Configuring the Default Websites
With the possible exception of the Companyweb website, most SBS administrators who work in the IIS Management Console spend their time within the scope of the Default Web Site. Because this is where the configuration for the main SBS web page, the Outlook Web Access (OWA) web interface, the Remote Web Workplace interface, the ConnectComputer and ClientHelp pages, and the Backup and Monitoring interfaces are all configured, a thorough understanding of how this site is configured by default is essential to maintaining the operation of the web services for SBS. Any changes made to the Default Web Site, no matter how well intentioned, could end up crippling the web services for the entire organization.
Settings for the Default Web Site
When a typical SBS installation is performed "by the book," all the web services that rely on the Default Web Site configuration are configured so that they work well with each other. This chapter looks at the basic settings for the website and some of the virtual directories hosted in the Default Web Site. Some of the directories, such as the OWA directories (Exadmin, Exchange, Exchange-oma, ExchWeb, and Public) and the Remote Web Workplace directory (Remote) will be covered in more detail in their respective chapters.
The Properties page of the Default Web Site is broken down into nine main tabs, described in Table 6.2.
The most commonly accessed tabs in the Properties page are the Web Site, Directory Security, and Home Directory tabs. This is where the key settings are stored, and where the most damage can be done if not used correctly, so this chapter focuses on these areas. A more detailed discussion of the IIS settings is beyond the scope of this book.
Figure 6.5 shows the default settings for the Default Web Site properties. The website is set to listen on all unassigned IP addresses, which means that if multiple IP addresses are on the server and another website is set to specifically listen on one of those addresses, this site will respond for all other IP addresses. In general, this setting should not be changed. The TCP port and SSL port are set to 80 and 443, respectively, which are the web defaults for normal and secure web traffic.
Figure 6.5. The Default Web Site Properties page Web Site tab shows the basic communications settings for the site.
Figure 6.5 also shows the connection timeout to be 120 seconds and HTTP Keep-Alives are enabled. By default, logging is enabled, and clicking the Properties button next to the Active Log Format drop-down menu allows access to specific settings related to logging. Logging is set to create a new log file daily in the C:\WINDOWS\system32\LogFiles\W3SVC1 directory.
The Directory Security tab has three main sections: Authentication and Access Control, IP Address and Domain Name Restrictions, and Secure Communications. Figure 6.6 shows the settings for the Authentication Methods properties. The site is configured to allow anonymous access by default, and it does this by authenticating as the IUSR account for the server.
Figure 6.6. The default settings for Authentication Methods allow anonymous access to the site and use integrated Windows authentication in case authentication is needed or requested.
The IUSR account, which is always named IUSR_servername, is one of several system-created accounts that allow access to certain areas of the server. These accounts have passwords assigned to them when they are created, but those passwords are not shared or accessible by normal methods. If the system is an OEM build, the IUSR account will be named based on the OEM image name and not the server name. This does not cause any performance issues, but might be confusing to the administrator on first glance.
As shown in Figure 6.6, if and when authentication is needed for the Default Web Site, integrated Windows authentication will be used. Because anonymous access to the site is enabled by default on this page, the only time authentication would be needed is if one of the web directories required it or if NTFS permissions deny access to the IUSR account. Other settings that could be used for authentication are the Digest authentication for Windows domain servers, Basic authentication, and .NET Passport authentication. Digest authentication works only with Active Directory accounts and will not likely be used in an SBS configuration. Basic authentication sends a username and password to the server in clear text format and should be used only if the site requires an SSL (HTTPS) connection. The .NET Passport authentication uses the Passport service to authenticate users and again is not likely to be used in an SBS environment because there are additional fees associated with using Passport for authentication.
Figure 6.7 shows the settings for the default IP Address and Domain Name Restrictions settings. The default action in this window is to allow or deny access to the site and then specify exceptions to the default action.
Figure 6.7. The IP Address and Domain Name Restrictions window shows only local addresses that can access the default website.
In this case, the only addresses allowed to connect to the Default Web Site are the localhost address, meaning that the server can connect to itself, and the local internal subnet. This is because when the Connect to the Internet Wizard (CEICW) was run, the Business website was set so that it was not published to the Internet. Had the Business website been selected to be available, the IP Address and Domain Name Restrictions window would have Granted Access selected, and the exceptions list would be empty.
In this configuration, if a computer from outside the local network attempted to access the main web page, IIS would return a 403.6 error, indicating that the IP address of the client had been rejected.
The real meat of the Directory Security tab lies in the Secure Communications section. This is where the SSL certificate created by the Connect to the Internet Wizard is stored and configured. Clicking on the View Certificate button in the Directory Security tab brings up a window showing the certificate created by the CEICW. Both the Issued To and Issued By fields have the public DNS name that was entered in the CEICW, meaning that this is a self-signed certificate.
Clicking the Edit button brings up the Secure Communications window, shown in Figure 6.8. Though there are several sections to this window, the only area that is of real interest to the SBS community is the Require Secure Channel (SSL) check box. If this check box is enabled, the website responds only to a page request over the SSL channel (port 443). If someone attempts to access the page with the standard web channel (port 80), IIS responds with a message that the page must be viewed over a secure channel and instructs the user to replace http:// with https:// instead.
Figure 6.8. The Default Web Site settings do not require a secure connection to access pages on the site.
If the Require Secure Channel (SSL) check box is enabled here, the entire site would need to be viewed over SSL, which is not what is wanted by default. Each of the directories and virtual directories under the website can override this setting, but in general, SSL should be turned off at the site level and enabled where needed at the virtual directory level.
The Home Directory tab tells IIS where the main source of the content for the site is located. As seen in Figure 6.9, the source files can be located on the local system, a share from another system, or a URL redirection. In a default SBS install the Default Web Site files are stored in c:\inetpub\wwwroot. Table 6.3 lists the NTFS permissions for this folder.
Figure 6.9. The Home Directory tab displays the path to the static files for the site as well as the application pool configuration.
For security, only the Read permission should be applied at this level as per defaults. Enabling Script Source Access, Write, or Directory Browsing could open up your website to external users in unexpected ways. In addition, the Application Settings should not be modified. The Default Web Site should use the Default Application, the DefaultAppPool, and be set to execute Scripts Only, as shown in Figure 6.9.
Settings for the Companyweb Site
Although a more detailed outline of the settings for the Companyweb SharePoint site occurs Chapter 14, "SharePoint and the Companyweb Site," this section covers the basics of a default SBS installation for reference.
The first of the key differences between the Default Web Site and the Companyweb website are in the Advanced Web Site Identification properties, shown in Figure 6.10. The Companyweb configuration uses host headers to differentiate traffic intended for this site from the other sites on the server. With this configuration, any web request destined for http://companyweb or http://companyweb.SmallBizCo.local is answered by this website on port 80.
Figure 6.10. The Advanced Web Site Identification tab lists all the host header values to which the site will respond.
The other key difference shown in Figure 6.10 is that Companyweb uses port 444 for SSL communications instead of 443. Because SSL web requests cannot use host headers to identify websites, the Companyweb website must listen on a different port number to allow incoming SSL access.
Unlike the Default Web Site, the Companyweb interface requires an authenticated connection. This is set in the Authentication and Access Control Settings of the Directory Security tab. As shown in Figure 6.11, the Enable Anonymous Access setting is disabled, and only Integrated Windows Authentication is enabled under Authenticated Access.
Figure 6.11. The Companyweb Directory Security Authentication Methods dialog shows that only authenticated users can access the site.
Under IP Address and Domain Name Restrictions, all computers are granted access. And although SSL connections to Companyweb are supported and recommended, they are not required under the Secure Communications properties of this tab.
Two settings differ in the Home Directory tab from the Default Web Site. First, the local path to the files for Companyweb is located in C:\Inetpub\companyweb. The NTFS security settings for that folder are listed inherited from C:\Inetpub. In addition, the application name used for Companyweb is root, even though it also uses the DefaultAppPool application pool.
Again, more detailed information about the configuration and use of the Companyweb interface can be found in Chapter 14.
Settings for the Microsoft SharePoint Administration Site
The Microsoft SharePoint Administration site is an admin site that manages the FrontPage Server Extensions installed with the default SBS installation. Table 6.4 lists the differences between the Microsoft SharePoint Administration site and other sites.
Settings for the SharePoint Central Administration Site
The SharePoint Central Administration site is the admin site for Windows SharePoint Services on the server, specifically for governing the Companyweb instance, but applying to other new SharePoint sites created on the server. Table 6.5 lists the differences between the SharePoint Central Administration site and other sites.
Configuring the Default Websites