Lesson 2: Administering a Web Environment

When IIS is installed, a default Web site is created, allowing you to quickly and easily implement a Web environment. However, you can modify that Web environment to meet your specific needs. In addition, you can implement Web Distributed Authoring and Versioning (WebDAV), which allows you to share documents over the Internet or an intranet. This lesson covers several aspects of administering a Web environment: Web site management, FTP site management, and WebDAV publishing. Administering Web sites and FTP sites is very similar, so the two are discussed together. This is followed by a discussion of WebDAV publishing.


After this lesson, you will be able to

  • Administer Web and FTP sites
  • Manage WebDAV publishing

Estimated lesson time: 35 minutes


Administering Web and FTP Sites

Originally, each domain name, such as www.microsoft.com, represented an individual computer. With IIS 5.0, multiple Web sites or FTP sites can be hosted simultaneously on a single computer running Windows 2000 Server. Each Web site can host one or more domain names. Because each site mimics the appearance of an individual computer, sites are sometimes referred to as virtual servers.

Web Sites and FTP Sites

Whether your system is on an intranet or the Internet, you can create multiple Web sites and FTP sites on a single computer running Windows 2000 in one of three ways:

  • Append port numbers to the IP address
  • Use multiple IP addresses, each having its own network adapter card
  • Assign multiple domain names and IP addresses to one network adapter card by using host header names

The example in Figure 23.13 illustrates an intranet scenario where the system administrator has installed Windows 2000 Server with IIS on the company's server, resulting in one default Web site: http://CompanyServer. The system administrator then creates two additional Web sites, one for each of two departments: marketing and human resources.

Figure 23.13 An intranet with multiple Web sites

Though hosted on the same computer, CompanyServer, Marketing, and HumanResources each appears to be a unique Web site. These departmental sites have the same security options as they would if they existed on separate computers because each site has its own access and administration permission settings. In addition, the administrative tasks can be distributed to members of each department.

NOTE


When creating a very large number of sites, be sure to consider computer hardware and network limitations and upgrade these resources as necessary.

Properties and Inheritance of Properties on Sites

Properties are values that can be set on your Web site. For example, you can use the Internet Information Services snap-in to change the TCP port assigned to the default Web site from the default value of 80 to another port number. Properties for a site are displayed in the Properties dialog box (Figure 23.14) for that site and stored in a database called the metabase.

Figure 23.14 Properties dialog box for the default Web site

During the installation of IIS, default values were assigned to the various properties. You can use the default settings in IIS, or you can customize these settings to suit your Web publishing needs. You may be able to provide additional value, better performance, and improved security by making adjustments to the default settings.

NOTE


In the first Practice in this chapter, "Accessing the Administration Web Site," you adjusted the properties of the Administration Web site to increase security to this sensitive area.

Properties can be set on the site level, directory level, or on the file level. Settings on higher levels (such as the site level) are automatically used, or inherited, by the lower levels (such as the directory level) but can still be edited individually at the lower level as well. Once a property has been changed on an individual site, directory, or file, later changes to the master defaults do not automatically override the individual setting. Instead, you receive a warning message asking whether you want to change the individual site, directory, or file setting to match the new defaults.

Some properties have a value that takes the form of a list. For instance, the value of the default document can be a list of documents to be loaded when users do not specify a file in a URL. Custom error messages, TCP/IP access control, script mappings, and Multipurpose Internet Mail Extensions (MIME) mappings are other examples of properties stored in a list format. Although these lists have multiple entries, IIS treats the entire list as a single property. If you edit a list on a directory and then make a global change on the site level, the list at the directory level is completely replaced with the new list from the site level; the lists are not merged. Also, properties with list values display their lists only at the master level, or on a site or directory that has been changed from the default value. List values are not displayed if they are the inherited defaults.

Master properties, server extensions, bandwidth throttling, and MIME mapping for a site's services are viewed from the properties of a computer node appearing in the Internet Information Services snap-in or in the Internet Services Manager (HTML) interface. Figure 23.15 shows the WWW Service master properties accessed from the first Edit button appearing in the Properties screen of a computer node.

Figure 23.15 WWW Service Master Properties for Server01

On the Internet Services Manager (HTML) interface there is a Master Properties link and drop-down list box on the left frame of the home page (Figure 23.2).

ISAPI filters are displayed in a list format, but they are not treated as a list. If you add filters at the site level, the new filters are merged with the list of filters from the master level. If two filters have the same priority setting, the filter from the master level is loaded before the filter from the site level. Installed ISAPI filters and their priority are viewed from the ISAPI Filters tab contained in the WWW Service Master Properties, and on the properties page of each Web site.

If the default property values need to be modified and you are creating several Web or FTP sites, you can edit the default values so that each site you create inherits your custom values.
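The inheritance rules described above (nearest explicit value wins, list-valued properties are replaced rather than merged, ISAPI filters are the one merged exception, and a changed master default prompts before overriding an individual setting) can be written down as a small resolver. The following Python is an added example written for this page; it is not part of the training kit and not IIS code. The node tree, the property name default_document, and the filter names are constructed, and the metabase is modeled only to the depth the text describes.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

# Load order of ISAPI filter priorities: High loads before Medium, Medium before Low.
FILTER_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Node:
    """One level of the hierarchy: the master (computer) node, a site, a directory or a file.
    `props` holds only the values set explicitly at this level; the rest is inherited."""
    name: str
    parent: Optional["Node"] = None
    props: Dict[str, Any] = field(default_factory=dict)
    filters: List[Tuple[str, str]] = field(default_factory=list)  # (filter name, priority)
    children: List["Node"] = field(default_factory=list)

    def child(self, name: str) -> "Node":
        node = Node(name, parent=self)
        self.children.append(node)
        return node


def resolve(node: Node, prop: str) -> Any:
    """Effective value at `node`: the nearest explicit setting walking up to the master.
    A list-valued property counts as one value, so the nearest list replaces the higher
    one outright; lists are never merged."""
    current: Optional[Node] = node
    while current is not None:
        if prop in current.props:
            return current.props[prop]
        current = current.parent
    return None


def is_inherited(node: Node, prop: str) -> bool:
    """True when this level has no value of its own (the snap-in then shows no list here)."""
    return prop not in node.props


def effective_filters(site: Node) -> List[str]:
    """ISAPI filters are the exception: master and site filters are merged and ordered by
    priority, and a master filter loads before a site filter of the same priority."""
    master = site
    while master.parent is not None:
        master = master.parent
    merged = list(master.filters) + list(site.filters)  # master first settles the ties
    merged.sort(key=lambda f: FILTER_RANK[f[1]])        # list.sort is stable
    return [name for name, _ in merged]


def set_master_default(master: Node, prop: str, value: Any,
                       confirm_override: Callable[[str], bool]) -> List[str]:
    """Change a master default. Levels that carry their own explicit value are not
    overwritten silently: `confirm_override(name)` stands in for the snap-in's warning
    prompt and returns True to make that level follow the new default again.
    Returns the names of the levels that were prompted."""
    master.props[prop] = value
    prompted: List[str] = []
    stack = list(master.children)
    while stack:
        node = stack.pop()
        if prop in node.props:
            prompted.append(node.name)
            if confirm_override(node.name):
                del node.props[prop]  # drop the override; the level inherits again
        stack.extend(node.children)
    return prompted


def build_sample() -> Tuple[Node, Node, Node, Node]:
    """Constructed tree: master node, one site, one directory with its own default
    document list, and one file under that directory. All names are made up."""
    master = Node("Server01 (master)",
                  props={"default_document": ["Default.htm", "Default.asp"]},
                  filters=[("MasterAuthFilter", "High"), ("MasterCompression", "Low")])
    site = master.child("Marketing")
    site.filters.append(("MarketingRewrite", "High"))
    docs = site.child("docs")
    docs.props["default_document"] = ["index.html"]  # overrides the inherited list
    page = docs.child("index.html")
    return master, site, docs, page


if __name__ == "__main__":
    master, site, docs, page = build_sample()
    print(resolve(site, "default_document"), resolve(docs, "default_document"))
    print(effective_filters(site))
    print(set_master_default(master, "default_document", ["Default.htm"], lambda n: False))
```

The point to take from the model is the one the text makes: a directory that has been given its own default document list keeps it through later master changes unless the prompt is answered yes, and the directory's list is a wholesale replacement of the site's list, not an extension of it.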

Operators Group

Operators are a special group of users who have limited administrative privileges on individual Web sites. Members of the Operators group can administer properties that affect only their respective sites. They do not have access to properties that affect IIS, the Windows server computer hosting IIS, or the network.

For example, an ISP who hosts sites for a number of different companies can assign delegates from each company as the operators for each company's Web site. This method of distributed server administration has the following advantages:

  • Each member of the Operators group can act as the site administrator and can change or reconfigure the Web site as necessary. For example, the operator can set Web site access permissions, enable logging, change the default document or footer, set content expiration, and enable content ratings features.
  • The Web site operator is not permitted to change the identification of Web sites, configure the anonymous user name or password, throttle bandwidth, create virtual directories or change their paths, or change application isolation.
  • Because members of the Operators group have more limited privileges than Web site administrators, they are unable to remotely browse the file system and therefore cannot set properties on directories and files, unless a universal naming convention (UNC) path is used.

Administering Sites Remotely

Because it may not always be convenient to perform administrative tasks on the computer running IIS, two remote administration options are available. If you are connecting to your server over the Internet or through a proxy server, you can use the browser-based Internet Services Manager (HTML) to change properties on your site. If you are on an intranet, you can use either the Internet Services Manager (HTML) or the Internet Information Services snap-in. Although Internet Services Manager (HTML) offers many of the same features as the snap-in, property changes that require coordination with Windows utilities, such as certificate mapping, cannot be made with Internet Services Manager (HTML).

NOTE


In previous releases the Internet Information Services snap-in was called the Internet Services Manager. The Internet Information Services snap-in appears on the Administrative Tools menu as Internet Services Manager.

Internet Services Manager (HTML) uses a Web site listed as Administration Web site to access IIS properties. When IIS is installed, a port number between 2,000 and 9,999 is randomly selected and assigned to this Web site. The site responds to Web browser requests for all domain names installed on the computer, provided the port number is appended to the address. If Basic authentication is used, the administrator is asked for a user name and password when the site is reached. Only members of the Administrators group and Operators group can use the site.

NOTE


Although Internet Services Manager (HTML) has much of the same functionality as the Internet Information Services snap-in, the HTML version is designed along the lines of a Web page. Accessing context menus on interface objects is not supported. Many of the familiar toolbar buttons or tab headings are displayed as links in the left frame. Because of these differences, instructions in the documentation may not always precisely describe the steps performed in Internet Services Manager (HTML).

You can also use Terminal Services over a network connection (such as local area network [LAN], Point-to-Point Tunneling Protocol [PPTP], or dial-up) to remotely administer IIS. Terminal Services does not require you to install Microsoft Management Console (MMC) or the Internet Information Services snap-in on the remote computer.

The IIS 5.0 online documentation is available for you to use when you are performing remote administration tasks. To reach the documentation, start the Administration Web site and then click the book icon in the top right corner of the home page. This link opens a new window to the following URL: http://<servername>/iishelp/iis/misc/default.asp, where <servername> is an identifying name (IP address, computer name, or fully qualified domain name [FQDN]) of the computer running IIS.

The IIS documentation search function is dependent on the Indexing Service. The Indexing Service is installed in Windows 2000 Server by default but is set to manual startup. The Indexing Service is configured from the Computer Management snap-in under the Services and Applications node. So that the IIS 5.0 documentation is indexed for searches, add the physical path to the iisHelp folder to the Web Directories folder for the Indexing Service. After configuring the Indexing Service, startup can be set to Automatic by using the Services snap-in.

NOTE


The Indexing Service can be processor intensive, particularly if a significant amount of material must be indexed. Consider running Indexing Service functions on a computer with enough resources to accommodate this function.

FTP Restart

FTP Restart addresses the problem of losing a network connection while downloading files. Clients that support FTP Restart need only re-establish their FTP connection, and the file transfer automatically picks up where it left off.

NOTE


The IIS 5.0 implementation of FTP Restart is not enabled when using FTP to download wildcard requests (MGET), uploading files to a server (PUT), or downloading files larger than 4 gigabytes.

Managing Sites

The process of managing sites includes a number of tasks, such as starting and stopping sites, adding sites, naming sites, and restarting IIS.

Starting and Stopping Sites

By default, sites start automatically when your computer restarts. Stopping a site stops Internet services and unloads Internet services from your computer's memory. Pausing a site prevents Internet services from accepting new connections but does not affect requests that are already being processed. Starting a site restarts or resumes Internet services.

To start, stop, or pause a site, use the Internet Information Services snap-in. Select the site you want to start, stop, or pause, and then click the Start Item, Stop Item, or Pause Item button on the toolbar.

NOTE


If a site stops unexpectedly, the Internet Information Services snap-in may not correctly indicate the state of the server. Before restarting, click Stop, and then click Start to restart the site.

Adding Sites

You can add new sites to a computer by launching the Web Site Creation wizard, the FTP Site Creation wizard, or the SMTP Virtual Server wizard in the Internet Information Services snap-in. Select the computer or a site, click the Action menu, click New, and then click Web Site, FTP Site, or SMTP Virtual Server to launch the corresponding wizard.

NOTE


The SMTP Virtual Server wizard is beyond the scope of this training kit and is therefore not explained any further.

Follow the on-screen directions to assign identification information to your new site. You must provide the port address and the home directory path. If you are adding additional sites to a single IP address by using host headers, you must assign a host header name.

NOTE


The All Unassigned option in the Enter The IP Address To Use For This Web Site drop-down list of the Web Site Creation wizard (or in the IP Address drop-down list in the FTP Site Creation wizard) refers to IP addresses that are assigned to a computer but not assigned to a specific site. The default Web site uses all of the IP addresses that are not assigned to other sites. Only one site can be set to use unassigned IP addresses.

Naming Web Sites

Each Web site (virtual server) has a descriptive name and can support one or more host header names. Host header names make it possible to host multiple domain names on one computer. Not all browsers support the use of host header names. Internet Explorer 3.0, Netscape Navigator 2.0, and later versions of both browsers support the use of host header names; earlier versions of the browsers do not.

If a visitor attempts to connect to your site with an older browser that does not support host headers, the visitor is directed to the default Web site assigned to that IP address (if a default site is enabled), which may not necessarily be the site requested. Also, if a request from any browser is received for a site that is currently stopped, the visitor receives the default Web site instead. For this reason, carefully consider what the default Web site displays. Typically, ISPs display their own home page as the default, and not one of their customers' Web sites. This prevents requests for a stopped site from reaching the wrong site. Additionally, the default site can include a script that supports the use of host header names for older browsers.
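The binding rules of this section (port, IP address or All Unassigned, and host header name) and the two fallback cases just described (a browser that sends no Host header, and a request for a stopped site) can be checked against a small model of site selection. The following Python is an added example for this page, not code from the training kit or from IIS. The sites, addresses, and the Administration Web site port 4711 are constructed; the model's rule that the fallback for an address is the site without host header names bound to it, or else the All Unassigned site, is an assumption drawn from the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Site:
    name: str
    port: int = 80
    ip: Optional[str] = None             # None stands for the "All Unassigned" choice
    host_headers: Tuple[str, ...] = ()   # empty: the site answers when no host header matches
    running: bool = True


def select_site(sites: List[Site], dest_ip: str, dest_port: int,
                host_header: Optional[str] = None) -> Optional[Site]:
    """Pick the site that answers a request, following the lesson's rules:
    - the site's port must match, and its IP address must match or be All Unassigned;
    - a matching host header name selects a site; a request with no Host header (older
      browser) or an unknown name lands on the default site for that address;
    - a request for a stopped site is answered by that default site instead."""
    candidates = [s for s in sites if s.port == dest_port and s.ip in (dest_ip, None)]
    wanted = None
    if host_header:
        name = host_header.split(":")[0].lower()   # drop any ":port" suffix in the Host value
        wanted = next((s for s in candidates
                       if name in [h.lower() for h in s.host_headers]), None)
    # Default for this address (assumption): a site without host header names bound to the
    # specific IP, otherwise the All Unassigned site, which takes every IP not assigned elsewhere.
    fallbacks = sorted((s for s in candidates if not s.host_headers), key=lambda s: s.ip is None)
    default = fallbacks[0] if fallbacks else None
    chosen = wanted if (wanted is not None and wanted.running) else default
    return chosen if (chosen is not None and chosen.running) else None


# Constructed configuration modeled on Figure 23.13: one default site, two departmental
# sites sharing one address by host header (HumanResources is currently stopped), and an
# Administration Web site on a made-up port in the 2,000-9,999 range.
SAMPLE_SITES = [
    Site("Default Web Site", port=80),
    Site("Marketing", port=80, ip="10.0.0.5", host_headers=("marketing.company.local",)),
    Site("HumanResources", port=80, ip="10.0.0.5", host_headers=("hr.company.local",),
         running=False),
    Site("Administration Web Site", port=4711),
]


def who_answers(dest_ip: str, dest_port: int, host_header: Optional[str] = None) -> str:
    site = select_site(SAMPLE_SITES, dest_ip, dest_port, host_header)
    return site.name if site else "no site"


if __name__ == "__main__":
    for request in (("10.0.0.5", 80, "marketing.company.local"),
                    ("10.0.0.5", 80, "hr.company.local"),
                    ("10.0.0.5", 80, None),
                    ("10.0.0.9", 4711, "anything.company.local")):
        print(request, "->", who_answers(*request))
```

Running the model shows why the text tells you to think about what the default site displays: both the request from a browser without host header support and the request for the stopped HumanResources site end up on Default Web Site, and the Administration Web site answers for any domain name as long as its port is appended.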

You can use the Internet Information Services snap-in to name a site. Select the Web site and open its Properties dialog box. On the Web Site tab, type a descriptive name for the site in the Description box (Figure 23.14).

Stop, Start, Restart, or Reboot in IIS

In IIS 5.0, you can stop, start, or reset (restart option) all of your Internet Services or reboot the server from within the Internet Information Services snap-in. The stop, start, and restart functions make it less likely that you will need to reboot the server when applications misbehave or become unavailable.

The restart function conveniently stops and starts Internet Services, effectively resetting the service. To restart IIS, select the Computer node in the console tree, click the Action menu, and then select Restart IIS. Figure 23.16 shows the resulting Stop/Start/Reboot dialog box.

Figure 23.16 Restarting Internet Services on Server01

The drop-down list box shown in Figure 23.16 also contains start and stop IIS options and the Reboot Server option.

IMPORTANT


Restarting stops all Drwtsn32.exe, Mtx.exe, and Dllhost.exe processes in order to restart Internet services. You cannot stop or start IIS or reboot the server by using browser-based Internet Services Manager (HTML). However, both the snap-in and the HTML interface can be used to individually start, stop, pause, and resume individual sites.

You should use the Internet Information Services snap-in to restart Internet services, not the Services snap-in in Computer Management. Because several Internet services run in one process, Internet services shut down and restart differently from other Windows services.

Backing Up and Restoring IIS

You can back up your IIS configuration so that it is easy to return to a previous state. The steps to restore a configuration differ depending upon whether you removed and reinstalled IIS.

You can use the Internet Information Services snap-in to back up your IIS configuration. Select the Computer node in the console tree, click the Action menu, and then select Backup/Restore Configuration.

This backup method provides a way to restore only your IIS settings, not your content files. Also, this method will not work if you reinstall your operating system, and Backup files cannot be used to restore an IIS configuration on other Windows 2000 computers.

NOTE


You can back up IIS using the Internet Services Manager (HTML) interface, but you must use the Internet Information Services snap-in to restore your configuration. The Backup Configuration link appears in the left pane of the Internet Services Manager (HTML) interface (Figure 23.2).

To restore your IIS configuration in the Internet Information Services snap-in, select the Computer node in the console tree, click the Action menu, and then click Backup/Restore Configuration. Select a backup file and click the Restore button. When asked whether to restore your configuration settings, click Yes.

Managing WebDAV Publishing

WebDAV extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. WebDAV is integrated into IIS and allows clients to do the following:

  • Manipulate resources in a WebDAV publishing directory on your server. For example, with this feature, users with the appropriate permissions can copy and move files around in a WebDAV directory.
  • Modify properties associated with certain resources. For example, a user can write to and retrieve a file's property information.
  • Lock and unlock resources so that multiple users can read a file concurrently, but only one person at a time can modify the file.
  • Search the content and properties of files in a WebDAV directory.

Setting up a WebDAV publishing directory on your server is as straightforward as setting up a virtual directory. Once you have set up your publishing directory, users with the appropriate permissions can publish documents to the server and manipulate files in the directory.

WebDAV Clients

You can access a WebDAV publishing directory through one of the Microsoft products described in the following list, or through any other client that supports the industry-standard WebDAV protocol.

  • Windows 2000 connects to a WebDAV server through the Add Network Place wizard and displays the contents of a WebDAV directory as if it were part of the same file system on your local computer. Once connected, you can drag and drop files, retrieve and modify file properties, and do many other file-system tasks.

    For example, if you create a virtual directory named WebDAV under the Default Web site on server01.microsoft.com, you can access it from the following address: http://server01.microsoft.com/webdav/.

  • Internet Explorer 5.0 connects to a WebDAV directory and lets you do the same file-system tasks as you can through Windows 2000.

    Make sure to enable the Directory Browsing permission in the properties of the virtual directory in order to access the virtual directory using Internet Explorer 5.0.

  • Office 2000 creates, publishes, edits, and saves documents directly into a WebDAV directory through any application in Office 2000.

Searching in WebDAV

Once connected to a WebDAV directory, you can quickly search the files on that directory for content as well as properties. For example, you can search for all files that contain the word table or for all files written by a user named Fred.

Integrated Security

Because WebDAV is integrated with Windows 2000 and IIS 5.0, it borrows the security features offered by both. These features include the IIS permissions specified in the Internet Information Services snap-in and the discretionary access control lists (DACLs) in the NTFS file system.

Because clients with proper permissions can write to a WebDAV directory, it is vital that you can control who is accessing your directory at all times. To help control access, IIS 5.0 has reinforced Integrated Windows authentication by building in support for the Kerberos 5 authentication protocol. By selecting Integrated Windows authentication, you can make sure that only clients with permission can access and write to the WebDAV directory on your intranet.

In addition, IIS 5.0 introduces a new type of authentication called Digest authentication. This type of authentication was created for Windows domain servers and offers tighter security for passwords and for transmitting information across the Internet.

Creating a Publishing Directory

To set up a publishing directory, create a physical directory below Inetpub. For example, if you call the directory WebDAV, the path to this directory might be C:\Inetpub\WebDAV.

You can actually put this directory anywhere, except under the Wwwroot directory. (Wwwroot is an exception because its default DACLs are different from those on other directories).

In the Internet Information Services snap-in, create a new Web site or use an existing site and then create a virtual directory beneath it. Type WebDAV, or any other convenient name, as the alias for this virtual directory, and link it to the physical directory you just created. Grant Read, Write, and Browsing access permissions for the virtual directory.

You are granting users the right to publish documents on this virtual directory and to see a list of the files in it. Although not recommended for security reasons, you can grant the same access to your entire Web site and allow clients to publish to your entire Web server.

NOTE


Granting Write access does not enable clients to modify ASP or any other script-mapped files. To allow these files to be modified, you must grant Write permission and Script source access after creating the virtual directory.

Once you finish setting up a WebDAV virtual directory, you can allow clients to publish to it.

Managing WebDAV Security

To protect your server and its content, you must coordinate three different aspects of security into an integrated whole: authenticating clients, controlling access, and denying service.

Authenticating Clients

IIS 5.0 offers the following levels of client authentication:

  • Anonymous. Anonymous access grants anyone access to the directory, and therefore, you should turn it off for a WebDAV directory. Without controlling who has access, your directory could be vandalized by unknown clients.
  • Basic. Basic authentication sends passwords over the connection in clear text. Because clear text can easily be intercepted and read, you should turn on Basic authentication only if you encrypt data through SSL.
  • Integrated Windows. Integrated Windows authentication works best when you are setting up a WebDAV directory on an intranet.
  • Digest. Digest authentication is the best choice for publishing information on a server over the Internet and through firewalls.

The best way to configure a WebDAV directory depends on the kind of publishing you want to do. When you create a virtual directory through IIS 5.0, Anonymous and Integrated Windows authentication are both turned on. Although this default configuration works well for clients connecting to your server, reading content on a Web page, and running scripts, it does not work well with clients publishing to a directory and manipulating files in that directory.

Controlling Access

You can control access to your WebDAV directory by coordinating IIS 5.0 and Windows 2000 permissions.

Setting Up Web Permissions

How you configure Web permissions is based on the purpose of the material you are publishing. These purposes may include the ability to do the following.

  • Read, Write, Directory Browsing enabled. Turning on these permissions lets clients see a list of resources, modify them (except for those resources without Write permission), publish their own resources, and manipulate files.
  • Write enabled, Read and Directory Browsing disabled. If you want clients to publish private information on the directory, but do not want others to see what has been published, set Write permission, but do not set Read or Directory browsing permission. This configuration works well if clients are submitting ballots or performance reviews. Note that disabling Directory Browsing permission denies access to browser clients attempting to access the WebDAV directory.
  • Read and Write enabled, Directory browsing disabled. Set this configuration if you want to rely on obscuring file names as a security method. However, be aware that "security by obscurity" is a low-level precautionary method, because a vandal could easily guess file names by trial and error.
  • Index This Resource enabled. Be sure to enable Indexing Service if you plan to let clients search directory resources.

Controlling Access with DACLs

When setting up a WebDAV publishing directory on an NTFS file system drive, Windows 2000 Server gives everyone Full Control by default. Change this level of permission so that everyone has Read permission only. Then grant Write permission to certain individuals or groups.

Protecting Script Code

If you have script files in your publishing directory that you do not want to expose to clients, you can easily deny access to these files by making sure Script source access is not granted. Scripts include files with extensions that appear in the Applications Mapping list. All other executable files will be treated as static HTML files, including files with .exe extensions, unless Scripts and Executables is enabled for the directory.

To prevent .exe files from being downloaded and treated as if they were HTML files, select the Scripts and Executables option from the Execute Permissions drop-down list, which is located on the Virtual Directory tab of the publishing directory's Properties dialog box (Figure 23.17).

Figure 23.17 Selecting the Scripts and Executables option from the Execute Permissions drop-down list box

This level of permission makes all executable files subject to the Script source access setting. In other words, if Script source access is selected, clients with Read permission can see all executables, and clients with Write permission can edit them as well as run them. This configuration is a security risk because programs can then be published to the directory and run against the site.

With the following permissions, clients can write to an executable file that does not appear in the Application Mapping:

  • Write permission
  • Execute Permissions set to Scripts only

With the following permissions, clients can also write to an executable file:

  • Script source access granted
  • Execute Permissions set to Scripts and Executables
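The authentication choices, Web permissions, DACL default, and Script source access rules from "Managing WebDAV Security" combine into a small decision table, and it is worth having it in checkable form. The following Python is an added example for this page; it is not code from the training kit or from IIS. It models which files a client can write or read as source under a given combination of settings, and audits a configuration for the combinations this section warns about. The sample Application Mappings list, the set of "other executable" extensions, and the two sample configurations are constructed, and the rule that script-mapped files need Script source access at every Execute Permissions level is an assumption taken from the note on ASP files.

```python
from dataclasses import dataclass, field, replace
from typing import List, Set, Tuple

# Extensions in our sample Application Mappings list (constructed; a real server's list is
# whatever its script mappings say). Files with these extensions are "scripts" to IIS.
SAMPLE_SCRIPT_MAPPINGS = {".asp", ".asa", ".shtml", ".stm"}
# Other executable files, which IIS serves as static content unless Scripts and
# Executables is enabled for the directory (constructed set).
OTHER_EXECUTABLES = {".exe", ".dll", ".com"}


@dataclass
class WebDavDir:
    """Settings of one WebDAV virtual directory, as named in the lesson."""
    read: bool
    write: bool
    directory_browsing: bool
    script_source_access: bool
    execute_permissions: str            # "None", "Scripts only" or "Scripts and Executables"
    authentication: Set[str]            # any of "Anonymous", "Basic", "Integrated Windows", "Digest"
    ssl_required: bool = False
    everyone_full_control: bool = True  # the NTFS default on a new directory, per the text
    script_mappings: Set[str] = field(default_factory=lambda: set(SAMPLE_SCRIPT_MAPPINGS))


def with_settings(cfg: WebDavDir, **changes) -> WebDavDir:
    """Copy of `cfg` with some settings changed, for comparing configurations."""
    return replace(cfg, **changes)


def file_kind(cfg: WebDavDir, path: str) -> str:
    ext = ("." + path.rsplit(".", 1)[-1].lower()) if "." in path else ""
    if ext in cfg.script_mappings:
        return "script"
    if ext in OTHER_EXECUTABLES:
        return "executable"
    return "static"


def subject_to_source_access(cfg: WebDavDir, path: str) -> bool:
    """Script-mapped files always need Script source access to be read or written as
    source (assumption); other executables only once Scripts and Executables is enabled."""
    kind = file_kind(cfg, path)
    if kind == "script":
        return True
    return kind == "executable" and cfg.execute_permissions == "Scripts and Executables"


def client_can_write(cfg: WebDavDir, path: str) -> bool:
    """Can a client holding the directory's Write permission modify this file?"""
    if not cfg.write:
        return False
    if subject_to_source_access(cfg, path):
        return cfg.script_source_access
    return True  # static content, or an .exe that IIS treats as a static file


def client_can_read_source(cfg: WebDavDir, path: str) -> bool:
    """Can a client holding Read permission download this file as it is on disk?"""
    if not cfg.read:
        return False
    if subject_to_source_access(cfg, path):
        return cfg.script_source_access
    return True


def audit(cfg: WebDavDir) -> List[Tuple[str, str]]:
    """Flag the combinations the lesson warns about; returns (severity, message) pairs."""
    findings: List[Tuple[str, str]] = []
    if "Anonymous" in cfg.authentication:
        findings.append(("high", "Anonymous access is on: anyone can reach the publishing directory"))
    if "Basic" in cfg.authentication and not cfg.ssl_required:
        findings.append(("high", "Basic authentication without SSL sends passwords in clear text"))
    if cfg.everyone_full_control:
        findings.append(("high", "NTFS DACL gives Everyone Full Control; reduce to Read, grant Write selectively"))
    if cfg.write and cfg.script_source_access and cfg.execute_permissions == "Scripts and Executables":
        findings.append(("high", "Write + Script source access + Scripts and Executables: "
                                 "clients can publish programs and run them against the site"))
    if cfg.write and cfg.execute_permissions != "Scripts and Executables":
        findings.append(("info", "Write with Execute Permissions below Scripts and Executables: "
                                 ".exe files are treated as static files and can be written"))
    if cfg.read and cfg.write and not cfg.directory_browsing:
        findings.append(("low", "Read and Write without Directory Browsing relies on "
                                "unguessable file names (security by obscurity)"))
    return findings


# Constructed configurations: a new virtual directory with Write added to its defaults,
# and a hardened intranet publishing directory.
DEFAULT_PLUS_WRITE = WebDavDir(read=True, write=True, directory_browsing=True,
                               script_source_access=False, execute_permissions="Scripts only",
                               authentication={"Anonymous", "Integrated Windows"})
HARDENED = WebDavDir(read=True, write=True, directory_browsing=True,
                     script_source_access=False, execute_permissions="None",
                     authentication={"Integrated Windows"}, everyone_full_control=False)

if __name__ == "__main__":
    for name, cfg in (("default + Write", DEFAULT_PLUS_WRITE), ("hardened", HARDENED)):
        print(name)
        for severity, message in audit(cfg):
            print(f"  [{severity}] {message}")
```

Two results are the ones to remember when reviewing a publishing directory: with Write and Scripts only, a client can upload a file named tool.exe because IIS treats it as static content, and once Scripts and Executables is turned on together with Script source access, that same client can both edit and run it, which is the combination the text calls a security risk.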

Denying Service

Dragging and dropping extremely large files into a WebDAV directory can take up a large amount of disk space. To limit the amount of space that can be used, consider setting quotas on disk usage.

Publishing and Managing Files

Users can connect to a WebDAV publishing directory, publish documents by dragging them from their computers to the publishing directory, and manipulate files in the directory.

NOTE


Even if users connect from behind a firewall, they can still publish on a WebDAV directory if they have the correct permissions and if the firewall is configured to allow publishing.

From a Windows 2000 computer, you can connect to a WebDAV publishing directory on another server through My Network Places.

You can also connect to a WebDAV directory through Internet Explorer 5.0 on the Windows 2000, Windows NT 4.0, Windows 98, or Windows 95 operating systems. Once connected, you can manipulate files and publish to that directory just as you could after connecting through Windows 2000. In addition, you can create, publish, or save documents in a WebDAV directory through any Office 2000 application.

Lesson Summary

In this lesson you learned that multiple Web sites or FTP sites can be hosted simultaneously on a single computer running Windows 2000 Server, which gives the appearance of several computers. Each Web site can host one or more domain names. Managing sites includes a number of tasks, such as starting and stopping sites, adding sites, naming sites, and restarting IIS.

You also learned that you can back up your IIS configuration so that it is easy to return to a previous state, and you can administer IIS remotely. WebDAV extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Once connected to a WebDAV directory, you can quickly search the files on that directory for content as well as properties. You can place a WebDAV directory anywhere you want, except under the Wwwroot directory. You can protect your server and content by coordinating different aspects of security (authenticating clients, controlling access, and denying service) into an integrated whole. Once you have created a WebDAV publishing directory, you can configure your directory to allow users to search for content and file properties. From Windows 2000, you can connect to a WebDAV publishing directory on another server. You can connect to a WebDAV directory through Internet Explorer 5.0 on the Windows 2000, Windows NT 4.0, Windows 98, or Windows 95 operating systems.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244