Recipe 12.12. Configuring Web Site QoS Settings

Problem

You want to tune IIS performance by configuring quality of service (QoS) settings.

Solution

Using a graphical user interface

To limit the number of simultaneous incoming HTTP connections for a web site, do the following:

To configure the connection timeout value for a web site, do the following:

To control the amount of network bandwidth used by a web site, do the following:
Using a command-line interface

The following command helps prevent attackers from consuming resources by unnecessarily keeping connections open on your IIS computer:

    > cscript %systemdrive%\inetpub\adminscripts\adsutil.vbs SET W3SVC/MinFileBytesPerSec 500

Using VBScript

    ' This code sets various QoS settings at the W3SVC (service) level;
    ' sites that do not override a property inherit the value set here.
    ' ------ SCRIPT CONFIGURATION ------
    strComputer = "<ServerName>"   ' e.g. "localhost" or the IIS server's name
    ' ------ END CONFIGURATION ---------
    Set objWS = GetObject("IIS://" & strComputer & "/W3SVC")
    objWS.Put "ConnectionTimeout", 120        ' seconds an idle connection is kept before IIS closes it
    objWS.Put "HeaderWaitTimeout", 2          ' seconds a client has to finish sending its request headers
    objWS.Put "MinFileBytesPerSec", 240       ' drop connections whose throughput falls below this rate (240 is the default)
    objWS.Put "AllowKeepAlive", True          ' allow HTTP keep-alive (persistent) connections
    objWS.Put "MaxBandwidth", &HFFFFFFFF      ' &HFFFFFFFF (-1) means no bandwidth throttling
    objWS.Put "MaxEndpointConnections", &HFFFFFFFF   ' -1 means unlimited connections per endpoint
    objWS.SetInfo                             ' write the changes to the metabase
    WScript.Echo "QoS settings configured for web site: " & objWS.ServerComment

Discussion

The main use for limiting connections is to deal with denial of service (DoS) attacks designed to overload your computer with bogus connection attempts. If the web site connections setting is left as Unlimited, IIS tries to handle all incoming requests, even if the server becomes overloaded to the point where connections are refused. If a connection limit is specified and this limit is reached, an "HTTP 403.9 Forbidden: Too many users" error message is returned instead. You can also configure a connection limit globally for all web sites using the properties of the Web Sites node.

The main purpose of connection timeouts is to enable IIS to reclaim TCP resources from idle clients so that other users can connect. Setting this value too high may result in fewer clients being able to connect, while a setting that is too low may result in disconnected client sessions. You can also configure this setting globally for all web sites using the properties of the Web Sites node.

The main use for bandwidth throttling is to ensure a web site has sufficient bandwidth for users to access it. This is particularly useful on a computer hosting multiple web sites.
You can also configure this setting using the properties of the Web Sites node, but in this case (unlike the other QoS settings), only web sites that do not have bandwidth throttling enabled are affected by this global setting. In other words, global bandwidth throttling does not override bandwidth throttling configured at the site level.

By default, IIS drops any connection if its throughput rate falls below 240 bytes per second. Attackers exploit this by opening TCP connections with your computer and sending data at rates slightly higher than 240 bytes per second, so setting the MinFileBytesPerSec metabase property to 500 or higher may help foil such attacks. Before changing this setting in a production environment, test how it affects your web applications from a user's point of view.

See Also

MS KB 332087 (QoS Is Not Installed When Bandwidth Throttling Is Enabled Directly in the IIS Metabase)
MS KB 314402 (PRB: Slow Clients Disconnected When Server Uses Large Synchronous Write Methods)
MS KB 238210 (HTTP Keep-Alive header sent whenever ASP Buffering is enabled)
MS KB 817439 (IIS 6.0 changes to the metabase property ConnectionTimeout affect other settings in IIS)
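The recipe advises testing the effect of a higher MinFileBytesPerSec before applying it in production. The following added example (not part of the original recipe) estimates that effect from the site's W3C extended log: it flags responses whose delivery rate fell below a candidate threshold, groups sustained slow clients, and counts 403.9 rejections from a connection limit. It assumes the sc-bytes and time-taken fields are enabled in extended logging; the log lines are constructed.

```python
from collections import Counter

# Constructed W3C extended log sample (not from the original page).
# IIS logs time-taken in milliseconds and sc-bytes as the bytes sent.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus sc-bytes time-taken
2005-03-01 00:00:01 192.0.2.10 GET /index.htm 200 0 12000 150
2005-03-01 00:00:02 192.0.2.20 GET /report.pdf 200 0 4096 12000
2005-03-01 00:00:03 192.0.2.30 GET /index.htm 403 9 0 5
2005-03-01 00:00:04 192.0.2.40 GET /large.zip 200 0 2000000 5000
2005-03-01 00:00:05 192.0.2.20 GET /report.pdf 200 0 300 1000
"""

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records

def throughput(rec):
    """Bytes per second for one logged response (time-taken is in ms)."""
    sent = int(rec["sc-bytes"])
    ms = int(rec["time-taken"])
    return float("inf") if ms == 0 else sent * 1000.0 / ms

def slow_responses(records, min_bytes_per_sec):
    """Successful responses that would have breached the candidate threshold."""
    return [r for r in records
            if r["sc-status"] == "200" and throughput(r) < min_bytes_per_sec]

def slow_clients(records, min_bytes_per_sec, min_hits):
    """Client addresses with at least min_hits slow responses (sustained slow rate)."""
    hits = Counter(r["c-ip"] for r in slow_responses(records, min_bytes_per_sec))
    return {ip: n for ip, n in hits.items() if n >= min_hits}

def count_too_many_users(records):
    """Requests rejected with HTTP 403.9 after the connection limit was reached."""
    return sum(1 for r in records
               if r["sc-status"] == "403" and r["sc-substatus"] == "9")
```

A large share of slow responses from ordinary clients means the threshold would disconnect legitimate users (for example on slow links), while a few addresses with many slow responses is the pattern the recipe describes.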