Working with IIS 6: What You Need to Know Right Now


As you’ve seen, IIS 6 is very different from its predecessors. IIS 6 has a new processing architecture, a new security architecture, and many other enhancements. As you might expect with all these changes, there are many things you should know right away about IIS 6 components, configuration, and services.

Installing Web and Application Server Components and Default Sites

IIS and Indexing Service are no longer installed during the installation of the operating system. You install these and other Web server components through the Windows Components Wizard, accessible through Add Or Remove Programs on the Control Panel. The key Web server components you might want to use include:

  • Certificate Services: Installs a certificate authority to issue public key certificates for use in authentication.

  • E-mail Services: Provides basic Post Office Protocol 3 (POP3) services so that POP3 mail clients can send and receive mail in the domain. Once you install this service, you define a default domain for mail exchange and then create and manage mailboxes. This basic service works well for datacenters and remote locations where e-mail exchange is needed but you don’t need the power and versatility of Exchange Server.

  • Indexing Service: Installs indexing service for fast full-text searching of Web documents.

  • Web Application Server: Provides IIS and ASP.NET services. You can install ASP.NET, COM+, Distributed Transaction Coordinator (DTC), IIS, Message Queuing, Microsoft Data Engine, and the Web Application Server Console.

By default, all subcomponents of certificate services, e-mail services, and indexing services are installed when the related option is selected in the Windows Components Wizard. For the Application Server component this isn’t the case. You’ll want to select this component and then click Details. Then, add components as necessary by selecting them. Some of these subcomponents have subcomponents of their own as well. The one you’ll want to check is IIS. In the Application Server dialog box, select Internet Information Services (IIS) and then click Details.

The IIS application server components include:

  • Background Intelligent Transfer Service (BITS) Server Extensions: Installs an extension that allows Web clients to use available bandwidth for data transfers and restart incomplete transfers.

  • Common Files: Installs common files required by IIS programs and documentation that covers server administration and publishing site content.

  • File Transfer Protocol (FTP) Service: Installs the FTP server service used to transfer files using FTP.

  • FrontPage 2002 Server Extensions: Installs extensions that allow Web site authoring and administration using Microsoft FrontPage and Microsoft Visual InterDev. If you elect to install these extensions, the Administration Web site isn’t installed. IIS is configured so that you can manage servers and applications using FrontPage or the Microsoft SharePoint Team Services.

  • Internet Information Services (IIS) Manager: Installs the MMC snap-in for the IIS administration tools.

    Note

    Throughout this book, we will refer to the Internet Information Services (IIS) Manager server component as the IIS snap-in.

  • Internet Printing: Installs extensions that allow Web-based printer management and printing to shared printers over the Internet, an extranet, or an intranet.

  • NNTP Service: Installs the Network News Transfer Protocol (NNTP) service used to create and manage newsgroups.

  • SMTP Service: Installs the Simple Mail Transfer Protocol (SMTP) service used for outgoing mail from a Web server.

  • World Wide Web Server: Installs the Web service used to publish and manage Web sites.

When you install Internet services, default sites are created on the computer. In most instances these default sites are active by default. If the default sites aren’t active, you can start them using the IIS snap-in. To start the snap-in, click Start, choose All Programs, Administrative Tools, and then Internet Information Services (IIS) Manager. Default sites you see might include:

  • Default FTP Site: The default site for FTP services—which is installed only when you elect to install this option as part of the IIS installation. By default, anonymous connections are allowed access to FTP sites. Disable this service if you don’t intend to use FTP for file transfers.

  • Default Web Site: The default site for Web services. By default, anonymous connections are allowed access to Web sites. Disable anonymous connections unless your site is ready to go public.

  • Administration Web Site: The default site for browser-based administration. By default, this site is only accessible from the local system. If you wish to use this service for remote administration, change the default IP filtering.

    Note

    When the administration Web site is stopped, you can’t manage sites using the Remote Administration tools. These tools are Web-based and depend on the administration Web site. This Web site isn’t enabled by default. You must enable ASP as a valid Web Server Extension, as discussed in Chapter 3, “Configuring Web Sites and Servers,” and also start the site. If you install the FrontPage Server Extensions on a Web server, you use the SharePoint tools for Web-based administration.

  • Default SMTP Virtual Server: The default site for SMTP services. If you don’t use pages that generate e-mail messages, don’t start SMTP services. By default, only servers that authenticate themselves in the domain can relay mail on the server. This denies all other hosts permission to relay e-mail through the server and protects the server from being used to deliver unsolicited e-mail messages.

  • Default NNTP Virtual Server: The default site for NNTP services. The default configuration allows client posting and updates from news feeds and grants permission to other servers to pull articles from the server. If necessary, change these settings before starting an NNTP server.

If an IIS feature you want to use isn’t available in the IIS snap-in, you can install it using the Windows Components Wizard. To access and use this wizard, follow these steps:

  1. Log on to the computer using an account with administrator privileges.

  2. Click Add Or Remove Programs in the Control Panel. This displays the Add Or Remove Programs dialog box.

    Note

    Throughout this book, I refer to clicking or double-clicking, the most common techniques used for accessing folders and running programs. Through the Taskbar And Start Menu Properties dialog box, you can change the look and feel of the graphical interface. Some options, such as the Control Panel, can appear as menus with clickable menu items that run programs or as menu items that open dialog boxes. You can also change the mouse click options with the Folder Options utility in the Control Panel to allow either single-click open/run or double-click to open. Because of this, when I say click, you might actually have to double-click, or vice versa.

  3. Click Add/Remove Windows Components to start the Windows Components Wizard, shown in Figure 1-1.

    Figure 1-1: Use the Windows Components Wizard to select components to add or remove.

  4. Select Certificate Services, E-Mail Services, or Indexing Service as necessary.

  5. Select Application Server. Click Details to add and remove individual components. You can now select subcomponents to install or uninstall them.

  6. Select Internet Information Services (IIS). Click Details to add and remove individual components. You can now select subcomponents to install or uninstall them.

  7. When ready to continue, click OK twice and then Next. The selected components are then installed (or uninstalled).

  8. Click Finish when prompted.

Installing Internet Services and Service-Related Accounts

When you install Web and application server components, several services are installed on the computer. You can check for these services using the Services utility or Computer Management. Both utilities are found on the Administrative Tools menu. Services you might see include:

  • ASP.NET State Service: Provides support for out-of-process session states when using ASP.NET

  • Background Intelligent Transfer Service: Transfers files in the background using idle network bandwidth

  • Certificate Services: Provides services for creating, managing, and removing X.509 certificates

  • COM+ Event System: Provides system event notification services for COM components

  • COM+ System Application: Provides configuration and tracking for COM components

  • Cryptographic Services: Provides management services for certificate authorities

  • Distributed Transaction Coordinator: Coordinates transactions for Microsoft Distributed Transaction Coordinator (DTC)

  • FTP Publishing Service: Provides services for transferring files using FTP and also allows administration of an FTP server through the IIS snap-in

  • HTTP SSL: Enables SSL by providing the necessary services for Hypertext Transfer Protocol Secure (HTTPS)

  • IIS Admin Service: Allows administration of IIS through the IIS snap-in

  • Indexing Service: Indexes the contents and properties of files, providing quick access to files through a flexible query language

  • Message Queuing: Provides the necessary services for distributed messaging and message queuing

  • Microsoft POP3 Service: Provides POP3 service for mail transfer and retrieval

  • MSSQL$UDDI: Provides Web database services for the Microsoft Data Engine

  • MSSQLServerADHelper: Provides Active Directory helper services for the Microsoft Data Engine

  • Network News Transport Protocol (NNTP): Provides network news services and allows administration of NNTP servers through the IIS snap-in

  • Simple Mail Transport Protocol (SMTP): Provides mail transfer services and allows administration of SMTP sites through the IIS snap-in

  • SQLAgent$UDDI: Provides SQL Server Agent services for the Microsoft Data Engine

  • Web Element Manager: Provides access to user interface elements needed for the Remote Administration Web tools

  • World Wide Web Publishing Service: Provides services for transferring files using HTTP and also allows administration of an HTTP server

By default, most Web-related services run as the Local Service account. This allows the services to interact with the operating system. To tighten security, some services, such as the Microsoft POP3 service and the World Wide Web Publishing Service, run as the NetworkService account. This account has fewer privileges than the Local Service account.

Note

You might find that the World Wide Web Publishing Service and other services normally running under the NetworkService account are running under the Local Service account on your system. This can happen if you install components, such as Certificate Services, that require more interaction with the operating system than a standard IIS installation.

When you install IIS, several accounts are created as well. These accounts are:

  • IIS_WPG: The IIS Worker Process Group account. All worker processes running under IIS use this group account. If this account is disabled or locked out, IIS won’t function normally.

  • IUSR_ComputerName: The Internet guest account used by anonymous users to access Internet sites. If this account is disabled or locked out, anonymous users can’t access Internet services. In a domain, this account is a member of the Domain Users and Guests groups. Otherwise, it’s only a member of the Guests group.

  • IWAM_ComputerName: An account used by IIS to run out-of-process applications. If this account is disabled or locked out, out-of-process applications can’t start. As all applications and sites configured under IIS 6 are technically out-of-process, IIS might not work properly if this account isn’t available. In a domain, this account is a member of the Domain Users and IIS_WPG groups. Otherwise, it’s only a member of the IIS_WPG group.

    Tip

    The IUSR and IWAM accounts have a password that never expires and can’t be changed by users. You can, however, set and manage the password for these accounts as you would for any other account.

Other Web server and application components might cause additional accounts to be created, including the following:

  • ASPNET: An account used to run ASP.NET worker processes. This account is a member of the Domain Users group.

  • Cert Publishers: A group account that allows member users to publish X.509 public key certificates.
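
One way to check a server against the services and accounts described in this section, as an added example that is not from the book: a Windows PowerShell report of each Internet service's state and log-on account, and of the status of the IUSR and IWAM accounts. The service short names (W3SVC, MSFTPSVC, and so on) are the standard Windows Server 2003 names for the display names listed above, and the script assumes the IUSR_ and IWAM_ accounts are local accounts that still carry the current computer name.

```powershell
# Added example (not from the book). Needs Windows PowerShell with WMI access,
# run from an account with administrator privileges.
# Short service name -> display name used in this section.
$iisServices = @{
    'IISADMIN'   = 'IIS Admin Service'
    'W3SVC'      = 'World Wide Web Publishing Service'
    'HTTPFilter' = 'HTTP SSL'
    'MSFTPSVC'   = 'FTP Publishing Service'
    'SMTPSVC'    = 'Simple Mail Transport Protocol (SMTP)'
    'NntpSvc'    = 'Network News Transport Protocol (NNTP)'
    'POP3SVC'    = 'Microsoft POP3 Service'
}

# Services this section says to leave stopped, or to reconfigure first,
# unless the server really needs them (FTP, SMTP, NNTP).
$reviewIfRunning = 'MSFTPSVC', 'SMTPSVC', 'NntpSvc'

function Get-IisServiceReport {
    # One row per installed Internet service: state, startup type, and the
    # account it logs on as, so it can be compared with the accounts the
    # text says to expect. Review is True for a running optional service.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $iisServices.ContainsKey($_.Name) } |
        Select-Object @{ n = 'Service'; e = { $iisServices[$_.Name] } },
                      State, StartMode, StartName,
                      @{ n = 'Review'; e = {
                          ($reviewIfRunning -contains $_.Name) -and
                          ($_.State -eq 'Running') } }
}

function Get-IisAccountReport {
    # Assumption: the accounts are local and named after this computer.
    # A disabled or locked-out IUSR/IWAM account breaks anonymous access
    # or application start-up, as described above.
    $names = "IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME"
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $names -contains $_.Name } |
        Select-Object Name, Disabled, Lockout, PasswordExpires, PasswordChangeable
}

Get-IisServiceReport | Sort-Object Service | Format-Table -AutoSize
Get-IisAccountReport | Format-Table -AutoSize

# Members of the worker process group (IWAM_ComputerName should be listed).
net localgroup IIS_WPG
```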




Microsoft IIS 6.0 Administrator's Consultant
Year: 2003
Pages: 116
