
Disaster Recovery and IIS 6.0: Metabase Backups in a Nutshell
Chris Adams
Web Platform Supportability Lead
Microsoft Corporation
Agenda
Part I: Disaster Recovery and IIS
  - What constitutes a disaster?
  - Data points to consider if a disaster occurs
Part II: Tools & Implementing Disaster Recovery
  - Configuration: capturing backups
      - Effectively backing up operating system data
      - Backing up IIS with native IIS tools
      - Using XCopy and other tools to back up web content
  - Summary
Part I: Disaster Recovery and IIS
What constitutes a disaster?
Hardware failures
  - Loss of hard disk(s) or arrays
  - A lost boot partition means loss of critical data: the metabase, the machine keys and the certificate store all live there
Best practice:
  - Always have system state backups current and available
    Creating System State Backups in Windows 2000/2003:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;315412
  - Use RAID 5 for redundancy, preferably with hot-swappable disks
  - Store web content on a separate partition or remotely
Part I: Disaster Recovery and IIS
What constitutes a disaster?
Operating system crashes
  - Key data is lost that a subsequent clean install of the OS and IIS does not recreate
  - Disasters impose large overhead to re-establish services
  - Labor requirements: very high if not well planned
Best practice:
  - Always have system state backups current and available
    Creating System State Backups in Windows 2003:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;315412
  - Store content on partitions separate from the boot partition (the partition where %windir% exists)
  - Store log files on partitions separate from both the boot partition and the content partitions
Part I: Disaster Recovery and IIS
Key data points
Operating system
  - Machine keys
  - Certificates (and the stores that hold them)
  - Users and/or groups
  - Bindings (optional)
IIS metadata
  - IIS schema (MBSchema.xml)
  - IIS metabase (MetaBase.xml)
Application content
  - Web-specific content, static and dynamic
Part I: Disaster Recovery and IIS
Understanding data points and IIS
Operating system: machine keys
  - Unique to each Windows 2003 installation
  - Cannot be duplicated or copied to a new installation
  - IIS uses the machine keys to encrypt every "secure" property (passwords, for example) in the IIS metadata
  - Consequence: a metabase backup taken without a password is tied to the machine keys that made it and can only be restored to the same installation; use a password-protected backup whenever the restore target may be a different machine
Part I: Disaster Recovery and IIS
Understanding data points and IIS
Operating system: certificates
  - Only pertinent to installations that use Secure Sockets Layer (SSL)
  - Certificates are stored within the operating system (the local machine certificate store), not in the metabase; the metabase only references them
  - IIS natively offers no built-in mechanism to back up or restore certificates
  - Certificate types: this disaster scenario is only concerned with server certificates (not client certificates)
Part I: Disaster Recovery and IIS
Understanding data points and IIS
Operating system: users and/or groups
  - Key user: IUSR_Machinename (the anonymous account)
  - Key group: IIS_WPG (the worker process group)
      - Who is a member, and where do the members exist (local or domain accounts)?
  - Web application-specific users/groups
  - FrontPage users
Part I: Disaster Recovery and IIS
Understanding data points and IIS
Operating system: bindings
  - Only a concern in large environments where hundreds or thousands of web sites and bindings exist
  - Unique listen lists in HTTP.sys would require large amounts of labor to recreate if not planned strategically
  - Bindings are stored in the HTTP.sys configuration, which resides in the registry (and is therefore captured by a system state backup)
  - Purpose: cause web site bindings to listen on specific IP addresses rather than on all addresses
  - Further details:
    http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032240563&Culture=en-US
Part I: Disaster Recovery and IIS
Understanding data points and IIS
IIS metadata: schema
  - The schema is very important, but it is rarely unique to an installation, hence not typically a pain point
  - The schema needs backing up only if it has been extended
IIS metadata: metabase
  - Stores key data, very key data, specific to your installation of IIS
  - All web site and application configuration data is stored in this single entity
  - Often the missing link in disaster scenarios, because stale or out-dated backups are all that remain
  - The History feature of IIS 6.0 is not a backup but a running log of changes; this is widely misunderstood. History files sit beside the live metabase on the boot partition, so they are lost together with it
  - Backups of the metabase are complete file backups, including the configuration of every service that uses it (WWW, FTP, SMTP, NNTP)
Part I: Disaster Recovery and IIS
Understanding data points and IIS
Web & application content
  - Filters
      - ISAPI filters are key to many applications; if the filter files are corrupt or missing, the IIS worker processes fail to start
  - Static content
      - HTML, images, CSS and .js files
  - Dynamic content
      - ISAPI-based applications: extensions can be treated as files and simply backed up (.dll, .com, etc.)
      - ASP content: its COM+ dependencies must be backed up as well (see the Component Services tools in Part II)
      - CGI-based applications are .exe files and need no special treatment beyond being included in the normal backup
Demonstration One: Finding Key Data Points
The goal is to demonstrate how to locate the important data and scope the task of successfully backing up the pertinent data.
Part II: Tools
With respect to anything, knowing what tools are available and how to use them is the key.
Breaking down the data points into tools:
  - OS-related tools: System State Backups; Certificates MMC & IIsCertDeploy
  - IIS metadata: IIsBack
  - Web & application content: Xcopy; Component Services & comrepl.exe
Part II: Tools & Implementing Disaster Recovery
Operating system tools
  - System State Backups (Windows Backup)
      - Captures the SAM database (users)
      - Captures the registry (bindings)
  - IISCertDeploy for certificate backups
IIS metadata
  - IIS Manager (graphical) & command-line tools: IIsBack.vbs / IIsCnfg.vbs
Web & application content
  - Windows Backup
  - Component Services MMC
Part II: Tools
Operating system tools (cont.)
System State Backups
  System State components:
    - Boot files
    - Registry (including COM+ settings)
    - SysVol (not needed for IIS)
    - Active Directory NTDS.DIT (only on domain controllers)
    - Certificate Services database (only on machines running a Certification Authority; this is not the server certificate store)
    - IIS metabase (when IIS is installed; restorable only to the same machine, since the secure properties stay encrypted under that machine's keys)
  Key piece for IIS: the registry (bindings)
Part II: Tools
Operating system tools (cont.)
User and group accounts
  - These are tricky because each account's SID is built from the machine SID plus a unique RID, so a rebuilt machine's IUSR_Machinename is a different principal even when the name matches
  - Most effective way to correct the anonymous user account: export the metabase to an XML file (IIsCnfg.vbs /export), edit it directly so that every AnonymousUserName reflects the new anonymous account, then import it; the anonymous password must be set afresh on the new machine, because the stored one belonged to the old account
  - IIS_WPG should resolve easily on the new machine because the group name is universal, although the group does not have a well-known SID
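The two metabase tasks described above, scoping the data points to back up (Demonstration One) and rewriting the anonymous account name for a rebuilt machine, can both be driven from an XML export of the metabase. The script below is an added example, not code from the deck or from the IIS 6.0 Resource Kit. It assumes the export was made with IIsCnfg.vbs (iiscnfg /export with the /d switch, so secure properties are decrypted) and works on a constructed, deliberately small sample metabase; the hashes and passwords in it are placeholders, and the adsutil.vbs follow-up in the comment is the usual way to reset the anonymous password after import.

```python
"""Scope an IIS 6.0 restore from an exported metabase (added example).

inventory() lists what a backup of this server must include: SSL-enabled sites
(each needs an IIsCertDeploy export), virtual directory paths (content to xcopy),
ISAPI filter binaries and the anonymous accounts in use.
rename_anonymous_user() rewrites AnonymousUserName for a rebuilt machine.
"""
import xml.etree.ElementTree as ET

METABASE_NS = "urn:microsoft-catalog:XML_Metabase_V64_0"

# Constructed sample export; SSLCertHash and AnonymousUserPass values are placeholders.
SAMPLE_METABASE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_OLDSERVER" AnonymousUserPass="0123abcd" />
<IIsFilter Location="/LM/W3SVC/Filters/gzip" FilterPath="%windir%\system32\inetsrv\gzip.dll" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" ServerBindings=":80:" SecureBindings=":443:" SSLCertHash="ff00ff00" SSLStoreName="MY" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\inetpub\wwwroot" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet" ServerBindings=":8080:" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" Path="d:\WEB\intranet" AnonymousUserName="IUSR_OLDSERVER" AnonymousUserPass="4567ef01" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT/api" Path="d:\WEB\api" AnonymousUserName="svc_api" AnonymousUserPass="89abcdef" />
</MBProperty>
</configuration>
"""


def _local(tag):
    """Strip the XML namespace: "{ns}IIsWebServer" -> "IIsWebServer"."""
    return tag.rsplit("}", 1)[-1]


def inventory(xml_text):
    """Walk the export and collect the data points a backup of this server must cover."""
    root = ET.fromstring(xml_text)
    found = {"ssl_sites": [], "content_paths": [], "filters": [], "anonymous_users": set(), "sites": []}
    for el in root.iter():
        loc = el.get("Location", "")
        tag = _local(el.tag)
        if tag == "IIsWebServer":
            needs_cert = bool(el.get("SecureBindings") or el.get("SSLCertHash"))
            found["sites"].append((loc, el.get("ServerComment", ""), needs_cert))
            if needs_cert:
                # IIsCertDeploy names the site as "w3svc/<id>", i.e. Location without "/LM/"
                found["ssl_sites"].append(loc[len("/LM/"):].lower())
        elif tag == "IIsWebVirtualDir" and el.get("Path"):
            found["content_paths"].append(el.get("Path"))
        elif tag == "IIsFilter" and el.get("FilterPath"):
            found["filters"].append(el.get("FilterPath"))
        if el.get("AnonymousUserName"):
            found["anonymous_users"].add(el.get("AnonymousUserName"))
    return found


def rename_anonymous_user(xml_text, old_name, new_name):
    """Rewrite every AnonymousUserName equal to old_name; return (new_xml, changed_locations).

    The AnonymousUserPass stored beside each name belonged to the old account, so after
    importing the edited file set it again on the new machine, e.g.
    cscript adsutil.vbs SET W3SVC/AnonymousUserPass <password of the new account>
    """
    ET.register_namespace("", METABASE_NS)  # keep the default namespace; no ns0: prefixes
    root = ET.fromstring(xml_text)
    changed = []
    for el in root.iter():
        if el.get("AnonymousUserName") == old_name:
            el.set("AnonymousUserName", new_name)
            changed.append(el.get("Location", "?"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    inv = inventory(SAMPLE_METABASE)
    for site in inv["ssl_sites"]:
        print(f"export certificate: iiscertdeploy.vbs -e {site.replace('/', '_')}.pfx -i {site} -p <pfxpassword>")
    for path in inv["content_paths"]:
        print(f"back up content:    xcopy /o /x /e /h /y /c {path} <backup share>")
    for flt in inv["filters"]:
        print(f"back up filter:     {flt}")
    new_xml, changed = rename_anonymous_user(SAMPLE_METABASE, "IUSR_OLDSERVER", "IUSR_NEWSERVER")
    print(f"anonymous user renamed at {len(changed)} locations: {changed}")
```

Run it against a real export and the printed lines become the per-site IIsCertDeploy and xcopy commands for the backup script; the "svc_api" account in the sample is left alone on purpose, since only the machine-local IUSR account changes identity when the server is rebuilt.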
Part II: Tools
Operating system tools
Backing up SSL certificates
  - To back up certificates effectively, do not rely on the System State backup
  - Use the Certificates MMC if the IIS and SSL footprint is small
  - The IIS 6.0 Resource Kit utility IIsCertDeploy.vbs is designed to back up (export) and restore (import) certificates
  - IIsCertDeploy.vbs uses the programmatic interfaces of the certificate store to access it
  - Process (for each certificate):
      - Export the certificate, with its private key, to a PFX file
      - Import the certificate into the appropriate store (and bind it to the site) upon disaster
  - Treat the PFX files and their passwords as secrets: they contain the private keys, so keep them off the web server with restricted ACLs
Part II: Tools
Using IIsCertDeploy
IIsCertDeploy syntax and usage
Exporting a certificate (-i is the metabase path of the site; # is the site ID):
  cscript IISCertDeploy.vbs -e cert.pfx -i w3svc/# -p pfxpassword
Importing a certificate (here onto site 1 of the remote server iisserver1):
  cscript IISCertDeploy.vbs -c cert.pfx -p pfxpassword -i w3svc/1 -s iisserver1 -u Administrator -pwd aal34290
The -pwd value is the administrator password in clear text on the command line; do not leave it behind in scripts or command history.
Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en
Part II: Tools
IIS metadata
IIS Manager
  - Good mechanism for "one off" backups
  - Backups are ALWAYS stored on the boot partition: %windir%\system32\inetsrv\MetaBack
  - IIS 5.0 Internet Services Manager can make backups too, but they are encrypted with the machine keys and cannot be restored to another machine
  - IIS 6.0 backups can be protected with a password: the secure properties are encrypted under that password instead of the machine keys, so the backup is portable to another server (and the password is required to restore it)
  - Backup using IIS Manager: right-click the server node, All Tasks, Backup/Restore Configuration
Part II: Tools
IIS metadata (cont.)
Command-line utility: IIsBack.vbs
  - Can be used locally or remotely against any server in the enterprise
  - Backs up all data: the schema and the metabase are both backed up
  - Backups are ALWAYS stored on the boot partition: %windir%\system32\inetsrv\MetaBack
Part II: Tools
IIS metadata (cont.)
Effective backup strategy
  - Build a batch file that backs up the metabase AND copies the backup to a secure location (a different partition or another server)
  - Make the backup, then copy it to the secure location
BACKUP.BAT (variable expansion and command syntax corrected; %NAME% assumes a MM/DD/YYYY %DATE% format)
  SET SERVER=MyServer
  REM Backup name: YYYYMMDD-server (slashes and spaces from %DATE% are not usable in a backup name)
  SET NAME=%DATE:~-4%%DATE:~-10,2%%DATE:~-7,2%-%SERVER%
  REM /e encrypts the secure properties under PASSWORD so the backup can be restored on another machine
  cscript %windir%\system32\iisback.vbs /backup /b %NAME% /e PASSWORD
  REM IIsBack always writes NAME.MDx and NAME.SCx to MetaBack on the boot partition; copy them off the box
  xcopy "%windir%\system32\inetsrv\MetaBack\%NAME%.*" "\\mybackupserver\share$\%SERVER%\" /y
From the IIS 6.0 Resource Guide
<insert URL>
Part II: Tools
Web & application content
Windows Backup
  - This is the standard backup procedure for Windows systems
  - All Programs > Accessories > System Tools > Backup
Part II: Tools
Web & application content
Using XCopy for web content backups
  - Often used in web farms where applications such as Application Center 2000 are not available
  - XCopy can be added to simple batch files such as backup.bat to automate IIS metadata & web content backups
  - Good for static content such as .htm, images, .css and .js files
BACKUP.BAT (content section)
  REM /o copies ownership and ACLs, /x copies audit settings, /e includes empty subdirectories,
  REM /h includes hidden and system files, /y overwrites without prompting, /c continues on errors.
  REM /o and /x need a destination on NTFS and an account allowed to set security on it.
  xcopy /o /x /e /h /y /c c:\WEB "\\mybackupserver\share$\%SERVER%\"
Part II: Tools
Web & application content
  - If using Active Server Pages, it might be necessary to back up any pertinent COM+ applications
Backing up COM+ applications
  - Use the Component Services MMC (right-click the application, Export) or comrepl.exe
  - The COM+ Export Wizard produces an .msi package that can be installed on the recovery server
Implementation
Scripting your backups! (straight from the IIS 6.0 Resource Kit; variable expansion and command syntax corrected)
REM Enterprise Contoso Backup Script
SET SERVER=MyServer
REM Backup name: YYYYMMDD-server, assuming a MM/DD/YYYY %DATE% format
SET NAME=%DATE:~-4%%DATE:~-10,2%%DATE:~-7,2%-%SERVER%
REM Get SSL certificates (one line per SSL-enabled site; w3svc/1 is the Default Web Site)
cscript iiscertdeploy.vbs -e %NAME%-w3svc1.pfx -i w3svc/1 -p pfxpassword
REM Get IIS metadata, password-protected so it can be restored on another machine
cscript %windir%\system32\iisback.vbs /backup /b %NAME% /e PASSWORD
xcopy "%windir%\system32\inetsrv\MetaBack\%NAME%.*" "\\mybackupserver\share$\%SERVER%\" /y
xcopy %NAME%-*.pfx "\\mybackupserver\share$\%SERVER%\" /y
REM Get web content, preserving ownership and ACLs
xcopy /o /x /e /h /y /c c:\WEB "\\mybackupserver\share$\%SERVER%\"
REM The PFX files hold private keys and the script holds two passwords: restrict the share and the script itself
Demonstration Two: Disaster Recovery in Action
The goal of this demo is to put it all together and show how we pull together all the pertinent data and centralize it on a backup server.
Summary: Making disasters "work for you"
  - Define disaster scenarios before they occur
  - Do not depend solely on offline backups
  - Plan and understand backup scenarios:
      - What is in your environment
      - Capture the key data points
      - Execute a backup strategy that captures this key data
  - Sit back... sleep well... be happy!
References and Resources
IIS 6.0 Help: Backing up the Metabase
  http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/gs_backupmetabase.mspx
How to Back Up SSL Certificates
  http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/gs_getcert.mspx
HOW TO: Use Windows Backup and Recovery Tools to Make a Data Backup of Internet Information Services
  http://support.microsoft.com/view/tn.asp?kb=301420
IIS 6.0 Resource Kit:
  http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/gs_backupmetabase.mspx
Q&A