Managing Internet Information Services Web Server


Previous versions of Internet Information Services were installed by default on Windows NT Server and the Windows 2000 Server family. Furthermore, in earlier versions (that is, IIS 5.0), IIS servers were not locked down by default. Many unnecessary settings were on by default. This opened the door to widespread vulnerability and attacks. Locking down an IIS server was tedious and had to be performed manually.

Installing any of the Windows Server 2003 family of products, except Windows 2003 Web Server Edition, does not install IIS 6.0 by default. Administrators must explicitly select and install IIS 6.0 on all but the Web Server Edition. Also note that IIS 6.0 is disabled by default when a Windows server is upgraded to Windows Server 2003. When IIS 6.0 is installed, it is configured by default in a locked-down state. After installation, IIS 6.0 accepts requests for static files only until you configure it to serve dynamic content.

IIS 6.0 is more reliable, easier to manage, and offers high performance and scalability along with being much more secure. New features and enhancements include server consolidation, lower total cost of ownership (TCO), and less planned and unplanned downtime.

The following section shows you how to install and configure IIS 6.0, install and manage ASP.NET, implement Web applications and application pooling, manage the metabase and remote locations, and how to monitor and optimize IIS 6.0.

Installing IIS 6.0

One of two methods is used to install IIS 6.0 on Windows Server 2003. Use either the Configure Your Server Wizard or the Add/Remove applet in the Control Panel. The following steps will install IIS 6.0 from the Add/Remove applet:

  1. Click Start, Control Panel. Double-click the Add/Remove applet and then click the Add/Remove Windows Components button.

  2. In the Windows Components dialog box, check the Application Server check box, and then click the Details button.

  3. Click the Internet Information Services (IIS) check box and then click the Details button.

  4. Notice that Common Files, Internet Information Services Manager, and World Wide Web Service (WWW) are the only items checked. Select World Wide Web Service and click the Details button. Notice that only the WWW service and Active Server Pages are selected by default. Click the Cancel button to return to the IIS dialog box. Click the Cancel button to return to the Application Server dialog box.

  5. Because we will be learning about ASP.NET features, check the ASP.NET check box in the Application Server dialog box, and then click the OK button to continue.

  6. Click the Next button in the Windows Components dialog box.

  7. Click the Finish button to complete the installation.

Configuring IIS Authentication

Windows Server 2003 offers improved authentication and authorization. Although you're familiar with the Windows authentication process, you probably do not thoroughly understand what authorization is all about. Authorization allows or denies a user permission to perform a process or task. Windows Server 2003 now supports .NET Passport as a method to authenticate. Authorization in Windows 2000 IIS 5.0 has been enhanced in IIS 6.0 to include the use of a new authorization framework. Web applications can make use of URL authorization along with Authorization Manager to control user access. Domain administrators can make use of constrained, delegated authorization to delegate control to individual computers and services only.

To start IIS 6.0 Manager, click Start, All Programs, Administrative Tools, Internet Information Services (IIS) Manager. IIS opens. User authentication can be set up for your Web resources by configuring property sheets at the Web site, directory, or file level. Table 4.2 offers a summary of Web site authentication methods along with a brief description of each.

Table 4.2. Summary of Web Site Authentication Methods

| Method | Description |
| --- | --- |
| Anonymous Authentication | No username or password required. Best used to grant public access to information that requires no security. |
| Basic Authentication | Requires a user account and password. Has a low level of security because passwords are sent across the network in plain text. |
| Digest Authentication | Similar to Basic Authentication. Requires a user account and password. Has a medium level of security because user credentials are sent across the network in a hashed message digest. |
| Advanced Digest Authentication | Similar to Digest Authentication. Requires a user account and password. Has a medium level of security. A domain controller (DC) stores the user credentials as an MD5 hash. |
| Integrated Windows Authentication | Uses Kerberos as the authentication protocol, provides a high level of security, and is best used on your organization's intranet. |
| Certificate Authentication | Establishes a secure connection between client and server by using Secure Sockets Layer (SSL). Provides a high level of security and is the preferred method used for conducting business over the Internet. |
| .NET Passport Authentication | Provides single unified logon through SSL, HTTP redirects, cookies, and JavaScript. Passwords are encrypted and the level of security is high. |
| UNC Authentication | Used to verify user credentials for access to shared folders and files on a remote computer. |

Installing and Adding ASP.NET to Web Server Extensions

The .NET Framework and ASP.NET offer high functionality with rapid application development (RAD) and improved request-processor architecture integration with IIS 6.0. By default, ASP.NET is not installed. When you install ASP.NET, it is added to the Web Server extensions list with the Allowed status, as shown in Figure 4.9.

Figure 4.9. You can verify the status of ASP.NET Web Server Extensions via IIS Manager.


The ASP.NET configuration system has great flexibility in defining configuration settings. You can define configuration settings when your applications are first deployed and later add or revise the configuration. Any standard text editor or XML parser can be used to create, edit, and manage configuration information because the configuration information is stored in XML-based text files.

An ASP.NET application server can store many configuration files, all named Web.config, in multiple directories. The Web.config file applies configuration settings to its own directory and all child directories below it. To protect the configuration information files, ASP.NET configures IIS to prevent direct browser access.
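The directory inheritance described above matters most for ASP.NET URL authorization, where the rules in the Web.config closest to the requested path are checked first, then each parent's, and the first match wins. The following Python example is added here and is not code from the book or from ASP.NET: the CONFIGS contents, directory names and user names are constructed, and only the users attribute is modelled (roles and verbs are ignored).

```python
import xml.etree.ElementTree as ET

# Constructed sample: Web.config content keyed by the directory that holds it.
CONFIGS = {
    "/": """<configuration><system.web><authorization>
              <deny users="?"/>
            </authorization></system.web></configuration>""",
    "/admin": """<configuration><system.web><authorization>
              <allow users="alice"/>
              <deny users="*"/>
            </authorization></system.web></configuration>""",
}

def rules_for(directory):
    """Rules from the directory's own Web.config first, then each parent's."""
    parts = [p for p in directory.split("/") if p]
    chain = ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)] + ["/"]
    rules = []
    for d in chain:
        if d not in CONFIGS:
            continue  # no Web.config here: settings come from the parents only
        for auth in ET.fromstring(CONFIGS[d]).iter("authorization"):
            for rule in auth:  # <allow> / <deny> elements, in document order
                users = [u.strip() for u in rule.get("users", "").split(",")]
                rules.append((rule.tag, users))
    rules.append(("allow", ["*"]))  # machine-level default: allow everyone
    return rules

def matches(entry, user):
    if entry == "*":        # every user
        return True
    if entry == "?":        # anonymous (unauthenticated) users only
        return user is None
    return user is not None and entry.lower() == user.lower()

def is_allowed(directory, user):
    """user=None models an anonymous request. The first matching rule wins."""
    for action, users in rules_for(directory):
        if any(matches(entry, user) for entry in users):
            return action == "allow"
    return False
```

A directory with no Web.config of its own, such as /admin/reports here, is governed entirely by the rules it inherits from /admin and /.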

Command Line Administration

IIS 6.0 includes many new management tools to reduce time and management duties. For example, the XML configuration file can be modified while the server is still up and running. Command-line administration using supported scripts is designed to do most common Web management administration tasks from the command prompt. These scripts use the Windows Management Instrumentation (WMI) service to retrieve and write information to IIS's metabase. The following command-line scripts are included:

  • IISweb.vbs: Used to start, stop, create, delete, and list Web sites

  • IISftp.vbs: Used to start, stop, create, delete, and list file sites

  • IISvdir.vbs: Used to create, delete, and display virtual directories

  • IISftpdr.vbs: Used to create, delete, and display virtual directories under a root

  • IISconfg.vbs: Used to import and export IIS configuration to an XML file

  • IISback.vbs: Used to back up and restore IIS configuration

  • IISapp.vbs: Used to list application pool and process IDs for started worker processes

  • IISweb.vbs: Used to configure Web service extensions

Creating and Managing Web Applications

To create an application, you need to designate a directory (called the application root) as a starting point. You can give it a friendly name that appears in IIS Manager.

Note: By default, Web sites are root-level applications. When you create a Web site, a default application is created at the same time. You can use the default created application, delete it, or replace it with a new application.


Tip: You must be a member of the local Administrators group on the local computer to create Web applications. If you're logged on with only user permissions, you could use the runas command discussed earlier to log on with Administrative privileges to create a Web application.


To create a new Web site and the default application, perform the following steps:

  1. Open IIS Manager, expand your local computer, right-click the Default Web Site, choose New, and then choose Web Site. The Web Site Creation Wizard opens. Click the Next button to continue.

  2. Type a name for your Web site in the Web Site Description text box and then click the Next button to continue.

  3. Select your IIS server's IP address for the Web site and then click the Next button.

  4. Type or browse to the path for your home directory in the Path text box. Check or uncheck the Allow Anonymous Access to This Web Site check box and then click the Next button to continue.

  5. Assign the appropriate Web site access permissions as shown in Figure 4.10 and click the Next button.

    Figure 4.10. You configure permissions via the Web Site Access Permissions dialog box.


  6. Click the Finish button. The new Web site is created along with the default application.

  7. Using IIS Manager, browse to the newly created Web site directory, right-click it, and choose Properties.

  8. On the Web site Properties sheet, click the Home directory tab. Notice the default application is listed in the Application Name text box.

  9. You can either accept the default application or click the Remove button to create a new application.

    Note: If you see the Remove button instead of the Create button, an application is already created.


  10. In the Execute Permissions list box, set your permissions by performing one of the following actions and then click the OK button:

    • Click None to prevent scripts from running.

    • Click Scripts Only to enable scripts to run.

    • Click Scripts and Executables to allow any application to run.

Implementing Application Pooling

Web sites and applications use self-contained units called application pools as part of their fault-tolerant process architecture. Application pools are separated by boundaries so that applications run unaffected by other applications.

After an application is created, you can isolate it to run in a process separate from the Web server and other applications. You isolate the application in one of the two following modes: worker process isolation mode or IIS 5.0 isolation mode. To isolate an application in worker process mode, perform the following steps:

  1. In IIS Manager, right-click the application you want to isolate and choose Properties. Select the Home Directory tab.

  2. Under the Application Settings section in the Application Pool list box, click an application pool. Click the Apply button and the OK button.

Note: To create application pools, you must be running in worker process isolation mode and be a member of the Administrators group.


To create application pools, perform the following steps:

  1. In IIS Manager, expand the local computer, right-click Application Pools, select New, and then click Application Pool. Figure 4.11 shows the Add New Application Pool dialog box.

    Figure 4.11. Add New Application Pool dialog box.


  2. Type a name for the application pool in the Application Pool ID text box.

  3. Select either Use Default Settings for New Application Pool or Use Existing Application Pool as Template, and then click the OK button.

To assign an application to an application pool, perform the following steps:

  1. Right-click the application you want to assign to an application pool and click Properties.

  2. Click the Home Directory tab and verify that the application name is displayed, or create a new application.

  3. In the Application Pool list box, select the application pool name (refer to Figure 4.11).

Managing the IIS 6.0 Metabase

The metabase configuration file, Metabase.xml, stores the IIS configuration settings in a hierarchical structure. When IIS starts, Metabase.xml configuration settings are read and copied into IIS cache memory, referred to as the in-memory metabase. Metabase.xml is a plain-text file that is easily read and configured using a text editor like Notepad.
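Because Metabase.xml is plain XML, a copy of it can be reviewed offline for the weaker settings this chapter describes. The following Python example is added here and is not from the book or from IIS: it resolves AuthFlags and AccessFlags for every key, inheriting from parent keys where a key sets nothing itself, and reports Basic authentication and the Scripts and Executables permission. The SAMPLE fragment is constructed, and its attribute layout (Location, AuthFlags and AccessFlags holding |-separated flag names) is an assumption about the file format.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a fragment of Metabase.xml (not a real server's file).
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0"><MBProperty>
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Intranet"
      AuthFlags="AuthAnonymous | AuthNTLM"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppPoolId="DefaultAppPool"
      AccessFlags="AccessRead | AccessScript"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/upload" AuthFlags="AuthBasic"
      AccessFlags="AccessRead | AccessScript | AccessExecute"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/upload/tools"/>
</MBProperty></configuration>"""

def flags(value):
    """Split 'AuthAnonymous | AuthNTLM' into a set of flag names."""
    return {f.strip() for f in value.split("|") if f.strip()}

def load(xml_text):
    """Map each Location to the attributes set explicitly on that key."""
    keys = {}
    for el in ET.fromstring(xml_text).iter():
        loc = el.get("Location")
        if loc:
            keys[loc] = dict(el.attrib)
    return keys

def effective(keys, loc, prop):
    """Walk up the Location path until some key sets prop (inheritance)."""
    while loc:
        if prop in keys.get(loc, {}):
            return flags(keys[loc][prop])
        loc = loc.rpartition("/")[0]
    return set()

def audit(xml_text):
    """Return (location, finding) pairs for settings worth a second look."""
    keys, findings = load(xml_text), []
    for loc in sorted(keys):
        if "AuthBasic" in effective(keys, loc, "AuthFlags"):
            findings.append((loc, "basic-auth"))   # password sent in plain text
        if "AccessExecute" in effective(keys, loc, "AccessFlags"):
            findings.append((loc, "executables"))  # Scripts and Executables
    return findings
```

The tools directory sets neither property, yet it is reported twice because it inherits both from upload, which is the case a review of explicitly set values alone would miss.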

After your Web site and application are up and running, you can save the metabase configuration as a backup copy. Each time the metabase changes, IIS automatically creates a backup of the metabase configuration and schema files.

To create a manual metabase configuration backup, perform the following steps:

  1. In IIS Manager, right-click your local computer, select All Tasks, and then click Backup/Restore Configuration.

  2. Click Create Backup.

  3. Type the name for your backup in the Configuration Backup Name text box. Optionally check the Encrypt Backup Using Password check box. Click OK, and then click Close.

Note: Metabase backup files contain only configuration settings. They do not include content such as .asp files.


Managing an IIS Server Remotely

IIS 6.0 includes a new Web-based administration console called the Remote Administration tool for remotely managing other IIS servers. Using your Web browser on either your company's intranet or Internet connection, the Remote Administration tool enables you to remotely configure and manage a server from a remote client. You can configure network settings, set disk quotas, manage local user accounts, create and delete Web sites, and restart the remote Web server using the Web interface for Remote Administration tool. You can also use IIS Manager to remotely manage your company's intranet or Terminal Services to connect to your IIS Manager.

To install and add the Remote Administration tool, perform the following steps:

  1. Click Start, Control Panel, click the Add or Remove Programs applet, and select Add/Remove Windows Components.

  2. Select Application Server and click the Details button.

  3. Select Internet Information Server (IIS) and click Details.

  4. Select World Wide Web Publishing Service and click Details.

  5. Select the Remote Administration (HTML) check box.

  6. Click the OK button three times, click Next, and then click Finish.

To view the Remote Administration tool, expand your local computer, expand the Web Sites folder, right-click on the Administration Web Site folder, and click Browse.

To administer an IIS Web server using the Remote Administration tool, open your intranet site using your Web browser and type the following in the address bar: http://hostname:8099, where hostname is the name of the IIS computer you want to manage.

Monitoring IIS 6.0

The WWW Service Administration and Monitoring component pings worker processes periodically to determine whether they're blocked. If a process is completely blocked, the WWW service terminates the process and creates a new worker process to replace it. IIS 6.0 also periodically checks the status of application pools and will automatically restart the Web site and applications in the event of a failure. Web sites that fail to open in a short time period are automatically disabled, offering further stability and protection.

Introduced in Windows 2000, the Windows Management Instrumentation (WMI) tool provides access to important data and statistics such as performance counters and system configuration. IIS 6.0 now includes WMI for monitoring performance. Administrators can now manage query support and associations between objects using the WMI tool included with IIS 6.0.

Alert: To manage servers remotely, you need to be a member of the local Administrators group. The one exception is using the runas command.




MCSA/MCSE Managing and Maintaining a Windows Server 2003 Environment Exam Cram 2 (Exam Cram 70-292)
ISBN: 0789730111
EAN: 2147483647
Year: 2006
Pages: 132