Special Edition, Using Microsoft BackOffice, Ch. 11

11 - Implementing Internet Information Server

by Azam A. Mirza

  • How to set up Internet Information Server - Learn how to set up and install the Internet Information Server. Issues relating to TCP/IP configuration are discussed.

  • Services provided by Internet Information Server - Learn about the services provided by the Internet Information Server and the features they support.

  • How to use the Internet Service Manager - Learn about administering Internet Information Server services using the Internet Service Manager. Features of the Internet Service Manager are explored.

  • Internet Information Server security - Learn about setting up security for the Internet Information Server and how the security features of Windows NT Server can be used to secure your Internet connectivity infrastructure. Also discussed are techniques used for conducting secure communications over the Internet.

  • Creating content for Internet Information Server services - See how to create and publish content for your Internet Information Server services for internal enterprise use and external Internet community. Learn how to create dynamic Web pages and provide access to information stored on database servers such as Microsoft SQL Server.


In Chapter 10, "Preparing for Internet Information Server," you learned why the Internet Information Server (IIS) is so vital to your enterprise and what it can do for your enterprise. In this chapter, you learn how to set up IIS on your enterprise network to provide Internet and intranet services for your users.

Detailed information is provided to help you set up an IIS server for your enterprise, configure services on your IIS server, and learn to use the Internet Service Manager for managing your enterprise IIS servers. You also learn about IIS security features and how to set up a secure IIS infrastructure. Finally, you learn how to create content for your IIS services and publish information for use by your enterprise users and the Internet community.

Setting Up Your Internet Information Server

In this section, you learn how to set up Internet Information Server (IIS). IIS allows you to set up services for running a WWW site, an FTP site, and a Gopher site. Before you can install IIS, you need to complete the following steps:

  • Set up and configure a computer with Windows NT Server 3.51 or higher.


    Internet Information Server can only be installed on machines running Windows NT Server 3.51 with Service Pack 3 or higher applied.

  • Make sure that you have the logon ID and password for an administrator account with full permissions on the new IIS server computer.

  • Disable or remove any previous versions of IIS, especially beta versions.

  • Make sure that TCP/IP is installed on your computer. (See Chapter 8, "Using TCP/IP With Windows NT Server," for more information.)

  • If you have any other WWW, FTP, or Gopher services running on your computer, you must disable them. For example, the FTP service included with Windows NT Server must be disabled.

  • Using the Control Panel Network applet, make sure that an Internet domain name is defined for your machine under the DNS configuration option.


    This should be the domain name provided by InterNIC if you have requested a registered domain name and IP addresses. If you are just creating an intranet server and you are not connected to the Internet, you can safely create your own domain name after checking with other network administrators to be sure that one isn't already in use. It should be a unique name, and should not match any existing Windows NT domain names.

  • Plan your directory structure for your WWW, FTP, and Gopher publishing files.

Make sure that you have performed the preceding steps before starting IIS installation.

Installing the Internet Information Server

To install IIS, follow these steps:

  1. From the Program Manager or File Manager, choose File, Run.

  2. In the Run dialog box, enter <path>:\setup.exe for the command line where <path> refers to the location where the setup file is located. For example, D:\IIS\SETUP.EXE.

  3. Click OK.

You can also open a command prompt and enter <path>:\setup.exe at the command line.


During setup, you can click the Help button at any time to get help on installing IIS.

After you have started the Setup program for IIS, take the following steps:

  1. Read the Welcome Screen shown in figure 11.1.

    Fig. 11.1 The Internet Information Server Setup Welcome Screen provides information about running the Setup program.

  2. Click OK. The Installation Options dialog box appears, as shown in figure 11.2.

    Fig. 11.2 The IIS Setup Installation Options dialog box offers the opportunity to select specific services you want to install or to select all of them, as shown here.

  3. Check all options that you want to install. By default, all available options are installed automatically.

  4. By default, IIS is installed in the c:\inetsrv directory. Click the Change Directory button if you want to change the installation directory for IIS. The Change Directory dialog box appears.

  5. Type in the IIS installation directory path or select it from the directory list box and click OK. Click Cancel to return without changing the installation directory.

  6. If the installation directory you specified does not exist, you will be prompted by the system prior to its creation. Click Yes to create the directory and continue with the installation.

  7. When the installation directory is created, the Publishing Directories dialog box appears, as shown in figure 11.3.

    Fig. 11.3 The Publishing Directories dialog box allows you to specify the root directory for the published content that will be offered by each of the three services.

  8. Publishing directory locations for WWW, FTP, and Gopher services are displayed. By default, all publishing directories are installed as subdirectories under the IIS installation directory. You can accept the default location, click the appropriate Browse button to select new locations for each service, or type in the directory locations manually. Click OK when finished.


    You might want to specify a different drive and location for your publishing directories to separate them from your IIS installation location. This is a particularly good idea if you will allow users to upload files to your server using FTP, or if you plan to run server-based applications from your Web pages. By separating the publishing directories from your IIS services, you can help to avoid accidentally assigning improper permissions that could lead to corrupted system files. It is simply easier to manage your server with all published data on a separate drive.

  9. If the publishing directories you specified do not exist, the Setup program asks if you want to create them. Click Yes.

  10. IIS Setup now completes installation of all components by copying files to the installation directories. The IIS Setup Progress dialog box appears to confirm that the Setup program is still active and display its current progress.


    The DNS domain name must be specified for the machine on which you are installing IIS. If a domain name is not specified, IIS Setup displays a warning message during setup reminding you to do so.

  11. If you selected the ODBC drivers option from the Installation Options dialog box, Setup displays the ODBC Driver installation dialog box. Select the drivers you want to install and click OK.

  12. After the setup is completed, the setup success dialog box appears.

  13. Click OK to end the installation process.

Setup automatically starts all services you installed by default and creates a Program Manager group for IIS called Microsoft Internet Server. To make sure that everything has been installed properly, you should verify that all IIS services have been started and check the event log for possible errors. You can check the status of IIS services using the Services applet in Control Panel. Check the event log using the Windows NT Event Viewer. IIS events appear in the Applications log.

The Setup program for IIS also installs the Microsoft Internet Explorer client browser software if the appropriate setup option is selected. However, you also can install the client software by using the setup.exe program from the appropriate directory under the client subdirectory on the IIS installation CD. This allows the installation of the client software on workstations across the enterprise.


IIS includes Microsoft Internet Explorer 2.0 for Windows 95 and Microsoft Internet Explorer 1.5 for Windows NT, Windows 3.1, and Windows for Workgroups 3.11.

Internet Explorer 1.5 for Windows 3.1 and Windows for Workgroups 3.11 require Win32s. If Win32s is not installed on a target machine, it is installed as part of the Internet Explorer setup process.

As part of the IIS installation process, a sample WWW tour of IIS features is set up automatically. Make sure that you navigate through the sample pages to get an idea of what a WWW, FTP, and Gopher site setup looks like.

Now that you have successfully installed IIS, you may configure your IIS services by using the Internet Service Manager. The next section discusses the Internet Service Manager in detail.

Using the Internet Service Manager

The Internet Service Manager is the graphical tool used for centrally administering all IIS servers in an organization. Internet Service Manager allows for the configuration and monitoring of all IIS services from a central location. By default, the icon for the Internet Service Manager is placed in the Microsoft Internet Server program group during setup.


The Internet Service Manager is automatically installed on your IIS server during installation, but it can also be installed (using a separate Setup program) on machines other than the server. This allows remote administration of IIS servers from any Windows NT workstation or another Windows NT server.

The Internet Service Manager can be run from any computer running Windows NT Workstation or Windows NT Server that is connected to the same network as the IIS server. It can also be run from a computer connected to your enterprise network from the Internet. Internet Service Manager uses the Windows NT security protocol for user authentication and allows secure connections to IIS over the Internet and from remote administration computers. The Internet Service Manager is shown in figure 11.4.

Fig. 11.4 The Internet Service Manager main window shown in this figure is managing a single server (named RAJA), which is running all three services available with IIS.

Internet Service Manager can be used to perform the following administration tasks on IIS servers:

  • Find all Internet Information Servers connected to a network

  • Connect to individual Internet Information Servers

  • View Internet Information Server data as a report, by service, or by server

  • Start, stop, or pause Internet Information Servers

  • Use property sheets, tabbed dialog boxes that allow you to configure the services on Internet Information Servers

Each of these tasks is explained in detail in the following sections.

Finding Internet Information Servers

Internet Service Manager can find all servers running IIS on your network. It uses one of two methods to find servers running IIS:

  • Windows Internet Name Service (WINS)

  • TCP/IP broadcasts

If WINS is used on your network, Internet Service Manager automatically finds any servers running IIS services. This is accomplished because servers running IIS services automatically register with WINS servers. Therefore, when an Internet Service Manager attempts to find servers running IIS services on its startup, WINS returns the addresses of registered servers.

However, if WINS is not being used on your network, then the Internet Service Manager uses TCP/IP broadcasts to find servers running IIS services.


Internet Service Manager cannot find servers running IIS services across routers by using TCP/IP broadcasts. To find servers running across routers, you must use WINS.

You can query for servers running IIS on your network by choosing Properties, Find All Servers in the menu, as shown in figure 11.5.

Fig. 11.5 Using the Properties, Find All Servers menu option provides the capability to discover servers running IIS services on your network.

See "Windows Internet Name Service (WINS)," (Ch. 8)

Connecting to Internet Information Servers

After you have used the Internet Service Manager to find the servers running IIS services on your network, you can connect to those servers for administrative purposes. To perform administrative tasks, you must be logged on with an account belonging to the Administrators group on the IIS server. To connect to a server running IIS services, perform the following steps:

  1. Choose Properties, Connect to Server from the menu.

  2. In the server name dialog box, type in the name of the server you want to connect to.

or

  1. Choose Properties, Find All Servers.

  2. When the list of found servers is displayed, double-click the server name you want to connect to.

After you have connected to a server it will be added to your Internet Service Manager window. The stoplight icons representing the various services will indicate the status (started, stopped, or paused) of the services running on the server, and you will be able to open the properties sheets for the server to configure its services.

Viewing Internet Information Servers

Internet Service Manager's simple and elegant graphical user interface provides a lot of flexibility for administrators. You can choose to view the information being displayed by Internet Service Manager in three different styles based on your preference:

  • Reports view

  • Servers view

  • Services view

To switch between different views, choose the appropriate viewing option from the View menu.

Each of these views is discussed in the following sections.

Reports View

Reports view is the default view used by the Internet Service Manager. It lists all the servers running IIS services in alphabetical order. One line is used for each installed service. The Reports view is the only view that allows you to sort information alphabetically. You can sort by server name, service type, service state, and comments. To sort, click the column headings in the Reports view.


You can use sorting to quickly find out the state of services running on your network. For example, by clicking the state column, you can determine which services are stopped or paused on your network.

Figure 11.6 shows the Internet Service Manager running in Reports view.

Fig. 11.6 When viewing servers running IIS services using the Reports view, you can sort the displayed information by clicking on a column heading.

The Reports view is most useful when you only have one or two servers running IIS services. If many servers on your network are running IIS services, it is easier to view information using one of the other two views.

Servers View

The Servers view lists servers running IIS services on the network by computer name. You can double-click the plus sign next to a server name to display the IIS services running on that server. Figure 11.7 shows the Internet Service Manager running in Servers view.

Fig. 11.7 This figure depicts the Internet Service Manager window viewing a server running all IIS services using the Servers view.

Servers view is most useful when you are trying to determine the status of services on a particular computer running IIS services.

Services View

Services view displays the information by service type for computers running IIS services on your network. You can double-click the plus sign next to the service name to display the servers running that service. Figure 11.8 shows the Internet Service Manager running in Services view.

Fig. 11.8 The Services view in the Internet Services Manager provides an easy way to determine which servers are running a particular service.

Services view is most useful for enterprises running multiple servers in distributed sites. It makes it easy to determine which servers are running a particular IIS service.


You can apply filters in any view by choosing the service filter commands from the View menu. For example, to view only WWW services, you can deselect the FTP and Gopher options in the View menu. Choose All to clear the filter and view all services.

Administering Internet Information Servers Remotely

You can install the Internet Service Manager on any computer running the Windows NT Workstation and Windows NT Server operating systems and administer any server running IIS services from a central administrative computer.

You can install Internet Service Manager over the network by creating a share to the \Admin directory on the Internet Information Server installation CD-ROM and connecting to it from the remote computer. You can then run the setup.exe program for the Internet Service Manager remotely from the newly created share.


Internet Service Manager can be used to administer servers running IIS services from the Internet also.


If you are going to use Internet Service Manager across the Internet, make sure that you are using a Windows NT Logon ID and password and the Windows NT Challenge/Response authentication protocol for user validation. Do not use the clear text method for sending passwords across the Internet.

Starting, Stopping, and Pausing Services

You can use the Internet Service Manager to change the state of IIS services running on your network with a simple procedure. Services can be in one of three states:

  • Running (Started)

  • Paused

  • Stopped

To change the state of an IIS service running on a computer follow these steps:

  1. Select the service you want to start, stop, or pause in the Internet Service Manager.

  2. Choose Properties, Start Service, Stop Service, or Pause Service.

You can also use the appropriate toolbar button to start, stop, or pause a service.

The graphical view of the Internet Service Manager makes it easy to determine which services are started, stopped, or paused. For example, by using the sort option in Reports view, you can sort services by service state to get a quick snapshot of which services are running.

Using Property Sheets to Configure Your Internet Information Server

Internet Service Manager allows configuration and management of IIS services by using property sheets. Property sheets are tabbed dialog boxes for configuring all options for a particular service. You can use property sheets to configure all three IIS services:

  • WWW

  • FTP

  • Gopher

The property sheets for each of these services are described in detail in the following sections.

WWW

To configure the WWW service running on a server, double-click the WWW service name or computer name in any of the views to bring up the WWW Service Properties for <servername> dialog box, as shown in figure 11.9.

Fig. 11.9 This figure shows the WWW service being configured using the Service Properties dialog box in the Internet Service Manager.

The Service Properties dialog box displays tabs for each category that can be configured. The WWW property sheets can be used to configure the following categories:

  • Service

  • Directories

  • Logging

  • Advanced

Each of these categories is discussed in detail in the following sections.

Service
The WWW Service tab is used to set various connection options for your WWW server. Figure 11.9 shows the WWW Service tab. To set Service options, click the Service tab on the WWW Service Properties dialog box and follow these steps:

  1. In the Connection Timeout box, specify the number of seconds before a user is disconnected from your IIS machine. The default value is 900 seconds (15 minutes). You can increase or decrease this value based on your preference. Idle users will be disconnected after the specified time period to free up server resources.

  2. The Maximum Connections box is used to limit the number of users that can simultaneously connect to the WWW service. The default value is 1,000 connections. The setting for this field depends on your network bandwidth, available resources, and the speed of your server running IIS.

  3. The Anonymous Logon options allow you to specify the user name and password that will be used by the WWW service to facilitate anonymous connections to your server. By default, IIS creates and uses the account IUSR_computername to facilitate anonymous logons. Most Internet sites allow anonymous logons for user connections.


    You can control the access allowed to the IUSR_computername anonymous account by changing its permission using the User Manager or by specifying another account on your network as the anonymous logon account.

  4. The Password Authentication options allow you to specify the method used for authenticated logons. If your server does not allow anonymous logons, or the client software requests user validation, the authentication schemes specified will be used. Three authentication options are available:

    • Allow Anonymous. If checked, the WWW service uses the anonymous logon ID and password set up in the preceding step for authenticating all user connections.

    • Basic. If checked, Basic authentication uses clear text to verify user connections. If used in conjunction with the SSL security scheme, it allows the use of encrypted logon IDs and passwords. All browsers support the basic authentication mechanism.


      Transmitting clear text passwords over the Internet can compromise your network security. It is possible to capture passwords over the network using protocol analyzers.

    • Windows NT Challenge/Response. If checked, uses the Windows NT Challenge/Response authentication method. This is the most secure form of user authentication. Internet Explorer 2.0 or higher supports this authentication method.

  5. The Comments box is used to specify the comment displayed by the Internet Service Manager in the Reports view.

  6. Click OK to continue, or click Apply to immediately enforce the changes.

Directories
The WWW Directories tab is used to set up directories used by the server and set their properties. Figure 11.10 shows the WWW service Directories tab.

Fig. 11.10 WWW Directories and their properties can be configured using the Directories tab on the WWW Service Properties dialog box.

The Directory list box lists the current directories set up for the WWW service. It displays the following information:

  • Directory. The path to the directory being used

  • Alias. The path name used by users to get to the physical directory location.

  • Address. The IP address of the virtual server if the directory resides on a virtual server

  • Error. System errors with the directory mapping, such as unable to read directory contents

IIS by default creates two directory mappings for your WWW service:

  • Home. The home directory points to the root directory set up by IIS for your WWW service. It has an alias of <Home>. There can be only one home directory for every IIS machine.

  • Scripts. The scripts directory with an alias of /Scripts.

If checked, the Enable Default Document option allows you to specify the default document that will be loaded if a user does not specify a file name when connecting to your WWW service.


You can specify a default document in every directory to be displayed if the user does not specify a file when connecting to that directory.

If checked, the Directory Browsing Allowed option allows you to provide access to the directories and files stored under your root WWW directory. When this occurs, the user is presented with a hypertext listing of your directory structure similar to the Windows File Manager format.


Virtual directories are not displayed even if directory browsing is enabled. To view a virtual directory, users must know the URL address or use a hyperlink to get to them.

See "Uniform Resource Locator," (ch. 9)

You can use the Add, Remove, and Edit Properties buttons to specify the directory structure for your WWW service. To add a directory, follow these steps:

  1. Click Add on the Directories tab. The Directory Properties dialog box appears (see fig. 11.11).

    Fig. 11.11 Add new directories to your WWW service using the Directory Properties dialog box.

  2. Specify a new directory name in the Directory box or use the Browse button to select a directory.


    If you specify a directory name, you need to create that directory manually. Internet Service Manager does not automatically create the directory for you. If the directory does not exist, the Directory list box displays an error message.

  3. Select the Home Directory option button or the Virtual Directory option button. If you select Virtual Directory, specify the alias to use for the directory.

  4. If the directory you specified is a network share name (for example, \\Servername\Path), you can use the Account Information options to specify a user name and password to use to connect to the network share. The Account Information options are only available for directories specified using the network share name method.

  5. If the directory you are adding points to a virtual server, check the Virtual Server option and specify a Virtual Server IP Address. Virtual servers and virtual directories make it appear that more than one WWW server is available to users using the same machine.


    The default directories created by IIS do not have IP addresses assigned to them. You must do so manually. To create virtual servers, you must assign IP addresses to the home directory and all virtual directories on an IIS machine for each virtual server you will create.


    To bind additional IP addresses to your network card, use the Network applet in Control Panel. Your computer will then be a "multihomed" host in TCP/IP terminology. See "Installing and Configuring TCP/IP for Windows NT Server" in Chapter 8 for more details.

  6. The Access check boxes allow you to specify user access permission for the directory. Click the Read check box to allow users read access to a directory.

  7. Click the Execute check box if this is a directory for storing executable programs. The option is enabled by default for the Scripts directory created by IIS, which stores program executables.


    For security reasons, you should never allow users Read access to directories containing executable programs and scripts because this may allow them to copy your program files.

  8. The Require Secure SSL channel option allows you to use SSL security for accessing the contents of this directory.

  9. Click OK to return to the Directories tab.

If you want to remove a directory, simply select it in the Directory list box on the Directories tab and click Remove. To edit properties for a directory, select it in the Directory list box and click Edit Properties. The Directory Properties dialog box appears. Make the appropriate changes and click OK to return to the Directories tab.
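The following Python model of the Directory list box is an added example, not code from the book or from IIS. It mirrors the fields of the Directory Properties dialog box (physical directory, alias, and the Read, Execute and Require Secure SSL channel check boxes), resolves a requested URL path to a physical path through the longest matching alias (falling back to the home directory, as the chapter describes), enforces the flags, and audits for the combination the chapter warns against: Read access on a directory that also has Execute. The directory paths and aliases in SAMPLE_DIRECTORIES are constructed, and the longest-prefix matching rule and the rejection of ".." components are assumptions about how such a resolver should behave, not documented IIS behaviour.

```python
"""Model of the WWW Directories table (added example; not IIS code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DirectoryEntry:
    directory: str          # physical path (constructed sample values below)
    alias: Optional[str]    # None = the home directory, shown as <Home> in the list box
    read: bool = False      # Read check box
    execute: bool = False   # Execute check box
    require_ssl: bool = False  # Require Secure SSL channel check box


# Constructed sample configuration: the two defaults (<Home> and /Scripts)
# plus two virtual directories, one of them deliberately misconfigured.
SAMPLE_DIRECTORIES = [
    DirectoryEntry(r"C:\inetsrv\wwwroot", None, read=True),
    DirectoryEntry(r"C:\inetsrv\scripts", "/Scripts", execute=True),
    DirectoryEntry(r"D:\pub\reports", "/Reports", read=True, require_ssl=True),
    DirectoryEntry(r"C:\inetsrv\tools", "/Tools", read=True, execute=True),
]


def resolve(url_path, entries):
    """Map a URL path to (entry, physical_path).

    Assumed rule: the longest alias that matches on whole path components
    wins (so /Scriptsx does not match /Scripts); anything else falls under
    the home directory.
    """
    best = None
    for e in entries:
        if e.alias is None:
            continue
        alias = e.alias.rstrip("/")
        if url_path == alias or url_path.startswith(alias + "/"):
            if best is None or len(alias) > len(best.alias.rstrip("/")):
                best = e
    if best is None:
        entry = next(e for e in entries if e.alias is None)
        rest = url_path.lstrip("/")
    else:
        entry = best
        rest = url_path[len(best.alias.rstrip("/")):].lstrip("/")
    physical = entry.directory.rstrip("\\")
    if rest:
        physical += "\\" + rest.replace("/", "\\")
    return entry, physical


def check_request(url_path, entries, wants_execute=False, over_ssl=False):
    """Apply the Access and Require Secure SSL channel settings to one request."""
    # Refuse parent-directory components so a request cannot escape its mapping
    # (an assumption about safe resolver behaviour, not a documented IIS setting).
    if ".." in url_path.split("/"):
        return "denied: path traversal"
    entry, physical = resolve(url_path, entries)
    if entry.require_ssl and not over_ssl:
        return "denied: SSL required"
    if wants_execute and not entry.execute:
        return "denied: no Execute access"
    if not wants_execute and not entry.read:
        return "denied: no Read access"
    return "allowed: " + physical


def audit_read_on_execute(entries):
    """Aliases granting both Read and Execute: the chapter says never to allow this."""
    return [e.alias or "<Home>" for e in entries if e.read and e.execute]


if __name__ == "__main__":
    for path, ex, ssl in [("/Scripts/query.exe", True, False),
                          ("/Scripts/query.exe", False, False),
                          ("/Reports/q1.htm", False, False),
                          ("/Reports/q1.htm", False, True),
                          ("/Reports/../../boot.ini", False, True)]:
        print(path, "->", check_request(path, SAMPLE_DIRECTORIES, ex, ssl))
    print("Read+Execute directories:", audit_read_on_execute(SAMPLE_DIRECTORIES))
```

Running the audit against a real server's directory list is the check to repeat after every Edit Properties change: a directory that answers both Read and Execute requests lets a browser download the script source instead of running it.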

Logging
The WWW Logging tab is used to specify logging options used by your WWW service. Logging can be used to store information about who accessed your WWW service and what information they accessed. Logging information can be stored in log files, or you can use an ODBC compatible database such as Microsoft SQL Server to store logging information. Figure 11.12 shows the WWW service Logging tab.

Fig. 11.12 WWW service Logging options can be used to record user activity on IIS machines.


You can use a single log file or a single Microsoft SQL Server database to store logging information from multiple IIS machines if you want to consolidate the information in one location.

To configure Logging options, click the Logging tab on the WWW Service Properties dialog box and follow these steps:

  1. Click the Enable Logging check box to start logging for the WWW service.

  2. Choose the Log to File or Log to SQL/ODBC Database option button.

  3. If you choose the Log to File option, you have the following choices:

    • Automatically Open New Log. Creates a new log based on the options available. Specify a new log file logging interval by selecting Daily, Weekly, Monthly, or When File Size Reaches.

    • When the File Size Reaches. Specify, in megabytes, the file size at which a new log file should be created.

    • Log File Directory. Specify the directory name and path where all log files will be stored or use the Browse button to specify a directory.

    • Log File Name. Displays the naming convention that will be used to store the log files. The yymmdd will be replaced with the two digit year, month, and day numbers to come up with unique names for log files.


    If you do not use the Automatically Open New Log File option, the same log file will be used indefinitely. As stated earlier, you must select an existing directory or manually create a new directory for log files using the File Manager or the MKDIR command.

  4. If you chose the Log to SQL/ODBC Database option, you must configure the following options:

    • ODBC Data Source Name (DSN). Specifies the data source name that will be used to connect to the database for logging.

    • Table. Specifies the name of the table that will store the logging information.

    • User Name. Specifies the user name that will be used to connect to the database.

    • Password. Specifies the password that will be used to connect to the database.


    You must use the ODBC Applet in the Control Panel to create the specified system ODBC data source.

  5. Click OK to continue, or click Apply to immediately implement the changes.


Logging to an ODBC data source is slower than logging to a file. Sites with heavy traffic should either log to a file for performance reasons or add processing power to the server to support the additional load, for example by adding a processor and a higher-performance disk subsystem.
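The following Python functions are an added example, not code from the book or from IIS. They model the Log to File rules from the Logging tab: the yymmdd substitution in the Log File Name, the Daily, Weekly, Monthly and When File Size Reaches rollover choices, and the requirement that the Log File Directory already exist. The "in" prefix in LOG_NAME_PATTERN is an assumption for illustration (use whatever the Log File Name field on your server shows), weeks are assumed to start on Monday, and the chapter does not describe how a same-day size-based rollover is named, so that function only returns the rollover decision.

```python
"""Log File Name and Automatically Open New Log rules (added example; not IIS code)."""
import os
from datetime import date, timedelta

# Assumed pattern; the Logging tab shows the real one. Only yymmdd is substituted.
LOG_NAME_PATTERN = "inyymmdd.log"


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def log_file_name(day, pattern=LOG_NAME_PATTERN):
    """Replace yymmdd with the two-digit year, month and day, as the Logging tab describes."""
    return pattern.replace("yymmdd", _as_date(day).strftime("%y%m%d"))


def period_start(day, interval):
    """First day of the Daily, Weekly or Monthly period containing `day`."""
    day = _as_date(day)
    if interval == "daily":
        return day
    if interval == "weekly":
        return day - timedelta(days=day.weekday())   # Monday start (assumption)
    if interval == "monthly":
        return day.replace(day=1)
    raise ValueError(f"unknown interval: {interval}")


def should_open_new_log(interval, opened_on, today, size_bytes=0, limit_mb=None):
    """True when the Automatically Open New Log rule says a new file is due.

    interval is "daily", "weekly", "monthly" or "size"; for "size", limit_mb is
    the When File Size Reaches value in megabytes and size_bytes the current
    size of the open log file.
    """
    if interval == "size":
        if limit_mb is None:
            raise ValueError("limit_mb is required for size-based rollover")
        return size_bytes >= limit_mb * 1024 * 1024
    return period_start(today, interval) != period_start(opened_on, interval)


def log_path_for(directory, day):
    """Full path of the day's log file.

    Fails early if the Log File Directory was never created, which is the
    condition the chapter says you must avoid by creating it yourself.
    """
    if not os.path.isdir(directory):
        raise FileNotFoundError(f"log file directory does not exist: {directory}")
    return os.path.join(directory, log_file_name(day))


if __name__ == "__main__":
    print(log_file_name("1996-07-04"))
    print("weekly rollover on Monday:", should_open_new_log("weekly", "1996-07-04", "1996-07-08"))
    print("5 MB limit reached:", should_open_new_log("size", None, None, 5 * 1024 * 1024, 5))
```

The decision function is the part worth keeping in a monitoring script: if a server is configured for daily logs and the name of its newest log file does not match today's yymmdd, logging has silently stopped or the directory is missing, and that gap is what an intruder would want.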

Advanced
The WWW Advanced tab is used to specify access limits and to control the network traffic on your IIS machine. You can choose a default access option that either will grant access to all users or deny access to all users. Then you can specify individual computers or groups that are the exceptions to the default.

For example, if you want to use this IIS server as an intranet server for your organization only, you would deny access by default and add the IP addresses of your computers as exceptions to be granted access. If many computers are on your network, you can specify one or more groups of computers by using a domain name or IP address and subnet mask corresponding to the group(s). Your server must be configured to use DNS in order to employ this option. See Chapter 8, "Using TCP/IP with Windows NT Server" for more information.

In this section, the option of granting access by default and entering exceptions that will be denied access is described. Figure 11.13 shows the Advanced tab on the WWW Service Properties dialog box.

Fig. 11.13 The WWW service Advanced tab can be used to specify access control properties and network usage limits.

To configure Advanced options, click the Advanced tab on the WWW service property sheets dialog box and follow these steps:

  1. Select the Granted Access option for access control on your IIS machine. By default, all computers are granted access to your IIS machine.

  2. To exclude computers from having access to your IIS machine, specify computers that will be excluded using the Add button. Figure 11.14 shows the Deny Access On dialog box.

    Fig. 11.14 The Deny Access On dialog box is used to deny access to selected computers when a default policy that grants access to everyone has been chosen.

  3. In the Deny Access On dialog box, specify the computer or the group of computers that will be excluded using the IP addresses for those computers. For a group of computers, you must also specify a subnet mask used by the group of computers.

  4. Click OK to return to the Advanced tab.

  5. The specified computer or group of computers will show up in the excluded list. You can specify more computers to exclude or remove computers from the list by selecting them and clicking Remove. Use the Edit button to change the Deny Access On properties for a computer from the list.

  6. Select the Limit Network Use by all Internet Services on This Computer option to place a limit on the network bandwidth used by your IIS machine. The limit covers the outbound traffic of all the IIS services on this server, not just the WWW service, and controls how much data they can send to clients on the network. Enter the limit in the Maximum Network Use box; the default is 4,096 kilobytes per second (KBps). Choose a value suited to your network usage needs, for example one that leaves bandwidth for other servers sharing the same Internet link.

  7. When finished, click OK to continue, or click Apply to immediately enforce the changes.
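The following added example, which is not code from the book or from IIS, shows how the access list configured in the steps above is evaluated. Each entry is an address and a subnet mask; a single computer is entered with the mask 255.255.255.255, a group with its network address and subnet mask. With Granted Access selected the list holds computers to deny, with Denied Access selected it holds computers to grant. The function names, the policy helpers, and all addresses are assumptions constructed for the illustration.

```python
# Added example (not from the book or from IIS): evaluating an Advanced-tab
# style access list of (address, subnet mask) entries. Names and addresses
# are assumptions made for this illustration.

from typing import Iterable, List, Tuple


def dotted_to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 address to a 32-bit integer, strictly."""
    parts = dotted.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet in {dotted!r}")
        value = (value << 8) | int(part)
    return value


def valid_mask(mask: str) -> bool:
    """A subnet mask must be a run of 1 bits followed only by 0 bits."""
    inverted = (~dotted_to_int(mask)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def in_entry(client_ip: str, entry_ip: str, mask: str) -> bool:
    """True if client_ip falls inside the entry's network."""
    if not valid_mask(mask):
        raise ValueError(f"non-contiguous subnet mask {mask}")
    m = dotted_to_int(mask)
    return (dotted_to_int(client_ip) & m) == (dotted_to_int(entry_ip) & m)


def access_allowed(client_ip: str, grant_by_default: bool,
                   exceptions: Iterable[Tuple[str, str]]) -> bool:
    """Apply the Advanced tab policy.

    grant_by_default=True  : Granted Access selected, listed entries are denied.
    grant_by_default=False : Denied Access selected, listed entries are granted.
    """
    listed = any(in_entry(client_ip, ip, mask) for ip, mask in exceptions)
    return (not listed) if grant_by_default else listed


# Intranet-only server from the text: deny everyone except the company's own
# network and one named workstation (constructed addresses).
INTRANET_EXCEPTIONS: List[Tuple[str, str]] = [
    ("10.0.0.0", "255.0.0.0"),             # whole private network
    ("192.168.5.7", "255.255.255.255"),    # a single computer
]


def intranet_allowed(client_ip: str) -> bool:
    return access_allowed(client_ip, grant_by_default=False,
                          exceptions=INTRANET_EXCEPTIONS)


# Public server that blocks one misbehaving network (constructed address).
PUBLIC_DENIALS: List[Tuple[str, str]] = [("203.0.113.0", "255.255.255.0")]


def public_allowed(client_ip: str) -> bool:
    return access_allowed(client_ip, grant_by_default=True,
                          exceptions=PUBLIC_DENIALS)


if __name__ == "__main__":
    for ip in ("10.3.4.5", "192.168.5.7", "192.168.5.8", "203.0.113.77"):
        print(f"{ip:15} intranet={intranet_allowed(ip)!s:5} "
              f"public={public_allowed(ip)}")
```

Two points are worth noticing. The mask check rejects masks such as 255.0.255.0, which the dialog box would accept but which do not describe a contiguous group of computers, and the client address being tested is whatever arrives in the packet, so clients that reach the server through a proxy or firewall all appear with the proxy's address and are granted or denied together.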

FTP

To configure the FTP service running on a server, double-click the FTP service name or computer name in any of the views to bring up the FTP Service Properties For <servername> dialog box. The FTP Service Properties dialog box displays tabs for each category that can be configured. The categories are as follows:

  • Service

  • Messages

  • Directories

  • Logging

  • Advanced

The Directories, Logging, and Advanced tabs are identical to those used for the WWW service. Refer to the section for the WWW service earlier in this chapter for more information on setting these options. The Service and Messages tabs, which are different for the FTP service, are outlined in the following sections.

Service
The Service tab on the FTP Service Properties dialog box is used to set various connection options for your FTP server. Figure 11.15 shows the FTP Service tab.

Fig. 11.15 FTP Service connection options can be set using the Service tab on the FTP Service Properties dialog box.

To set Service options, click the Service tab on the FTP service property sheets dialog box and follow these steps:

  1. In the Connection Timeout box, specify the number of seconds before a user is disconnected from your IIS machine. The default value is 900 seconds (15 minutes). You can increase or decrease this value based on your preference. Idle users will be disconnected after the specified time period to free up server resources.

  2. The Maximum Connections box is used to limit the number of users that can simultaneously connect to the FTP service. The default value is 1,000 connections. The setting for this field depends on your network bandwidth, available resources, and the speed of your server running IIS.

  3. The Allow Anonymous Connections option allows you to specify the user name and password that will be used by the FTP service for anonymous connections to your server. By default, IIS creates and uses the account IUSR_computername for anonymous logons.


    Most FTP users use the 'anonymous' user name and their e-mail address as the password to log in to FTP servers. In such instances, the IUSR_computername account is used for validating permissions for files and directories.


    You can control the access allowed to the IUSR_computername anonymous account by changing its permissions using the File Manager or, alternatively, you can specify another account on your network as the anonymous logon account. Whichever account you use, the password entered here must match the password set for the account in User Manager, and the account must hold the Log on locally user right; if either is wrong, every anonymous logon fails.

  4. The Allow Only Anonymous Connections check box disables logons by all accounts other than the anonymous account. With it selected, nobody can log on to the FTP service with a regular Windows NT account, so no user (an administrator included) can reach more of the server through FTP than the anonymous account has been granted, and no real account password is ever sent to the FTP service. This is the safest setting for a server that only distributes files.


    The FTP protocol transmits user names and passwords in clear text (they are not encrypted prior to transmission), so FTP is not a secure method of communication. Anyone who can attach a protocol analyzer to a network segment between the client and the server can capture the passwords, and a captured password for a Windows NT account is good for far more than FTP. This is why FTP is mostly used to transfer files and information of a non-sensitive nature, and why named-account FTP logons should be limited to trusted network segments or disabled altogether with the Allow Only Anonymous Connections option.

  5. The Comment box is used to specify the comment displayed by the Internet Service Manager in the Reports view.

  6. Click the Current Session button to display users currently connected to your FTP server.

  7. On the FTP User Sessions screen, you can view the users currently connected to your FTP Server. You can disconnect a user by selecting them from the list and clicking the Disconnect button. You can disconnect all connected users by clicking the Disconnect All button. They will be immediately disconnected, and any transfers in progress will be aborted.

  8. Click Close to return to the Service tab.

  9. Click OK to continue, or click Apply to immediately enforce the changes.

Messages
The FTP Messages tab is used to display messages to clients connected to your FTP server. You can display a welcome message when they initially connect, perhaps to explain the services offered. You can also display an exit message when they disconnect, and a maximum connections message to notify users that the FTP service is already supporting the maximum number of users for which this server is configured. Figure 11.16 shows the FTP service Messages tab.

Fig. 11.16 You can set up display messages for connected clients by using the Messages tab.

To set Messages options, click the Messages tab on the FTP service property sheets dialog box and perform the following steps:

  1. In the Welcome Message text box, enter the text to be displayed to clients when they first connect to your FTP server. Every client, anonymous ones included, sees this message, so limit it to a description of the service and any usage rules rather than details of the server's configuration.

  2. In the Exit Message text box, enter the text to be displayed when connected clients log off your FTP server.

  3. In the Maximum Connections Message text box, enter text to be displayed when the maximum number of allowed client connections has been reached.

Gopher

To configure the Gopher service running on a server, double-click the Gopher service name or computer name in any of the views to bring up the Gopher Service Properties dialog box.

The Gopher Service Properties dialog box can be used to configure the following categories:

  • Service

  • Directories

  • Logging

  • Advanced

The Directories, Logging, and Advanced tabs are identical to those used for the WWW service. Refer to the section for the WWW service earlier in this chapter for more information on setting these options. The Service tab, which is different for the Gopher service, is outlined in this section.

The Gopher Service tab is used to set various connection options for your Gopher server. Figure 11.17 shows the Gopher Service tab.

Fig. 11.17 Gopher Service connection options can be set using the Service tab on the Gopher service property sheets.

To set Service options, click the Service tab on the Gopher service property sheets dialog box and follow these steps:

  1. In the Connection Timeout box, specify the number of seconds before a user is disconnected from your IIS machine. The default value is 900 seconds (15 minutes). You can increase or decrease this value based on your preference. Idle users will be disconnected after the specified time period to free up server resources.

  2. The Maximum Connections box is used to limit the number of users that can simultaneously connect to the Gopher service. The default value is 1,000 connections. The setting for this field depends on your network bandwidth, available resources, and the speed of your server running IIS.

  3. The Service Administrator Name and Email information is used by the Gopher server to supply clients with information about who to contact in case of problems.


    Make sure that the Service Administrator name and e-mail address you specify are valid. Otherwise, mail sent by users will be bounced back to them.

  4. The Anonymous Logon option allows you to specify the user name and password that will be used by the Gopher service to facilitate anonymous connections to your server. By default, IIS creates and uses the account IUSR_computername to facilitate anonymous logons.

  5. The Comment box is used to specify the comment displayed by the Internet Service Manager in the Reports view.

  6. Click OK to continue, or click Apply to immediately enforce the changes.

Security for Your Internet Information Server

Installing and operating an IIS machine involves paying special attention to the security issues involved. If you are running a server being accessed by thousands of users from around the world, security of your server content and other computers on your enterprise network becomes an important issue. IIS was developed with security as one of the most important design goals. Microsoft accomplishes the security needs of administrators by integrating security for IIS with the security model built into Windows NT.

Windows NT provides powerful security features for user authentication, access control, and auditing. IIS leverages these capabilities of the Windows NT operating system to provide security for its Internet-based services.

Windows NT uses a security model that handles security for all services using a single logon authentication mechanism. By creating user accounts and setting access permissions for those accounts, administrators can control what resources and services are available to users.

You can minimize the chance of security problems for IIS machines by adopting these standards:

  • User Accounts. User accounts allow you to control who is allowed access to your resources. By restricting IIS access to valid user accounts, you can minimize the chances of security problems.

  • IUSR_Computername Account. The IUSR_computername account is created expressly for the purpose of allowing anonymous connections to your IIS services. It is an ordinary Windows NT user account, placed in the Guests group by the IIS installation, and it can read any file whose NTFS permissions grant access to it, to Guests, or to Everyone. In other words, whatever this account can reach on the server, any anonymous Internet client can reach, so restrict its permissions to the published content directories and nothing else. By using the IUSR_computername account for all your anonymous Internet client connections, you can manage the permissions and security issues for those users in one place.


    The IUSR_computername is created as part of the IIS installation process.

  • File System Security. Make sure that you secure all your content files by setting the appropriate permissions on your WWW, FTP, and Gopher files. Use the NTFS file system to store your files; the FAT file system has no permissions at all. Using NTFS, you can set permissions to determine which users and groups have access to files and directories. Keep in mind that a newly formatted NTFS volume grants Everyone Full Control, so replace that entry on your content directories with explicit grants: Read for the IUSR_computername account on the WWW, FTP, and Gopher content directories, and Full Control reserved for Administrators and the accounts that publish content.

  • Access Control. If necessary, use the Internet Service Manager property sheets Advanced tab for WWW, FTP, and Gopher services to configure which computers or groups of computers have access to your IIS services. If you are going to be operating an intranet, it is a good idea to only grant access to computers that are a part of your enterprise.

  • Auditing. Use the auditing features of Windows NT in conjunction with the NTFS file system to keep records of file access and user activity. Turn on auditing for the server in User Manager (Policies, Audit), then select the content directories in File Manager and audit failed access, and for the script directories successful access as well, by the Everyone group; the records appear in the Security log in Event Viewer. Review these records, together with the logs written by the IIS services themselves, regularly to guard against unauthorized access.
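As an added example of the kind of review the Auditing item calls for, and of the exposure described in the FTP clear-text password note earlier in this chapter, the script below scans IIS service log entries for two things: accounts that logged on to the FTP service by name (each of which sent a real Windows NT password across the network in clear text) and clients that collected repeated HTTP 401 responses (a sign of password guessing against a protected directory). This is not code from the book or from IIS. The field layout is assumed to be the IIS log format (client IP, user, date, time, service, server name, server IP, time taken, bytes received, bytes sent, status, Win32 status, operation, target, parameters), and the sample lines are constructed, not real logs.

```python
# Added example (not from the book or from IIS): auditing IIS service logs.
# Assumes the comma-separated IIS log format listed in FIELDS; the sample
# log is constructed for this illustration.

from collections import Counter
from typing import Dict, List, Set, Tuple

FIELDS = ["client_ip", "user", "date", "time", "service", "server",
          "server_ip", "time_taken", "bytes_recv", "bytes_sent", "status",
          "win32_status", "operation", "target", "params"]

# Names that mean "anonymous" rather than a real account.
ANONYMOUS_USERS = {"anonymous", "ftp", "-"}

SAMPLE_LOG = """\
192.168.1.20, -, 3/15/96, 9:02:11, W3SVC, SERVER1, 192.168.1.1, 110, 250, 1243, 200, 0, GET, /default.htm, -,
192.168.1.20, -, 3/15/96, 9:02:12, W3SVC, SERVER1, 192.168.1.1, 90, 260, 4012, 200, 0, GET, /images/logo.gif, -,
203.0.113.7, -, 3/15/96, 9:05:40, W3SVC, SERVER1, 192.168.1.1, 15, 310, 0, 401, 5, GET, /private/plans.htm, -,
203.0.113.7, -, 3/15/96, 9:05:41, W3SVC, SERVER1, 192.168.1.1, 15, 310, 0, 401, 5, GET, /private/plans.htm, -,
203.0.113.7, -, 3/15/96, 9:05:43, W3SVC, SERVER1, 192.168.1.1, 15, 310, 0, 401, 5, GET, /private/plans.htm, -,
203.0.113.7, -, 3/15/96, 9:05:44, W3SVC, SERVER1, 192.168.1.1, 15, 310, 0, 401, 5, GET, /private/plans.htm, -,
192.168.1.31, anonymous, 3/15/96, 9:10:02, MSFTPSVC, SERVER1, 192.168.1.1, 30, 48, 0, 0, 0, USER, anonymous, -,
192.168.1.31, anonymous, 3/15/96, 9:10:03, MSFTPSVC, SERVER1, 192.168.1.1, 30, 0, 0, 0, 0, PASS, -, -,
192.168.1.42, jsmith, 3/15/96, 9:12:55, MSFTPSVC, SERVER1, 192.168.1.1, 28, 0, 0, 0, 0, USER, jsmith, -,
192.168.1.42, jsmith, 3/15/96, 9:12:56, MSFTPSVC, SERVER1, 192.168.1.1, 28, 0, 0, 0, 0, PASS, -, -,
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Split each log line into a record keyed by FIELDS; reject odd lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.rstrip(",").split(",")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, "
                             f"got {len(parts)}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def ftp_named_logins(records: List[Dict[str, str]]) -> Set[Tuple[str, str]]:
    """(client, account) pairs that logged on to FTP with a real account.

    Each of these sent the account's Windows NT password in clear text."""
    return {(r["client_ip"], r["user"]) for r in records
            if r["service"] == "MSFTPSVC" and r["operation"] == "USER"
            and r["user"].lower() not in ANONYMOUS_USERS}


def auth_failures_by_client(records: List[Dict[str, str]],
                            threshold: int = 3) -> Dict[str, int]:
    """Clients with at least `threshold` HTTP 401 responses from the WWW
    service; repeated failures point at password guessing."""
    counts = Counter(r["client_ip"] for r in records
                     if r["service"] == "W3SVC" and r["status"] == "401")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("FTP logons with real accounts:", ftp_named_logins(recs))
    print("clients with repeated 401s:", auth_failures_by_client(recs))
```

The two checks are deliberately simple; what matters is that they run against the log every day, and that a real account turning up in the FTP list is followed by a password change for that account, since its password has already travelled the network in the clear.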

See "Using Windows NT Security," (Ch. 5)

See "Setting Permissions on Shared Resources," (Ch. 6)

Creating the Content for IIS Services

The most difficult and time-consuming task in your efforts to set up IIS services will be to create content for your services. After you have configured your IIS machine, set configuration parameters using Internet Service Manager property sheets, created directory structures, and handled security issues, you will need to create the data files that will comprise the information content displayed to users accessing your IIS services.

The three services provided by IIS each require you to follow content creation guidelines that enable them to service user requests for information quickly and efficiently.

The following sections discuss content creation and publishing issues for the three IIS services:

  • WWW publishing

  • FTP publishing

  • Gopher publishing

WWW Publishing

WWW content creation and information publishing requires you to create special files called HTML documents. HTML files are simple ASCII text files that can be created using any text editor such as Notepad. However, writing HTML files with a text editor requires you to know the markup syntax used by the language. Most content creators use special tools designed expressly for the creation of HTML documents (for example, Microsoft Internet Studio or Microsoft FrontPage).

See "HyperText Markup Language," (Ch. 9)


When creating your WWW service content files, make sure that your files do not take a long time to load. HTML files that include a lot of large images may take a long time to load over slow modem-based client connections.

HTML files are a combination of text, links to other files, links to images, links to sound files, and so on. You must create the image files, sound files, and other file types that will be used by your WWW service using tools that allow the creation of such files. For example, you can create sound files using the Sound Recorder utility included with Windows NT.

After you have created the content files for your WWW service, you can copy the files to the appropriate directories for accessing by clients using browsers such as Internet Explorer.


Make sure that you set appropriate permissions on your content files. Provide only Read permissions for HTML files and only Execute permissions for executable programs and scripts; never grant both on the same directory, because Read permission on a script directory lets any client download the source of your programs and scripts instead of running them. You should set permissions through both the Internet Service Manager and the NTFS file system security using File Manager.

In addition to the creation of HTML documents for WWW browsing, you can also allow users to remotely execute applications on your WWW server to accomplish tasks. For example, a WWW server providing phone book directory assistance might require you to enter a search name on a HTML page and then click an execute button on the page to query an online phone database for the information. Such dynamic tasks are accomplished by creating executable programs that can receive data from Web pages, parse the information, and return the results back to the user.

IIS uses two methods for creating dynamic WWW content:

  • Common Gateway Interface (CGI)

  • Internet Server API (ISAPI)

These methods are discussed in the following sections.

Using CGI

To create CGI applications, you can use any programming language that allows you to create Windows executable programs. You can also use a scripting language such as Perl for Windows NT to create executable scripts.

After you have created your application, you can make it available to your users by simply placing it in the /Scripts directory. The /Scripts directory is a directory created by the IIS installation program for holding executable programs and scripts. By default, the /Scripts directory has only Execute permission in the Internet Service Manager, so clients can run the programs in it but cannot read (download) them. Use NTFS permissions to make sure the IUSR_computername account cannot write to the directory either; otherwise an anonymous user could replace your programs with his own.


Use the File Manager to set appropriate permissions on all your /Scripts directory files.

After your application is created and appropriately set up in the /Scripts directory, clients can run your application in one of two ways.

If your application requires no data input, you can create a hypertext link on a page to execute your application. For example, a hypertext link to run an application that displays a quote of the day would look something like http://www.company.com/Scripts/quote.exe. Users can click this hyperlink on a Web page and get their quote of the day.

If your application requires data from the user to execute, you can create an HTML form that will prompt them for input. For example, you might want users to register before they can use your WWW site. To do so, you can create a simple page that requires them to enter a name and e-mail address. They can enter the information and click a Submit button to start an application that stores that information in a server-based database file. Treat everything that arrives from the form as untrusted: check its length and format before using it, and never place it into a command line, a file name, or a database query as-is.
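The registration form described above, as an added example written for this chapter rather than code from the book: a CGI program that reads the submitted name and e-mail address from QUERY_STRING (GET) or from standard input (POST), validates them, and returns a page. The program is in Python instead of a compiled executable; the function names, the size limit, and the form field names are assumptions. Storing the record in a database file is left out so that the handling of the input itself stays visible.

```python
# Added example (not from the book): a CGI registration handler. Reads the
# form the way IIS passes it to a CGI program, validates the fields, and
# escapes them before they are echoed back. Names are assumptions.

import html
import os
import re
import sys
from typing import Dict, List, Mapping, Tuple
from urllib.parse import parse_qs

MAX_BODY = 4096                                   # refuse larger POST bodies
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def read_fields(environ: Mapping[str, str], stdin_bytes: bytes) -> Dict[str, str]:
    """Form fields from QUERY_STRING (GET) or the request body (POST)."""
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            length = 0
        if length > MAX_BODY:
            raise ValueError("request body too large")
        raw = stdin_bytes[:length].decode("latin-1")
    else:
        raw = environ.get("QUERY_STRING", "")
    parsed = parse_qs(raw, keep_blank_values=True, max_num_fields=20)
    return {key: values[0] for key, values in parsed.items()}   # first value only


def validate(fields: Dict[str, str]) -> Tuple[str, str, List[str]]:
    """Length and format checks; returns (name, email, list of errors)."""
    name = fields.get("name", "").strip()
    email = fields.get("email", "").strip()
    errors: List[str] = []
    if not 1 <= len(name) <= 64:
        errors.append("name must be 1 to 64 characters")
    if len(email) > 128 or not EMAIL_RE.match(email):
        errors.append("e-mail address is not valid")
    return name, email, errors


def handle_request(environ: Mapping[str, str], stdin_bytes: bytes) -> Tuple[str, str]:
    """Return (CGI status line, HTML body)."""
    try:
        fields = read_fields(environ, stdin_bytes)
    except ValueError as exc:
        return "413 Request Entity Too Large", f"<p>{html.escape(str(exc))}</p>"
    name, email, errors = validate(fields)
    if errors:
        items = "".join(f"<li>{html.escape(e)}</li>" for e in errors)
        return "400 Bad Request", f"<h1>Registration failed</h1><ul>{items}</ul>"
    # Escape user data before it goes back into HTML; otherwise a name such as
    # <script>...</script> would be run by the browser of whoever views it.
    body = (f"<h1>Thank you, {html.escape(name)}</h1>"
            f"<p>We will confirm by e-mail to {html.escape(email)}.</p>")
    return "200 OK", body


def main() -> None:
    status, body = handle_request(os.environ, sys.stdin.buffer.read(MAX_BODY + 1))
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/html\r\n\r\n{body}")


if __name__ == "__main__":
    main()
```

The program reads at most one byte more than the limit from standard input, so a client cannot keep it busy with an endless body, and the CONTENT_LENGTH header is checked before the body is parsed. The same two habits, bounding the input and escaping it on the way out, apply whatever language the CGI application is written in.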

Using ISAPI

The ISAPI method uses the exact same concepts as CGI, but is different in one very important respect. ISAPI applications are created using the Microsoft BackOffice Software Developers Kit and are Windows NT Dynamic Link Libraries (DLLs). As such, ISAPI applications are loaded as server run-time DLLs at server startup. Only one instance of an ISAPI application is needed to service requests from multiple clients. By contrast, every request for a CGI application starts a new instance of the application.

Because ISAPI applications are loaded at server startup, they provide a significant performance boost over CGI applications, which are loaded when a client request comes through. The price is that an ISAPI DLL runs inside the IIS server process and shares its memory and privileges: a bug in the DLL can bring down every IIS service on the machine or let an attacker run code with the server's rights, whereas a CGI program runs in a separate process. ISAPI applications therefore deserve more careful testing before they are installed on a server reachable from the Internet.

IIS includes a powerful feature for creating database-enabled WWW content called the Internet Database Connector. The Internet Database Connector, in conjunction with ODBC, allows you to create Web pages that allow you to publish information contained in back-end databases such as Microsoft SQL Server. The following section discusses the Internet Database Connector feature of IIS.

Using Internet Database Connector and ODBC

Using the Internet Database Connector interface and ODBC, you can create Web pages that allow you to retrieve and display information from databases such as Microsoft SQL Server.

The Internet Database Connector is an ISAPI application called HTTPODBC.DLL. This DLL is nothing more than an interface that uses ODBC to communicate with the database; the data source, the account used to connect, and the SQL statement to run are read from an .idc file stored with your content, and the results are merged into an HTML template. Because the .idc file carries database credentials, keep .idc files in an Execute-only directory so that clients cannot download them, and give the account named in the file the least database access the query needs.

The Internet Database Connector can be used to do the following:

  • Retrieve rows from a database and display them to users using Web pages

  • Insert, update, and delete rows from a database based on user input from a Web page

  • Perform other database commands supported by your database such as executing stored procedures on Microsoft SQL Server
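The following added example, which is not code from the book or from the Internet Database Connector, shows why the account named in an .idc file needs to be restricted. It parses a small constructed .idc file and runs its query against an in-memory SQLite table standing in for SQL Server, first with the textual parameter substitution the connector performs (the value of each %field% from the form is pasted into the SQL text) and then with the same statement rewritten to use bound parameters. The .idc layout used here (Datasource:, Username:, Template:, SQLStatement: with "+" continuation lines and %field% parameters) is my recollection of the format, and the file, table, and phone-book query are constructed for the illustration.

```python
# Added example (not from the book or from IIS): IDC-style parameter
# substitution compared with a bound-parameter query. The .idc file and the
# phone table are constructed; SQLite stands in for SQL Server.

import re
import sqlite3
from typing import Dict, List, Tuple

PHONE_IDC = """\
Datasource: Phone Book
Username: webuser
Password: secret
Template: phone.htx
SQLStatement:
+SELECT name, extension FROM phone
+WHERE name = '%name%'
"""

# A %field% reference, with the quotes that usually surround it in the SQL.
PARAM_RE = re.compile(r"'?%(\w+)%'?")


def parse_idc(text: str) -> Dict[str, str]:
    """Read the header lines and join the SQLStatement continuation lines."""
    headers: Dict[str, str] = {}
    sql: List[str] = []
    for line in text.splitlines():
        if line.startswith("+"):                   # continuation of the SQL
            sql.append(line[1:].strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
    if headers.get("SQLStatement"):                # SQL on the header line itself
        sql.insert(0, headers["SQLStatement"])
    headers["SQLStatement"] = " ".join(sql)
    return headers


def build_sql_unsafe(statement: str, params: Dict[str, str]) -> str:
    """Textual substitution: the form value becomes part of the SQL text."""
    return re.sub(r"%(\w+)%", lambda m: params.get(m.group(1), ""), statement)


def build_sql_safe(statement: str, params: Dict[str, str]) -> Tuple[str, tuple]:
    """Same statement, but each '%field%' becomes a bound parameter."""
    names: List[str] = []

    def placeholder(m: "re.Match[str]") -> str:
        names.append(m.group(1))
        return "?"

    sql = PARAM_RE.sub(placeholder, statement)
    return sql, tuple(params.get(n, "") for n in names)


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE phone (name TEXT, extension TEXT)")
    con.executemany("INSERT INTO phone VALUES (?, ?)",
                    [("Alice", "1001"), ("Bob", "1002"), ("Carol", "1003")])
    return con


def lookup_unsafe(con: sqlite3.Connection, params: Dict[str, str]) -> list:
    idc = parse_idc(PHONE_IDC)
    return con.execute(build_sql_unsafe(idc["SQLStatement"], params)).fetchall()


def lookup_safe(con: sqlite3.Connection, params: Dict[str, str]) -> list:
    idc = parse_idc(PHONE_IDC)
    sql, args = build_sql_safe(idc["SQLStatement"], params)
    return con.execute(sql, args).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(lookup_unsafe(db, {"name": "Alice"}))            # one row
    print(lookup_unsafe(db, {"name": "x' OR '1'='1"}))     # every row
    print(lookup_safe(db, {"name": "x' OR '1'='1"}))       # no rows
```

With textual substitution a name of x' OR '1'='1 turns the WHERE clause into name = 'x' OR '1'='1' and returns the whole table; anything else the connector's database account may do, the form user can do as well. Bound parameters are not a feature of the .idc file format itself, which is why the account in the file should be limited to reading the published tables, and why stored procedures with fixed parameter types are the preferred way to expose anything beyond a lookup.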

FTP Publishing

Creating the content for your FTP service is a straightforward and simple procedure. After you have decided what files need to be made accessible to users, you can copy those files to the appropriate ftp directories.


Make sure that you set appropriate permissions on your content files. Most FTP directories should only have Read permissions. If you need a directory for user uploads, give it Write permission only, without Read, so that users can deposit files but cannot list or retrieve what others have uploaded; an upload directory that is both readable and writable by anonymous users turns your server into a free exchange point for anyone on the Internet. You should set permissions through both the Internet Service Manager and the NTFS file system security using File Manager.

FTP directory structure is usually created to logically group files by function or topic. For example, you may have an FTP server that provides users access to software patches and online user guides. You can create a directory structure where all software patches are stored under a directory called "patches," and user guides are stored under a directory called "guides." This reduces directory clutter and provides users with an easy way to get to the files they are looking for.

Gopher Publishing

Creating content for your Gopher server is similar to FTP. You can place Gopher files in the appropriate directories for browsing by users.


Make sure that you set appropriate permissions on your content files. Gopher directories should only have Read permissions. You should set permissions through the NTFS file system security using File Manager.

Gopher allows you to create links to other Gopher servers using a technique called Tag files. Tag files are special ASCII files stored in the Gopher directory and define links to other Gopher resources across the network and the Internet. Microsoft provides a utility called gdsset for creating tag files. Tag files are stored as hidden files. You can edit tag files using any text editor.

To get more information on how to create tag files and the syntax for the gdsset utility, type gdsset at the Windows NT command line.

From Here...

This chapter presented the features available in IIS, how to set up and install IIS, how to secure your IIS installation, and how to create content for your IIS services.

