Internet Information Services (IIS) 6.0

1
(Skill 6)
Introducing Internet Information Services 6.0

• Internet Information Services (IIS) 6.0
• Web server for Windows Server 2003
• Using IIS, you can publish Web pages and deploy
  scalable and reliable Web sites
• Optionally installed components
• Background Intelligent Transfer Service (BITS)
  server extension
• Common IIS program files
• File Transfer Protocol Service
• FrontPage 2002 Server Extensions
• Internet Information Services Manager
• Internet Printing
• NNTP Service
• SMTP Service
• World Wide Web Publishing Service

2
(Skill 6)
Introducing Internet Information Services 6.0 (2)

• The IIS Admin Service (also referred to as the
  IIS metabase) is the parent process for all IIS
  services
• When you stop the IIS Admin Service, all other
  services are also stopped
• IIS Admin also supplies the interface that is
  used to administer IIS and all of its components
• In IIS 6.0, the FTP, NNTP, and SMPT services as
  well as the IIS Admin service run in
  Inetinfo.exe, while the WWW service is hosted by
  the service host (Svchost.exe)

3
(Skill 6)
Introducing Internet Information Services 6.0 (3)

• Features
• Automatic restart Will automatically restart in
  the event of a system failure or when a Web
  application becomes unavailable
• Easy access to Web sites Each Web site has a
  unique socket that consists of an IP address and
  a port number to identify it
• Scalability You can assign different ports, IP
  addresses, or host header names to each Web site
• Bandwidth management The network or Internet
  connection used by a Web server is generally also
  used by multiple services running on the server
  such as an e-mail service
• Reliability The newly designed
  request-processing architecture in IIS 6.0 allows
  Web-based applications to run in an environment
  in which they are protected from the malfunctions
  of other applications

4
(Skill 6)
Iisrest.exe is configured to run by default
Figure 15-35 The IIS Admin Service Properties
dialog box
5
(Skill 6)
You can assign different ports, IP addresses, or
host header names to each Web site so that you
can host multiple Web sites on the same Web
server
Figure 15-36 The Add/Edit Web Site Identification
dialog box
6
(Skill 6)
Introducing Internet Information Services 6.0 (4)

• WebDAV (Web-based Distributed Authoring and
  Versioning)
• Is an extension of the HTTP protocol that is used
  to access files on a Web server through an HTTP
  connection
• The HTTP connection enables users to add, modify,
  and delete data from Web pages to facilitate Web
  page authoring

7
(Skill 6)
Used to limit the bandwidth used by IIS if the
bandwidth approaches or exceeds this limit,
bandwidth throttling delays or ejects IIS service
requests until more bandwidth becomes available
Figure 15-37 The Performance tab in the Default
Web Site Properties dialog box
8
(Skill 6)
Figure 15-38 Configuring an Application Server
9
(Skill 6)
Figure 15-39 Installing dynamic content tools
10
(Skill 6)
Figure 15-40 Enabling additional dynamic content
tools
11
(Skill 7)
Examining IIS Configuration Changes

• New accounts
• The IUSR_ltserver_namegt account is the account
  used for Anonymous access to the IIS server
• The IWAM_ltserver_namegt account is the user
  account used to start out-of-process applications
• The IIS_WPG group account is the worker process
  group
• New services (depending on components installed)
• FTP Publishing service
• Network News Transfer Protocol service
• Simple Mail Transfer Protocol service
• World Wide Web Publishing service
• Newl folders
• Inetpub
• Inetsrv
• Iishelp

12
(Skill 7)
Figure 15-41 IIS user and group accounts
13
(Skill 7)
Figure 15-42 The World Wide Web Publishing Service
14
(Skill 7)
Figure 15-43 Inetpub
15
(Skill 7)
Figure 15-44 The Inheritance Overrides dialog box
16
(Skill 8)
Managing IIS

• Internet Information Services (IIS) Manager is
  the main management tool for your Web server
• You can configure properties for an individual
  site or for all sites on the server
• You can tune Web site performance based on the
  number of visitors expected per day
• The default setting is to accept an unlimited
  number of connections
• To conserve bandwidth, you can limit the number
  of connections

17
(Skill 8)
Managing IIS (2)

• Security options and authentication methods
• Integrated Windows authentication is the default
  selection
• It uses either Kerberos or NTLM (also referred to
  as Windows NT Challenge/Response authentication)
• In NTLM, the user name and password are hashed
  before they are sent
• .NET Passport authentication method
• A user can create a single sign-in name and
  passport to access numerous Web sites
• The sites are configured to use the Passport
  single sign-on service (SSI)

18
(Skill 8)
Managing IIS (3)

• Tabs in the Default Web Site Properties dialog
  box you can use to configure options
• HTTP Headers
• Custom Errors
• Documents
• Home Directory
• ISAPI Filters

19
(Skill 8)
By default, the Enable Logging check box and W3C
Extended Log File Format are selected this
includes logging for the Time Taken, Client IP
Address, Method, URI Stem, and HTTP Status fields
Figure 15-45 The Web Site tab
20
(Skill 8)
Use to limit the bandwidth of your Web server
You can limit the number of connections your IIS
server will accept in order to conserve bandwidth
and memory and to protect your Web server from
overload attacks
Figure 15-46 The Performance tab
21
(Skill 8)
Click to disable anonymous access or edit the
authentication method
Click to start the Web Server Certificate Wizard
Figure 15-47 The Directory Security tab
22
(Skill 8)
Clear to disable anonymous access
Select to have users credentials sent as an MD5
message digest hash
Figure 15-48 The Authentication Methods dialog box
23
(Skill 8)
Figure 15-49 .NET Passport Authentication
24
(Skill 8)
Figure 15-50 The Deny Access dialog box
25
(Skill 8)
Figure 15-51 The HTTP Headers tab
26
(Skill 8)
Figure 15-52 The Content Ratings dialog box
27
(Skill 8)
Managing IIS (4)

• IIS backups
• Can be used to restore only the IIS
  configurations, not the content files or Registry
  settings
• Create copies of the metabase configuration file
  (MetaBase.xml) and the metabase schema file
  (MBschema.xml
• The metabase files are stored in the folder
  systemroot\system32\inetsrv

28
(Skill 8)
Figure 15-53 The Custom Errors tab
29
(Skill 8)
Figure 15-54 The Edit Custom Error Properties
dialog box
30
(Skill 8)
Figure 15-55 The ISAPI Filters tab
31
(Skill 8)
Automatic Backups
Figure 15-56 The Configuration Backup/Restore
dialog box
32
(Skill 9)
Configuring IIS Security

• You can use two types of permissions to control
  access to the resources on your Web server
• Web permissions apply to all HTTP clients and
  determine the level of access to server resources
  
• NTFS permissions detail the level of access
  individual users or groups can have for files and
  folders on the Web server
• Auditing allows you to monitor Web site usage to
  maintain the security of the Web server and to
  track the activities users perform on the site

33
(Skill 9)
Use if the directory has no executable files so
the server will not run scripts or executable
files in the directory
Use if only scripts such as .asp files can run on
the server the server will be able to execute
only the script types you have defined
Use when other types of executable files can run
on the server the types of applications that can
be run will not be limited to the Application
Mappings list as they are for the Scripts only
permission
Figure 15-57 Setting Execute permissions
34
(Skill 9)
When you use the Scripts only Execute permission,
the server will be able to execute only those
script types you have defined on the Application
Mappings list
Figure 15-58 The Application Configuration dialog
box
35
(Skill 9)
Configuring IIS Security (2)

• Certificates
• In IIS, digital identification files called
  certificates can be used to authenticate both the
  client and the server
• You use the Web Server Certificate Wizard to
  request certificates, apply certificates, and to
  remove them from a Web site
• Client certificates Optionally, part of the SSL
  Handshake Protocol can include client
  authentication to the server to validate users
  who are asking for data from your Web site
• Client Certificate mapping Another method is to
  map client certificates to Windows user accounts
  on the Web server

36
(Skill 9)
Figure 15-59 The Logging Properties dialog box
37
(Skill 9)
Figure 15-60 The Web Server Certificate Wizard
38
(Skill 9)
Figure 15-61 The location of SSL within the
TCP/IP Protocol suite
39
(Skill 9)
Figure 15-62 SSL Protocol layers
40
(Skill 9)
Figure 15-63 How SSL authenticates the server to
the client
41
(Skill 9)
Configuring IIS Security (3)

• Encryption
• Encryption is essential if sensitive data such as
  credit card information and personal data,
  including addresses and phone numbers, is being
  transmitted
• The SSL 3.0 protocol is the basis for IIS
  encryption
• The default secure communication settings for an
  IIS Web server requires that the users Web
  browser support a session key strength of 40 bits
  or above

42
(Skill 9)
This is the Windows Server 2003 default for SSL
secure communication sessions users must have a
browser that supports a 128-bit session key in
order to create an encrypted channel with your
server
Figure 15-64 The Secure Communications dialog box
43
(Skill 9)
Click to select all of the child nodes and apply
the site setting to the directories
Figure 15-65 Allowing directory settings to
override Web site settings
44
(Skill 10)
Administering the Web Environment

• IIS supports the hosting of multiple Web sites on
  a single Web server, so you can add new Web and
  FTP sites in addition to the defaults
• By default, the home directory for the WWW
  service is systemroot\Inetpub\wwwroot
• The default FTP service home directory is
  systemroot\InetPub\Ftproot
• A virtual directory is used to make a directory
  appear to be within the home directory, when it
  really isnt

45
(Skill 10)
Figure 15-66 Default WWW service home directory
46
(Skill 10)
Figure 15-67 Default FTP service home directory
47
(Skill 10)
Figure 15-68 The Web Site Creation Wizard
48
(Skill 10)
Figure 15-69 The Web Site Description screen
49
(Skill 10)
Figure 15-70 The IP Address and Port Settings
screen
50
(Skill 10)
Figure 15-71 The Web Site Home Directory screen
51
(Skill 10)
Figure 15-72 Specifying the path to the virtual
directory
52
(Skill 10)
Figure 15-73 Setting Virtual Directory Access
Permissions
53
(Skill 10)
Figure 15-74 Viewing the new Web site
54
(Skill 10)
Administering the Web Environment (2)

• The MetaBase.xml file is a text file that can be
  edited in any text editor such as Notepad
• IIS 6.0 also includes new logging functionality,
  UTF-8 (Uniform Transformation Format-8-bit)
  logging
• MIMES
• MIME types are used to prevent attackers from
  sending malicious files
• In IIS, only static files that have extensions on
  the MIME (Multipurpose Internet Mail Extensions)
  types list can be served to users
• A default global list of MIME types is installed
  with IIS 6.0

55
(Skill 10)
Figure 15-75 Enabling Direct Metabase Edit
56
(Skill 10)
Figure 15-76 The metabase History folder
57
(Skill 10)
Figure 15-77 The MIME Types dialog box
58
(Skill 11)
Creating Application Pools

• When you are running IIS 6.0 in worker process
  isolation mode, you can group Web applications
  into application pools
• You can assign any Web directory or virtual
  directory to an application pool
• Improves the efficiency of your IIS server
• Ensures that other Web applications will not have
  their service interrupted when the applications
  in the new application pool stop
• Guidelines for creating application pools
• Create an application pool for each Web site
• Configure a user account (process identity) for
  each application pool
• Create a unique application pool for applications
  that you want to run with their own unique set of
  properties

59
(Skill 11)
Figure 15-78 The Add New Application Pool dialog
box
60
(Skill 11)
Figure 15-79 Assigning an application to an
application pool
61
(Skill 11)
Figure 15-80 The Identity tab on the Properties
dialog box for an application pool
62
(Skill 12)
Troubleshooting the Web Environment

• IIS 6.0 has two modes
• Worker process isolation mode
• The default (and preferred) mode for IIS 6.0
• Capable of separating applications into isolated
  pools
• Identifies unhealthy processes, resources that
  are being overtaxed, and memory leaks
• IIS 5.0 isolation mode
• Should be used if you are running legacy Web
  applications that may not be compatible with
  worker process isolation mode
• Not as secure as worker process isolation mode

63
(Skill 12)
IIS 6.0 runs in one of two modes Worker process
isolation mode or IIS 5.0 isolation mode, which
provides backward compatibility with older
applications
Figure 15-81 Running the WWW service in IIS 5.0
isolation mode
64
(Skill 12)
Figure 15-82 Changing IIS modes
65
(Skill 12)
Figure 15-83 Enabling Web service extensions
66
(Skill 12)
Troubleshooting the Web Environment (2)

• IIS problems
• Applications are denied access to resources
• Users request dynamic content and receive error
  404
• Users request static content and receive error
  404
• The application session state is dropped by
  worker process recycling
• Clients receive error 503 (Service Unavailable
  message)

67
(Skill 12)
Clear to disable worker process recycling
Figure 15-84 Disabling worker process recycling
68
(Skill 12)
Figure 15-85 Increasing the application pool
queue length limit
69
(Skill 12)
Figure 15-86 Configuring rapid-fail protection