Hands-On Microsoft Windows Server 2003 Administration Chapter 7 Administering Web Resources in Windows Server 2003

2 Objectives Install and configure Internet Information Services (IIS) Create and configure Web-site virtual servers and virtual directories Configure Web-site authentication Configure and maintain FTP virtual servers Update and maintain security for an IIS server Create and modify Web folders Install and use the Remote Administration (HTML) tools Troubleshoot Web client-browser connectivity

3 Installing and Configuring Internet Information Services Internet Information Services (IIS) 6.0 –Provides Web-related services to an organization –Four main components World Wide Web (HTTP) services –Provides the capability of hosting multiple Web sites accessible from the Internet or an intranet File Transfer Protocol (FTP) services –Provides the ability to copy files between the server and a remote location

4 Installing and Configuring Internet Information Services (Continued) Network News Transfer Protocol (NNTP) services –Used to provide a means of maintaining a list of topics and threaded conversations between users Simple Mail Transfer Protocol (SMTP) services –Provides capabilities to the other services of IIS

5 Installing Internet Information Services IIS 6.0 –Not installed by default during a standard installation of Windows Server 2003 –Individual IIS components can be manually installed via the Add or Remove Programs applet in Control Panel

6 Internet Information Services components

7 Installing Internet Information Services (Continued) Changes on the server after a successful installation of IIS –Additional folders on the hard drive %systemroot%\system32\inetsrv C:\Inetpub C:\WINDOWS\Help\iishelp –Additional user objects in Active Directory ISUSR_servername IWAM_servername IIS_WPG group

8 Installing Internet Information Services (Continued) Changes on the server after a successful installation of IIS (Continued) –Additional services installed within the operating system FTP Publishing Service IIS Admin Service Network News Transfer Protocol (NNTP) Simple Mail Transfer Protocol (SMTP) World Wide Web Publishing Service

9 Architectural Changes in IIS 6.0 Metabase –Central storage location for IIS configuration information –Stored in two standard Extensible Markup Language (XML) files MetaBase.xml –Contains the actual configuration settings for IIS 6.0 MBSchema.xml –Contains the XML schema that provides the default values of the various metabase properties

10 Architectural Changes in IIS 6.0 (Continued) A number of process management and administration features have been introduced in IIS 6.0

11 Configuring Web Server Properties IIS MMC snap-in –Primary tool used for configuration purposes –Available on the Administrative Tools menu –Initially displays the default sites and services: FTP Sites Application Pools Web Sites Web Service Extensions Default SMTP Virtual Server Default NNTP Virtual Server

12 Configuring Web Server Properties (Continued) Master properties –IIS parameters that are Configured at the site-folder level Inheritable by all Web or FTP sites hosted on the server –Benefit You can quickly set various common configurations on all Web or FTP sites at once –Configuration settings changed at the site, folder, or file level override the master properties

13 Creating and Configuring Web-Site Virtual Servers IIS can host a large number of Web sites or virtual servers on a single server –Virtual server A unique Web site that behaves as if it were on its own dedicated server Before creating a Web site –Identify the IP address to which the Web site responds –Identify the TCP port to which the Web site responds –If you have multiple virtual servers responding to the same IP address, identify the host header name to which your new Web site responds

14 Creating and Configuring Web-Site Virtual Servers (Continued) Each Web site on your server must have a way of being uniquely identified Ways to make sure that each Web site is unique –Use a separate IP address to distinguish each Web site –Use a single IP address with a specific port number for each Web site –Use a single IP address with multiple host headers representing each Web site

15 Creating and Configuring Web-Site Virtual Servers (Continued) Web Site Creation Wizard –Provides a simple, step-by-step method of creating and initially configuring Web sites iisweb.vbs script –Can be used to create new Web sites from the Windows Server 2003 command line

16 Modifying Web-Site Properties Once a Web site is created, a number of properties can be modified to fine-tune the parameters of the site Configuring the properties page for a specific Web site affects only that site and no others Any parameters configured at the Website level override the master properties that may have been set at the server level

17 Web site properties tabs

18 Creating Virtual Directories To include information stored on multiple servers in a Web site –Create a virtual directory that specifically points to the shared folder that stores the data An alias of the virtual directory can be used to –Hide the real directory name –Simplify the path that the server should use to access the information

19 Configuring Authentication for Web Sites All Windows Server 2003 servers require that any user who tries to access the server be authenticated to a valid user account Authentication –Determining whether or not a user has a valid user account with the proper permissions to access a resource

20 Configuring Authentication for Web Sites IIS provides five levels of authentication –Anonymous access –Basic authentication –Digest authentication –Integrated Windows authentication –.NET Passport authentication Authentication settings are configured from within the properties of a Web site in the Authentication and access control section of the Directory Security tab

21 Configuring Web site authentication options

22 Anonymous Access Allows users to access a Web site without having to provide a user name and password IUSR_servername user account –Used by IIS to provide the required authentication credentials to a user –Member of the Domain Users (on a domain controller) and Guests groups by default

23 Basic Authentication Prompts users for a user name and password to be able to access the Web resource Requirement –User needs to have a valid Windows Server 2003 user account to be able to gain access to the Web site Potential problem –User name and password are transmitted using Base64 encoding (not encryption) and can easily be captured and read by hackers

24 Digest Authentication Works the same way as Basic authentication Difference from Basic authentication –User name and password are hashed using the MD5 algorithm to prevent hackers from obtaining the information

25 Digest Authentication (Continued) Requirements –Users must Be running Internet Explorer 5.0 or higher Have an account in Active Directory or a trusted domain –An IIS server using Digest authentication must Be part of an Active Directory domain Running HTTP 1.1 and WebDAV

26 Integrated Windows Authentication Does not ask the user for a password Uses the client’s currently logged-on credentials to supply a challenge/response to the Web server Primarily used on internal intranets Once this choice has been enabled, it can only be used if –Anonymous access is disabled on the Web site –Windows file permissions have been set, requiring users to provide authentication to access the resources

27.NET Passport Authentication Allows a Web site to use the functionality of the.NET Passport service to authenticate user identities Requirements for authenticating users with a.NET Passport –The company must Carry out a variety of preproduction tests with Microsoft Go through a registration process

28.NET Passport Authentication (Continued) The following rules apply if multiple authentication methods are configured –If Anonymous authentication and one other method are selected, the other method only applies if Anonymous authentication fails –FTP sites cannot use Digest, Integrated Windows, or.NET Passport authentication –Both Digest and Integrated Windows authentication take precedence over Basic authentication

29 Configuring Server Certificates and Secure Sockets Layer Secure Sockets Layer (SSL) protocol –Used to encrypt Web traffic between a client and the Web server –Clients can access a secure server using SSL by using URLs that begin with instead of the prefix –Implemented using the Directory Security tab of a Web site

30 Configuring Server Certificates and Secure Sockets Layer (Continued) A server certificate –Needed to use SSL on a Web server –Can be Obtained from a certificate authority (CA) Created by the company itself for internal purposes

31 Configuring FTP Virtual Servers File Transfer Protocol (FTP) –Used to transfer files between two computers that are both running TCP/IP The FTP service included with IIS 6.0 enables users to transfer files to and from it using FTP client software such as –The command-line ftp utility –A Web browser

32 File Transfer Protocol FTP –An industry-standard method of transferring files between two hosts running TCP/IP –Uses two ports for connections during a single session TCP port 21 –Usually used to initiate the connection and for diagnostic functions TCP port 20 –Usually used to pass data

33 File Transfer Protocol (Continued) Transmission Control Protocol (TCP) –Used by FTP for file transfers –A connection-based protocol To use FTP to transfer files between two computers –One machine must be running FTP client software –Other machine must be running FTP server software

34 Configuring FTP Properties When multiple FTP sites are configured to run on a single IIS 6.0 server, each site –Behaves and operates independently –Appears to the client to be running on its own FTP server –Has its own set of property sheets Five tabs are available from the site properties window of an FTP site

35 FTP site property tabs

36 Creating an FTP Site Virtual Server New FTP sites can be created by: –Using the Internet Information Services tool –Scripting FTP sites allow you to create virtual directories that can be both local and remote to the IIS server

37 Updating and Maintaining Security for an IIS Server: Resource Permissions –Specify the types of access users are granted –Types of permissions NTFS permissions IIS permissions –To provide the most security for Web content Combine NTFS permissions and IIS permissions

38 IP Address and Domain Name Security To secure Web content –Administrators can grant or deny access to users based on their IP address –Administrators can grant or deny access to: »An individual IP address »A particular address range Domain name

39 Starting and Stopping Services At some point, administrators may need to stop and restart services related to IIS for administrative purposes IIS 6.0 allows services to be stopped and restarted through the Internet Information Services console

40 Backing Up the IIS Configuration Options for backing up the metabase –Use the backup utility in the IIS console to back up the database –Copy the contents of the backup directory to another folder to provide redundancy after an initial backup has been performed –Use the metabase editor tool to export the contents of the database to a text file –Use the iisback.vbs script –Use the Windows Server 2003 Backup utility or a third party utility and choose to backup System State data

41 Backing Up the IIS Configuration (Continued) Two common types of updates that can be applied to a IIS Server –Service packs –Hot fixes Microsoft Baseline Security Analyzer –Can be used to determine which IIS hot fixes are currently installed on the Web server

42 Creating and Modifying Web Folders A Web folder –Designed to be accessed from the Internet or an intranet using the HTTP or FTP protocols Web Sharing tab –Used to configure a folder to be shared over the Web Access permissions and application permissions can be configured for Web folders

43 Web folder access permissions and Application permissions

44 Installing and Using Remote Administration (HTML) Tools Remote Administration (HTML) tools –Can be used to remotely manage IIS 6.0 servers System elements, such as –Network settings –Disk quotas –Installation Must be added manually via the Add/Remove Windows Components feature of Add or Remove Programs in Control Panel

45 Troubleshooting Web Client Connectivity Problems: Client Access Problems Problem –Users unable to gain access to an IIS Server To troubleshoot –Verify the TCP/IP configuration settings that have been configured on the client –Check the proxy settings that have been configured through the client’s Web browser

46 Troubleshooting Web Client Connectivity Problems: Client Access Problems (Continued) –Check for obvious problems such as Whether the proxy server is available and online Whether the client is connected to the network –Enable or disable the Show friendly HTTP error messages options in the properties of Internet Explorer –Use a protocol analyzer to capture packets moving between the client and the Web server to determine where communications errors may be taking place

47 Troubleshooting Web Client Connectivity Problems: Client Access Problems (Continued) Problem –Users complaining that they are unable to gain access to a Web site or FTP site configured on an IIS server To troubleshoot –Check permissions assigned to the site –Check to see which authentication method has been configured for the site –Check to see what IP address and domain name restrictions have been applied to the site

48 Troubleshooting Web Client Connectivity Problems: Client Access Problems (Continued) –If there is a connection limit set for the site, make sure this limit has not been exceeded –If the service has been configured to use a port other than the default, make sure the client is specifying the correct port number –If you have not enabled Anonymous access, make sure the client has a valid user account –On the client computers, from the command prompt, type “ipconfig /flushdns” to clear the DNS cache

49 Summary Internet Information Services includes four main components –World Wide Web (HTTP) services –File Transfer Protocol (FTP) services –Network News Transfer Protocol (NNTP) services –Simple Mail Transfer Protocol (SMTP) services Master properties –IIS parameters that can be configured on the server and are inheritable by all Web and FTP sites hosted on the server

50 Summary (Continued) Multiple Web sites can be distinguished on a single Web server by –Configuring individual IP addresses for each site –Configuring individual port numbers for each site –Configuring a host header for each site A virtual directory –Can be used to include information that may be stored on a different server from the one on which the Web site home directory is located By default, Anonymous access is used to allow public access to a Web site

51 Summary (Continued) Five main authentication methods used in IIS –Anonymous –Basic –Digest –.NET Passport –Integrated Windows authentication Regular IIS maintenance tasks include –Backing up the IIS configuration –Starting or stopping services –Installing of hot fixes or service packs