IIS Security, ISAPI extensions and filters

Hi and welcome back to our 5th IIS tutorial.
In this post we will talk about the security measures that have to be taken on an IIS server, and also about ISAPI extensions and ISAPI filters.

Internet Server Application Programming Interface (ISAPI) is an N-tier (application processing and data management functions are logically separated) API (about APIs: http://en.wikipedia.org/wiki/Application_programming_interface) that is built for IIS. An ISAPI server extension is a DLL that can be loaded and called by an HTTP server to provide certain functionality. The only two kinds of ISAPI application that were developed are filters and extensions. ISAPI extensions can be integrated as modules and are used mainly to execute code when a certain extension is called. ISAPI filters are used to modify and provide more functionality to IIS. I made a drawing of how ISAPI extensions and filters integrate in IIS; I hope it will be helpful for you:

Security features in IIS are used to determine whether a user has access to a certain resource on the IIS server. For example, imagine you are trying to obtain a file from a server. When you first access the server, IIS authenticates you with the options that are enabled. If anonymous authentication is enabled, then you will be authenticated as anonymous. After this step, IIS checks whether any IP or domain restrictions apply to you. If the authorization rules permit your access, then it is all up to the NTFS permissions (read more about NTFS permissions here: http://technet.microsoft.com/en-us/library/cc754178.aspx). After passing this test, IIS grants you access to your requested file. Anonymous authentication is used until you access something that is not permitted by this type of authentication; at that point you have to authenticate by another authentication method that is active on the web server (Windows, Basic, Digest Authentication, etc.). I created a picture of how security is implemented in IIS; I hope it will help you understand all the steps taken:
[Figure: IIS request]
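
To check what each of these stages is actually configured to do on a server, the following added example (not part of the original post) reads the settings in the same order using the WebAdministration module. The site name and the helper function `Get-SectionCollection` are assumptions made for illustration.

```powershell
# Added example: read the settings behind each access-check stage of one site.
# Assumes IIS 7+ with the WebAdministration module and an elevated session.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: replace with the site to audit
$psPath   = "IIS:\Sites\$siteName"

function Get-SectionCollection([string]$Filter) {
    # Hypothetical helper: returns the <add> entries of a section, or nothing
    # if the section (for example IP and Domain Restrictions) is not installed.
    Get-WebConfigurationProperty -PSPath $psPath -Filter $Filter `
        -Name Collection -ErrorAction SilentlyContinue
}

# Stage 1: authentication methods enabled for the site.
foreach ($method in 'anonymous', 'basic', 'digest', 'windows') {
    $filter = "system.webServer/security/authentication/${method}Authentication"
    $attr = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter `
        -Name enabled -ErrorAction SilentlyContinue
    $state = if ($null -ne $attr) { $attr.Value } else { 'not installed' }
    '{0,-10} authentication enabled: {1}' -f $method, $state
}

# Stage 2: IP and domain restrictions.
$ipFilter = 'system.webServer/security/ipSecurity'
$unlisted = Get-WebConfigurationProperty -PSPath $psPath -Filter $ipFilter `
    -Name allowUnlisted -ErrorAction SilentlyContinue
if ($null -ne $unlisted) { "Unlisted clients allowed: $($unlisted.Value)" }
Get-SectionCollection $ipFilter |
    Select-Object ipAddress, subnetMask, domainName, allowed | Format-Table

# Stage 3: URL authorization rules.
Get-SectionCollection 'system.webServer/security/authorization' |
    Select-Object accessType, users, roles, verbs | Format-Table

# Stage 4: NTFS permissions on the site's content directory.
$root = [Environment]::ExpandEnvironmentVariables((Get-Item $psPath).physicalPath)
(Get-Acl -Path $root).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```
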
I hope this post will help you better understand the functionality of ISAPI filters and extensions and also how to enhance IIS security. Stay tuned for the next episodes. If you have enjoyed this post, please leave a comment. Have a nice day.
