Related topics

Product name

Internet Information Services

Publisher page

[Microsoft|Microsoft]

Category

Application Server Software Platforms

Release

TKU 2023-May-1

More information

Publisher link

Microsoft

Product Description

Extended Discovery pattern which allows to model "Website", "FTP Server", "Web Application", "Virtual Directory" and "Application Pool" is available for this product.

Microsoft Internet Information Services (IIS, formerly called Internet Information Server) is a set of Internet-based services for servers using Microsoft Windows.

The servers currently include FTP, SMTP, NNTP, WebDAV and HTTP/HTTPS.

Software Pattern Summary

Product Component	OS Type	Versioning	Pattern Depth
Microsoft IIS Service	Windows	Registry and OS Inferences	Instance Based
Microsoft IIS Webserver
Microsoft FTP Server

Platforms Supported by Software Pattern

As the software is integrated within the Windows Operating System kernel, it cannot be run on any other Operating System - as such the patterns only identify Windows installations.

Identification

Software Instance Triggers

The following patterns will only run on Windows 2003 or earlier:

Pattern	Trigger Node	Attribute	Condition	Argument	False positive checking
IIS	DiscoveredProcess	cmd	matches	`(?i)\binetinfo\.exe$`
IISWebserver	DiscoveredProcess	cmd	matches	`(?i)\bsvchost\.exe$`
IISWebserver	DiscoveredProcess	args	matches	`(?i)-k.*iissvcs`
FTPServer	DiscoveredProcess	cmd	matches	`(?i)\bsvchost\.exe$`	{escapeall}%systemroot%\system32\inetsrv\Metabase.xml{escapeall} must contain regex '(?i)iisftpserver'. %systemroot% is a Windows environment variable
FTPServer	DiscoveredProcess	args	matches	`(?i)-k\s+iissvcs`

The following patterns will only run on Windows Vista or later:

Pattern	Trigger Node	Attribute	Condition	Argument
IISWebserver_7	DiscoveredProcess	cmd	matches	`(?i)\bsvchost\.exe$`
IISWebserver_7	DiscoveredProcess	args	matches	`(?i)-k.*iissvcs`
IISFTPServer_7	DiscoveredProcess	cmd	matches	`(?i)\bsvchost\.exe$`
IISFTPServer_7	DiscoveredProcess	args	matches	`(?i)-k\s+ftpsvc`
IIS_7	DiscoveredProcess	cmd	matches	`(?i)\bsvchost\.exe$`
IIS_7	DiscoveredProcess	args	matches	`(?i)-k.*iissvcs`

Simple Identification Mappings

The following processes are identified through the use of Simple Identifiers and are modeled within a full Software Instance for Microsoft Internet Information Services using the primary and associate relationships (See Application Model Produced by Software Pattern for more details about modeling this product).

Name	Command	Arguments
Microsoft IIS WebDAV Service	`(?i)\bdavcdata\.exe$`
Microsoft ASP.net Worker Process	`(?i)\baspnet_wp\.exe$`
Microsoft IIS Worker Process	`(?i)\bw3wp\.exe$`
Microsoft IIS Webserver - IIS 6.0 and above	`(?i)\bsvchost\.exe$`	`^.-k.iissvcs`
Microsoft IIS FTP Server	`(?i)\bsvchost\.exe$`	`^.-k.ftpsvc`
Microsoft IIS Service	`(?i)\binetinfo\.exe$`

Versioning

Version information for this product is currently collected using one of two possible methods, either checking the registry for an explicit version number or by checking the operating system for a version that we know maps 1:1 with a specific version of IIS.

Active Versioning

For Windows 2016 and later we can get active versioning from powershell command $PSVersionTable.BuildVersion

Registry Versioning

The primary manner in which we achieve versioning for IIS is by querying the registry for an appropriate version value.

Major Version:	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ MajorVersion
Minor Version:	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ MinorVersion

Major Version:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp
Minor Version:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp

The major and minor version numbers are retrieved and amalgamated together.

Operating System Inference

Due to the tight integration of IIS with the underlying Windows operating system a specific version of IIS can only be found in one lifecycle of a Windows release, IIS may be found in more than one version of Windows but you will not find more than one version of IIS available for a specific version of the operating system.

IIS Version	Windows Version
IIS 1.0	Windows NT 3.51
IIS 2.0	Windows NT 4.0
IIS 3.0	Windows NT 4.0 SP3
IIS 4.0	Windows NT 4.0 Options Pack
IIS 5.0	Windows 2000
IIS 5.1	Windows XP Professional x32
IIS 6.0	Windows Server 2003
	Windows Server 2003 R2
	Windows XP Professional x64
IIS 7.0	Windows Vista
	Windows 7
	Windows Server 2008
IIS 7.5	Windows Server 2008 R2
IIS 8.0	Windows Server 2012
IIS 8.5	Windows Server 2012 R2
IIS 10	Windows Server 2016
	Windows Server 2019
	Windows Server 2022

Due to the fact that older versions of IIS/NT are no longer used and that it is relatively difficult to tell the difference between Windows XP Pro x32 and x64 we have chosen to only provide mappings for a subset of the available IIS versions, this is to ensure that where we infer this information from the Operating System we are positive that we are providing the correct information and not providing misleading data.

Application Model Produced by Software Pattern

Product Architecture

The IIS services are integrated with the OS and started via the Windows Services manager.

Once started the software will run under a number of guises, different aspects of the service can be seen in different manners, for example the WWW .net worker process is a unique executable which handles ASP.net processes where as the actual web hosting functionality is ran using svchost.exe with the arguments "-k iissvcs".

All or some of these processes may be present on a given host, the only process that is always present on a running installation of IIS v6 is the Microsoft IIS Management Service represented by the process "inetinfo.exe". "inetinfo.exe" may or may not be running on IIS v7 and above, as only supplied for backwards compatibility purposes.

Application Model

The Software instances created by these patterns are based on the core IIS Service, the Web Hosting Service and the FTP hosting service. They create separate Software Instances for these services.

Dependency links are created between the Webserver and the IIS Service, and between the FTP Server and the IIS Service

So a typical installation might look like

Configuration Options

There is a configuration option for this product which allows to use Windows system root location (absolute path).

E.g.

sysroot_directories :=[ "C:\\Windows", "C:\\WINNT"];

SI Depth

As there can only be a single running installation of IIS on a specific host the pattern will always create a Deep/Instance Based Software Instance.

Listing of IIS Websites, Web Applications, Virtual Directories and Application pools

A separate pattern (IIS_Extended) has been created to query the IIS Websites, Web Applications, Virtual Directories and Application pools. For more information about this pattern, please refer to the relevant page

Database relationship discovery

Database relationship discovery is performed by IIS_Extended pattern, please refer to the relevant page for more details

Subject Matter Expertise

SME input would be appreciated to improve the model of IIS further.

Testing

This pattern has been tested against multiple running installations of IIS on a variety of Windows hosts.

Information Sources

A list of IIS 7.0 services is at http://blogs.iis.net/tomwoolums/archive/2009/02/13/the-services-behind-internet-information-services-7-0.aspx

http://blogs.iis.net/thomad/archive/2008/05/07/the-iis-process-model-features.aspx

Open Issues

TOP

Created by: [Rebecca Shalfield|User Rebecca Shalfield] 25 Mar 2009
Updated by: [Chris Blake|User Chris Blake] 18 July 2013
Reviewed by: [Nikola Vukovljak|User Nikola Vukovljak] 24 Oct 2012

Microsoft Internet Information Services