Managing Internet Information Services (IIS) 6.0


Objective:

Manage Internet Information Services (IIS)

Of all the components in Windows Server 2003, Internet Information Services 6.0 has received the most attention. It has been completely reworked so that it retains very little of the basic architecture from previous versions. The majority of the improvements have been in the following areas:

  • Security

  • Reliability

  • Management

Installing Internet Information Services (IIS)

In previous versions of Windows, IIS was installed and enabled by default. This exposure was demonstrated repeatedly over the past few years as various viruses and exploits targeting IIS were distributed, and administrators who had applied IIS patches only to their designated "web servers" were presented with a rude awakening. Countless servers that were never intended to perform any web-serving role were brought to their knees, mainly because many administrators did not realize that IIS was installed on them.

As part of the overall Microsoft Security Initiative, in Windows Server 2003, Microsoft has made IIS an optional component. It is no longer installed as a default component. In addition, even after it is installed, it presents only static pages. If your website requires the use of Active Server Pages (ASP) or other dynamic content, you must manually enable the support for each feature.

Exam Alert: Active Server Pages

Active Server Pages are web pages with the .ASP extension that utilize ActiveX scripting, typically VBScript or JScript. When an ASP page is loaded, IIS uses the code in the ASP file to dynamically create an HTML page that is sent to the browser. ASP is similar to CGI scripting, except that it enables programmers trained in Microsoft languages to create web pages. You will not need to know the workings of ASP pages for the exam.


In addition, during an upgrade from a previous version of Windows, IIS is installed; however, the service is disabled, and you must start it manually. This prevents administrators from carrying over vulnerabilities from previous versions of Windows. Microsoft's intention is for administrators to run only IIS on those servers that require it, and only with the bare minimum of features, thereby reducing the overall vulnerability to attack.

To install IIS, follow the procedure outlined in Step by Step 4.12.

Step by Step

4.12 Installing Internet Information Services (IIS) 6.0

1.

Click Start, All Programs, Control Panel, Add or Remove Programs.

2.

Click the Add/Remove Windows Components button in the left pane of the Add or Remove Programs dialog box.

3.

The Windows Components Wizard appears. Select the Application Server check box, as shown in Figure 4.26. Click the Next button to continue.

Figure 4.26. The Windows Components Wizard.


4.

The Configuring Components screen appears. When prompted, insert the Windows Server 2003 CD-ROM and then click the OK button to continue.

5.

When the Completing the Windows Component Wizard screen appears, click the Finish button.

The previous steps install the default components of IIS 6.0. As we discussed earlier, the default installation for IIS 6.0 is in "locked down" mode. In locked down mode, only pages containing static content are displayed. All other pages return a 404 error when they are accessed.

Default Installation of IIS 6.0

In the previous Step by Step, we covered a basic installation of IIS 6.0. If you click the Details button, as shown in Figure 4.26, you can select or deselect the various components of IIS, including the IIS Services Manager, FrontPage Server Extensions, and the FTP server.


The following features can be enabled using the Web Service Extensions node in the IIS Manager snap-in:

  • ASP: Active Server Pages; dynamically created web pages based on ActiveX.

  • ASP.NET: The update of ASP built on the Microsoft .NET Framework.

  • Server-Side Includes: Typically used to paste the contents of one file inside another.

  • WebDAV Publishing: Web-based Distributed Authoring and Versioning is a set of extensions that enables users to edit and manage files remotely on web servers.

  • FrontPage Server Extensions: Additional code that enables IIS to support additional features provided by the Microsoft FrontPage website design package.

  • ISAPI Extensions: Internet Server Application Programming Interface is an API used to extend the functionality of the web server.

  • CGI Extensions: Common Gateway Interface is a protocol used to provide an interface between application software and the web server.

Using IIS Manager, you can allow, prohibit, or add additional web service extensions to allow different types of dynamic content to be used on your websites.

To enable the Web Service Extensions in IIS, follow the procedure outlined in Step by Step 4.13.

Step by Step

4.13 Enabling Web Service Extensions in IIS 6.0

1.

Click Start, Administrative Tools, Internet Information Services Manager.

2.

The IIS Manager MMC opens with the default status of the Web Service Extensions, as shown in Figure 4.27.



Figure 4.27. The IIS Manager MMC, showing the default status of the Web Service Extensions. The list varies, depending on what extensions are installed.


3.

Highlight the desired extensions in the right pane of the MMC and then click the Allow button. The setting listed in the Status column for the extension is changed from Prohibited to Allowed.

Web Service Extensions are just a group of EXE and DLL files that are required for the specific function being enabled. For example, for Active Server Pages to be used, the asp.dll file must be enabled. To get a list of the files required for each Web Service Extension, in the IIS Manager MMC, highlight the desired extension and click the Properties button. The files are displayed on the Required Files tab of the Properties page.

If you need to add a custom extension, you can click the Add a New Web Service Extension link, which opens the New Web Service Extension dialog box. This dialog box allows you to enter a name for the extension, add the required files, and set the status of the extension to Allowed.

Reliability

IIS 6.0 allows you to run your web applications in either of two modes:

  • IIS 5.0 Isolation mode

  • Worker Process Isolation mode

IIS 5.0 Isolation mode is used to run older IIS 5.0-compatible applications that do not run natively in IIS 6.0. By default, a web server that is upgraded from a previous version of IIS is enabled in IIS 5.0 Isolation mode, to ensure that the applications already installed continue to run. IIS 5.0 Isolation mode manages applications in a similar manner to the way they were managed in IIS 5.0: All in-process applications run inside a single instance of inetinfo.exe, whereas all out-of-process applications run in separate DLL hosts. Unfortunately, this mode brings along all the problems that were inherent in IIS 5.0, such as a single application bringing the entire web service down, and memory leaks that require the server to be restarted.

These problems are fixed in the native mode of IIS 6.0, Worker Process Isolation mode. In this mode, applications and processes can be separated into application pools. An application pool is a set of one or more applications that are assigned to a set of one or more worker processes. An application pool can contain websites, applications, and virtual directories. Each application pool is isolated from the others. Because of this, a failure or memory leak affects only the processes running in that application pool and has no effect on any of the other functions in other application pools.

In Windows Server 2003, you can run in either IIS 5.0 Isolation mode or Worker Process Isolation mode, but not both simultaneously on the same server.

To change the application mode in IIS, follow the procedure outlined in Step by Step 4.14.

Step by Step

4.14 Changing the application mode in IIS 6.0

1.

Click Start, Administrative Tools, Internet Information Services Manager.

2.

The IIS Manager MMC opens with the current isolation mode indicated by the presence or absence of the Application Pools folder, as shown in Figure 4.28.

Figure 4.28. The IIS Manager MMC, showing the current isolation mode. The server must be in Worker Process Isolation mode because the Application Pools folder is displayed.


3.

In the left pane of the MMC, right-click the Web Sites entry and then select Properties from the pop-up menu.

4.

From the Web Sites Properties dialog box, click the Service tab. From the Service tab, click the Run WWW Service in IIS 5.0 Isolation Mode check box.

5.

Click OK to save this setting.

When IIS is running in the default Worker Process Isolation mode, all processes are assigned to the default pool, named DefaultAppPool. To take advantage of Worker Process Isolation mode, you should create multiple pools and separate your applications.

To add application pools in IIS, follow the procedure outlined in Step by Step 4.15.

Step by Step

4.15 Adding application pools in IIS 6.0

1.

Click Start, Administrative Tools, Internet Information Services Manager.

2.

The IIS Manager MMC opens with the Worker Process Isolation mode indicated by the presence of the Application Pools folder. If the folder is not present, use the previous procedure to enable Worker Process Isolation mode.

3.

In the left pane of the MMC, expand the Application Pools entry and then right-click the DefaultAppPool entry. Select New, Application Pool from the pop-up menu.

4.

The Add New Application Pool dialog box appears, as shown in Figure 4.29. Select the configuration settings to use and then click the OK button to save them.

Figure 4.29. The Add New Application Pool dialog box. You can use the system defaults or an existing application pool as a template for the configuration.


5.

The new application pool entry appears in the MMC.

Management

IIS 6.0 can be managed via the following four methods:

  • IIS Manager MMC

  • Administration scripting

  • Manually editing the configuration file

  • Remote Administration website

These management options give you greater flexibility in that you can use whatever method of administration makes sense for a particular environment. For example, if you are managing only one or two web servers, it might not be worth the trouble to write administrative scripts to make configuration changes. In this situation, either making a couple of quick changes using the IIS Manager MMC or manually editing the configuration file might be the most efficient way to accomplish the changes. However, in a larger environment, possibly hosting 10 or more web servers, automating changes via scripting is the only way to go!

IIS Management Using Administrative Scripting

IIS 6.0 installs with a selection of Visual Basic-based scripts that allow you to perform the following functions:

  • Starting and stopping web services

  • Creating default websites

  • Backing up and restoring websites

  • Configuring web extensions

  • Managing FTP sites

  • Managing IIS configuration

These scripts allow you to automate common tasks from the command line, and to even generate a new website from a backup so that a failed server can be replaced. These scripts are stored in the %systemroot%\System32 folder. All the scripts are ready to be used; just enter the name of the script on the command line to see the required parameters. For additional details on scripting, refer to the IIS online help.

Exam Alert: Administrative Scripting

Although the ability to perform administrative scripting is becoming more essential in most environments, you probably will not see it covered at length on the exam.


IIS Management Through Manually Editing the Metabase

In previous versions of IIS, the configuration information was stored in a binary file called the Metabase. Starting in IIS 6.0, this file is no longer stored in a binary format. It is now stored as an XML file that can be directly edited via Notepad or a similar text-editing program. This allows you to quickly make changes to the configuration of IIS, even when it is running. You no longer have to start and stop the WWW service to apply configuration changes. The Metabase.xml file is stored in the %systemroot%\System32\inetsrv folder.

To edit the Metabase.xml file without stopping the IIS service, you must ensure that two items are enabled:

  • The Metabase History feature: This feature saves the last 10 changes to the Metabase file. It is enabled by default.

  • The Enable Direct Metabase Edit feature: This item is turned on via the Local Computer Properties dialog box in the IIS Manager.

To make configuration changes in IIS by editing the Metabase.xml file, follow the procedure outlined in Step by Step 4.16.

Step by Step

4.16 Configuring IIS 6.0 by editing the metabase file

1.

Click Start, Administrative Tools, Internet Information Services Manager.

2.

From the IIS Manager MMC, right-click the Local Computer entry and then select Properties from the pop-up menu.

3.

On the Local Computer Properties dialog box, select the Enable Direct Metabase Edit check box.

4.

Click OK to save this setting.

5.

Click Start, All Programs, Accessories, Notepad.

6.

Click File, Open and then navigate to the %systemroot%\System32\inetsrv folder and select the Metabase.xml file.

Note: Manually Editing the Metabase

Although Microsoft has made it easier to manually edit the Metabase, and even allows you to do it while your website is up and running, you should always use extreme caution when doing so.


IIS Management Using the IIS Manager MMC

The IIS Manager MMC, first introduced with the Windows NT 4.0 Option Pack, is still with us, and although the basic operations haven't really changed that much, additional options have been added to support the new features in IIS 6.0. The IIS snap-in can be added to other MMCs using the methods covered in the beginning of this chapter.

Exam Alert: Know IIS Manager

All the configuration options available in IIS 6.0 can be configured via the IIS Manager MMC, so it is important to become very familiar with its operation, both for your day-to-day administration tasks and for the exam.


You should already be somewhat familiar with the IIS Manager MMC because we have used it in previous examples in this chapter. In the field, the IIS Manager is the most commonly used administrative tool for IIS. It is still the quickest and easiest method of creating and configuring IIS in small-to-medium-sized environments.

The IIS Manager MMC is just like the other MMCs covered in this chapter in that it can be used to configure either the local computer or a remote computer by right-clicking the Local Computer entry and selecting Connect from the pop-up menu.

Managing the Default Website

Unlike previous versions of IIS, which were installed with multiple virtual directories and lots of sample pages that could be exploited by hackers, the default installation of IIS 6.0 is set up with a minimum of files. Basically only enough content is installed to present an Under Construction page, which you can see by entering http://localhost on your test server.

From the IIS Manager MMC, you can set the properties for each website, or you can set the defaults for all websites hosted on the server. To view and set the defaults for all websites, right-click the Web Sites entry in the IIS Manager MMC, and then select Properties from the pop-up menu.

Note: Scope of Settings

Unless otherwise indicated, the settings shown on the Properties pages can be applied either globally to all websites or uniquely to each individual website.


From the Web Site tab, shown in Figure 4.30, you can select the timeout settings, whether to log website activity, and the format and the location for the log files. Notice that certain settings, such as the IP Address field, are grayed out. This is because those settings are unique to each individual website.

Figure 4.30. The Web Site tab.


Click the Performance tab (see Figure 4.31). From here you can adjust the settings that determine the overall performance of your web server. The Bandwidth Throttling setting, along with the Web Site Connections setting, is used to control the amount of bandwidth that is consumed by the web server, and it also limits the amount of memory that is preallocated to caching. This allows you to prioritize the amount of bandwidth consumed by each web server over a shared connection, for example to ensure that a higher-availability website is granted more bandwidth than a less significant site.

Figure 4.31. The Performance tab.


The ISAPI Filters tab allows you to add custom-written filters that respond to specific events during an HTTP request.

The Home Directory tab, shown in Figure 4.32, allows you to specify the location of the files used for your websites. This tab is used for individual sites.

Figure 4.32. The Home Directory tab.


The Home Directory tab allows you to assign content for your website from the following locations:

  • A Directory Located on This Computer: This is the default. Enter a local path, or select one by clicking the Browse button and navigating to it.

  • A Share Located on Another Computer: This option allows you to specify a server and share name where the necessary resources are stored. After entering the share name, you have the option of entering a specific user ID and password, if needed to access the share, by clicking the Connect As button.

  • A Redirection to a URL: This option allows you to specify a website or virtual directory that will provide the content.

In addition to controlling access via NTFS or share permissions, the Home Directory tab allows you to specify what visitors to the site can do.

The options are as follows:

  • Script Source Access: If either Read or Write access is selected, this option allows visitors to see the source code of the pages that they are viewing. This option should be selected only for development sites.

  • Read: This option allows visitors to view the web pages and to download files. If this option is not selected, the website cannot be viewed.

  • Write: This option allows visitors to upload files to the website and to edit the content of any file for which they have the necessary permissions. This option requires a browser that supports HTTP 1.1 or later.

  • Directory Browsing: This option allows users to see a listing of the files and subdirectories.

  • Log Visits: This option allows you to log all user interaction with the site. This option requires logging to be enabled on the Web Site tab.

  • Index This Resource: If the Indexing service was installed, this option allows the site to be indexed for faster searching.

The Execute Permissions field allows you to select what type of scripts or executable files can be invoked by a browser:

  • None: With this option, only static HTML pages or image files will be displayed.

  • Scripts Only: This option allows ASP scripts to run; however, executables such as ISAPI DLLs and CGI-BIN applications cannot be run.

  • Scripts and Executables: This option allows any file type to be run.

Note: Invitation to Disaster

Allowing both Execute and Write access allows visitors to upload and execute any code that they want on your site.


The Application Pool drop-down list allows you to specify the application pool the website is to be a member of.

The Documents tab, as shown in Figure 4.33, is used to specify the default document that is sent to the browser when no specific document is requested. This can be either a home page or an index page. The Enable Document Footer option allows you to attach a footer to every document that is displayed.

Figure 4.33. The Documents tab.


The Directory Security tab allows you to control the access to your website. This tab is covered at length later in this chapter.

The HTTP Headers tab, shown in Figure 4.34, enables you to configure the values returned to the browser via the header included with the HTML page. These values include Content Expiration, which tells the browser when to refresh cached pages; Content Rating, which identifies the type of content provided by the site; and the MIME Types setting, which maps a file extension to a file type.

Figure 4.34. The HTTP Headers tab.


The Custom HTTP Headers option allows you to send custom HTTP headers to a client browser. These can be used to support browser features that the website does not yet officially support.

The Custom Errors tab allows you to define replacement error messages. Instead of the default numerical messages, you can define something more informative.

The Service tab (see Figure 4.35) allows you to set the mode in which the web server is run: either IIS 5.0 Isolation mode or Worker Process Isolation mode. There are also settings for HTTP Compression. HTTP Compression mode allows you to compress static files or dynamic content, or both, before they are sent to the browser. Sending compressed files consumes less bandwidth, and this feature can be very useful in limited-bandwidth situations.

Figure 4.35. The Service tab.


However, compressing and uncompressing the files consumes additional processing cycles, both on the web server and the client, so the HTTP Compression options should not be enabled if the web server is already processor starved.

Creating a Website

Like most other functions in Windows Server 2003, a wizard is supplied to make creating a website easier. To create a new website, follow the procedure outlined in Step by Step 4.17.

Step by Step

4.17 Creating a new website

1.

Click Start, Administrative Tools, Internet Information Services Manager.

2.

From the IIS Manager MMC, right-click the Web Sites entry and then select New, Web Site from the pop-up menu.

3.

On the Welcome to the Web Site Creation Wizard screen, click the Next button to continue.

4.

On the Web Site Description screen, type in a descriptive name for the website. Click the Next button to continue.

5.

The IP Address and Port Settings screen appears, as shown in Figure 4.36. From this screen, you can select the IP address, TCP port, or host header to which this website will respond. Make the appropriate choices, and then click the Next button to continue.

Figure 4.36. Specify the IP or port settings for the new website.


6.

The Web Site Home Directory screen appears. From this screen, you can select the folder that contains the files for your website. You can also specify that you want to allow anonymous access to your site. Make the appropriate choices and then click the Next button to continue.

7.

The Web Site Access Permissions screen appears. From this screen, you can specify the permissions you are granting visitors to your website. You should always specify the minimum permissions needed. Make the appropriate choices and then click the Next button to continue.

8.

When the Finishing the Web Site Creation Wizard screen appears, click the Finish button to save your settings. The new website appears in the IIS Manager console, listed under the Default Web Site entry.

Hosting Multiple Websites

In the previous Step by Step, you learned how to add an additional website to a web server, but we left out one small detail. If a web server is hosting multiple websites, how do you determine which website is presented to the browser?

When you're hosting multiple websites on a single server, each website must have a unique identity. This is accomplished by using the following identifiers:

  • Unique IP address: A unique IP address is used for each website hosted on the server. This method is commonly used for websites accessed over the Internet. Unique IP addresses are required when Secure Sockets Layer (SSL) is used.

  • Host header name: Host header names are used to differentiate websites when a single IP address is shared.

  • Nonstandard port number: A TCP port other than the default port 80. Nonstandard port numbers are rarely used on production web servers.

By configuring one or more of these identifiers, you can uniquely identify each website on your server. When using multiple IP addresses to identify the websites on your server, you can either install multiple network interface cards (NICs), each with a unique IP address, or just assign multiple IP addresses to a single NIC.

To identify a new website by IP address, use the procedure outlined in Step by Step 4.18.

Step by Step

4.18 Identifying a new website by IP address

1.

Click Start, Control Panel, Network Connections, Local Area Connection.

2.

From the Local Area Connection Status dialog box, click the Properties button.

3.

From the Local Area Connection Properties dialog box, highlight the Internet Protocol (TCP/IP) entry and then click the Properties button.

4.

When the Internet Protocol (TCP/IP) Properties dialog box appears, click the Advanced button.

5.

From the Advanced TCP/IP Settings dialog box, click the Add button.

6.

From the Advanced TCP/IP Address dialog box, enter the new IP address and subnet mask. When you're finished, click the Add button. Repeat this process for additional addresses.

7.

Click OK twice and then click the Close button on the Local Area Connection Properties dialog box and the Local Area Connection Status dialog box to save your settings.

8.

Click Start, Administrative Tools, Internet Information Services Manager.

9.

From the IIS Manager MMC, right-click the Web Sites entry and then select New, Web Site from the pop-up menu.

10.

On the Welcome to the Web Site Creation Wizard screen, click the Next button to continue.

11.

On the Web Site Description screen, type in a descriptive name for the website. Click the Next button to continue.

12.

The IP Address and Port Settings screen appears, as shown in Figure 4.37. Notice that if you click the drop-down list for the IP Address field, the new IP address you entered in the previous steps is available. Select the new IP address for your website and then refer to the information in Step by Step 4.17 to complete the website configuration.

Figure 4.37. Specify the IP address for the new website.


With the explosion in popularity of the Internet and the slow adoption of IPv6, the number of available IP addresses is dwindling rapidly. This means that it's not always possible or feasible to lease multiple IP addresses from an ISP to host multiple websites. Fortunately, websites can also be configured to respond to a unique host header.

A host header is nothing more than a unique DNS name that is used to identify one of the additional websites. The site that is using the host header shares the same port and IP address, but when the browser connects to that IP address, it requests the site by name in the host header. The server reads the request from the browser and directs it to the requested site. This allows you to host multiple sites at the same IP address; they just have to have unique host header names, such as www.abc.com, www.xyz.com, and so on.

Host headers require that you use a browser that supports HTTP 1.1 or later. If your browser does not support HTTP 1.1, you will be connected to the default website.

To identify a website by host header, use the procedure outlined in Step by Step 4.19.

Step by Step

4.19 Identifying a website by host header

1.

Click Start, Administrative Tools, Internet Information Services Manager.

2.

From the IIS Manager MMC, right-click a website entry and then select Properties from the pop-up menu.

3.

From the Web Site tab of the Properties dialog box, click the Advanced button.

4.

This opens the Advanced Web Site Identification dialog box. To add an additional host header to the existing IP address, highlight the IP address entry and then click the Add button.

5.

This opens the Add/Edit Web Site Identification dialog box, shown in Figure 4.38. Enter the desired host header name and assign it to port 80. Then click the OK button to save your settings. Repeat this for any additional host headers.

Figure 4.38. The Advanced Web Site Identification dialog box. Note that you can enter unique port numbers using this dialog box.


Note: Additional Security

Because all the sites now have host headers, you will not be able to connect to the website by IP address, giving an additional layer of security.


As noted in the previous procedure, the port number can be changed as well. When you're using a unique port number, it has to be entered in the URL as follows:

www.abc.com:60

A port number can be any number from 1 to 65535. Port numbers are rarely used, except for testing purposes.

Note: Port Numbers

Although it is technically true that any port number up to 65535 can be used, it is not a good idea to use any well-known ports for this purpose. Ports such as 25 (SMTP), 110 (POP), 3268 (LDAP), and 443 (SSL), among many others, would not make sense to serve web pages from.


Exam Alert: SSL and Host Headers Don't Mix

Host headers cannot be used with SSL because the domain name is encoded in the certificate, and the server is able to see only the IP address when the connection is made. When using SSL, you must use a unique IP address.


Challenge

When new websites and applications are added to a web server, by default they are placed in the DefaultAppPool application pool. To obtain the maximum benefit from running IIS 6.0, you should assign your applications to separate application pools.

In this scenario, you are required to create a new website and then assign it to a new application pool. You should do this using as few steps as possible.

How would you set this up?

You should try working through this problem on your own first. If you get stuck, or if you'd like to see one possible solution, follow these steps:

1.

Click Start, Administrative Tools, Internet Information Services Manager.

2.

From the IIS Manager MMC, right-click the Web Sites entry and then select New, Web Site from the pop-up menu.

3.

On the Welcome to the Web Site Creation Wizard screen, click the Next button to continue.

4.

On the Web Site Description screen, type in a descriptive name for the website. Click the Next button to continue.

5.

The IP Address and Port Settings screen appears. From this screen, you can select the IP address, TCP port, or host header to which this website will respond. Make the appropriate choices and then click the Next button to continue.

6.

The Web Site Home Directory screen appears. From this screen, you can select the folder that contains the files for your website. You can also specify that you want to allow anonymous access to your site. Make the appropriate choices and then click the Next button to continue.

7.

The Web Site Access Permissions screen appears. From this screen, you can specify the permissions you are granting visitors to your website. You should always specify the minimum permissions needed. Make the appropriate choices and then click the Next button to continue.

8.

When the Finishing the Web Site Creation Wizard screen appears, click the Finish button to save your settings.

9.

From the IIS Manager MMC, expand the Web Sites entry, right-click the name of the website you just created, and then select Properties from the pop-up menu.

10.

This opens the Web Sites Properties dialog box. Click the Home Directory tab.

11.

From the Home Directory tab, shown in Figure 4.39, select the application pool you want to assign the website to. Click the OK button to save this setting.

Figure 4.39. The Home Directory tab, where you select the application pool for your website.


12.

The website is listed in the assigned application pool.
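The Home Directory permissions (the "Invitation to Disaster" note), the site-identity rules for IP addresses, host headers, ports and SSL, and the Challenge's point about DefaultAppPool can all be checked offline against a copy of Metabase.xml. The following audit script is added for this page and is not Microsoft's tooling or code from the book; it assumes the IIS 6.0 metabase property names IIsWebServer, IIsWebVirtualDir, ServerBindings, SecureBindings, AccessFlags and AppPoolId, and the metabase fragment it reads is constructed, not taken from a real server.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed Metabase.xml fragment with deliberate mistakes for the audit to find.
# Path values contain literal backslashes, hence the raw string.
SAMPLE_METABASE = r"""<?xml version="1.0"?>
<configuration>
<MBProperty>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
    ServerBindings=":80:" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\inetpub\wwwroot"
    AccessFlags="AccessRead | AccessScript" AppPoolId="DefaultAppPool" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="ABC"
    ServerBindings=":80:www.abc.com" SecureBindings="10.0.0.5:443:" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" Path="d:\sites\abc"
    AccessFlags="AccessRead | AccessWrite | AccessExecute" AppPoolId="DefaultAppPool" />
<IIsWebServer Location="/LM/W3SVC/3" ServerComment="XYZ"
    ServerBindings=":80:www.xyz.com&#xD;&#xA;:80:&#xD;&#xA;:25:"
    SecureBindings="10.0.0.5:443:www.xyz.com" />
<IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT" Path="d:\sites\xyz"
    AccessFlags="AccessRead | AccessSource" AppPoolId="XyzPool" />
</MBProperty>
</configuration>
"""

# Well-known ports the chapter names as unsuitable for serving web pages.
WELL_KNOWN = {25: "SMTP", 110: "POP", 443: "SSL", 3268: "LDAP"}


def split_multisz(value):
    """Multi-valued metabase strings are stored with CR/LF between entries."""
    return [v for v in value.replace("\r", "\n").split("\n") if v.strip()]


def parse_binding(entry):
    """'ip:port:host' -> (ip, port, host); an empty ip means All Unassigned."""
    ip, port, host = entry.split(":", 2)
    return ip, int(port), host.lower()


def parse_metabase(xml_text):
    """Collect each site's bindings plus the AccessFlags and pool of its ROOT."""
    root = ET.fromstring(xml_text)
    sites = {}
    for el in root.iter("IIsWebServer"):
        loc = el.get("Location")
        sites[loc] = {
            "name": el.get("ServerComment", loc),
            "bindings": [parse_binding(b) for b in split_multisz(el.get("ServerBindings", ""))],
            "secure": [parse_binding(b) for b in split_multisz(el.get("SecureBindings", ""))],
            "flags": set(),
            "pool": None,
        }
    for el in root.iter("IIsWebVirtualDir"):
        loc = el.get("Location")
        site = loc.rsplit("/ROOT", 1)[0]
        if loc.endswith("/ROOT") and site in sites:
            flags = el.get("AccessFlags", "")
            sites[site]["flags"] = {f.strip() for f in flags.split("|") if f.strip()}
            sites[site]["pool"] = el.get("AppPoolId")
    return sites


def audit(sites):
    """Return one finding string per risky setting described in the chapter."""
    findings = []
    seen = Counter(b for s in sites.values() for b in s["bindings"])
    seen_ssl = Counter((ip, port) for s in sites.values() for ip, port, _ in s["secure"])
    for s in sites.values():
        n, f = s["name"], s["flags"]
        if "AccessWrite" in f and ("AccessExecute" in f or "AccessScript" in f):
            findings.append(f"{n}: Write combined with Execute/Scripts lets visitors upload and run code")
        if "AccessSource" in f:
            findings.append(f"{n}: Script Source Access exposes page source; development sites only")
        for ip, port, host in s["bindings"]:
            if seen[(ip, port, host)] > 1:
                findings.append(f"{n}: binding {ip or '*'}:{port}:{host or '-'} is not unique")
            if port in WELL_KNOWN:
                findings.append(f"{n}: port {port} is reserved for {WELL_KNOWN[port]}")
        for ip, port, host in s["secure"]:
            if host:
                findings.append(f"{n}: host header '{host}' is ignored on SSL binding {ip or '*'}:{port}")
            if seen_ssl[(ip, port)] > 1:
                findings.append(f"{n}: SSL binding {ip or '*'}:{port} shared with another site; SSL needs a unique IP")
    pools = {s["pool"] for s in sites.values()}
    if len(sites) > 1 and pools == {"DefaultAppPool"}:
        findings.append("all sites share DefaultAppPool; one failure affects every site")
    return findings


if __name__ == "__main__":
    for line in audit(parse_metabase(SAMPLE_METABASE)):
        print(line)
```

Run it against a copy of %systemroot%\System32\inetsrv\Metabase.xml taken from a test server; with Metabase History enabled, the same parser works on the saved history copies to see when a risky flag was introduced.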


Managing Security for IIS

Objective:

Manage Security for IIS

As mentioned earlier in the chapter, IIS is probably the subsystem of Windows Server 2003 that has received the most attention, especially related to security. In IIS 6.0, the worker processes and most of the ASP functions run in the Network Service security context, which is a low-privileged context. In addition, each of these worker processes can exist in a separate application pool, thereby isolating it from other processes. This lessens the exposure to poorly written code, or to hackers inserting malicious code, that would otherwise crash the entire web server.

In addition, a worker process that fails, for example because of a buffer overflow (previously a favorite exploit), is terminated and replaced automatically rather than left running in a corrupted state. Together with the refusal to serve files whose extensions are not registered as known MIME types, and the default block on running command-line tools such as cmd.exe from web content, these low-level changes make IIS 6.0 far more secure than any previous version.

We partially covered the contents of the Directory Security tab when configuring restrictions for access to the Remote Administration Console. We have already examined how to restrict access to a website by IP address and domain name. However, several other settings are important to IIS security.

If you select the Edit button in the Authentication and Access Control section of the Directory Security tab, you open the Authentication Methods dialog box, shown in Figure 4.40.

Figure 4.40. Multiple authentication methods are available from this dialog box.


When IIS is installed, two accounts are created: IUSR_servername and IWAM_servername. IWAM_servername is used to launch out-of-process applications only when IIS runs in IIS 5.0 isolation mode; in the default worker process isolation mode, application pools run as Network Service instead. The IUSR_servername account is a member of the local Guests group and is the identity under which anonymous requests access resources published on IIS. For example, if you have a website that you want to publish so that anyone on the Internet can access it without authentication, you would grant the IUSR_servername account read access to the necessary resources. You can change the account used for anonymous access, or you can disable anonymous access completely.

The second half of the dialog box controls authenticated access. Authenticated access integrates the web server with Windows security: the user must present a user ID and password (or equivalent credentials) that correspond to an account stored either locally on the web server or in the Active Directory domain database. When anonymous access is disabled, all users who attempt to access the website are prompted for a user ID and password. Authentication is also required when the website resources are protected by NTFS permissions that the anonymous account does not satisfy.

Four types of authenticated access are available:

  • Integrated Windows Authentication If the web server and the client are members of the same or trusted domains, the browser authenticates the logged-on user automatically and the user is not prompted for a password. The password itself never crosses the network: the client proves that it knows the password through a Kerberos ticket or an NTLM challenge/response exchange. This method does not work through some firewalls and proxies, but it is fine for intranets.

  • Digest Authentication This method requires Internet Explorer 5 or later, an Active Directory domain, and domain accounts whose passwords are stored using reversible encryption (Windows Server 2003 domain controllers can instead use Advanced Digest, which keeps a precomputed hash of the user name, realm and password). The password is not sent; the client returns an MD5 hash computed over the user name, realm, password, a server-supplied nonce and the request. This method works through most firewalls, but it protects only the logon, not the content of the session, so it should still be combined with SSL when the data matters.

  • Basic Authentication This is the least secure method because it transmits the user name and password in clear text (Base64-encoded, which anyone capturing the traffic can decode instantly). However, it is supported by just about every browser and proxy. Basic Authentication is usually used in combination with SSL so that the whole exchange, password included, is encrypted.

  • .NET Passport Authentication This is a new feature in Windows Server 2003. It uses the Passport Authentication system that Microsoft is marketing to e-commerce websites: a user creates a single sign-on that is honored across Passport-enabled sites, and authentication is performed by a central Passport Authentication server rather than by your web server. When Passport Authentication is selected, a default domain must be specified.

The final two options available from the Authentication Methods dialog box are as follows:

  • Default Domain Users whose accounts are in this domain do not need to type the domain name when logging on to the website; IIS supplies it when a Basic logon omits it.

  • Realm This is the realm string IIS sends in its authentication challenge. For Basic Authentication it is the text the browser shows in its logon prompt; for Digest Authentication it is also an input to the hashed response, so the client, the web server and the domain controller must agree on it. It is normally the domain name. It is not a pointer to an external authentication service such as a RADIUS or Internet Authentication Service (IAS) server.
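Added example, not from the book, tying together the authentication methods above and the Realm field: it builds the Authorization header a browser sends for Basic and for Digest Authentication and performs the check the server does on receipt. It uses the simpler RFC 2069 form of Digest (no qop, cnonce or nc) to keep the arithmetic readable; IIS 6.0 and current browsers add those fields, but the idea is the same. The user name, password, realm, URI and nonce values are constructed for the demonstration.

```python
"""Added example, not from the book: what Basic and Digest credentials look like
on the wire, and what the server must hold to verify them.

User, password, realm, URI and nonce are constructed values.
"""
import base64
import hashlib
import hmac
import re
import secrets

REALM = "corp.example.com"   # the Realm field of the Authentication Methods dialog
USER = "alice"
PASSWORD = "S3cret!"
URI = "/reports/q3.asp"


def basic_header(user: str, password: str) -> str:
    """Authorization header a browser sends for Basic Authentication.
    The credentials are only Base64-encoded, which is not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def basic_decode(header: str) -> tuple:
    """Anyone who captures the header (proxy log, sniffer) gets the password back."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). Verifying a Digest response needs this
    value, so the server side must hold the password itself (reversible
    encryption) or this precomputed hash; a one-way NT hash cannot be turned
    into it. The realm is baked in, so it must match the server's challenge."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2069 response: MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def client_digest_header(user, password, realm, nonce, method, uri) -> str:
    """What the browser answers to 'WWW-Authenticate: Digest realm=..., nonce=...'."""
    response = digest_response(digest_ha1(user, realm, password), nonce, method, uri)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


_FIELD = re.compile(r'(\w+)="([^"]*)"')


def server_verify_digest(header: str, stored_ha1: str, issued_nonce: str,
                         method: str, realm: str = REALM) -> bool:
    """Server-side check: recompute the response from the stored HA1 and the
    nonce this server issued. A captured header replayed against a fresh
    nonce, a wrong password, a wrong realm or a different method all fail."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        return False
    fields = dict(_FIELD.findall(params))
    if fields.get("nonce") != issued_nonce or fields.get("realm") != realm:
        return False
    expected = digest_response(stored_ha1, issued_nonce, method, fields.get("uri", ""))
    return hmac.compare_digest(expected, fields.get("response", ""))


def new_nonce() -> str:
    """Server-generated, unpredictable challenge (32 hex characters)."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Basic: the password is fully recoverable from the header.
    hdr = basic_header(USER, PASSWORD)
    print(hdr, "->", basic_decode(hdr))

    # Digest: only a hash tied to the server's nonce crosses the wire.
    ha1 = digest_ha1(USER, REALM, PASSWORD)          # what the server keeps
    nonce = new_nonce()
    hdr = client_digest_header(USER, PASSWORD, REALM, nonce, "GET", URI)
    print(hdr)
    print("valid:", server_verify_digest(hdr, ha1, nonce, "GET"))
    print("replayed against a new nonce:", server_verify_digest(hdr, ha1, new_nonce(), "GET"))
```

Run it and compare the two headers: the Basic one decodes back to the password with one call, while the Digest one is useless to a replaying attacker as soon as the server issues a different nonce. Neither scheme hides the request or response body, which is why both are normally run over SSL.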

As mentioned briefly in the previous paragraphs, NTFS can be used to control access to resources on the web server. For example, if anonymous access is enabled but there are sensitive areas on your web server, you can control access to those areas using NTFS security: simply exclude or deny the IUSR_servername account on those resources. When a user attempts to access them, the anonymous request fails and IIS prompts for a user ID and password, using whichever authenticated method is enabled for the site.

Another method of securing access to a web server is via Secure Sockets Layer (SSL). We mentioned SSL briefly earlier in this chapter but have not yet explained it. SSL is used with HTTP (as HTTPS) to encrypt all traffic between the browser and the web server, and it lets the browser verify that it is talking to the genuine server. This is especially critical for e-commerce sites: the last thing you want is a credit card number crossing the Internet in clear text!

SSL works with public-key cryptography. The web server holds a private key, and a certificate issued by a trusted source binds the matching public key to the server's DNS name. The certificate is used to authenticate the server and to agree on a session key; it is that session key, not the certificate, that encrypts the data passing between the client and the web server. Certificates are issued by Certificate Authorities (CAs), of which VeriSign is the most prominent. Website administrators apply to the CA for a certificate and must provide the proper credentials to prove their identity. After the CA is satisfied that they are who they say they are, it issues the certificate, and the administrators install it on their web servers.

This same process can be used by enterprises using their own CAs to issue certificates to employees or contractors wishing to access web content from outside the boundaries of these organizations' LANs. In this case, the CA issuing the certificates is not a public CA (like VeriSign) but rather a private one controlled internally. In many cases, organizations choose to run Microsoft Certificate Services to issue and manage these certificates. Other CA software vendors also exist, but Microsoft's CA is the most common because the software is included as part of Windows Server 2003 for no additional charge.

When clients connect to the website, they might be presented with a prompt asking whether they trust the certificate. This normally does not occur when the certificate was issued by VeriSign or another CA already in the browser's trusted root store, is within its validity period, and carries the same DNS name the client typed in the URL. A certificate from an internal CA produces the prompt until that CA's root certificate has been distributed to the clients. The client and the web server then negotiate a connection, and all traffic between them is encrypted.

In addition to server certificates, clients can be issued certificates as well. This enables a password-free logon: the client proves possession of the private key that matches its certificate, and IIS maps the certificate to a Windows account. Three steps are involved in setting up SSL on a web server:

1.

Generate a certificate request.

2.

Install the certificate.

3.

Configure the server to use certificates.

To generate a certificate request, use the procedure in Step by Step 4.20.

Step by Step

4.20 Generating a certificate request

1.

Click Start, Administrative Tools, Internet Information Services Manager.

2.

From the IIS Manager MMC, right-click the website entry, and then select Properties from the pop-up menu.

3.

From the Directory Security tab of the Properties dialog box, click the Server Certificate button.

4.

This opens the IIS Certificate Wizard. Click the Next button to continue.

5.

The Server Certificate screen appears, as shown in Figure 4.41. Select the Create a New Certificate radio button, and then click the Next button.

Figure 4.41. The Server Certificate screen presents various options to use with certificates.


6.

The Delayed or Immediate Request screen appears. Select Prepare the Request Now, but Send It Later radio button. Click Next to continue.

7.

The Name and Security Settings screen appears. Enter a descriptive name for the certificate, and choose the key length. A longer key is harder to break but makes each SSL handshake more expensive for the server; choose at least 1024 bits (2048 bits is the norm today). Click Next to continue.

8.

The Organization Information screen appears. Enter a descriptive name for your organization. Click Next to continue.

9.

The Site Common Name screen appears. Enter the fully qualified DNS name by which clients will reach the site (for example, www.example.com), not the server's NetBIOS name. Browsers compare this name with the host name in the URL they requested, and any mismatch produces a certificate warning. Click Next to continue.

10.

The Geographical Information screen appears. Enter the appropriate information for your organization, and click Next to continue.

11.

The Certificate Request File Name screen appears. Enter the location where you want to save the certificate request file. Click Next to continue.

12.

The Request File Summary screen appears, as shown in Figure 4.42. Confirm that the settings are correct, and then click Next to continue.

Figure 4.42. Verify the settings.


13.

Click Finish to save the request file.

After the request file has been created, it must be sent to the Certificate Authority for approval. After the CA has processed your request, you receive a certificate from the CA. To install the received certificate, follow the procedure outlined in Step by Step 4.21.

Step by Step

4.21 Installing a certificate

1.

Click Start, Administrative Tools, Internet Information Services Manager.

2.

From the IIS Manager MMC, right-click the website entry, and then select Properties from the pop-up menu.

3.

From the Directory Security tab of the Properties dialog box, click the Server Certificate button.

4.

This opens the IIS Certificate Wizard. Click Next to continue.

5.

The Pending Certificate Request screen appears, as shown in Figure 4.43. Select the Process the Pending Request and Install the Certificate radio button, and then click the Next button.



Figure 4.43. The Pending Certificate Request screen enables you to process the request or delete it.


6.

The Process a Pending Request screen appears. Select the path and filename of the certificate, and click Next to continue.

7.

The certificate is loaded, and you are presented with the Certification Summary screen. If the displayed configuration is correct, click Next to continue.

8.

Click the Finish button.

After the certificate is installed, the final step is to configure the settings on the website to use SSL. To configure the website to support SSL, follow the procedure outlined in Step by Step 4.22.

Step by Step

4.22 Configuring the website to support SSL

1.

Click Start, Administrative Tools, Internet Information Services Manager.

2.

From the IIS Manager MMC, right-click the website entry, and then select Properties from the pop-up menu.

3.

From the Directory Security tab of the Properties dialog box, click the Edit button in the Secure Communications area.

4.

This opens the Secure Communications dialog box, shown in Figure 4.44. Select the Require Secure Channel (SSL) check box; if the site must not fall back to weak export-grade ciphers, also select Require 128-bit Encryption. Then click OK. From this point on, a plain HTTP request to the site is refused with HTTP error 403.4 (SSL required).



Figure 4.44. By default the server accepts 40-bit as well as 128-bit encryption; select Require 128-bit Encryption to refuse the weaker ciphers.
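Added example, not from the book: once the certificate from Step by Step 4.21 is installed and SSL is required, the check worth running is whether the certificate's name actually matches the DNS name users type, which is what the Site Common Name step determines, and whether it is still within its validity period. The Python below applies the browser's name-matching rules to the dictionary shape that ssl.SSLSocket.getpeercert() returns; SAMPLE_CERT and the host names are constructed, and live_check() runs the same test against a real HTTPS site.

```python
"""Added example, not from the book: verify that an installed server certificate
matches the site's DNS name and has not expired, the two things (besides
issuer trust) that make a browser show a certificate warning.

SAMPLE_CERT and the host names are constructed; the dictionary has the shape
returned by ssl.SSLSocket.getpeercert().
"""
from __future__ import annotations

import socket
import ssl
import time

# Constructed to look like getpeercert() output for a certificate issued to
# www.example.com with a wildcard subject alternative name.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}


def names_in(cert: dict) -> list[str]:
    """DNS names the certificate is valid for: the subjectAltName entries when
    present, otherwise the subject common name (the wizard's Site Common Name)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """Browser-style match: exact (case-insensitive) or a single leading
    wildcard label. '*.example.com' covers mail.example.com but neither
    example.com nor a.b.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return False


def check_cert_names(cert: dict, host: str, now: float | None = None) -> list[str]:
    """Return the problems a browser would warn about for this host; an empty
    list means the name and validity period are fine. 'now' is epoch seconds
    (default: current time) so the check can be run against fixed dates."""
    problems = []
    valid_for = names_in(cert)
    if not any(name_matches(name, host) for name in valid_for):
        problems.append(f"name mismatch: certificate is for {valid_for}, site is {host}")
    expires = ssl.cert_time_to_seconds(cert["notAfter"])   # UTC epoch seconds
    if expires < (time.time() if now is None else now):
        problems.append("expired on " + time.strftime("%Y-%m-%d", time.gmtime(expires)))
    return problems


def live_check(host: str, port: int = 443) -> list[str]:
    """Run the same check against a running HTTPS site. The context still
    requires a certificate that chains to a trusted root (a certificate from an
    internal CA the client does not trust raises ssl.SSLCertVerificationError);
    built-in hostname matching is turned off only so that a mismatch comes back
    as a message instead of an exception."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_cert_names(tls.getpeercert(), host)


if __name__ == "__main__":
    for site in ("www.example.com", "mail.example.com", "example.com"):
        print(site, "->", check_cert_names(SAMPLE_CERT, site) or "OK")
```

Running the script shows the wildcard entry covering mail.example.com but not the bare domain, which is exactly the mismatch that makes browsers warn when a site is reached by a name other than the one entered in the wizard. To test a server you have just configured, call live_check("www.example.com") with the site's real name.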


Managing security for IIS 6.0 is an important topic, especially in light of all the attention IIS has received as a favored target for attackers. One of the best strategies to secure IIS is to enable only the minimal features required by the applications it runs: leave dynamic-content extensions disabled until they are needed, keep anonymous access limited to read-only NTFS permissions for the IUSR_servername account, and require SSL wherever credentials or sensitive data cross the wire. Also, never grant any user more authority than he or she will ever require.




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
Year: 2006
Pages: 219
Authors: Lee Scales
