8/9/2019 Windows 2000 Internet Information Server
Windows 2000 Internet Information Server
IIS Components
File Transfer Protocol (FTP) Server
World Wide Web (WWW) Server
Simple Mail Transfer Protocol (SMTP) Service
Network News Transport Protocol (NNTP) Service
FrontPage 2000 Server Extensions
Internet Services Manager (HTML)
Internet Information Services Snap-in
Visual InterDev RAD Remote Deployment Support
Indexing Service
Certificate Services
Windows 2000 Professional can only support 10 network connections and Windows 2000 Servers support an unlimited number of connections. Windows 2000 Professional includes the Personal Web Manager package (a web site administration tool) not included on Windows 2000 servers. The HTML Internet Services Manager and the NNTP Service are not available on Windows 2000 Professional.
Most IIS components are installed when Windows 2000 is installed. The "Add/Remove Programs" applet in the control panel may be used to add any additional IIS components. Select "Add/Remove Windows Components", click on "Internet Information Services (IIS)", then click Details.
Created at Installation of IIS
Default Web Site located in c:\Inetpub\wwwroot
Security Enhancements
Security of the WWW server can be increased by:
Obtain a certificate for the web server.
Enable IP address or domain name access restrictions.
Disable anonymous access and specify a secure authentication method.
Configure the web server to send encrypted communication.
Place all content on an NTFS file system.
Set up home directory security settings.
Use firewalls to protect the server.
Web Site Management
The "Internet Services Manager" is used to manage web sites on the computer. This can be done locally or remotely.
The Web Site Properties dialog box can be displayed by starting the "Internet Services Manager", clicking the + next to the server to be configured, then right-clicking the web site to configure and selecting "Properties". The Web Site Properties dialog box tabs are:
Web Site - Web site properties window with an IIS 3.0 Admin tab allowing selection of the web site to be administered if a user connects with the IIS 3 administration tool. Only one web site may be managed with the IIS 3 administration tool. This tab is used to configure Web site ID, Connections, and Logins. The following may be set:
    o Description - Identifies the site in the Microsoft Management Console.
    o IP Address
    o Advanced button brings up a window:
        Multiple Identities - A text list box set of entries including IP address, port and host header the site responds to. Default port is 80 and SSL port is 443.
        Multiple SSL Identities - The site and port number secure connections are made over (default 443).
    o TCP Port - Default is 80.
    o SSL Port - Port for SSL communications. Default is 443.
    o Connections limited or unlimited - Default limited connections is 1000.
    o Connection Timeout - Default is 900 seconds.
    o Enable Logging checkbox and specify "Active log format". Format types:
        Microsoft IIS Log Format
        NCSA Common Log Format
        ODBC Logging - For database, very resource intensive.
        W3C Extended Log File Format - The most flexible
    o Log "Properties" button and window:
        General Properties - Set log file creation frequency and location where log files are stored.
            The New Log Time Option - Causes new file creation, set to daily, weekly, monthly, unlimited, or when the log file gets to a specific size. The default is daily.
            Directory path the log file is stored in.
            Extended Logging Options list items that can be in the logging file:
                Date
                Time - default
                Client IP Address - default
                User Name
                Service Name
                Server IP
                Server Port
                Method - default
                URL Stem - default
                URL Query
                HTTP Status - default
                Win32 status
                Bytes Sent
                Bytes Received
                Time Taken
                Protocol Version
                User Agent
                Cookie
                Referrer
        ODBC Properties - Set the data source name (DSN), log data table. The user name and password used to store data in the database is set.
        Extended Properties - Use checkboxes to select fields to be put in the log file. Time, client IP address, method, URI stem, and HTTP status are saved by default.
Operators - Configure what users may manage the web site. In the Web Site tab, operators cannot set IP Address, Port, SSL Port, or use the Advanced button. In the Performance tab, operators can't use the Bandwidth throttling. In the home directory, operators cannot set Directory Source, read setting, write setting, and application settings.
Performance
    o Performance Tuning - Sliding bar used to adjust server resources to be held in reserve to service requests quickly. This can be set depending on the number of hits per day that are expected: fewer than 10,000, fewer than 100,000, or more than 100,000.
    o Enable Bandwidth Throttling - Limits the bandwidth use of one web site. It is enabled (default) or disabled.
    o Maximum Network Use - The value in Kbps of maximum bandwidth the website may use.
    o HTTP Keep-alive Enabled - Requires more resources, but keeps the connection to the web browser open for quicker response. Turning off keep-alives or setting a short timeout can improve the performance of an IIS server that is low on memory and bandwidth.
ISAPI Filters - Add ISAPI filters to modify IIS performance for the web site. They are Internet Server Application Programming Interfaces and have global and site filters. Global filters are not displayed, although they are applied. The web server must be restarted after adding or modifying global filters, but site filters are effective immediately. Global filters are run prior to site filters.
Home Directory - Enter the username and password of an account that has access to a remote directory; that username and password are used for the access. Select where home files are:
    o Content comes from "A directory located on this computer" radio button.
    o Content comes from "A share located on another computer" radio button.
    o Content comes from "A redirection to a URL". This option is used to redirect to another web site, when that web site has been moved.
    o "Local Path" or "Network Directory".
    o Access Permissions checkboxes of "Read", "Write" (the browser may update files with the PUT command if Write access is allowed), and "Script source access".
    o Content Control checkboxes of "Log visits" (access is logged), "Directory browsing" allowed (a directory listing is sent to the browser), and "Index this resource" (a searchable index is generated).
    o Application Settings
        Name
        Starting point
        Execute Permissions:
            None
            Scripts only - Files with appropriate extensions are run as scripts without execute permission set.
            Scripts and Executables - Files with proper extensions are run as scripts or ISAPI DLLs or CGI executables.
        Application Protection
Documents - Specifies the default document to be returned by the browser if no document on the web page is specified. A footer for all HTML pages on the web site may also be specified. Options:
    o Enable default document - The page to show if a specific page is not requested. Several documents may be listed with the document at the top of the list being the default document.
    o Enable document footer - Can be used to add footer information to each page.
Directory Security - Three buttons:
    o Anonymous Access and Authentication Control - Any account using the anonymous logon or basic authentication must have the log on locally privilege configured in User Manager for Domains.
        Allow Anonymous Access checkbox - Allows any web browser to access without a username or password. Used rather than basic or Windows NT Challenge/Response authentication if this is on also.
        Account Used for Anonymous Access button - Specification of the anonymous access account.
        Basic Authentication checkbox - Allows users with web browsers that don't support Windows Authentication to give a username and password for restricted web page access. The account name and password are not encrypted. Used if anonymous access is disabled or file permission does not permit anonymous access requiring a domain user account. This requires a domain user account.
        Default Domain for Basic Authentication "Edit" button - The domain the user using basic authentication is assumed to belong in.
        Digest authentication for Windows domain servers - User accounts must store passwords with reversible encryption.
        Integrated Windows Authentication - Required for requiring SSL communications to the web. Required to connect to the administration web site for this site (to perform remote administration). This requires a domain user account. Used under these conditions:
            Anonymous access is disabled or denied due to file permissions requiring an NT user account.
        Secure Communications - The "Server Certificate" button starts the IIS server certificate wizard.
    o IP Address and Domain Name Restrictions - Set all computers to either be granted access (radio button) or denied access (radio button) except those listed in the textbox. The textbox lists the IP and station address or internet names.
    o Assign a certificate to the web site
HTTP Headers
    o Enable Content Expiration checkbox
    o Content should (radio buttons) - Sets when the content will expire in the web browser cache by sending expiration headers with the web page.
        Expire Immediately.
        Expire after Days (textbox) and minutes (textbox). Default is 30 minutes.
        Expire on Date (boxes).
    o Custom HTTP Headers
    o Content Rating (Edit Ratings button) - Voluntary classification of subject matter.
        Rating Service - Tab containing buttons to display a public web site with rating classification information.
        Ratings - Set ratings from 0 to 4 for violence, sex, language, and nudity. An e-mail address of the rating person and rating expiration date is set.
    o MIME Map (File Types button) - Associate file types on the web page with MIME types. Multipurpose Internet Mail Extensions (MIME) types are sent to the web browser.
Custom Errors - What to do if an error is encountered in serving the requested web page. Can specify an HTML file to be sent when an error occurs and use one of the following to specify where the file is:
    o File path
    o URL
Server Extensions - Can be used after the web server is configured to use FrontPage server extensions.
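An added example, not part of the original notes: a small Python parser for the W3C Extended Log File Format described under the Log Properties above, used to list PUT requests that were answered with a success status, which is what the log shows when the home directory "Write" permission is enabled and used. The log lines are constructed sample data, and the field names (time, c-ip, cs-username, cs-method, cs-uri-stem, sc-status) are the W3C names for the Time, Client IP Address, User Name, Method, URL Stem and HTTP Status options listed in the notes.

```python
# Added example: W3C Extended Log File Format parser (sample data is constructed).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-02 17:42:15
#Fields: time c-ip cs-method cs-uri-stem sc-status
17:42:15 192.0.2.10 GET /default.htm 200
17:43:02 192.0.2.44 PUT /upload/notes.txt 201
17:43:40 192.0.2.44 PUT /scripts/test.asp 403
17:44:01 192.0.2.44 PUT
#Date: 2001-05-02 18:00:00
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status
18:01:09 198.51.100.7 - PUT /images/logo.gif 200
18:02:11 198.51.100.7 - GET /index.htm 304
"""


def parse_w3c(lines):
    """Yield one dict per log entry, keyed by the most recent #Fields directive."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directives describe the entries that follow; a log file can
            # contain more than one #Fields directive, so re-read it each time.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry: skip instead of misaligning
        yield dict(zip(fields, values))


def successful_writes(lines, methods=("PUT",)):
    """Return (client IP, URI stem, status) for write requests answered with 2xx."""
    hits = []
    for entry in parse_w3c(lines):
        method = entry.get("cs-method", "").upper()
        status = entry.get("sc-status", "")
        if method in methods and status.startswith("2"):
            hits.append((entry.get("c-ip"), entry.get("cs-uri-stem"), status))
    return hits


if __name__ == "__main__":
    for client, stem, status in successful_writes(SAMPLE_LOG.splitlines()):
        print(client, stem, status)
```

A PUT answered with a 2xx status on a directory that is not meant to accept uploads indicates that the "Write" access permission is enabled there.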
Publication Methods
Copy web pages into the default web site's home folder in c:\Inetpub\wwwroot.
Virtual Directories - Causes directories on other servers to appear as though they are on your server. The Web Services Manager or Windows Explorer can be used to create virtual directories.
Virtual Servers - A single server is made to appear as though it is more than one server. They only work on Windows 2000 Servers, not on Windows 2000 Professional. Requirements:
    1. One of:
        An IP address is required for the primary server and each virtual server. IP addresses must be on one NIC. Multiple IP addresses can be assigned to one NIC using the "Network Dial-up Connections" folder.
        A different TCP port number to be used.
        A different FQDN to be used to access the new site in the "Host Header for this site:" text box.
    2. A home directory must be assigned to each IP address using the directories tab.
Web Services Manager Menu Selections
Selections when the web site is selected:
New
    o Virtual directory
    o Web Site - Used to create additional virtual web servers.
Personal Web Manager
Accessed from Administrative Tools, Personal Web Manager is for novices.
Indexing Service
This service indexes web site content by creating two databases of words, one based on web server HTML files and the other based on other document types. The databases take about 40% of the amount of room the original data takes. The Indexing Service works on all Windows 2000 operating systems and must be configured to start automatically if desired.
Search Tools:
Windows Explorer search tool.
Start menu search tool.
The "Computer Management" Index Service search tool. Computer Management is started by right-clicking on "My Computer" and selecting "Manage".
Certificate Services
Used to manage and issue security certificates which are used for providing secure web connections between the web client and the web server. The "Add/Remove Programs" applet in the control panel may be used to add Certificate Services.
Terms:
Certificate Authority (CA) - An organization that is trusted to issue certificates.
    o Enterprise root CA - The first and most trusted CA on the network; requires the use of Active Directory.
    o Enterprise subordinate CA - Subordinate to the enterprise root CA; requires the use of Active Directory.
    o Stand-alone root CA - A root for the certificate hierarchy; does not require Active Directory.
    o Stand-alone subordinate CA - Subordinate to the stand-alone root CA; does not require Active Directory.
Public Key Infrastructure (PKI) - Implemented when certificates are used.
Public Key
Private Key
After Certificate Authorities are created, certificates can be set up for use by selecting the administrative tool, "Certification Authority". Selections:
Action
    o New
        Certificate to Issue - Display certificates the CA cannot issue yet. This is where the CA can be authorized to issue these various certificates.
How users get Certificates
Windows 2000 users can use the MMC Certificate snap-in command line utility by typing "mmc" on the command line.
Access http://CA_server_name/certsrv with a web browser.
Administrators can set group policy so computers request certificates automatically when they are required using the administrative tool "Active Directory Users and Computers".