MSDN Magazine: IIS
Security: Safer Authentication with a One-Time Password Solution
Dan Griffin - May 2008
One-time passwords offer solutions to dictionary attacks, phishing, interception, and lots of other security breaches. Here's how it all works.
Performance: Scaling Strategies for ASP.NET Applications
Richard Campbell and Kent Alstad - April 2008
Performance problems can creep into your Web app as it scales up, and when they do, you need to find the causes and the best strategies to address them.
IIS 7.0: Enhance Your Apps with the Integrated ASP.NET Pipeline
Mike Volodarsky - January 2008
Mike Volodarsky demonstrates how IIS 7.0 lets you add performance and security upgrades to PHP apps without touching a line of PHP code.
IIS 7.0: Extend Your WCF Services Beyond HTTP With WAS
Dominick Baier, Christian Weyer, and Steve Maine - September 2007
Learn about a new IIS feature called the Windows Process Activation Service (WAS) that makes it possible to host Web services beyond HTTP.
IIS 7.0: Explore The Web Server For Windows Vista And Beyond
Mike Volodarsky - March 2007
Are You Protected?: Design and Deploy Secure Web Apps with ASP.NET 2.0 and IIS 6.0
Mike Volodarsky - November 2005
Ensuring the security of a Web application is critical and requires careful planning throughout the design, development, deployment, and operation phases. It is not something that can be slapped onto an existing application. In this article, Mike Volodarsky outlines best practices that allow you to take advantage of the security features of ASP.NET 2.0 and IIS 6.0 to build and deploy more secure Web applications.
Best Practices: Fast, Scalable, and Secure Session State Management for Your Web Applications
Mike Volodarsky - September 2005
ASP.NET provides a number of ways to maintain user state, the most powerful of which is session state. This article takes an in-depth look at designing and deploying high-performance, scalable, secure session solutions, and presents best practices for both existing and new ASP.NET session state features straight from the ASP.NET feature team.
Web Q&A: Locking Pop-Up Blocker, Mixed Authentication, and More
Edited by Nancy Michell - June 2005
Service Station: Run ASMX Without IIS
Aaron Skonnard - December 2004
When the Microsoft® .NET Framework first shipped, it introduced a breakthrough Web services framework known as ASMX. The motivation behind the ASMX design was to simplify the process of developing Web services as much as possible so that even if you're not an XML expert, you can get a Web service up and running.
Intrusion Prevention: Build Security Into Your Web Services with WSE 2.0 and ISA Server 2004
Dino Esposito - November 2004
Once you've addressed security in your code, it's time to look at the environment it runs in. Firewalls stop unauthorized traffic from getting into your network, and smart Web service-specific firewalls, like the one that comes with Internet Security and Acceleration (ISA) Server 2004, bring XML intrusion prevention to your system for that added layer of safety.
ISA Server 2004: Developing an Application Filter for Microsoft Internet Security and Acceleration Server 2004
Yigal Edery - March 2004
The beta version of Internet Security and Acceleration (ISA) Server 2004 is now publicly available. It includes a rich SDK with several extensibility mechanisms that allow third parties to integrate their specialized solutions on top of the ISA platform. In this article, the author explores the application filter extensibility mechanism, which enables you to add high-level application layer filtering capabilities to ISA Server and to provide rich content filtering solutions. He also highlights the new features of the ISA Server 2004 SDK, then moves on to describe how to develop a basic application filter that monitors all data going through the ISA Server, and how to integrate a filter into the ISA Server management console to create a seamless interface experience for your users.
The ASP Column: Web Services: ATL Server Versus ASP.NET
George Shepherd - February 2004
The ASP Column: ATL Server Versus ASP.NET
George Shepherd - November 2003
ASP.NET Pipeline: Use Threads and Build Asynchronous Handlers in Your Server-Side Web Code
Fritz Onion - June 2003
Fortunately for developers, threading in ASP.NET is a lot easier than it was in ASP. In this article, the author takes a look at threading in the ASP.NET HTTP pipeline, and explains how threads are managed efficiently without the involvement of the developer. The article considers how the common language runtime threadpool is used by ASP.NET to service requests, looks at the pooling mechanisms used for handlers, modules, and applications, and covers both IIS 5.0 and IIS 6.0 and how they differ in their approach to request processing and thread allocation. Finally, how and when to use asynchronous handlers is discussed for developers who still need to use threads in their own applications.
Cutting Edge: ASP.NET Client-side Hosting with Cassini
Dino Esposito - January 2003
In the September and October 2000 issues of MSDN® Magazine I discussed how to build a client-side environment for ASP applications; that is, a serverless environment to run ASP pages (see Cutting Edge: A Client-side Environment for ASP Pages and Cutting Edge: A Client-side Environment for ASP Pages—Part 2).
C++ and ATL: Use ATL Server Classes to Expose Your Unmanaged C++ Code as an XML Web Service
Kirk Fertitta and Chris Sells - December 2002
Throughout this issue, you'll read all about the promise of Web Services and how the .NET Framework enables Web Service development. Many people will also be building their Web Services atop C++ code and frameworks like ATL Server, particularly when performance is paramount. In this article, the authors show how fully functional Web Services are built using ATL Server and Visual Studio .NET. Beginning with unmanaged C++ classes, they add ATL attributes that make the code work over HTTP.
Web Q&A: Allowing ASP in IIS 6.0, Sorting XML Elements, SSL and Navigation, and More
Edited by Nancy Michell - October 2002
Security in IIS 6.0: Innovations in Internet Information Services Let You Tightly Guard Secure Data and Server Processes
Wayne Berry - September 2002
Security improvements have been a top priority in the evolution of IIS. IIS 6.0, which will be part of Windows .NET Server, has improved security features and a new approach to server configuration. New security-related tools for IIS, including IIS LockDown, make securing your server against attack easier than ever. The author explains how and why you can shut down services with IIS LockDown. He discusses limiting port access with TCP/IP filtering, controlling how files are served with extension mapping, what's new for Secure Sockets Layer, the use of URLScan, and more.
HTTP Pipelines: Securely Implement Request Processing, Filtering, and Content Redirection with HTTP Pipelines in ASP.NET
Tim Ewald and Keith Brown - September 2002
ASP.NET is a flexible and extensible framework for server-side HTTP programming. While most people think of ASP.NET in terms of pages served, there is a lower-level infrastructure sitting beneath this page model. The underlying plumbing is based on a pipeline of app, module, and handler objects. Understanding how this pipeline works is key if you want to get the most out of ASP.NET as an HTTP server platform, while making your process more efficient, and keeping your server secure. This article introduces the architecture of the pipeline and shows how you can use it to add sophisticated functionality to an ASP.NET-based app.
Tamper-Resistant Apps: Cryptographic Hash Algorithms Let You Detect Malicious Code in ASP.NET
Jason Coombs - September 2002
Cryptographic hash algorithms produce fixed-length sequences based on input of arbitrary length. A given input always produces the same output, called a hash code. Using these algorithms, you can compute and validate hash codes to ensure that code running on your machine has not been tampered with or otherwise changed. ASP.NET provides a software mechanism for validating hash code fingerprints for every page requested by a client. In this article, the author shows how to use hash codes with ASP.NET applications to detect tampering and prevent malicious code from running when tampering is detected.
ASP.NET: Intercept, Monitor, and Modify Web Requests with HTTP Filters in ISAPI and ASP.NET
Panos Kougiouris - August 2002
There can be many reasons to reroute incoming Web requests. For instance, sometimes it's necessary to redirect a browser to a page based on user criteria without passing long lists of parameters in the URL. In the past, the only way to intercept such page requests and send them elsewhere was with ISAPI. Now, in ASP.NET, the IHttpModule interface provides notification of server requests, and lets you easily reroute them based on criteria other than browser type or version. Here the author demonstrates the use of IHttpModule for interception and explains the use of ISAPI filters for anyone who isn't yet using ASP.NET.
ASP.NET Security: An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS, Part 2
Jeff Prosise - May 2002
Forms authentication is one of the most compelling and useful new features of ASP.NET. It enables developers to declaratively specify which files on their site can be accessed and by whom, and allows identification of a login page. When an unauthenticated user attempts to retrieve a page protected by forms authentication, ASP.NET automatically redirects them to the login page and asks them to identify themselves. Included here is an overview of forms authentication and what you need to know to put it to work. Also included is hard-to-find information on the security of cookie authentication and on combining forms authentication with role-based URL authorizations.
The ASP Column: HTTP Modules
George Shepherd - May 2002
ASP.NET Security: An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS
Jeff Prosise - April 2002
ASP.NET and Microsoft Internet Information Services (IIS) work together to make building secure Web sites a breeze. But to do it right, you have to know how the two interrelate and what options they provide for securing access to a Web site's resources. This article, the first in a two-part series, explains the ABCs of Web security as seen through the eyes of ASP.NET and includes a hands-on tutorial demonstrating Windows authentication and ACL authorizations. A range of security measures and authentication methods are discussed, including basic authentication, digest authentication, and role-based security.
IIS 6.0: New Features Improve Your Web Server's Performance, Reliability, and Scalability
George Shepherd - March 2002
As the Web evolves, so does the role that Internet servers play. The Internet has seen the growth of e-commerce, B2B business, collaboration, streaming and other new media, and these new applications require new features to meet increasingly complex needs. Microsoft Internet Information Services (IIS) has many of the features today's mature Web sites need. This article outlines the features in the upcoming version 6.0 and discusses how they promote better scalability, reliability, and performance. Features such as remote administration, caching, and metabase improvements, as well as custom isolation and security enhancements, make IIS 6.0 the Web server of the future.
Security Briefs: ASP.NET Security Issues
Keith Brown - November 2001
ISAPI Extensions: Creating a DLL to Enable HTTP-based File Uploads with IIS
Panos Kougiouris - October 2001
The MIME-compliant content type, called multipart/form-data, makes writing HTML that uploads files almost trivial. On the server side though, ASP does not have a way to access data in the multipart/form-data format. The most flexible way to access the uploaded file is through a C++ ISAPI Extension DLL. This article describes a reusable ISAPI extension DLL that allows you to upload images and files without writing C++ code. It is coupled with a few COM components that make it readily reusable for ASP development. With .NET, this whole process is much easier, and this article shows preliminary code that uploads files using ASP.NET features.
ISAPI Filters: Designing SiteSentry, an Anti-Scraping Filter for IIS
Rodney Bennett - October 2001
The Microsoft Internet API for IIS, ISAPI, sits between the client and the Web server. Therefore, you can access the HTTP data stream before IIS gets to see it. The project in this article takes advantage of the ISAPI architecture to create a filter that monitors access to a Web site to determine if visits are from typical users or from automated processes designed to pilfer information from your site. The author tracks the regularity of visits to the site to determine the likely source. Once the determination is made, the app either redirects the user or continues to track information about those hits.
Server Farms: Application Center 2000 Offers World-Class Scalability
Panos Kougiouris - May 2001
Application Center 2000 simplifies the deployment of a Microsoft .NET-based application to clusters, which are shared-nothing, loosely coupled computers that appear as one virtual computer. This allows all the computers in Application Center 2000 clusters to provide the same service or Web application at the same time. This article explains network load balancing and component load balancing for COM+ components with Application Center 2000. Accessing the features of Application Center 2000 through the MMC snap-in interface and the command-line interface for batching administrative tasks is also covered.
Go Global: Localizing Dynamic Web Apps with IIS 5.0 and SQL Server
Jeremy Bostron and Doug Rothaus - May 2001
The success of a database-driven international Web site depends on how well the code and localized content work together with the software on the client and server. Localizing a dynamic Web site is more complicated than localizing a static one. The use of HTML and ASP code for static and dynamic content on IIS 4.0 or 5.0, coupled with Microsoft Data Access Components (MDAC) and SQL Server, enables Web sites to support as many languages as necessary. Choosing the right character sets and code pages, the variations in the Unicode support for IIS 4.0 and 5.0, as well as ways to avoid some common pitfalls are all discussed.
Secure Sockets Layer: Protect Your E-Commerce Web Site with SSL and Digital Certificates
John Papa - April 2001
Security is one of the most important factors in the future growth of e-businesses. Making sure that communications remain secure between customers and the Web server is a critical issue. Secure Sockets Layer (SSL) is the standard that secure Web sites are built upon today. This article presents an overview of SSL-based Web security, explaining such fundamental concepts as digital certificates and their distribution, encryption, and the proper configuration of Microsoft Internet Information Services (IIS). Acquiring a certificate, installing it, and configuring IIS for SSL are outlined in a step-by-step process.
Web Q&A: Printing from a Web Page, Screen Scraping, Origin of an HTTP Request, and More
Robert Hess - January 2001
ATL Server and Visual Studio .NET: Developing High-Performance Web Applications Gets Easier
Shaun McAravey and Ben Hickman - October 2000
When developing high-performance applications for the Web, developers often must choose between performance and ease of development. With ATL Server, new with Visual Studio .NET, developers get the best of both worlds. ATL Server uses a tag replacement engine written in C++, provides a simple programming model, and promotes enhanced performance and easy debugging. This article presents an overview of the ATL Server architecture, then creates a basic ATL Server project. It then goes on to explain processing SRF files, HTTP streams, forms, cookies, and header files. Managing session state is also discussed, along with file uploads and performance monitoring.
Shelley Powers: Migrating Your ASP Apps from Windows NT 4.0 to Windows 2000
Shelley Powers - August 2000
In order to take advantage of new features in Windows 2000 and IIS 5.0, you must first migrate your Windows NT 4.0-based ASP applications to Windows 2000. This article provides a multi-step migration plan. It discusses how to install and configure IIS 5.0, set up security, migrate MTS packages to COM+ applications, and handle differences in the ASP object models. Also included are guidelines for setting up Visual Basic and Visual C++ for development in Windows 2000 and information on what to expect when moving ASP components to the new OS.
Web Security: Part 2: Introducing the Web Application Manager, Client Authentication Options, and Process Isolation
Keith Brown - July 2000
This article, the second of two parts, continues coverage of Web security for Windows. It introduces the Web Application Manager in IIS that allows Web processes to be isolated, decreasing the security risk associated with running in a logon session. The article then picks up where Part One left off: it discusses authentication methods such as basic authentication, digest authentication, integrated Windows authentication, and anonymous logons, and the benefits and drawbacks of each.
Windows CE Web Server: Using Web Tools to Monitor and Manage Embedded Devices
Leonid Braginski and Matthew Powell - May 2000
When it ships, Windows CE 3.0 is expected to include Web services via the Windows CE Web Server. This new component of the Windows CE operating system will allow developers to share data or monitor and manage devices that are running Windows CE, whether they are handheld PCs or embedded in devices such as gas pumps or refrigerators. This article explains how the Windows CE Web Server component can be included in the operating system for a given device. We'll also show you how the Web server features you're familiar with from Microsoft Internet Information Services are implemented in the Windows CE Web Server.
New Directions in Redirection: Microsoft Internet Information Services 5.0 Provides Two New Methods
Ram Papatla - April 2000
Internet Information Services (IIS) 5.0 provides several enhancements to its support for ASP-based Web development, including two new server-side redirection methods: Server.Transfer and Server.Execute. Rather than redirecting requests with a round-trip to the client, these new methods can be used to transfer requests directly to an ASP file without ever leaving the server. While this functionality doesn't replace the Response.Redirect method used by IIS 4.0, you can take advantage of it to implement better application flow control mechanisms and to handle errors more efficiently. The different redirection options are described, along with some tips and tricks for implementing them on your own site.