by Azam A. Mirza
In Chapter 16, "The BackOffice I-Net Toolbox," you learned about the various server-based products that Microsoft BackOffice provides for implementing a comprehensive Web solution. The Internet Information Server (IIS) is the glue that brings together the power of all these components. In this chapter, you learn how to set up IIS on your enterprise network to provide Internet and intranet services for your users.
Detailed information is provided to help you set up an IIS server for your enterprise, configure services on your IIS server, and learn to use the Internet Service Manager for managing your enterprise IIS servers. You also learn about IIS security features and how to set up a secure IIS infrastructure. Finally, you learn how to create content for your IIS services and publish information for use by your enterprise users and the Internet community.
An important consideration in developing an Internet presence is the resources your organization is willing to invest in developing the infrastructure for running an effective IIS site. Running an IIS site requires the following types of resources (which are described in the following sections):
The amount of traffic your IIS machine will handle determines the kind of hardware platform you need. A checklist of hardware items that you need for an IIS site includes the following:
The choices available in terms of the computing platform are numerous. The first choice to make is the kind of processor your IIS machine should use. IIS is available for the following processor systems:
Any one of the preceding systems would be a good choice for running your IIS site because IIS is equally supported on these platforms. Multiprocessor systems are also an option when considering a system for an IIS site because of their higher processing power. You can monitor the processor utilization of your IIS machine using the Performance Monitor tool included with Windows NT.
You should get as much memory as possible in your system for better performance. If you are going to be running a site that will handle many users and numerous simultaneous connections, you should start with at least 64M of RAM. If your server has additional services running on it (for example, SQL Server, Exchange Server, and so on), you should add at least an additional 16M for IIS. You can monitor the memory usage of your IIS machine using the Performance Monitor tool provided with Windows NT to see if your server would benefit from the addition of more memory.
See "Using the Performance Monitor," (Ch 48) in Special Edition Using Microsoft BackOffice, Volume 2
Another important consideration is the available hard disk space. World Wide Web files can take up a lot of disk space. If your site is going to use multimedia features, such as sound, images, and video clips, you will need a large amount of space to store multimedia files, perhaps several gigabytes. Make sure that your machine has enough hard disk space and can be expanded easily in the future. You can monitor the hard disk usage and performance of your IIS machine using the Performance Monitor tool provided with Windows NT.
TIP: Get a hard disk subsystem that is as fast as possible. The most time-consuming aspect of running IIS services is the hard disk access while loading Web pages or transferring files using FTP. A hard disk subsystem based on the SCSI standard is usually the fastest option with the most flexibility for future storage expandability. A Fast/Wide SCSI system can provide throughput of 10 to 20 MB/s with the option of installing up to 15 SCSI drives in a single daisy chain.
Deciding whether you should buy a new machine for running IIS or use an existing system depends on your needs and the funds available for setting up your IIS machine.
The IIS software itself is a part of the BackOffice suite of applications. However, you will need other software to set up a complete IIS site. IIS provides all pieces for setting up WWW, FTP, and Gopher sites. Nonetheless, to create content for these sites, you need to acquire additional software packages. Content creation for your WWW service requires using such software packages as Microsoft Internet Studio, Microsoft FrontPage, or Internet Assistant for Microsoft Word. Other WWW content creation packages also are available.
In addition to the software already mentioned, you may need additional applications if you want to create a server that attracts attention and generates excitement by taking full advantage of multimedia data types and using the latest techniques. If this is your goal, you should investigate applications for the following processes:
A multitude of choices is available in each of the preceding software categories; make your decisions based on available features, cost, and your own preference.
Operating an IIS site requires your organization to devote some human resources. You need a person or group of people to manage your various servers and services. Many options are available for deciding how you can allocate human resources to manage your Internet connectivity. The following guidelines help you estimate the number of people needed to operate your IIS site. Figure 18.1 shows how human expertise is utilized in putting together an IIS site.
Fig. 18.1
Expertise in various aspects of Internet and network administration is needed to operate an IIS site.
It is not necessary to assign a different person to each of the jobs. For example, one person might be the Webmaster, FTP administrator, and Gopher administrator for your entire enterprise, or you might need separate people to do each of those jobs. The choice depends on how much activity is handled by your IIS site. The following is a list of the tasks that need to be performed to operate an IIS site:
If you are operating a site where the content stays static most of the time, you might be able to administer the entire suite of IIS services using one person. If you operate a site with a lot of published content that changes regularly, however, you might need more than one person to manage all your services. The choice depends on how much work there is to do.
See "Hypertext Markup Language," (Ch 17)
See "Common Gateway Interface (CGI)," (Ch 17)
See "ISAPI," (Ch 47) in Special Edition Using Microsoft BackOffice, Volume 2
An important part of planning your IIS configuration is the type of services you will be offering. IIS provides control over the services you can install, set up, and run as part of your Internet implementation plan. The type of services you offer depends on what your intent is in using IIS. If you want to run a server exclusively providing WWW services (without FTP and Gopher) to your enterprise and/or the Internet, then you can install just the WWW service. Many organizations are using IIS to implement WWW services only. The Web is a powerful and flexible system that provides a great deal of impact. However, WWW is probably the most complex and time-consuming of the three services to set up, run, and maintain.
NOTE: The complexity in running a WWW site stems from its enormous flexibility and breadth of features. Creating attractive and useful content for Web sites demands much time and effort.
If your intent is to provide file transfer capability for your users, then you can implement the FTP service. It provides a fast and simple way of transferring files between remote machines. The FTP service included with IIS is very easy to set up and maintain. Setting up FTP, however, does require that you pay special attention to security concerns to safeguard your system against intruders.
FTP is also the only one of the three services that enables client machines to transfer files to your IIS machine. If you want to provide users with the capability to upload files to your system, then you must use the FTP service included with IIS.
The Gopher service is similar to FTP but provides enhancements, such as menu structures, hyperlinks, and richer content formatting capability. Gopher services are easy to set up under IIS. Gopher servers are most suited to publishing textual, static information that does not require the overhead involved in implementing HTML Web pages. The most widely used implementations of Gopher servers are for library catalogs, phone directories, and other text-based information stores. If you would like to build a fast and easy catalog system, then Gopher is the service of choice. For more information, see "Creating the Content for IIS Services" later in this chapter.
IIS provides an integrated set of services for managing all your Internet connectivity needs. The combination of popular Internet services with a centrally managed environment makes IIS an ideal choice for your intranet or Internet servers.
The Internet Information Server (IIS) was designed from the ground up to be an integrated part of the Microsoft Windows NT Server platform. IIS runs as a set of integrated Windows NT Server services leveraging the built-in features of Windows NT Server (that is, Service Manager, Performance Monitor, and the Windows NT Server security features).
IIS offers a high-speed, secure, and robust means of publishing information on the Internet. The Internet security options, such as the Secure Sockets Layer (SSL), Secure Transaction Technology (STT), and the Cryptography Application Programming Interface (CAPI), also provide a method of conducting safe and secure transactions on the Internet. They provide for the building and deployment of Internet-enabled applications that use the latest in encryption and security technologies. (For information on security issues, see the section "Security for Your Internet Server" later in this chapter.)
The following sections describe the three services provided by Internet Information Server.
See "A Flexible Set of Services," (Ch 2)
The WWW service delivered within IIS provides a powerful mechanism for publishing information to a large user base. Furthermore, the functionality available in the WWW service provided by IIS is not limited to just creating static HTML pages.
The World Wide Web service in IIS enables users to immediately publish existing files, WWW documents, and other information for access by the Internet community or for local LAN access by the corporate network. The WWW service includes the following features:
Figure 18.2 depicts the IIS Server administration screen of the Internet Service Manager. The WWW service within IIS supports the capability to do the following:
Fig. 18.2
The IIS administration utility, called the Internet Service Manager, provides a graphical interface for the administration of services.
Each of these features of the WWW service is discussed in the following sections.
See "Hypertext Markup Language," (Ch 17)
Server Applications
An important aspect of any well-designed WWW site is its capability to enable users to execute remote programs on the server using hypertext links. In addition, users can also trigger application execution by filling out an HTML form and submitting it for processing by the server. The WWW service within IIS fully supports the concept of running server-based applications by providing support for the standard called the Common Gateway Interface (CGI).
CAUTION: The capability to execute programs on your WWW server does increase the security risk involved by providing unauthorized users a chance to break into your system using the application. Extra care should be taken to prevent users from gaining read/write access to your program executables and script files.
IIS also supports a new Application Programming Interface (API) for writing Internet-enabled applications called the Internet Server Application Programming Interface (ISAPI). Both the CGI and the ISAPI methods enable you to write applications that can do almost anything. You can use any language, such as C/C++ and Visual Basic, to write applications that can be run using the CGI or ISAPI interface.
Using the CGI method, you can execute operating system batch language scripts (for example, BAT or CMD files) to execute programs for your WWW service. The ISAPI method differs from CGI in one important aspect: ISAPI programs are compiled as dynamic-link libraries (DLLs) that are loaded by the WWW server at server startup. This provides ISAPI applications with a performance edge over CGI-based scripts or applications. However, ISAPI DLLs are loaded as part of the initial IIS startup and increase startup times. In addition, ISAPI DLLs are loaded in the same memory space as IIS, and a misbehaved DLL can cause the IIS service to hang.
See "Common Gateway Interface," (Ch 17)
Managing Directories
The WWW service enables you to organize the information you want to publish in directories in a manageable manner. By distributing information across multiple directories, you can divide information into logical collections. The WWW service can then be configured to enable users access to these directories, all their subdirectories, and the files stored in them.
NOTE: Whenever you install a new WWW server, IIS automatically creates a root directory for your server. The root directory, \InetPub\wwwroot by default, is given the alias Home. It is the starting point for all Web browsers to view the information published by your WWW server.
In addition to using the Home directory for publishing information, you can also use the concept of virtual directories, which enable you to distribute information across directories that are not subdirectories of the Home directory. They can also be used to place information on a different drive or a network drive. A discussion on creating virtual directories for WWW publishing is presented in the section titled "Directories" later in this chapter.
NOTE: All virtual directories used by your WWW service must reside within the same Windows NT domain.
Even though virtual directories might exist anywhere within your Windows NT domain, they are presented to the user as a single directory tree existing as subdirectories of the Home directory. The Home directory is the root of all directories being used by your WWW service. This makes it simple to present the information to the user in a manner that can be easily navigated.
Virtual Servers
Virtual servers enable you to create more than one WWW server on the same machine. By default, every machine has a single domain name and IP address (for example, www.mcp.com or 199.177.202.10). Virtual servers enable you to attach additional IP addresses and domain names to a server to make it appear that you are using multiple servers to service user information needs.
You might want to create WWW servers for different departments within your enterprise, for example, marketing and systems. You do not need to set up a different machine for each department's WWW server. You can use a single machine by creating virtual servers on that machine called marketing.mcp.com and systems.mcp.com.
By segmenting the same machine into multiple virtual servers, you can divide the information you publish into logical collections and use the same machine to hold the information content. Users wanting to connect to the marketing information will go directly to the marketing WWW site, and users wanting to connect to systems information will go directly to the systems WWW site.
See "Using Property Sheets to Configure Your Internet Information Server" later in this chapter for more information.
The FTP Service built into the Internet Information Server provides some powerful features for allowing FTP access to your site. The FTP server supports an anonymous logon facility for providing access to the Internet community for file uploads and downloads for an IIS Server site. The virtual directories and virtual browsing functions of the IIS server enable administrators to provide fast, efficient access to the directories and files available on the network. The integrated security built into IIS enables the administrators to restrict access to files and directories based on user IDs and passwords.
The FTP service enables users to employ such tools as Internet Explorer to connect to your FTP server. You can also use other FTP client software, such as the Windows NT FTP client, to connect to the FTP server.
The WWW service has replaced or enhanced most of the functionality available through FTP. However, the WWW service cannot be used to copy files from the client to the server. FTP is the only service that provides this functionality.
CAUTION: Extreme care should be exercised when permitting users to copy files to your server. Make sure that you check all files for viruses. It is a good idea to limit incoming files to a single directory to facilitate the process of checking them.
FTP provides an easy, simple, and maintainable system for publishing a large number of files. FTP enables transfers of files no matter what format they are in. You can use FTP to transfer text, image, or executable files. Figure 18.3 shows the FTP Server Service administration screen of the Internet Information Server. (For more information, see "FTP" later in this chapter.)
Fig. 18.3
Internet Service Manager is the tool used for administering IIS services such as the FTP service.
The Gopher service in IIS enables you to publish information from large file archives. The IIS Gopher service supports all features of the Gopher standard. In addition, the Gopher service in IIS supports the Gopher+ selector strings, which enable clients to obtain additional information from the server, such as the Gopher server administrator name. You can use tag files on your Gopher server to enable links to other Gopher servers across the enterprise or the Internet.
The Gopher service enables corporations to provide a graphical point-and-click interface for their users to access information stored in online databases. Figure 18.4 shows the Internet Information Server administration screen for the Gopher service.
Fig. 18.4
Internet Service Manager is the central administration tool for all IIS services, such as the Gopher service.
The Gopher server in IIS can be used to set up corporate catalogs of employee information accessible only by the corporation's employees. It can be used to publish a catalog of company products for browsing by customers over the Internet. It can also be used as an online reference system for product user manuals. For more information, see "Gopher" later in this chapter.
In this section, you learn how to set up Internet Information Server (IIS). IIS enables you to set up services for running a WWW site, an FTP site, and a Gopher site. Before you can install IIS, you need to complete the following tasks:
NOTE: During the installation of Windows NT Server 4.0, you will get the option of installing IIS. You can install IIS at that point or use the Setup program later to install IIS. The two procedures are identical, and this chapter outlines the procedure for installing IIS on a pre-configured Windows NT Server 4.0 machine.
NOTE: Internet Information Server can only be installed on machines running Windows NT Server 4.0 with Service Pack 1a installed.
CAUTION: The Internet domain name should be the domain name provided by InterNIC if you have requested a registered domain name and IP addresses. If you are just creating an intranet server and you are not connected to the Internet, you can safely create your own domain name after checking with other network administrators to be sure that one isn't already in use. It should be a unique name, and should not match any existing Windows NT domain names.
Make sure that you have performed the preceding tasks before starting IIS installation.
To install IIS, follow these steps:
You can also open a command prompt and enter <path>:\inetstp.exe at the command line.
NOTE: During setup, you can click the Help button at any time to get help on installing IIS.
After you have started the Setup program for IIS, perform the following steps:
TIP: You might want to specify a different drive and location for your publishing directories to separate them from your IIS installation location. This is a particularly good idea if you will allow users to upload files to your server using FTP, or if you plan to run server-based applications from your Web pages. By separating the publishing directories from your IIS services, you can help avoid accidentally assigning improper permissions that could lead to corrupted system files. It is simply easier to manage your server with all published data on a separate drive.
CAUTION: The DNS domain name must be specified for the machine on which you are installing IIS. If a domain name is not specified, IIS Setup displays a warning message to inform you to do so.
Setup automatically starts all services you installed by default and creates a Start Menu group for IIS called Microsoft Internet Server. To make sure that everything has been installed properly, you should verify that all IIS services have been started and check the event log for possible errors. You can check the status of IIS services using the Services applet in the Control Panel. Check the event log using the Windows NT Event Viewer. IIS events appear in the Applications log.
NOTE: As part of the IIS installation process, a sample WWW tour of IIS features is set up automatically. Make sure that you navigate through the sample pages to get an idea of what a WWW, FTP, and Gopher site setup looks like.
Now that you have successfully installed IIS, you can configure your IIS services by using the Internet Service Manager. The next section discusses the Internet Service Manager in detail.
The Internet Service Manager is the graphical tool used for administering all IIS servers in an organization. Internet Service Manager enables the configuration and monitoring of all IIS services from a central location. By default, the icon for the Internet Service Manager is placed in the Microsoft Internet Server Start Menu Group during setup.
TIP: The Internet Service Manager is automatically installed on your IIS server during installation, but it can also be installed on machines other than the server. This enables remote administration of IIS servers from any Windows NT workstation or another Windows NT server.
The Internet Service Manager can be run from any computer running Windows NT Workstation or Windows NT Server that is connected to the same network as the IIS server. It can also be run from a computer connected to your enterprise network from the Internet. Internet Service Manager uses the Windows NT security protocol for user authentication and enables secure connections to IIS over the Internet and from remote administration computers (see Figure 18.8).
Fig. 18.8
The Internet Service Manager main window shows a single server (named RAJA), which is running all three services available with IIS.
Internet Service Manager can be used to perform the following administration tasks on IIS servers:
Each of these tasks is explained in detail in the following sections.
Internet Service Manager can find all servers running IIS on your network. It uses one of two methods to find servers running IIS: Windows Internet Name Service (WINS) and TCP/IP broadcasts.
If WINS is used on your network, Internet Service Manager automatically finds any servers running IIS services. This is accomplished because servers running IIS services automatically register with WINS servers. Therefore, when an Internet Service Manager attempts to find servers running IIS services on its startup, WINS returns the addresses of registered servers.
However, if WINS is not being used on your network, then the Internet Service Manager uses TCP/IP broadcasts to find servers running IIS services.
CAUTION: Internet Information Server cannot find servers running IIS services across routers by using TCP/IP broadcasts. To find servers running across routers, you must use WINS.
You can query for servers running IIS on your network by choosing Properties, Find All Servers. The Finding All Servers dialog box is displayed while the system searches for IIS servers (see Figure 18.9).
Fig. 18.9
The Properties, Find All Servers menu option enables you to discover servers running IIS services on your network.
See "Windows Internet Name Service (WINS)," (Ch 9)
After you have used the Internet Service Manager to find the servers running IIS services on your network, you can connect to those servers for administrative purposes. To perform administrative tasks, you must be logged on with an account belonging to the Administrators group on the IIS server. To connect to a server running IIS services, perform the following steps:
Alternatively, perform these steps:
After you have connected to a server, it will be added to your Internet Service Manager window. The stoplight icons representing the various services will indicate the status (started, stopped, or paused) of the services running on the server, and you will be able to open the property sheets for the server to configure its services.
Internet Service Manager's simple and elegant graphical user interface provides a lot of flexibility for administrators. You can choose to view the information being displayed by Internet Service Manager in three different styles:
To switch between different views, choose the appropriate viewing option from the View menu. Each of these views is discussed in the following sections.
Reports View
Reports view is the default view used by the Internet Service Manager. It lists all the servers running IIS services in alphabetical order. One line is used for each installed service. The Reports view is the only view that enables you to sort information alphabetically. You can sort by server name, service type, service state, and comments. To sort, click the column headings in the Reports view. Figure 18.10 shows the Internet Service Manager running in Reports view.
TIP: You can use sorting to quickly find out the state of services running on your network. For example, by clicking the state column and sorting the listed servers by server state, you can determine which services are stopped or paused on your network.
Fig. 18.10
When viewing servers running IIS services using the Reports view, you can sort the displayed information by clicking a column heading.
The Reports view is most useful when you only have one or two servers running IIS services. If many servers on your network are running IIS services, it is easier to view information using one of the other two views.
Servers View
The Servers view lists servers running IIS services on the network by computer name. You can double-click the plus sign next to a server name to display the IIS services running on that server. Figure 18.11 shows the Internet Service Manager running in Servers view.
Fig. 18.11
The Internet Service Manager window is viewing a server running all IIS services using the Servers view.
Servers view is most useful when you are trying to determine the status of services on a particular computer running IIS services.
Services View
Services view displays the information by service type for computers running IIS services on your network (see Figure 18.12). You can double-click the plus sign next to the service name to display the servers running that service.
Fig. 18.12
The Services view in the Internet Service Manager provides an easy way to determine which servers are running a particular service.
Services view is most useful for enterprises running multiple servers in distributed sites. It makes it easy to determine which servers are running a particular IIS service.
TIP: You can apply filters in any view by choosing the service filter commands from the View menu. For example, to view only WWW services, you can deselect the FTP and Gopher options in the View menu. Choose All to clear the filter and view all services.
You can install the Internet Service Manager on any computer running the Windows NT Workstation and Windows NT Server operating systems and administer any server running IIS services from a central administrative computer.
You can install Internet Service Manager over the network by creating a share to the \Admin$ directory on the Internet Information Server installation CD-ROM and connecting to it from the remote computer. You can then run the Setup program for the Internet Information Server remotely from the newly created share and install the Internet Service Manager component only on the remote machine.
Internet Service Manager can be used to administer servers running IIS services from the Internet also. IIS Setup includes a component for an HTML-based Internet Service Manager for use across the Internet. The HTML Internet Service Manager is a collection of HTML pages designed specifically for administering IIS servers. The HTML Internet Service Manager uses Microsoft Internet Explorer to administer IIS servers remotely. Figure 18.13 shows the startup screen for the HTML Internet Service Manager.
Fig. 18.13
The HTML-based Internet Service Manager component is actually a set of HTML files that can be accessed using Microsoft Internet Explorer to administer IIS services.
The HTML files for using Microsoft Internet Explorer as the HTML Internet Service Manager are installed in the %winroot%\system32\InetSrv\iisadmin directory. To connect to an IIS server for administration purposes, all you need is the URL of the iisadmin directory (http://localhost/iisadmin/ in Figure 18.13). However, to gain access, you must be logged on to the local machine using a logon ID and password that belongs to the Administrators group on the IIS server machine.
NOTE: A Start Menu icon is also created for the HTML Internet Service Manager under the Microsoft Internet Server group once the component is installed.
NOTE: You cannot use the HTML Internet Service Manager to start, stop, or pause IIS services on the machine you are administering.
Once connected, the options available for administration of IIS services are identical to the ones available through the regular Internet Service Manager. Figure 18.14 presents the Service Properties screen for the WWW service using the HTML Internet Information Server.
Fig. 18.14
You can access the WWW Service Properties dialog box using the HTML Internet Service Manager.
The options available are identical to the WWW Service properties dialog box accessible through the regular Internet Service Manager. The properties dialog boxes for FTP and Gopher are also identical to their regular counterparts. Please refer to the section "Using Property Sheets to Configure Your Internet Information Server" later in this chapter for information on setting WWW, FTP, and Gopher service properties.
CAUTION: If you are going to use Internet Service Manager across the Internet, make sure that you are using a Windows NT Logon ID and password and the Windows NT Challenge/Response authentication protocol for user validation. Do not use the clear text method for sending passwords across the Internet.
You can use the Internet Service Manager to change the state of IIS services running on your network with a simple procedure. Services can be in one of three states:
To change the state of an IIS service running on a computer, follow these steps:
You can also use the appropriate toolbar button to start, stop, or pause a service.
The graphical view of the Internet Service Manager makes it easy to determine which services are started, stopped, or paused. For example, by using the sort option in Reports view, you can sort services by service state to get a quick snapshot of which services are running.
Internet Service Manager enables the configuration and management of IIS services by using property sheets. Property sheets are tabbed dialog boxes for configuring all options for a particular service. You can use property sheets to configure all three IIS services: WWW, FTP, and Gopher. The property sheet for each of these services is described in detail in the following sections.
WWW
To configure the WWW service running on a server, double-click the WWW service name or computer name in any of the views to bring up the WWW Service Properties dialog box (see Figure 18.15).
The WWW service is being configured in the Internet Service Manager.
The Service Properties dialog box displays tabs for each category that can be configured. The WWW property sheets can be used to configure the following categories (which are described in detail in the following sections):
The WWW Service tab is used to set various connection options for your WWW server (see Figure 18.16). To set Service options, click the Service tab on the WWW Service Properties dialog box and perform the following steps:
TIP: You can control the access allowed to the IUSR_computername anonymous account by changing its permission using the User Manager or by specifying another account on your network as the anonymous logon account.
- Allow Anonymous: If checked, the WWW service uses the anonymous logon ID and password set up in the preceding step for authenticating all user connections.
- Basic: If checked, Basic authentication uses clear text to verify user connections. If used in conjunction with the SSL security scheme, it enables the use of encrypted logon IDs and passwords. All browsers support the basic authentication mechanism.
CAUTION: Transmitting clear text passwords over the Internet can compromise your network security. It is possible to capture passwords over the network using protocol analyzers.
- Windows NT Challenge/Response: If checked, the WWW service uses the Windows NT Challenge/Response authentication method. This is the most secure form of user authentication. Internet Explorer 2.0 or higher supports this authentication method.
WWW Service and its properties can be configured using the Service tab on the WWW Service Properties dialog box.
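The caution about Basic authentication is easy to verify for yourself. The following Python example is added here and is not part of the book or of IIS: it decodes a constructed Basic Authorization header exactly as anyone reading the request on the wire could, and then reviews a set of Service tab authentication settings (the three check boxes above plus whether SSL is in use) for the clear-text exposure the text warns about. The header value and the account name in it are constructed for the example.

```python
import base64
import binascii

# Constructed sample value, not captured from any real server or client.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"jsmith:Winter96").decode("ascii")


def decode_basic_authorization(header_value):
    """Return (user, password) from a Basic Authorization header value, or None.

    Base64 is an encoding, not encryption: anyone who can read the request on
    the wire recovers the logon ID and password with exactly this much work,
    which is why Basic should only be combined with SSL.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password


def service_tab_findings(allow_anonymous, basic, nt_challenge_response, ssl_enabled):
    """Review the WWW Service tab authentication settings and return findings.

    An empty list means the combination raises none of the concerns described
    in the text above. The rules are this example's reading of that text.
    """
    findings = []
    if basic and not ssl_enabled:
        findings.append("Basic enabled without SSL: logon IDs and passwords "
                        "cross the network in clear text")
    if basic and not nt_challenge_response:
        findings.append("Windows NT Challenge/Response not enabled: browsers "
                        "that support it are still forced to use Basic")
    if not (allow_anonymous or basic or nt_challenge_response):
        findings.append("No authentication method enabled: no client can log on")
    return findings


if __name__ == "__main__":
    print(decode_basic_authorization(SAMPLE_HEADER))
    for line in service_tab_findings(True, True, False, False):
        print("-", line)
```

Run against an Internet-facing configuration, the review should come back empty only when Basic is either turned off or paired with SSL.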
The WWW Directories tab, as shown in Figure 18.17, is used to set up directories used by the server and set their properties.
IIS' default directories are listed on the Directories tab.
The Directory list box lists the current directories set up for the WWW service. It displays the following information:
IIS by default creates three directory mappings for your WWW service:
If checked, the Enable Default Document option enables you to specify the default document that will be loaded if a user does not specify a file name when connecting to your WWW service. By convention, if there is a default.html file in the directory being accessed, that file is loaded as the initial document when a user first accesses that directory. However, you can specify another file as the initial document to load, such as home.html.
TIP: You can specify a default document in every directory to be displayed if the user does not specify a file when connecting to that directory.
If checked, the Directory Browsing Allowed option enables you to provide access to the directories and files stored under your root WWW directory. When this occurs, the user is presented with a hypertext listing of your directory structure similar to the Windows File Manager format.
NOTE: Virtual directories are not displayed even if directory browsing is enabled. To view a virtual directory, users must know the URL address or use a hyperlink to get to them.
See "Uniform Resource Locator," (Ch 17)
You can use the Add, Remove, and Edit Properties buttons to specify the directory structure for your WWW service. To add a directory, follow these steps:
CAUTION: If you specify a directory name, you need to create that directory manually. Internet Service Manager does not automatically create the directory for you. If the directory does not exist, the Directory list box displays an error message.
NOTE: The default directories created by IIS do not have IP addresses assigned to them. You must do so manually. To create virtual servers, you must assign IP addresses to the home directory and all virtual directories on an IIS machine for each virtual server you will create.
TIP: To bind additional IP addresses to your network card, use the Network applet in the Control Panel. Your computer will then be a multihomed host in TCP/IP terminology.
See "Installing and Configuring TCP/IP for Windows NT Server," (Ch 9)
CAUTION: For security reasons, you should never provide users with read access to directories containing executable programs and scripts because this may enable them to copy your program files.
If you want to remove a directory, simply select the directory in the Directory Properties dialog box and click Remove. To edit properties for a directory, select the directory in the Directory Properties dialog box and click Edit Properties. The Directory Properties dialog box appears. Make the appropriate changes and click OK to return to the Directories tab.
The WWW Logging tab is used to specify logging options used by your WWW service (see Figure 18.19). Logging can be used to store information about those who accessed your WWW service and the information they accessed. Logging information can be stored in log files, or you can use an ODBC compatible database, such as Microsoft SQL Server, to store logging information.
WWW service Logging options can be used to record user activity on IIS machines.
TIP: You can use a single log file or a single Microsoft SQL Server database to store logging information from multiple IIS machines if you want to consolidate the information in one location.
To configure Logging options, click the Logging tab on the WWW Service Properties dialog box and follow these steps:
- Automatically Open New Log: This creates a new log based on the options available. Specify a new log file logging interval by selecting Daily, Weekly, Monthly, or When File Size Reaches.
- When the File Size Reaches: This specifies the file size in megabytes when a new file is to be created.
- Log File Directory: This specifies the directory name and path where all log files will be stored. Alternatively, you can use the Browse button to specify a directory.
- Log File Name: This displays the naming convention that will be used to store the log files. The yymmdd will be replaced with the two-digit year, month, and day numbers to create unique names for log files.
NOTE: If you do not use the Automatically Open New Log File option, the same log file will be used indefinitely. You must select an existing directory or manually create a new directory for log files using the File Manager or the MKDIR command.
- ODBC Data Source Name (DSN): Specifies the name that will be used to connect to the database for logging
- Table: Specifies the name of the table that will store the logging information
- User Name: Specifies the user name that will be used to connect to the database
- Password: Specifies the password that will be used to connect to the database
NOTE: You must use the ODBC Applet in the Control Panel to create the specified system ODBC data source.
CAUTION: Logging to an ODBC data source is slower than logging to a file. For sites with heavy traffic, you should consider logging to a file for performance reasons or adding processing power to the server to support the additional load. For example, you can add a processor and higher performance disk subsystem.
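The file-logging options above amount to a small rotation policy: an interval (daily, weekly, monthly, or a size threshold in megabytes), or no rotation at all when the option is unchecked, plus the yymmdd naming convention. The following Python example is added here and is not IIS code or the book's own; it models that policy so you can see when a new file would be opened and what it would be named. The "IN" file name prefix and the use of ISO week boundaries for the Weekly option are assumptions made for the example.

```python
from datetime import date

# Interval options offered by "Automatically Open New Log" on the Logging tab.
DAILY = "Daily"
WEEKLY = "Weekly"
MONTHLY = "Monthly"
WHEN_SIZE_REACHES = "When File Size Reaches"


def _to_date(value):
    """Accept a date object or an ISO yyyy-mm-dd string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def log_file_name(day, prefix="IN"):
    """Apply the yymmdd naming convention shown in the Log File Name field.

    The 'IN' prefix is an assumption for this example; use whatever the
    Log File Name field displays on your own server.
    """
    return "%s%s.log" % (prefix, _to_date(day).strftime("%y%m%d"))


def should_open_new_log(option, opened_on, today, current_size_bytes, size_limit_mb=None):
    """Decide whether the service would start a new log file.

    option is one of the interval constants above, or None when
    "Automatically Open New Log" is unchecked (same file used indefinitely).
    """
    opened_on, today = _to_date(opened_on), _to_date(today)
    if option is None:
        return False
    if option == DAILY:
        return opened_on != today
    if option == WEEKLY:
        # Assumption for this example: a week boundary is an ISO (year, week) change.
        return opened_on.isocalendar()[:2] != today.isocalendar()[:2]
    if option == MONTHLY:
        return (opened_on.year, opened_on.month) != (today.year, today.month)
    if option == WHEN_SIZE_REACHES:
        if size_limit_mb is None:
            raise ValueError("a size limit in megabytes is required for this option")
        return current_size_bytes >= size_limit_mb * 1024 * 1024
    raise ValueError("unknown interval option: %r" % (option,))


if __name__ == "__main__":
    # Constructed dates; the server would use its own clock.
    print(log_file_name("1996-11-05"))
    print(should_open_new_log(WEEKLY, "1996-11-03", "1996-11-04", 0))
```

Because the two-digit year is the only year information in the file name, keep the Log File Directory dedicated to these logs so that names cannot collide with files from another century or another service.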
The WWW Advanced tab is used to specify access limits and to control the network traffic on your IIS machine (see Figure 18.20). You can choose a default access option that either grants access to all users or denies access to all users. Then you can specify individual computers or groups that are the exceptions to the default.
The WWW service Advanced tab can be used to specify access control properties and network usage limits.
For example, if you want to use an IIS server as an intranet server for your organization only, you would deny access by default and add the IP addresses of your computers as exceptions to be granted access. If many computers are on your network, you can specify one or more groups of computers by using a domain name or IP address and subnet mask corresponding to the groups. Your server must be configured to use DNS in order to employ this option. See Chapter 9, "Using TCP/IP with Windows NT Server," for more information.
In this section, the option of granting access by default and entering exceptions that will be denied access is described.
To configure Advanced options, click the Advanced tab on the WWW Service Properties dialog box and follow these steps:
The Deny Access On dialog box is used to deny access to selected computers when a default policy that grants access to everyone has been chosen.
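The Advanced tab policy is a default (grant or deny) with exceptions that invert it, where an exception is either a single computer or a group given as an IP address and subnet mask. The following Python example is added here and is not part of the book or of IIS; it implements that evaluation so you can check, before exposing a server, which client addresses a given configuration would admit. It builds the intranet-only case from the text (deny by default, grant the organization's networks) and the opposite case of granting by default and denying selected computers. Exceptions given as domain names, which the text says require DNS, are left out. All addresses are constructed for the example.

```python
import ipaddress


class AccessPolicy:
    """Default grant or deny plus exceptions, as on the WWW Advanced tab."""

    def __init__(self, grant_by_default):
        self.grant_by_default = grant_by_default
        self.exceptions = []  # ipaddress network objects; a single computer is a /32

    def add_single_computer(self, ip):
        """Exception for one computer, identified by its IP address."""
        self.exceptions.append(ipaddress.ip_network(ip))

    def add_group(self, ip, subnet_mask):
        """Exception for a group of computers given as IP address plus subnet mask.

        strict=False accepts a host address inside the group as well as the
        network address, so "10.1.2.3" with mask 255.255.0.0 means 10.1.0.0/16.
        """
        self.exceptions.append(ipaddress.ip_network("%s/%s" % (ip, subnet_mask), strict=False))

    def is_exception(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.exceptions)

    def allows(self, client_ip):
        """An exception inverts the default: denied under grant-by-default,
        granted under deny-by-default."""
        return self.grant_by_default != self.is_exception(client_ip)


def intranet_only_policy(company_networks):
    """Deny by default and grant only the listed (ip, subnet_mask) groups."""
    policy = AccessPolicy(grant_by_default=False)
    for ip, mask in company_networks:
        policy.add_group(ip, mask)
    return policy


def evaluate(policy, client_ips):
    """Return {client_ip: True/False} for a list of candidate clients."""
    return {ip: policy.allows(ip) for ip in client_ips}


if __name__ == "__main__":
    # Constructed networks and clients; nothing here describes a real site.
    intranet = intranet_only_policy([("10.1.0.0", "255.255.0.0"), ("192.168.5.0", "255.255.255.0")])
    print(evaluate(intranet, ["10.1.200.7", "192.168.5.20", "192.168.6.20", "203.0.113.9"]))
```

When reviewing a policy, the deny-by-default form is the one to prefer for an intranet server: a mistake in the exception list then fails closed, whereas a forgotten entry under grant-by-default silently admits the computer.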
FTP
To configure the FTP service running on a server, double-click the FTP service name or computer name in any of the views to bring up the FTP Service Properties dialog box, which displays tabs for each category that can be configured. The categories are as follows:
The Directories, Logging, and Advanced tabs are identical to those used for the WWW service. Refer to the earlier section "WWW" for more information on setting these options. The Service and Messages tabs, which are different for the FTP service, are outlined in the following sections.
The Service tab on the FTP Service Properties dialog box is used to set various connection options for your FTP server (see Figure 18.22). To set Service options, click the Service tab on the FTP service property sheets dialog box and follow these steps:
NOTE: Most FTP users use anonymous as their user names and their e-mail addresses as passwords to log in to FTP servers. In such instances, the IUSR_computername account is used for validating permissions for files and directories.
TIP: You can control the access given to the IUSR_computername anonymous account by changing its permissions using the File Manager. Alternatively, you can specify another account on your network as the anonymous logon account.
CAUTION: The FTP protocol uses clear text for transmitting passwords (which are not encrypted prior to transmission) and is not a secure method of communication. It is possible to capture information, including passwords, transmitted over the network using protocol analyzers. This is why FTP is mostly used to transfer files and information of a non-sensitive nature.
FTP Service connection options are set using the Service tab on the FTP Service Properties dialog box.
The FTP Messages tab is used to display messages to clients connected to your FTP server (see Figure 18.23). You can display a welcome message when they initially connect, perhaps to explain the services offered. You can also display an exit message when they disconnect and a maximum connections message to notify users that the FTP service is already supporting the maximum number of users for which the server is configured.
The Messages tab allows system administrators to set up greeting messages for users connecting to the FTP service.
To set Messages options, click the Messages tab on the FTP service property sheets dialog box and perform the following steps:
Gopher
To configure the Gopher service running on a server, double-click the Gopher service name or computer name in any of the views to bring up the Gopher Service Properties dialog box. You can then configure the following categories:
The Directories, Logging, and Advanced tabs are identical to those used for the WWW service. Refer to the earlier section "WWW" for more information on setting these options. The Service tab, which is different for the Gopher service, is outlined in this section.
The Gopher Service tab is used to set various connection options for your Gopher server (see Figure 18.24). To set Service options, click the Service tab on the Gopher service property sheets dialog box and follow these steps:
CAUTION: Make sure that the Service Administrator account name and e-mail address you specify is valid. Otherwise, mail sent by users will be bounced back to them.
Gopher service connection options can be set using the Service tab on the Gopher Service Properties dialog box.
Installing and operating an IIS server involves paying special attention to the security issues involved. If you are running a server being accessed by thousands of users from around the world, security of your server content and other computers on your enterprise network becomes an important issue. IIS was developed with security as one of the most important design goals. Microsoft fulfills the security needs of administrators by integrating security for IIS with the security model built into Windows NT.
Windows NT provides powerful security features for user authentication, access control, and auditing. IIS leverages these capabilities of the Windows NT operating system to provide security for its Internet-based services.
Windows NT uses a security model that handles security for all services using a single logon authentication mechanism. By creating user accounts and setting access permissions for those accounts, administrators can control what resources and services are available to users. You can minimize the chance of security problems for IIS machines by adopting the following standards:
NOTE: The IUSR_computername is created as part of the IIS installation process.
See "Setting Up Auditing," (Ch 5)
See "Setting Permissions on Shared Resources," (Ch 7)
In addition, the Internet Service Manager includes a tool for creating Secure Sockets Layer (SSL) security keys for your IIS server. Figure 18.25 shows this tool, the Key Manager, which is used for creating and installing SSL keys on your IIS server.
Key Manager can be used to create, set up, and manage security keys for SSL-based secure transactions on your IIS server.
NOTE: To complete installation of a newly created key, you must obtain a key certificate from a certificate issuing organization, such as VeriSign.
See "Implementing Internet Security," (Ch 25)
The most difficult and time-consuming task in your efforts to set up IIS services is to create content for your services. After you have configured your IIS machine, set configuration parameters using Internet Service Manager property sheets, created directory structures, and handled security issues, you will need to create the data files that constitute the content displayed to users accessing your IIS services.
The three services provided by IIS each require you to follow content creation guidelines that enable them to service user requests for information quickly and efficiently. The following sections discuss content creation and publishing issues for the three IIS services: WWW, FTP, and Gopher.
WWW content creation and information publishing requires you to create special files called HTML documents. HTML files are simple ASCII text files that can be created using any text editor, such as Notepad. However, using a text editor and writing HTML files requires you to know the scripting syntax used by the language. Most content creators use special tools designed expressly for the creation of HTML documents (for example, Microsoft Internet Studio and Microsoft FrontPage).
See "Hypertext Markup Language," (Ch 17)
TIP: When creating your WWW service content files, make sure that your files do not take a long time to load. HTML files that include a lot of large images may take a long time to load over client connections with slow modems.
HTML files are a combination of text, links to other files, links to images, links to sound files, and so on. You must create the image files, sound files, and other file types that will be employed by your WWW service using tools that enable the creation of such files. For example, you can create sound files using the Sound Recorder utility included with Windows NT. After you have created the content files for your WWW service, you can copy the files to the appropriate directories for access by clients using browsers, such as Internet Explorer.
CAUTION: Make sure that you set appropriate permissions on your content files. Provide only read permissions for HTML files and Execute permissions for executable programs and scripts. You should set permissions through both the Internet Service Manager and the NTFS file system security.
In addition to the creation of HTML documents for Web browsing, you can also allow users to remotely execute applications on your WWW server to accomplish tasks. For example, a WWW server providing phone book directory assistance might require you to enter a search name on an HTML page and then click an execute button on the page to query an online phone database for the information. Such dynamic tasks are accomplished by creating executable programs that can receive data from Web pages, parse the information, and return the results back to the user.
IIS uses two methods for creating dynamic WWW content (which are discussed in the following sections):
Using CGI
To create CGI applications, you can use any programming language that enables you to create Windows executable programs. You can also use a scripting language, such as Perl for Windows NT, to create executable scripts.
After you have created your application, you can make it available to your users by simply placing it in the /Scripts directory. The /Scripts directory is a directory created by the IIS installation program for holding executable programs and scripts. By default, the /Scripts directory has only execute permissions to prevent users from copying or replacing your directory contents.
TIP: Use the File Manager to set appropriate permissions on all your /Scripts directory files.
After your application is created and appropriately set up in the /Scripts directory, clients can run your application in one of two ways.
If your application requires no data input, you can create a hypertext link on a page to execute your application. For example, a hypertext link to run an application that displays a quote of the day would look something like "Click Here to Get the Quote of the Day." Users can click this hyperlink on a Web page and get their quote of the day.
If your application requires data from the users to execute, you can create an HTML form that prompts them for input. For example, you might want users to register before accessing your WWW site. To do so, you can create a simple page that requires each user to enter a name and e-mail address. After entering the information, the user clicks a Submit button to start an application that stores the information in a server-based database file.
See "Common Gateway Interface," (Ch 17)
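The registration form just described is the second of the two ways to run a CGI application: the browser submits a form, and the program parses the submitted fields, stores them, and returns a page. The following Python example is added here and is not code from the book; it shows the server side of that exchange with the two checks an administrator should insist on in anything placed in /Scripts: the fields are validated before use, and the database write uses a parameterized query while anything echoed back to the user is HTML-escaped. The form field names, the SQLite database, and the sample request body are constructed for the example.

```python
import html
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample body, as a browser sends it for a form posted with the
# default application/x-www-form-urlencoded encoding.
SAMPLE_BODY = "name=Jane+Doe&email=jane%40example.com"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def open_database(path=":memory:"):
    """Server-based database file holding registrations (in-memory by default)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS registrations (name TEXT NOT NULL, email TEXT NOT NULL)")
    return conn


def parse_form(body):
    """Parse a urlencoded form body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_registration(fields):
    """Return an error message, or None when the submitted fields are acceptable.

    The program cannot trust what the browser sent, so lengths and the
    e-mail shape are checked before anything is stored.
    """
    name = fields.get("name", "").strip()
    email = fields.get("email", "").strip()
    if not 1 <= len(name) <= 80:
        return "name must be between 1 and 80 characters"
    if len(email) > 254 or not EMAIL_RE.match(email):
        return "e-mail address is not valid"
    return None


def store_registration(conn, name, email):
    # Parameterized statement: user input never becomes part of the SQL text.
    conn.execute("INSERT INTO registrations (name, email) VALUES (?, ?)", (name, email))
    conn.commit()


def registration_count(conn):
    return conn.execute("SELECT COUNT(*) FROM registrations").fetchone()[0]


def register(body, conn):
    """Handle one form submission. Returns (status_code, html_body)."""
    fields = parse_form(body)
    error = validate_registration(fields)
    if error:
        return 400, "<html><body><p>Registration failed: %s</p></body></html>" % html.escape(error)
    name, email = fields["name"].strip(), fields["email"].strip()
    store_registration(conn, name, email)
    # Escaping makes a name such as <b>Eve</b> render as text instead of markup.
    return 200, "<html><body><p>Thank you, %s. We will write to %s.</p></body></html>" % (
        html.escape(name), html.escape(email))


def cgi_response(status, body):
    """A CGI program answers on standard output: headers, blank line, body."""
    reason = {200: "OK", 400: "Bad Request"}[status]
    return "Status: %d %s\r\nContent-Type: text/html\r\n\r\n%s" % (status, reason, body)


if __name__ == "__main__":
    db = open_database()
    status, page = register(SAMPLE_BODY, db)
    print(cgi_response(status, page))
```

On a real IIS installation the body would be read from standard input and the result written to standard output; the validation and escaping are what distinguish a script that is safe to leave in /Scripts from one that is not.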
Using ISAPI
The ISAPI method uses the exact same concepts as CGI, but is different in one very important respect: ISAPI applications are created using the Microsoft BackOffice Software Developers Kit and are Windows NT DLLs. As such, ISAPI applications are loaded as server runtime DLLs at server startup. Only one instance of an ISAPI application is needed to service requests from multiple clients. By contrast, every request for a CGI application starts a new instance of the application.
See "ISAPI," (Ch 47) in Special Edition Using Microsoft BackOffice, Volume 2
Because ISAPI applications are loaded at server startup, they provide a significant performance boost over CGI applications that are loaded when a client request comes through. However, loading all ISAPI DLLs at server startup results in a longer startup time. And as mentioned previously, ISAPI DLLs are loaded in the same memory space as the IIS server and a misbehaved ISAPI DLL can hang the entire IIS subsystem.
IIS includes a powerful feature for creating database-enabled WWW content called the Internet Database Connector. The Internet Database Connector, in conjunction with ODBC, enables you to create Web pages to publish information contained in back-end databases, such as Microsoft SQL Server. The following section discusses the Internet Database Connector feature of IIS.
Using Internet Database Connector and ODBC
Using the Internet Database Connector interface and ODBC, you can create Web pages that enable you to retrieve and display information from databases, such as Microsoft SQL Server. The Internet Database Connector is an ISAPI application called HTTPODBC.DLL. This application is nothing more than an interface that uses ODBC to communicate with the database. The Internet Database Connector can be used to do the following:
Creating the content for your FTP service is a straightforward and simple procedure. After you have decided what files need to be made accessible to users, you can copy those files to the appropriate FTP directories.
CAUTION: Make sure that you set appropriate permissions on your content files. Most FTP directories should only have read permissions. Provide a directory for user uploads with write permissions. You should set permissions through both the Internet Service Manager and the NTFS file system security using File Manager.
FTP directory structure is usually created to logically group files by function or topic. For example, you can have an FTP server that provides users access to software patches and online user guides. You can create a directory structure in which all software patches are stored under a directory called patches and user guides are stored under a directory called guides. This reduces directory clutter and provides users with an easy way to get to the files they are looking for.
Creating content for your Gopher server is similar to FTP. You can place Gopher files in the appropriate directories for browsing by users.
CAUTION: Make sure that you set appropriate permissions on your content files. Gopher directories should only have read permissions. You should set permissions through the NTFS file system security using File Manager.
Gopher enables you to create links to other Gopher servers using a technique called tag files. Tag files are special ASCII files stored in the Gopher directory, and they define links to other Gopher resources across the network and the Internet. Microsoft provides a utility called gdsset for creating tag files. Tag files are stored as hidden files. You can edit tag files using any text editor.
To get more information on creating tag files and the syntax for the gdsset utility, type gdsset at the Windows NT command line.
This chapter presents the features of Internet Information Server as well as instructions on setting up and installing IIS, securing your IIS installation, and creating content for your IIS services. For more information on these and related issues, see the following chapters:
© Copyright, Macmillan Computer Publishing. All rights reserved.