Advanced Louis Aguila & Matt Burt
Class Objectives
- To explore Microsoft Internet Information Services (IIS) use and troubleshooting
- Basic E-Commerce site setup in IIS
- Use of Application Pools and settings in IIS
- SSL Certificates
- Minimizing risks without compromising E-Commerce functionality
- Performance improvements on the site
What is Internet Information Services (IIS)?
- IIS is Microsoft's web server application which includes support for HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP.
- June 2013 Web Server Survey shows 17.22% of web sites are hosted using IIS. Up from 14.62% June 2012.
- IIS 1.0 was introduced with Windows NT 3.51 (May 1995) and IIS 8 became available starting with Server 2012.
What does IIS do?
- Provides a platform for serving content to the Internet or an Intranet using industry standard protocols
- Provides an environment for software written on various web platforms (ASP, ASP.NET, PHP, Ruby, etc.) to run and serve content
- Provides security for applications to run while keeping processes and visitors separate from the rest of the operating system and/or network.
Ok, I get IIS. What does it have to do with E-Commerce?
- Siriusware's E-Commerce is an ASP.NET application that needs to run on IIS.
- E-Commerce cannot be hosted on other popular platforms like Apache or nginx.
- E-Commerce was designed to be used in a Microsoft environment (like the rest of Siriusware's software)
(Graphic: Microsoft IIS, Siriusware E-Commerce, Happiness)
End of Life Notice
Server 2003 SP2, also known as "old reliable"
- Mainstream support End Date was 07/13/2010
  - Non Security hot fix support no longer available
  - No charge incident support no longer available
  - Paid support available
- Extended Support End Date is 07/14/2015
  - Security update support available until end date
  - Paid support available
- A reminder, Siriusware will only provide support to Microsoft products that have not reached complete End of Life
New (4.2x) vs Old (< 4.0.58) E-Commerce
- We no longer use COM+ Application Pooling; we now use IIS Application Pools
- E-Commerce application now runs on .NET 4.0
- Install packages for ww.dll take care of almost everything
- It is now highly recommended that wwservice always be installed and used, even if your pages are hosted internally
Typical E-Commerce setup in IIS
Things to look for:
- Windows Server Roles are configured correctly (in other words, make sure all appropriate checkboxes are checked)
- Hint: All settings you need to look for are in the documentation
Typical E-Commerce setup in IIS
Things to look for:
- Application Pools in IIS are also configured correctly
- Hint: All settings you need to look for are in the documentation
Typical E-Commerce setup in IIS
Things to look for:
- Should the site live on the root or in its own folder? For example: https://tickets.siriusware.com OR https://tickets.sirisuware.com/e-commerce
- If your web server is hosting multiple sites, it is recommended to use folders, but not required
- If your web server is only hosting E-Commerce, you can set it up on the root directory.
Typical E-Commerce setup in IIS
- Site hosted on the Default Web Site root: https://tickets.siriusware.com
- Site hosted in a folder: https://tickets.sirisuware.com/e-commerce
Typical E-Commerce setup in IIS
Application Pools
- Your E-Commerce site will utilize two Application Pools running on .NET 4.0.
  - One pool will be used for the main E-Commerce site to run on.
  - One pool will be used for wwservice. New Requirement.
- You should only have one application running per Application Pool
(Diagram labels: E-Commerce Site, wwservice)
Typical E-Commerce setup in IIS
SSL Certificates
- Required if you plan to take credit cards on E-Commerce
- Available from a variety of vendors including GoDaddy, Network Solutions, VeriSign, and Thawte.
- Minimum of 128 bit certificate should be installed. Higher is better, but older browsers may not support it
- A great SSL installation how-to site is http://www.digicert.com/ssl-certificate-installation-microsoft-iis-7.htm
Keeping E-Commerce Secure
Server Security
Hosted external server or internal server?
- External server lives outside of your network and domain
- External server can be hacked, but it will not affect your internal network and no information can be obtained
- Information between your hosted server and internal network is passed through wwservice securely
- External server can have a monthly or annual cost
Keeping E-Commerce Secure
Server Security
Hosted external server or internal server?
- Concerned about Security? Consider moving your E-Commerce site to a hosting provider.
- Siriusware recommends DiscountASP.net
  - About $100 / year or $200 / year with SSL Certificate
  - Ability to host .NET 4.0 application in full trust mode
- You will need to set up wwservice on your ww.dll machine
- You will also need to configure your firewall to have an external IP point to your wwservice computer
Externally Hosted Pages
- wwservice is the key component to making this work
- wwservice resides in your internal network alongside the ww.dll
- Public facing IP is directed to the wwservice server
- wwservice transmits information to/from the hosting provider to the ww.dll
- The hosting provider hosts the site to the public
(Diagram: Internal Network with wwservice; Hosting Provider with E-Commerce site; Firewall. Firewall has a public facing IP directed to wwservice server.)
E-Commerce: For IT
Keeping E-Commerce Secure
Server Security
Additional points to consider
- If using an external server, use a VPN between your external server and your internal network for an extra layer of security
- If using an internal server, dedicate a server to be used for web hosting purposes
- Make sure all Windows updates, patches, and service packs are applied
- Install a real firewall and only open external ports if needed. Best Buy Linksys router is not a real firewall!
- E-Commerce requires port 80 to be open for HTTP and 443 for HTTPS
- Schedule an intrusion test on your E-Commerce site to make sure everything is secure. Use an outside vendor, not your cubicle neighbor!
Keeping E-Commerce Secure
IIS Security
- Only install necessary services in the Server Role (don't check everything)
- Don't use virtual directories across servers; the virtual directory should be local
- Put the virtual directory on a different drive than the OS
- Require the site to be run in HTTPS
- Configure the default website with secure settings (a common hacker decoy)
- Remove all write permissions
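One way to check the application pool and virtual directory points from the slides offline, as an added example (not Siriusware's or Microsoft's code): it parses a copy of IIS's applicationHost.config and reports pools that are not on .NET 4.0 or not dedicated to one application, and virtual directories that sit on a remote share or on the OS drive. The pool names, site paths and the SAMPLE config are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in applicationHost.config layout; all names and paths are made up.
SAMPLE = r"""<configuration><system.applicationHost>
  <applicationPools>
    <add name="ECommercePool" managedRuntimeVersion="v4.0" />
    <add name="WWServicePool" managedRuntimeVersion="v2.0" />
  </applicationPools>
  <sites><site name="Default Web Site" id="1">
    <application path="/e-commerce" applicationPool="ECommercePool">
      <virtualDirectory path="/" physicalPath="D:\sites\e-commerce" />
    </application>
    <application path="/wwservice" applicationPool="WWServicePool">
      <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwservice" />
    </application>
    <application path="/reports" applicationPool="WWServicePool">
      <virtualDirectory path="/" physicalPath="\\fileserver\web\reports" />
    </application>
  </site></sites>
</system.applicationHost></configuration>"""

def audit(config_xml, pools, os_drive="C:"):
    """Return sorted (rule, subject) findings for the named pools and all virtual directories."""
    root = ET.fromstring(config_xml)
    findings, apps_by_pool = [], defaultdict(list)
    for site in root.iterfind(".//sites/site"):
        for app in site.iterfind("application"):
            name = site.get("name") + app.get("path")
            apps_by_pool[app.get("applicationPool")].append(name)
            for vdir in app.iterfind("virtualDirectory"):
                path = vdir.get("physicalPath", "")
                expanded = path.upper().replace("%SYSTEMDRIVE%", os_drive.upper())
                if path.startswith("\\\\"):       # UNC path: content lives on another server
                    findings.append(("remote-vdir", name))
                elif expanded.startswith(os_drive.upper()):
                    findings.append(("vdir-on-os-drive", name))
    runtime = {p.get("name"): p.get("managedRuntimeVersion")
               for p in root.iterfind(".//applicationPools/add")}
    for pool in pools:
        if runtime.get(pool) != "v4.0":           # also fires if the pool is missing or inherits its runtime
            findings.append(("pool-not-net4", pool))
        if len(apps_by_pool[pool]) != 1:          # the slides ask for one application per pool
            findings.append(("pool-not-dedicated", pool))
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject in audit(SAMPLE, ["ECommercePool", "WWServicePool"]):
        print(f"{rule:18} {subject}")
```

Run it against a copy of the server's own applicationHost.config, passing the names of the two pools created for E-Commerce and wwservice.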
Keeping E-Commerce Secure
E-Commerce Pages
- Use regular expressions to enforce passwords
  - Did you know expressions can be changed in DynamicControls.xml?
  - Expressions available online in sites such as www.regexlib.com
- Use password authentication instead of zip code or birthdate
  - Used when logging in as a pass holder or member
  - Required if credit cards are on file for the guest
- Enforce Authentication with Member Log Ins, In-House Cards, etc.
- Remove the test card (5454) when you are done testing
- Ensure site.config setting AllowedAdminIPs is not set to *
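Before changing a password expression, it helps to run the candidate against known-weak and known-good passwords. The following is an added example, not taken from the product or from DynamicControls.xml: both expressions and all test passwords are constructed, and it assumes the expression uses only syntax (lookaheads, character classes) that behaves the same in Python and in .NET regular expressions.

```python
import re

# Hypothetical candidate expressions, not taken from the product's DynamicControls.xml.
LENGTH_ONLY = r"^.{6,}$"
COMPLEX = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{10,64}$"

# Constructed test passwords.
SHOULD_REJECT = ["password", "12345678", "Summer2013", "aaaaaaaaaa", "Sh0rt!"]
SHOULD_ACCEPT = ["Lift-Ticket#2013", "correct Horse 9 battery!"]

def evaluate(pattern):
    """Return (weak passwords the pattern lets through, good passwords it blocks)."""
    rx = re.compile(pattern)
    let_through = [p for p in SHOULD_REJECT if rx.fullmatch(p)]
    blocked = [p for p in SHOULD_ACCEPT if not rx.fullmatch(p)]
    return let_through, blocked

if __name__ == "__main__":
    for label, pattern in (("length only", LENGTH_ONLY), ("complex", COMPLEX)):
        let_through, blocked = evaluate(pattern)
        print(f"{label}: lets through {let_through}, blocks {blocked}")
```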
Performance Issues
- Look at SQL Load in task manager
  - Check resource utilization on MSSQLSERVER process
  - If memory or CPU is exceptionally high, it could be ww.dll
  - Stop IIS and see if resource utilization drops
  - Consider adding additional memory or CPU (if virtual)
- Change SQL connection string on ww.dll to IP address instead of DNS name
Performance Issues
E-Commerce Pages
- Increase worker processes on the Application Pool
- You must be using a SQL State Server in order to increase worker processes
Performance Issues
E-Commerce Pages
- Look at Memory and CPU utilization on the ww.dll computer
- Ensure you only have one application using the Application Pool
- Consider separating out all components (IIS, ww.dll, SalesHost) so each component runs on a dedicated computer
- Three options to consider
Performance Issues
Component Options
- All in One: Server 1 (IIS, ww.dll, SalesHost)
- IIS Separated: Server 1 (IIS); Server 2 (ww.dll, SalesHost)
- One server per component: Server 1 (IIS); Server 2 (ww.dll); Server 3 (SalesHost)
- You can free up a server by hosting the site externally
- Recommended for high volume sites
Take Away
- IIS Security
- Make sure you start to consider migrating any Server 2003 instances
- Run a network intrusion test
- Make sure all servers are up to date with Windows Updates
- Consider moving your site to a hosting provider
- Look at Memory and CPU utilization on all related servers
- Consider installing performance alerts on all servers
Please fill out the course evaluations provided. Your opinion matters and helps us provide the best seminar experience possible. Louis Aguila & Matt Burt