Moving from IIS 6 to IIS 7

2. February 2010

There are tons of great new features in IIS7 and the list continues to grow. We identify the top reasons people refuse to upgrade to IIS 7 and show you how a new tool from Microsoft, the Web Deployment Tool, makes the process nearly seamless. It is easier than you think. I warn you ahead of time, it is a long post…

So why are so many people still using IIS6? The common answers we hear are:
• It is too difficult to migrate
• I'm not sure my application will run on IIS7
• If my site is not broken then why fix it?
 
It is too difficult to migrate
Below I will show you how you can use MS Deploy to remove this once cumbersome barrier.
 
I'm not sure my application will run on IIS7
While 99% of applications will run fine on IIS7, why not create another server to test the upgrade on rather than doing an in-place upgrade?
What better way to find out than migrate it to a test server and find out if it does?

If my site is not broken then why fix it?
Performance - With IIS7 you can expect to handle 31% more requests per second. This is without ANY code rewriting! Want proof? Check out this Performance Analysis.
 
Stability - We have been happy with the stability of IIS 6, but we have had customers report "Metabase corruption". In IIS7 there is no longer a metabase. It has been replaced with a brand new XML-based configuration store. Most of your IIS settings are stored in a file named ApplicationHost.config, which looks a lot like a Web.config file.
 
Security - With IIS6 you had to be an administrator to manage pretty much any part of IIS. With IIS7 you are able to delegate roles at a granular level.
In addition, Windows 2008 now comes in a flavor called Server Core.
Core is an extremely secure, small-footprint server that will run the minimum processes for only the applications you install.
 
Secure Publishing - Natively in Windows 2008 R2 (and as a separate download for Windows 2008) IIS supports FTP over SSL. This now allows secure publishing via FTP.
 
Extendable - Rather than wait for new versions of the operating system to see upgrades, the IIS team is releasing extensions seemingly every few weeks. If there is something they have not made, you can even create your own! Just a few examples that have been released "out of band" are URL Rewrite, DB Management, and Bit Rate Throttling.
 
Cheap - Now in Windows 2008 there is a Web edition that is half of the cost of Standard.
 
 
I know what you are thinking: OK, I am sold, so how do I do it EASILY?

Web Deployment Tool, also known as MS Deploy, is a great tool the IIS team has created to make it easier to manage, deploy, and migrate your web servers.
This can be done at a granular level, whether you are moving just a single application or website or thousands of them. This can include all the IIS settings, content, and even certificates. You can even create your own templates for migrating specific sites, application pools, registry keys, GAC objects and a ton more. What I love most about MS Deploy is that you can automate the replication or syncing of multiple servers in your datacenter. In this specific article I will show how to migrate an IIS6 server to IIS7, but that is simply scratching the surface of what it can do.

Prerequisites
MS Deploy requires the following prerequisites:
• .NET Framework 2.0 SP1 or greater
• Web Deployment Tool
• IIS6 or greater
Note: Instructions for installing the Web Deployment Tool are below.

Web Deployment Tool Installation
The following steps walk you through installing the Web Deployment Tool and what options will be available to you.
 
There are two methods for migration, offline and live.
Offline - This only requires the core Web Deployment Tool to be installed without the need for the Remote Agent Service. Offline migration creates a local copy or "snapshot" that can be archived as a backup or copied to the destination server and restored. Without installing an additional listener service this could also be viewed as a more secure method.
 
Live - Live migration allows you to connect to two servers in real time to sync the setup, configuration, and content. At a minimum this requires the Remote Agent Service to be installed on the server you will want to push to or pull from. By default this service is set to manual and would need to be started in order to run the sync. After the sync you can feel free to stop the service.
 
I am a big fan of the power of Live migration; for this reason the steps below will install the Remote Agent.

GUI Installation
1. Download the Web Deployment Tool from http://www.iis.net/extensions/WebDeploymentTool

2. Run the downloaded MSI file.

3. Select Custom installation to choose what to install.




4. Click on the remote service check box.

5. Finish the installation.

6. Start the Remote Agent service by going to Start > Run and typing services.msc. The service is listed as the Web Deployment Agent Service and you simply need to right click it and start it.
 
If you prefer to use the GUI over command line you will see these options available to you during the installation process.
Remote Agent Service - If you plan on allowing remote connections to perform operations you will want to install this feature. Communication happens over HTTP/HTTPS and is limited to server administrators.
IIS Manager UI Module - IIS module that allows users a GUI interface to perform common deployment tasks such as Website/Application deployment and exportation. (This is an optional feature only seen during installations on IIS 7.0.)


Command line Installation
1. Download the Web Deployment Tool from http://www.iis.net/extensions/WebDeploymentTool

2. Open a command prompt on your server running as an Administrator.

3. Change directory to where you downloaded the install file

4. Run the following command:
<Downloaded_filename> /passive ADDLOCAL=ALL LISTENURL=http://+/MSDEPLOYAGENTSERVICE/

For example: WebDeploy_x86_en-US.msi /passive ADDLOCAL=ALL LISTENURL=http://+/MSDEPLOYAGENTSERVICE/

This will install the deployment service so that it listens on any IP on the server over port 80 for a specific directory, MSDeployAgentService, for example http://AllIps/MSDeployAgentService

This will not affect any of your other sites on the server but you do have the option to install it to a unique port or directory. To do this you would simply run:
msiexec /i <Downloaded_filename> /passive ADDLOCAL=ALL LISTENURL=http://+:8383/Foo/

5. Start the service by running the following command:
net start msdepsvc

Part 1 - Verifying dependencies on your Source Machine
1. First we need to know what the dependencies are for all the sites and applications we are going to be moving. On the server you want to migrate you need to find the dependencies by running:
"c:\program files\iis\microsoft web deploy\msdeploy" -verb:getDependencies -source:metakey=lm
You should see something like this:
<output>
 <dependencyInfo>
    <dependencies>
      <dependency name="FTPServer" />
      <dependency name="AnonymousAuthentication" />
      <dependency name="BasicAuthentication" />
      <dependency name="WindowsAuthentication" />
      <dependency name="ISAPIFilter" />
      <dependency name="AspNet1.1" />
      <dependency name="ASP" />
    </dependencies>
    <apppoolsInUse>
      <apppoolInUse name="DefaultAppPool" definitionIncluded="True" />
      <apppoolInUse name="Production Web Site" definitionIncluded="True" />
      <apppoolInUse name="Staging Web Site" definitionIncluded="True" />
    </apppoolsInUse>
 </dependencyInfo>
</output>

From this I can see the dependencies the old server has, in this case:
• FTP
• Anonymous, Basic, and Windows Authentication
• ISAPI Filters
• ASP.NET
• ASP
 
I can also quickly see which AppPools are being used.
 
2. To make the migration successful you will need to install the roles you discovered from step 1 on the destination server.
 
 


Part 2 – Offline Migration
1. Whenever you are making a change make sure to ALWAYS make an IIS backup of the server you are migrating to. Since we are migrating to an IIS 7 server this is as easy as: 
%windir%\system32\inetsrv\appcmd add backup "Backup"

2. Run the following command on the source server to take an archive of the server for migration:
msdeploy -verb:sync -source:metakey=lm -dest:archivedir=c:\migrate,encryptPassword=yourpassword >msdeployarchive.log

3. Copy the directory, in this case c:\migrate, to the destination server.
Xcopy c:\migrate \\Destination\c$\migrate /E /I

4. Run the following command on the destination server to run a check to verify what would happen if it executed:
msdeploy -verb:sync -source:archivedir=c:\Migrate,encryptPassword=yourpassword -dest:metakey=lm -whatif > msdeploymigrate.log

5. You can check what WOULD have happened by running:
Notepad msdeploymigrate.log

6. If there are no errors and everything looks good run it without the whatif:
msdeploy -verb:sync -source:archivedir=c:\Migrate,encryptPassword=yourpassword -dest:metakey=lm > msdeploymigrate.log
 
All the IIS setup, configuration, and content from your IIS6 server will now be set up on your IIS7 server.
 
Things to watch out for:
ISAPI Filters - Frontpage extensions and other applications may register themselves as ISAPI filters. You will need to make sure these are on the new server or removed after the migration if they are no longer needed.
Local User Anonymous Permissions - If you were using a local account on the old server obviously this user would not have permissions on this new server. You will need to either switch it to a domain user who has permissions or create a new anonymous login after the migration.


Part 3 – Live Migration
If you don't want to migrate from an archive, you can migrate using the remote service we installed. In previous instructions we installed and started the Web Deployment Agent (MSDEPSVC) but you really only need to install the service on either the source or the destination depending on whether you are pushing or pulling the information.

If you want to do a "push" migration:
1. The following command needs to be run from the local server to a remote server (IIS7 is my remote server):
msdeploy -verb:sync -source:metakey=lm -dest:metakey=lm,computername=IIS7 -whatif > msdeploysync.log

2. You can check what WOULD have happened by running:
Notepad msdeploysync.log

3. If there are no errors and everything looks good run it without the whatif:
msdeploy -verb:sync -source:metakey=lm -dest:metakey=lm,computername=IIS7 > msdeploysync.log
 
If you prefer a "pull" migration:
1. The following command needs to be run from your destination server (IIS6 is my remote server):
msdeploy -verb:sync -source:metakey=lm,computername=IIS6 -dest:metakey=lm -whatif > msdeploysync.log

2. You can check what WOULD have happened by running:
Notepad msdeploysync.log
 
3. If there are no errors and everything looks good run it without the whatif:
msdeploy -verb:sync -source:metakey=lm,computername=IIS6 -dest:metakey=lm > msdeploysync.log
 
All the IIS setup, configuration, and content from your IIS6 server will now be set up on your IIS7 server.
 
Things to watch out for:
ISAPI Filters - Frontpage extensions and other applications may register themselves as ISAPI filters. You will need to make sure these are on the new server or removed after the migration if they are no longer needed.
Local User Anonymous Permissions - If you were using a local account on the old server obviously this user would not have permissions on this new server. You will need to either switch it to a domain user who has permissions or create a new anonymous login after the migration.


Using URL Rewrite to help curb SQL Injection attacks

25. January 2010

In this post I will walk you through the process of creating a URL rewrite rule to help curb SQL Injection attacks. While this is not the end all be all in preventing a SQL injection attack, it is a good first step. In addition to this I strongly suggest having a third party security team scan your website for potential vulnerabilities.

The following rules will rewrite a request for any of the typical SQL injection attacks to /404.html or whatever file you would like. You can add or remove from the rules as you see fit. With the large quantity of rules it is much easier to simply update your web.config with the code below. Whenever editing your Web.config make sure to create a backup first.

<system.webServer>
    <rewrite>
        <rules>
            <rule name="SQL Injection - EXEC" stopProcessing="true">
                <match url="^.*EXEC\(@.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - CAST" stopProcessing="true">
                <match url="^.*CAST\(.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - DECLARE" stopProcessing="true">
                <match url="^.*DECLARE.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - DECLARE%20" stopProcessing="true">
                <match url="^.*DECLARE%20.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - NVARCHAR" stopProcessing="true">
                <match url="^.*NVARCHAR.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - sp_password" stopProcessing="true">
                <match url="^.*sp_password.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
            <rule name="SQL Injection - xp" stopProcessing="true">
                <match url="^.*%20xp_.*$" />
                <action type="CustomResponse" url="/404.html" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
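
An added example, not part of the original post: a small Python model of how URL Rewrite evaluates rules like these, run over constructed requests to check what they actually inspect. It assumes the module's documented behaviour that `<match url>` is tested against the URL path only (leading slash removed, case-insensitive by default), while the query string is reachable only through a condition on `{QUERY_STRING}`; the rule name "SQL Injection - query string" and the sample URLs are hypothetical, and percent-decoding is not modelled.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Match patterns copied from two of the page's rules (actions omitted).
PAGE_RULES = r"""<rules>
  <rule name="SQL Injection - CAST"><match url="^.*CAST\(.*$" /></rule>
  <rule name="SQL Injection - DECLARE"><match url="^.*DECLARE.*$" /></rule>
</rules>"""

# Added rule (hypothetical name): same keywords, tested against the query
# string through conditions instead of <match url>.
QUERY_RULE = r"""<rule name="SQL Injection - query string">
    <match url=".*" />
    <conditions logicalGrouping="MatchAny">
      <add input="{QUERY_STRING}" pattern="CAST\(" />
      <add input="{QUERY_STRING}" pattern="\bDECLARE\b" />
    </conditions>
  </rule>"""
HARDENED = PAGE_RULES.replace("</rules>", QUERY_RULE + "</rules>")


def _hit(element, attr, value):
    """Regex test with URL Rewrite's defaults: ignoreCase=true, negate=false."""
    flags = 0 if element.get("ignoreCase") == "false" else re.IGNORECASE
    found = re.search(element.get(attr), value, flags) is not None
    return found != (element.get("negate") == "true")


def first_match(rules_xml, request_url):
    """Return the name of the first rule that fires for request_url, or None."""
    parts = urlsplit(request_url)
    path = parts.path.lstrip("/")             # what <match url> is tested against
    inputs = {"{QUERY_STRING}": parts.query}  # only reachable from a condition
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if not _hit(rule.find("match"), "url", path):
            continue
        conds = rule.find("conditions")
        if conds is not None:
            results = [_hit(c, "pattern", inputs.get(c.get("input"), ""))
                       for c in conds.findall("add")]
            grouping = conds.get("logicalGrouping", "MatchAll")
            if not (any(results) if grouping == "MatchAny" else all(results)):
                continue
        return rule.get("name")
    return None


# Constructed sample requests.
SAMPLES = [
    "/catalog/item.aspx?id=7",
    "/catalog/item.aspx?id=7;DECLARE%20@s",
    "/press/declare-interest.aspx",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url!r}: page rules -> {first_match(PAGE_RULES, url)}, "
              f"with query rule -> {first_match(HARDENED, url)}")
```

The third sample shows the other side of substring matching: a legitimate page whose name contains "declare" receives the 403 as well, so test the rules against your own URL space before deploying them.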


After you upload the new web.config you can verify it by connecting to your site with the Remote IIS Management tool. If you have not installed this tool yet, download the IIS Remote Administration Tool for IIS 7.0 from IIS.net and install it. Once installed, connect to your site by specifying your fully-qualified domain name (MyDomain.com) as the server name, and your site (MySite) as the site name.

Once connected click the URL Rewrite module. It should look something like this.


Using URL Rewrite to Prevent Image Hotlinking

25. January 2010


In this post I will walk you through the process of creating a URL rewrite rule to prevent Image Hotlinking. Image Hotlinking, also known as leeching, is the use of an image from one site into a web page belonging to a second site. Unauthorized image hotlinking from your site increases bandwidth use, even though the site is not being viewed as intended. There are other concerns with image hotlinking, for example copyrights or usage of images in an inappropriate context.

An example of this would be if I was hosting an image on my site www.Jelly.com, and someone outside my network tried to display it in their site.

 


Rather than strangers eating all my bandwidth up, with URL Rewrite I can replace any requested images with a placeholder like the one below.

 





First you will need to connect to your site with the Remote IIS Management tool. If you have not installed this tool yet, download the IIS Remote Administration Tool for IIS 7.0 from IIS.net and install it. Once installed, connect to your site by specifying your fully-qualified domain name (MyDomain.com) as the server name, and your site id (My Site) as the site name. Then use your control panel username and password to connect.

Create URL Rewrite Rule
1. Click the URL Rewrite module.
2. Add Rules
3. Blank Rule
4. Name = Prevent image Hotlinking (Or whatever friendly name you would like)
5. Pattern = .*\.(gif|jpg|png)$
6. Add Condition
a. Condition Input = {HTTP_REFERER}
b. Input String = Does not Match the Pattern
c. Pattern = ^$
7. Add a second Condition
a. Condition Input = {HTTP_REFERER}
b. Input String = Does not Match the Pattern
c. Pattern = http://www.jelly.com/.*   (Replace www.jelly.com with your domain)
8. Action Type = Rewrite
9. Rewrite URL = /images/hotlinking.jpg    (Replace hotlinking.jpg with whatever image you would like to show)
10. Click Apply
11. Click Back to Rules





This rule will rewrite a request for any image file to /images/hotlinking.jpg only if the HTTP Referer header on the request is not empty and is not equal to the site’s domain. 

If you don't want to go through all those steps above through the GUI, you can include the following code in your web.config

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Prevent image hotlinking" enabled="true" stopProcessing="true">
                    <match url=".*\.(gif|jpg|png)$" />
                    <conditions>
                        <add input="{HTTP_REFERER}" negate="true" pattern="^$" />
                        <add input="{HTTP_REFERER}" negate="true" pattern="http://www.YourDomain.com/.*" />
                    </conditions>
                    <action type="Rewrite" url="/images/hotlinking.jpg" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>


Using IIS 7 URL Rewrite to route domains to subfolders

19. January 2010

The Microsoft URL Rewrite Module for IIS 7.0 provides a flexible rules-based rewrite engine that can be used to perform a broad spectrum of URL manipulation tasks, including, but not limited to:

• Enabling user friendly and search engine friendly URLs with dynamic web applications
• Rewriting URLs based on HTTP headers and server variables
• Web site content handling
• Controlling access to web site content based on URL segments or request metadata

In this KB I will walk you through the steps to route multiple domains to subfolders in your site. An example of this would be if you are hosting www.Peanutbutter.com and www.Jelly.com on the same website.

 

With URL Rewrite you can create rules to direct traffic to subfolders based on the URL.

 

In IIS7.5 (and also applicable to IIS7) you will first need to install the URL Rewrite Module. The download can be obtained from www.iis.net/extensions. Once you have done that you will now see a new Icon in IIS.

 

 

Create URL Rewrite Rule

1. Click the URL Rewrite module.
2. Add Rules
3. Blank Rule
4. Name = Virtual Director (Or whatever friendly name you would like)
5. Pattern = .*
6. Add Condition
a. Condition Input = {MyDomains:{HTTP_HOST}}
b. Input String = Matches the Pattern
c. Pattern = (.+)
7. Action Type = Rewrite
8. Rewrite URL = {C:1}{REQUEST_URI}
9. Click Apply
10. Click Back to Rules

 

 

 

 

Create Domain Routes

1. Click View Rewrite Maps
2. Click Add Rewrite Map
3. Rewrite map name = MyDomains
4. Click Add Mapping Entry
5. Original Value = Domain you want to route (i.e. Jelly.com)
6. New Value = Folder you would like traffic routed to (i.e. Jelly)
7. Repeat steps for any third level domains you also want to route (i.e. www.Jelly.com)

 

 

 

 

Now, while Jelly.com and Peanutbutter.com are both bound to the same site, traffic for Jelly.com gets routed one folder down. If you look in the address bar, it masks the folder /Jelly.

 

 

 

You can do this for as many domains as you would like. Domains not listed in the Rewrite Maps will continue to load their pages from the root of your site.

 

 

If you don't want to go through all those steps through the GUI, you can include the following code in your web.config

 

<system.webServer>
    <rewrite>
        <rules>
            <rule name="Virtual Director" enabled="true" stopProcessing="false">
                <match url=".*" />
                <conditions>
                    <add input="{MyDomains:{HTTP_HOST}}" pattern="(.+)" />
                </conditions>
                <action type="Rewrite" url="{C:1}{REQUEST_URI}" />
            </rule>
        </rules>
        <rewriteMaps>
            <rewriteMap name="MyDomains">
                <add key="Jelly.com" value="/Jelly" />
                <add key="www.Jelly.com" value="/Jelly" />
            </rewriteMap>
        </rewriteMaps>
    </rewrite>
</system.webServer>


An introduction to Smooth Streaming

9. November 2009

 

There is a ton of confusion about what smooth streaming actually is and what it does. I figured I would try and write a quick breakdown.

 

 


 

What the heck is Smooth Streaming?

Smooth Streaming is an extension to IIS 7 that enables the streaming of media to Silverlight clients over the web via adaptive streaming. It makes true HD streaming a reality and is extremely scalable. This was put to the test during the 2008 Summer Olympics.

 

Ok so what is adaptive streaming and how is it different?

Adaptive Streaming is a delivery method for media where, rather than having to download the entire file and play it, a series of short HTTP downloads is delivered to the client. With these short bursts a client can dynamically switch between higher and lower quality depending on available bandwidth and CPU power.

 

Sounds great, how can I use it?

Clients viewing the media would require Silverlight 2 or greater. For Linux viewers Moonlight 2 also supports Smooth Streaming.

 

If your encoding software does not support the Smooth Streaming format you will have to upgrade it. Personally I use and like Microsoft Expression Encoder 3, but there are others you could use.

 

On our Elastic Shared Product, MaxESP, Smooth Streaming is already installed and ready to use. For steps and a video showing it off on MaxESP, take a look at the video at the bottom of this KB. If you are running your own IIS7 server you will need to install the extension for IIS7.

 

What about my old content?

Unfortunately to take advantage of Smooth Streaming you would have to re-encode and upload your content.

 

 
