Of all the components in Windows Server 2003, Internet Information Services 6.0 has received the most attention. It has been completely reworked so that it retains very little of the basic architecture from previous versions. The majority of the improvements have been in the following areas:
Installing Internet Information Services (IIS)
In previous versions of Windows, IIS was installed and enabled by default. The risk in this default was demonstrated multiple times over the past few years as various viruses and exploits targeting IIS were distributed, and administrators who had applied IIS patches only to their "web servers" were presented with a rude awakening. Countless servers that were not intended to perform any web-serving role were brought to their knees, mainly because a lot of administrators did not realize that they had installed IIS on their servers. As part of the overall Microsoft Security Initiative, in Windows Server 2003, Microsoft has made IIS an optional component. It is no longer installed as a default component. In addition, even after it is installed, it presents only static pages. If your website requires the use of Active Server Pages (ASP) or other dynamic content, you must manually enable the support for each feature.
Exam Alert: Active Server Pages
Active Server Pages are web pages with the .ASP extension that utilize ActiveX scripting, typically VBScript or JScript. When an ASP page is loaded, IIS uses the code in the ASP file to dynamically create an HTML page that is sent to the browser. ASP is similar to CGI scripting, except it enables programmers trained in Microsoft languages to create web pages. You will not need to know the workings of ASP pages for the exam.
In addition, during an upgrade from a previous version of Windows, IIS is installed; however, the service is disabled, and you must start it manually. This prevents administrators from carrying over vulnerabilities from previous versions of Windows. Microsoft's intention is for administrators to run IIS only on those servers that require it, and only with the bare minimum of features, thereby reducing the overall vulnerability to attack. To install IIS, follow the procedure outlined in Step by Step 4.12.
The previous steps install the default components of IIS 6.0. As we discussed earlier, the default installation for IIS 6.0 is in "locked down" mode. In locked down mode, only pages containing static content are displayed. All other pages return a 404 error when they are accessed.
The following features can be enabled using the Web Service Extensions node in the IIS Manager snap-in:
Using IIS Manager, you can allow, prohibit, or add additional web service extensions to allow different types of dynamic content to be used on your websites. To enable the Web Service Extensions in IIS, follow the procedure outlined in Step by Step 4.13.
Web Service Extensions are just a group of EXE and DLL files that are required for the specific function being enabled. For example, for Active Server Pages to be used, the asp.dll file must be enabled. To get a list of the files required for each Web Service Extension, in the IIS Manager MMC, highlight the desired extension and click the Properties button. The files are displayed on the Required Files tab of the Properties page. If you need to add a custom extension, you can click the Add a New Web Service Extension link, which opens the New Web Service Extension dialog box. This dialog box allows you to enter a name for the extension, add the required files, and set the status of the extension to Allowed.
Reliability
IIS 6.0 allows you to run your web applications in either of two modes:
IIS 5.0 Isolation mode is used to run older IIS 5.0-compatible applications that do not run natively in IIS 6.0. By default, a web server that is upgraded from a previous version of IIS is enabled in IIS 5.0 Isolation mode, to ensure that the application installed continues to run. IIS 5.0 Isolation mode manages applications in a similar manner to the way that they were managed in IIS 5.0: All in-process applications are run inside a single instance of inetinfo.exe, whereas all out-of-process applications are run in separate DLL hosts. Unfortunately, this mode brings along all the problems that were inherent in IIS 5.0, such as a single application bringing the entire web service down, and memory leaks that require the server to be restarted.
These problems are fixed in the native mode of IIS 6.0, Worker Process Isolation mode. In this mode, applications and processes can be separated into application pools. An application pool is a set of one or more applications that are assigned to a set of one or more worker processes. An application pool can contain websites, applications, and virtual directories. Each application pool is isolated from the others. Because of this, a failure or memory leak affects only the processes running in that application pool and has no effect on any of the other functions in other application pools. In Windows Server 2003, you can run in either IIS 5.0 Isolation mode or Worker Process Isolation mode, but not both simultaneously on the same server. To change the application mode in IIS, follow the procedure outlined in Step by Step 4.14.
When IIS is running in the default Worker Process Isolation mode, all processes are assigned to the default pool, named DefaultAppPool. To take advantage of Worker Process Isolation mode, you should create multiple pools and separate your applications. To add application pools in IIS, follow the procedure outlined in Step by Step 4.15.
Management
IIS 6.0 can be managed via the following four methods:
These management options give you greater flexibility in that you can use whatever method of administration makes sense for a particular environment. For example, if you are managing only one or two web servers, it might not be worth the trouble to write administrative scripts to make configuration changes. In this situation, either making a couple of quick changes using the IIS Manager MMC or manually editing the configuration file might be the most efficient way to accomplish the changes. However, in a larger environment, possibly hosting 10 or more web servers, automating changes via scripting is the only way to go!
IIS Management Using Administrative Scripting
IIS 6.0 installs with a selection of Visual Basic-based scripts that allow you to perform the following functions:
These scripts allow you to automate common tasks from the command line, and even to generate a new website from a backup so that a failed server can be replaced. These scripts are stored in the %systemroot%\System32 folder. All the scripts are ready to be used; just enter the name of the script on the command line to see the required parameters. For additional details on scripting, refer to the IIS online help.
Exam Alert: Administrative Scripting
Although the ability to perform administrative scripting is becoming more essential in most environments, you probably will not see it covered at length on the exam.
IIS Management Through Manually Editing the Metabase
In previous versions of IIS, the configuration information was stored in a binary file called the Metabase. Starting in IIS 6.0, this file is no longer stored in a binary format. It is now stored as an XML file that can be directly edited via Notepad or a similar text-editing program. This allows you to quickly make changes to the configuration of IIS, even when it is running. You no longer have to start and stop the WWW service to apply configuration changes. The Metabase.xml file is stored in the %systemroot%\System32\inetsrv folder. To edit the Metabase.xml file without stopping the IIS service, you must ensure that two items are enabled:
To make configuration changes in IIS by editing the Metabase.xml file, follow the procedure outlined in Step by Step 4.16.
Note: Manually Editing the Metabase
Although Microsoft has made it easier to manually edit the Metabase, and even allows you to do it while your website is up and running, you should always use extreme caution when doing so.
IIS Management Using the IIS Manager MMC
The IIS Manager MMC, first introduced with the Windows NT 4.0 Option Pack, is still with us, and although the basic operations haven't really changed that much, additional options have been added to support the new features in IIS 6.0. The IIS snap-in can be added to other MMCs using the methods covered in the beginning of this chapter.
Exam Alert: Know IIS Manager
All the configuration options available in IIS 6.0 can be configured via the IIS Manager MMC, so it is important to become very familiar with its operation, both for your day-to-day administration tasks and for the exam.
You should already be somewhat familiar with the IIS Manager MMC because we have used it in previous examples in this chapter. In the field, the IIS Manager is the most commonly used administrative tool for IIS. It is still the quickest and easiest method of creating and configuring IIS in small-to-medium-sized environments. The IIS Manager MMC is just like the other MMCs covered in this chapter in that it can be used to configure either the local computer or a remote computer by right-clicking the Local Computer entry and selecting Connect from the pop-up menu.
Managing the Default Website
Unlike previous versions of IIS, which were installed with multiple virtual directories and lots of sample pages that could be exploited by hackers, the default installation of IIS 6.0 is set up with a minimum of files. Basically only enough content is installed to present an Under Construction page, which you can see by entering http://localhost on your test server. From the IIS Manager MMC, you can set the properties for each website, or you can set the defaults for all websites hosted on the server.
To view and set the defaults for all websites, right-click the Web Sites entry in the IIS Manager MMC, and then select Properties from the pop-up menu.
Note: Scope of Settings
Unless otherwise indicated, the settings shown on the Properties pages can be applied either globally to all websites or uniquely to each individual website.
From the Web Site tab, shown in Figure 4.30, you can select the timeout settings, whether to log website activity, and the format and the location for the log files. Notice that certain settings, such as the IP Address field, are grayed out. This is because those settings are unique to each individual website.
Figure 4.30. The Web Site tab.
Click the Performance tab (see Figure 4.31). From here you can adjust the settings that determine the overall performance of your web server. The Bandwidth Throttling setting, along with the Web Site Connections setting, is used to control the amount of bandwidth that is consumed by the web server, and it also limits the amount of memory that is preallocated to caching. This allows you to prioritize the amount of bandwidth consumed by each web server over a shared connection. This can be used to ensure that a higher availability website is granted more bandwidth than a less significant site. Figure 4.31. The Performance tab.
The ISAPI Filters tab allows you to add custom-written filters that respond to specific events during an HTTP request. The Home Directory tab, shown in Figure 4.32, allows you to specify the location of the files used for your websites. This tab is used for individual sites. Figure 4.32. The Home Directory tab.
The Home Directory tab allows you to assign content for your website from the following locations:
In addition to controlling access via NTFS or share permissions, the Home Directory tab allows you to specify what visitors to the site can do. The options are as follows:
The Execute Permissions field allows you to select what type of scripts or executable files can be invoked by a browser:
Note: Invitation to Disaster
Allowing both Execute and Write access allows visitors to upload and execute any code that they want on your site.
The Application Pool drop-down list allows you to specify the application pool the website is to be a member of. The Documents tab, as shown in Figure 4.33, is used to specify the default document that is sent to the browser when no specific document is requested. This can be either a home page or an index page. The Enable Document Footer option allows you to attach a footer to every document that is displayed.
Figure 4.33. The Documents tab.
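Because the IIS 6.0 configuration is plain XML, the Write-plus-Execute combination warned about in the note above can be audited offline, along with which Web Service Extensions are allowed and which directories share an application pool. The following is an added example, not from the book or from Microsoft; the sample is constructed and heavily simplified, and the element and attribute names (IIsWebService, IIsWebVirtualDir, AccessFlags, AppPoolId, WebSvcExtRestrictionList) are assumptions about the Metabase.xml schema that should be checked against a real file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the style of Metabase.xml (not taken from a real server).
# In WebSvcExtRestrictionList a leading 1 is assumed to mean Allowed, 0 Prohibited.
SAMPLE_METABASE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC"
    WebSvcExtRestrictionList="0,*.dll
        0,*.exe
        1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages
        0,C:\WINDOWS\system32\inetsrv\httpodbc.dll,0,HTTPODBC,Internet Data Connector"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
    AccessFlags="AccessRead | AccessScript"
    AppPoolId="DefaultAppPool" Path="c:\inetpub\wwwroot"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/upload"
    AccessFlags="AccessRead | AccessWrite | AccessExecute"
    AppPoolId="DefaultAppPool" Path="d:\sites\upload"/>
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT"
    AccessFlags="AccessRead | AccessWrite"
    AppPoolId="IntranetPool" Path="d:\sites\intranet"/>
</MBProperty>
</configuration>"""


def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def audit_metabase(xml_text):
    """Return directories that are writable and runnable, the allowed
    extension files, and the directories grouped by application pool."""
    findings = {"write_and_run": [], "allowed_extensions": [], "pools": {}}
    for el in ET.fromstring(xml_text).iter():
        name = local_name(el.tag)
        if name == "IIsWebService":
            raw = el.get("WebSvcExtRestrictionList", "").strip()
            # The XML parser turns the attribute's newlines into spaces, so
            # split where whitespace is followed by the next "0," or "1,".
            for entry in re.split(r"\s+(?=[01],)", raw):
                fields = entry.split(",")
                if len(fields) > 1 and fields[0] == "1":
                    findings["allowed_extensions"].append(fields[1])
        elif name == "IIsWebVirtualDir":
            location = el.get("Location")
            flags = {f.strip() for f in el.get("AccessFlags", "").split("|")}
            # The note names Write + Execute; Write + Script is flagged too,
            # since an uploaded script is just as runnable (added widening).
            if "AccessWrite" in flags and flags & {"AccessExecute", "AccessScript"}:
                findings["write_and_run"].append(location)
            pool = el.get("AppPoolId", "(inherited)")
            findings["pools"].setdefault(pool, []).append(location)
    return findings


if __name__ == "__main__":
    report = audit_metabase(SAMPLE_METABASE)
    print("Writable and runnable:", report["write_and_run"])
    print("Allowed extension files:", report["allowed_extensions"])
    for pool, members in report["pools"].items():
        print(f"{pool}: {len(members)} location(s)")
```

Run it against a copy of Metabase.xml rather than the live file; the script only reads the configuration.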
The Directory Security tab allows you to control the access to your website. This tab is covered at length later in this chapter. The HTTP Headers tab, shown in Figure 4.34, enables you to configure the values returned to the browser via the header included in the HTML page. These values include Content Expiration, which tells the browser when to refresh cached pages, Content Rating, which identifies the type of content provided by the site, and the Mime Types setting, which maps a file extension to a file type. Figure 4.34. The HTTP Headers tab.
The Custom HTTP Headers option allows you to send custom HTTP headers to a client browser. These can be used to support browser features that the website does not yet officially support. The Custom Errors tab allows you to define replacement error messages. Instead of the default numerical messages, you can define something more informative.
The Service tab (see Figure 4.35) allows you to set the mode in which the web server is run: either IIS 5.0 Isolation mode or Worker Process Isolation mode. There are also settings for HTTP Compression. HTTP Compression mode allows you to compress static files or dynamic content, or both, to be sent to the browser. Sending compressed files consumes less bandwidth, and this feature can be very useful in limited-bandwidth situations.
Figure 4.35. The Service tab.
However, compressing and uncompressing the files consumes additional processing cycles, both on the web server and the client, so the HTTP Compression options should not be enabled if the web server is already processor starved.
Creating a Website
Like most other functions in Windows Server 2003, a wizard is supplied to make creating a website easier. To create a new website, follow the procedure outlined in Step by Step 4.17.
Hosting Multiple Websites
In the previous Step by Step, you learned how to add an additional website to a web server, but we left out one small detail. If a web server is hosting multiple websites, how do you determine which website is presented to the browser? When you're hosting multiple websites on a single server, each website must have a unique identity. This is accomplished by using the following identifiers:
By configuring one or more of these identifiers, you can uniquely identify each website on your server. When using multiple IP addresses to identify the websites on your server, you can either install multiple network interface cards (NICs), each with a unique IP address, or just assign multiple IP addresses to a single NIC. To identify a new website by IP address, use the procedure outlined in Step by Step 4.18.
With the explosion in popularity of the Internet and the slow adoption of IPv6, the number of available IP addresses is dwindling rapidly. This means that it's not always possible or feasible to lease multiple IP addresses from an ISP to host multiple websites. Fortunately, websites can also be configured to respond to a unique host header. A host header is nothing more than a unique DNS name that is used to identify one of the additional websites. The site that is using the host header shares the same port and IP address, but when the browser connects to the default website, it asks for the site using the host header entry. The server reads the request from the browser and directs it to the requested site. This allows you to host multiple sites at the same IP address; they just have to have unique header names, such as www.abc.com, www.xyz.com, and so on. Host headers require that you use a browser that supports HTTP 1.1 or later. If your browser does not support HTTP 1.1, you will be connected to the default website. To identify a website by host header, use the procedure outlined in Step by Step 4.19.
Note: Additional Security
Because all the sites now have host headers, you will not be able to connect to the website by IP address, giving an additional layer of security.
As noted in the previous procedure, the port number can be changed as well. When you're using a unique port number, it has to be entered in the URL as follows:
www.abc.com:60
A port number can be any number from 1 to 65535. Port numbers are rarely used, except for testing purposes.
Note: Port Numbers
Although it is technically true that any port to 65K can be used, it is not the best idea to use any well-known ports for this purpose. Ports such as 25 (SMTP), 110 (POP), 3268 (LDAP), and 443 (SSL), among many others, would not make sense to serve web pages from.
Exam Alert: SSL and Host Headers Don't Mix
Host headers cannot be used with SSL because the domain name is encoded in the certificate, and the browser is able to see only the IP address. When using SSL, you must use a unique IP address.
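The site-selection behaviour described in this section (IP address, port, and host header together identify a site) can be modelled in a few lines. This is an added example, not code from the book or from IIS; it is a simplified model of the matching described above, and the Binding tuple, the site names, the 192.0.2.10 address, and the request bytes are all constructed for illustration.

```python
from collections import namedtuple

# ip "" stands for (All Unassigned); host "" means no host header is set.
Binding = namedtuple("Binding", "site ip port host")


def parse_host(raw: bytes) -> str:
    """Return the Host header value (lower-cased, port removed), or ''
    when the request carries none, as with an HTTP/1.0 client."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().partition(":")[0]
    return ""


def route(bindings, raw, local_ip, local_port):
    """Pick the site for a request that arrived on local_ip:local_port.
    An exact host header match wins; otherwise a binding with a blank
    host header acts as the default site. None means no site answers."""
    host = parse_host(raw)
    candidates = [b for b in bindings
                  if b.port == local_port and b.ip in (local_ip, "")]
    for want_host in (host, ""):
        for want_ip in (local_ip, ""):
            for b in candidates:
                if b.host == want_host and b.ip == want_ip:
                    return b.site
    return None


# Constructed bindings: three sites share port 80, one test site uses port 60.
SHARED = [
    Binding("Default Web Site", "", 80, ""),
    Binding("abc", "", 80, "www.abc.com"),
    Binding("xyz", "", 80, "www.xyz.com"),
    Binding("abc-test", "", 60, "www.abc.com"),
]
# Same server after every site, including the default, is given a host header.
ALL_NAMED = [b for b in SHARED if b.host]

# Constructed requests.
REQ_XYZ = b"GET / HTTP/1.1\r\nHost: www.xyz.com\r\n\r\n"
REQ_HTTP10 = b"GET / HTTP/1.0\r\n\r\n"                  # no Host header
REQ_BY_IP = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
REQ_PORT60 = b"GET / HTTP/1.1\r\nHost: www.abc.com:60\r\n\r\n"

if __name__ == "__main__":
    for label, table in (("shared", SHARED), ("all named", ALL_NAMED)):
        for req in (REQ_XYZ, REQ_HTTP10, REQ_BY_IP):
            first_line = req.split(b"\r\n")[0].decode()
            print(label, "|", first_line, "|", parse_host(req) or "(none)",
                  "->", route(table, req, "192.0.2.10", 80))
```

With the SHARED table a request addressed by IP lands on the default site; with ALL_NAMED the same request matches nothing, which is the effect the Additional Security note describes.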
Managing Security for IIS
As mentioned earlier in the chapter, IIS is probably the subsystem of Windows Server 2003 that has received the most attention, especially related to security. In IIS 6.0, the worker processes and most of the ASP functions run in the Network Service security context, which is a low-privileged context. In addition, each of these worker processes can exist in separate application pools, thereby isolating them from other processes. This lessens the exposure to poorly written code or to hackers inserting malicious code that would crash the entire web server. In addition, when a buffer overflow occurs, previously a favorite exploit, the worker processes automatically terminate. With these low-level changes and the refusal to accept requests for files with unknown extensions, in addition to preventing the execution of command-line tools, IIS 6.0 is far more secure than any previous version.
We partially covered the contents of the Directory Security tab when configuring restrictions for access to the Remote Administration Console. We have already examined how to restrict access to a website by IP address and domain name. However, several other settings are important to IIS security. If you select the Edit button in the Authentication and Access Control section of the Directory Security tab, you open the Authentication Methods dialog box, shown in Figure 4.40.
Figure 4.40. Multiple authentication methods are available from this dialog box.
When IIS is installed, two accounts are created: IUSR_servername and IWAM_servername. IWAM_servername is run in the Network Service security context and is used to start and run most applications. The IUSR_servername account is a member of the GUEST local group and is used to control anonymous access to published resources on IIS. For example, if you have a website that you want to publish so that anyone on the Internet can access it without authentication, you would use the IUSR_servername account to assign read access to the necessary resources. You have the ability to change the account used for anonymous access, or you can disable anonymous access completely. The second half of the dialog box controls authenticated access. Authenticated access is used to integrate the web server with Windows security. The user is required to present a user ID and password to access website resources. These user IDs and passwords are stored either as a local account on the web server or in the Active Directory domain database. When anonymous access is disabled, all users who attempt to access the website are prompted for a user ID and password. Authentication is also required when the website resources are protected via NTFS permissions. Four types of authenticated access are available:
The final two options available from the Authentication Methods dialog box are as follows:
As mentioned briefly in the previous paragraphs, NTFS can be used to control access to resources on the web server. For example, if anonymous access is enabled but there are sensitive areas on your web server, you can control access to those areas using NTFS security. You can simply exclude or deny access for those resources to the Anonymous user account. The user is prompted for a user ID and password when she attempts to access those resources.
Another method of securing access to a web server is via Secure Sockets Layer (SSL). We mentioned SSL briefly in this chapter, but we haven't taken the time to explain it yet. SSL is used with HTTP to encrypt all traffic between the browser and the web server. This is especially critical for e-commerce sites because the last thing you want to do is to transmit your credit card number in clear text over the Internet! SSL works by using encryption keys, in this case certificates that are distributed by a trusted source. These certificates are used to encrypt the data that passes between the client and the web server. Certificates are issued by Certificate Authorities (CAs), of which VeriSign is the most prominent. Website administrators apply to the CA for a certificate, and they must provide the proper credentials to prove their identity. After the CA is satisfied that they are who they say they are, the CA issues the certificates and the website administrators install them on their web servers. This same process can be used by enterprises using their own CAs to issue certificates to employees or contractors wishing to access web content from outside the boundaries of these organizations' LANs. In this case, the CA issuing the certificates is not a public CA (like VeriSign) but rather a private one controlled internally. In many cases, organizations choose to run Microsoft Certificate Services to issue and manage these certificates.
Other CA software vendors also exist, but Microsoft's CA is the most common because the software is included as part of Windows Server 2003 for no additional charge. When clients try to access the website, they might be presented with a prompt asking whether they trust the source of the certificate. This normally does not occur if the web server is using a certificate issued by VeriSign or one of the other common CAs. The client and the web server then negotiate a connection, and all traffic between them is encrypted. In addition to server certificates, clients can be issued certificates also. This enables a password-free logon because the certificate serves as both the user ID and the password. Three steps are involved in setting up SSL on a Web server:
To generate a certificate request, use the procedure in Step by Step 4.20.
After the request file has been created, it must be sent to the Certificate Authority for approval. After the CA has processed your request, you receive a certificate from the CA. To install the received certificate, follow the procedure outlined in Step by Step 4.21.
After the certificate is installed, the final step is to configure the settings on the website to use SSL. To configure the website to support SSL, follow the procedure outlined in Step by Step 4.22.
Managing security for IIS 6.0 is an important topic, especially in light of all the attention IIS has received as a favored target for hackers. It is important to understand that one of the best strategies to secure IIS is to enable only the minimal features required to support the applications being run on IIS. Also, never grant more authority to any users than they will ever possibly require.