Basic Administrative Tasks

[Previous] [Next]

This chapter concludes with a look at some of the basic administrative tasks you can perform on Web sites and FTP sites by using the Internet Information Services console. The next chapter takes a more detailed look at the various settings that you can configure for these sites. For now, the focus is on basic tasks like configuring permissions, stopping and starting services, and enabling Microsoft FrontPage extensions on the server.

Configuring Permissions

Understanding permissions and how they are configured and applied on IIS 5 is a part of the larger picture of understanding IIS security in general. This section covers the various levels of security that you can use to control access to content in Windows 2000 Server Web sites and FTP sites—and looks at the order in which these layers are applied. You'll also learn a fast and easy way to secure your Web sites and FTP sites: by using the IIS 5 Permissions Wizard. (More detailed information on configuring individual aspects of IIS 5 security is covered in the next chapter.)

Understanding IIS 5 Security

Administrators can control access to content on Web sites and FTP sites hosted on IIS 5 in four different ways. These methods are applied in order each time a user tries to access a Web or FTP resource (an HTML or other file) on the server. The four-stage access control model is presented below, and only when all four of these rules have been applied and passed is the user granted access to the requested resource.

  1. Is the user's IP address or domain name allowed access to the resource?
  2. If not, access is denied and no further rules are applied. You can configure IP address and domain name restrictions using the Directory Security tab of the Properties window for the Web site, FTP site, or virtual or physical directory, or on the File Security tab of the Properties window for a file. Note that the Properties windows referred to here and in the next two steps apply to those accessed from the Internet Information Services console window. (See the next chapter for more information on these Properties windows.)

  3. Has the user been properly authenticated for accessing the resource?
  4. If not, access is denied and no further rules are applied. You can configure authentication security settings on the Directory Security tab of the Properties window for a Web site or virtual or physical directory, on the File Security tab of the Properties window for a file, or on the Security Accounts tab of the Properties window for an FTP site. Note that you can't configure this level of security on virtual directories that are located within FTP sites, only on those within Web sites.

  5. Are the IIS access and application permissions configured to allow users access to the resource?
  6. If not, access is denied and no further rules are applied. You can configure IIS access and application permissions on the Home Directory tab of the Properties window for a Web site or FTP site; on the Virtual Directory tab of the Properties window for a virtual directory; on the Directory tab of the Properties window for a physical directory; or on the File tab of the Properties window for a file.

  7. Do NTFS permissions on the resource allow the user to access the resource?
  8. If not, access to the resource is denied to the user. NTFS permissions are configured in the usual way by using the Security tab of the Properties window for the resource in My Computer.

NOTE
In the four-stage access control model, steps 2 and 4 are user-specific, while steps 1 and 3 apply regardless of the user's identity. In other words, IP address/domain name restrictions and IIS access/application permissions are global settings that apply uniformly for all users.

Using the Permissions Wizard

An easy way to configure permissions on Web sites and FTP sites, virtual and physical directories, and files in Internet Information Services is to use the Permissions Wizard. To see how the wizard works, follow these steps to configure permissions on the /sales virtual directory created earlier within the Scribes Ltd. Web site.

  1. Right-click the /sales node under the Scribes Ltd. node in the console tree of Internet Information Services, point to All Tasks, and choose Permissions Wizard from the shortcut menu. This starts the Permissions Wizard.
  2. Click Next to move to the Security Settings screen of the wizard. You'll be asked if you want security settings for the selected node to be inherited from the parent node or whether new settings should be specified. Select the first option, Inherit All Security Settings, and click Next.
  3. Click Next once more. The Security Summary screen appears, indicating what security settings will be applied from the parent node—which in this case is the Scribes Ltd. Web site (Figure 27-15). Note that the four types of security settings that are listed on this screen agree with the four rules for access control discussed previously—except that they aren't listed in order here!
  4. Click Back twice to return to the previous Security Settings screen, and this time select the second option, Select New Security Settings From A Template. Click Next to move to the Site Scenario screen of the wizard (Figure 27-16).
  5. click to view at full size.

    Figure 27-15. The Security Summary screen of the Permissions Wizard.

    click to view at full size.

    Figure 27-16. The Site Scenario screen of the Permissions Wizard.

    This screen provides two different basic security templates that you can apply to the selected site or virtual directory. The two options here are

    • Public Web Site This template allows all users to browse static and dynamic content on the selected site or directory. Use this setting to configure security for public Internet sites.
    • Secure Web SiteThis template allows only users with a valid Windows 2000 account to view static and dynamic content on the selected site or directory. Use this setting to configure security for private intranet sites.

  6. Select the first option, Public Web Site, and click Next twice to display the Security Summary screen for this choice. Note that the only authentication method that will be configured is Anonymous Users Allowed.
  7. Click Back to return to the Site Scenario screen. Select the second option, Secure Web Site, and click Next twice to display the Security Summary screen for this choice. Note the variety of authentication methods allowed (discussed in the next chapter). Click Next and then click Finish to complete the wizard.

Obviously, the Permissions Wizard allows you to perform only a general configuration of IIS 5 security settings. For more granular security, you have to use the Internet Information Services Properties windows, discussed in the next chapter.

Stopping, Starting, and Pausing IIS Services

Remember that individual Web sites and FTP sites that are created on IIS 5 are actually virtual servers; that is, they act and behave as if they were separate Windows 2000 servers and had access to all the resources on the server. This allows Web sites for many different companies to be hosted on a single Windows 2000 Server machine. Sometimes you might need to stop, start, or pause IIS services on these machines, however. For example, when files are being modified on a Web site, it's usually smart to pause the site so that no new user connections can be established with the site and to allow users who are currently connected a grace period before they're disconnected.

Another example is when you're testing a Web application developed by using ASP—you might need to stop and then restart the site during the testing process if the application hangs or becomes unresponsive. The trouble is, if you have multiple sites running on your server, you don't want to bring them all down just to deal with the problems of a particular site.

To solve this problem, Windows 2000 Server allows you to use the Internet Service Manager to stop individual Web sites and FTP sites without having to stop the WWW and FTP Publishing Services for all sites on the server. To pause, stop, or start a site, simply select the node in the console tree that represents the site and do one of the following:

  • Click the appropriate control button on the toolbar.
  • Right-click the node and make the appropriate choice from the shortcut menu.
  • Click the Action button and select the appropriate choice from the drop-down menu.

Alternately, you can start, stop, or restart all Web and FTP sites on your server by selecting the node representing the server in the console tree of Internet Services Manager; simply click the Action button on the toolbar and select Restart IIS from the drop-down menu. You might expect that you could stop all Web sites running on a machine by stopping the WWW Publishing Service using the Services node under System Tools in Computer Management. Don't do it this way. IIS services are implemented differently from other Windows 2000 services and should not be stopped or started in this fashion. Finally, if you want to restart IIS from the command line, you can type iisreset<Computer_Name>. You can also use this command in a batch file.

Using FrontPage Server Extensions

IIS 5 uses a set of proprietary server-side DLLs called FrontPage extensions to support many of the advanced FrontPage features, such as its ability to create navigation bars, search tools, discussion Webs, and so on. Finally, let's look at installing FrontPage server extensions on IIS 5.0. In IIS, this is a basic Web server administration task for networks where developers use the popular Web content creation tool, FrontPage. We won't get into content development at all but will simply examine how to enable the server to operate with FrontPage.

Enabling FrontPage Extensions on a Web Site

Even though the necessary software to support FrontPage is pre-installed, you still need to enable these extensions on the specific Web sites that your FrontPage content developers will be using. To illustrate, use the Scribes Ltd. Web site and follow these steps:

  1. Right-click the Scribes Ltd. node in the Internet Service Manager console tree, point to All Tasks, and choose Configure Server Extensions from the shortcut menu. This opens the Server Extensions Configuration Wizard (Figure 27-17). Note that this wizard can't create a new Web site; it can configure a Web site only for FrontPage users.
  2. click to view at full size.

    Figure 27-17. The Server Extensions Configuration Wizard.

  3. Click Next to create local Windows groups that can be used to identify which users are FrontPage administrators, authors, and browsers for the selected Web site. These three groups can be described as follows:
    • Administrators Can create new FrontPage Webs, change settings on the Web site, control the site authoring process, author new content, and browse existing content in the site.
    • Authors Can author new content and browse existing content in the site.
    • Browsers Can browse only existing content in the site.

  4. Click Next and specify a Windows group or user account that will be the Web administrator for the selected site.
  5. Click Next and specify SMTP e-mail settings for the site (if necessary).
  6. Click Finish to enable and configure FrontPage extensions on the site.
  7. Click the Action button on the Internet Information Services toolbar and choose Refresh from the drop-down menu to refresh the window view. Suddenly your selected Web site has been populated with a whole series of virtual and physical subdirectories with their associated server extension files (Figure 27-18).

CAUTION
Do not delete any of these FrontPage files or directories, or the server extensions might fail to work properly!

click to view at full size.

Figure 27-18. Directories created by enabling FrontPage server extensions on the site.



Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
Microsoft Windows 2000 Server Administrators Companion (IT-Administrators Companion)
ISBN: 1572318198
EAN: 2147483647
Year: 2000
Pages: 366

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net