IIS Best Practices

Published Mar 20 2020 06:20 AM 25.3K Views
Microsoft

It has been almost eight years since I first wrote a blog on IIS best practices. During this time, several new versions of IIS have arrived, some reached end of lifecycle; we were introduced a new development platform called .NET Core; a new HTTP version… And after eight more years of experience on a variety of customers and environments, finally I thought it was time for an update. Hope you enjoy it :)

 

See here for the old version.

 

For a very long time, I have been asked for a document on IIS best practices. There are some blogs/articles on the Internet, but I could not find a complete one. Actually, the main problem here is that there cannot be “best practices” for a web server. A web server is just a hosting platform for applications, and, each and every application has its own needs. Therefore, in many cases, you will not have one universal best practice.

 

Having these said, I tried to gather a list of things one should check while configuring an IIS server (and an application on IIS). I should say that these are my own thoughts based on my own experience. It may be possible that you will find some resources mentioning just the opposite of what I say. For such cases, consider your applications specific needs and decide accordingly.

 

Most of the below mentioned settings or recommendations apply to the web applications hosted on cloud solutions (like Azure Web Apps) and some will already be in-place. Especially some of the performance best practices listed below would help you keep your cloud costs as low as possible.

 

One more thing before we get to my recommendations: Keep in mind that web servers are just hosting platforms for your applications. They can only be as secure and as performant as your code. Therefore, do not expect the below list to address and resolve all your problems.

 

Application pool configuration

  • Create one application pool for each application. You might consider grouping applications to pools if there are too many applications and/or sites (hundreds, thousands) hosted, for administration and management purposes only.
  • Use Integrated mode. If your application does not work in Integrated mode, use Classic mode until you resolve the issue.

Application Pools <applicationPools>

https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/applicationpools/#overview
 

  • Use 64bit application pools if you do not have a limitation by any of the modules your application uses. Even if you have such a limitation, try to resolve it.

enable32BitAppOnWin64

https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/applicationpools/applicati...
 

  • Use ApplicationPoolIdentity as identity

Application Pool Identities

http://learn.iis.net/page.aspx/624/application-pool-identities/

 

  • If your server is domain-joined and if your application needs to access resources over network, consider using "group managed service accounts" (gMSA):

Group Managed Service Accounts Overview

https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-manage...

 

What's New for Managed Service Accounts

https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/what-s-new-f...
 

  • Do not leave recycling configuration as default:
    • Idle Time-out (minutes):
      • Either set this to 0 (zero)
      • Or set "Idle time-out action" to "Suspend"
    • Regular time interval (minutes): 0 (set to zero)
    • Specific Times: Set to the least used time of the day:

Recycling Settings for an Application Pool <recycling>
https://docs.microsoft.com/en-us/iis/configuration/system.applicationHost/applicationPools/add/recyc...

If you are confident that your application does not have any resource leak issues and if your application pool is recycled during deployments every now and then, you might consider totally disabling recycling.
 

  • Set "logEventOnRecycle" for all reasons: Time, Requests, Schedule, Memory, IsapiUnhealthy, OnDemand, ConfigChange, and PrivateMemory:

logEventOnRecycle

https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/applicationpools/add/recyc...
 

  • Do not set any private memory limit unless troubleshooting specific scenarios. If you do set it, turn it off as soon as possible.
     
  • Do not ever set virtual memory limit. Reserved memory usage is meant with "virtual bytes" and especially in 64bit environments, processes reserve huge amounts of memory (that is not an actual reservation, but it is a different story).
     
  • Consider increasing "Maximum Worker Processes" (web gardening) number - with caution:
    • Make sure that your application is sessionless or uses "out-of-process" session state
    • Make sure that your application does not cache too much data (as it would be cached in each process which would then cause performance degradation)
       
  • Keep "Rapid-fail protection" enabled, but makes changes according to application pool settings, i.e. "Maximum Worker Processes"
    • Make sure that your load balancer, if there is one, and "Service Unavailable Response type" setting of your application pools are set accordingly.

Failure Settings for an Application Pool <failure>

https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/applicationpools/add/failu...
 

Logging

  • Do not ever turn logging off, and:
    • Keep your log files (IIS, HttpErr and any application log you might have) on a non-system disk/partition
    • Turn on as many fields as possible (at least defaults + sc-bytes and cs-bytes)

HTTP Logging <httpLogging>

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
 

  • Monitor disk usage as the logs might grow quite fast
    • Schedule scripts to archive older logs
       
  • Use "custom fields" if you need to log extra fields. If you have an NLB  device which NATs (causing the client IP to be hidden from IIS servers), add the real client IP as a custom field:
    • Do not use "advanced logging" module as it is a very old module and there may be some issues with it, like memory leaks.
    • If you are hosting service applications (web services or WCF) consider adding method names to headers (like SOAPAction header) and log them in IIS logs using custom fields.

Adding Custom Fields to a Log File for a Site <add>

https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/logfile/customf...

 

  • IIS logs provide us with invaluable data on general health and performance of our applications. Periodically analyze them to have an idea on the performance baseline and trends.
    • Although the latest version was released in 2005, Log Parser is still a very powerful tool for log analysis

Log Parser 2.2

https://www.microsoft.com/en-us/download/details.aspx?id=24659
 

  • You can use Azure Monitor to collect and analyze IIS logs

Collect IIS logs in Azure Monitor

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-iis-logs
 

  • Also, keep an eye on HttpErr logs as they might contain some details on some specific problems:

Error logging in HTTP APIs

https://support.microsoft.com/en-us/help/820729/error-logging-in-http-apis

 

  • Configure Windows Error Reporting to collect full user dumps when worker processes (w3wp.exe) crash:
    • Note that WER might sometimes not be able to collect memory dumps of .NET applications, but for most scenarios, it would be best to have this setting

Collecting User-Mode Dumps

https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps

 

Content

  • Keep your content on a non-system disk, if possible, on a disk/partition other than the one you keep your logs.
     
  • Configure static and dynamic compression - if CPU usage and content types permit

HTTP Compression <httpCompression>
https://docs.microsoft.com/en-us/iis/configuration/system.webServer/httpCompression/
 

  • Configure antivirus applications to exclude at least:
    • Content folders
    • Temporary ASP.NET Files folder (C:\Windows\Framework[64]\vX.X.XXXXX\)
    • Any temp folder if used

Configure Windows Defender Antivirus exclusions on Windows Server

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/confi...
 

  • Use "Output caching" whenever possible (be careful doing this as it might cause users to access each other's sessions)

Caching <caching>

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/caching/
 

  • Remove any unused "default document" setting and keep only the one you will use

Default Document <defaultDocument>

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/defaultdocument/
 

Security

  • Use end-to-end encryption
    • If you have reverse proxy and/or load balancer in front of your web servers, prefer to use SSL-bridging instead of SSL-offloading
    • Disable older SSL/TLS versions than TLS 1.2
    • Disable weak cypher suits
    • SSL/TLS and cypher suit settings are server-wide settings, and IIS supports whatever the OS supports. However, for .NET applications check the below article:

Transport Layer Security (TLS) best practices with the .NET Framework

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

 

  • Add security headers to your applications:

Content Security Policy (CSP)

https://docs.microsoft.com/en-us/microsoft-edge/extensions-chromium/store-policies/csp

 

HSTS Settings for a Web Site <hsts>

https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/hsts

 

X-Frame-Options

https://tools.ietf.org/html/rfc7034

 

OWASP Secure Headers Project

https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers

 

  • Configure "Request Filtering":
    • “Allow unlisted file name extensions": Uncheck (allow only the extensions you will use; add "." to allow extensionless requests)
    • “Allow unlisted verbs": Uncheck (allow only the verbs you will use) 
    • Lower "request limits" if possible

Request Filtering <requestFiltering>

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/

 

  • Remove HTTP headers which identifies the server and application. These headers are believed to cause security vulnerability:

removeServerHeader

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#new-i...

 

Remove Unwanted HTTP Response Headers

https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/3...

 

  • Set NTFS permissions on the content folders as needed:
    • Do not give unnecessary permissions to unnecessary users. Remove permissions of Users and other groups. You should consider authentication and impersonation configurations to do this.
    • The content folder should only need "read" and "read and execute" permissions. If your application needs to write something (like logs or temp files) write them to a separate folder (one for each application on the server) and give "write" permission only to that specific folder.
    • Make sure that the folders with write permissions cannot be accessed through HTTP protocol. i.e. make sure that access to that folder is denied by Request Filtering module.

  • If using anonymous authentication, set the user to "Application pool identity" to be able to isolate your sites and applications

 

  • Do not store sensitive information in configuration files. Encrypt such fields if you need to have them:

Protecting Connection Strings and Other Configuration Information (C#)

https://docs.microsoft.com/en-us/aspnet/web-forms/overview/data-access/advanced-data-access-scenario...

 

  • Remove any unused modules to reduce attack surface. For example, if you do not specifically need WebDAV, do not install it.

  • Consider adding the host names of your web sites to Hosts file to point 127.0.0.1, so that you can test your applications locally on the servers in a web farm environment. This would be the first and the easiest test to eliminate network issues.

 

Application Performance

  • If your .NET/.NET Core application gets burst loads or for some reason you need to recycle your application or application pool during work hours, consider increasing minWorkerThreads and minIoThreads settings:

processModel Element (ASP.NET Settings Schema)

https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/7w2sway1%28v%3dvs.100%29

 

ProcessModelSection.MinWorkerThreads Property

https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.processmodelsection.minworkerth...

 

runtimeconfig.json

https://docs.microsoft.com/en-us/dotnet/core/run-time-config/#runtimeconfigjson

 

ASP.NET Thread Usage on IIS 7.5, IIS 7.0, and IIS 6.0

https://docs.microsoft.com/en-us/archive/blogs/tmarq/asp-net-thread-usage-on-iis-7-5-iis-7-0-and-iis...

 

  • For .NET Core applications, choose to run it "in-process":

In-process hosting model

https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/aspnet-core-module?view=aspnetcore-2.2#...

 

  • If your server has many CPU cores (like more than 16, for instance) consider making changes on GC settings:
    • Consider setting GC heap count to a lower number than the number of CPU core. While deciding heap count, take the number of applications hosted on the server into consideration

<GCHeapCount> element

https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/runtime/gcheapcount-ele...

 

Middle Ground between Server and Workstation GC

https://devblogs.microsoft.com/dotnet/middle-ground-between-server-and-workstation-gc/

 

  • Depending on the number of CPU cores on your server, consider setting CPU affinity of your application pools. For very high CPU consumption issues, leave at least one CPU core unused, so that you can access the server to collect logs to troubleshoot and be able to take actions towards resolution.

smpAffinitized and smpProcessorAffinityMask

https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/applicationpools/add/cpu

 

  • If your hardware or virtualization environment has NUMA support, consider setting "Maximum number of processes" to zero:

IIS 8.0 Multicore Scaling on NUMA Hardware

https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-multicore-scaling-on-numa...

 

  • For ASP.NET applications, confirm that they are built in release mode, and that they do not have debug="true" in any web.config file in production

Debug Mode in ASP.NET Applications (the article is very old, but it is still valid for all .NET versions)

https://support.microsoft.com/en-us/help/2580348/debug-mode-in-asp-net-applications

 

  • Make sure tracing is installed (you never know when you would need it) but keep it disabled at both application and IIS level (Failed Request Tracing)

Troubleshooting Failed Requests Using Tracing in IIS 8.5

https://docs.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-faile...

 

Trace Failed Requests Logging for a Site <traceFailedRequestsLogging>

https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/tracefailedrequ...

 

  • Set the applications' timeout values as low as technically possible

Set Timeouts Aggressively
https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff647787(v=pandp.10)?redirectedfrom=MSDN#...

 

  • Make settings to make use of HTTP/2:

How do I use HTTP/2?

https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#how-do-i-use-http2

 

  • Install/copy these tools on the server as you never know when you will need them

PerfView

https://github.com/Microsoft/perfview

 

Debug Diagnostics Tool

https://www.microsoft.com/en-us/download/details.aspx?id=58210

 

ProcDump

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

 

ProcMon

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

 

  • Monitoring is the most important thing about performance. Know your applications performance baseline and monitor for any changes:

Azure Monitor overview

https://docs.microsoft.com/en-us/azure/azure-monitor/overview

 

What is Application Insights?

https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview

 

  • Save the performance counters one should monitor in case of an issue to the desktop or somewhere. The following might be a starting point for ASP.NET applications:

   \Processor Information(_Total)\% Processor Time
   \.NET CLR Exceptions(w3wp)\# of Exceps Thrown / sec
   \.NET CLR Memory(w3wp)\# Gen 0 Collections
   \.NET CLR Memory(w3wp)\# Gen 1 Collections
   \.NET CLR Memory(w3wp)\# Gen 2 Collections
   \.NET CLR Memory(w3wp)\# Induced GC
   \.NET CLR Memory(w3wp)\Process ID
   \.NET CLR Memory(w3wp)\#Bytes In All Heaps 
   \ASP.NET\Application Restarts
   \ASP.NET\Request Execution Time
   \ASP.NET\Requests Current
   \ASP.NET\Requests Queued

   \ASP.NET Applications(*)\Requests Executing
   \ASP.NET Applications(*)\Requests/Sec
   \Memory\Available MBytes
   \Process(w3wp)\% Processor Time
   \Process(w3wp)\ID Process
   \Process(w3wp)\Private Bytes

  \WAS_W3WP(*)\Total Health Pings.

8 Comments
Senior Member

Thank you @Cenk_Iscan 
The post is very clear and direct.
Good Job, with that information we can support better the IIS configurations.

Occasional Visitor

Hi @Cenk_Iscan 

Thanks for the article. I have a question when you connect SQL server database using IIS and have application pool identity set through a domain user account for all application pools.

The user will be having permissions on database.

So is the recommendation is to use one user for all the applications or one application should connect to database using one user only?

Microsoft

Hi @ghamandipp 

Running each application on its own application pool with a different user is one of the isolation steps which is strongly recommended. For your scenario, using one gMSA user for each application would be a good idea.

Occasional Visitor

Hi @Cenk_Iscan ,

So if we have 100 different applications, we can have 100 different isolated application pools. But having 100 different users to run each application would be a difficult task.

How it can be achieved?

Regular Visitor

Hi @Cenk_Iscan,

Have you compared best practices to STIG settings for IIS? There are some things that align with what you have stated and some that do not. For the most part most of the configuration settings mentioned can be done for us, however the application pool settings do give us fits based on application. Also the STIG settings do want these set:

  • private memory limit 
  • virtual memory limit

I do like this write up as it gives me a guideline to start from.

Microsoft

@marto871 Yes, there are some recommendations out in the wild that do not align with mine. And STIG has a few of them which do not align. But I will stick with my recommendations on application pool recycling settings; and especially about giving memory limits. If you check "virtual bytes" of any 64bit worker process at any random time, you would see terabytes. This makes giving a limit to virtual memory unnecessary, and even harmful - causing the pool to recycle too often. For both virtual and private memory limits, since they are not actually limits but recycle triggers, that does not make any sense.

 

There might be some exceptions for private memory limit (like known memory leak issues in the application), but I cannot think of any scenario one would need to set limit to virtual memory.

Regular Visitor

@Cenk_Iscan,

Thanks for the reply!

Regular Visitor

Hi! I've actually ran into issue this week related to this topic.  I haven't found a solution yet and the testing is still ongoing.  I work in an environment where our IIS servers have to be configured according to what is put forth by DISA STIGS for IIS, specifically the part about having to use memory values other than 0 for both private and memory limits.  The problem we are running into is something I caught during a migration going from on-prem to DISA cloud.  The on-prem IIS web server is built in a VMWARE hypervisor.  The IIS web server on the cloud is built in a KVM hypervisor.  Both IIS web servers are hosting the same application and using the same IIS configuration settings, and same RAM and app pool memory limits.  However, the difference is that the IIS web server that is using the KVM hypervisor is posting every minute for all app pools event ID 5077 in the system log that states the application pool has requested a recycle because it has reached its virtual memory limit.  The only conclusion I can come up with is that KVM manages memory differently than VMWARE. I did notice that the IIS application pools in VMWARE have a NUMA field that has a value of "maxavailablememory" in the CPU section.  The IIS app pool in KVM do not have this field. 

 

On the IIS VM that uses the KVM hypervisor, all of my applications have dedicated app pools and the only memory value that eliminates the issue is 0.  We've tried increasing all of the memory values.  

 

Has anyone ran into an issue like this before with a successful outcome, or have any suggestions that I could try to resolve the issue causing the 5077 events that are continuously posting? 

%3CLINGO-SUB%20id%3D%22lingo-sub-1242109%22%20slang%3D%22en-US%22%3ERe%3A%20IIS%20Best%20Practices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1242109%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F522909%22%20target%3D%22_blank%22%3E%40Cenk_Iscan%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EThe%20post%20is%20very%20clear%20and%20direct.%3CBR%20%2F%3EGood%20Job%2C%20with%20that%20information%20we%20can%20support%20better%20the%20IIS%20configurations.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1241577%22%20slang%3D%22en-US%22%3EIIS%20Best%20Practices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1241577%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20has%20been%20almost%20eight%20years%20since%20I%20first%20wrote%20a%20blog%20on%20IIS%20best%20practices.%20During%20this%20time%2C%20several%20new%20versions%20of%20IIS%20have%20arrived%2C%20some%20reached%20end%20of%20lifecycle%3B%20we%20were%20introduced%20a%20new%20development%20platform%20called%20.NET%20Core%3B%20a%20new%20HTTP%20version%E2%80%A6%20And%20after%20eight%20more%20years%20of%20experience%20on%20a%20variety%20of%20customers%20and%20environments%2C%20finally%20I%20thought%20it%20was%20time%20for%20an%20update.%20Hope%20you%20enjoy%20it%20%3A)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Farchive%2Fblogs%2Fcenkiscan%2Fiis-best-practices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E%20for%20the%20old%20version.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20a%20very%20long%20time%2C%20I%20have%20been%20asked%20for%20a%20document%20on%20IIS%20best%20practices.%20There%20are%20some%20blogs%2Farticles%20on%20the%20Internet%2C%20but%20I%20could%20not%20find%20a%20complete%20one.%20Actually%2C%20the%20main%20problem%20here%20is%20that%20there%20cannot%20be%20%E2%80%9Cbest%20practices%E2%80%9D%20for%20a%20web%20server.%20A%20web%20server%20is%20just%20a%20hosting%20platform%20for%20applications%2C%20and%2C%20each%20and%20every%20application%20has%20its%20own%20needs.%20Therefore%2C%20in%20many%20cases%2C%20you%20will%20not%20have%20one%20universal%20best%20practice.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHaving%20these%20said%2C%20I%20tried%20to%20gather%20a%20list%20of%20things%20one%20should%20check%20while%20configuring%20an%20IIS%20server%20(and%20an%20application%20on%20IIS).%20I%20should%20say%20that%20these%20are%20my%20own%20thoughts%20based%20on%20my%20own%20experience.%20It%20may%20be%20possible%20that%20you%20will%20find%20some%20resources%20mentioning%20just%20the%20opposite%20of%20what%20I%20say.%20For%20such%20cases%2C%20consider%20your%20applications%20specific%20needs%20and%20decide%20accordingly.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMost%20of%20the%20below%20mentioned%20settings%20or%20recommendations%20apply%20to%20the%20web%20applications%20hosted%20on%20cloud%20solutions%20(like%20Azure%20Web%20Apps)%20and%20some%20will%20already%20be%20in-place.%20Especially%20some%20of%20the%20performance%20best%20practices%20listed%20below%20would%20help%20you%20keep%20your%20cloud%20costs%20as%20low%20as%20possible.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOne%20more%20thing%20before%20we%20get%20to%20my%20recommendations%3A%20Keep%20in%20mind%20that%20web%20servers%20are%20just%20hosting%20platforms%20for%20your%20applications.%20They%20can%20only%20be%20as%20secure%20and%20as%20performant%20as%20your%20code.%20Therefore%2C%20do%20not%20expect%20the%20below%20list%20to%20address%20and%20resolve%20all%20your%20problems.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1384108296%22%20id%3D%22toc-hId--1384108301%22%20id%3D%22toc-hId--1384108301%22%20id%3D%22toc-hId--1384108301%22%20id%3D%22toc-hId--1384108301%22%20id%3D%22toc-hId--1384108301%22%20id%3D%22toc-hId--1384108301%22%20id%3D%22toc-hId--1384108329%22%3EApplication%20pool%20configuration%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%3ECreate%20one%20application%20pool%20for%20each%20application.%20You%20might%20consider%20grouping%20applications%20to%20pools%20if%20there%20are%20too%20many%20applications%20and%2For%20sites%20(hundreds%2C%20thousands)%20hosted%2C%20for%20administration%20and%20management%20purposes%20only.%3C%2FLI%3E%0A%3CLI%3EUse%20Integrated%20mode.%20If%20your%20application%20does%20not%20work%20in%20Integrated%20mode%2C%20use%20Classic%20mode%20until%20you%20resolve%20the%20issue.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EApplication%20Pools%20%3CAPPLICATIONPOOLS%3E%3C%2FAPPLICATIONPOOLS%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fapplicationpools%2F%23overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fapplicationpools%2F%23overview%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUse%2064bit%20application%20pools%20if%20you%20do%20not%20have%20a%20limitation%20by%20any%20of%20the%20modules%20your%20application%20uses.%20Even%20if%20you%20have%20such%20a%20limitation%2C%20try%20to%20resolve%20it.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3Eenable32BitAppOnWin64%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fapplicationpools%2Fapplicationpooldefaults%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fapplicationpools%2Fapplicationpooldefaults%2F%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUse%20ApplicationPoolIdentity%20as%20identity%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EApplication%20Pool%20Identities%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20style%3D%22font-family%3A%20inherit%3B%20background-color%3A%20%23ffffff%3B%22%20href%3D%22http%3A%2F%2Flearn.iis.net%2Fpage.aspx%2F624%2Fapplication-pool-identities%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttp%3A%2F%2Flearn.iis.net%2Fpage.aspx%2F624%2Fapplication-pool-identities%2F%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIf%20your%20server%20is%20domain-joined%20and%20if%20your%20application%20needs%20to%20access%20resources%20over%20network%2C%20consider%20using%20%22group%20managed%20service%20accounts%22%20(gMSA)%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EGroup%20Managed%20Service%20Accounts%20Overview%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fsecurity%2Fgroup-managed-service-accounts%2Fgroup-managed-service-accounts-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fsecurity%2Fgroup-managed-service-accounts%2Fgroup-managed-service-accounts-overview%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EWhat's%20New%20for%20Managed%20Service%20Accounts%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fsecurity%2Fgroup-managed-service-accounts%2Fwhat-s-new-for-managed-service-accounts%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fsecurity%2Fgroup-managed-service-accounts%2Fwhat-s-new-for-managed-service-accounts%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDo%20not%20leave%20recycling%20configuration%20as%20default%3A%3CUL%3E%0A%3CLI%3EIdle%20Time-out%20(minutes)%3A%3CUL%20class%3D%22lia-list-style-type-circle%22%3E%0A%3CLI%3EEither%20set%20this%20to%200%20(zero)%3C%2FLI%3E%0A%3CLI%3EOr%20set%20%22Idle%20time-out%20action%22%20to%20%22Suspend%22%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3ERegular%20time%20interval%20(minutes)%3A%200%20(set%20to%20zero)%3C%2FLI%3E%0A%3CLI%3ESpecific%20Times%3A%20Set%20to%20the%20least%20used%20time%20of%20the%20day%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ERecycling%20Settings%20for%20an%20Application%20Pool%20%3CRECYCLING%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationHost%2FapplicationPools%2Fadd%2Frecycling%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationHost%2FapplicationPools%2Fadd%2Frecycling%2F%3C%2FA%3E%3C%2FRECYCLING%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EIf%20you%20are%20confident%20that%20your%20application%20does%20not%20have%20any%20resource%20leak%20issues%20and%20if%20your%20application%20pool%20is%20recycled%20during%20deployments%20every%20now%20and%20then%2C%20you%20might%20consider%20totally%20disabling%20recycling.%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ESet%20%22logEventOnRecycle%22%20for%20all%20reasons%3A%20Time%2C%20Requests%2C%20Schedule%2C%20Memory%2C%20IsapiUnhealthy%2C%20OnDemand%2C%20ConfigChange%2C%20and%20PrivateMemory%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ElogEventOnRecycle%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fapplicationpools%2Fadd%2Frecycling%2F%23attributes%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fapplicationpools%2Fadd%2Frecycling%2F%23attributes%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDo%20not%20set%20any%20private%20memory%20limit%20unless%20troubleshooting%20specific%20scenarios.%20If%20you%20do%20set%20it%2C%20turn%20it%20off%20as%20soon%20as%20possible.%3CBR%20%2F%3E%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EDo%20not%20ever%20set%20virtual%20memory%20limit.%20Reserved%20memory%20usage%20is%20meant%20with%20%22virtual%20bytes%22%20and%20especially%20in%2064bit%20environments%2C%20processes%20reserve%20huge%20amounts%20of%20memory%20(that%20is%20not%20an%20actual%20reservation%2C%20but%20it%20is%20a%20different%20story).%3CBR%20%2F%3E%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EConsider%20increasing%20%22Maximum%20Worker%20Processes%22%20(web%20gardening)%20number%20-%20with%20caution%3A%3CUL%3E%0A%3CLI%3EMake%20sure%20that%20your%20application%20is%20sessionless%20or%20uses%20%22out-of-process%22%20session%20state%3C%2FLI%3E%0A%3CLI%3EMake%20sure%20that%20your%20application%20does%20not%20cache%20too%20much%20data%20(as%20it%20would%20be%20cached%20in%20each%20process%20which%20would%20then%20cause%20performance%20degradation)%3CBR%20%2F%3E%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EKeep%20%22Rapid-fail%20protection%22%20enabled%2C%20but%20makes%20changes%20according%20to%20application%20pool%20settings%2C%20i.e.%20%22Maximum%20Worker%20Processes%22%3CUL%3E%0A%3CLI%3EMake%20sure%20that%20your%20load%20balancer%2C%20if%20there%20is%20one%2C%20and%20%22Service%20Unavailable%20Response%20type%22%20setting%20of%20your%20application%20pools%20are%20set%20accordingly.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EFailure%20Settings%20for%20an%20Application%20Pool%20%3CFAILURE%3E%3C%2FFAILURE%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fapplicationpools%2Fadd%2Ffailure%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fapplicationpools%2Fadd%2Ffailure%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1103404537%22%20id%3D%22toc-hId-1103404532%22%20id%3D%22toc-hId-1103404532%22%20id%3D%22toc-hId-1103404532%22%20id%3D%22toc-hId-1103404532%22%20id%3D%22toc-hId-1103404532%22%20id%3D%22toc-hId-1103404532%22%20id%3D%22toc-hId-1103404504%22%3ELogging%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%3EDo%20not%20ever%20turn%20logging%20off%2C%20and%3A%3CUL%3E%0A%3CLI%3EKeep%20your%20log%20files%20(IIS%2C%20HttpErr%20and%20any%20application%20log%20you%20might%20have)%20on%20a%20non-system%20disk%2Fpartition%3C%2FLI%3E%0A%3CLI%3ETurn%20on%20as%20many%20fields%20as%20possible%20(at%20least%20defaults%20%2B%20sc-bytes%20and%20cs-bytes)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EHTTP%20Logging%20%3CHTTPLOGGING%3E%3C%2FHTTPLOGGING%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webserver%2Fhttplogging%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webserver%2Fhttplogging%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EMonitor%20disk%20usage%20as%20the%20logs%20might%20grow%20quite%20fast%3CUL%3E%0A%3CLI%3ESchedule%20scripts%20to%20archive%20older%20logs%3CBR%20%2F%3E%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EUse%20%22custom%20fields%22%20if%20you%20need%20to%20log%20extra%20fields.%20If%20you%20have%20an%20NLB%26nbsp%3B%20device%20which%20NATs%20(causing%20the%20client%20IP%20to%20be%20hidden%20from%20IIS%20servers)%2C%20add%20the%20real%20client%20IP%20as%20a%20custom%20field%3A%3CUL%3E%0A%3CLI%3EDo%20not%20use%20%22advanced%20logging%22%20module%20as%20it%20is%20a%20very%20old%20module%20and%20there%20may%20be%20some%20issues%20with%20it%2C%20like%20memory%20leaks.%3C%2FLI%3E%0A%3CLI%3EIf%20you%20are%20hosting%20service%20applications%20(web%20services%20or%20WCF)%20consider%20adding%20method%20names%20to%20headers%20(like%20SOAPAction%20header)%20and%20log%20them%20in%20IIS%20logs%20using%20custom%20fields.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EAdding%20Custom%20Fields%20to%20a%20Log%20File%20for%20a%20Site%20%3CADD%3E%3C%2FADD%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fsites%2Fsite%2Flogfile%2Fcustomfields%2Fadd%23configuration-sample%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fsites%2Fsite%2Flogfile%2Fcustomfields%2Fadd%23configuration-sample%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIIS%20logs%20provide%20us%20with%20invaluable%20data%20on%20general%20health%20and%20performance%20of%20our%20applications.%20Periodically%20analyze%20them%20to%20have%20an%20idea%20on%20the%20performance%20baseline%20and%20trends.%3CUL%3E%0A%3CLI%3EAlthough%20the%20latest%20version%20was%20released%20in%202005%2C%20Log%20Parser%20is%20still%20a%20very%20powerful%20tool%20for%20log%20analysis%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ELog%20Parser%202.2%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D24659%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D24659%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EYou%20can%20use%20Azure%20Monitor%20to%20collect%20and%20analyze%20IIS%20logs%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ECollect%20IIS%20logs%20in%20Azure%20Monitor%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-iis-logs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-iis-logs%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAlso%2C%20keep%20an%20eye%20on%20HttpErr%20logs%20as%20they%20might%20contain%20some%20details%20on%20some%20specific%20problems%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EError%20logging%20in%20HTTP%20APIs%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F820729%2Ferror-logging-in-http-apis%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F820729%2Ferror-logging-in-http-apis%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EConfigure%20Windows%20Error%20Reporting%20to%20collect%20full%20user%20dumps%20when%20worker%20processes%20(w3wp.exe)%20crash%3A%3CUL%3E%0A%3CLI%3ENote%20that%20WER%20might%20sometimes%20not%20be%20able%20to%20collect%20memory%20dumps%20of%20.NET%20applications%2C%20but%20for%20most%20scenarios%2C%20it%20would%20be%20best%20to%20have%20this%20setting%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ECollecting%20User-Mode%20Dumps%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Fwer%2Fcollecting-user-mode-dumps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Fwer%2Fcollecting-user-mode-dumps%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--704049926%22%20id%3D%22toc-hId--704049931%22%20id%3D%22toc-hId--704049931%22%20id%3D%22toc-hId--704049931%22%20id%3D%22toc-hId--704049931%22%20id%3D%22toc-hId--704049931%22%20id%3D%22toc-hId--704049931%22%20id%3D%22toc-hId--704049959%22%3EContent%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%3EKeep%20your%20content%20on%20a%20non-system%20disk%2C%20if%20possible%2C%20on%20a%20disk%2Fpartition%20other%20than%20the%20one%20you%20keep%20your%20logs.%3CBR%20%2F%3E%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EConfigure%20static%20and%20dynamic%20compression%20-%20if%20CPU%20usage%20and%20content%20types%20permit%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EHTTP%20Compression%20%3CHTTPCOMPRESSION%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webServer%2FhttpCompression%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webServer%2FhttpCompression%2F%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FHTTPCOMPRESSION%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EConfigure%20antivirus%20applications%20to%20exclude%20at%20least%3A%3CUL%3E%0A%3CLI%3EContent%20folders%3C%2FLI%3E%0A%3CLI%3ETemporary%20ASP.NET%20Files%20folder%20(C%3A%5CWindows%5CFramework%5B64%5D%5CvX.X.XXXXX%5C)%3C%2FLI%3E%0A%3CLI%3EAny%20temp%20folder%20if%20used%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EConfigure%20Windows%20Defender%20Antivirus%20exclusions%20on%20Windows%20Server%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fconfigure-server-exclusions-windows-defender-antivirus%23web-server-exclusions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fwindows-defender-antivirus%2Fconfigure-server-exclusions-windows-defender-antivirus%23web-server-exclusions%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUse%20%22Output%20caching%22%20whenever%20possible%20(be%20careful%20doing%20this%20as%20it%20might%20cause%20users%20to%20access%20each%20other's%20sessions)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ECaching%20%3CCACHING%3E%3C%2FCACHING%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webserver%2Fcaching%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webserver%2Fcaching%2F%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ERemove%20any%20unused%20%22default%20document%22%20setting%20and%20keep%20only%20the%20one%20you%20will%20use%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EDefault%20Document%20%3CDEFAULTDOCUMENT%3E%3C%2FDEFAULTDOCUMENT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webserver%2Fdefaultdocument%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webserver%2Fdefaultdocument%2F%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1783462907%22%20id%3D%22toc-hId-1783462902%22%20id%3D%22toc-hId-1783462902%22%20id%3D%22toc-hId-1783462902%22%20id%3D%22toc-hId-1783462902%22%20id%3D%22toc-hId-1783462902%22%20id%3D%22toc-hId-1783462902%22%20id%3D%22toc-hId-1783462874%22%3ESecurity%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%3EUse%20end-to-end%20encryption%3CUL%3E%0A%3CLI%3EIf%20you%20have%20reverse%20proxy%20and%2For%20load%20balancer%20in%20front%20of%20your%20web%20servers%2C%20prefer%20to%20use%20SSL-bridging%20instead%20of%20SSL-offloading%3C%2FLI%3E%0A%3CLI%3EDisable%20older%20SSL%2FTLS%20versions%20than%20TLS%201.2%3C%2FLI%3E%0A%3CLI%3EDisable%20weak%20cypher%20suits%3C%2FLI%3E%0A%3CLI%3ESSL%2FTLS%20and%20cypher%20suit%20settings%20are%20server-wide%20settings%2C%20and%20IIS%20supports%20whatever%20the%20OS%20supports.%20However%2C%20for%20.NET%20applications%20check%20the%20below%20article%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ETransport%20Layer%20Security%20(TLS)%20best%20practices%20with%20the%20.NET%20Framework%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fframework%2Fnetwork-programming%2Ftls%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fframework%2Fnetwork-programming%2Ftls%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAdd%20security%20headers%20to%20your%20applications%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EContent%20Security%20Policy%20(CSP)%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-edge%2Fextensions-chromium%2Fstore-policies%2Fcsp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-edge%2Fextensions-chromium%2Fstore-policies%2Fcsp%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EHSTS%20Settings%20for%20a%20Web%20Site%20%3CHSTS%3E%3C%2FHSTS%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fsites%2Fsite%2Fhsts%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fsites%2Fsite%2Fhsts%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EX-Frame-Options%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc7034%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc7034%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EOWASP%20Secure%20Headers%20Project%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fwww.owasp.org%2Findex.php%2FOWASP_Secure_Headers_Project%23tab%3DHeaders%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.owasp.org%2Findex.php%2FOWASP_Secure_Headers_Project%23tab%3DHeaders%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EConfigure%20%22Request%20Filtering%22%3A%3CUL%3E%0A%3CLI%3E%E2%80%9CAllow%20unlisted%20file%20name%20extensions%22%3A%20Uncheck%20(allow%20only%20the%20extensions%20you%20will%20use%3B%20add%20%22.%22%20to%20allow%20extensionless%20requests)%3C%2FLI%3E%0A%3CLI%3E%E2%80%9CAllow%20unlisted%20verbs%22%3A%20Uncheck%20(allow%20only%20the%20verbs%20you%20will%20use)%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3ELower%20%22request%20limits%22%20if%20possible%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ERequest%20Filtering%20%3CREQUESTFILTERING%3E%3C%2FREQUESTFILTERING%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webserver%2Fsecurity%2Frequestfiltering%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webserver%2Fsecurity%2Frequestfiltering%2F%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ERemove%20HTTP%20headers%20which%20identifies%20the%20server%20and%20application.%20These%20headers%20are%20believed%20to%20cause%20security%20vulnerability%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EremoveServerHeader%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webserver%2Fsecurity%2Frequestfiltering%2F%23new-in-iis-100%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.webserver%2Fsecurity%2Frequestfiltering%2F%23new-in-iis-100%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ERemove%20Unwanted%20HTTP%20Response%20Headers%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fiis-support-blog%2Fremove-unwanted-http-response-headers%2Fba-p%2F369710%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fiis-support-blog%2Fremove-unwanted-http-response-headers%2Fba-p%2F369710%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ESet%20NTFS%20permissions%20on%20the%20content%20folders%20as%20needed%3A%3CUL%3E%0A%3CLI%3EDo%20not%20give%20unnecessary%20permissions%20to%20unnecessary%20users.%20Remove%20permissions%20of%20Users%20and%20other%20groups.%20You%20should%20consider%20authentication%20and%20impersonation%20configurations%20to%20do%20this.%3C%2FLI%3E%0A%3CLI%3EThe%20content%20folder%20should%20only%20need%20%22read%22%20and%20%22read%20and%20execute%22%20permissions.%20If%20your%20application%20needs%20to%20write%20something%20(like%20logs%20or%20temp%20files)%20write%20them%20to%20a%20separate%20folder%20(one%20for%20each%20application%20on%20the%20server)%20and%20give%20%22write%22%20permission%20only%20to%20that%20specific%20folder.%3C%2FLI%3E%0A%3CLI%3EMake%20sure%20that%20the%20folders%20with%20write%20permissions%20cannot%20be%20accessed%20through%20HTTP%20protocol.%20i.e.%20make%20sure%20that%20access%20to%20that%20folder%20is%20denied%20by%20Request%20Filtering%20module.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EIf%20using%20anonymous%20authentication%2C%20set%20the%20user%20to%20%22Application%20pool%20identity%22%20to%20be%20able%20to%20isolate%20your%20sites%20and%20applications%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDo%20not%20store%20sensitive%20information%20in%20configuration%20files.%20Encrypt%20such%20fields%20if%20you%20need%20to%20have%20them%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EProtecting%20Connection%20Strings%20and%20Other%20Configuration%20Information%20(C%23)%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Faspnet%2Fweb-forms%2Foverview%2Fdata-access%2Fadvanced-data-access-scenarios%2Fprotecting-connection-strings-and-other-configuration-information-cs%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Faspnet%2Fweb-forms%2Foverview%2Fdata-access%2Fadvanced-data-access-scenarios%2Fprotecting-connection-strings-and-other-configuration-information-cs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ERemove%20any%20unused%20modules%20to%20reduce%20attack%20surface.%20For%20example%2C%20if%20you%20do%20not%26nbsp%3Bspecifically%20need%20WebDAV%2C%20do%20not%20install%20it.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3EConsider%20adding%20the%20host%20names%20of%20your%20web%20sites%20to%20Hosts%20file%20to%20point%20127.0.0.1%2C%20so%20that%20you%20can%20test%20your%20applications%20locally%20on%20the%20servers%20in%20a%20web%20farm%20environment.%20This%20would%20be%20the%20first%20and%20the%20easiest%20test%20to%20eliminate%20network%20issues.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--23991556%22%20id%3D%22toc-hId--23991561%22%20id%3D%22toc-hId--23991561%22%20id%3D%22toc-hId--23991561%22%20id%3D%22toc-hId--23991561%22%20id%3D%22toc-hId--23991561%22%20id%3D%22toc-hId--23991561%22%20id%3D%22toc-hId--23991589%22%3EApplication%20Performance%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%3EIf%20your%20.NET%2F.NET%20Core%20application%20gets%20burst%20loads%20or%20for%20some%20reason%20you%20need%20to%20recycle%20your%20application%20or%20application%20pool%20during%20work%20hours%2C%20consider%20increasing%20minWorkerThreads%20and%20minIoThreads%20settings%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EprocessModel%20Element%20(ASP.NET%20Settings%20Schema)%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fdotnet%2Fnetframework-4.0%2F7w2sway1%2528v%253dvs.100%2529%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fdotnet%2Fnetframework-4.0%2F7w2sway1%2528v%253dvs.100%2529%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EProcessModelSection.MinWorkerThreads%20Property%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fapi%2Fsystem.web.configuration.processmodelsection.minworkerthreads%3Fview%3Dnetframework-4.8%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fapi%2Fsystem.web.configuration.processmodelsection.minworkerthreads%3Fview%3Dnetframework-4.8%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3Eruntimeconfig.json%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fcore%2Frun-time-config%2F%23runtimeconfigjson%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fcore%2Frun-time-config%2F%23runtimeconfigjson%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EASP.NET%20Thread%20Usage%20on%20IIS%207.5%2C%20IIS%207.0%2C%20and%20IIS%206.0%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Farchive%2Fblogs%2Ftmarq%2Fasp-net-thread-usage-on-iis-7-5-iis-7-0-and-iis-6-0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Farchive%2Fblogs%2Ftmarq%2Fasp-net-thread-usage-on-iis-7-5-iis-7-0-and-iis-6-0%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EFor%20.NET%20Core%20applications%2C%20choose%20to%20run%20it%20%22in-process%22%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EIn-process%20hosting%20model%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Faspnet%2Fcore%2Fhost-and-deploy%2Faspnet-core-module%3Fview%3Daspnetcore-2.2%23in-process-hosting-model-1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Faspnet%2Fcore%2Fhost-and-deploy%2Faspnet-core-module%3Fview%3Daspnetcore-2.2%23in-process-hosting-model-1%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIf%20your%20server%20has%20many%20CPU%20cores%20(like%20more%20than%2016%2C%20for%20instance)%20consider%20making%20changes%20on%20GC%20settings%3A%3CUL%3E%0A%3CLI%3EConsider%20setting%20GC%20heap%20count%20to%20a%20lower%20number%20than%20the%20number%20of%20CPU%20core.%20While%20deciding%20heap%20count%2C%20take%20the%20number%20of%20applications%20hosted%20on%20the%20server%20into%20consideration%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CGCHEAPCOUNT%3E%20element%3C%2FGCHEAPCOUNT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fframework%2Fconfigure-apps%2Ffile-schema%2Fruntime%2Fgcheapcount-element%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fframework%2Fconfigure-apps%2Ffile-schema%2Fruntime%2Fgcheapcount-element%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EMiddle%20Ground%20between%20Server%20and%20Workstation%20GC%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdevblogs.microsoft.com%2Fdotnet%2Fmiddle-ground-between-server-and-workstation-gc%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdevblogs.microsoft.com%2Fdotnet%2Fmiddle-ground-between-server-and-workstation-gc%2F%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDepending%20on%20the%20number%20of%20CPU%20cores%20on%20your%20server%2C%20consider%20setting%20CPU%20affinity%20of%20your%20application%20pools.%20For%20very%20high%20CPU%20consumption%20issues%2C%20leave%20at%20least%20one%20CPU%20core%20unused%2C%20so%20that%20you%20can%20access%20the%20server%20to%20collect%20logs%20to%20troubleshoot%20and%20be%20able%20to%20take%20actions%20towards%20resolution.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EsmpAffinitized%20and%20smpProcessorAffinityMask%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fapplicationpools%2Fadd%2Fcpu%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fapplicationpools%2Fadd%2Fcpu%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIf%20your%20hardware%20or%20virtualization%20environment%20has%20NUMA%20support%2C%20consider%20setting%20%22Maximum%20number%20of%20processes%22%20to%20zero%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EIIS%208.0%20Multicore%20Scaling%20on%20NUMA%20Hardware%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fget-started%2Fwhats-new-in-iis-8%2Fiis-80-multicore-scaling-on-numa-hardware%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fget-started%2Fwhats-new-in-iis-8%2Fiis-80-multicore-scaling-on-numa-hardware%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EFor%20ASP.NET%20applications%2C%20confirm%20that%20they%20are%20built%20in%20release%20mode%2C%20and%20that%20they%20do%20not%20have%20debug%3D%22true%22%20in%20any%20web.config%20file%20in%20production%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EDebug%20Mode%20in%20ASP.NET%20Applications%20(the%20article%20is%20very%20old%2C%20but%20it%20is%20still%20valid%20for%20all%20.NET%20versions)%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F2580348%2Fdebug-mode-in-asp-net-applications%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F2580348%2Fdebug-mode-in-asp-net-applications%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EMake%20sure%20tracing%20is%20installed%20(you%20never%20know%20when%20you%20would%20need%20it)%20but%20keep%20it%20disabled%20at%20both%20application%20and%20IIS%20level%20(Failed%20Request%20Tracing)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ETroubleshooting%20Failed%20Requests%20Using%20Tracing%20in%20IIS%208.5%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Ftroubleshoot%2Fusing-failed-request-tracing%2Ftroubleshooting-failed-requests-using-tracing-in-iis-85%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Ftroubleshoot%2Fusing-failed-request-tracing%2Ftroubleshooting-failed-requests-using-tracing-in-iis-85%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ETrace%20Failed%20Requests%20Logging%20for%20a%20Site%20%3CTRACEFAILEDREQUESTSLOGGING%3E%3C%2FTRACEFAILEDREQUESTSLOGGING%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fsites%2Fsite%2Ftracefailedrequestslogging%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fconfiguration%2Fsystem.applicationhost%2Fsites%2Fsite%2Ftracefailedrequestslogging%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ESet%20the%20applications'%20timeout%20values%20as%20low%20as%20technically%20possible%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3ESet%20Timeouts%20Aggressively%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fmsp-n-p%2Fff647787(v%3Dpandp.10)%3Fredirectedfrom%3DMSDN%23set-timeouts-aggressively%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fmsp-n-p%2Fff647787(v%3Dpandp.10)%3Fredirectedfrom%3DMSDN%23set-timeouts-aggressively%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EMake%20settings%20to%20make%20use%20of%20HTTP%2F2%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EHow%20do%20I%20use%20HTTP%2F2%3F%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fget-started%2Fwhats-new-in-iis-10%2Fhttp2-on-iis%23how-do-i-use-http2%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fiis%2Fget-started%2Fwhats-new-in-iis-10%2Fhttp2-on-iis%23how-do-i-use-http2%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EInstall%2Fcopy%20these%20tools%20on%20the%20server%20as%20you%20never%20know%20when%20you%20will%20need%20them%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EPerfView%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoft%2Fperfview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FMicrosoft%2Fperfview%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EDebug%20Diagnostics%20Tool%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D58210%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D58210%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EProcDump%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsysinternals%2Fdownloads%2Fprocdump%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsysinternals%2Fdownloads%2Fprocdump%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EProcMon%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsysinternals%2Fdownloads%2Fprocmon%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsysinternals%2Fdownloads%2Fprocmon%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EMonitoring%20is%20the%20most%20important%20thing%20about%20performance.%20Know%20your%20applications%20performance%20baseline%20and%20monitor%20for%20any%20changes%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EAzure%20Monitor%20overview%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Foverview%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3EWhat%20is%20Application%20Insights%3F%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fapp%2Fapp-insights-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fapp%2Fapp-insights-overview%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ESave%20the%20performance%20counters%20one%20should%20monitor%20in%20case%20of%20an%20issue%20to%20the%20desktop%20or%20somewhere.%20The%20following%20might%20be%20a%20starting%20point%20for%20ASP.NET%20applications%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%26nbsp%3B%20%5CProcessor%20Information(_Total)%5C%25%20Processor%20Time%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5C.NET%20CLR%20Exceptions(w3wp)%5C%23%20of%20Exceps%20Thrown%20%2F%20sec%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5C.NET%20CLR%20Memory(w3wp)%5C%23%20Gen%200%20Collections%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5C.NET%20CLR%20Memory(w3wp)%5C%23%20Gen%201%20Collections%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5C.NET%20CLR%20Memory(w3wp)%5C%23%20Gen%202%20Collections%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5C.NET%20CLR%20Memory(w3wp)%5C%23%20Induced%20GC%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5C.NET%20CLR%20Memory(w3wp)%5CProcess%20ID%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5C.NET%20CLR%20Memory(w3wp)%5C%23Bytes%20In%20All%20Heaps%26nbsp%3B%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5CASP.NET%5CApplication%20Restarts%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5CASP.NET%5CRequest%20Execution%20Time%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5CASP.NET%5CRequests%20Current%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5CASP.NET%5CRequests%20Queued%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%26nbsp%3B%20%5CASP.NET%20Applications(*)%5CRequests%20Executing%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5CASP.NET%20Applications(*)%5CRequests%2FSec%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5CMemory%5CAvailable%20MBytes%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5CProcess(w3wp)%5C%25%20Processor%20Time%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5CProcess(w3wp)%5CID%20Process%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20%5CProcess(w3wp)%5CPrivate%20Bytes%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%20%5CWAS_W3WP(*)%5CTotal%20Health%20Pings.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1241577%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20has%20been%20almost%20eight%20years%20since%20I%20first%20wrote%20a%20blog%20on%20IIS%20best%20practices.%20During%20this%20time%2C%20several%20new%20versions%20of%20IIS%20have%20arrived%2C%20some%20reached%20end%20of%20lifecycle%3B%20we%20were%20introduced%20a%20new%20development%20platform%20called%20.NET%20Core%3B%20a%20new%20HTTP%20version%E2%80%A6%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1241577%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECenkIscan%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184451%22%20slang%3D%22en-US%22%3ERe%3A%20IIS%20Best%20Practices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184451%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F522909%22%20target%3D%22_blank%22%3E%40Cenk_Iscan%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20article.%20I%20have%20a%20question%20when%20you%20connect%20SQL%20server%20database%20using%20IIS%20and%20have%20application%20pool%20identity%20set%20through%20a%20domain%20user%20account%20for%20all%20application%20pools.%3C%2FP%3E%3CP%3EThe%20user%20will%20be%20having%20permissions%20on%20database.%3C%2FP%3E%3CP%3ESo%20is%20the%20recommendation%20is%20to%20use%20one%20user%20for%20all%20the%20applications%20or%20one%20application%20should%20connect%20to%20database%20using%20one%20user%20only%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2187903%22%20slang%3D%22en-US%22%3ERe%3A%20IIS%20Best%20Practices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2187903%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F986405%22%20target%3D%22_blank%22%3E%40ghamandipp%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERunning%20each%20application%20on%20its%20own%20application%20pool%20with%20a%20different%20user%20is%20one%20of%20the%20isolation%20steps%20which%20is%20strongly%20recommended.%20For%20your%20scenario%2C%20using%20one%20gMSA%20user%20for%20each%20application%20would%20be%20a%20good%20idea.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2192443%22%20slang%3D%22en-US%22%3ERe%3A%20IIS%20Best%20Practices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2192443%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F522909%22%20target%3D%22_blank%22%3E%40Cenk_Iscan%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3ESo%20if%20we%20have%20100%20different%20applications%2C%20we%20can%20have%20100%20different%20isolated%20application%20pools.%20But%20having%20100%20different%20users%20to%20run%20each%20application%20would%20be%20a%20difficult%20task.%3C%2FP%3E%3CP%3EHow%20it%20can%20be%20achieved%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2262526%22%20slang%3D%22en-US%22%3ERe%3A%20IIS%20Best%20Practices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2262526%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1020987%22%20target%3D%22_blank%22%3E%40marto871%3C%2FA%3E%26nbsp%3BYes%2C%20there%20are%20some%20recommendations%20out%20in%20the%20wild%20that%20do%20not%20align%20with%20mine.%20And%20STIG%20has%20a%20few%20of%20them%20which%20do%20not%20align.%20But%20I%20will%20stick%20with%20my%20recommendations%20on%20application%20pool%20recycling%20settings%3B%20and%20especially%20about%20giving%20memory%20limits.%20If%20you%20check%20%22virtual%20bytes%22%20of%20any%2064bit%20worker%20process%20at%20any%20random%20time%2C%20you%20would%20see%20terabytes.%20This%20makes%20giving%20a%20limit%20to%20virtual%20memory%20unnecessary%2C%20and%20even%20harmful%20-%20causing%20the%20pool%20to%20recycle%20too%20often.%20For%20both%20virtual%20and%20private%20memory%20limits%2C%20since%20they%20are%20not%20actually%20limits%20but%20recycle%20triggers%2C%20that%20does%20not%20make%20any%20sense.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThere%20might%20be%20some%20exceptions%20for%20private%20memory%20limit%20(like%20known%20memory%20leak%20issues%20in%20the%20application)%2C%20but%20I%20cannot%20think%20of%20any%20scenario%20one%20would%20need%20to%20set%20limit%20to%20virtual%20memory.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Apr 17 2020 01:21 AM
Updated by: