IIS Insider - July 2002
By Brett Hill
Resolving to Correct IP Address Without Using DNS
Q: We have a small company with an IIS server. I have two NICs on our Windows 2000 Server. One is the public network that connects IIS to the Internet and the other is for our private network. When you type http://servername, the name resolves to the public IP address instead of the private IP address. How can we configure the server so that the server name is associated with the private network without using DNS?
A: When you type in http://servername, the first thing that occurs is a check of the name against the name of the server to see whether a match is made. If so, the first interface bound to the Client for Microsoft Networks is used as the IP address for the server. You can control which IP address is used by setting the binding order found in My Network Places | Properties | Advanced | Advanced Settings. In the Connections box, move the Connection representing the internal network to the top of the list. I also strongly recommend that you disable File and Print Sharing for Microsoft Networks, as well as the Client for Microsoft Networks, on the public network card. In addition, it is essential to properly protect your server and internal networks with a firewall such as the Microsoft Internet Security and Acceleration Server.
Which ISAPI Filters Can Be Removed?
Q: In the Master Properties of the WWW service accessed from the Internet Information Services snap-in, there are several ISAPI filters listed that are installed by default with IIS. While it is a common security practice to remove application mappings that are not required, there is not much information available about the default ISAPI filters and what services they perform on the server. Can you explain what they do and if it is safe to remove them?
A: For background information on ISAPI filters, see "Can ISAPI Filters Run in a Separate Process Space" in the May 2002 IIS Insider. As for removing ISAPI filters, that is generally not a problem as you can simply add them back to the listing should you require it. You will need to stop and restart IIS in order for the changes to take effect.
The default filters are as follows:
- Sspifilt: Provides support for SSL
- Compression: Used when the Compression feature is enabled
- Md5filt: Digest authentication
- Fpexedll.dll: Allows for compatibility with FrontPage 97
In most cases, you can safely remove all of these filters except for sspifilt.dll. The presence of these filters does not represent a significant performance penalty and there are no known security vulnerabilities with any of them. However, it is often considered a "Best Practice" to remove or disable any feature you do not require.
How To Install the .NET Framework (for IIS Servers)
Q: How can I install the .NET Framework on my servers? We have IIS 4 and IIS 5 servers; can we still use the framework?
A: You can install the .NET Framework for Windows NT 4 (IIS 4) and Windows 2000 (IIS 5), as well as Windows XP Professional (IIS 5.1) and Windows 98 (PWS). The .NET redistributable framework and the .NET Framework Service Pack 1 (SP1) can be downloaded from http://msdn.microsoft.com/netframework/downloads/updates/default.aspx.
Before you install the software on your system, it's a good idea to perform a complete backup. You should have a known good backup before you install the .NET Framework just in case there's a natural or digital disaster during the install. Installing the .NET Framework is straightforward - just launch the installer package, and it does the rest.
After the installation completes, you will notice several differences about your web server. We'll take a moment to walk through some of the key differences using IIS 5 as an example.
In the Services console, you'll find there is an ASP.NET State Service with a startup state set to Manual. This service is set to run under the user account of ASPNET. The ASPNET account is a new account created during the installation and is used to run the ASP.NET state service as well as ASP.NET worker processes (more on that in a moment). The ASPNET user account is created with a non-expiring strong password and is a member of the Users group.
When you run an ASP.NET application, a "worker process" is launched that runs the application. A worker process is simply a process that does the work of the web application, much like dllhost.exe on IIS 5 and MTX on IIS 4.
You can configure ASP.NET to run in process inside Inetinfo. Most developers and administrators will want to use the .NET Worker Process model in order to take advantage of the server health and other features available. The process is called ASPNET_WP.EXE and will run either under the user context of System, the ASPNET user account, or any other user account you specify. This and many other configurable settings are specified in config files that control the parameters used to manage ASP.NET applications. It is well beyond the scope of this column to cover these options. Some reading time at http://msdn.microsoft.com/library/en-us/vsent7/html/vxoriDistributedApplicationSecurityRecommendations.asp is recommended.
In the IIS snap-in at the web site master properties, you'll find that you now have a new ISAPI Filter installed. This filter, aspnet_filter.dll, controls cookie-less session state. In addition, you will find a set of Application extensions installed (as shown in Figure 1). The figure does not show all the extensions added; as you can see, there are quite a few.
Figure 1 Application extensions installed
Some of these new extensions such as .aspx and .asax are readily identifiable as extensions commonly used with ASP.NET. Others are intended for use with Visual Studio.
This information covers only what is visible from an administrator's point of view, in terms of what the installation of the .NET Framework changes on IIS 5. There is a great deal more to know about how ASP.NET is configured to control security and performance parameters for web applications.
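As an added example (not part of the original column and not Microsoft's code), the Python check below reads the `<processModel>` element of a machine.config file, where the worker process identity discussed above is set, and reports which account the worker process will use. The sample fragment and the function name `audit_process_model` are constructed for illustration; treating a missing `enable` attribute as enabled is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not taken from the column): a trimmed machine.config.
SAMPLE = """<configuration>
  <system.web>
    <processModel enable="true" userName="SYSTEM" password="AutoGenerate"/>
  </system.web>
</configuration>"""


def audit_process_model(config_xml):
    """Return (identity, findings) for the first <processModel> element."""
    pm = next(ET.fromstring(config_xml).iter("processModel"), None)
    if pm is None:
        return ("unknown", ["no <processModel> element in this file"])

    # Assumption: a missing 'enable' attribute is treated as enabled.
    if pm.get("enable", "true").lower() == "false":
        # Worker process model switched off: ASP.NET runs inside Inetinfo.
        return ("inetinfo (in process)",
                ["worker process model disabled; ASP.NET runs in process"])

    user = pm.get("userName", "")
    password = pm.get("password", "")
    name = user.lower()  # compared case-insensitively as a lenient choice
    if name == "system":
        return ("System", ["worker process runs as System; "
                           "use the ASPNET account unless System is required"])
    if name == "machine":
        # 'machine' with an auto-generated password selects the ASPNET account.
        return ("ASPNET", [])
    if not user:
        return ("unknown", ["userName attribute is missing"])

    findings = []
    if password.lower() != "autogenerate":
        findings.append("password for '%s' is stored in clear text in the "
                        "config file; restrict the file's ACL" % user)
    return (user, findings)


if __name__ == "__main__":
    identity, findings = audit_process_model(SAMPLE)
    print("worker process identity:", identity)
    for finding in findings:
        print("  finding:", finding)
```
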