Administering Web Resources in - PowerPoint PPT Presentation

Slides: 52
Provided by: zz91
1
Chapter 7
  • Administering Web Resources in
  • Windows Server 2003

2
Objectives
  • Install and configure Internet Information
    Services (IIS)
  • Create and configure Web-site virtual servers and
    virtual directories
  • Configure Web-site authentication
  • Configure and maintain FTP virtual servers
  • Update and maintain security for an IIS server
  • Create and modify Web folders
  • Install and use the Remote Administration (HTML)
    tools
  • Troubleshoot Web client-browser connectivity

3
Installing and Configuring Internet Information
Services
  • Internet Information Services (IIS) 6.0
  • Provides Web-related services to an organization
  • Four main components
  • World Wide Web (HTTP) services
  • Provides the capability of hosting multiple Web
    sites accessible from the Internet or an intranet
  • File Transfer Protocol (FTP) services
  • Provides the ability to copy files between the
    server and a remote location

4
Installing and Configuring Internet Information
Services (Continued)
  • Network News Transfer Protocol (NNTP) services
  • Used to provide a means of maintaining a list of
    topics and threaded conversations between users
  • Simple Mail Transfer Protocol (SMTP) services
  • Provides e-mail capabilities to the other
    services of IIS

5
Installing Internet Information Services
  • IIS 6.0
  • Not installed by default during a standard
    installation of Windows Server 2003
  • Individual IIS components can be manually
    installed via the Add or Remove Programs applet
    in Control Panel

6
Internet Information Services components
7
Installing Internet Information Services
(Continued)
  • Changes on the server after a successful
    installation of IIS
  • Additional folders on the hard drive
  • systemroot\system32\inetsrv
  • C:\Inetpub
  • C:\WINDOWS\Help\iishelp
  • Additional user objects in Active Directory
  • IUSR_servername
  • IWAM_servername
  • IIS_WPG group

8
Installing Internet Information Services
(Continued)
  • Changes on the server after a successful
    installation of IIS (Continued)
  • Additional services installed within the
    operating system
  • FTP Publishing Service
  • IIS Admin Service
  • Network News Transfer Protocol (NNTP)
  • Simple Mail Transfer Protocol (SMTP)
  • World Wide Web Publishing Service

9
Architectural Changes in IIS 6.0
  • Metabase
  • Central storage location for IIS configuration
    information
  • Stored in two standard Extensible Markup Language
    (XML) files
  • MetaBase.xml
  • Contains the actual configuration settings for
    IIS 6.0
  • MBSchema.xml
  • Contains the XML schema that provides the default
    values of the various metabase properties

10
Architectural Changes in IIS 6.0 (Continued)
  • A number of process management and administration
    features have been introduced in IIS 6.0

11
Configuring Web Server Properties
  • IIS MMC snap-in
  • Primary tool used for configuration purposes
  • Available on the Administrative Tools menu
  • Initially displays the default sites and
    services
  • FTP Sites
  • Application Pools
  • Web Sites
  • Web Service Extensions
  • Default SMTP Virtual Server
  • Default NNTP Virtual Server

12
Configuring Web Server Properties (Continued)
  • Master properties
  • IIS parameters that are
  • Configured at the site-folder level
  • Inheritable by all Web or FTP sites hosted on the
    server
  • Benefit
  • You can quickly set various common configurations
    on all Web or FTP sites at once
  • Configuration settings changed at the site,
    folder, or file level override the master
    properties

13
Creating and Configuring Web-Site Virtual Servers
  • IIS can host a large number of Web sites or
    virtual servers on a single server
  • Virtual server
  • A unique Web site that behaves as if it were on
    its own dedicated server
  • Before creating a Web site
  • Identify the IP address to which the Web site
    responds
  • Identify the TCP port to which the Web site
    responds
  • If you have multiple virtual servers responding
    to the same IP address, identify the host header
    name to which your new Web site responds

14
Creating and Configuring Web-Site Virtual Servers
(Continued)
  • Each Web site on your server must have a way of
    being uniquely identified
  • Ways to make sure that each Web site is unique
  • Use a separate IP address to distinguish each Web
    site
  • Use a single IP address with a specific port
    number for each Web site
  • Use a single IP address with multiple host
    headers representing each Web site
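
An added example, not part of the original slides: a simplified model of how an IP address, TCP port and host header together identify a site, with a check for two sites claiming the same identity. The site names, addresses and the function names find_conflicts and resolve_site are constructed for illustration.

```python
from collections import Counter

# Constructed sample bindings: (site name, IP address, TCP port, host header).
# An empty host header means the site answers any host name on that IP and port.
BINDINGS = [
    ("Default Web Site", "192.168.1.10", 80, ""),
    ("Intranet", "192.168.1.10", 80, "intranet.example.com"),
    ("HR", "192.168.1.10", 80, "hr.example.com"),
    ("Reports", "192.168.1.10", 8080, ""),
    ("Extranet", "192.168.1.11", 80, ""),
]


def find_conflicts(bindings):
    """Return the (ip, port, host) identities claimed by more than one site."""
    counts = Counter((ip, port, host.lower()) for _, ip, port, host in bindings)
    return sorted(key for key, n in counts.items() if n > 1)


def resolve_site(bindings, ip, port, host_header):
    """Pick the site for a request: exact host header first, then a blank one."""
    host = host_header.split(":")[0].lower()  # drop any ":port" suffix
    fallback = None
    for name, b_ip, b_port, b_host in bindings:
        if (b_ip, b_port) != (ip, port):
            continue
        if host and b_host.lower() == host:
            return name
        if b_host == "":
            fallback = name
    return fallback  # None when nothing listens on that IP and port


if __name__ == "__main__":
    print(find_conflicts(BINDINGS))
    for request in [("192.168.1.10", 80, "hr.example.com"),
                    ("192.168.1.10", 80, "unknown.example.com"),
                    ("192.168.1.10", 8080, "hr.example.com:8080"),
                    ("192.168.1.12", 80, "hr.example.com")]:
        print(request, "->", resolve_site(BINDINGS, *request))
```

A request whose host name matches no host header lands on the site with the blank header, so that site's content and authentication settings are what an unexpected host name reaches.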

15
Creating and Configuring Web-Site Virtual Servers
(Continued)
  • Web Site Creation Wizard
  • Provides a simple, step-by-step method of
    creating and initially configuring Web sites
  • iisweb.vbs script
  • Can be used to create new Web sites from the
    Windows Server 2003 command line

16
Modifying Web-Site Properties
  • Once a Web site is created, a number of
    properties can be modified to fine-tune the
    parameters of the site
  • Configuring the properties page for a specific
    Web site affects only that site and no others
  • Any parameters configured at the Web-site level
    override the master properties that may have been
    set at the server level

17
Web site properties tabs
18
Creating Virtual Directories
  • To include information stored on multiple servers
    in a Web site
  • Create a virtual directory that specifically
    points to the shared folder that stores the data
  • An alias of the virtual directory can be used to
  • Hide the real directory name
  • Simplify the path that the server should use to
    access the information

19
Configuring Authentication for Web Sites
  • All Windows Server 2003 servers require that any
    user who tries to access the server be
    authenticated to a valid user account
  • Authentication
  • Determining whether or not a user has a valid
    user account with the proper permissions to
    access a resource

20
Configuring Authentication for Web Sites
  • IIS provides five levels of authentication
  • Anonymous access
  • Basic authentication
  • Digest authentication
  • Integrated Windows authentication
  • .NET Passport authentication
  • Authentication settings are configured from
    within the properties of a Web site in the
    Authentication and access control section of the
    Directory Security tab

21
Configuring Web site authentication options
22
Anonymous Access
  • Allows users to access a Web site without having
    to provide a user name and password
  • IUSR_servername user account
  • Used by IIS to provide the required
    authentication credentials to a user
  • Member of the Domain Users (on a domain
    controller) and Guests groups by default

23
Basic Authentication
  • Prompts users for a user name and password to be
    able to access the Web resource
  • Requirement
  • User needs to have a valid Windows Server 2003
    user account to be able to gain access to the Web
    site
  • Potential problem
  • User name and password are transmitted using
    Base64 encoding (not encryption) and can easily
    be captured and read by hackers

24
Digest Authentication
  • Works the same way as Basic authentication
  • Difference from Basic authentication
  • User name and password are hashed using the MD5
    algorithm to prevent hackers from obtaining the
    information

25
Digest Authentication (Continued)
  • Requirements
  • Users must
  • Be running Internet Explorer 5.0 or higher
  • Have an account in Active Directory or a trusted
    domain
  • An IIS server using Digest authentication must
  • Be part of an Active Directory domain
  • Be running HTTP 1.1 and WebDAV
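
An added example, not part of the original slides, contrasting what the Basic and Digest slides describe: a Basic header decodes straight back to the user name and password, while a Digest response is an MD5 value the server checks by recomputing it. The header and field values are the worked examples published in RFC 2617; the function names are chosen for illustration.

```python
import base64
import hashlib
import hmac

# Sample values are the worked examples published in RFC 2617.
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
DIGEST_FIELDS = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}


def decode_basic(header_value):
    """Basic: the credential is only Base64-encoded, so decoding recovers it."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(f, method, password):
    """Digest (RFC 2617, qop=auth): MD5 over the secret, the nonce and the request."""
    ha1 = md5_hex(f"{f['username']}:{f['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")


def verify_digest(f, method, password):
    """Server side: recompute the response from the stored secret and compare."""
    return hmac.compare_digest(digest_response(f, method, password), f["response"])


if __name__ == "__main__":
    print(decode_basic(BASIC_HEADER))
    print(verify_digest(DIGEST_FIELDS, "GET", "Circle Of Life"))
    # The same captured response fails once the server issues a different nonce.
    print(verify_digest(dict(DIGEST_FIELDS, nonce="0" * 32), "GET", "Circle Of Life"))
```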

26
Integrated Windows Authentication
  • Does not ask the user for a password
  • Uses the client's currently logged-on credentials
    to supply a challenge/response to the Web server
  • Primarily used on internal intranets
  • Once this choice has been enabled, it can only be
    used if
  • Anonymous access is disabled on the Web site
  • Windows file permissions have been set, requiring
    users to provide authentication to access the
    resources

27
.NET Passport Authentication
  • Allows a Web site to use the functionality of the
    .NET Passport service to authenticate user
    identities
  • Requirements for authenticating users with a .NET
    Passport
  • The company must
  • Carry out a variety of preproduction tests with
    Microsoft
  • Go through a registration process

28
.NET Passport Authentication (Continued)
  • The following rules apply if multiple
    authentication methods are configured
  • If Anonymous authentication and one other method
    are selected, the other method only applies if
    Anonymous authentication fails
  • FTP sites cannot use Digest, Integrated Windows,
    or .NET Passport authentication
  • Both Digest and Integrated Windows authentication
    take precedence over Basic authentication

29
Configuring Server Certificates and Secure
Sockets Layer
  • Secure Sockets Layer (SSL) protocol
  • Used to encrypt Web traffic between a client and
    the Web server
  • Clients can access a secure server using SSL by
    using URLs that begin with https:// instead of
    the http:// prefix
  • Implemented using the Directory Security tab of a
    Web site

30
Configuring Server Certificates and Secure
Sockets Layer (Continued)
  • A server certificate
  • Needed to use SSL on a Web server
  • Can be
  • Obtained from a certificate authority (CA)
  • Created by the company itself for internal
    purposes

31
Configuring FTP Virtual Servers
  • File Transfer Protocol (FTP)
  • Used to transfer files between two computers that
    are both running TCP/IP
  • The FTP service included with IIS 6.0 enables
    users to transfer files to and from it using FTP
    client software such as
  • The command-line ftp utility
  • A Web browser

32
File Transfer Protocol
  • FTP
  • An industry-standard method of transferring files
    between two hosts running TCP/IP
  • Uses two ports for connections during a single
    session
  • TCP port 21
  • Usually used to initiate the connection and for
    diagnostic functions
  • TCP port 20
  • Usually used to pass data

33
File Transfer Protocol (Continued)
  • Transmission Control Protocol (TCP)
  • Used by FTP for file transfers
  • A connection-based protocol
  • To use FTP to transfer files between two
    computers
  • One machine must be running FTP client software
  • Other machine must be running FTP server software

34
Configuring FTP Properties
  • When multiple FTP sites are configured to run on
    a single IIS 6.0 server, each site
  • Behaves and operates independently
  • Appears to the client to be running on its own
    FTP server
  • Has its own set of property sheets
  • Five tabs are available from the site properties
    window of an FTP site

35
FTP site property tabs
36
Creating an FTP Site Virtual Server
  • New FTP sites can be created by
  • Using the Internet Information Services tool
  • Scripting
  • FTP sites allow you to create virtual directories
    that can be both local and remote to the IIS
    server

37
Updating and Maintaining Security for an IIS
Server Resource Permissions
  • Specify the types of access users are granted
  • Types of permissions
  • NTFS permissions
  • IIS permissions
  • To provide the most security for Web content
  • Combine NTFS permissions and IIS permissions

38
IP Address and Domain Name Security
  • To secure Web content
  • Administrators can grant or deny access to users
    based on their
  • IP address
  • Administrators can grant or deny access to
  • An individual IP address
  • A particular address range
  • Domain name
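
An added example, not part of the original slides: a model of evaluating a site's IP address restrictions, where the site either grants everyone except the listed entries or denies everyone except the listed entries. Entries are a single address or a network ID with subnet mask; domain-name entries are left out because they need a reverse DNS lookup. The addresses and the function names are constructed for illustration.

```python
import ipaddress


def parse_entry(entry):
    """'10.1.2.3' is a single computer; '10.1.0.0/255.255.0.0' is a range."""
    if "/" in entry:
        # strict=True rejects a network ID that has host bits set
        return ipaddress.ip_network(entry, strict=True)
    return ipaddress.ip_network(entry + "/32")


def is_allowed(client_ip, default_grant, exceptions):
    """default_grant=True: all clients are granted except the listed entries.
    default_grant=False: all clients are denied except the listed entries."""
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in parse_entry(entry) for entry in exceptions)
    return default_grant != listed


def broad_entries(exceptions, max_hosts):
    """Flag entries that cover more addresses than an administrator expects."""
    return [e for e in exceptions if parse_entry(e).num_addresses > max_hosts]


if __name__ == "__main__":
    # Constructed policy: deny by default, grant the internal range and one host.
    granted = ["10.1.0.0/255.255.0.0", "192.168.7.20"]
    for ip in ["10.1.5.9", "192.168.7.20", "192.168.7.21", "203.0.113.7"]:
        print(ip, "granted" if is_allowed(ip, False, granted) else "denied")
    print(broad_entries(granted + ["10.0.0.0/255.0.0.0"], 65536))
```

Running a client's address through the same check is a quick way to confirm whether a restriction, rather than permissions or authentication, is what blocks a user during troubleshooting.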

39
Starting and Stopping Services
  • At some point, administrators may need to stop
    and restart services related to IIS for
    administrative purposes
  • IIS 6.0 allows services to be stopped and
    restarted through the Internet Information
    Services console

40
Backing Up the IIS Configuration
  • Options for backing up the metabase
  • Use the backup utility in the IIS console to back
    up the database
  • Copy the contents of the backup directory to
    another folder to provide redundancy after an
    initial backup has been performed
  • Use the metabase editor tool to export the
    contents of the database to a text file
  • Use the iisback.vbs script
  • Use the Windows Server 2003 Backup utility or a
    third-party utility and choose to back up System
    State data

41
Backing Up the IIS Configuration (Continued)
  • Two common types of updates that can be applied
    to an IIS server
  • Service packs
  • Hot fixes
  • Microsoft Baseline Security Analyzer
  • Can be used to determine which IIS hot fixes are
    currently installed on the Web server

42
Creating and Modifying Web Folders
  • A Web folder
  • Designed to be accessed from the Internet or an
    intranet using the HTTP or FTP protocols
  • Web Sharing tab
  • Used to configure a folder to be shared over the
    Web
  • Access permissions and application permissions
    can be configured for Web folders

43
Web folder access permissions and Application
permissions
44
Installing and Using Remote Administration (HTML)
Tools
  • Remote Administration (HTML) tools
  • Can be used to remotely manage
  • IIS 6.0 servers
  • System elements, such as
  • Network settings
  • Disk quotas
  • Installation
  • Must be added manually via the Add/Remove Windows
    Components feature of Add or Remove Programs in
    Control Panel

45
Troubleshooting Web Client Connectivity Problems
Client Access Problems
  • Problem
  • Users unable to gain access to an IIS Server
  • To troubleshoot
  • Verify the TCP/IP configuration settings that
    have been configured on the client
  • Check the proxy settings that have been
    configured through the client's Web browser

46
Troubleshooting Web Client Connectivity Problems
Client Access Problems (Continued)
  • Check for obvious problems such as
  • Whether the proxy server is available and online
  • Whether the client is connected to the network
  • Enable or disable the Show friendly HTTP error
    messages options in the properties of Internet
    Explorer
  • Use a protocol analyzer to capture packets moving
    between the client and the Web server to
    determine where communications errors may be
    taking place

47
Troubleshooting Web Client Connectivity Problems
Client Access Problems (Continued)
  • Problem
  • Users complaining that they are unable to gain
    access to a Web site or FTP site configured on an
    IIS server
  • To troubleshoot
  • Check permissions assigned to the site
  • Check to see which authentication method has been
    configured for the site
  • Check to see what IP address and domain name
    restrictions have been applied to the site

48
Troubleshooting Web Client Connectivity Problems
Client Access Problems (Continued)
  • If there is a connection limit set for the site,
    make sure this limit has not been exceeded
  • If the service has been configured to use a port
    other than the default, make sure the client is
    specifying the correct port number
  • If you have not enabled Anonymous access, make
    sure the client has a valid user account
  • On the client computers, from the command prompt,
    type ipconfig /flushdns to clear the DNS cache

49
Summary
  • Internet Information Services includes four main
    components
  • World Wide Web (HTTP) services
  • File Transfer Protocol (FTP) services
  • Network News Transfer Protocol (NNTP) services
  • Simple Mail Transfer Protocol (SMTP) services
  • Master properties
  • IIS parameters that can be configured on the
    server and are inheritable by all Web and FTP
    sites hosted on the server

50
Summary (Continued)
  • Multiple Web sites can be distinguished on a
    single Web server by
  • Configuring individual IP addresses for each site
  • Configuring individual port numbers for each site
  • Configuring a host header for each site
  • A virtual directory
  • Can be used to include information that may be
    stored on a different server from the one on
    which the Web site home directory is located
  • By default, Anonymous access is used to allow
    public access to a Web site

51
Summary (Continued)
  • Five main authentication methods used in IIS
  • Anonymous
  • Basic
  • Digest
  • .NET Passport
  • Integrated Windows authentication
  • Regular IIS maintenance tasks include
  • Backing up the IIS configuration
  • Starting or stopping services
  • Installing hot fixes or service packs