Configuring the Default Websites


Configuring the Default Websites

With the possible exception of the Companyweb website, most SBS administrators who work in the IIS Management Console spend their time within the scope of the Default Web Site. Because this is where the configuration for the main SBS web page, the Outlook Web Access (OWA) web interface, the Remote Web Workplace interface, the ConnectComputer and ClientHelp pages, and the Backup and Monitoring interfaces are all configured, a thorough understanding of how this site is configured by default is essential to maintaining the operation of the web services for SBS. Any changes made to the Default Web Site, no matter how well intentioned, could end up crippling the web services for the entire organization.

Settings for the Default Web Site

When a typical SBS installation is performed "by the book," all the web services that rely on the Default Web Site configuration are configured so that they work well with each other. This chapter looks at the basic settings for the website and some of the virtual directories hosted in the Default Web Site. Some of the directories, such as the OWA directories (Exadmin, Exchange, Exchange-oma, ExchWeb, and Public) and the Remote Web Workplace directory (Remote) will be covered in more detail in their respective chapters.

The Properties page of the Default Web Site is broken down into nine main tabs, described in Table 6.2.

Table 6.2. Descriptions of the Settings Tabs for the IIS Web Site Properties Page

Tab Name

Description

Web Site

Stores the main identifier information for the site and the logging settings

Performance

Stores settings for limiting bandwidth and number of connections

ISAPI Filters

Lists the ISAPI filters that have been loaded and their status

Home Directory

Stores the main content location for the site, the access allowed to that content, and the application settings used, if any

Documents

Lists the default content page names and footer information for each page displayed, if used

Directory Security

Stores the authentication, IP/domain restrictions, and secure communication settings for the site

HTTP Headers

Stores settings for content expiration, custom HTTP headers, content ratings, and MIME types for the site

Custom Errors

Lists the locations for the files displayed for each of the HTTP error types

Server Extensions 2002

Provides access to SharePoint and/or FrontPage server extension settings, if installed


The most commonly accessed tabs in the Properties page are the Web Site, Directory Security, and Home Directory tabs. This is where the key settings are stored, and where the most damage can be done if not used correctly, so this chapter focuses on these areas. A more detailed discussion of the IIS settings is beyond the scope of this book.

Web Site

Figure 6.5 shows the default settings for the Default Web Site properties. The website is set to listen on all unassigned IP addresses, which means that if multiple IP addresses are on the server and another website is set to specifically listen on one of those addresses, this site will respond for all other IP addresses. In general, this setting should not be changed. The TCP port and SSL port are set to 80 and 443, respectively, which are the web defaults for normal and secure web traffic.

Figure 6.5. The Default Web Site Properties page Web Site tab shows the basic communications settings for the site.


Figure 6.5 also shows the connection timeout to be 120 seconds and HTTP Keep-Alives are enabled. By default, logging is enabled, and clicking the Properties button next to the Active Log Format drop-down menu allows access to specific settings related to logging. Logging is set to create a new log file daily in the C:\WINDOWS\system32\LogFiles\W3SVC1 directory.

Directory Security

The Directory Security tab has three main sections: Authentication and Access Control, IP Address and Domain Name Restrictions, and Secure Communications. Figure 6.6 shows the settings for the Authentication Methods properties. The site is configured to allow anonymous access by default, and it does this by authenticating as the IUSR account for the server.

Figure 6.6. The default settings for Authentication Methods allow anonymous access to the site and use integrated Windows authentication in case authentication is needed or requested.


Note

The IUSR account, which is always named IUSR_servername, is one of several system-created accounts that allow access to certain areas of the server. These accounts have passwords assigned to them when they are created, but those passwords are not shared or accessible by normal methods. If the system is an OEM build, the IUSR account will be named based on the OEM image name and not the server name. This does not cause any performance issues, but might be confusing to the administrator on first glance.


As shown in Figure 6.6, if and when authentication is needed for the Default Web Site, integrated Windows authentication will be used. Because anonymous access to the site is enabled by default on this page, the only time authentication would be needed is if one of the web directories required it or if NTFS permissions deny access to the IUSR account. Other settings that could be used for authentication are the Digest authentication for Windows domain servers, Basic authentication, and .NET Passport authentication. Digest authentication works only with Active Directory accounts and will not likely be used in an SBS configuration. Basic authentication sends a username and password to the server in clear text format and should be used only if the site requires an SSL (HTTPS) connection. The .NET Passport authentication uses the Passport service to authenticate users and again is not likely to be used in an SBS environment because there are additional fees associated with using Passport for authentication.

Figure 6.7 shows the settings for the default IP Address and Domain Name Restrictions settings. The default action in this window is to allow or deny access to the site and then specify exceptions to the default action.

Figure 6.7. The IP Address and Domain Name Restrictions window shows only local addresses that can access the default website.


In this case, the only addresses allowed to connect to the Default Web Site are the localhost address, meaning that the server can connect to itself, and the local internal subnet. This is because when the Connect to the Internet Wizard (CEICW) was run, the Business website was set so that it was not published to the Internet. Had the Business website been selected to be available, the IP Address and Domain Name Restrictions window would have Granted Access selected, and the exceptions list would be empty.

In this configuration, if a computer from outside the local network attempted to access the main web page, IIS would return a 403.6 error, indicating that the IP address of the client had been rejected.

The real meat of the Directory Security tab lies in the Secure Communications section. This is where the SSL certificate created by the Connect to the Internet Wizard is stored and configured. Clicking on the View Certificate button in the Directory Security tab brings up a window showing the certificate created by the CEICW. Both the Issued To and Issued By fields have the public DNS name that was entered in the CEICW, meaning that this is a self-signed certificate.

Clicking the Edit button brings up the Secure Communications window, shown in Figure 6.8. Though there are several sections to this window, the only area that is of real interest to the SBS community is the Require Secure Channel (SSL) check box. If this check box is enabled, the website responds only to a page request over the SSL channel (port 443). If someone attempts to access the page with the standard web channel (port 80), IIS responds with a message that the page must be viewed over a secure channel and instructs the user to replace http:// with https:// instead.

Figure 6.8. The Default Web Site settings do not require a secure connection to access pages on the site.


If the Require Secure Channel (SSL) check box is enabled here, the entire site would need to be viewed over SSL, which is not what is wanted by default. Each of the directories and virtual directories under the website can override this setting, but in general, SSL should be turned off at the site level and enabled where needed at the virtual directory level.

Best Practice: Leave Defaults as Defaults

With few exceptions, the settings for Default Web Site should not be modified. When a change is made at the top level of the website, the user is prompted to apply the change to all subwebs that would be affected by the change. If the user agrees to the changes to the subwebs, many of the services running under IIS on the SBS server can be taken out of action.

If you absolutely, positively, must make a change to the Default Web Site configuration, make sure that you do not apply the changes to any of the subwebs. When prompted for the inheritance overrides, make sure that none of the child nodes are selected and click OK in both prompts.

The Microsoft SharePoint Administration and SharePoint Central Administration sites are also configured automatically during the SBS installation and, to borrow a phrase, have no user-serviceable parts inside. Under normal server operation, there is never a time you will need to manage or maintain these site definitions, except to back them up. If you feel you really must modify any settings in these sites, which you shouldn't, make a backup of the site configuration before proceeding.


Home Directory

The Home Directory tab tells IIS where the main source of the content for the site is located. As seen in Figure 6.9, the source files can be located on the local system, a share from another system, or a URL redirection. In a default SBS install the Default Web Site files are stored in c:\inetpub\wwwroot. Table 6.3 lists the NTFS permissions for this folder.

Figure 6.9. The Home Directory tab displays the path to the static files for the site as well as the application pool configuration.


Table 6.3. NTFS Permissions Assigned to Various Security Objects in the Website Root Folder

Security Object

NTFS Permissions

Administrators

Full Control

IIS_WPG

Read & Execute

 

List Folder Contents

 

Read

INTERACTIVE

List Folder Contents

Internet Guest Account

List Folder Contents

NETWORK

List Folder Contents

NETWORK SERVICE

List Folder Contents

SYSTEM

Full Control

Users

Read & Execute

 

List Folder Contents

 

Read


For security, only the Read permission should be applied at this level as per defaults. Enabling Script Source Access, Write, or Directory Browsing could open up your website to external users in unexpected ways. In addition, the Application Settings should not be modified. The Default Web Site should use the Default Application, the DefaultAppPool, and be set to execute Scripts Only, as shown in Figure 6.9.

Settings for the Companyweb Site

Although a more detailed outline of the settings for the Companyweb SharePoint site occurs Chapter 14, "SharePoint and the Companyweb Site," this section covers the basics of a default SBS installation for reference.

Web Site

The first of the key differences between the Default Web Site and the Companyweb website are in the Advanced Web Site Identification properties, shown in Figure 6.10. The Companyweb configuration uses host headers to differentiate traffic intended for this site from the other sites on the server. With this configuration, any web request destined for http://companyweb or http://companyweb.SmallBizCo.local is answered by this website on port 80.

Figure 6.10. The Advanced Web Site Identification tab lists all the host header values to which the site will respond.


The other key difference shown in Figure 6.10 is that Companyweb uses port 444 for SSL communications instead of 443. Because SSL web requests cannot use host headers to identify websites, the Companyweb website must listen on a different port number to allow incoming SSL access.

Directory Security

Unlike the Default Web Site, the Companyweb interface requires an authenticated connection. This is set in the Authentication and Access Control Settings of the Directory Security tab. As shown in Figure 6.11, the Enable Anonymous Access setting is disabled, and only Integrated Windows Authentication is enabled under Authenticated Access.

Figure 6.11. The Companyweb Directory Security Authentication Methods dialog shows that only authenticated users can access the site.


Under IP Address and Domain Name Restrictions, all computers are granted access. And although SSL connections to Companyweb are supported and recommended, they are not required under the Secure Communications properties of this tab.

Home Directory

Two settings differ in the Home Directory tab from the Default Web Site. First, the local path to the files for Companyweb is located in C:\Inetpub\companyweb. The NTFS security settings for that folder are listed inherited from C:\Inetpub. In addition, the application name used for Companyweb is root, even though it also uses the DefaultAppPool application pool.

Again, more detailed information about the configuration and use of the Companyweb interface can be found in Chapter 14.

Settings for the Microsoft SharePoint Administration Site

The Microsoft SharePoint Administration site is an admin site that manages the FrontPage Server Extensions installed with the default SBS installation. Table 6.4 lists the differences between the Microsoft SharePoint Administration site and other sites.

Table 6.4. Default Settings for the Microsoft SharePoint Administration Site

Setting

Location

Value

IP Address

Web Site

All Unassigned

TCP Port

Web Site

Random port above 6000

Local Path

Home Directory

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\isapi\_vti_adm

Application Pool

Home Directory

None

Default Content Page(s)

Documents

fpadmdll.dll

Authenticated Access

Directory Security, Authentication and Access Control

Enable anonymous access Integrated Windows authentication No basic authentication


Settings for the SharePoint Central Administration Site

The SharePoint Central Administration site is the admin site for Windows SharePoint Services on the server, specifically for governing the Companyweb instance, but applying to other new SharePoint sites created on the server. Table 6.5 lists the differences between the SharePoint Central Administration site and other sites.

Table 6.5. Default Settings for the SharePoint Central Administration Site

Setting

Location

Value

IP Address

Web Site

All Unassigned

TCP Port

Web Site

8081

Local Path

Home Directory

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\template\admin\1033

Application Pool

Home Directory

StsAdminAppPool

Application Name

Home Directory

Default App

Default Content Page(s)

Documents

default.aspx

Authenticated Access

Directory Security, Authentication and Access Control

No anonymous access Integrated Windows authentication No basic authentication