Section 8.5. Managing Web Services

8.5. Managing Web Services

In this section, I'll walk through creating a new site, configuring it, modifying its properties, and securing it using certificates. I'll also assume you're creating a new web site as well, though if you want to use the Default Website already created in IIS, you can follow along through the explanation, too.

8.5.1. Creating a Site

First, open IIS Manager, and expand the tree in the left pane. Right-click the Websites folder, and from the New menu, select Website. The Website Creation Wizard appears. Click Next to continue, and then follow the procedure outlined here:

On the Website Description screen, enter some helpful text that represents the purpose or content of the web site you're creating. This is just for your or another administrator's reference. Click Next to continue.
The IP Address and Port Settings screen appears. Here, choose the IP address on which IIS will listen for requests addressed to this web site. You also can select All Unassigned to indicate to IIS to monitor all IP addresses that aren't reserved for the exclusive use of other web sites. Also, enter the TCP port number that requests to this web site will use. (The default is port 80.) Finally, enter the host header for this site if needed. I'll cover port numbers and host headers a bit later in this chapter. Click Next to continue.
On the Website Home Directory page, indicate where the pages you want to serve are located on your machine. You also can point IIS to a network location if you want your pages to be served from another machine. Windows by default creates a directory called C:\Inetpub\wwwroot that you can use as a starting point. Also, check the anonymous access checkbox if you want anonymous web users to be able to browse to your site. If you uncheck this checkbox, users will need to authenticate to IIS before viewing the site. Click Next to continue.
The Website Access Permissions page appears. On this page, you can define what kinds of permissions users who access your web site will have on a general basis. If you disallow running scripts and executing files, for example, you'll be limited to serving static pages. The permissions you define here will trickle down to subdirectories and other files you create within the web site, though you can, of course, edit these permissions more granularly from IIS Manager or through the filesystem. Click Next once you've selected the appropriate set of permissions.
The confirmation screen appears. Click Finish to complete the process.

Now you need to add some web pages to the directory you specified in step 3from here I'll call this your web rootso that your web site actually has content. You also can set filesystem permissions on the web root directory. This step deserves a bit of commentary: when an anonymous user connects to your web site, he or she actually does authenticate to your IIS machine; his or her browser automatically connects to the account named IUSR_machinename, which is created when you install IIS onto any machine. Anonymous users always use this user account, so if you want to deny anonymous access to a certain file in your web root, simply use the NTFS file permission modification utilities to deny the IUSR_machinename account read permissions.

8.5.2. Adjusting Server-Wide Site Properties

Much like you can configure global options for all sites in regard to direct metabase editing and MIME options, you also can set master properties for all web sites. The options that you set as master will trickle down to all web sites that currently exist, unless they have custom settings that were specified earlier, and to all new web sites as they're created. To access this functionality in IIS Manager, expand the computer name in the left pane, right-click Websites, and select Properties from the menu. The screen in Figure 8-3 will appear.

What you see is a replicated version of the property sheet for individual web sites, with properties that are appropriate to those specific sites grayed out. I'll cover most of these options when I discuss setting individual web site properties later in this chapter, but two properties, available only here, deserve some mention.

One is on the Service tab where you can configure the method in which IIS operates: either in worker process isolation mode, which I covered in the introductory section of this chapter, or in IIS 5 isolation mode, in which IIS emulates its previous version's behavior for legacy application compatibility. You need to use IIS 5 isolation mode if you have applications that are designed to be loaded by multiple worker processes and to be run simultaneously, if you have applications that delegate work to other processes, or if you have an application that manages state within a process. If you change this option from the default to IIS 5 mode, you will lose the security and stability benefits that IIS 6 brings you. You'll also need to restart IIS.

Figure 8-3. Default properties for all new IIS web sites

Alert your developers: ASP.NET is but one example of code that might not work on IIS 6 without some adjustment.

Those of you familiar with the venerable open source web server, Apache, might be familiar with its GZIP feature. GZIP is a plug-in for Apache that compresses data from the host machine to the client machine's browser before it is sent over the wire to reduce transfer time and make more efficient use of bandwidth. This functionality was available in IIS 5, although you had to write an ISAPI filter to use it. Fortunately, Microsoft has exposed this feature in IIS 6 directly through the UI so that you don't need to do any custom programming to use it. Under the HTTP Compression section, you can enable compression of either or both application files and static pages, and specify the location where these pages are cached temporarily. You also can restrict the size of that cache.

Finally, on the Directory Security tab, you can select to enable the Windows Directory Service Mapper. For IIS servers residing inside an Active Directory domain, this enables you to use client certificate mapping rather than one-to-one or many-to-one mapping (coverage of which is coming up later in this chapter), which would be required with traditional certificates.

8.5.3. Hosting Multiple Sites on One Physical Machine

It can be cost-efficient to host multiple web sites on a single machine. But the software gets in the way in this scenario: how does the web server sort and differentiate the requests for multiple sites , all coming to the same machine? IIS 6 provides three different methods by which you can host multiple virtual web sites on one set of physical hardware:

Multiple IP addresses: A "low-tech" solution is to configure Windows for several different IP addresses, and configure the individual web sites inside IIS to listen on each distinct address respectively. However, in recent times, the organizations that control the assignment of IP addresses worldwide have cracked down on issuing multiple IP addresses for this purpose, so you'll find it increasingly difficult to obtain multiple addresses from either your provider or directly from each organization. But if you have addresses to spare, this method certainly works.
Host headers: Using host headers, modern browsers will detect the name of the site to which a user wants to go, encapsulate that name inside the HTTP request's header, and send it on to the appropriate web server. Then, IIS will open the header, look for the name of the site for which the packet was intended, and serve up the pages from the designated virtual site. This is the easiest way, and the least costly service-wise, to provide multiple-site support, and the performance hit is negligible. You can configure this within the properties for a particular site.
Distinct port numbers: Much like the multiple IP addresses method, all virtual sites share a single hard-wired IP address on a physical machine, but the individual sites are listening on different TCP port numbers. This is a bit clunky on the users' side because they often need to remember a specific port number when surfing to a site that's configured like this, but for intranet use, it's a good way to conserve hardware. Some might argue that it is also a decent security improvement because the hackers have to search for the web service to crack it, instead of simply assuming it's on the standard port 80. Hackers commonly use port scanners, though, so you succeed only in keeping out the people interested in the easiest targets. You also can implement redirection solutions so that public-facing users don't have to enter a port number, although those programs and boxes are beyond the scope of this discussion.

During the process of setting up these new web sites with the wizard I stepped through earlier in this chapter, if you accidentally configure two distinct web sites to listen on the same ports and/or IP addresses, IIS will raise an error message alerting you to this.

8.5.4. Adjusting Individual Site Properties

Let's take a closer look at the configuration options for individual web sites and how you can adjust them. To look at the properties for one specific web site on your IIS machine, open IIS Manager, expand the node in the left pane that corresponds to your machine, expand the Websites tree, and right-click the appropriate web site. Select Properties from the menu and the properties sheet for that web site will appear.

8.5.4.1. Web Site

Figure 8-4 shows the Web Site tab.

Figure 8-4. The Web Site tab

Under "Web site identification," you can enter a short description of the purpose of the site, the appropriate IP address for the site to listen on, and the port for normal and secure web requests. If you click the Advanced button, you can easily configure multiple identities for your site, each on different IP addresses and port numbers, and each with different host header values. You can do the same for the secure certificate-protected version of your site as well.

In the Connections section, you can configure how long a server will wait for a user and keep his connection alive while he is inactive. This serves to protect the server from multiple opened connections that clients have abandoned. You also can determine whether to enable keepalive functionality, a processor- and bandwidth-saving addition to the HTTP protocol standard. By using a keepalive, a client's browser has no need to redownload static images and content from a site as long as the browser can request to the server that the current session stay active. Most modern browsers are able to take advantage of this functionality, and it's enabled by default upon IIS installation. I recommend you leave it enabled, since disabling HTTP keepalives can degrade server performance and increase bandwidth usage significantly.

Finally, the Enable logging checkbox enables you to indicate whether IIS should record information about connections to the server in a file. Logs can include information on the origin of visitors to your site, the times they visit (in UTC formGreenwich Mean Time), and information on the date of last viewing of certain contentall useful statistics for online marketing. You also can select the format in which you want the log to be written. Choose from the following:

Microsoft IIS Log Format

A fixed ASCII format. With this format, a single transaction can have multiple log file entries. A sample log file line might look like the following:

     10.123.12.3, Nwtraders.com, 8/18/97, 13:17:37, SMTPSVC1, MAIL01,     10.200.200.1, 90, 42, 0, 250, 0, MAIL FROM,     -,FROM:<mariab@Nwtraders.com>,     10.123.12.3, Nwtraders.com, 8/18/97, 13:17:37, SMTPSVC1, MAIL01,     10.200.200.1, 0, 32, 0, 250, 0, RCPT TO, -, TO:<address@MSN.com>,     10.123.12.3, Nwtraders.com, 8/18/97, 13:17:37, SMTPSVC1, MAIL01,     10.200.200.1, 270, 480, 101, 250, 0, DATA, -, 0019E3517201287MAIL01,     10.123.12.3, Nwtraders.com, 8/18/97, 13:17:37, SMTPSVC1, MAIL01,     10.200.200.1, 81, 4, 52, 0, 541, QUIT, -, MAIL01,

NCSA Common Log Format

A fixed ASCII format. This format stores the following information for one web request/transaction: remote host; remote user identity (often found via a reverse DNS lookup); the authenticated user; the current date; the URL requested; the status of the request; and the number of bytes actually transferred.

ODBC Logging

A fixed format that has a connection to an external database and that writes data to that database. You design the fields that will be written to the database, and the location of the database that stores the information.

W3C Extended Log File Format

A user-modifiable ASCII format that supports process accounting. An example log file line might be:

     #Version: 1.0     #Fields: date time c-ip sc-bytes time-taken cs-version     2004-05-01 02:10:57 192.0.0.2 6340 3 HTTP/1.0

Click the Properties button beside the log format selection box. On the General tab, you can select how often logs are rolled overthat is, how often IIS stops writing to one file and begins writing to a new fileand where to store the logs. On the Advanced tab, you can select exactly which fields of data will be stored in the log file for each entry. The names of the fields are fairly self-explanatory. Click OK to exit the dialog box when you've finished making selections.

8.5.4.2. Performance

Figure 8-5 shows the Performance tab.

Figure 8-5. The Performance tab

The Performance tab contains settings that enable you to manage and restrict the bandwidth and physical connections that your IIS server uses in processing HTTP requests. The Bandwidth throttling section enables you to limit the sustained bandwidth allowed to an individual site so that you can retain a certain amount of bandwidth for the rest of the sites on a servera cheap but effective method of load balancing. When you enable bandwidth throttling, IIS takes advantage of the native Windows Packet Scheduler service to determine when packets are transmitted over the wire. If the Packet Scheduler is not installed, IIS will install it the first time you enable bandwidth throttling. It also will default to a minimum transmission speed of 1KB per second. Adjust the actual restriction using the up and down arrows in the box on the sheet.

In the "Web site connections" section, you can restrict the number of incoming physical HTTP connections to an individual site, or you can allow an unlimited number of connections to a web site. This is a good way of managing load and keeping traffic and bandwidth usage patterns stable over an extended period of time. Simply enter the number of connections you want to allow using the up and down arrows. This value can vary largely based on the available bandwidth, the speed of your connection to the network, and the other duties your web server might be performing. The best way to determine a good value for your implementation is through trial and error.

8.5.4.3. ISAPI Filters

Figure 8-6 shows the ISAPI Filters tab.

Figure 8-6. The ISAPI Filters tab

An ISAPI filter is a piece of executable code that is triggered by certain events inside a request to an IIS web server. On the ISAPI Filters tab, you can configure which of these filters are active for a particular web site, the order in which they'll be executed, and where the actual executable code resides in the filesystem. It's important to note that any change made on this tab at the server-wide (global) level requires a complete restart of IIS through IIS Manager on the affected machine. If you're managing filters on an individual web site, any filters added on the property sheet won't be activated until the first appropriate HTTP request is received.

You can use the Add, Remove, Edit, Disable, and Move Up/Down buttons to adjust the presence and priority of ISAPI filters .

8.5.4.4. Home Directory

Figure 8-7 shows the Home Directory tab.

Figure 8-7. The Home Directory tab

On the Home Directory tab, you can configure the physical location where IIS will go to find content for a web site. You can use the three options under "The content for this resource should come from:" to locate home directory content in a folder on the current computer, on a file share somewhere over the network, or via a redirection from the current site to a completely different site. You can type the directory path in the Local Path box just beneath the radio buttons. If you're connecting via a network, you can click the Connect As button to enter credentials if they're required. If you need to redirect requests to another web site, type the name of the destination web site into the Redirect To box.

If your content is located on a directory on the IIS machine itself, you can select different permissions, outlined here:

Script source access: Enables users to view the source code to scripts and applications within the selected directory, assuming they have read or write permissions to that directory.
Read: Enables users to view or download files or directories, along with their individual properties.
Write: Enables users to upload files to the selected directory. It also enables them to change existing files within that directory. Browsers must support the PUT feature, implemented in HTTP Version 1.1, to take advantage of write access to a directory.
Directory browsing: Enables users to view an HTML page listing the contents of the selected directory, including any subdirectories. Note that the subdirectories listed in this view are physical filesystem directories, not IIS virtual directories. To access a virtual directory, a user will need to know its name.
Log visits: Specifies whether log entries should be created for visits to this directory. For this option to be functional, logging must be turned on for at least the current web site.
Index this resource: Allows the Microsoft Indexing Service to index the content of this web site. You'll need to enable the Indexing Service (through Add/Remove Programs inside the Control Panel) to begin using this feature.

You also have some options regarding web applications and how this individual web site should handle their behavior. You can safely ignore these settings if this web site is serving only static content, but if you have a complex web application, this is the place to customize it for IIS. In the Application name box, specify the name of the root directory that holds the files for the application. The Starting Point field shows where IIS thinks it should execute the applicationusually this is where the application currently resides. You can set the level at which the program's application can actually execute within the server as well with the Execute permissions list box. Setting this to None renders any dynamic content unusable; setting this to Scripts allows only ASP scripts and other runtime noncompiled files to run; and setting this to Scripts and Executables allows scripts and application programs to run within IIS. Finally, the Application Pool option enables you to specify which pool of worker processes will serve this application.

The Remove or Create button enables you to delete an application from a web site or add an application to the current site. The Configuration page enables you to further customize an application's settings, including its own ISAPI filter mappings, how error pages are displayed, the default scripting languages, how session states are enabled and supported, and the like. The options under Application Configuration are beyond the scope of this overview and relate more to the programmatic side of web applications, so let's continue.

8.5.4.5. Documents

Figure 8-8 shows the Documents tab.

Figure 8-8. The Documents tab

This tab specifies the default page to be used when no page is specified in an HTTP request. You can specify the names of the default pages that will be returned, and you can configure the order in which IIS should search for a default page. All these files should be located in the web root. Click Add and Remove to add files to the list, and then use the Move Up and Move Down buttons to adjust their priority.

The Documents tab also enables you to configure a preformatted HTML footer to be inserted into every web page served by IIS, perfect for a disclaimer. Simply enter the path to the file that contains the footer, which should consist of enough HTML tags to describe the appearance and content of your footer, not an entire HTML document. An example disclaimer, with sufficient HTML coding, might look like this:

     <p>This content does not necessarily represent the views of     <b>XYZ Corporation</b>. Please contact us with questions     at <a href="mailto:info@xyzcorp.com"> info@xyzcorp.com</a>.</p>

8.5.4.6. Directory Security

Figure 8-9 shows the Directory Security tab.

On the Directory Security tab, you can restrict the availability of content to certain users via a number of different methods.

First, you can enable or disable anonymous access and configure how IIS will authenticate nonanonymous (authenticated) users to the web site. Click the Edit button under the Authentication and access control section of the tab. You'll see a screen, called Authentication Methods, similar to that in Figure 8-10.

Figure 8-9. The Directory Security tab

Anonymous access to your web site is enabled here. You also can configure the user account under which anonymous users will automatically connect. Remember that there isn't a general open door for anonymous users to browse your IIS web sites: anonymous users actually use a real user account, to which you can grant NTFS filesystem permissions.

In the bottom part of the box, you can specify the method by which non-anonymous users will authenticate. These methods will be activated if anonymous access is not enabled for an individual web site, or if NTFS file or folder permissions prevent anonymous access to its contents. The four types of authentication are as follows:

Integrated Windows authentication

Encrypts the username and password and sends it between the client and the server. This uses either the local SAM accounts database on the IIS server machine or Active Directory accounts.

Digest authentication

This sends a hash of the password for an account, not the entire password, over the wire. The user's computer will then compute an identical hash, and the server will verify the two. This is available only when using Active Directory-based

Figure 8-10. Authentication and access control in IIS

accounts, and the passwords must be available in clear text within the directory. You also can use it on proxy servers, firewalls, and WebDAV server machines. Note that you must identify a realm to use digest authentication.

If your IIS machine also functions as a Windows Server 2003 domain controller, you can store the MD5 hash of passwords within Active Directory and not the entire clear-text password by editing the UseDigestSSP metabase key, which will enable a mode called advanced digest authentication.

Basic authentication

This is the most fundamental level of authentication, with the username and password traveling in clear text, unencrypted, across the wire. This is really suitable only on internal networks in this day and age unless you have a secure sockets layer (SSL)-encrypted connection in use. There is a great risk in letting passwords travel over the Internet in clear text.

.NET Passport authentication

This method uses the Microsoft .NET Passport identity management service to authenticate users. Using the .NET Passport service, a client can create a single sign-on ID and password to use across all sites that use the Passport authentication service. Although the Passport authentication service will verify a user's authenticity, it will not maintain lists of authorized files, folders, and resources on individual sites. So it's only a guard at the door; you must decide through NTFS permissions what Passport users can do once they're authenticated. You must enter a default domain when using .NET Passport authentication.

Enter a default Windows domain under which to authenticate users. You can click Select to browse the network for various available domains. Enter the default domain or another authentication control system in the Realm box. You can click the Select button here as well to select the appropriate machine. Click OK when you're finished configuring the authentication controls.

Next, you can grant or deny access to a site based on the client's IP address. This is useful if you have an abusive group of hosts that perhaps have been compromised, or if you want to restrict users of a site to only internal hosts. Click the Edit button under IP Address and Domain Name Restrictions, and you'll be greeted with a window of the same name, as shown in Figure 8-11.

Figure 8-11. IP address and domain name restrictions in IIS

You first select whether all users will be granted or denied access to the site by using the radio buttons at the top of the window. Then you can configure individual exceptions to the rule you defined in the white list box. Click Add to include an address in the exceptions list. You'll be prompted with a box asking whether you want to exempt a single computer, a group of computers (an IP subnet), or an entire domain (DNS-based domain, that is).

Restricting or allowing access based on a DNS domain name is a very expensive operation because each HTTP request must be accompanied by a reverse lookup on the part of the IIS server. This can slow response time considerably and cause processor utilization to increase significantly. Enable this only if you're sure of the consequences or if you have a relatively lightly traveled web site to restrict.

Select the appropriate response, and then type in the actual IP address, network number and subnet, or domain name. You can click the DNS lookup button to perform a reverse lookup on a certain domain name to obtain its appropriate IP numbers.

If you want to restrict a web site to members in your organization only when they're at the office, and you have a proxy server, simply enter the proxy server's IP address in this box. All requests coming from a network behind a proxy server will display the proxy server's IP address.

When you're finished, click OK, and you'll be returned to the restrictions box. Now keep in mind that if you've configured default access for everyone to your site, the excepted addresses will be denied access. Conversely, if you've denied access by default to all IP addresses, the excepted addresses will be allowed access. This might seem obvious, but during a quick change it's easy to become a little confused at the quasi-backward logic. Click OK once you're finished.

The next section, Secure Communications, provides a way to ensure that data transmission sessions between a host and a client are made under proof that the server is who it says it is. This is done with certificates. If your server doesn't have a certificate yet, you'll need to create a request for one. Click the Server Certificate button to begin a wizard that will help you do this, and follow through this procedure as a guide:

Once the wizard starts, click Next to move on from the welcome screen.
You'll be prompted to create a new certificate, import one from a number of backup formats, or migrate a certificate from another computer onto the current one. For the purposes of this example, let's create a new certificate, so select that option and click Next.
On the Delayed or Immediate Request screen, choose whether to prepare the certificate signing request and save it for later transmission and purchase, or to prepare the request and immediately transmit it to a certification authority. In this example, we'll save the request and send it later. Click Next.
The Name and Security Settings page appears. Type a friendly, easy-to-identify name for the certificate. Also, select the bit length of the certificate. A shorter bit length results in faster transmission and decryption but has weaker security overall; a longer bit length is significantly more robust but involves a lot of transmission and computing time during decryption. You also can choose to select a cryptographic service provider (CSP) for this certificate. Click Next to continue.
On the Organization Information page, enter the name of your organization and the division under which this server resides. It's best to get this information from your main corporate office, as identifying information corroborating what you enter here will most likely be required of you by the certifying authority. Click Next once you've entered the necessary information.
The Your Site's Common Name page is next. Here, enter the valid DNS domain name for your site (such as order.enablehosting.com) assuming it is visible to the Internet. If it's an internal site, simply enter the NetBIOS name of the computer (for example, LEAVETRACKER), but it's really better to hedge your bets and use a full DNS name even for an internal site. Click Next to continue.
Enter your country of residence, state or province, and city or locality. Do not use abbreviations. Click Next.
On the Certificate Request File Name page, specify a name for the certificate signing request and a location for the file. You can click the Browse button to create a new directory or to pick one graphically. Click Next.
The Request File Summary page appears. All your choices through the wizard are summarized here. Click Back to correct any information that's wrong, or click Next to create the signing request.
Click Finish on the acknowledgment screen.

The generated request will look something like this:

     -----BEGIN NEW CERTIFICATE REQUEST-----     MIIGZjCCBE4CAQAwgYUxCzAJBgNVBAYTAlVTMRcwFQYDVQQIEw5Ob3J0aCBDYXJv     bGluYTEQMA4GA1UEBxMHUmFsZWlnaDEmMCQGA1UEChMdSm9uYXRoYW4gSGFzc2Vs     bCBUZWNobm9sb2dpZXMxETAPBgNVBAsTCE8nUmVpbGx5MRAwDgYDVQQDEwdzaG90     MS1kMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4ACGd+bYrJ3koanc     OqWOSHhHj6HGU2cMWmFjxA9EEVsWrPZtdJ6IGvqZThxEB7uPQW3ywoEWBSegmceg     p3XzsPTC4LbqAgmymz/gE4ULRvCJNR3oP0RaAQk3uJxdHNEDgIW3D2I+WeWk14Dq     BzoFPbVJb/pO92LZI4KDyDElloCs4QRSquf6Th8Bn9m2f2IRNx49xKGsVS7aP831     JVMoUaiT5LKkB7VHqT5QokJ69vPwPGG+PfyBRqPu5A8kdfHgiBhNpIei/mOPW7kn     oNpcVMvQNtnxePqJOBgx+J5ODPgVxg12Fuaa2DXvYFj0f4jHjGgXqyo3kuoo3RbM     knszTt+30EvU3hBBk5M2dCTkcWQJxL3NuAbzVjIe6RPbOO7XUufUjznBdbl8dVVP     kOL9TgOZNA8VIRTteZhD8XGatSGrC95EI/lnr1UOpXqm6zLyjJVZbbJUacVjewNU     ptjSmGFKWdp608udUfVQslotMypraV0WaDFmA6acNcFFM7aI9SQEE6oQHVfQ9k11     q5bUPQG/RNiCfYwMas63BGzUzq2dslF40AbLJQfkGTTKVOZ6rUU3eT8WQr1IO7yA     1lqJJMng6hQDgOKqeIcLztIRP0IJvsDWK5L9YmoAXyOwFdfZSpnDQ95HUJ8N8rMr     BygxL8QHAkt4xQJdGtpMEbSeDU8CAwEAAaCCAZkwGgYKKwYBBAGCNw0CAzEMFgo1     LjIuMzc5MC4yMHsGCisGAQQBgjcCAQ4xbTBrMA4GA1UdDwEB/wQEAwIE8DBEBgkq     hkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYF     Kw4DAgcwCgYIKoZIhvcNAwcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwgf0GCisGAQQB     gjcNAgIxge4wgesCAQEeWgBNAGkAYwByAG8AcwBvAGYAdAAgAFIAUwBBACAAUwBD     AGgAYQBuAG4AZQBsACAAQwByAHkAcAB0AG8AZwByAGEAcABoAGkAYwAgAFAAcgBv     AHYAaQBkAGUAcgOBiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA     AAAAAAAAMA0GCSqGSIb3DQEBBQUAA4ICAQBFTI2csvyAMgm6qerhdLQD92KfiP4k     mXU8o0s7oQy1ohpkRIDeXtEPXiD5o2wSSwFe8X3+mmG/HqWfeXqILAfdxRZUQlCJ     bTPB8tFW+ex0DFzIzBpzrpzn1RVIgH35e8x/a9kZ9jZYy+uHtwcnumK1kvoG7Uwc     9uXdEA44GLkSpdQX4HUhw8T1D7KiwfXLycFVBtBp0LEI2VhpVo0gm8O+hILpYSom     8dGtdKzgPTOsN//wu1SRU9L7m9cAGo13Qc4KtmI/kDdNpfLGtyA460bHNKJeL6Lo     gSgJmc5Npsfr4jZWqVuL9rxuE+fS/hHUQ6QLJ0bwKfYrconMoaWkpqgh2pYafl6Z     YdyGM/aBTycO2L2EXbP97g5XQvKg0jfFL4gb1xn4kHbjfXk0oqDXZqnm8TmyzYaw     8p/3/YWNywB7u3mA/9MChlx+P6sueHrMeyW4nu5oFYvt01e/GMTJ1ieqhY/Cfm4y     oaVuEhLqxN/1eCElG82TKtl6SodjZ52KFw85/Ke30HS2RFMeiWEB6VU1JmOacmDn     b3cDQS+nNWflAnt2Vn3vdHt5bFHBiElDJpbmZFRZKjZ9gg76bhEbPOv/4GUkVkeg     EnbEggH59mwEKCl2nlxsw5d2wZ/2prAjdJFwWnf96bHxdBb1VPQmTeNMmSgr/ssT     S9iTaY4ii2FaAg= =     -----END NEW CERTIFICATE REQUEST-----

You'll then submit this CSR to your certification authority, and receive a certificate after your submission and identification information has been verified. (All that material is covered in Chapter 11, so if you're not familiar with certificates and the associated processes, that's where to look.) When you receive the certificate, run the wizard again. It will detect an existing request and will ask you to match up your CSR with the actual certificate you were provided by the authority. You'll then have the certificate installed, and communications over SSL will be enabled.

Once your certificate is installed, you can adjust the behavior of IIS when it comes to client sessions over SSL. Click the Edit button under the Secure Communications section of the Directory Security tab. The Secure Communications dialog box appears, which is shown in Figure 8-12.

Figure 8-12. SSL and certificate behavior in IIS

First you can choose whether to require secure communications for a particular site. If you do require it, you can further secure communications by mandating 128-bit encryption of data exchanges between the client and the server. All data sent is encrypted using the web server's certificate. Under the client certificates section, you can choose whether to ignore certificates that clients present (to identify themselves to a server), to accept them without a mandate, or to require them. Depending on how security-conscious your organization is, I recommend either accepting them or requiring them.

You also can elect to enable client certificate mapping. In this scenario, you can map a client computer's certificates to actual Windows accountsat that point, you can have more granular control over access to resources. Consider it almost a "grouping" of computers with their respective users, all configured to share one certificate. Click the Edit button to define these mappings. This will open the Account Mappings screen, shown in Figure 8-13.

Figure 8-13. The client certificate mapping configuration screen

You can define two types of mappingsa one-to-one mapping, which maps one certificate to one Windows account, or a many-to-one mapping, in which you can match individual criteria about a client certificate to map to a group of Windows accounts. You could, for example, identify the division field of client certificates and log users in to a specific account because of their individual divisions. Each tab of the Account Mappings screen handles one of these types of mappings.

Let's look at a one-to-one mapping first. To create these mappings, IIS needs a text (ASCII) copy of the user's client certificate. IIS compares this copy of the certificate it has on file with the copy presented by the client during the initial HTTP request. The two must be absolutely identicalthey cannot differ in any wayfor the mapping to be successful. Certificates that are reissued to the client, even if they contain entirely the same information, must be remapped with IIS.

Some client certificates need to be exported using Internet Explorer for use in one-to-one mapping with IIS.

Click the Add button to create a new mapping. You'll need to locate a copy of the client certificate, and select a Windows user account to which to map the certificate. You can then edit an existing mapping by clicking the Edit button, or delete a mapping by clicking Remove.

A many-to-one mapping is a little different. As I explained previously, many-to-one mapping employs sets of rules that match certain criteria within a client certificate, such as issuer or subject. With a many-to-one mapping, IIS doesn't actually compare any certificates. You don't even have to have a certificate on file for each client, which means exporting certificates is hassle-free. Instead, IIS simply accepts any certificate meeting a rule. New or reissued client certificates, as long as they still contain enough information to match an existing map rule, will still work. Of course, this method is a bit less secure because the extra step of certificate verification which is present in one-to-one mapping isn't built into the many-to-one mapping process.

Click the Add button to create a new many-to-one mapping. You can adjust the priority of existing rules using the Move Up and Move Down boxes. IIS will process rules in the order listed until a match is found; at that point, it will stop processing. If two rules conflict, the rule with the higher priority will be processed and the other will simply be ignored. Click OK when you're finished defining mappings and their priority.

If the Windows Directory Service Mapperthe piece that connects certificates with Active Directory accountsis enabled on a server-wide basis, you won't be able to configure one-to-one or many-to-one mappings.

Finally, you can enable or disable a certificate trust list (CTL) that IIS will look at to determine if it will treat a client certificate as valid. You can create a new CTL, which will involve importing certificates from root certifying authorities, or you can edit an existing store. The wizard for creating a new store is self-explanatory, so I won't cover it here.

8.5.4.7. HTTP Headers

Figure 8-14 shows the HTTP Headers tab.

Figure 8-14. The HTTP Headers tab

On the HTTP Headers page, you can customize the attributes and values of HTTP pages returned to a client's browser. (You can adjust these settings on a server-wide level; if an individual web site's settings conflict with the global header settings, the individual web site will win the conflict.) On this tab you also can rate your content so that users taking advantage of the corresponding feature in Internet Explorer will know the suitability of your content for viewing, and you can define additional MIME types that IIS can serve.

First, you can elect to have content expire after a set period of time, immediately after delivery, or on a certain date. Set this option by choosing the appropriate radio button and adjusting the date or length of time.

Next, customize the HTTP headers sent in a response to a client's request. You can use custom headers to send instructions that modify the behavior of the client browser from the IIS machine to the client, especially those that are not yet supported in the current revision of the HTTP protocol spec. Click Add, and enter the attribute and the value to be transmitted. Use the Edit button to modify an existing custom header, and the Remove button to delete it from the server.

Use the ratings modification tool to adjust the Recreational Software Advisory Council (RSAC) content rating of the material presented in your web site. RSAC-compliant browserswhich are prevalent in today's computing worldcan detect this rating information and present it to the user before pages are loaded, enabling the client to specify whether he wants to see what Microsoft calls "potentially objectionable" web content. To edit the ratings for this web site, click the Edit button. Select the area of ratings, and drag the slider to adjust the actual score on that area. Enter your email address so that people who have questions about the suitability of the content can contact you, select a date on which these ratings will expire, and then click OK. If your organization is hosting a site that family-oriented surfers will browse to, it's to your advantage to configure these settings; many content-filtered browsers and proxy servers (NetNanny, anyone?) will look at RSAC ratings to determine if content is suitable for display.

Finally, define supported MIME types for this web site. MIME mappings register the types of files that IIS serves to client machines and browsers. IIS will serve only the types of files registered in this list. If a client requests a file with an extension that isn't mapped, an error page, specifically 404.3, will be returned. To add an extension, click the MIME Types button. Then click New, and define the attribute and its corresponding value. You also can modify existing mappings using the Edit button, and remove mappings using the Remove button.

If you want IIS to serve all pages, regardless of their extension, input an asterisk as a wildcard in a MIME mapping.

8.5.4.8. Custom Errors

Figure 8-15 shows the Custom Errors tab.

On the Custom Errors tab, you can define the location and content of custom error pages, which are pages that are returned when you misspell a filename, or give out a bad link, or request a page for which you don't have adequate permissions. You can choose whether to use standard HTTP 1.1 error messages, the default IIS error pages (which give a bit more information about each error and some basic but useful troubleshooting information for the client), or completely custom error pages that you create on your own. You can also set these options on a server-wide level.

Server errors and messages are coded via four different strata of status types:

Codes 200-299

These codes indicate successful HTTP transactions.

Codes 300-399

These codes indicate that a protocol-based redirection to another site has occurred.

Figure 8-15. The Custom Errors tab

Codes 400-499

These are definite errors. Some of the most common include a 400 (a "bad request," used when the server can't decipher a message sent by a client), a 401 (an "unauthorized" error, whereby the user has no permissions to access a site), a 403 (a "forbidden" error, used when something other than a user's credentials prevents him from accessing a site), and a 404 (a "file not found" error, used when the file a client requests can't be located on the server).

These codes are errors to indicate there is a problem on the server side.

Table 8-1 lists some of the most common HTTP errors and what they mean.

Table 8-1. Common HTTP errors
Error number	Description
400 Bad Request	A syntax error has occurred in the URL, or the browser has sent a malformed HTTP request.
401 Unauthorized	You haven't submitted the proper credentials to access a certain site.
403 Forbidden	You lack read privileges to the requested file, or you are not allowed to have access to that file.
404 Not Found	The page no longer exists at that location.
500 Internal Error	The server malfunctioned and was thus unable to send the requested file.
501 Not Implemented	Typically found with forms, this indicates a configuration error on the server side where new features are not fully set up.
502 Service Temporarily Overloaded	There is a high load on the server.
503 Gateway Time-Out	A routing error has occurred between the client and server computer.

To modify an error page, select the error from the list and click Edit. Then, define a custom location, set the error to its default behavior (using IIS's default error pages), or specify a new URL for the error. You also can select multiple error pages by holding down the Shift key and selecting the errors with your mouse. Use the Set to Default button to return custom mappings to their native state, as installed by IIS.

8.5.5. Virtual Directories

Virtual directories are great ways to make a site's structure easy to navigate for your users, even if the actual content stored on physical disks is located in several different locations or on several different computers. Not only does a well-formed virtual directory structure make a site easy to use for a web surfer, but it increases the flexibility of management for the web developer. It also provides a layer of security through obscurity because the virtual directory need not correspond directly to a physical directory on a hard disk.

To create a virtual directory, follow these steps:

Open IIS Manager and click the appropriate web site.
Right-click the web site and select Virtual Directory from the New menu. The Virtual Directory Creation Wizard will appear.
Enter a name for the alias that users will specify to refer to this virtual directory. This is the text that comes after the / in the URL.
Next, specify the location of the content that will populate this virtual directory. You can enter either a local path or a UNC network path, depending on whether you're mapping a local or remote path.
On the Security Credentials screen, specify the account and password used to authenticate to the network resources that hold the content for the virtual directory if necessary.
The Virtual Directory Access Permissions screen appears. Specify all the permissions you'd like to grant to the directory (the choices are the standard ones covered earlier in this chapter: read, run scripts, execute, write, and browse).
Click Finish to confirm the creation of the virtual directory.

You can adjust the properties of a virtual directory much like a web site itself: right-click the virtual directory inside IIS Manager and select Properties. You'll be presented with dialogs functionally equivalent to the ones covered earlier in this chapter, pertaining to web sites themselves.

8.5.6. FrontPage Server Extensions

Microsoft created the FrontPage Server Extensions as a way of ensuring that its Office-based web editor, Microsoft FrontPage, would become the de facto standard for web design in small and medium-size business. The extensions reside on a web server and make various web elements easier to include in a web site: such features as form design, a search engine, indexing service, and automated assistants called bots make life a tad easier for those with less web hosting experience. The extensions aren't required if you want to use FrontPage on a plain-vanilla site, but they do function as value-added bits.

To use the extensions with a site, you must, of course, install the extensions on the serveryou can do this from the Add/Remove Programs applet in the Control Panel. Doing so creates a virtual server called Microsoft SharePoint Administration. Other requirements: the site that you want to enable FP extensions for must be its own virtual server, and you must explicitly enable extensions on the site, a process known as "extending" the web site.

To begin extending a site, follow these steps:

Open IIS Manager, and select the web site for which you want to enable the extensions.
Right-click the site, and from the All Tasks menu, select Configure Server Extensions 2002.
Your browser will open the Microsoft SharePoint Administration web site and prompt you to confirm the web site that you want the extensions installed on, and also the username of the administrator that will manage the web site.
Click Submit to acknowledge the extension of the web site.

When you install the extensions on a site, the procedure creates a tab on the properties of each web site, called Server Extensions 2002. On the tab is a button labeled Settings that will open a browser to the main administrative pages for the FrontPage Server Extensions. This page is shown in Figure 8-16.

Figure 8-16. The main configuration page for Server Extensions 2002

Let's step through each configuration option on the page, broken down by section:

Enable authoring: Check or uncheck this box to allow people to create or edit pages or scripts, using FrontPage, on this web site.
Mail settings: Here, indicate the outgoing SMTP server to use subscriptions, invitations, and other email-based features. You can also customize the From and Reply To fields, and specify which mail-encoding scheme and character set should be used for the emails.
Performance tuning: Specify the estimated traffic to the web site in the Tune For box. This will prepopulate the individual settings in the Tuning Properties section, and you can change the cache limits and size of the search indices as needed for your specific implementation.
Client scripting: Here, you can indicate whether to allow users to use JavaScript, VBScript, to disallow scripting altogether, or to allow the default listed for the web site in IIS Manager.
Security settings: You can indicate whether to write to the event log every time someone uses an authoring privilege, whether to mandate SSL for administration and authoring, and whether to allow authors to upload executable files.

8.5.7. Using Application Pools

As I discussed earlier in this chapter, application pools provide a measure of stability and reliability for high-volume web applications hosted with IIS 6. Although they provide greater predictability in behavior and several other side benefits, each application pool takes up a minimum of about 4MB of memory on your IIS machine, so it's best to accurately configure your application pools if you're to have multiple pools on one machine. In this section, I'll show you how to do that. Let's take a look at the application pool options available out of the box and then examine how to create custom application pools for your own services.

To examine the default settings for the "catch-all" existing application pool, open IIS Manager, right-click the Application Pools node, and select Properties from the context menu. Figure 8-17 shows the properties sheet that is opened.

Figure 8-17. Default application pools properties

This page comprises four tabs, each with several different functions.

8.5.7.1. Recycling

Figure 8-18 shows the Recycling tab.

Figure 8-18. The Recycling tab

On this tab you can configure how IIS will handle the recycling of processes and memory. As discussed in the introduction, process recycling is how IIS ensures responsive processes by killing off old processes when they finish handling their requests and starting new ones to listen. You can configure how often this recycling occurs, whether at a certain cycle of time or at specific times throughout the day, and at what memory usage level (in terms of either total used memory or virtual used memory) a recycling will be triggered.

8.5.7.2. Performance

Figure 8-19 shows the Performance tab.

On this tab you can specify options to prevent your IIS machine from becoming overloaded with requests and worker processes. The first option, "Idle timeout," instructs IIS to kill off worker processes that have been sitting inactive for whatever period of time is specified. The Request queue limit option allows IIS to monitor the number of requests and place a restriction on the maximum number that can wait in line for servicing and distribution by the kernel. (When you reach this maximum, users see an HTTP 503 error, which indicates the server is too busy to handle the request.) The CPU monitoring section enables you to specify limits on the amount of processor time a specific application pool should get, how often these measurements should be taken, and what happens when the limits are exceeded by an application.

Figure 8-19. The Performance tab

Web gardens are basically application pools that are assigned more than one worker process. Adjust the number of worker processes assigned to this application pool here.

8.5.7.3. Health

Figure 8-20 shows the Health tab.

You can set various metrics to check the well-being of your server on the Health tab. These metrics are inspected by the WAS, which goes into the application pool, checks these parameters, and enforces any limits you set.

You can specify the default interval between pings to your worker process to tell if it's still alive. You also can configure a failure thresholdwhat Microsoft calls rapid-fail protection. In essence, you tell IIS that if a certain worker process fails x times within x minutes, shut it down for good so as to create less instability on the server. Lastly, you can specify a startup and shutdown time limit: if worker processes take too long to start or stop, they are assumed to be hung and are subsequently killed.

8.5.7.4. Identity

Figure 8-21 shows the Identity tab.

Figure 8-20. The Health tab

Figure 8-21. The Identity tab

On the Identity tab, you can configure the security context under which this application pool will run. You'll note the default is the Network Service account which doesn't grant very many permissions: only Read and Execute, List Folder Contents, and Reada beneficial by-product of Microsoft's recent emphasis on security. You can specify a different account from the machine's local SAM database or from Active Directory, but the account must be in the IIS_WPG group on the local machine. The IIS_WPG group contains all worker process accounts and already contains the necessary permissions to interact with worker processes.

8.5.7.5. Creating a new application pool

If you need to create a new application pool and not host your worker processes in the existing DefaultAppPool, it's a two-step process: first you need to actually create the pool, and then assign your web sites to work inside the various pools.

To create a new pool, open IIS Manager, select the Application Pools node in the left pane, and right-click to select Application Pool from the New menu. The Add New Application Pool dialog box will be raised, as shown in Figure 8-22.

Figure 8-22. Adding a new application pool

Enter an identification tag for the new pool, and then specify whether to clone an existing pool's settings or to use IIS default settings. Click OK when you're finished, and the new pool will be displayed in IIS Manager.

The next step is to assign your web sites to the new pool. Right-click the appropriate web site within IIS Manager, select Properties, and then navigate to the Home Directory tab. At the bottom of the sheet, pull down the Application Pool menu, and select the pool in which this web site should operate. Click OK when you're finished. You don't need to restart or reboot anything; IIS will automatically migrate the site to the new pool itself seamlessly.

8.5.8. Using the Web Services Extensions Node

The Web Services Extensions node enables you to selectively enable and disable dynamic content based on the type of handlers for that content. By default, IIS 6 will serve only static content, which means that ASP.NET, server side includes, and FrontPage Server Extensions simply won't work unless they're enabled. You can tweak these settings using the Web Services Extensions node under IIS Manager.

When you click the Web Services Extensions node by default, it lists several different handlers for dynamic content and their current status on the server (allowed or prohibited). You can change the status by selecting the specific handler, and then clicking the Allow or Prohibit button on the left side of the righthand pane, depending on which action you prefer. If you want more information on a particular handler, you can right-click it and select Properties. The General tab will give you information on which services use the particular pages handled by that handler, and the Required Files tab delves down into more detail, enabling you to specifically enable or disable certain handler DLLs to enable the functionality.

You also can add new web service extensions by selecting the "Add a new Web service extension" link and filling in the extension name and its required files. In addition, you can specify which handlers will be enabled on an application-by-application basis by clicking the Allow all Web service extensions for a specific application link. And finally, you can turn all dynamic content off again by clicking the Prohibit all Web service extensions link.