Monitor, Configure, Troubleshoot, and Control Access to Web Sites

As mentioned, Internet Information Services (IIS) version 5.0 is included as part of Windows 2000. IIS version 5.0 includes a number of improvements and features that are designed to provide highly secure, highly available Web services to users.

Web Site Performance and Reliability Features in IIS 5.0

As part of these improvements, IIS includes configuration options that are used to fine-tune Web site performance and increase service reliability. For example, IIS 5.0 has addressed an issue with servers running previous versions of IIS hosting multiple Web sites. When a server hosts multiple Web sites, each site requires a unique IP address to ensure that traffic is directed correctly. To do this, the server creates a protocol identifier called a socket , which is made up of the Web site's node address and the port number it is using.

Sockets are created when the server is started, and each socket requires a significant chunk of physical (non-paged) RAM. The number of sites a server could host is limited by the amount of memory that can be loaded on the system. IIS 5.0 has addressed this issue by allowing hosted sites that have different IP addresses, but are using the same socket, to share the sockets through socket pooling. This means that more sites could be hosted from a single server and that the performance of those sites would be better.

In addition, Microsoft has included process throttling and bandwidth throttling features in IIS 5.0. These are used to improve site performance. They allow administrators to specify the maximum percentage of a system's processor and network bandwidth that each site on the server is allowed to use. This helps to ensure that one site doesn't dominate the server's resources, resulting in poor performance for the other hosted sites. IIS 5.0's ability to host multiple sites has also improved. Each site on an IIS server is identified by a three-part address. This version is able to let sites share two of the three address parts to save resources and still ensure that the traffic is directed correctly.

Web Site Security Features in IIS 5.0

One of the biggest concerns for administrators today is having their Web site attacked . There are many ways that this can be done, and Microsoft has attempted to address them with IIS 5.0. One of the keys to this implementation of IIS is its ability to isolate the application from outside attack. Application protection is used to isolate each application process from the other processes in memory.

IIS 4.0 began to address these issues by allowing Web applications to be launched outside the IIS server process. In this configuration, if a Web application fails, it affects only the other applications launched in that environment. IIS 5.0 takes this further by pooling similar applications separately from the server service. Another significant improvement seen with IIS 5.0 is the way in which the service is restarted. Before this version of IIS, if there was a system failure, the computer would have to be restarted. In IIS 5.0, however, the service and all its components can be restarted without taking the server down.

IIS is installed by default during a new Windows 2000 Server installation and will be installed during an upgrade if an earlier version of IIS, Peer Web Services, or Personal Web Server is detected on the existing system. If IIS is not detected during an upgrade, however, it will not be installed.

IIS and its components can be installed and removed through the Add/Remove Windows Components Wizard in the Add/Remove Programs utility in Control Panel. If TCP/IP is not already installed before the installation, it will be installed automatically and configured to utilize DHCP for addressing. As part of the installation process, the Default Web Site, Administration Web site, Default SMTP Virtual Server, and Default FTP site are created.

Once installed, IIS can be managed through two versions of the same interface, each found in either Administrative Tools or in the Computer Management utility. When configuring IIS from the server console or from another Windows 2000 system, use the Internet Information Services utility in Administrative Tools. Like other MMC-based interfaces, the Internet Information Services tool can be used to remotely access and configure servers.

The same snap-in is included in the Computer Management utility under Services and Applications. It's important to note that earlier versions of the MMC utility were called Internet Services Manager. You may still see this name associated with IIS management, depending on the method used to install or upgrade the server.

As an alternative to the snap-in, IIS 5.0 includes support for securely accessing and managing the server across the Internet via a Web browser. Referred to as Internet Services Manager (HTML), it is a Web site that is automatically created when IIS is installed. You can launch the HTML version of the management tool from the snap-in by right-clicking on the Administration Web site link and selecting Browse. IIS 5.0 secures this site by randomly choosing a port number when it is created and by requiring authentication before granting access. To use the Internet Servers Manager (HTML) without launching it from the snap-in, you must have the port number assigned to the Administration Web site. Right-click on the site link and select Properties. Figure 3.9 shows the configuration properties for the Administration Web site on a newly created IIS server. To use Internet Services Manager (HTML) to manage the server, enter the Web site address and port in this format: http://<server address>:<port number>. You will be prompted to provide a login name and password.

Although the Internet Information Services utility and the Internet Services Manager (HTML) Web site offer nearly identical functions, not all options are available through Internet Services Manager (HTML). For example, both interfaces allow you the ability to stop, start, pause, and resume individual sites, but only the Internet Information Services utility lets you stop and start IIS itself.

Among the other enhancements seen with IIS 5.0 are the ability to delegate administration tasks to other users, process accounting to ensure Web site scripts are not consuming processor time, custom error messages for the sites, enhanced command-line utilities to allow for greater site automation, support for the FTP Restart protocol which lets interrupted file transmissions resume the partial download rather than start over, and support for HTTP compression, which increases transmission speeds over the Internet. From an administration standpoint, it is easier than ever to back up and restore the IIS server's configuration; it's an option in both management tools. To back up a server's configuration, select the server in the Internet Information Services snap-in and select Backup/Restore Configuration from the Action menu. In the (HTML) version of the manager, the link is at the bottom of the main page. In addition, because IIS integrates closely with Windows 2000, it can utilize Dfs to synchronize files among servers.

IIS Security

Discussed briefly earlier in the chapter, IIS 5.0 includes comprehensive internal security capabilities to keep intruders away and keep the information on Internet sites secure. This security structure is based on an extensive list of industry-standard security protocols and authentication methods .

One of the most stringent standards IIS 5.0 adheres to is Fortezza , which satisfies the very strict Defense Messaging System security architecture. Fortezza employs cryptography that ensures message confidentiality, integrity, and authenticity, while controlling access to the messages, components, and systems. Note, however, that the Fortezza standards are only used when IIS 5.0 is implemented on a server and PCMCIA hardware and browser software are on the client computer.

IIS also supports Secure Sockets Layer (SSL) 3.0 , which has been adopted as an industry standard for authentication over the Internet. SSL relies on certificates to provide the encryption algorithms. Transport Layer Security (TLS) is based on SSL, but it performs encryption at a lower level in the process, which improves performance, and in such a way that a programmer decrypting a message does not require the key code from the sender. It is expected to lay the groundwork for a truly secure public network. Public-Key Cryptography Standard (PKCS) #7 and PKCS #10 are enhanced security protocols that are also supported by IIS 5. They define the format for encrypted data (digital signatures are a good example) and for requests for certificates made to certification authorities.

IIS 5.0 Authentication Methods

IIS has supported two primary authentication methods for some time, Basic and Integrated Windows . As mentioned in the WebDAV discussion earlier in the chapter, Basic Authentication dictates that users provide a user name and password to access a site, but this information is not encrypted for transmission. Because Basic Authentication is part of the original HTTP 1.0 standard, it is supported by most Web-enabled products, which almost ensures that the client device will be able to respond to the request for authentication information. However, because the password is not encrypted, it could potentially be intercepted during transmission and used to gain unauthorized access to the site.

Integrated Windows Authentication, previously Windows NT Challenge/Response, uses NTLM to authenticate older browsers with IIS servers, and uses the industry standard Kerberos v5 for authentication with supported browsers. Integrated Windows Authentication should only be used if Anonymous access has been denied and the IIS server is not behind a proxy server.

Digest Authentication is a new process for ensuring secure transmission of the information between the client and server. It functions in much the same way as Basic Authentication, but the authentication credentials are passed through a one-way process called hashing. The result is a message digest (a hash) that masks the original text of the message. The server sends additional information with the password so that if it were intercepted it could not be used. Perhaps the biggest benefit, however, is that Digest Authentication is part of HTTP 1.1 and can be transmitted seamlessly across proxy servers.

Managing IIS Servers

As mentioned, IIS is managed through one of the Internet Information Services utilities, either the MMC snap-in or the HTML version. A Web or FTP site's configuration settings are accessed by selecting the site, then choosing Properties from the Action menu. The settings on the Home Directory tab, discussed in the earlier WebDAV section of this chapter, are of particular importance. Of note as well are the options available on the Directory Security tab, which is where the authentication control method is defined and IP address restrictions are enforced. Click Edit in the "Anonymous access and authentication control" section to specify whether to allow anonymous access, and define the authentication method for the site ”Basic, Digest, or Integrated Windows.

Virtual directories are used to link Web sites to folders outside the home directory. When a user accesses the Web site, the contents of the virtual directory are presented as though they were contained in the home directory. A virtual directory assigns an alias to the destination folder, allowing for a more secure Web site and easier administration. Virtual directories are more secure because the users cannot determine the actual location of the files in the virtual directory. Without virtual directories, moving files and folders that make up a Web site requires changing the URL links to the folders. Using virtual directories simplifies the process because it is no longer necessary to change the URL on the Web site, but merely to change the mapping between the alias and the folder.

Virtual directories are created through the Virtual Directory Creation Wizard, which is launched from the Internet Information Services snap-in by selecting the Web site, right-clicking and select New, and then selecting Virtual Directory. In Internet Services Manager (HTML), virtual directories are created through the IIS New Site Wizard. To launch the wizard, select the Web site, then click New in the left pane. Click Next, then select Virtual Directory from the list of options, then click Next again. Enter the alias for the virtual directory, click Next, and then enter the path for the virtual directory. Click Next, select the permissions to assign to the alias, and then click Finish.

Hosting Several Sites on One IIS 5.0 Server

IIS includes three features that allow hosting multiple sites on a single server: port number assignment , multiple network adapters with separate IP addresses, and multiple IP address/domain name combinations assigned to a single network adapter using host header names . The decision on which option to use depends on the server's hardware capabilities and the structure of the network. Even though the sites are hosted on the same server, they each have their own security configurations, which allows administrators greater flexibility in assigning management responsibility.

Although the properties for sites hosted on an IIS server can be configured individually, they are initially established based on the server's Master Properties values for the Web and FTP services. To configure the Master Properties for IIS, select the server in the Internet Information Services tool and choose properties. After sites have been established, their properties can be configured individually. Site components such as virtual directories or files can be configured to inherit the settings from the parent object. If a lower-level object is configured manually, updates made to the properties of the site will not be passed on to the component automatically; you will be prompted to choose whether to change the setting for the individual components affected.

Individual Site Management in IIS 5.0

Individual site management is assigned to a special group called Operators. By default, members of the local group Administrators are identified as Operators for IIS sites, but this can be changed for new sites at the Master Properties level, as well as within each of the individual site configurations. Although members of the Operators group have administrative control over their site, they cannot change settings that affect IIS functions or the Windows 2000 server itself.