IIS Insider - July 2001

Top 5 Questions and Answers on Internet Information Services

Maximize Data Throughput Setting for Performance

Q: We have a high traffic web site and are fine tuning the server for performance. Some of our staff claim that the server should be set to Maximize data throughput for file sharing and others are saying we should set the server to Maximize data throughput for network applications. A web server is basically a file server and we do not run web based applications so which setting is appropriate for us?

A: I certainly understand the confusion on this point. IIS obviously functions like a file server and as a network application server. The hybrid nature of IIS makes it a bit of a challenge to set up the server correctly. The server on which IIS runs should be set up as an application server. By default, Windows 2000 Server installs as a file server, but you will see better performance when set up as an application server. This allows you to take advantage of better SMP scalability, improved networking performance, and support for more physical memory for your Web applications. Here's how you can configure your server as an application server:

1. Click Start, point to Settings, and click Network and Dial-up Connections.
2. Select Local Area Connection and open its properties. Note that the name for this connection may have been changed.
3. Select File and Printer Sharing for Microsoft Networks and open its properties.
4. On the Server Optimization tab, select Maximize data throughput for network applications (see Figure 1).

If your browser does not support inline frames, click here to view on a separate page.

Figure 1 Server Optimization tab

Other performance enhancing tips are:

1. Add RAM. For many servers, this is the least expensive way to get the greatest benefit.
2. Add paging files and increase the size. When you add more paging files and distribute them across drives, the server is able to more efficiently access the frequently used paging files. Additionally, if you use a fixed paging file size, the paging file will not become fragmented, resulting in even greater access efficiencies.
3. Use a RAID 0 drive array (disk striping without parity) for maximum performance of your disk drive subsystem. Be sure to use a hardware based RAID controller rather than the built in RAID controller capabilities of Windows 2000 or NT 4. While software based RAID works fine, you don't want to burden the operating system with this task when performance is an issue.
4. Defragment your hard drives regularly.
5. Avoid using CGI based web applications. Convert any EXE files you use into ASP or even better, ISAPI applications.

Of course, there is a great deal to know about performance tuning for web servers., but these basic suggestions are where you start. Also remember that it is often better to add a new server for performance and scalability than to enhance a single server. Microsoft's Network Load Balancing built into Windows 2000 Advanced Server makes adding a second server feasible to many sites due to it's ease of implementation and resulting performance/reliability improvements.

For more information on these topics see:

• The Art and Science of Web Server Tuning with Internet Information Services 5.0
• Maximizing IIS Performance
• Building a Highly Available and Scalable Web Farm

Securing a Web Server from Defacements

Q: I was quite surprised to come into work and find that our website had been defaced. Are there any tools or techniques to make sure this can't happen again?

A: This is of course a very big topic that cannot sufficiently be addressed in the context of a Q&A;, but due to the number of questions submitted to IIS Insider of this sort, I felt it ought to be at least mentioned and a few tips provided.

The very first thing to remember is that the majority of successful exploits on web server involve known and fixed vulnerabilities. Most of the attacks that have made headlines in the past few months involving involved vulnerabilities that had been fixed months before. The recent sadmind/IIS worm has been the cause of many web site defacements. It exploits a known IIS 4 and IIS 5 vulnerability that has been fixed since October, 2000.

Securing a web server can be a complex topic, but you can go a long way with just a few procedures.

1. Make sure you're server is up to date. This means you have installed all related service packs and hotfixes. You can find them at https://www.microsoft.com/technet/security/default.mspx. Some hotfixes require action on your part and cannot simply be patched. The RDS Data Factory Object vulnerability is one key example.
2. Subscribe to the Microsoft Security Announcement email list.
3. Have a written Security Plan that includes details about who will be called in the event of a breach, whose task it is to review each announcement and make implementation decisions, and what monitoring systems are to be used.
4. Review NTFS! Even if you're completely up to date on your server patches and service packs, it won't mean much if anonymous users can upload and execute content. Be sure to included virtual directory content in your review that may point to content outside of your web root folder. Pay particular attention to any folder where the anonymous user has write permissions.
5. Implement the IIS Security checklist located at https://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/tips/iis5chk.mspx for IIS 5.
6. Remove unnecessary services and applications. This will vary from server to server. For example, if you are not using Index Server on your server, remove it from IIS 4 or disable the Indexing Service in IIS 5.

Just these steps will block the majority of attacks because the most are automated systems looking for easy targets.

You can find more information on securing web servers at:

• Windows NT Configuration Guidelines
• Hardening Windows 2000 by Phillip Cox
• Securing Windows 2000 Workstations, Servers, and Networks
• Of particular interest is a new document by non-other than the NSA Guide to the Secure Configuration of Internet Information Service 5.0

Maintaining NTFS Permissions for Your Web Servers

Q: Is there any way to return a web servers NTFS permissions to it's default settings?

A: There is no built-in utility to do this per se. No menu item exists such as "Return to Default Permissions". If you think about it, this would be an almost impossible task since the web servers' file structure may be distributed among various drives, folders, and even other servers, and it is likely you have installed a few things on your server since it was deployed.

Difficulties aside, there are some tools that can help you document and maintain NTFS permissions.

The CALCS command can capture a listing of NTFS permissions for your server. This can be used to identify the starting state of the server permissions should you need to compare at a later date.

IIS 5 contains a useful feature called the IIS Permissions Wizard that will standardize not only NTFS permissions, but authentication and web-based permissions (read, write, and Execute permissions set in the IIS snap-in), for a web site. This is quite in standardizing the settings for a website should you not know the configuration of an inherited modified site. The Windows 2000 Server Resource Kit contains a tool that allows you to create your own templates to suite your needs.

Another tool bears mentioning called Security Explorer by Small Wonders Software. This program does allow you to take a snapshot of your NTFS and Share permissions, store them in a database, and restore them if necessary.

\\"Failed to Generate Certificate Request\\" Error Message

Q: We are trying to issue certificates using the IIS 5 Web Server Certificate Wizard, but continually receive the error "Failed to Generate Certificate Request". The wizard has worked flawlessly on other websites, but not this one.

A: Since your system has issued certificates for other servers, we will presume that Certificate Services is working correctly. That leaves us to examine the specifics of the certificate you are requesting. When you create a certificate request, there are a set of standards that apply as to what can and can't be contained in the various fields contained in the certificate. For example, when you designate the City and State for the organization to whom the certificate is issued, you are supposed to spell the complete names and not use abbreviations. This is not rigidly enforced by most systems, but technically, the certificate is not formatted correctly if the City or State is abbreviated.

Other rules, however, are rigidly enforced. A successful Certificate Request can only contain the characters A through Z and/or 0 through 9 in the fields of the request. You can use a period (.) in the common name of the key request to specify a Fully Qualified Domain Name (FQDN). Your certificate will be issued, presuming certificate services is working correctly and your Certificate Request contains only valid characters.

See the following Microsoft Knowledge Base articles for more information:

• Q293485 - Error Message: Failed to Generate the Certificate Request
• Q228821 - Generating a Certificate Request File Using the Certificate Wizard in IIS 5.0

Programs Not Being Prompted to be Saved to Your Computer

Q: We would like to deliver programs to our clients using Internet Explorer by having a web page with links to the programs. When the user clicks on the links, we would like them to be prompted to save the files to their computers. Currently, when they click on a link to a program, for example, newrelease.exe, nothing happens.

A: A link to an executable file will behave one of two ways: What you are seeing is what occurs when the website, folder, or virtual directory that contains the executable has Execute Permissions marked as Scripts and Executable in IIS 5, or Permissions set to Execute (including Scripts) in IIS 4. Both of these are on the Home Directory tab of the website, Virtual Directory tab of a Virtual Directory, or Directory tab of a Directory - in the IIS snap-in.

If you switch that setting to have None or Scripts execute permissions, the user will be asked if they want to download the file.

Submit your questions for the IIS Insider. Selected questions along with the answers will be posted in a future IIS Insider column.

For a list of previous months questions and answers on IIS Insider columns, click here.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.