Configuring Application Isolation using Windows Server 2003 and IIS 6.

0 Page 1 of 22

Microsoft.com Home | Site Map

Search Microsoft.com for:

Go

Search for
TechNet Home > Windows Server TechCenter > Internet Information Services > Internet Information Services

TechNet Go Configuring Application Isolation on Windows Server 2003 and

Windows Server
Internet Information Services (IIS) 6.0
TechCenter Published: April 1, 2003
Technical Library
Downloads
On This Page
Events & Errors
Introduction
Script Center
Virtual Lab Using Isolation for Increased Reliability

Webcasts Using Isolation to Secure Applications

International TechCenters Using Isolation to Improve Performance
Windows Server R2 Considerations
Release Candidate
Summary
Additional Resources
Appendix
TechNet Home
Related Links
Product Support
Community
MSDN Developer Center Introduction
Windows 2000 Server This paper discusses the general topic of application isolation as it relates to Web applications run on W
Server 2003 servers with IIS 6.0 running in worker process isolation mode. Isolation refers to the degre
Windows Server System
separation between two Web applications running on a server. In this paper, the notion of a Web applic
meant in a very broad sense; it includes the processes, files, and even users, serviced by the applicatio
Applications are isolated from each other to the degree that one application is prevented from accessing
resources used by another application.

Benefits of Isolation
Enterprises are increasingly interested in isolation because of the opportunity to reduce costs through s
consolidation. As the capabilities of hardware increase dramatically over time, fewer servers are require
deliver the same applications. While this decreases the costs of deployment and maintenance, it can cre
logistical difficulties when there is a vested interest in keeping clear boundaries between applications th
consolidated to run on a single server.

In some scenarios, each Line of Business (LOB) for an organization is essentially a separate customer t
group responsible for application infrastructure. For example, an organization that has been acquired m
compete with other parts of the acquiring organization. Consequently, theres a business requirement fo
creating effective barriers between applications serving each LOB and protecting sensitive data.

Another example of a clear need for high isolation is an ISP that hosts Web sites for many clients. One
customer should not be able to view the files or databases in use by other Web sites on the server.

In other cases, a company may offer Web applications and other technical resources to business partne
are in competition with each other. As a result, companies need to offer a high degree of isolation for th
applications in use by their individual customers, partners, or business units using the same server. It i
important, for example, to have the ability to configure one partner's software that accesses a database
that the application could not access another partners database.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 2 of 22

Another benefit of application isolation is that you can design the infrastructure of the applications, serv
network to improve the ability to distribute content and applications. For example, you may want to pu
content on a remote file store so it can be shared by more than one server. Alternately, you may want
each applications content on different file servers, to further isolate each LOB application, but share the
Web server as a front end.

The following sections discuss several approaches to obtaining a high level of isolation.

Physical Isolation

The highest degree of isolation is achieved when applications are hosted on completely different compu
Clearly, this offers the most isolation for applications but is also the most expensive, requiring additiona
hardware and server licenses to support each application. Nevertheless, in mission critical LOB applicati
where information is very sensitive or valuable, this may be the best choice.

Virtual Isolation

You can also create isolated applications using virtual servers. Using software, such as Microsoft VPC or
VMware that allows you to create multiple virtual servers running as tasks on a single operating system
can create several servers that are functionally partitioned. Consequently, the applications can be highl
isolated, yet run on the same hardware. Because virtualized systems do not perform as well as individu
computers, virtual isolation provides high isolation, but at the cost of performance. Another incrementa
software licenses for the virtual systems. In addition to the software licenses needed for the server hos
virtual systems, you must also acquire individual software licenses for the operating system and applica
on each virtual system as if each virtual system were an individual system.

Configured Isolation

Isolation by configuration means taking advantage of natural isolation boundaries, such as processes, s
identities, Access Control Lists (ACLs), and namespaces that occur as a result of running the application
Web server. The degree of isolation achieved through this configured isolation is not as strong as physic
virtual isolation. Nevertheless, configured isolation is often the most reasonable choice to balance resou
usage, simplicity of administration, and to leverage investments in hardware, software, and licensing. N
features in Windows Server 2003 and IIS 6.0 make this option a more reliable, secure, and scalable sol
than previously possible.

Isolation Through Operating System Features

Microsoft Windows Server 2003 has a number of features that support creating isolated environments f
applications. Constrained Delegation and Protocol Transition allow you to pass through a users security
to file servers, regardless of the protocol used to authenticate the user on IIS. Quality of Service (QoS)
improvements include a packet scheduler integrated with IIS that enables an administrator to limit the
of bandwidth available to an application. Windows System Resource Manager (WSRM) is available for u
Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition. WSRM allows
administrator to control exactly how much CPU an application pool can consume when the CPU is under

Isolation Through IIS Configuration

IIS 6.0 was designed with application isolation as a primary component of the architecture. Each Web s
the capacity to host one or multiple applications that can be assigned to run in a named process pool ca
application pool. An application pool is served by one or more worker processes, can be independently
configured for health-related settings, and can be assigned to run in the context of a designated user a

In configuring application isolation, there are several objectives:

• Reliability. If one application fails, it shouldn't affect other applications. Additionally, it should be po
to specify unique recovery actions for different applications.

•
Security. If one application is running malicious code from an attacker (possibly even the application
author), other applications are insulated from the effects of the malicious code, and effective barriers

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 3 of 22

place to keep the attacker from crossing into another applications space.

• Performance. One application that over consumes resources should not affect the availability of oth
applications. On the other hand, applications that require additional resources should be able to alloc
those resources on demand.

By combining the capabilities of IIS 6.0 with those of Windows Server 2003, you can effectively implem
isolation and achieve these designated goals. Additionally, improvements in FTP and Microsoft FrontPag
Server Extensions help enhance isolation and security of these applications.

The rest of this paper will address the capabilities of Microsoft Windows Server 2003 and IIS 6.0 for cre
highly isolated applications that run on a single server. There is no single technique or administrative ta
achieves this goal, but when using combinations of techniques, you can effectively implement applicatio
isolation.

Top of page

Using Isolation for Increased Reliability

One of the core design goals for the IIS 6.0 architecture was to improve the isolation between applicati
while minimizing the performance tradeoffs. This was accomplished by redesigning the IIS architecture
increased reliability, security, and performance. The basics of the new architecture with regard to increa
reliability include the following elements:

• Creating an HTTP request handler, HTTP.sys that runs in the kernel of the operating system. HTTP.sy
the task of listening for HTTP requests and queuing requests to a request queue for the application p
retrieve. It does not load or execute any user-mode application code (such as ASP pages).

• Running Web applications in configurable, multiple, isolated processes called worker processes, whic
under the name W3wp.exe. This is similar to high isolation in IIS 5.0, or running out-of-process, exc
performance is much better because the process exchanges data directly with HTTP.sys rather than b
marshalling data through the IIS 5.0 main Web server process, Inetinfo.exe, as a go-between.

• Adding a new administrative process, WWW Service Administration and Monitoring component, whos
twofold:

• Creates the link between the HTTP request handler and the Web applications.

• Monitors and maintains the health of worker processes.

Improved Isolation with Application Pools

Technically, an application pool is a configuration object defined by a logical process boundary that is u
the HTTP.sys namespace mapper to direct requests to the correct worker process. In practice, this tran
to the rather simple administrative task of using the IIS Manager to create an application pool, such as
Project32-HighlyRestricted, and then assigning the programs contained in Web sites and directories to r
that application pool, or other application pools as you require (see Figure 1).

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 4 of 22

Figure 1: Assigning programs to application pools in IIS

6.0
See full-sized image.

In effect, application pools allow you to combine or isolate applications according to your technical,
administrative, and business requirements.

Using Application Pools to Isolate Customer Applications or Business Units

Application pools create process boundaries between applications from different Web sites or directories
This is ideal for businesses such as ISPs, where each customers applications need to be insulated from
or for the scenario used above where LOB applications need to be isolated from one another. See the S
section of this paper for details about how to use ACLs to enforce application isolation on the file level.

Using Application Pools to Isolate Unreliable Applications

The WWW Service Administration and Monitoring component of IIS provides recycling and health featur
can automatically restart an application pool. These features have been shown to significantly improve
reliability. For example, consider an important application that you cannot afford to have offline, yet
occasionally hangs. By placing this application in its own application pool, you insulate other application
its effects. This increases overall reliability of other applications running on the server. Also, because
application pools are individually monitored and can be configured to be automatically restarted when t
unresponsive, availability for unreliable applications is increased. Troubleshooting such an application is
facilitated because the application can be configured to run in its own process.

Recycling

Recycling criteria can easily be administered through the Application Pools Properties dialog, as shown i
2 below. Recycling can be triggered based on several parameters, such as application uptime, number o
requests, on a scheduled basis, based on memory consumption, or at will.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 5 of 22

Figure 2: Recycling parameters available with IIS 6.0

See full-sized image.

Recycling can enhance application isolation and reliability by:

• Refreshing applications with known degradation problems before they stop responding. In most case
sort, through experience with the application, the IIS administrator knows that the application will ty
run some period before it needs to be restarted.

• Recycling applications that can potentially affect the performance of other applications running on th
server. For example, if an application has a memory leak and consumes too much memory, you can
threshold of memory use that will trigger a recycle event for the application pool.

Impacts of Application Recycling

When an application is recycled, any information stored in the worker process, such as session state, is
optimize the performance and reliability of your applications with IIS 6.0, you'll want to design them to
recycled without losing ongoing transaction data. For example, you can preserve session state details o
process using the ASPState service in Microsoft ASP.NET or store the data in Microsoft SQL Server.

Applications designed for recycling have an initialization time that is optimized to be as small as possibl
Applications that require a long initialization procedure won’t perform well with frequent recycling. You
work around this by scheduling recycling during low usage periods.

Finally, your applications should tolerate running side by side with other instances of the same applicati
can configure recycling to be overlapping or non-overlapping. By default, recycling is configured to be
overlapping: the WWW Service Administration and Monitoring component creates a new worker process
process any new requests for the application before the existing worker process is shut down. The old w
process is kept alive until it has finished processing its existing requests or until a shutdown time-out
eventwhichever occurs first. During this period, both instances of the application will need to share reso
If recycling is configured to non-overlapping, the WWW Service Administration and Monitoring compone
shuts down the worker process before starting a new one. For information about configuring overlappin
non-overlapping recycling, see DisallowOverlappingRotation in the IIS 6.0 Help
(http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs/en-
us/ref_mb_disallowoverlappingrotation.asp).

Health

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 6 of 22

The WWW Service Administration and Monitoring component also maintains the health of applications b
periodically testing an application pool for responsiveness. Not to be confused with the Internet Control
Message Protocol (ICMP) ping command, this feature internally queries the application pool at a configu
interval (every 30 seconds by default) and waits for a response.

If there is no response, the WWW Service Administration and Monitoring component shuts down the wo
process, publishes an event, and starts a new worker process. IIS can also be configured to not destroy
failed worker process. In addition to keeping the failed worker process, you can specify a program to la
when this event occurs to automatically instantiate troubleshooting or reporting tools.

For more information about isolating unhealthy worker processes, see Application Pool Health
(http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs/en-
us/ca_orphwrkrprocess.asp) and OrphanWorkerProcess
(http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs/en-
us/ref_mb_orphanworkerprocess.asp) in the IIS 6.0 Help.

Rapid-Fail Protection

Rapid-fail protection can protect the server from a series of rapid worker process failures in the same
application pool by disabling the application pool. When an application pool is disabled, IIS removes it f
service and places it in a mode where the kernel-mode driver immediately returns a 503 Service Unava
error message to any requests to for that application pool.

The number of failures and the interval in which they must occur are configurable per application pool.
rapid-fail protection is enabled, the Startup time limit and Shutdown time limit settings are used as me
of application pool health (see Figure 3).

Figure 3: Health options available in IIS 6.0

See full-sized image.

A worker process that fails to start up or shut down within the designated time is considered to have fa
counts toward the number of failures required to take the application pool offline. By default, rapid-fail
protection is configured to disable an application pool if five application failures occur in a five-minute p

Functional Use of Application Pools

In some cases, you will find that using an application pool is useful in order to separate applications tha
different technical requirements. For example, you may find it helpful to configure all applications that r

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 7 of 22

a particular COM component into a single application pool, if the COM component is known to be proble
Also, as your applications undergo upgrades and improvements, it can be useful to create separate app
pools for the new versions.

.NET Framework Application Domains

On Windows Server 2003, ASP.NET uses the application request-processing-model in worker process is
and also maps one or more ASP.NET application domains to each worker process. The application doma
within a single worker process can be recycled independently and have private components, session va
and other private resources. This provides an additional layer and better granularity of isolation.

.NET Framework and Side-by-Side Assemblies

Traditionally, when a component or application is updated on a computer, the older version is removed
replaced with the newer version. If the new version is not compatible with the previous version, this us
breaks other applications that use the component or application. The .NET Framework provides support
side-by-side execution, which allows multiple versions of an assembly or application to be installed on t
same computer, at the same time. Since multiple versions can be installed simultaneously, managed
applications can select which version to use without affecting other applications that use a different ver

For example, applications can take advantage of side-by-side assemblies in order to allow applications t
installed on the same computer that require different versions of a DLL such as MDAC, MFS, MSVCRT, o
MSXML. For more information about this topic, see the Appendix at the end of this paper.

Top of page

Using Isolation to Secure Applications

One of the primary tools for configuring isolation is the use of Access Control Lists (ACLs), authenticatio
process identities to create effective security boundaries between applications. While configured isolatio
doesn't equate to the degree of isolation provided by independent servers, you can effectively use ACLs
prevent one application from accessing the files of another application inadvertently or maliciously. For
example, a Web site administrator may create a script to browse the directory or change files of anothe
application using the file system object. The administrator could also write an ASP application that read
from files of another site such as a customer database. Proper use of ACLs and other authorization bou
in Windows Server 2003 can prevent this scenario from occurring.

Configuring Application Pool Identity

One of the most important rules to remember when securing a server is that all processes must run as
or built-in account. In most cases, this requirement is transparent, because file system resources requi
or requested from an application are typically opened in the context of the user making the request. Ho
an application developer can choose to author an application in such a way that the file system resourc
opened in the context of the account used to launch the parent process hosting an application rather th
user.

Lets examine what happens when an anonymous user opens an application. The user makes a request
application and is automatically assigned to the anonymous account (typically the IUSR_<ComputerNam
account). The requested file is opened and executed using the credentials of the anonymous user, prov
proper permissions are in place in the IIS Manager and ACLs on the requested file. However, if the app
then invokes the Win32API RevertToSelf function, subsequent file accesses made from the application
as the Network Service user account. The Network Service user account is the built-in account assigned
identity for application pools.

Built-in Accounts

Even though the Network Service user account has limited rights on the server, application pools sharin
identity have rights to each others resources when ACLs are configured to allow access to this built-in a
You will want to give each application pool its own identity in order to effectively isolate applications, as
in Figure 4.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 8 of 22

Figure 4: The default identity for an application pool is

the Network Service user account
See full-sized image.

Because an application can run as the application pool identity, when selecting an application pool ident
should choose one with the least number of privileges required by your application. In the case where t
worker process identity is set to an account with high privileges, like LocalSystem, the result may be th
application is given permissions beyond the scope of the authenticated user. Instead, consider setting t
worker process identity to an account with low privileges to prevent an application from elevating its pr
in this manner.

Assigning an Account

When configuring an individual user account as the application pool identity, you must make the user a
member of the IIS_WPG local group. The IIS_WPG group is created to simplify the process of setting th
necessary authorizations and rights on all of the system resources that a worker process must access to
function properly, including launching application pools. When IIS is installed, or when new application
are created, the IIS_WPG group is included in all ACLs of resources that the application pool must acce
However, it is not necessary to add IIS_WPG to a sites content directories and files. In fact, if you requ
isolation between users, but configure ACLs that grant access to IIS_WPG, you may decrease the degre
isolation because all applications whose user accounts are members of the IIS_WPG group would have
to each others content. Consequently, you will want to add accounts you create for each application poo
identity to the IIS_WPG local group, but you should not use the IIS_WPG group in ACLs on content files
directories.

Accounts used for application pool identity should also be distinct from anonymous accounts and individ
accounts for site authors and owners. Accounts used for anonymous access or for site authors and own
should not be added to the IIS_WPG group because doing so would grant those accounts access to dire
that are shared among application pools such as the compression cache and ASP template cache.

Additionally, if you configure application pools with an identity other than Network_Service and your
applications launch CGI processes, you will need to assign the following user rights to accounts designa
application pool identities:

• Adjust memory quotas for a process (SeIncreaseQuota)

• Replace a process at token level (SeAssignPrimaryToken)

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 9 of 22

Authentication Considerations
Authentication is the process of proving that you are a valid user to an application. Once proven valid, t
is then assigned an identity, which is used to limit access to resources. Part of building secure boundari
between applications is to ensure that you have the identities for your applications and users organized
a way that you can effectively manage the authorization of the application and the users access to reso

IIS 6.0 supports Anonymous, Basic, Digest, Advanced Digest, Client Certificate, Integrated Windows (N
and Kerberos), and Passport authentication. Additionally, applications may implement their own authen
methods, for example, forms-based authentication in ASP.NET. Remember that the method you use for
authentication can impact the choices you have for implementing security.

For highly isolated applications, it is best to create a unique user account to be used for anonymous acc
the application, and then assign this user as the anonymous user in the Directory Security tab of the pr
for the Web site (see Figure 5). This allows you to configure authorization (see the Configuring Authoriz
section) so that applications launched by the anonymous user are constrained to appropriate resources
unique anonymous user identity combined with a designated account for the application pool identity pr
two of the essential elements needed for constructing an effective security boundary for the application

To configure a unique anonymous user account for a Web site

1. In IIS Manager, expand the local computer, expand the Web Sites folder, right-click the Web si
want to change, and then click Properties.

2. On the Directory Security tab, under Authentication and access control, click the Edit butt
shown in Figure 5.

Figure 5: Site properties Directory Security tab

See full-sized image.

3. In the Authentication Methods dialog, enter the User name and Password of the account to
anonymous access, as shown in Figure 6.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 10 of 22

Figure 6: Configuring a unique anonymous user account

See full-sized image.

4. Click OK

5. Click OK

When using Kerberos or Basic authentication, you can use UNC passthrough authentication to determin
credentials to be used for gaining access to a UNC share on a remote computer. Administrators can con
IIS to use a fixed set of credentials or to submit the users credentials, known as pass-through authenti
to the file server or NAS device. By default, IIS is configured to use pass-through authentication for Bas
Kerberos authentication when working in a Windows Server 2003 environment and running application
with the Network Services identity. You can also configure Windows Server 2003 so pass-through
authentication is possible for any authentication method.

Note: Use a domain-based account when assigning an application pool identity if you intend to use pas
through authentication with Kerberos. For more information about this, see the Deploying and Configur
Internet Information Services (IIS) 6.0 with Remotely Stored Content on UNC Servers and NAS Devices
paper
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg

ASP.NET applications using forms-based authentication rely primarily on the use of .config files to contr
authentication. The application .config files may contain user names and passwords required to access
applications or may reference a database (other than the local SAM or Microsoft Active Directory) to va
users. Applications using forms-based authentication have enhanced application boundaries, since the
authentication for a user is valid only in the authorizing application.

Configuring Authorization
The foundation for effectively enforcing application isolation lies in the proper use of authorization.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 11 of 22

Authorization uses the authenticated identity of the user, including the anonymous user, to limit access
resources. For our purposes, the concept of a user is also extended to the identity of application pools,
are authorized only to use resources required by the application.

Methods for enforcing authorization include configuring ACLs on content, share permissions, the metaba
the registry. Additionally, other techniques, for example, URL authorization using Windows Server 2003
Authorization manager and authorization in ASP.NET applications can be used.

Configuring ACLs on Content

When configuring ACLs, your task will be easier if you keep in mind two principles:

• Assign users to groups, and then assign ACL permissions based on those groups.

• If permissions are not specifically allowed, access is denied.

When implementing permissions, users often require flexibility that was not preconceived when the
applications were first configured. To preserve your options and ease administration, consider using gro
contain application pool identities, then assign ACLs to the groups. For example, when configuring isola
Application X, create a group, such as ApplicationX_Processes, and then assign application pool identity
Application X to this group. This allows you several conveniences:

• If you change the application pool identity in the future, you only need to add the new identity to the
ApplicationX_Processes group. This avoids the labor-intensive, and perhaps error-prone task, of chan
ACLs on all resources for the application.

• You may add other applications in the future (ApplicationZ) that require access to the resources used
ApplicationX, and at the same time limit ApplicationX from accessing specific resources used by
ApplicationZ. In other words, the ApplicationX_Processes group would contain the user accounts for
application pool identities assigned to both ApplicationX and ApplicationZ, but the ApplicationZ_Proce
group only contains the application pool identity for ApplicationZ.

• You may need to allow or deny access to resources for groups of application pools. For example, you
want to create an identity for AllASP.NETApps that has access to specific resources. This is facilitated
application pool identities are ed from specific user accounts.

Once you have assigned your application pool identity, you need to assign NTFS permissions to file syst
resources to allow permissions on a variety of locations, including folders used in databases, compiling
caching of scripts, logging directories for customized logging, or other file system locations where the
application pool identity requires access. Be careful not to unintentionally allow another application poo
identity access to the same resources. For example, you would not want to assign permissions to the U
the IIS_WPG group. Remember that if access is not specifically allowed, it is denied.

In addition to configuring ACLs for the proper access by the application pool identity, you need to provi
permissions for users. This is facilitated by creating groups that designate functions, such as
ApplicationX_authors and ApplicationX_anonusers, then adding users to these groups and assigning
permissions to the groups. Having a group for anonymous users is useful in that you may wish to authe
some users for logging or auditing purposes, but still only allow them access to resources as if they wer
anonymous users.

Configuring for Access of UNC-based Content

When accessing content on another server using UNC paths, you must consider both Share and NTFS
permissions. Often Share permissions are left fairly open and NTFS permissions are used to secure the
The degree to which you lock down your Share permissions is dependent on your specific security
requirements.

For the majority of applications, Share and NTFS permissions on remote content will be assigned to the
authenticated user that is requesting access. If you are using the default pass-through authentication, t
be the individual user as authenticated by IIS. If you are specifying a user account for remote access, a
required in IIS 4.0 and IIS 5.0, the specified user will require access rights for both Share and NTFS

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 12 of 22

permissions. If the user specified for accessing remote content is not a domain account, it is best if the
account is created with the same user name and password on the IIS server as well as the remote file s
This facilitates management of remote content in the IIS Manager console. For more information about
configuring authentication and authorization for UNC servers and NAS devices, see the Deploying and
Configuring Internet Information Services (IIS) 6.0 with Remotely Stored Content on UNC Servers and
Devices white paper
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg

Configuring ACLs on the Metabase

In addition to setting ACLs on file system resources, you can set ACLs on metabase keys. Use Metabase
Explorer 1.6 or MetaEdit 2.2 to view and set ACLs on metabase keys. Metabase Explorer 1.6 can be
downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b6
ade629c89499&DisplayLang=en. MetaEdit 2.2 can be downloaded from
http://download.microsoft.com/download/iis50/Utility/5.0/NT45/EN-US/MtaEdt22.exe.

For Web sites and their contents that have corresponding keys with properties in the metabase, the IIS
group is set to Allow for the permissions: Query, Query Unsecure Property, and EnumerateProperty. Th
default ACLs on application pools permit the IIS_WPG, Network_Service, and Local_System accounts th
to query metabase properties for all application pools.

Applications running in the context of the application pool do not have the ability to alter the metabase
the application can be run in the security context of the Administrator identity, which by default has ful
on the entire metabase. This can occur, for example, when the system administrator logs in or authent
the application using the Administrator credentials and the application assumes the credentials via
impersonation. Consequently, these settings do not represent a serious security risk. However, you can
increase application isolation by making the following adjustments to isolate a sites metabase settings:

• Remove entries for IIS_WPG

• Assign the worker process identity: Read

• Assign any Web site author or administrators: Read

• Give the Administrators group and any other system administrators: Full Control

Configuring ACLs on Registry Keys

On secure servers, it is recommended that permissions be tightened on certain registry keys. Microsoft
provides several templates for tightening permissions, including those provided with the Security Opera
Guide (http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx). Increas
security in general will increase the effectiveness of application isolation, but you may need to specifica
restrict access to portions of the registry that contain information about COM objects used by your appl
It should not be possible, for example, for a user to determine what objects are registered on the serve
then write a script to invoke those objects.

COM+ Isolation

COM+ Partitions can be used to isolate Web applications into their own COM+ partitions. This is useful
prevent one Web application from accessing the private COM+ applications, configuration information,
data of another Web application. COM+ partitions can hold different versions of your own custom COM
components. For example, if you host Web sites for two competing companies that both use COM+ in t
Web applications, you can use COM+ partitions to ensure that one company's Web application cannot a
the COM+ components in the other company's Web applications. If one of those companies asks you to
certain features in a COM+ application that they both use, you can isolate the new version of that COM
application in the partition that is linked to their Web application.

To enable COM+ partitions on the IIS side, set the AspUsePartition flag of the AspAppServiceFlags m
property at the application level. The partition is identified by a GUID (created using the Component Se
Manager snap-in), which can be set at the AspPartitionID metabase property. If no partition is specified

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 13 of 22

default system partition is used. For more information, please see "Creating and Configuring COM+ Par
in the COM+ SDK (http://go.microsoft.com/fwlink/?LinkId=2823).

Important: Only one version of a COM+ component can be used in any application pool, even though
feature is configurable at the application level. For example, if application App1 uses version 1.0 of a cu
COM+ application called Shop.dll, and application App2 uses version 2.0 of Shop.dll, then App1 and App
should not be in the same application pool. If they are, the application that is loaded first has its versio
Shop.dll loaded, and the other application is forced to use it until the applications are unloaded.

URL Authorization

Authorization Manager and URL authorization are features of the .NET Framework that have been exten
into the operating system for Windows Server 2003. Consequently, these features are available to ASP
other applications. Windows Server 2003 and IIS 6.0 provide the ability to use Authorization Manager i
combination with URL authorization to create sets of rules that authorize access to URLs based on the u
roles. Roles can be defined any number of ways, including Lightweight Directory Access Protocol (LDAP
queries, custom user roles, and Authorization Manager scripts (BizRules). This is quite different from ap
ACLs to files, because role membership can be determined through a query at the time of the request.
example, you could authorize employees of a company, who have been employed for more than 90 day
access a specific URL. When an employee reaches the 91 day of employment, however that is defined b
requirements, access is granted without the need to change ACLs, or local/domain group memberships.
better application isolation, you may define a rule so that all employees or customers of CompanyA can
the CompanyA application and all others are denied.

For more information about Authorization Manager, see Authorization Manager in the Windows Server 2
product documentation (http://www.microsoft.com/technet/prodtechnol/acs/proddocs/default.mspx). F
information about URL authorization, see URL Authorization in the IIS 6.0 Help
(http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs/en-
us/iiswelcome.asp).

FTP User Isolation

IIS 6.0 also includes an FTP server to allow users to upload or download files. Where FTP is deployed,
configuring your server so that FTP users cannot browse other users directories is an important part of
security. IIS 6.0 provides for this capability with FTP user isolation. When enabled, a user cannot navig
higher up the directory tree, because the user's top-level directory appears as the root of the FTP servic
Within the user's specific site, the user still has the ability to create, modify, or delete files and folders.

FTP user isolation has three settings available for user restriction, as shown below in Figure 7.

IMPORTANT: FTP is not a secure protocol, so user names and passwords are sent across the network
text. In addition, you cannot use SSL with FTP.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 14 of 22

Figure 7: FTP User Isolation allows three options to

restrict user access
See full-sized image.

FTP user isolation has two modes to isolate users: Isolate users and Isolate users using Active Directory

Isolate Users

This mode authenticates users against local or domain accounts before they can access the home direc
that matches their user name. All user home directories are in a directory structure under a single FTP
directory where each user is placed and restricted to their home directory. In this mode, the home dire
name is the same as the authenticated user name. When users authenticate, they are automatically pla
into the directory that corresponds to their logon name and they are not permitted to navigate out of th
home directory. If users need access to dedicated shared folders, you can also establish a virtual root.
mode may use, but does not require, the Active Directory service.

Isolate Users using Active Directory

When you set your FTP server to isolate users with Active Directory, each user's home directory can res
an arbitrary network path. In this mode, you have the flexibility to distribute user home directories acro
multiple servers, volumes, and directories, as is appropriate to the network configuration, and the hom
directory name may be different from the authenticated user name. This is accomplished by using ADS
the msIIS-FTPDir and msIIS-FTPRoot properties for the user object in Active Directory. For more
information about setting these properties with the IISFTP.VBS scripts, see Setting Active Directory Use
Isolation in the IIS 6.0 Help
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/default.mspx). Not
the IIS 6.0 Help incorrectly lists these attributes as FTPRoot and FTPDir. These properties are not expos
the Active Directory Users and Computers console.

For step by step instructions on how to implement FTP user isolation, see Isolating FTP Users in the IIS
Help (http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs/en
us/iiswelcome.asp).

FrontPage 2002 Server Extensions Security

FrontPage 2002 Server Extensions make it simple for users to publish Web sites using FrontPage and to
Web applications from Microsoft Visual Interdev. You can create a FrontPage-enabled Web site by exten
the Web site with the FrontPage Server Extensions.

To create a FrontPage-enabled Web site

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 15 of 22

1. Install FrontPage Server Extensions on the computer.

2. Right-click the Web site you want to configure, and select All Tasks, Configure Server Extens
2002. This launches the FrontPage Server Extensions 2002 administrative Web application.

3. Designate a user account as the virtual server administrator.

4. Click Submit to install the extensions on the Web site.

FrontPage Server Extensions uses a distributed security model where the account specified as the Web
administrator has the right to create users and assign roles resulting in permissions being changed on t
site. The Web administrator can do these tasks, but is not required to be an administrator on the serve
Consequently, you should configure the Web administrator to use an account that is not a member of th
Administrators group.

When you install FrontPage Server Extensions on your server, a specialized application pool named
MSSharepointAppPool is created and is assigned to run in the security context of the Local System acco
The _vti_bin folder of any FrontPage-enabled Web site will run in this security context. The _vti_bin fold
each FrontPage-extended Web or sub-Web is a virtual directory mapped to the same physical directory
containing the FrontPage Server Extensions binaries, so each application runs the same FrontPage Serv
Extensions code. Although the FrontPage Server Extensions share an application pool, applications may
configured in their own application pool, so that the user-written part of the application, and any other
provided code, can be isolated.

How FrontPage Manages ACLs

FrontPage Server Extensions 2002 will manage permissions on Web content without server administrat
intervention, using roles-based authorization. Users are assigned roles such as browser, author, Web de
and administrator. When you create a Web site and then extend the Web with FrontPage Server Extens
FrontPage Server Extensions adds certain users and groups to your Web content folders with specific
permissions. These include the Network and Interactive built-in groups. This could represent a security
as these groups are automatically maintained by the server. A user with a network logon type is a mem
the Network group (authenticated with NTLM, for example). A user with a local logon type (authenticate
Basic, for example), is a member of the Interactive group. Consequently, granting these groups access
to FrontPage Web content probably grants users from other Web sites and applications the same rights
to the Network and Interactive groups, depending on how the users are authenticated. To improve isola
and security between applications, FrontPage Server Extensions on Windows Server 2003 allow group a
to be used for authorization.

Using Group Accounts to Isolate Access to FrontPage Webs

You can configure FrontPage Server Extensions so that they use group accounts instead of the built-in
Network/Interactive groups. When properly configured, FrontPage Server Extensions will not add the N
and Interactive groups to ACLs on root Webs, but instead will authorize access to the Web using a grou
constructed by a prefix you provide (such as SecureWeb) and the Web site instance number. The result
group name for the default Web site in this example would be SecureWeb_1. This group can then be
configured manually to manage access to the Web site.

Details on implementing this feature should be read carefully at

http://www.microsoft.com/technet/prodtechnol/sppt/sharepnt/proddocs/admindoc/owsj03.mspx.

For more details on FrontPage Server Extensions 2002 and Microsoft SharePoint Team Services, see
http://www.microsoft.com/technet/prodtechnol/sppt/sharepnt/proddocs/default.mspx.

Disabling Shared File Caches

IIS and ASP use file caches to improve performance while serving Web content. On an isolated server,
caches should be disabled because the directories they use are shared by application pools with ACLs a
access to the IIS_WPG group. It is possible under some circumstances for a malicious site owner to wri
application running in one application pool to browse data stored by other applications in these director

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 16 of 22

While the likelihood and impact of this scenario are limited, disabling IIS compression, static file cachin
ASP template caching blocks such exposure in the first place. Conversely, on a server in which all of the
owners are trusted or there is a single owner for multiple sites, this is not a problem.

To disable IIS compression

1. In IIS Manager, expand the local computer, right-click the Web Sites folder, and then click
Properties.

2. On the Service tab, under HTTP compression, clear the Compress static files and the Comp
application files check boxes.

3. Click Apply, and then click OK.

Alternatively, you can enable HTTP compression of static files by setting the HcDoStaticCompression
HcDoDynamicCompression metabase properties to false.

To disable ASP file caching

1. In IIS Manager, expand the local computer, right-click the Web Sites folder, and then click
Properties.

2. On the Home Directory tab, click Configuration.

3. On the Cache Options tab, select the Do not cache ASP files option.

4. Click OK twice to save your changes.

5. Restart IIS.

To disable static file caching

• Add the following value to the registry:

HKLM\System\CurrentControlSet\Services\Inetinfo\Parameters

DisableMemoryCache: REG_DWORD: 1

You need to restart IIS for this setting to take effect.

Top of page

Using Isolation to Improve Performance

Another benefit of application isolation is the ability to limit the effects on other applications of over
consumption by any individual application. There are a number of Windows Server 2003 and IIS 6.0 fea
that help to assure that applications will have available to them the resources required when they need

IIS 6.0 Features for Resource Availability

Application pools in IIS 6.0 allow better use of resources than with previous versions of IIS. The proper
application pools allow you to configure a variety of parameters that effect resource use of the applicati
Because these settings are available per application pool, you can optimize the configuration of the app
pool for the specific characteristics of the application, load, and resulting resources required. Figure 6 s
the Performance property tab for the Default Application Pool.

Memory Recycling

Each application pool can be set to recycle when it uses too much shared (maximum virtual memory) o
privately-allocated (maximum used memory) system memory. When memory use passes one of these
thresholds, recycling occurs without interfering with other applications, making the memory consumed
application available for other applications and system requirements. (See Figure 2, Recycling paramete

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 17 of 22

available with IIS 6.0, in the Recycling section above.)

Request Queue Limit

Because the request queue for an application pool resides in the kernel, if an application pool receives r
faster than it can respond, kernel memory is used to queue the requests. In order to keep queue size fr
growing too large, you can specify the maximum number of requests that can be queued for an applica
Subsequent requests will receive a 503 error and are logged to the HTTPERR log with a reason string of
QUEUE_FULL.

Rapid-Fail Protection

This topic was discussed earlier in the Isolation for Increased Reliability section. This setting configures
remove an application pool that contains a failing application from service, and place it in a mode where
kernel-mode driver immediately returns a 503 Service Unavailable out-of-service message to any reque
that application pool. Consequently, this helps prevent failing applications from interfering with other
applications running on the server, and system resources that may have been locked up by a non-respo
application are released.

Number of Connections

On the Performance tab of the properties of a Web site, you can set the number of connections allowed
Web site. This could be useful when you are offering Web sites that provide a number of connections as
condition of service, or when you are concerned about the number of connections overwhelming a Web
applications. Additionally, you may have non-critical, but popular Web sites you wish to constrain in ord
make resources available to other applications.

Windows Server 2003 Features for Resource Availability

Windows Server 2003 has several features that can be implemented to help assure resource availability
Web applications. In some cases, enabling a feature in IIS invokes a process for installing the capability
server level. For example, configuring bandwidth throttling in IIS Manager automatically enables the Qu
Service Packet Scheduler for the server. In this way, server capabilities are more seamlessly integrated
IIS Manager than in previous versions of IIS.

Windows System Resource Manager

Windows System Resource Manager (WSRM) is available for use with Windows Server 2003, Enterprise
and Windows Server 2003, Datacenter Edition. WSRM enables you to manage CPU and memory utilizat
per process basis. An administrator sets targets for the amount of hardware resources that running
applications or users are allowed to consume. This means that you can allocate resources among multip
applications on a server according to your business priorities.

When used to manage IIS performance, WSRM enables a system administrator to do the following:

• Set CPU and memory allocation policies on applications. This includes selecting processes to be mana
and setting resource usage targets or limits.

• Manage CPU utilization (percent CPU in use).

• Generate, store, view, and export resource utilization accounting records for management, service le
agreement (SLA) tracking, and charge-back purposes.

WSRM maintains an updatable exclusion list of processes that shouldn't be managed because of the neg
system impact such management could create. WSRM does not manage address windowing extensions
memory, large page memory, locked memory, or operating system pool memory.

Bandwidth Throttling

On the Performance tab of the properties of a Web site, you can enable bandwidth throttling and set th
maximum bandwidth consumption for a Web site. Unlike previous versions of IIS, bandwidth throttling
the Quality of Service Packet Scheduler to manage when data packets are sent. When you configure a s

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 18 of 22

use bandwidth throttling using IIS Manager, Packet Scheduler is automatically installed, and IIS autom
sets bandwidth throttling to a minimum of 1024 bytes/second. You can configure this setting higher, bu
lower.

Using Resources Efficiently

Of course, if you have sufficient resources available for your applications, you do not need to spend as
time constraining applications and Web site use. Toward that end, application pools have several prope
that optimize server resources.

Idle Time-out

Idle Time-out is located on the Performance tab of application pool properties. When configured, a work
process in an application pool will be terminated if it remains idle for the configured interval. This frees
memory-based resources for active applications. For ISPs that often have many Web sites on a server w
only a few active at any time, this permits a greater Web site density per server, without over-committ
server resources.

Demand Start

Another feature of IIS 6.0 that helps with efficient use of resources is demand start. Application pools,
though configured and available, are not started until they are requested. In this way, applications are
loaded before they are required, which keeps resources available until the moment they are needed. Ho
this also may intensify the performance impact of application startup time. If your applications are not
optimized to start up quickly, and you don't have a large number of applications in use, you may wish t
disable Idle Time-out so that once applications are launched, their worker process remains active and t
resources acquired by the application are not released.

WebGardens

A Web garden is an application pool that is serviced by more than one worker process simultaneously. T
enabled by setting the number of worker processes setting to more than one on the Performance tab of
application pool. When requests for the application begin to queue, IIS 6.0 automatically creates anoth
worker process for the same application pool and begins to route new requests to the new worker proce
When demand is reduced, the worker processes will eventually be spun down and resources released. W
gardens are useful in situations where there are a high number of concurrent connections and contentio
locks and resources within a single process may limit request throughput.

CPU Affinity

Application pools can be assigned to run on a CPU. On an SMP system, this allows you to distribute CPU
resources among the application pools. For example, if you have an application pool that runs a CPU-in
application, assigning the application pool to a CPU could assist with performance by making certain tha
enough CPU processing power is available to the application. This also leverages the caching technology
into the processor. Other application pools can similarly be configured away from the dedicated process
affinity is set in the metabase. For more information about configuring CPU affinity, see SMPAffinitized
IIS 6.0 help (http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/prodd
us/ref_mb_smpaffinitized.asp).

Top of page

Considerations
Performance and Scale
While high isolation achieves many benefits, it impacts scaling for the server. For example, Microsoft te
show that you can run up to approximately 500 worker processes simultaneously. Assuming you have 2
sites, you can configure your application pools so that applications share thema low isolation approach
can give each application its own application pool, but set the application pool time-out aggressively.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 19 of 22

Number of Application Pools That Can Be Configured

In the default configuration, using Network_Service as the application pool identity, you can create a la
number of application pools without any difficulty. When you specify an identity for an application pool,
given a set of resources, including a non-visible desktop. Interactive processes use desktops for dispatc
events or messages, such as a mouse click, to Windows applications. In this context, only a few deskto
ever required by an application. For server applications, such as IIS, there is no interactive user; IIS an
COM applications running in a Single Threaded Apartment (STA) use the Windows message pump in a d
to marshal data to COM components created within the process, and desktops are created even if the
application uses no COM components. Microsoft tests show that when configuring more than 60 applica
pools with unique identities, a shared desktop should be used. This may be configured by setting the re
key HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\UseSharedWPDesktop t
When this setting is enabled, application pools share a common desktop, thereby increasing scalability.

Number of Web Sites and Active Worker Processes

The number of application pool worker processes that can be simultaneously active on a server is depen
on a variety of factors, including hardware configuration, the specific language in use, number of sites,
of application pools, and how those application pools are configured. IIS supports up to 20,000 configur
sites, although the number of concurrent sites varies in practice, depending on how they are configured
application pools and the ratio of active to configured sites on a server.

Regarding non-ASP.NET applications, IIS 6.0 has been tested on a well-configured mainframe server ru
up to 2,000 concurrent worker processes, each serving one application pool, but not using unique ident
practice, a design of up to 500 simultaneous application pools is achievable, depending on the applicati
requirements and assuming hardware resources are not a significant constraint. It is important to confi
UseSharedWPDesktop registry setting mentioned above when using more than 60 application pools w
unique identities.

When running ASP in a hundred or more application pools, you will need to configure ASP to run its thre
a Multi-Threaded Apartment (MTA). To enable this capability, set the metabase property AspExecuteI
to 1 (it is set to 0 by default). When ASP is set to run in a MTA and the ASP application also uses Single
Threaded Apartment (STA) objects, performance may be affected by the data marshalling that occurs b
ASP, running in an MTA, and the component, which runs in a STA in another process. If you are using
components such as ADO, which use an apartment model of Both there should be no problems with ena
this setting. For more information about enabling multi-threaded apartments, see AspExecuteInMTA in
6.0 Help.

ASP.NET applications require more resources than ASP. While 500 individual application pools may be
reasonable for ASP, it is aggressive for ASP.NET. You will need to study your server performance as poo
added to determine a practical ceiling for the number of application pools running ASP.NET in your
environment.

Top of page

Summary
In this white paper, we have reviewed the various techniques you can employ to increase application is
and the various benefits that isolation can offer. While clearly the most isolated design would be an ind
computer for each application, you can create effective application boundaries by correctly configuring
Windows Server 2003 and IIS 6.0. The ability to gather or isolate Web applications into an application p
IIS 6.0 is perhaps the most significant component of application isolation. The built-in abilities of IIS 6.
manage resources efficiently, monitor application health, recycle applications, and assign security ident
application pools creates a centerpiece from which you can deploy isolated applications. Combining thes
abilities with proper use of authentication, ACLs on various resources, and constraining applications as
required, creates an environment where applications can have an optimized set of resources available t
on demand, as well as minimizing the impacts of poorly-performing or resource-intensive applications o
server.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 20 of 22

When your Web sites require FrontPage Server Extensions 2002, you can configure the extensions to u
defined local group for ACLs on Web content. This permits you to allow FrontPage authors and administ
to deploy content only on their assigned Web sites.

Finally, by deploying .NET applications that use isolated application design and side-by-side assemblies
can strengthen application isolation and minimize versioning problems induced when multiple applicatio
share the same code base.

Taken as a whole, some subset of the capabilities are more than sufficient, in most cases, to permit
applications to be deployed on a server, while assuring that those applications are independent, secure
available.

Top of page

Appendix
The .NET Framework, which includes ASP.NET, has capabilities that can be used to enhance application
isolation. These features are implemented by software engineers in the design and implementation of th
applications and are not specifically related to IIS capabilities. The Windows Server 2003 platform is de
specifically to support .NET applications, making it an ideal choice for deploying highly reliable and secu
Web-based applications.

Features of .NET Framework and ASP.NET That Can Be Used for Isolation
When creating applications with the .NET Framework, you have additional capabilities that can be used
create by design applications that are more fully isolated, reliable, and manageable.

.NET Applications Designed to Be Isolated Applications

.NET applications can be constructed such that they are considered isolated applications. In this contex
term isolated application has a specific meaning, which refers to a type of .NET application rather than
of configured application isolation referred to in the rest of this paper.

When a .NET application is designed as an Isolated application, it is more stable and reliable since it is
unaffected by the installation, removal, or upgrading of other applications on the system. Isolated appli
can be designed so that they always run using the same assembly versions with which they were built a
tested.

Isolated applications are self-describing applications installed with manifests. Isolated applications can r
Microsoft Windows XP and later systems and can use both private assemblies and shared assemblies.

Applications built with different versions of the same assembly may run simultaneously without affectin
other's execution. The installation, removal, or upgrading of other applications on the system will not a
fully-isolated application. An application is fully isolated if all of its components are side-by-side assemb
is partially isolated if it uses some assemblies, and some shared components that are not side-by-side
assemblies. Most applications will be partially isolated.

Side-by-Side Assemblies

A common problem with deploying DLL-based applications occurs when there are different versions of a
with the same name, and both versions are required by some part of the application. This versioning pr
is resolved with the use of Side-by-Side Assemblies.

A side-by-side assembly contains a collection of resourcesa group of DLLs, windows classes, COM serve
libraries, or interfacesthat are always provided to applications together. These are described in the asse
manifest. A manifest describes the assemblys contents in XML format.

Because of the intrinsic information provided in an assembly and its manifest, an application can specify
version of an assembly it requires. And, two applications requiring different versions of the same DLL ca
together.

For more information about .NET application isolation and side-by-side assemblies, see

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 21 of 22

http://msdn.microsoft.com/library/en-
us/sbscs/setup/about_isolated_applications_and_side_by_side_assemblies.asp.

Note: ASP.NET supports running multiple versions of the .NET Framework side-by-side but only when r
IIS in IIS 5.0 isolation mode.

Application Domains

The .NET Framework allows the deployment of multiple applications in the same application pool that h
built-in application protection. Each .NET application running in the application pool has an application d
and code from one domain cannot directly access objects in another domain. You can also stop and sta
applications within a single application pool without halting the entire application pool. This permits you
focus the enforcement of your application boundaries in the design of your application, rather than rely
completely on server configuration.

Application domains provide a secure and versatile unit of processing that the common language runtim
use to provide isolation between applications. You can run several application domains in a single proce
the same level of isolation that would exist in separate processes, but without incurring the additional o
of making cross-process calls or switching between processes. The ability to run multiple applications w
single process dramatically increases server scalability. In addition, code running in one application can
directly access code or resources from another application.

Note: You cannot unload individual assemblies or types; only a complete domain can be unloaded.

For more information on Application Domains, see http://msdn.microsoft.com/library/en-

us/cpguide/html/cpconapplicationdomainsoverview.asp.

Top of page

Related Links
See the following resources for further information:

• Technical Overview of Internet Information Services (IIS) 6.0 at

http://www.microsoft.com/windowsserver2003/techinfo/overview/iis.mspx

• IIS 6.0 Documentation at

http://www.microsoft.com/resources/documentation/windowsserv/2003/datacenter/proddocs/en-
us/iiswelcome.asp

• How To Build and Service Isolated Applications and Side-by-Side Assemblies for Windows XP at
http://www.msdn.microsoft.com/library/en-us/dnwxp/html/sidexsidewinxp.asp

• FrontPage 2002 Server Extensions Support Center at http://support.microsoft.com/default.aspx?scid

US;fp10se

• FrontPage 2002 Server Extensions Administrators Guide at

http://www.microsoft.com/technet/prodtechnol/sppt/sharepnt/proddocs/admindoc/ows000.mspx

• Welcome to the GotDotNet Home Page at http://gotdotnet.com/

For the latest information about IIS, see the IIS Web site at
http://www.microsoft.com/WindowsServer2003/iis/default.mspx. For the latest information about Wind
Server 2003, see the Windows Server 2003 Web site at
http://www.microsoft.com/windowsserver2003/default.mspx.

Top of page

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005
Configuring Application Isolation using Windows Server 2003 and IIS 6.0 Page 22 of 22

Printer Friendly Version Send This Content Add To Favorites

How would you rate the usefulness of this content ?

1 2 3 4 5
Poor mlkj mlkj mlkj mlkj mlkj Outstanding
Tell us why you rated the content this way. (optional)

Submit

Manage Your Profile

© 2005 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx 12/6/2005