1

Chapter Overview

Creating Web Sites and FTP Sites Creating Virtual Directories Managing Site Security Troubleshooting IIS

2

Creating Web Sites and FTP Sites

By default, Microsoft Windows 2000 Server installs a basic Microsoft Internet Information Services (IIS) configuration during the operating system installation.

You can modify this configuration during installation of Windows 2000 or by using Add/Remove Programs after the installation is completed.

3

Installing IIS When a clean installation of Windows

2000 Server is performed, IIS is installed, by default, with these components: Common Files Documentation Microsoft FrontPage 2000 Server Extensions Internet Information Services Snap-In Internet Services Manager (HTML) SMTP Service World Wide Web Server

4

Installing IIS (Cont.) When you upgrade from Microsoft Windows NT,

Microsoft Windows 98, or Microsoft Windows 95 to Windows 2000, the Setup program attempts to detect a previous version of IIS.

If it detects a previous version, Setup installs IIS version 5.

IIS requires Transmission Control Protocol/Internet Protocol (TCP/IP).

If TCP/IP is not installed, Setup automatically installs it. To install IIS on a computer running Windows

2000 Server, or to install additional components to IIS (such as FTP Server, which is not installed by default), use Add/Remove Programs.

5

The Windows Components Page in the Windows Components Wizard

6

The Subcomponents Of Internet Information Services (IIS) List

7

IIS Snap-In Components After installing IIS, when you launch the

IIS snap-in, three components are added to the console tree: Default Web Site: represents the primary

public Web site hosted by the server Administration Web Site: represents a

protected site you can use to configure IIS from a remote computer

Default SMTP Virtual Server: represents the e-mail forwarding server hosted by the server

8

Getting Started Web content is published by placing Web

files in folders on the server so that users can establish a Hypertext Transfer Protocol (HTTP) connection with the server and view the Web files.

The first step in deploying a Web site is determining how to organize the files you want to publish.

Next, use the IIS snap-in (in the Internet Services Manager console) to specify the folders that are part of the site.

9

Getting Started (Cont.) You can publish documents by copying

them into the home folder of the default Web site, C:\Inetpub\Wwwroot by default.

Users can access files in this folder by using any of these URLs: http:// computer_name/ file_name http:// fully_qualified_domain_name/file_name

http:// IP_address/file_name (where computer_name, fully_qualified_domain_name, and IP_address identify the Web server)

10

Creating Sites IIS can host multiple Web or File Transfer

Protocol (FTP) sites on a single computer. Because each site appears as an individual

computer to Web clients, the sites are sometimes called virtual servers.

You can create multiple Web and FTP sites on a computer running Windows 2000 Server in three ways:

Use a nonstandard port number with the Internet Protocol (IP) address.

Use multiple IP addresses. Assign multiple Web sites to one network adapter card

by using host header names.

11

An Intranet Web Server with Multiple Sites

12

Creating a Web Site Use the IIS snap-in to create a Web site. To create a Web site, right-click the

server in the console tree, point to New, and then select Web Site to launch the Web Site Creation Wizard.

You specify the following information for the site:

Site name IP address TCP port number Host header name

(optional)

Path to the site’s home directory (folder)

Permissions you want to grant users to the files in the home directory

13

The IP Address And Port Settings Page in the Web Site Creation Wizard

14

Creating an FTP Site Before you can use the IIS snap-in to create

an FTP site, the FTP Server component must be installed on the Windows 2000 IIS server.

To create an FTP site, in the IIS console tree, right-click the server, point to New, and then select FTP Site to launch the FTP Site Creation Wizard.

You specify the following information for the site:

Site name IP address TCP port number

Path to the site’s home directory

Permissions you want to grant usersto the files in the home directory

15

The IP Address And Port Settings Page in the FTP Site Creation Wizard

16

Administering Web Sites and FTP Sites During IIS installation, default values are

assigned to various properties of the server and its sites.

You can modify the values of these properties at the site level, the folder level, or the file level.

You can access the master properties, server extensions, bandwidth throttling, and Multipurpose Internet Mail Extensions (MIME) mapping for an IIS server from the Properties dialog box for the server in the IIS snap-in.

17

The WWW Service Master Properties Dialog Box for an IIS Server

18

Starting and Stopping Services and Sites By default, IIS services and sites are

configured to start automatically with Windows 2000.

To use the IIS snap-in to start, stop, or pause a site, select a site in the console tree, and then click the Start Item, Stop Item, or Pause Item button on the toolbar.

To use the IIS snap-in to stop, start, or restart all of the IIS services or reboot the server, right-click the server in the console tree, and then select Restart IIS to display the Stop/Start/Reboot dialog box.

19

Restarting Internet Services

20

Defining Home Directories Each Web and FTP site must have a home

directory, which is the central location for published pages.

If you have both a Web site and an FTP site on the same computer, each service should have its own home directory.

To change a home directory for a Web site or an FTP site, in the IIS snap-in, right-click the site in the console tree, click Properties, and then click the Home Directory tab.

21

The Home Directory Tab in a Web Site’s Properties Dialog Box

22

Defining a Default Document When a client connects to a Web site, the Web

server typically transmits a home page, called the default document, for the site.

By default, an IIS Web site’s default documents are Default.htm and Default.asp.

To configure default documents for a Web site, in the IIS snap-in, open the site’s Properties dialog box, and then click the Documents tab.

When the default document list contains more than one document, IIS attempts to transmit the first document in the list.

23

The Documents Tab in a Web Site’s Properties Dialog Box

24

Lesson Summary

IIS 5 is installed with Windows 2000 Server by default.

You can install additional IIS components by using Add/Remove Programs.

Use the IIS snap-in to create, configure, and administer Web and FTP sites.

25

Creating Virtual Directories

The simplest possible IIS Web site or FTP site is one in which all of the site’s files are located in the home directories of the site.

IIS allows you to add files from other locations to your sites without moving them.

These added files are called virtual directories.

26

Creating Virtual Directories A virtual directory is not contained in the

site’s home directory but appears to client browsers as though it were.

A virtual directory has an alias, a name that Web browsers use to access the directory.

An advantage of using virtual directories is that you can publish files from various locations without having to move the files.

Aliases provide a measure of security, because users do not know where the files are physically located.

27

Creating Virtual Directories (Cont.)

To use the IIS snap-in to create a virtual directory on an IIS Web site or FTP site, in the console tree, right-click the site, point to New, and then select Virtual Directory to launch the Virtual Directory Creation Wizard.

You specify the following information: The alias for the virtual directory The path to the folder containing the files you want

to publish The permissions you want to grant users to the files

in the virtual directory

28

Using Web Sharing Another method for creating a virtual directory

on a Web site is to configure a folder for Web Sharing in Windows Explorer.

Only folders on the Windows 2000 IIS Web server itself can be shared in this way—you cannot create a virtual directory out of a folder on a remote computer by using this method.

When you configure Web Sharing in Windows Explorer, you specify an alias for the folder and the access and application permissions for users of the folder.

29

The Edit Alias Dialog Box

30

Redirecting Requests

When you move a page on a Web site, you can instruct the Web server to give browsers the new URL of the page when they request that page by its old URL.

This process is called redirecting a browser request, or redirecting, to another URL.

You use the IIS snap-in to redirect requests to a Web site, a virtual directory, or a directory.

31

The Home Directory Tab in a Web Site’s Properties Dialog Box

32

A Home Directory Tab with URL Redirection Controls

33

Options for Redirecting Requests When you redirect a site, virtual directory,

or directory in the IIS snap-in, you specify the URL that you want the site, virtual directory, or directory to be redirected to.

You can select one or more options that further define how the redirection to the new URL will be handled: The Exact URL Entered Above A Directory Below This One A Permanent Redirection For This Resource

34

Lesson Summary A virtual directory is not contained in the site’s home

directory but appears to client browsers as though it were.

Virtual directories are identified by aliases, which appear as subdirectories beneath a Web site’s home directory or an FTP site’s home directory.

You can use the IIS snap-in to create a virtual directory. You can configure Web Sharing for a folder on the

Windows 2000 IIS Web server by using Windows Explorer.

You can use the IIS snap-in to redirect requests to a Web site, a virtual directory, or a directory to a different URL.

35

Managing Site Security

Security is an important part of IIS administration.

IIS can use a variety of security mechanisms, including port assignments, authentication, IP address and domain name restrictions, access permissions, and Secure Sockets Layer (SSL).

36

Using Port Assignments One of the simplest and weakest forms of site

protection is to use an alternate port number for the site.

Standard port for Web (HTTP) communications: 80 Standard port for FTP communications: 21

You can configure IIS to use a nonstandard port number for a Web site or FTP site, but standard requests for site access will fail unless clients specify the correct port number.

To view or configure a site’s port number, in the IIS snap-in, use the Web Site tab in the site’s Properties dialog box.

37

The Web Site Tab in the Default Web Site’s Properties Dialog Box

38

Using Authentication

Authentication is the most common mechanism used to restrict access to a Web site or FTP site.

IIS supports four types of authentication: Anonymous authentication Basic authentication Digest authentication Integrated Windows authentication

39

Anonymous Authentication Most Web and FTP sites are public and

provide free access to all users. Windows 2000 uses a special account,

IUSR_computername, and a randomly chosen password to provide anonymous users with limited access to resources.

By default, IIS Web and FTP sites permit anonymous access.

To control anonymous access for a Web site, configure the Directory Security tab of the Web site’s Properties dialog box.

40

The Directory Security Tab in a Web Site’s Properties Dialog Box

41

The Authentication Methods Dialog Box

42

Basic Authentication Basic authentication provides more protection

for a site than anonymous authentication. With basic authentication, every client must

have a user account on the Web server and must supply a user name and password.

The advantage of basic authentication is that it is supported by all browsers running on any operating system.

The disadvantage is that the user’s name and password are transmitted in clear text and can be compromised.

43

Basic Authentication (Cont.)

To configure basic authentication for a Web site on a Windows 2000 IIS server, select the Basic Authentication check box in the Authentication Methods dialog box, which is accessed from the Directory Security tab in the Web site’s Properties dialog box.

During this process, you can specify that users authenticate to a different domain than the one where the IIS server resides.

44

The Internet Service Manager Message Box

45

The Basic Authentication Domain Dialog Box

46

Digest Authentication

Digest authentication lets Web clients send logon credentials to the IIS server with the password encrypted.

Digest authentication can be used with a proxy server.

47

IIS Server Requirements for Digest Authentication The accounts that clients use to authenticate must

be located in an Active Directory domain. Each user account must have the Store Password

Using Reversible Encryption option enabled in its user object properties.

Configure this option in the Account tab of the user’s object’s Properties dialog box in the Active Directory Users And Computers console.

IIS sites must be configured to use digest authentication.

In the IIS snap-in, select the Digest Authentication For Windows Domain Servers check box in the Authentication Methods dialog box, which is accessed from the Directory Security tab in the Web site’s Properties dialog box.

48

Selecting the Store Password Using Reversible Encryption Option for a User Account

49

Integrated Windows Authentication

Integrated Windows authentication is best suited for clients and servers on the same intranet.

The Web client uses the credentials that the user logged on to the domain with to authenticate itself to the IIS server.

To configure this type of authentication, select the Integrated Windows Authentication check box in the Authentication Methods dialog box, which is accessed from the Directory Security tab in the Web site’s Properties dialog box.

50

Using IP Address and Domain Name Restrictions Another method for restricting access to

IIS sites is to specify the IP addresses and domain names that are to be granted or denied access.

To create IP address and domain name restrictions, use the IIS snap-in to configure the IP Address And Domain Name Restrictions dialog box, which is accessed from the Directory Security tab in the Web site’s Properties dialog box.

51

The IP Address And Domain Name Restrictions Dialog Box

52

The Grant Access On Dialog Box

53

Using Access Permissions IIS permissions specify what users

connected to a Web site or FTP site are permitted to do.

IIS permissions can be set at any level of the IIS site hierarchy: the site level, the virtual directory level, or the directory level.

To set IIS permissions, open the Properties dialog box for a site, virtual directory, or directory; and then click the Home Directory, Virtual Directory, or Directory tab, respectively.

54

Using Access Permissions (Cont.)

You can select the following IIS permissions: Script Source Access Read Write Directory Browsing

In addition, in the Execute Permissions drop-down list, you can set the permission that specifies whether users can execute scripts only, scripts and executables, or neither.

55

Using SSL The Secure Sockets Layer (SSL) protocol lets

you configure IIS sites not only to authenticate users but also to encrypt data transferred between client browsers and the IIS server.

SSL is commonly used on Web sites, such as banking and e-commerce sites, that require clients to transmit sensitive data.

To use SSL on Windows 2000 IIS sites, you must first obtain a server certificate, either from a third-party vendor or by using Windows 2000 Certificate Services and the Web Server Certificate Wizard in IIS.

56

Lesson Summary Using a nonstandard port number provides weak

security. Authentication is the most common mechanism used

to control access to a Web site or FTP site. IIS supports anonymous, basic, digest, and integrated Windows authentication.

You can specify the IP addresses and domain names that are to be granted or denied access to an IIS site.

You can assign IIS permissions to specify what users connected to a Web site or FTP site are permitted to do.

SSL lets you encrypt data transferred between client browsers and the IIS server.

57

Troubleshooting IIS

An administrator must be familiar with common problems that can prevent clients from connecting to a Windows 2000 IIS Web server.

58

Common Client Connection Problems and Solutions Symptom: Clients fail to connect to a

Web site. Cause: A network communications

problem is preventing the connection. Solution: Check communications

between the client and server by using Ping and by checking the name resolution mechanism used to resolve the computer or Domain Name System (DNS) name in the URL to an IP address.

59

Common Client Connection Problems and Solutions (Cont.)

Symptom: Clients fail to connect to a Web site. (Cont.)

Cause: The site is configured to use a TCP port number other than the default (80).

Solution: Append the correct port number to the domain or computer name in the browser URL (as in http://www.microsoft.com:82).

60

Common Client Connection Problems and Solutions (Cont.)

Symptom: Clients fail to connect to a Web site. (Cont.)

Cause: The Web site is not configured to use anonymous access.

Solution: Activate anonymous access in the site’s Properties dialog box, or supply the user with the credentials needed to connect to the site by using another type of authentication.

61

Common Client Connection Problems and Solutions (Cont.) Symptom: Clients fail to connect to a Web

site. (Cont.) Cause: The anonymous access account is

improperly configured. Solution: Make sure that the account used

for anonymous access exists in the server’s account database or in Active Directory with the correct password, and that the account used for anonymous access has the Log On Locally and Access This Computer From The Network user rights.

62

Common Client Connection Problems and Solutions (Cont.) Symptom: Clients fail to connect to a Web

site. (Cont.) Cause: The client does not have an

appropriate user account for the authentication type the site is configured to use.

Solution: If the site is configured to use digest authentication or integrated Windows authentication only, the client must have a Windows 2000 user account. In the case of digest authentication, the client must have an Active Directory user account.

63

Common Client Connection Problems and Solutions (Cont.) Symptom: Clients fail to connect to a Web

site. (Cont.) Cause: The site, virtual directory, or

directory containing the requested file is not configured with the correct permissions.

Solution: If the default document or the requested file is a script or a program, the site, virtual directory, or directory must be configured with either the Scripts Only or Scripts And Executables permission, in addition to the Read permission.

64

Common Client Connection Problems and Solutions (Cont.)

Symptom: Clients fail to connect to a Web site. (Cont.)

Cause: The site requires an SSL connection.

Solution: If the site is configured to require a secured connection using SSL, the URL in the browser must use the https:// prefix instead of http:// and must include the appropriate SSL port number (as in https://secure.microsoft.com:5000).

65

Lesson Summary When troubleshooting Web site connection problems,

check for network communication and networking hardware failures.

The type of authentication that a site is configured to use is a frequent source of logon failures.

Digest and integrated Windows authentication require all Web client users to have Windows 2000 user accounts.

Sites that use scripts or programs must be configured with the appropriate permissions for clients to be able to run those scripts or programs.

To connect to a site that requires an SSL connection, the URL must specify both the https:// prefix and the correct SSL port number.