20.3 Controlling Access with Microsoft IIS

20.3 Controlling Access with Microsoft IIS

Microsoft's Internet Information Services (IIS) is a web service that is shipped as part of the Windows NT 4, 2000, and XP operating systems. It is a full-featured web server that does just about anything that you could possibly want (other than run on Unix, that is).

20.3.1 Installing IIS

To install IIS, follow these steps:

1. Open the "Add/Remove Programs" control panel.

2. Select "Add/Remove Windows Components."

3. Check "Internet Information Services."

4. Click "Next."

IIS installs the following directories on your system:

\Inetpub

Root directory for your web server

\Inetpub\wwwroot

Root document directory for the web server

\systemroot\Help\iisHelp

Help files

\systemroot\system32\inetsrv

Program files

The directories containing user content will remain on your system after you completely uninstall IIS.

As soon as you install IIS, be sure that you go to the Microsoft Windows Update web site and download all relevant patches for IIS before you start the server. If possible, download the patches from behind a firewall. If you fail to install the IIS patches, your Windows server will almost certainly be broken into and compromised. This is true even if you are behind a corporate firewall or are otherwise "protected."

20.3.2 Downloading and Installing the IIS Patches

To install the patches, follow these steps:

1. Log into your Windows system using an account that has Administrator access.

2. Using Microsoft's Internet Explorer, open the URL http://windowsupdate.microsoft.com/. On most installations, you can easily open this URL by picking "Windows Update" from the Start menu.

3. You may be prompted as to whether or not you wish to run an ActiveX component that is signed by Microsoft Corporation. You must run this ActiveX applet in order to run the Windows Update feature.

4. Windows Update will search your system and identify which patches need to be updated. In all likelihood, you will need to install the Critical Updates Package. If a new service pack has come out, you will be advised to install that as well.

5. Select the updates you wish to download and click "Download" to download the software.

6. You will be prompted to accept the Supplemental Microsoft End User License Agreement ("Supplemental EULA"). Read the license agreement. You will note that "The entire risk arising out of use or performance of the OS components and any support services remains with you." You will also note that Microsoft disclaims all liability arising from its software for whatever damage that the software may cause, "even if Microsoft . . . has been advised of the possibility of such damages."

7. Click "Yes" to accept the Supplemental EULA.

8. Windows Update will download and install the necessary updates. In all likelihood, your computer will need to be rebooted when the updates are installed.

20.3.3 Controlling Access to IIS Web Pages

After your computer reboots, IIS will be running. If you go to the URL http://localhost/, you will be prompted to enter a valid username and password. Enter a username and password for a local administrative user and you will be presented with the IIS localstart.asp page. This page will give you information on how to start up the IIS console, how to view the online documentation, and how to create a document root.

Using the IIS snap-in component to the Windows Computer Management application, you can control many aspects of the IIS web and FTP server. To run the component, select "Adminstrative Tools" from the "Control Panel" window. Then double-click on "Computer Management." Expand the "Services and Applications" item in the tree (see Figure 20-4).

Figure 20-4. The Internet Information Services snap-in for the Windows Computer Management control panel allows you to control many aspects of IIS security.

To modify the properties of the web site, select "Default Web Site" and choose the "Properties" item from the Action menu.

Using this interface, you can enable or disable a variety of features, including:

• Whether or not accesses to the web site are logged, and if they are logged, where they are logged.

• The "home directory," or document root, of the web server.

• Whether the directory should be indexed.

• Whether anonymous access is allowed to the directory. (Default is yes.)

• If anonymous access is allowed, the local user that is used for granting anonymous access.

• Which authentication system is used for granting access.

• Whether visitors are allowed read and/or write access to the web server. (Default is read only.)

• Whether directory browsing is allowed. (Default is no.)

• Whether access is allowed to the source code of your scripts. (Default is no.)

• Whether additional headers should be sent with the web pages.

• What the PICS rating is for this web site.

If there are subdirectories in your wwwroot directory, you can select them and control their access on a directory-by-directory basis.

20.3.4 Restricting Access to IIS Directories

It is surprisingly easy to create a directory in your IIS web server that will be restricted to a specific set of users over the Internet. Windows IIS integrates with the Windows username directory and Windows directory permissions. Web users are generally users who have local accounts on your computer. For anonymous access, the default IIS installation creates an account named IUSR_computername (where computername is the name of your computer). If the IUSR_computername user has access to read a directory, then the directory can be read over the Internet.

In this example, we will create a directory called private and allow access only to a user named blue with a password blueboy.

1. Create a directory called private in the directory c:\InetPub\wwwroot.

2. Find the directory in the Computer Management application, select it, and examine its properties. This will display a window titled "private Properties."

3. Select the "Directory Security" tab of the "private Properties" window.

4. In the box titled "Anonymous access and authentication control," click the button labeled "Edit . . .".

5. Uncheck the box that says "Anonymous access."

6. Check the box that says "Basic Authentication" (the password is sent in cleartext). If you do not check this box, IIS will only use Microsoft's proprietary extensions to the HTTP protocol, which make Windows' challenge-response authentication system run over HTTP. (If you do not wish to have usernames and passwords sent in the clear over the Internet, simply use URLs that begin with https: instead of http:. See Figure 20-5.)

Figure 20-5. Using the Computer Management application to restrict access to a directory

7. Click "Yes" to indicate that you wish to use Basic Authentication.

8. Click "OK" to close the Authentication Methods window.

9. Click "Apply" to apply your changes to the directory.

10. In the Computer Management application, select on the "Local Users and Groups" element of the tree.

11. Choose "New User" from the Action menu.

12. Create a new user that has the username blue and the password blueboy.

The user that you have created will now have access to the directory.

Be sure to configure your system so that the users you create will not have undue access to your Windows computer. Specifically, you may wish to remove these users from the Users group and place them in a specific group for World Wide Web access. You should also firewall your Windows server so that users on the Internet only have access to ports 80 and 443.

If your wwwroot directory is on an NTFS partition, you can use the NTFS directory permissions to control which users have access to the private directory. If your wwwroot directory is on a FAT32 partition, all valid users will have access to all files.

For more information on IIS security, refer to the IIS Documentation under the section "Administration Server Administration Security."