Initial Phases of a Web Request

Before the first line of code you write for an .aspx page executes, both Internet Information Services (IIS) and ASP.NET have performed a fair amount of logic to establish the execution context for a HyperText Transfer Protocol (HTTP) request. IIS may have negotiated security credentials with your browser. IIS will have determined that ASP.NET should process the request and will perform a handoff of the request to ASP.NET. At that point, ASP.
Chapter 1

IIS Request Handling

The initial processing of an HTTP request on Windows Server 2003 occurs within both IIS and a supporting protocol driver. As a result, depending on the configuration for IIS, a request may never make it far enough to be processed by ASP.NET. The diagram in Figure 1-1 shows the salient portions of IIS and Windows Server 2003 that participate in request processing.

(Figure 1-1 diagram labels: worker process w3wp.exe, static content, aspnet_isapi.dll, asp.dll, aspnet_filter …)
Http.sys

When an HTTP request is first received by Windows Server 2003, the initial handling is actually performed by the kernel-mode HTTP driver: http.sys. The kernel-mode driver has several Registry switches that control the amount of information allowed in a request URL.
The sequence 1234567890 is repeated 26 times in the URL. Because the path segment is exactly 260 characters though, http.sys does not reject the request. Instead, this URL results in a 404 from IIS because there is no foo.htm file on the system. However, if you add one more character to this sequence, thus making the path segment 261 characters long, an HTTP 400 - Bad Request error message is returned.
The character length and byte size restrictions enforced by http.sys can be modified by adding DWORD values underneath the following Registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

The specific Registry settings that govern the behavior just discussed are listed in the following table. Also, a server reboot is required after you change any of the following settings.
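To make the 260-versus-261-character behavior concrete, here is an added Python model of the per-segment check http.sys performs before IIS ever sees the request (example code, not from the book or from Microsoft). The value names and defaults (UrlSegmentMaxLength, UrlSegmentMaxCount) are supplied from my own knowledge of the HTTP\Parameters key, since the page's table is not reproduced here, and the test URL is constructed to match the text's description.

```python
from typing import Optional
from urllib.parse import urlsplit

# Default http.sys limits on Windows Server 2003 for the two checks modelled
# here. Value names and defaults come from my own knowledge of the
# HTTP\Parameters key, not from the page's (missing) table.
DEFAULT_LIMITS = {
    "UrlSegmentMaxLength": 260,  # max characters in one path segment
    "UrlSegmentMaxCount": 255,   # max number of path segments
}


def http_sys_status(url: str, limits: Optional[dict] = None) -> Optional[int]:
    """Return 400 if the kernel driver would reject the request URL before IIS
    sees it, or None if the URL passes these checks and is handed on to IIS."""
    lim = {**DEFAULT_LIMITS, **(limits or {})}
    path = urlsplit(url).path
    # Segments are the pieces between '/'; empty pieces are not counted here.
    segments = [s for s in path.split("/") if s]
    if len(segments) > lim["UrlSegmentMaxCount"]:
        return 400
    if any(len(s) > lim["UrlSegmentMaxLength"] for s in segments):
        return 400
    return None


def build_test_url(repeats: int, extra: str = "") -> str:
    """Constructed URL in the shape the text describes: one path segment made
    of '1234567890' repeated `repeats` times (plus `extra`), then foo.htm."""
    return "http://localhost/" + "1234567890" * repeats + extra + "/foo.htm"


if __name__ == "__main__":
    # 260-character segment: http.sys passes it on (IIS then answers 404 for
    # the missing foo.htm); 261 characters: http.sys itself answers 400.
    print(http_sys_status(build_test_url(26)))       # None
    print(http_sys_status(build_test_url(26, "1")))  # 400
    # Lowering the limit via the Registry value changes the outcome.
    print(http_sys_status(build_test_url(26), {"UrlSegmentMaxLength": 100}))  # 400
```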
You can see the set of all ISAPI filters that are registered in IIS by using the IIS MMC, right-clicking the Web Sites node, and then clicking on the ISAPI Filters tab in the dialog box that opens. In Figure 1-2, you can see that there is currently only one ISAPI filter registered by default — the ASP.NET filter. Depending on your machine, you may see additional filters that provide services such as compression or that support Front Page extensions.

Figure 1-2

By default ASP.
ASP.NET reserves the path segment immediately after the application's virtual root as the location on the URL where cookieless tickets are stored. In this example, the application was called inproc, so the next path segment is where ASP.NET stored the cookieless tickets. All cookieless tickets are stored within an outer pair of parentheses.
Blocking Restricted Directories

After the filter processes any cookieless tickets, the filter has IIS normalize the request URL's representation. This is necessary because the filter enforces the restriction that browser users cannot request any type of content from the protected directories in ASP.NET 2.0. Because ASP.NET 2.
Registry Setting Value Name        Description
StopBinFiltering                   Set this value to 1 to stop the filter from blocking requests to paths that include /bin. This setting will affect all ASP.NET 1.1 and 2.0 applications on the server.
StopProtectedDirectoryFiltering    Set this value to 1 to stop the filter from blocking requests to reserved ASP.NET directories that include a path starting with /app_. Because this setting is new to ASP.NET 2.0, it will only affect all ASP.NET 2.
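The following added Python sketch (my illustration, not the filter's actual code) shows why the filter normalizes the URL before comparing it against the reserved names: the two Registry switches from the table map to the two boolean parameters, the normalization routine is an assumed stand-in for what IIS does, and the sample paths are constructed.

```python
import posixpath
from urllib.parse import unquote

# The reserved names the text describes: the /bin segment and any directory
# whose name starts with app_ (App_Data, App_Code, and so on). The two
# Registry switches from the table turn off each class of blocking.
RESERVED_BIN = "bin"
RESERVED_PREFIX = "app_"


def normalize_path(raw_path: str) -> str:
    """Illustrative stand-in for the normalization the filter asks IIS for:
    percent-decode, treat '\\' as '/', resolve '.' and '..' segments and fold
    case, so the comparison always runs on one canonical form (assumption)."""
    path = unquote(raw_path).replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()


def is_request_blocked(raw_path: str, stop_bin_filtering: bool = False,
                       stop_protected_directory_filtering: bool = False) -> bool:
    """True if the filter would refuse to serve this path to a browser user."""
    segments = [s for s in normalize_path(raw_path).split("/") if s]
    for seg in segments:
        if seg == RESERVED_BIN and not stop_bin_filtering:
            return True
        if seg.startswith(RESERVED_PREFIX) and not stop_protected_directory_filtering:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample paths: the last two only match after normalization,
    # which is the reason the filter normalizes before it compares.
    for p in ["/default.aspx", "/App_Data/site.mdf", "/bin/MyApp.dll",
              "/images/../bin/MyApp.dll", "/%41pp_Code/Helper.cs"]:
        print(f"{p:28} blocked={is_request_blocked(p)}")
```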
Figure 1-3

Right-clicking the computer node and selecting Properties pulls up a dialog box that allows you to configure MIME types. Click the MIME Types button to access the MIME Types dialog box, where you can click the New button to add a new MIME type. For this example, the .xyz file extension was added as being a text type. You need to run iisreset for the changes to take effect. When the web server is running again, a request for http://localhost/foo.
You can see the list of ISAPI extensions that are mapped to a website with the following steps:

1. Right-click the application's icon in the IIS6 MMC.
2. Select Properties.
3. In the Directory tab of the dialog box that pops up, click the Configuration button.
4. In the Mappings tab of the dialog box that pops up, a list box shows all application extensions currently mapped for the web application.

In Figure 1-4, the current application has mapped the .
When IIS receives a request for a file, if the file extension for that request is mapped to an ISAPI extension, IIS routes the request to the mapped ISAPI extension instead of consulting the list of MIME types and serving the file as static content. In the case of the .aspx file extension, the request is routed to aspnet_isapi.dll, which contains the code that bootstraps the ASP.NET runtime and allows ASP.NET pages to run.
Figure 1-5

Aside from causing premature gray hair for developers and administrators wondering why a perfectly good ASP.NET application is dead in the water, the ISAPI extension lockdown capability does serve two useful purposes:

❑ If the web server is not intended to ever serve dynamic ASP.NET content, disabling ISAPI extensions is an easy and effective way to lock down the server.
❑ With the release of ASP.NET 2.0, you can use this feature to disable the ASP.NET 1.
With IIS6, it is now possible to set up rules (also known as wildcard application mappings) that route all HTTP requests to one or more ISAPI extensions. The set of wildcard application mappings can be prioritized, so it is possible to have a chain of wildcard mappings. IIS6 also includes a new API for ISAPI extensions to route a request out of an extension and back to IIS6. The net result is that with IIS6 and ASP.NET 2.
Starting Up an Application Domain

All managed code in the .NET Framework needs to run within an application domain. Before ASP.NET can start the HTTP pipeline and run a page, the ISAPI extension must ensure that an application domain has been instantiated and initialized. In ASP.NET, each application, as configured in the IIS MMC, maps to a separate application domain in the managed world.
Establishing Identity

Prior to the ISAPI extension performing any other initialization work, it ensures that the correct security identity is established. The identity used for initialization is one of the following:

1. If the application is running from a local disk, and there is no tag with an application impersonation identity, then the identity of the worker process is used. Under IIS6 this would be NT AUTHORITY\NETWORK SERVICE.
beyond just page classes. For example, ASP.NET 2.0 dynamically generates a class definition based on the configuration element and then compiles the resulting class definition. For all these types of activities, ASP.NET needs a default location for generated code as well as the compiled results of the auto-generated code. By default, during application domain initialization, ASP.
be discussed in more detail. However, trust levels are introduced at this point of the discussion because application domain initialization is where ASP.NET loads and applies the appropriate trust level information. After you understand how ASP.NET trust levels work, the knowledge that an ASP.
administrator is guaranteed that a malicious configuration section handler cannot make calls into Win32 APIs that attempt to reformat the hard drive (granted this is an extreme example, but you get the idea). In Chapter 4, "Configuration System Security," the effects of ASP.NET trust levels on configuration will be discussed in more detail.

Establishing Assembly Locations

With the application domain policy set, ASP.NET performs some housekeeping that allows the .
The actual logic for generating and confirming the existence of the auto-generated machine key has changed over various versions of ASP.NET and with the different process models for hosting ASP.NET inside of IIS. Originally, when only Windows 2000 was available, the ASP.NET ISAPI extension would always run as SYSTEM because in IIS5 (and for that matter IIS 5.1), ISAPI filters and extensions always ran with the security credentials of the inetinfo.exe process. As a result, for IIS 5 and IIS 5.
Figure 1-7

Although NETWORK SERVICE can store and retrieve the auto-generated machine key inside of the HKEY_USERS (HKU) area of the Registry, this technique will not work for local or domain accounts because accessing HKU requires that a user profile be loaded. Loading a user profile includes loading the portion of the Registry hive that is unique to a specific user. However, with IIS6 and ASP.
Running aspnet_regiis with the -ga switch ensures that the ACLs for a variety of ASP.NET directories (remember the Temporary ASP.NET Files directory discussed earlier?) as well as ACLs in the IIS metabase are configured properly to grant access to the desired user account. Another side effect of using the -ga switch, though, is that ASP.NET will create an AutoGenKeys Registry key at the following Registry location: HKLM\SOFTWARE\Microsoft\ASP.NET\2.0.50727.
Assuming aspnet_regiis -ga has been used, when the ISAPI extension is initializing the application domain and is running as either a local or domain account, it will use neither LSA nor HKU and will instead create and access the auto-generated machine key information underneath:

HKLM\SOFTWARE\Microsoft\ASP.NET\2.0.50727.0\AutoGenKeys\SID

From all of this discussion, it should also be a bit clearer why using an auto-generated machine key in a web farm doesn't work.
❑ A check is made to see if App_Offline.htm exists in the root of the website. If it does exist, requests are not served by the website.
❑ The internal thread pools used by ASP.NET are set up based upon either the settings in configuration or using a heuristic if auto-configuration of thread settings was selected.
❑ Diagnostic and health-related features are initialized. For example, ASP.
The Origins of App_Offline.htm

If you are wondering where the idea for App_Offline.htm originated, the idea was actually developed to handle a problem having nothing to do with security or website operations. SQL Server 2005 Express ships with the various versions of Visual Studio and includes a special mode of operation called user instancing. A side effect of user instancing is that SQL Server will hold a lock on your MDF database files while an ASP.
For example, one question that arises when running global.asax is what happens if client impersonation is in effect? To help frame this security problem, first a few terms should be discussed because using the shorthand for security contexts in ASP.NET is a lot faster than always calling out the element and its settings.
day and the first person in afterwards had lower network privileges, then code inside of Application_Start would mysteriously fail. Limiting the security decision to one of process, application impersonation, or UNC identity guarantees stable security credentials each and every time the application starts up. To highlight this behavior, use a simple ASP.
Configured Impersonation    Extra Security Configuration
None or Client              Because application initialization runs as the configured UNC identity, the UNC identity requires Modify access to the Temporary ASP.NET Files directory. However, it is also highly recommended that you configure the UNC identity with aspnet_regiis -ga.
After the application domain is up and running, ASP.NET performs a few last steps for the very first request that is made to an application. If you choose to run ASP.NET using local or domain accounts, make sure to run the aspnet_regiis utility with the -ga switch. Doing so will ensure that the necessary security rights have been granted and other setup tasks performed for these accounts to work properly. Throughout all of the ASP.