Is there a guideline or site in where I can information about best practices for configuring IIS 7 Application Pools?
Take a look at http://technet.microsoft.com/en-us/library/cc753734(WS.10).aspx for an IIS 7 overview but look at the Understanding Sites, Applications and Virtual Directories section http://learn.iis.net/page.aspx/150/understanding-sites-applications-and-virtual-directories-on-iis-7/
Hard to really put together best practices since each setup is different, however it usually comes down to performance vs security.
The short answer there is to group similar security requirements into the same app pools but don't be afraid to make additional app pools.
Related
I need of an information. I'm new in develop web application. I should use php and javascritp but it 's possible, in the future, I could use other languase like Java. During these days I'm following a course on the best practice to write secure code.
Is there any guide/book or any other valid resource, where I can find an explanation about the differrent kind of attaks on a web application and the ways to solve them?
Thanks
Luca
If you're looking for resources to secure your applications on the internet, the first thing to try is OWASP, or Open Web Application Security Project. Here are some useful articles about what you're looking for:
OWASP: Web Security Testing Guide
OWASP: Cheatsheets
OWASP: General Information
All of the resources above will show you the recommended ways to secure your web application against threats. I think it's more than enough for the first step in the security world.
Made a rather complex Asp.Net Core (2) App for a NGO, deployed on Azure, do we need WAF?
Thanks for your answer(s).
(Got the idea that most providers offer it for free. Money is a bit of an issue for the NGO).
I'm afraid that your question is not suitable for asking on StackOverflow, which seems to be not a technical issue about coding as my view. Infomation Security forum is more suited to ask for your needs, I think so.
However, Considering for reducing the cost for using some specifical secure services or features, such as WAF, you can directly realize some simple features by using Filters in ASP.NET Core as a simple secure middleware for your app, or search on GitHub to find some opensource components that features could satisfy your needs to integrate into your app.
As references, there are two GitHub repos which you can refer to.
dustinmoris/Firewall
saineshwar/Secure-ASP.NET-Core-MVC-Application
Hope it helps.
We have a legacy system which is build in classic ASP. As we move to asp.net, we find ourselves creating web applications as we migrate old stuff to .net and add new functionalities to the system. I would say maybe 30% of them would share the same library, loading the same dlls. (all applications share the same app pool)
My question would be, what's the pros and cons of this approach?
Would it be better to have one application root?
I am not really looking for a specific answer, just curious what you people do usually and why?
thanks a lot
I would place things that can be logically grouped together into its own app pool.
Example: Components needed for a website or webapp under IIS could be considered a single logical group, therefore it needs its own app pool.
Anything else that is separate should have its own domain with own app pool.
But, IMHO, i think it's a judgment call based on the nature of the app and if it has any dependencies... etc. You know the system better than anybody, so from a 20k foot view of it all, how should things be logically separted?
Example scenario:
If you have an app that needs to be reset via IIS, will it affect others (will others go down due to the one app that requires an IIS reset)? If it's not a big deal, then why not (lump it together with the other). If it is a big deal, then keep it separate so it's not dependent on any externals.
What is the limit of IIS 6.0? like for example if i need to host 100,000 or 200,000 websites on IIS 6.0, how many machines would i need? or is IIS7 would be a better choice in this case for some reason?
As mentioned in the comments above the scale isn't so much the number of websites you create in IIS, but how complex and how busy those sites are.
In IIS6 one website does not necessarily equate to one executing process on the server. Application pools can group multiple websites into a single executing process to group and/or isolate applications. Alternately a single app pool can spawn multiple executing processes to make better use of server hardware.
It might help if you were to provide more detail in your question about what exactly you're trying to accomplish. If you're going to be serving hundreds of thousands of sites it would probably be a good idea to partner with a hosting company, or get some assistance from someone who knows the ins and outs of IIS, or another platform in detail and has operational experience with working through large-scale hosting scenarios.
IIS7 is not radically different from IIS6 in any performance-related way; with one exception: you can run ASP.NET in a "native" pipeline mode that bypasses some processing steps. I prefer IIS7 (if I can choose) because of its manageability advantages. But like everyone else said here: the question is impossible to answer without more information.
Hosting that many websites with IIS will be cost-prohibitive in licensing fees. Most large scale web hosting is done on Linux using Apache.
I'm setting up an Internet-facing ASP.NET MVC application, on Windows 2008. It uses SQL Server 2008 for its database. I'm looking for best-practices for securing it.
I found this article, but it's a bit dated now. How much of that advice is still valuable?
Some background -- it's a personal site, behind my home NAT/firewall box; and I'll only forward ports 80 and 443 to it. The IIS server itself is a Windows 2008 host running on HyperV (I only have one physical box to spare).
One useful thing that's mentioned in that article (which had occurred to me already) is that the IIS box shouldn't be a member of the domain, so that an intruder can't easily get off the box. I'll be removing it from the domain in a moment :)
What other tips should I (and anyone deploying to a bigger environment) bear in mind?
I know that this isn't strictly a programming-related question (there's no source code in it!), but I guess that most programmers have to dabble in operations stuff when it comes to deployment recommendations.
You might take a look at these two tools:
Best Practices Analyzer for ASP.NET
SQL Server 2005 Best Practices Analyzer (even though you are using 2008, still might be of help)
I don't know about removing it from the domain, but I'd certainly disable LanMan hashes, keep the system fully patched, and use good password security. Make sure that any processes running in IIS run from least privileged accounts, i.e., don't run the worker processes under IDs that are in Local Administrators.
This will be of great help, certainly:
Microsoft Web Application Configuration Analyzer v2.0