Configuring IIS 6.0 Properties

Enabling ASP and FrontPage Server Extensions

Many Web sites hosted on IIS 6.0 generate dynamic content, which extends the site so that it is able to serve content beyond static Web pages. Specific types of code are required to provide dynamic content and other enhanced capabilities. ASP is one of the Web service extensions that provide the necessary code.

If you installed IIS 6.0 as described earlier in this chapter, all Web service extensions are disabled by default, so that IIS serves only static content. If you used another method to install IIS 6.0, such as using Manage Your Server, the configuration of IIS might be different.

For security reasons, you can enable or disable individual Web service extensions in IIS 6.0. However, enabling all of the Web service extensions creates a security risk because it increases the attack surface of IIS by enabling functionality that might be unnecessary for your server.

To configure the Web service extensions for your Web server, enable the predefined Web service extensions that you need based on the information in Table 6.5.

The following procedures explain how to configure Web service extensions.

To enable and disable a Web service extension

1. In IIS Manager, double-click the local computer, and then click Web Service Extensions .

2. In the details pane, click the Web service extension that you want to enable or disable. Figure 6.1 shows the list of Web service extensions.

   
   Figure 6.1: Enabling and Disabling Web Service Extensions

3. To enable a disabled Web service extension, click Allow .

4. To disable an enabled Web service extension, click Prohibit .

   A message box displays a list of applications that will be prevented from running on the IIS Web server.

5. Click OK to disable the Web service extension.

6. After enabling the appropriate Web service extensions, use a Web browser on a client computer to verify that the Web sites function correctly on the server.

Migrating Server Certificates for SSL

If you use Secure Sockets Layer (SSL) to encrypt confidential information exchanged between the Web server and the client, you must migrate the server certificate from the source server to the target server, install the certificate on the target server, and then configure the Web site to use the certificate.

Migrate the server certificate for SSL by completing the following:

1. Export the server certificate for the Web site from the source server.

   Web server certificates contain information about the server that allows the client to positively identify the server over a network before sharing sensitive information, in a process called authentication . SSL uses these certificates for authentication, and uses encryption for message integrity and confidentiality. SSL is a public key “ based security protocol that is used by Internet services and clients to authenticate each other and to establish message integrity and confidentiality.

   If you use SSL to protect confidential information exchanged between the Web server and the client, you must migrate or export the certificates and the associated private keys from the source server to the target server.

2. Install the server certificate to be used by the Web site on the target server.

   Web server certificates contain information about the server that allows the client to positively identify the server over a network before sharing sensitive information. This process is called authentication . If you use SSL to help protect confidential information exchanged between the Web server and the client and you have exported the certificates from the source server to the target server, the server certificate needs to be installed on the Web server before you can assign the server certificate to Web sites for use with SSL.

3. Assign the server certificate to the Web site.

   Server certificates contain information about the server that allows the client to positively identify the server before sharing sensitive information. After you obtain a server certificate from a trusted certification authority and install the server certificate on the Web server, you need to assign the server certificate to the Web site.

The following procedures explain how to migrate server certificates for SSL.

To export a server certificate from Windows NT Server 4.0

1. From the Start menu, point to Programs , click Windows NT 4.0 Option Pack , point to Microsoft Internet Information Server , and then click Internet Service Manager .

2. Double-click Internet Information Server , and then double-click the name of the computer hosting the Web site that contains the server certificate.

3. Right-click the Web site that contains the server certificate, and then click Properties .

4. On the Directory Security tab under Secure Communications , click Edit .

5. Under Secure Communications , click Key Manager .

6. In the Key Manager window , double-click WWW , and then click the key that you want to export.

7. On the Key Manager menu, click Key , click Export Key , and then click Backup File .

8. Read the warning, and then click OK .

9. Select a secure location on the target server to save the key, and then click Save .

To add the Certificates snap-in to MMC on the target server

1. In the Run dialog box, type mmc , and then click OK .

   The Microsoft Management Console appears.

2. On the File menu, click Add/Remove Snap-in .

3. On the Standalone tab, click Add .

4. In the Add Standalone Snap-in list box, click Certificates , and then click Add .

5. Click the Computer account option, and then click Next .

6. Click the Local computer (the computer this console is running on) option, and then click Finish .

7. Click Close , and then click OK .

To import a server certificate from the source server

1. In MMC, open the Certificates snap-in.

2. In the console tree, click the logical store where you want to import the certificate.

   The default location of the logical store for certificates is on the Console Root in the Certificates (Local Computer)/Personal/Certificates folder.

3. On the Action menu, point to All Tasks , and then click Import to start the Certificate Import Wizard.

   Important

   You should import certificates obtained only from trusted sources. Importing an altered or unreliable certificate could compromise the security of any system component that uses the imported certificate.

4. Click Next .

5. Type the name of the file that contains the certificate to be imported, or click Browse and navigate to the file.

   Certificates can be stored in several different file formats. The most secure format is Public-Key Cryptography Standard (PKCS) #12, an encryption format that requires a password to encrypt the private key. It is recommended that you send certificates using this format for optimum security.

   If the certificate file is in a format other than PKCS #12, skip to step 8.

   Figure 6.2 shows a certificate that uses the default format, X.509v3.

   
   Figure 6.2: Importing an SSL Certificate to the Target Web Server

   If the certificate file is in the PKCS #12 format, do the following:

   • In the Password box, type the password used to encrypt the private key. You must have access to the password that was originally used to secure the file.

   • (Optional) If you want to be able to use strong private key protection, select the Enable strong private key protection check box, if available.

   • (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.

6. Click Next .

7. In the Certificate Store dialog box, do one of the following:

   • If the certificate should be automatically placed in a certificate store based on the type of certificate, select Automatically select the certificate store based on the type of certificate .

   • If you want to specify where the certificate is stored, select Place all certificates in the following store , click Browse , and select the certificate store to use.

8. Click Next , and then click Finish .

The file from which you import certificates remains intact after you have completed importing the certificates. You can use Windows Explorer to delete the file if it is no longer needed.

To assign a server certificate to a Web site

1. In IIS Manager, double-click the local computer, and then double- click the Web Sites folder.

2. Right-click the Web site or file that you want, and then click Properties .

3. Depending on whether you are configuring a Web site or a file, select either the Directory Security or File Security tab, and under Secure communications , click Server Certificate .

   Figure 6.3 shows the Certificate Wizard, which enables you to assign a server certificate to a Web site.

   
   Figure 6.3: Using the Certificate Wizard to Assign a Server Certificate to a Web Site

4. In the Web Server Certificate Wizard, click Assign an existing certificate .

5. Follow the steps in the Web Server Certificate Wizard, which guides you through the process of installing a server certificate.

You can view the information about the certificate by clicking the View Certificate button on the Directory Security or File Security tab of the Web site s Properties page.

Migrating FrontPage Users and Roles

Accounts stored locally on the Web server are known as local user accounts . Local user accounts are valid only on the Web server where they exist, not on other Web servers. When you migrate your Web site to another server, these local user accounts must be re-created on the target server. Once the user accounts have been created, the roles that were assigned to the user accounts on the source server must be assigned to the user accounts on the target server.

You can manage roles from the Site Administration page for your Web site. On this page you can view a list of roles, change the rights that are included in a role, add a new role, and delete a role.

When the source server has Web sites that are FrontPage extended and FrontPage roles have been assigned to the Web site users, you need to migrate the FrontPage roles to the target server. FrontPage roles control the types of access that users have on FrontPage extended Web sites. FrontPage 2002 Server Extensions are administered through the Microsoft SharePoint Team Services HTML administration tool, which is installed with FrontPage 2002 Server Extensions.

The predefined FrontPage roles include the following:

• Administrator . Users assigned this role can view, add, and change all server content; and manage server settings and accounts.

• Advanced author . Users assigned this role can view, add, and change pages, documents, themes, and borders; and recalculate hyperlinks .

• Author . Users assigned this role can view, add, and change pages and documents.

• Contributor . Users assigned this role can view pages and documents, and view and contribute to discussions.

• Browser . Users assigned this role can view pages and documents.

In addition to the predefined FrontPage roles, custom FrontPage roles might be defined on the source server.

Migrate FrontPage users and roles by completing the following steps:

1. Identify the FrontPage roles on the source server and compare them to the FrontPage roles on the target server.

2. Create any FrontPage roles on the target server that exist on the source server but do not exist on the target server.

3. For each FrontPage user on the source server that is local to the source server, create a corresponding user on the target server, and then assign that user the same FrontPage roles that are assigned to the corresponding user on the source server.

4. For each FrontPage user on the source server that is in Active Directory, assign the user the same FrontPage roles on the target server.

The configuration of IIS and the Web sites on the source server might reference user accounts that are stored in the local account database on the source server.

The following procedures explain how to migrate FrontPage users and roles.

To add a user account and assign FrontPage server roles to it

1. Open Administrative Tools , and click Microsoft SharePoint Administration .

2. On the Server Administration page, click the name of the extended Web site for which you want to assign user roles.

3. On the Site Administration page for the Web site, click Manage users .

4. On the Manage Users page, click Add a user .

5. On the Add a User page, in the User section, click Add user or group name (For example, DOMAIN\name) , and enter a user name in the format LocalComputerName\UserAccountName .

6. In the User Role section, select the check boxes for all roles that apply to this user account, and then click Add User .

To assign FrontPage server roles to an existing user account

1. Open Administrative Tools , and click Microsoft SharePoint Administration .

2. On the Server Administration page, click the name of the extended Web site for which you want to assign user roles.

3. On the Site Administration page for the Web site, click Manage users .

4. On the Manage Users page, click the name of the user for which you need to change the roles.

5. On the Edit User Role Membership page, next to User Role , select the check box for every role that applies to this user, and then click Submit .

For more information about administering FrontPage 2002 Server Extensions, see the SharePoint Team Services Administrator s Guide link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.