Hands-On Microsoft Windows Server 2003 Administration Chapter 7 Administering Web Resources in Windows Server 2003

Post on 21-Dec-2015


Objectives

• Install and configure Internet Information Services (IIS)
• Create and configure Web-site virtual servers and virtual directories
• Configure Web-site authentication
• Configure and maintain FTP virtual servers
• Update and maintain security for an IIS server
• Create and modify Web folders
• Install and use the Remote Administration (HTML) tools
• Troubleshoot Web client-browser connectivity

Installing and Configuring Internet Information Services

• Internet Information Services (IIS) 6.0
  – Provides Web-related services to an organization
  – Four main components
    • World Wide Web (HTTP) services
      – Provides the capability of hosting multiple Web sites accessible from the Internet or an intranet
    • File Transfer Protocol (FTP) services
      – Provides the ability to copy files between the server and a remote location

Installing and Configuring Internet Information Services (Continued)

    • Network News Transfer Protocol (NNTP) services
      – Used to provide a means of maintaining a list of topics and threaded conversations between users
    • Simple Mail Transfer Protocol (SMTP) services
      – Provides e-mail capabilities to the other services of IIS

Installing Internet Information Services

• IIS 6.0
  – Not installed by default during a standard installation of Windows Server 2003
  – Individual IIS components can be manually installed via the Add or Remove Programs applet in Control Panel

[Figure: Internet Information Services components]

Installing Internet Information Services (Continued)

• Changes on the server after a successful installation of IIS
  – Additional folders on the hard drive
    • %systemroot%\system32\inetsrv
    • C:\Inetpub
    • C:\WINDOWS\Help\iishelp
  – Additional user objects in Active Directory
    • IUSR_servername
    • IWAM_servername
    • IIS_WPG group

Installing Internet Information Services (Continued)

• Changes on the server after a successful installation of IIS (Continued)
  – Additional services installed within the operating system
    • FTP Publishing Service
    • IIS Admin Service
    • Network News Transfer Protocol (NNTP)
    • Simple Mail Transfer Protocol (SMTP)
    • World Wide Web Publishing Service

Architectural Changes in IIS 6.0

• Metabase
  – Central storage location for IIS configuration information
  – Stored in two standard Extensible Markup Language (XML) files
    • MetaBase.xml
      – Contains the actual configuration settings for IIS 6.0
    • MBSchema.xml
      – Contains the XML schema that provides the default values of the various metabase properties

Architectural Changes in IIS 6.0 (Continued)

• A number of process management and administration features have been introduced in IIS 6.0

Configuring Web Server Properties

• IIS MMC snap-in
  – Primary tool used for configuration purposes
  – Available on the Administrative Tools menu
  – Initially displays the default sites and services:
    • FTP Sites
    • Application Pools
    • Web Sites
    • Web Service Extensions
    • Default SMTP Virtual Server
    • Default NNTP Virtual Server

Configuring Web Server Properties (Continued)

• Master properties
  – IIS parameters that are
    • Configured at the site-folder level
    • Inheritable by all Web or FTP sites hosted on the server
  – Benefit
    • You can quickly set various common configurations on all Web or FTP sites at once
  – Configuration settings changed at the site, folder, or file level override the master properties

Creating and Configuring Web-Site Virtual Servers

• IIS can host a large number of Web sites or virtual servers on a single server
  – Virtual server
    • A unique Web site that behaves as if it were on its own dedicated server
• Before creating a Web site
  – Identify the IP address to which the Web site responds
  – Identify the TCP port to which the Web site responds
  – If you have multiple virtual servers responding to the same IP address, identify the host header name to which your new Web site responds

Creating and Configuring Web-Site Virtual Servers (Continued)

• Each Web site on your server must have a way of being uniquely identified
• Ways to make sure that each Web site is unique
  – Use a separate IP address to distinguish each Web site
  – Use a single IP address with a specific port number for each Web site
  – Use a single IP address with multiple host headers representing each Web site
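
The uniqueness rule above can be checked mechanically. The following is an added example, not part of the original slides: it parses binding strings in the IIS `IP:Port:HostHeader` form (an empty IP means all unassigned addresses), reports sites that share an identical binding, and shows which site would answer a request. The site names, addresses and the resolution order (host header match first, then specific IP) are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sample: site name -> list of "IP:Port:HostHeader" bindings.
SITES = {
    "Default":  [":80:"],
    "Intranet": ["192.168.1.10:80:"],            # distinguished by IP address
    "Admin":    [":8080:"],                      # distinguished by port
    "Sales":    [":80:sales.example.com"],       # distinguished by host header
    "Support":  [":80:support.example.com"],
    "Staging":  [":80:sales.example.com"],       # duplicate of Sales
}


def parse_binding(binding):
    """Split a binding string into (ip, port, host); '*' stands for any IP."""
    ip, port, host = binding.split(":", 2)
    return (ip or "*", int(port), host.lower())


def find_conflicts(sites):
    """Return {binding: [site, ...]} for bindings claimed by more than one site."""
    owners = defaultdict(list)
    for name, bindings in sites.items():
        for binding in bindings:
            owners[parse_binding(binding)].append(name)
    return {key: names for key, names in owners.items() if len(names) > 1}


def resolve(sites, dest_ip, dest_port, host_header):
    """Pick the site whose binding matches the request most specifically."""
    host = host_header.split(":")[0].lower()
    best = None
    for name, bindings in sites.items():
        for binding in bindings:
            ip, port, bound_host = parse_binding(binding)
            if port != dest_port or ip not in ("*", dest_ip):
                continue
            if bound_host not in ("", host):
                continue
            # Assumed ordering: a host header match outranks a specific IP.
            score = (bound_host != "", ip != "*")
            if best is None or score > best[0]:
                best = (score, name)
    return best[1] if best else None


if __name__ == "__main__":
    for binding, names in find_conflicts(SITES).items():
        print("conflict", binding, names)
    print(resolve(SITES, "192.168.1.20", 80, "support.example.com"))
```
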

Creating and Configuring Web-Site Virtual Servers (Continued)

• Web Site Creation Wizard
  – Provides a simple, step-by-step method of creating and initially configuring Web sites
• iisweb.vbs script
  – Can be used to create new Web sites from the Windows Server 2003 command line

Modifying Web-Site Properties

• Once a Web site is created, a number of properties can be modified to fine-tune the parameters of the site
• Configuring the properties page for a specific Web site affects only that site and no others
• Any parameters configured at the Web-site level override the master properties that may have been set at the server level

[Figure: Web site properties tabs]

Creating Virtual Directories

• To include information stored on multiple servers in a Web site
  – Create a virtual directory that specifically points to the shared folder that stores the data
• An alias of the virtual directory can be used to
  – Hide the real directory name
  – Simplify the path that the server should use to access the information

Configuring Authentication for Web Sites

• All Windows Server 2003 servers require that any user who tries to access the server be authenticated to a valid user account
• Authentication
  – Determining whether or not a user has a valid user account with the proper permissions to access a resource

Configuring Authentication for Web Sites

• IIS provides five levels of authentication
  – Anonymous access
  – Basic authentication
  – Digest authentication
  – Integrated Windows authentication
  – .NET Passport authentication
• Authentication settings are configured from within the properties of a Web site in the Authentication and access control section of the Directory Security tab

[Figure: Configuring Web site authentication options]

Anonymous Access

• Allows users to access a Web site without having to provide a user name and password
• IUSR_servername user account
  – Used by IIS to provide the required authentication credentials to a user
  – Member of the Domain Users (on a domain controller) and Guests groups by default

Basic Authentication

• Prompts users for a user name and password to be able to access the Web resource
• Requirement
  – User needs to have a valid Windows Server 2003 user account to be able to gain access to the Web site
• Potential problem
  – User name and password are transmitted using Base64 encoding (not encryption) and can easily be captured and read by hackers

Digest Authentication

• Works the same way as Basic authentication
• Difference from Basic authentication
  – User name and password are hashed using the MD5 algorithm to prevent hackers from obtaining the information

Digest Authentication (Continued)

• Requirements
  – Users must
    • Be running Internet Explorer 5.0 or higher
    • Have an account in Active Directory or a trusted domain
  – An IIS server using Digest authentication must
    • Be part of an Active Directory domain
    • Be running HTTP 1.1 and WebDAV

Integrated Windows Authentication

• Does not ask the user for a password
• Uses the client’s currently logged-on credentials to supply a challenge/response to the Web server
• Primarily used on internal intranets
• Once this choice has been enabled, it can only be used if
  – Anonymous access is disabled on the Web site
  – Windows file permissions have been set, requiring users to provide authentication to access the resources

.NET Passport Authentication

• Allows a Web site to use the functionality of the .NET Passport service to authenticate user identities
• Requirements for authenticating users with a .NET Passport
  – The company must
    • Carry out a variety of preproduction tests with Microsoft
    • Go through a registration process

.NET Passport Authentication (Continued)

• The following rules apply if multiple authentication methods are configured
  – If Anonymous authentication and one other method are selected, the other method only applies if Anonymous authentication fails
  – FTP sites cannot use Digest, Integrated Windows, or .NET Passport authentication
  – Both Digest and Integrated Windows authentication take precedence over Basic authentication

Configuring Server Certificates and Secure Sockets Layer

• Secure Sockets Layer (SSL) protocol
  – Used to encrypt Web traffic between a client and the Web server
  – Clients can access a secure server using SSL by using URLs that begin with https:// instead of the http:// prefix
  – Implemented using the Directory Security tab of a Web site

Configuring Server Certificates and Secure Sockets Layer (Continued)

• A server certificate
  – Needed to use SSL on a Web server
  – Can be
    • Obtained from a certificate authority (CA)
    • Created by the company itself for internal purposes

Configuring FTP Virtual Servers

• File Transfer Protocol (FTP)
  – Used to transfer files between two computers that are both running TCP/IP
• The FTP service included with IIS 6.0 enables users to transfer files to and from it using FTP client software such as
  – The command-line ftp utility
  – A Web browser

File Transfer Protocol

• FTP
  – An industry-standard method of transferring files between two hosts running TCP/IP
  – Uses two ports for connections during a single session
    • TCP port 21
      – Usually used to initiate the connection and for diagnostic functions
    • TCP port 20
      – Usually used to pass data

File Transfer Protocol (Continued)

• Transmission Control Protocol (TCP)
  – Used by FTP for file transfers
  – A connection-based protocol
• To use FTP to transfer files between two computers
  – One machine must be running FTP client software
  – Other machine must be running FTP server software

Configuring FTP Properties

• When multiple FTP sites are configured to run on a single IIS 6.0 server, each site
  – Behaves and operates independently
  – Appears to the client to be running on its own FTP server
  – Has its own set of property sheets
• Five tabs are available from the site properties window of an FTP site

[Figure: FTP site property tabs]

Creating an FTP Site Virtual Server

• New FTP sites can be created by:
  – Using the Internet Information Services tool
  – Scripting
• FTP sites allow you to create virtual directories that can be both local and remote to the IIS server

Updating and Maintaining Security for an IIS Server: Resource Permissions

  – Specify the types of access users are granted
  – Types of permissions
    • NTFS permissions
    • IIS permissions
  – To provide the most security for Web content
    • Combine NTFS permissions and IIS permissions

IP Address and Domain Name Security

• To secure Web content
  – Administrators can grant or deny access to users based on their
    • IP address
      – Administrators can grant or deny access to:
        » An individual IP address
        » A particular address range
    • Domain name
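
How a grant/deny list of this kind evaluates a request, as an added example that is not part of the original slides. It models a default action plus a list of exceptions (single IP, address range, domain name); the function names, the rule tuples and all addresses are constructed for illustration, and the client's reverse-DNS name is passed in as a parameter because domain entries depend on the server resolving it.

```python
import ipaddress

# Constructed sample policies: (default action, list of exceptions).
# Intranet site: everyone is denied except the listed entries.
INTRANET_ONLY = ("deny", [
    ("range", "10.1.0.0/255.255.0.0"),
    ("ip", "192.168.5.20"),
    ("domain", "corp.example.com"),
])
# Public site: everyone is granted except the listed entries.
BLOCK_LIST = ("grant", [
    ("ip", "203.0.113.7"),
    ("range", "198.51.100.0/24"),
])


def entry_matches(entry, addr, client_host):
    """True when one exception entry covers this client."""
    kind, value = entry
    if kind == "ip":
        return addr == ipaddress.ip_address(value)
    if kind == "range":
        return addr in ipaddress.ip_network(value)
    if kind == "domain":
        # No reverse-DNS name available: a domain entry cannot match.
        if client_host is None:
            return False
        host = client_host.lower().rstrip(".")
        # Match the domain itself or a host under it, on a label boundary.
        return host == value or host.endswith("." + value)
    raise ValueError(f"unknown entry kind: {kind}")


def is_granted(client_ip, default, exceptions, client_host=None):
    """Apply the default action, inverted for clients on the exception list."""
    if default not in ("grant", "deny"):
        raise ValueError("default must be 'grant' or 'deny'")
    addr = ipaddress.ip_address(client_ip)
    listed = any(entry_matches(e, addr, client_host) for e in exceptions)
    return (default == "grant") != listed


if __name__ == "__main__":
    for ip, host in [("10.1.44.3", None), ("10.2.0.1", None),
                     ("172.16.0.9", "pc7.corp.example.com"),
                     ("172.16.0.9", "notcorp.example.com")]:
        print(ip, host, is_granted(ip, *INTRANET_ONLY, client_host=host))
```
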

Starting and Stopping Services

• At some point, administrators may need to stop and restart services related to IIS for administrative purposes
• IIS 6.0 allows services to be stopped and restarted through the Internet Information Services console

Backing Up the IIS Configuration

• Options for backing up the metabase
  – Use the backup utility in the IIS console to back up the database
  – Copy the contents of the backup directory to another folder to provide redundancy after an initial backup has been performed
  – Use the metabase editor tool to export the contents of the database to a text file
  – Use the iisback.vbs script
  – Use the Windows Server 2003 Backup utility or a third-party utility and choose to back up System State data

Backing Up the IIS Configuration (Continued)

• Two common types of updates that can be applied to an IIS server
  – Service packs
  – Hot fixes
• Microsoft Baseline Security Analyzer
  – Can be used to determine which IIS hot fixes are currently installed on the Web server

Creating and Modifying Web Folders

• A Web folder
  – Designed to be accessed from the Internet or an intranet using the HTTP or FTP protocols
• Web Sharing tab
  – Used to configure a folder to be shared over the Web
• Access permissions and application permissions can be configured for Web folders

[Figure: Web folder access permissions and Application permissions]

Installing and Using Remote Administration (HTML) Tools

• Remote Administration (HTML) tools
  – Can be used to remotely manage
    • IIS 6.0 servers
    • System elements, such as
      – Network settings
      – Disk quotas
  – Installation
    • Must be added manually via the Add/Remove Windows Components feature of Add or Remove Programs in Control Panel

Troubleshooting Web Client Connectivity Problems: Client Access Problems

• Problem
  – Users unable to gain access to an IIS Server
• To troubleshoot
  – Verify the TCP/IP configuration settings that have been configured on the client
  – Check the proxy settings that have been configured through the client’s Web browser

Troubleshooting Web Client Connectivity Problems: Client Access Problems (Continued)

  – Check for obvious problems such as
    • Whether the proxy server is available and online
    • Whether the client is connected to the network
  – Enable or disable the Show friendly HTTP error messages option in the properties of Internet Explorer
  – Use a protocol analyzer to capture packets moving between the client and the Web server to determine where communications errors may be taking place

Troubleshooting Web Client Connectivity Problems: Client Access Problems (Continued)

• Problem
  – Users complaining that they are unable to gain access to a Web site or FTP site configured on an IIS server
• To troubleshoot
  – Check permissions assigned to the site
  – Check to see which authentication method has been configured for the site
  – Check to see what IP address and domain name restrictions have been applied to the site

Troubleshooting Web Client Connectivity Problems: Client Access Problems (Continued)

  – If there is a connection limit set for the site, make sure this limit has not been exceeded
  – If the service has been configured to use a port other than the default, make sure the client is specifying the correct port number
  – If you have not enabled Anonymous access, make sure the client has a valid user account
  – On the client computers, from the command prompt, type “ipconfig /flushdns” to clear the DNS cache

Summary

• Internet Information Services includes four main components
  – World Wide Web (HTTP) services
  – File Transfer Protocol (FTP) services
  – Network News Transfer Protocol (NNTP) services
  – Simple Mail Transfer Protocol (SMTP) services
• Master properties
  – IIS parameters that can be configured on the server and are inheritable by all Web and FTP sites hosted on the server

Summary (Continued)

• Multiple Web sites can be distinguished on a single Web server by
  – Configuring individual IP addresses for each site
  – Configuring individual port numbers for each site
  – Configuring a host header for each site
• A virtual directory
  – Can be used to include information that may be stored on a different server from the one on which the Web site home directory is located
• By default, Anonymous access is used to allow public access to a Web site

Summary (Continued)

• Five main authentication methods used in IIS
  – Anonymous
  – Basic
  – Digest
  – .NET Passport
  – Integrated Windows authentication
• Regular IIS maintenance tasks include
  – Backing up the IIS configuration
  – Starting or stopping services
  – Installing hot fixes or service packs