make anything CGI based run faster, the idea being that it allows you to process multiple requests in the one connection and once the script has been processed the FastCGI process will keep running, waiting for more requests until its spun down as part of the web server.  So in this case using PHP, it eliminates the constant overhead of loading PHP into memory each time a request needs to be processed or course increasing the speed of the request.

Also there are the “NTS” non thread safe windows binaries of PHP that are available off the php.net site - These binaries allow you to execute your code without needing to wait for thread synchronisation, meaning a HUGE performance increase. Couple this with FastCGI then you are you going to experiencing PHP running at a speed never before possible.

To test this I ran a little test, for metrics sake this is Windows Server 2008 Enterprise running in Virtual PC 2007 - allocated 512MB of RAM. The host machine is a HP Compaq Laptop

nc8430 Core 2 Duo @ 2.16Ghz and 4GB RAM, with a 7200 rpm disk, running Vista of course. My methodology was to grab a simple PHP site, run PHP with the standard CGI Module run a performance test, then change handler mapping to run the FastCGI Module and run the same performance test. The site I tested was on Qdig and performance tests were using the Web Capacity Analysis Tool (WCAT). The metric measured was Get Requests / second, because this is an indication of how long the requests are taking before they need to be queued by the web server.

On the left - NTS PHP with CGIModule - maximum approx 30 rps

On the right - NTS PHP with FastCGIModule - maximum approx 870 rps

Of course your mileage will vary, but you will have a comparable or better experience than on other platforms.

Questions?

-jorke

Attended a great presentation at MIX by Tito Leverette Web Platform Architect Evangelist aka Hosting Guy from Atlanta and Rob Cameron Developer Evangelist aka Dev Guy:

Bring Hosters and Developers together with IIS7

I thought they did a great job of pointing out the differences between what a Dev guy wants and what hoster guy is going to give them :) Tito did a great job of giving the classic "BUT NARRR" then explaining why - but then again I am hoster biased...

-jorke

So I'm in vegas at MIX08 and have spent ages typing a post about some awesome new media delivery technologies that have been released when I noticed Chris Knowlton - Senior Product Manager and the King of Windows Media Streaming had already done it! - check it out here - http://blogs.iis.net/chriskno/archive/2008/03/06/exciting-media-announcements-at-mix08.aspx 

I love that the bit rate throttling was demo'd in the keynote, and I love more I managed to show it off before MIX - last Tuesday at the Melbourne Heroes Launch!

-jorke

Launch of SQL 2008, Visual Studio 2008 and most importantly Windows Server 2008 !

I'm part of the launch event in the server track - presenting the session :

It's a click and go world { accelerate it! }

Where I spend my time looking at configuring Windows Server 2008 for web workloads.

This is a really awesome track that Michael Kleef has owned the design of, it shows the whole platform interacting, addressing major concerns that an IT pro has and how to integrate this into your environment. We have a kick-ass Hyper-V environment that runs on a HP server system with 16 cores - All our demos are run live of this platform.

In my session I really focus on the web workload and how you can take advantage of the number one reason people want Windows Server 2008 - IIS 7.0!

Follow the photos of the launch on Flickr and the twitter feed.

Here are the dates we're in town - I'll be there a day beforehand for setup, so if you to catch up, be sure to ping me.

Sydney: Thu 28 Feb
Melbourne : Tue 4 Mar
Las Vegas(MIX08): Wed 5 - Fri 7 - not part of the launch, but if you're there :)
Adelaide: Thu 13 Mar
Perth: Wed 19 Mar
Brisbane: Wed 26 Mar
Canberra: Wed 2 Apr

- jorke

and my brain is officially full - lots of awesome stuff to talk about. But straight back to work.

Now preparing for the Heroes Happen Launch - be sure to register @ http://www.heroeshappen2008.com.au/

here are the dates:

Sydney: Thu 28 Feb
Melbourne : Tue 4 Mar
Las Vegas(MIX08): Wed 5 - Fri 7
Adelaide: Thu 13 Mar
Perth: Wed 19 Mar
Brisbane: Wed 26 Mar
Canberra: Wed 2 Apr

its going to ROCK! Can't wait to see you all there

- jorke

the shear brain power of having 6000 geeks in one location with thousands of session on the coolest technology arround.. how to describe.. its amazing and my brain is now full! Had to take break last night so after a quick run around @ 'asking the experts' - Jeffa, Kleefy and myself went to the Seattle Supersonics vs Utah Jazz NBA.

The supersonics were smashed by the jazz, and looks like there will be a 1-1 basketball challenge on the upcoming Wave Launch between Jeffa and Kleefy :)

Meeting with some great people from all around the world, its great to hear that the problems we all have locally do reflect internationally.. its amazing that even Americans know our issues around our broadband infrastructure!

The food is pretty interesting too..

try and tell that isn't a deep fried rat.. was tasty though.

-jorke

Well I'm in Seattle for our internal tech conference, TechReady with heap of other aussie DPE folks; Jeffa, Kleefy, Barnesy, Coatesy(visiting before going to the Office Developers Conference), Rog, Nils and of course Frank is omnipresent :)

Really enjoying the weather (seriously) although compared to home is is officially brass monkeys..

Been a busy and exciting time already; Had a 2nd hand brush with fame; While dining at Ruth Chris,  Kleefy shook hands with Steve Ballmer, while steve was walking out of the bathroom... I've been hanging with all the web platform evangelists from around the world at our pre-summits. Even had a chance to catch up with Wardy to check out some of the cool projects he's been up to.

So if you're in town, shoot me a line and we'll catch up.

- jorke