Recipe 12.12. Configuring Web Site QoS Settings

Problem

You want to tune IIS performance by configuring quality of service (QoS) settings.

Solution

Using a graphical user interface

To limit the number of simultaneous incoming HTTP connections for a web site, do the following:

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, expand the console tree to display your web site, right-click on the site, and select Properties.

  3. Select the Performance tab.

  4. Change the Web site connections setting from its default value of Unlimited to a value you specify.

  5. Click OK.

To configure the connection timeout value for a web site, do the following:

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, expand the console tree to display your web site, right-click on the site, and select Properties.

  3. Select the Web Site tab.

  4. Make sure that Enable HTTP Keep-Alives is selected (which is the default).

  5. Change the value of Connection timeout as desired.

  6. Click OK.

To control the amount of network bandwidth used by a web site, do the following:

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, expand the console tree to display your web site, right-click on the site, and select Properties.

  3. Select the Performance tab.

  4. Select the checkbox labeled Limit the total network bandwidth available to this web site.

  5. Specify the maximum desired bandwidth allowed in kilobytes per second.

  6. Click OK.

Using a command-line interface

The following command helps prevent attackers from consuming resources by unnecessarily keeping connections open on your IIS computer:

> cscript %systemdrive%\inetpub\adminscripts\adsutil.vbs SET W3SVC/MinFileBytesPerSec 500

Using VBScript
' This code sets various QoS settings
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ServerName>"
' ------ END CONFIGURATION ---------

' Bind to the WWW service; values set here apply at the service level
set objWS = GetObject("IIS://" & strComputer & "/W3SVC")
objWS.Put "ConnectionTimeout", 120     ' seconds
objWS.Put "HeaderWaitTimeout", 2       ' seconds
objWS.Put "MinFileBytesPerSec", 240    ' bytes per second
objWS.Put "AllowKeepAlive", True
objWS.Put "MaxBandwidth", &HFFFFFFFF             ' &HFFFFFFFF = no limit
objWS.Put "MaxEndpointConnections", &HFFFFFFFF   ' &HFFFFFFFF = no limit
objWS.SetInfo                          ' commit the changes to the metabase
WScript.Echo "QoS settings configured for web site: " & objWS.ServerComment

Discussion

The main use for limiting connections is to deal with denial of service (DoS) attacks designed to overload your computer with bogus connection attempts. If the Web site connections setting is left as Unlimited, IIS tries to handle every incoming request, even if doing so overloads the server to the point where connections are refused. However, if a connection limit is specified and this limit is reached, an "HTTP 403.9 Forbidden: Too many users" error message is returned. You can also configure a connection limit globally for all web sites using the properties of the Web Sites node.

The main purpose of connection timeouts is to enable IIS to reclaim TCP resources from idle clients so other users can connect. Setting this value too high may result in fewer clients being able to connect, while a setting that is too low may result in disconnected client sessions. You can also configure this setting globally for all web sites using the properties of the Web Sites node.

The main use for bandwidth throttling is to ensure a web site has sufficient bandwidth for users to access it. This is particularly useful on a computer hosting multiple web sites. You can also configure this setting using the properties of the Web Sites node, but in this case (unlike the other QoS settings), only web sites that do not have bandwidth throttling enabled are affected by this global setting. In other words, global bandwidth throttling does not override bandwidth throttling configured at the site level.

By default, IIS drops any connection whose throughput rate falls below 240 bytes per second. Attackers exploit this by opening TCP connections with your computer and sending data at rates slightly higher than 240 bytes per second, so setting the MinFileBytesPerSec metabase property to 500 or higher may help foil such attacks. Before changing this setting in a production environment, test how it affects your web applications from a user's point of view.
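To check where a server stands against the points in this discussion, the following read-only script reports the QoS values for the service and for each web site and warns about the two conditions discussed above. It is an added example, not code from the book; the 500-byte target comes from the paragraph above, and the handling of the "no limit" value is an assumption noted in the comments.

```vbscript
' Added example: read-only audit of the QoS settings covered in this recipe.
Option Explicit

Const MIN_RATE_TARGET = 500   ' MinFileBytesPerSec value suggested in the Discussion
Dim strComputer, objWS, objSite, intWarnings
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ServerName>"
' ------ END CONFIGURATION ---------
intWarnings = 0

Set objWS = GetObject("IIS://" & strComputer & "/W3SVC")

' Service-wide minimum throughput (bytes per second)
WScript.Echo "W3SVC MinFileBytesPerSec: " & objWS.MinFileBytesPerSec
If objWS.MinFileBytesPerSec < MIN_RATE_TARGET Then
    Warn "MinFileBytesPerSec is below " & MIN_RATE_TARGET
End If

' Per-site settings; Get returns the effective (possibly inherited) value
For Each objSite In objWS
    If objSite.Class = "IIsWebServer" Then
        WScript.Echo "Site " & objSite.Name & " (" & objSite.ServerComment & ")"
        WScript.Echo "  MaxConnections:    " & Describe(objSite.MaxConnections)
        WScript.Echo "  MaxBandwidth:      " & Describe(objSite.MaxBandwidth)
        WScript.Echo "  ConnectionTimeout: " & objSite.ConnectionTimeout & " seconds"
        WScript.Echo "  AllowKeepAlive:    " & objSite.AllowKeepAlive
        If IsUnlimited(objSite.MaxConnections) Then
            Warn "site " & objSite.Name & " has no connection limit"
        End If
    End If
Next

WScript.Echo intWarnings & " warning(s)"
WScript.Quit intWarnings      ' exit code = number of warnings, for scheduled checks

' &HFFFFFFFF is the "no limit" value the recipe's script writes. Assumption: ADSI
' may hand it back as signed -1 or unsigned 4294967295, so both are accepted.
Function IsUnlimited(varValue)
    IsUnlimited = (varValue = &HFFFFFFFF) Or (varValue = 4294967295)
End Function

Function Describe(varValue)
    If IsUnlimited(varValue) Then Describe = "unlimited" Else Describe = CStr(varValue)
End Function

Sub Warn(strMessage)
    intWarnings = intWarnings + 1
    WScript.Echo "  WARNING: " & strMessage
End Sub
```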

See Also

MS KB 332087 (QoS Is Not Installed When Bandwidth Throttling Is Enabled Directly in the IIS Metabase), MS KB 314402 (PRB: Slow Clients Disconnected When Server Uses Large Synchronous Write Methods), MS KB 238210 (HTTP Keep-Alive header sent whenever ASP Buffering is enabled), and MS KB 817439 (IIS 6.0 changes to the metabase property ConnectionTimeout affect other settings in IIS)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
