We have a Windows Server 2008 R2 with IIS 7.5 running a small number of customer service/customer response web applications/services.
We have recently had some anecdotal feedback that some of these services are 'sometimes slow and unresponsive'. Our own usability testing has yet to experience such problems but we have reached a point where we feel we need to be more professional/analytical about these services and the IIS service in general. All the sites are running application level error logging (Elmah).
Does anyone have any recommendations for an IIS monitoring/diagnostics/logging tool that would help us analyse things such as...
user traffic profiles (pages visited, duration per page)
user demographics (location, browser, OS)
average/maxima/minima page load performance by page
IIS workload
Any suggestions would be much appreciated.
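For the "average/maxima/minima page load performance by page" item, the figures can be derived from IIS's own W3C extended logs. The following is an added example, not part of the original question; it assumes the `cs-uri-stem` and `time-taken` fields are enabled in the site's logging, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status time-taken
2013-01-01 09:00:01 GET /Orders/List.aspx - 192.0.2.10 Mozilla/5.0 200 120
2013-01-01 09:00:05 GET /Orders/List.aspx - 192.0.2.11 Mozilla/5.0 200 4800
2013-01-01 09:00:09 GET /Default.aspx - 192.0.2.10 Mozilla/5.0 200 35
2013-01-01 09:00:12 POST /Orders/Edit.aspx id=7 192.0.2.12 Mozilla/5.0 500 950
2013-01-01 09:00:15 GET /orders/list.aspx - 192.0.2.12 Mozilla/5.0 200 180
"""

def page_timings(lines):
    """Return {page: count/min/max/avg time-taken in ms, plus 5xx error count}."""
    fields = []
    times = defaultdict(list)
    errors = defaultdict(int)
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The header is repeated whenever the selected fields change.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            page = row["cs-uri-stem"].lower()  # IIS URLs are case-insensitive
            elapsed = int(row["time-taken"])
        except (KeyError, ValueError):
            continue  # field not logged, or malformed row
        times[page].append(elapsed)
        if row.get("sc-status", "").startswith("5"):
            errors[page] += 1
    return {
        page: {"count": len(t), "min": min(t), "max": max(t),
               "avg": sum(t) / len(t), "errors": errors[page]}
        for page, t in times.items()
    }

if __name__ == "__main__":
    report = page_timings(SAMPLE_LOG.splitlines())
    # Slowest pages first, so intermittent outliers stand out.
    for page, s in sorted(report.items(), key=lambda kv: -kv[1]["max"]):
        print(page, s)
```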
I'm trying to understand the options for hosting an ASP.NET Core website on the internet today. I understand that HTTP.SYS based hosting is possible without having IIS on the webserver but I've not found clear information as to why you would do it (pros/cons) and what is today the most secure way to host an ASP.NET Core website on the internet. IIS was some time back considered a somewhat insecure web server and I don't know to what extent this is still true today. I'm leaving Kestrel out of the discussion, as I perceive it more as a development-only option but not secure enough for direct internet hosting.
There are quite a few places of misunderstanding.
HTTP.sys can be considered a lite web server itself for web apps. Even Microsoft products like SQL Server Reporting Services hook to HTTP.sys directly.
IIS is built upon HTTP.sys but comes with more complex designs such as application pools and management APIs to enable a more desirable web server experience. It has hosted most of Microsoft sites for decades.
Kestrel started as a thin wrapper over libuv with limited features but now is also a full blown web server. YARP is built upon Kestrel and widely used in Azure today in production.
All three are secure and production ready.
However, an internet facing web site can be compromised easily because of other factors, such as vulnerabilities in the OS (Windows/Linux), web frameworks (PHP/ASP.NET), or your own code. So, if your goal is to secure your web sites, you have to focus on a bigger picture and work with security professionals. "I've not found clear information" because detailed information on how to secure a specific web site requires extensive investigation of your setup and is rarely free.
HTTP.sys is a Windows-based web server for ASP.NET Core. It is an alternative to Kestrel Server and it has some features that are not supported by Kestrel. It is built on the HTTP.sys Kernel mode driver. It cannot be used with IIS Express or IIS due to its incompatibility with the ASP.NET Core modules. HTTP.sys web server implementation in ASP.NET Core
IIS is a powerful, flexible and general-purpose Web server from Microsoft that runs on the Windows platform. It is bundled with Windows as a feature and can be turned on or off as needed. Even though IIS has been around for two decades, it still supports running applications developed 20 years ago as well as applications written in the last year using the latest .Net technologies.
You say that IIS was considered an insecure web server in the past and don't know to what extent this is still the case today. But I want to say that the security configuration and management of IIS is not only a technical issue; human factors are also very important, because in the end it is people who implement various settings and controls. Security is a systematic project that spans not only space but also time. An IIS system with security configuration and management is not absolutely safe; it can only be said that it is safe under certain circumstances and within a certain period of time. With continuous development, its security situation is also undergoing corresponding changes. Only by allowing security awareness, security technology and security management to run through the entire process can maximum security be achieved.
Is it applicable to have both SharePoint 2013 and Sitecore 8.2 installed on the same servers (sharing the same Infrastructure)? If yes, are there any drawbacks?
Thanks for your appreciated help in advance.
Technically speaking it is safe, but both will make usage of IIS infrastructure to deliver their websites, and the machine hosting will take its toll on memory and possibly disk I/O depending on how any of these products were configured to store their data.
I had the unfortunate "pleasure" to work with Sitecore 7 and 8, and I can guarantee you it is possible and somewhat safe, but there are conditions to meet, let me go over some possible red flags here and it will hopefully help you to make a more balanced decision on how to set up both products on the same infrastructure.
The first scenario and the safest: 3 SERVERS
SQL Server with two instances, segregating SharePoint and Sitecore
One server for SharePoint (assuming it is a single farm server)
One server for Sitecore (assuming you can handle search/indexing altogether)
This is the best and the safest, since IIS is the tug of war if both SharePoint and Sitecore reside on the same server. In the scenario above, SQL Server can deal with both on the same instance if you don't mind access restrictions/security, but it is better to go with distinct instances; it will be safer and easier to administer.
The second scenario: 2 SERVERS
SQL Server with two instances, segregating SharePoint and Sitecore
One server for SP + Sitecore
Yes you can have both but you will need to configure ports, sites, application pools and hardware requirements very carefully.
Some considerations:
Microsoft has made clear how SharePoint should be configured: you need a dedicated machine for SQL Server, and different SharePoint servers according to their specific roles in a farm: Web Front End, Application Server, Search Server, etc. or if it is a very small "farm", you can cram all of them into one server but the SQL Server (this is where disk I/O is the king of the hill).
While Sitecore does not need a farm like SharePoint, it shares the same similarity: a dedicated server for SQL Server, one server for Sitecore and in some cases you will like to have another server for Search and Indexing.
The bottom line here is, all depends on how big your project is, and size here is measured in a number of factors: number of users, simultaneous users, volume of data stored.
I would not mix SharePoint and Sitecore on the same machine but I would not mind at all to mix them in the same SQL Server in different instances, the reason is simple, SharePoint is more likely to take a hold of IIS, assuming you are running SP 2010/2013, the User Profile Service and the FIM are a common cause of trouble in the SharePoint realm, and it is common for SP Admin to perform IISRESET -NOFORCE to troubleshoot cases like these.
If you are using Sitecore + MVC or MMVC, you might end up customizing the IIS Sites with some heavy loads and you will need to beef up the machine to not bring SharePoint down (assuming the SharePoint Central Admin and SharePoint Web Services + additional User Web Applications you have created) are all there installed on the same server.
I'm trying to not make this overly complicated but sharing some real world scenarios because it all boils down to the load on the server, you need to remember one thing, SharePoint is a beast and it is the one that will need more resources if you want a Single SharePoint Server + Sitecore living on the same place, got it?
The recommendation from both Microsoft and Sitecore is clear: dedicated servers, and anything beyond this is at your own risk.
I've mixed and placed both together, it worked for me but I wouldn't do this again, it is not worth it if you have the chance to keep them apart.
I agree with Dr. Sushi on all his points. One other thing to consider is the Sitecore licensing limitations. If you are using a persistent license (a.k.a. server license) most of them limit you to 8 cores on the server. If you are running both Sitecore and SharePoint on the same server you might need to go beyond 8 cores to handle production load, which means now you have to buy multiple licenses for Sitecore for that single installation, or you have to switch to a subscription licensing model.
Hopefully my question is in the right forum here. I've just checked out the pricing model of windows azure and checked out the different configuration options:
http://www.windowsazure.com/de-de/pricing/calculator/
I have been working as a developer for almost two years now and worked a lot with IIS and the WPF technology. As a little private project I checked out HTML 5 and JS with MVC4 Web API and wondered what azure configuration I'd need to host a MVC 4 Web API project. Would it be rather a virtual machine or a full calculator? What benefits grants one over another?
I am going to start my studies soon, so I'd like the cheapest I can possibly get. I won't use it a lot (mainly for testing reasons), as well I think there won't be too much traffic either. Would a virtual machine also include the possibility of using IIS?
Could I also run a MVC project with something else than VM/full calculator?
And what would happen if for some reason my traffic just explodes? Would my services just be shut down until I increase the power of my machine? Or would I just get a huge bill and be surprised quite a lot?
Use websites.
You can start with 10 Web Sites absolutely free! So this is the cheapest. And it certainly supports MVC4 Web API.
For starters you can get a 3 month trial with enough credits to start. By default you'll have a spending limit on your account. This means if you start to get too much traffic your services will shut down and you won't have to pay any extra. I think you can configure how much you are willing to pay but I never tried, it is still the default which is 0$.
You should start with Shared Web Sites and move to reserved instance, VM or web role later if you ever need to scale up or out.
I have been writing WCF services for internal use for quite a while (alongside WinForms and MVC web apps). However, I now need to expose one of the services to the great unwashed!
Since this is from a single source company I proposed the following:
Architecture
Company uses VPN to send request to our DMZ server over HTTPS/SSL
DMZ firewall only allows specific Company IP
DMZ IIS server passes request to our internal IIS server
Internal firewall only allows DMZ server INTERNAL FACING IP
Internal IIS WCF service consumes request and sends response back up the chain.
However, my IT manager wants more than this and more...in detail.
e.g.
What accounts to use or create, and what permissions to give them.
How to limit public facing IIS server from being DoS'd, hacked, etc.
How to stop public facing IIS server displaying "secure" details accidentally
What to turn off inside server/IIS
What files to restrict access to e.g. trace.axd
I can understand his reasons too - if it all goes ttsup, then he carries the can...which means ultimately I carry the can! From a background in mainframe and IBM/Websphere, all he hears about is how IIS is "not secure".
I suspect that what he really hears is "devs/admins are not securing IIS/WCF properly"...so I want to try to do it "properly" !
(for info, I am going through Troy Hunt's posts...but there's a lot in here! I've tried going through MSDN's reams of "kids drawing paper" and find it very hard to extract what I need to know from the endless "let's make this paragraph longer and sound more important while hiding the salient facts" filler in there!)
Windows Server and IIS are secure. However, if you're going to use this for say credit card transactions or other items that you don't want to fall into the wrong hands, then you'll need to secure the server further than the out of the box settings.
This is a guide I used to hammer down a Windows 2008 R2 server with IIS 7.5 (patched to current standards) recently. You don't have to use them all but it will help to secure the server at an extremely granular level. Also, the IIS link below is for 7.0 but it applies to 7.5 as well.
Windows Server 2008 R2
http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=377
IIS
http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=400
It will take some time to go through, as you will soon see, but you will be able to show what needs to be done to secure the server and product from the out of the box settings. You will also be able to draw up a document to give to your boss on what is going to be needed to secure your server.
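For the question's items on trace.axd and on the server displaying "secure" details accidentally, a small audit of web.config can be automated. This is an added example, not code from the answer or from the linked NIST checklists; the sample config is constructed, and only explicitly set attributes are checked.

```python
import xml.etree.ElementTree as ET

# Constructed web.config for illustration; not taken from the post.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="DetailedLocalOnly" />
  </system.webServer>
</configuration>"""

# (section path, attribute, values that leak details, reason)
CHECKS = [
    ("system.web/trace", "enabled", {"true"}, "trace.axd records request details"),
    ("system.web/trace", "localOnly", {"false"}, "trace.axd reachable by remote clients"),
    ("system.web/customErrors", "mode", {"off"}, "stack traces shown to remote clients"),
    ("system.web/compilation", "debug", {"true"}, "debug compilation left on"),
    ("system.webServer/httpErrors", "errorMode", {"detailed"},
     "IIS detailed errors shown to remote clients"),
]

def audit_web_config(xml_text):
    """Return [(setting, reason)] for explicit settings that expose diagnostics."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, attr, bad, why in CHECKS:
        node = root
        for part in path.split("/"):
            # Match child tags literally; section names contain dots.
            node = next((c for c in node if c.tag == part), None)
            if node is None:
                break
        value = node.get(attr) if node is not None else None
        # Absent attributes fall back to framework defaults and are not flagged.
        if value is not None and value.lower() in bad:
            findings.append((f"{path}@{attr}={value}", why))
    return findings

if __name__ == "__main__":
    for setting, why in audit_web_config(SAMPLE_CONFIG):
        print(f"{setting}: {why}")
```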
I'm setting up an Internet-facing ASP.NET MVC application, on Windows 2008. It uses SQL Server 2008 for its database. I'm looking for best-practices for securing it.
I found this article, but it's a bit dated now. How much of that advice is still valuable?
Some background -- it's a personal site, behind my home NAT/firewall box; and I'll only forward ports 80 and 443 to it. The IIS server itself is a Windows 2008 host running on HyperV (I only have one physical box to spare).
One useful thing that's mentioned in that article (which had occurred to me already) is that the IIS box shouldn't be a member of the domain, so that an intruder can't easily get off the box. I'll be removing it from the domain in a moment :)
What other tips should I (and anyone deploying to a bigger environment) bear in mind?
I know that this isn't strictly a programming-related question (there's no source code in it!), but I guess that most programmers have to dabble in operations stuff when it comes to deployment recommendations.
You might take a look at these two tools:
Best Practices Analyzer for ASP.NET
SQL Server 2005 Best Practices Analyzer (even though you are using 2008, still might be of help)
I don't know about removing it from the domain, but I'd certainly disable LanMan hashes, keep the system fully patched, and use good password security. Make sure that any processes running in IIS run from least privileged accounts, i.e., don't run the worker processes under IDs that are in Local Administrators.
This will be of great help, certainly:
Microsoft Web Application Configuration Analyzer v2.0