Today’s post is about the extensible configuration system present in IIS 7.0. This extensibility is achieved by creating XML schemas that add configuration elements. You can then add to the main configuration file (applicationHost.config) the elements your custom-made module or extension needs to work properly.


The official FTP module works the same way. It installs its own configuration schema, ftp_schema.xml, in %windir%\system32\inetsrv\Config\Schema. I’ll copy here an extract of this schema that we will use later, in the practical case of this post.


   1:    <sectionSchema name="system.ftpServer/caching">
   2:        <element name="credentialsCache">
   3:            <attribute name="enabled" type="bool" defaultValue="true" />
   4:            <attribute name="flushInterval" type="uint" defaultValue="900" validationType="integerRange" validationParameter="5,604800"/>
   5:            <method name="Flush" extension="Microsoft.ApplicationHostFtpConfigExtension"/>
   6:        </element>
   7:    </sectionSchema>

The real power of the new configuration infrastructure can be seen in line 5 of the extract. This line adds a new method to the configuration. The method can be called programmatically from scripts, managed code or native code, and its functionality is implemented by a COM component (the extension named in the schema).


Practical case: FTP 7.0 credentials caching

IIS 7.0 uses a credential caching system to avoid the continuous creation of security tokens, for performance reasons. This system does not flush user tokens precisely when it is controlled only by the Windows Registry value UserTokenTTL (as described in http://support.microsoft.com/default.aspx/kb/152526). When configured to a value of X seconds, the flushing (and logoff of the user session) can be delayed by up to 5 minutes. This is not acceptable, because after changing the permissions for a user (moving them from one security group with specific permissions to another, more restricted group), the user can still log on with the old permissions until their credentials have been flushed and their user session logged off.

The more accurate mechanism to flush credentials in IIS 7.0, and so prevent this possible security hole, is to use the configuration elements present in the configuration store. Once the mechanism is identified, we have three options: an on-demand flush using a script, lowering the flush interval to a “safe” value, and/or disabling the credentials cache completely.

Option 1 (on demand flush):

To accomplish an on-demand flush of the credentials cache, one can use a script like the following, which flushes the credentials each time it is executed:

   1:  Dim adminManager, section, elements, element, method, flush, instance
   2:  Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
   3:  Set section = adminManager.GetAdminSection("system.ftpServer/caching", "MACHINE/WEBROOT/APPHOST/")
   4:  Set elements = section.ChildElements
   5:  Set element = elements.Item(0)                ' credentialsCache, the only element in the section
   6:  WScript.Echo(element.Name)
   7:  Set method = element.Methods
   8:  Set flush = method.Item(0)                    ' Flush, the only method declared in the schema
   9:  WScript.Echo(flush.Name)
  10:  Set instance = flush.CreateInstance()         ' create the method instance first...
  11:  instance.Execute()                            ' ...then execute it (runs the COM extension)
  12:  WScript.Echo("Cached credentials flushed")

One can also retrieve the elements by name in lines 5 and 8, but as their position is fixed by the schema, there should be no problem retrieving them by index. This script executes the method declared in the configuration schema, as effectively as calling the COM component directly but in a more compact way, integrated with the rest of the configuration.

Option 2 (reducing flush interval):

To change the flush interval value, add the third line to the applicationHost.config file, nested in the hierarchy shown by the surrounding lines:

   1:  <system.ftpServer>
   2:     <caching>
   3:         <credentialsCache enabled="true" flushInterval="300" />
   4:     </caching>
   5:  </system.ftpServer>

This option can also incur a delay, caused by the operating system’s handling of the tokens and logoff events.

Option 3 (disabling credentials cache):

The last option is to disable the credentials cache completely, using this alternative third line in the configuration file:

   1:  <system.ftpServer>
   2:     <caching>
   3:         <credentialsCache enabled="false" />
   4:     </caching>
   5:  </system.ftpServer>

Disabling the cache produces an immediate logoff after the user has quit the FTP session.
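As an added example (not part of the original post), the same three options driven from PowerShell through the AHADMIN COM objects the VBScript above uses: it reads the current credentialsCache settings, reports whether they fall within the “safe” bound, and can run the schema-declared Flush method on demand. It assumes an elevated session on a server with the FTP 7.0 module installed; the function names and the 300-second threshold are this example’s own choices.

```powershell
# Added example: audit and flush the FTP 7.0 credentials cache via AHADMIN.
$ConfigPath  = 'MACHINE/WEBROOT/APPHOST'
$SectionName = 'system.ftpServer/caching'

function Get-FtpCredentialCacheState {
    # Read-only AdminManager is enough for inspection.
    $mgr     = New-Object -ComObject 'Microsoft.ApplicationHost.AdminManager'
    $section = $mgr.GetAdminSection($SectionName, $ConfigPath)
    $cache   = $section.ChildElements.Item('credentialsCache')   # by name, as the schema fixes it
    [pscustomobject]@{
        Enabled       = [bool]$cache.Properties.Item('enabled').Value
        FlushInterval = [int]$cache.Properties.Item('flushInterval').Value   # seconds, 5..604800 per schema
    }
}

function Test-FtpCredentialCacheState {
    # $MaxAcceptableInterval defaults to the "safe" value used in Option 2 (assumption).
    param([int]$MaxAcceptableInterval = 300)
    $state = Get-FtpCredentialCacheState
    if (-not $state.Enabled) {
        return 'OK: credentials cache disabled; tokens are released when the FTP session ends (Option 3).'
    }
    if ($state.FlushInterval -le $MaxAcceptableInterval) {
        return "OK: cache enabled, flushInterval=$($state.FlushInterval)s is within the accepted bound (Option 2)."
    }
    return "WARNING: cache enabled with flushInterval=$($state.FlushInterval)s; revoked permissions may remain usable that long."
}

function Invoke-FtpCredentialCacheFlush {
    # Option 1: execute the Flush method declared in ftp_schema.xml.
    $mgr      = New-Object -ComObject 'Microsoft.ApplicationHost.WritableAdminManager'
    $section  = $mgr.GetAdminSection($SectionName, $ConfigPath)
    $cache    = $section.ChildElements.Item('credentialsCache')
    $flush    = $cache.Methods.Item('Flush')
    $instance = $flush.CreateInstance()
    $instance.Execute()
}

Test-FtpCredentialCacheState
```

Run `Invoke-FtpCredentialCacheFlush` right after changing a user’s group membership to drop the cached token without waiting for the interval to elapse.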

Enjoy playing with this powerful administration facility present in IIS 7.0 and onwards. Leverage the Configuration Store. Until next time!