One feature of ASP.NET configuration files and the new configuration files for IIS 7.0 is an attribute known as configSource.  For the elements that support this you will have a few different options for dealing with configuration.  This value in this attribute can point to any file path that is lower in hierarchy, but may not be higher or on a different disk.

With this feature you can manage configuration sections in separate files.  Also, in IIS 7.0 you can include another attribute to flag the configuration not to cause an application restart when the configSource file changes.  Perhaps that will be in ASP.NET 2.0, but I have not discovered it yet.  By default it will cause a restart of the application just as web.config changes do.

22.April.2005 Update: I have changed my feature request concerning delegated administration.  I would like to be able to delegate that site and application owners both be able to create new applications within their physical folder hierarchy.  The creation of virtual directories can remain a server administrator function.

Today the focus of the IIS 7.0 DevLabs centered around new monitoring and diagnostics features as well as security.

Monitoring and Diagnostics apparently is an expansion of some new things that have been released with Windows 2003 Service Pack 1.  I was not aware of any new monitoring features in this service pack so I now have some new things to explore that I can use today!  I am told the best place to start to get a handle on the new features is the webcast: IIS 6.0 Service Pack 1 Tracing: Inside and Out.  In addition to this I imagine that some of the new performance and health monitoring features in ASP.NET 2.0 will also be merged in.  This area of IIS and ASP.NET development is something I have not spent much time, but it is certainly needed.  It has been far too difficult to troubleshoot IIS hosted applications.

IIS 7.0 is going to allow us to get information on the state of all running sites, application pools, worker processes, and application domains.  Additionally it looks like we will get programmatic control of starting and stopping some of these services at levels that are lower than the site.  The ability to drill into the currently executing requests through the Admin Tool and WMI is going to finally enable us to easily see which applications are hogging the CPU and memory.

The ASP.NET tracing model has made its way into IIS and both can actually be combined into a single log.  Essentially IIS becomes and ASP.NET trace listener if you want to configure it that way.  By merging the tracing we get a complete picture into the request/response cycle with all trace details in order and in context.  A fantastic feature that will be included with IIS is the ability to automatically log tracing details for failed requests.  For example, if the application does not respond, is too slow to respond, or responds with an error, the auto-tracing feature can take care of guranteeing that the trace details get recorded. There is an admin service that runs outside of the IIS server itself, so even if the application fails completely, trace data still gets written, which apparently is not the case with ASP.NET alone.  Modules participating in the IIS pipeline can be both providers and consumers of tracing output.  Administrators will appreciate the ease with which they can enable or disable tracing through the admin tool.

Security has been greatly enhanced as I have previously alluded to.  Today we dove deeper into some of the scenarios and looked at how to start with totally locked down server and slowly add functionality to it as needed.  This differs greatly for current defaults where most IIS functionality is enabled out of the box.  IIS 6 certainly improved on this over IIS 5, but the modular architecture of IIS 7 takes this idea to the extreme.  Limiting the installed modules reduces the attack surface and patch requirements to only those features that are installed.  For example, if you plan to only server static content you would not need to worry about attacks and patches for ASP or ASP.NET.

Wearing my site and server administrator hat I get very excited about the new security delegation features as I mentioned yesterday.  An additional and very helpful aspect of this includes the ability to delegate administration to non-Windows users.  That will be fantastic for hosting scenarios.  Delegation follows the standard hierarchy of site and application. Hmm, I wonder if non-Windows uses can be configured as server admins?  Comments IIS team?  Currently only server admins are able to create virtual directories and applications.  Personally I see this as a huge mistake.  As a consumer of hosting services I have to have the ability to create IIS applications within my hosting space so that I can run applications like dasBlog and others in a sub folder of my site.  If you agree then join me in asking for delegated administration of virtual directories and applications.  At the moment this is my 2nd biggest request for the IIS team.

Putting my ASP.NET developer hat (favorite) back on I'd like to buy Scott Guthrie at least a case of beer (or whatever his favorite beverage is) for merging the authentication an authorization of IIS and ASP.NET.  (Share it with the team doing the work!)  Finally the authentication options are all configured in only 1 place.  In addition I can just interact with the reuesting User in the context and not be concerned about how that user was authenticated.  Further we finally have a solution the problem of applications that want to first check for a Windows user and then fail over to forms authentication.  Today that scenario requires configuring a page to use Windows authentication in IIS and then handling a security exception and and it gets messier from there.

Good stuff abounds in the IIS 7.0 security picture:

• Impersonation has been improved so that is not so confusing about which account the application is running under.
• All authentication mechanisms can be applied to all content, including ASP.NET 2.0 membership authentication solutions.

Note to self: Research ADFS (Active Directory Federated Services) and how it may tie into a custom SSO solution.

URLScan and some of the other tools currently available to tighten security and assist with URL authorization have been replaced by, as one would imagine by now, powerful new configuration elements and of course corresponding modules.

• The features of URL Scan have been built in and enhanced.
• System policy can enforce authorization and serving rules.
• There are 12 new 404 error sub status codes to help determine the rules blocking access.
• Authorization is granular all the way down to the URL level.
• Rules can be deployed with the application as expected when using config files.
• File extensions can be restricted.
• Verbs can be restricted. (POST, GET, etc)
• Specific files and folders can be protected from being served. This can be accomplished with "hidden namespaces" or sequences.  Sequences are string patterns that allow you to block say all URI's that contain "bin" or something like that.  This enables easy blocking of specific patterns that may exploit vulnerabilities as they come up.

Tomorrow the DevLab will wrap up and I will head home.  Stay tuned for the final post in the series.

20.April.2005 Update:  IIS PM Shai Kariv informed me that the managed configuration API will allow for interaction against remote machines on the network.  Previously I had stated that only WMI made this possible programmatically.  Of course this is disabled by default.  To enable it run aspnet_regiis -config+ on the remote machine to enable remote access to configuration.

Today the fact that IIS 7 centers around configuration files was driven home.  We had opportunity to learn about and experiment with the new IIS Admin tool and the WMI scripting interfaces.  By the end of the day I was asking questions about the different features each of the administrative tools provides.  I still have much to learn, but I do have a bit to begin thinking over.  Here are the highlights.

IIS Admin Tool has been completely redesigned and architected.  At this point the classic tree view we are used to does not even exist.  I and others are asking that it be brought back for rapid navigation of servers, sites and applications.  There is a strong move in the tool toward specific administration roles.  For those that focus on a specific area in the configuration hierarchy you will find that the tool nicely limits your interaction with the server to appropriate areas.  To further enhance this limited administration there is a new delegated security model.  This is probably my favorite new feature of the tool.  My second favorite feature is the ability to administer sites remotely over the Internet.  Of course it can use SSL to keep the data secure and also requires credentials to administer a remote machine.  I think the combination of delegated security and remote administration will make this tool popular for hosters and very helpful for application developers as well.  Developers are simply going to love IIS 7 because they finally will have the ability to configure the setting they need without having to request them from an administrator.  Admins, don't worry, developers will not have more access than they should not.

A few more take aways on the IIS Admin Tool:

• It is fully extensible.  Microsoft uses the public extensibility scheme themselves for the tools they have built in.
• New or updated modules are synced up with the admin tool when it connects to the server.
• Creating new modules for your custom configuration sections is relatively painless.  I imagine it will get even better be the time we see the first beta.

WMI and Scripting have been enhanced.  The WMI programming model has been cleaned up to make it easier to use and consistent between the different objects that are exposed for IIS.  Having never worked with WMI I discovered a whole world of automation that I have been missing out on.  I look forward to working more with WMI now and into the future with IIS 7.0.  WMI turns out to be the only programmable interface that works against remote servers on a network.  The .NET managed APIs for configuration are great against a local machine, but only WMI will let you hit a remote machine from code.  I asked around and learned that WMI uses traditional COM and DCOM to remote the calls to the remote machines.  Apparently both WMI and the GUI Admin Tool ultimately use the .NET configuration API to get their work done.

Some additional new features offered up through WMI include:

• Enumeration of Application Domains and Worker Processes
• Access to custom configuration sections (using new tools to automatically update the required MOF)

At the end of the day I had opportunity to continue on my soap box with the request to de-couple IIS from the operating system.  This time I made the request to Scott Guthrie.  I told him that I am going to keep requesting it right on up to Steve Balmer.  I suppose I could take it Bill Gates, but I probably should reserve any requests to Bill for things of slightly more importance.  Not that I will ever have an audience with Steve or Bill (notice the first name basis I ave with people I don't know), but it is fun to talk about.  Please join in this request if you also would like to see IIS removed from the Operating System beginning with IIS 7.0.  Perhaps if we make enough noise about we can get the right people to respond.  Anyone want to start a new site for the De-coupling campaign?  Perhaps something like decoupleiis.com (it's available at the moment).

Speaking of new domains, I registered IISSeven.com last night.  I plan to dump information about IIS 7.0 there.  To begin with I will aggregate my IIS 7.0 blog category and start linking to IIS team member blogs as well.  I guess I had better do some work tomorrow getting those team blog URL's.

For those of you who are following the back ported Membership API I have some news.  Tonight I had opportunity to visit with Scott Guthrie and I asked him when we might see the download return.  He indicated that it was likely not to return.  Currently DotNetNuke and Community Server are both licensed to use it.  Others can request it and will likely be granted license, but the issues around supporting it are apparently causing Microsoft to hold back on releasing it openly.  For those wanting to check it out you probably should plan on following the steps I outlined when it first appeared.  I will leave the latest changes in implementation to you for now.  Those who really want it will need to find a way to request it from the ASP.NET team.

Scott Guthrie, here is a thought.  Perhaps you could give it to a 3rd party like myself or someone else who could maintain it in an open source model.  That would free Microsoft from supporting it and still allow the community to begin writing against it to prepare for .NET 2.0 and gain its advantages today.  I would be happy to rebuild it under a new namespace to remove Microsoft from responsibility for support and updates.

A couple other news items from Scott.  Sharepoint 2006 or whatever the next version is called will support forms authentication for Internet sites.  He has updated his VirtualPathProvider sample code for Beta 2 of VS 2005.  See the download for the March 20, 2005 talk from VS Connections in Orlando.

This week I was given the opportunity to learn first hand about IIS 7.0 from the product team. I plan to share a few details here to let everyone know what I have seen and what sounds exciting to me. I currently admin 3 web farms totalling about 15 servers running both IIS 5.0 and IIS 6.0. Between those servers there are about 20 sites and 50 applications. By no means do I consider this a huge installation, but it will definitely benefit from many of the new IIS 7.0 features. As the number of sites and applications continue to grow I am very much looking forward to IIS 7.0.

Today we were introduced to 2 aspects of IIS 7.0 know as Configuration and Core Server.

Configuration has changed significantly for the better. With IIS 6.0 the metabase was moved into an XML file. IIS 7.0 enhances this by using a new applicationHost.config file that incorporates a full hierarchy of settings just like .NET uses in its config files. ASP.NET is further enhanced by IIS 7.0 as the configuration of the web server, sites, and applications are fully merged with ASP.NET application configuration and follow a similar hierarchy of application. This will allows application developers to deploy the necessary settings for their application along with the application itself. That feature alone should save a lot of configuration management headaches as applications move from development and testing into production. The best part about the merging of configuration is that it is coupled with a merger of the processing pipeline. Gone will be the need to configure both IIS and ASP.NET for duplicate settings like Windows authentication. The ASP.NET 2.0 configuration API will also fully support the entire IIS 7.0 configuration files and settings.

Some other things I picked up today that I am looking forward to in terms of configuration.

• Configuration sections support a new attribute called configSource. This attribute allows you to put specific configuration sections into external files. This works much like the external appSettings files work today.
• There is a new attribute that allows external config file changes to trigger an application reset.
• Configuration elements and attributes can be locked from inheritance at a very granular level.
• Encrypting configuration is very simple to prevent it from being human readable.
• ASP.NET developers will now have as much access to the pipeline as ISAPI developers have always had. This means that all IIS extensions can now be written in managed code!
• One item I found a nice little ISAPI filter for allows you to set a specific cookie with a string that could be inserted into the IIS logs. This was useful for logging the userID with the request for example. (Windows auth automatically did it) In IIS 7.0 this now happens no matter which authentication mechanism you choose because the value comes from the User in the httpContext. The big thing is that now we have the ability to do things like this easily from managed code.
• For compatibility with existing IIS tools and scripts the metabase can be installed in addition to the new IIS 7.0 configuration. Those items in IIS 7.0 that also existed in IIS 5/6 are kept in sync between the metabase and the config files. This should allow full backwards compatibility with existing scripts and tools. Of course new features in IIS 7.0 are now synced with the metabase as they would not be understood by the metabase consumers anyhow.

Core Server has gone fully modular. What this means is that instead of IIS installations supporting everything out of the box they can instead support nothing. Each feature you want to add can be added as needed. New features can be added to the entire server or just to an individual site or application following configuration hierarchy. This creates a totally modular approach to IIS hosting. The big take away here is that ASP.NET httpModules and httpHanders are both things that you will want to get an understanding of if you plan to do any IIS extensibility. Of course Microsoft will be providing all the current IIS functionality through the 44+ modules and handlers that will come out of the box.

More benefits from the IIS core server:

• Patch management can now be done at the module level instead of the server level.
• Improved performance by scaling back the services and processing of requests to only what is needed.
• Improved security by reducing the attack surface.
• Ability to easilly extend through managed code. (Native code still an option for you ISAPI lovers)
• Full processing pipeline available to ASP.NET for all requested file types.

SMTP and FTP both are getting little or no attention in IIS 7.0 and at present are not being re-written. I have notcied that STMP settings can be configured in APS.NET 2.0 so at least you can set things up for sending Email from applications inside your ASP.NET apps without messing any SMTP server defaults in the IIS admin tool.

Complaints

My biggest wish that currently is not answered by IIS 7.0 is that it be decoupled from the operating system. Apache doesn't force you to run on a server SKU and each new version does not have to wait for the next server release. As an ASP.NET developer I want to be able to run the same hosting environment on my development machine that I will have on the production server. XP Home and Pro should both support IIS 7.0 as should Windows 2003 Server. Please, Microsoft, do not force us to upgrade to Longhorn for a product that has nothing to do with the operating system. Also, please only include operating system specific features in http Modules so that they can be added for customers who chose to run on Longhorn. I love IIS, but it's tight coupling to Server OS's is not necessary or appreciated!

Well, that about does it for the features I was exposed to today. I hope to complete this series on IIS 7.0 over the next few days.

I just got notice that the Boise Idaho chapter of ISSA will be holding the 3rd Annual Information Security Conference May 4th and 5th.  There is no cost and the quality of the speakers is top notch.  Where else can you hear this lineup and get a free lunch to boot!  I have attended this conference in the past and I believe it is well worth the time.

Howard Schmidt,
Vice President and CISO, eBay

Enterprise Security Incident Management - Can we run any faster?
The volume, severity and frequency of IT security incidents has increased dramatically in the past few years resulting in increasing risk to enterprises. Traditional incident response programs are failing to keep up. Effective proactive and reactive programs must be established to manage these threats. This session will outline steps taken by one organization to develop a comprehensive incident management program and bring order where there was chaos.

Peter Coffee,
Technology Editor, eWeek

State of Technology
Peter Coffee, Technology Editor of the national enterprise newsweekly, eWEEK, has twenty years' experience in evaluating leading-edge information technologies and practices. In addition to writing product reviews, technical analyses and his weekly Port Scans column on IT issues and practices, Peter has appeared on CBS, NBC, CNN, Fox, and PBS TV newscasts addressing system and network security, the Microsoft antitrust case, and other eBusiness issues. He chaired the four-day Web Security Summit conference in Boston during the summer of 2000, and has been a keynote speaker or moderator at technical conferences throughout the U.S. and in England.

Sherry Ryan,
CISO, HP

Getting Governance Right - Aligning IT Security with the Business
Hewlett-Packard has developed organizational linkages and established a number of practices designed to engage HP's business units with IT Security governance and implementation. This session outlines the key elements of these practices and covers the challenges associated a broad approach to integrate security into business processes.

Dave Cullinane,
CISO, Washington Mutual

Secure Application Development - Where do you start?
Security assurance in software development environments requires building security in from the start. This session will describe the approach taken by one company to embed security throughout the lifecycle including lessons learned and cover tools and techniques for enabling and empowering developers.

John Wylder,
Strategic Security Advisor, Microsoft

TBA
TBA

Ira Winkler,
CISSP, CISM is President of the Internet Security Advisors Group

TBA
TBA

I absolutely love the movie Napoleon Dynamite.  Apparently some folks in the Idaho State Legislature also love it.  I wonder if any of them do glamour shots with Deb?  Take a look at House concurrent resolution No. 29.  The resolutions are certainly a stretch.  I mean come on, do we really want uncle Rico's football to represent Idaho athletics (Line 18)?  At the same time this resolution is probably the most enjoyable government produced document ever.  Like anyone can know that!

Affinity boondoggle key chains to the Idaho House!  Pedro offers you his protection!

The Boise .NET Developers User Group in cooperation with INETA is thrilled to announce that Rocky Lhotka will be visiting Boise, Idaho.  On July 21st he will be the featured speaker at our regular user group meeting.  Then on July 22nd we will have a full day with Rocky as we dive deep in the CSLA.NET framework.  I personally am on about page 250 of the Expert C# Business Objects book and I can't wait to put it to good use.  If you can please plan on joining us for both days of this this special event.

Get a free second shot at any Microsoft Certification exam:

Register for this offer by May 31, 2005, before taking any Microsoft Certification exam.

If you don’t pass on your first try, you can take it again for free. 

Click HERE to visit the website.

Offer expires May 31, 2005. See registration site for full details.

When I was a kid we had bracelets and such with colored beads to help us learn and share the truth about Jesus.  Today's “Chrisitian“ kids unfortionately are bombared with an explosion of trash.  Shame on their parents for suppoting this industry.  I refer to this stuff as Jesus Junk!  You may know some well intentioned folks who litter their lives with this stuff.  Come on people, be serious.  No wonder so many think that Chirstians are idiots.  We prove them right when we put the message of the cross on Jelly Bean bags!  Personally I prefer to buy my Bible's other Christian materials from retailers who do not carry this stuff.

If you are interested in the truth without the trite sugar rush you can find my favorite presentation at www.DesiringGod.org.