This chapter concludes with a look at some of the basic administrative tasks you can perform on Web sites and FTP sites by using the Internet Information Services console. The next chapter takes a more detailed look at the various settings that you can configure for these sites. For now, the focus is on basic tasks like configuring permissions, stopping and starting services, and enabling Microsoft FrontPage extensions on the server.
Understanding permissions and how they are configured and applied on IIS 5 is a part of the larger picture of understanding IIS security in general. This section covers the various levels of security that you can use to control access to content in Windows 2000 Server Web sites and FTP sites—and looks at the order in which these layers are applied. You'll also learn a fast and easy way to secure your Web sites and FTP sites: by using the IIS 5 Permissions Wizard. (More detailed information on configuring individual aspects of IIS 5 security is covered in the next chapter.)
Administrators can control access to content on Web sites and FTP sites hosted on IIS 5 in four different ways. These methods are applied in order each time a user tries to access a Web or FTP resource (an HTML or other file) on the server. The four-stage access control model is presented below, and only when all four of these rules have been applied and passed is the user granted access to the requested resource.
If not, access is denied and no further rules are applied. You can configure IP address and domain name restrictions using the Directory Security tab of the Properties window for the Web site, FTP site, or virtual or physical directory, or on the File Security tab of the Properties window for a file. Note that the Properties windows referred to here and in the next two steps apply to those accessed from the Internet Information Services console window. (See the next chapter for more information on these Properties windows.)
If not, access is denied and no further rules are applied. You can configure authentication security settings on the Directory Security tab of the Properties window for a Web site or virtual or physical directory, on the File Security tab of the Properties window for a file, or on the Security Accounts tab of the Properties window for an FTP site. Note that you can't configure this level of security on virtual directories that are located within FTP sites, only on those within Web sites.
If not, access is denied and no further rules are applied. You can configure IIS access and application permissions on the Home Directory tab of the Properties window for a Web site or FTP site; on the Virtual Directory tab of the Properties window for a virtual directory; on the Directory tab of the Properties window for a physical directory; or on the File tab of the Properties window for a file.
If not, access to the resource is denied to the user. NTFS permissions are configured in the usual way by using the Security tab of the Properties window for the resource in My Computer.
NOTE
In the four-stage access control model, steps 2 and 4 are user-specific, while steps 1 and 3 apply regardless of the user's identity. In other words, IP address/domain name restrictions and IIS access/application permissions are global settings that apply uniformly for all users.
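The evaluation order described above, modelled as an added example (not code from the book or from IIS): each stage runs only if the previous one passed, and the function reports which stage denied the request. The Resource class, the deny-list form of stage 1, the account names and passwords, and the IUSR_EXAMPLE anonymous identity are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANONYMOUS = "IUSR_EXAMPLE"  # constructed placeholder for the anonymous account

@dataclass
class Resource:
    """Constructed stand-in for a site, directory or file (not an IIS API)."""
    denied_networks: list = field(default_factory=list)  # stage 1, global
    allow_anonymous: bool = True                         # stage 2
    accounts: dict = field(default_factory=dict)         # stage 2: user -> password
    iis_permissions: set = field(default_factory=set)    # stage 3, global
    ntfs_acl: dict = field(default_factory=dict)         # stage 4: user -> rights

def check_access(res, client_ip, action, user=None, password=""):
    """Return (granted, stage); stage is the step that denied, 0 if granted."""
    # Stage 1: IP address restrictions, identical for every user.
    addr = ip_address(client_ip)
    if any(addr in ip_network(net) for net in res.denied_networks):
        return (False, 1)
    # Stage 2: authentication, user-specific.
    if user is None:
        if not res.allow_anonymous:
            return (False, 2)
        identity = ANONYMOUS
    elif user in res.accounts and hmac.compare_digest(res.accounts[user], password):
        identity = user
    else:
        return (False, 2)
    # Stage 3: IIS access permissions, identical for every user.
    if action not in res.iis_permissions:
        return (False, 3)
    # Stage 4: NTFS permissions, checked against the authenticated identity.
    if action not in res.ntfs_acl.get(identity, set()):
        return (False, 4)
    return (True, 0)

# Constructed sample: a /sales directory that is read-only at the IIS layer.
sales = Resource(
    denied_networks=["203.0.113.0/24"],
    allow_anonymous=False,
    accounts={"alice": "pw-a", "bob": "pw-b"},
    iis_permissions={"read"},
    ntfs_acl={"alice": {"read", "write"}, "bob": set()},
)

if __name__ == "__main__":
    print(check_access(sales, "198.51.100.5", "write", "alice", "pw-a"))
```

In the sample, alice holds NTFS write rights, yet a write request stops at stage 3 because the IIS-level permission is read-only for every user.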
An easy way to configure permissions on Web sites and FTP sites, virtual and physical directories, and files in Internet Information Services is to use the Permissions Wizard. To see how the wizard works, follow these steps to configure permissions on the /sales virtual directory created earlier within the Scribes Ltd. Web site.
Figure 27-15. The Security Summary screen of the Permissions Wizard.
Figure 27-16. The Site Scenario screen of the Permissions Wizard.
This screen provides two different basic security templates that you can apply to the selected site or virtual directory. The two options here are
Obviously, the Permissions Wizard allows you to perform only a general configuration of IIS 5 security settings. For more granular security, you have to use the Internet Information Services Properties windows, discussed in the next chapter.
Remember that individual Web sites and FTP sites that are created on IIS 5 are actually virtual servers; that is, they act and behave as if they were separate Windows 2000 servers and had access to all the resources on the server. This allows Web sites for many different companies to be hosted on a single Windows 2000 Server machine. Sometimes you might need to stop, start, or pause IIS services on these machines, however. For example, when files are being modified on a Web site, it's usually smart to pause the site so that no new user connections can be established with the site and to allow users who are currently connected a grace period before they're disconnected.
Another example is when you're testing a Web application developed by using ASP—you might need to stop and then restart the site during the testing process if the application hangs or becomes unresponsive. The trouble is, if you have multiple sites running on your server, you don't want to bring them all down just to deal with the problems of a particular site.
To solve this problem, Windows 2000 Server allows you to use Internet Services Manager to stop individual Web sites and FTP sites without having to stop the WWW and FTP Publishing Services for all sites on the server. To pause, stop, or start a site, simply select the node in the console tree that represents the site and do one of the following:
Alternatively, you can start, stop, or restart all Web and FTP sites on your server by selecting the node representing the server in the console tree of Internet Services Manager; simply click the Action button on the toolbar and select Restart IIS from the drop-down menu. You might expect that you could stop all Web sites running on a machine by stopping the WWW Publishing Service using the Services node under System Tools in Computer Management. Don't do it this way. IIS services are implemented differently from other Windows 2000 services and should not be stopped or started in this fashion. Finally, if you want to restart IIS from the command line, you can type iisreset <Computer_Name>. You can also use this command in a batch file.
Finally, let's look at installing FrontPage server extensions on IIS 5.0. In IIS, this is a basic Web server administration task for networks where developers use the popular Web content creation tool, FrontPage. IIS 5 uses a set of proprietary server-side DLLs called FrontPage extensions to support many of the advanced FrontPage features, such as its ability to create navigation bars, search tools, discussion Webs, and so on. We won't get into content development at all but will simply examine how to enable the server to operate with FrontPage.
Even though the necessary software to support FrontPage is pre-installed, you still need to enable these extensions on the specific Web sites that your FrontPage content developers will be using. To illustrate, use the Scribes Ltd. Web site and follow these steps:
Figure 27-17. The Server Extensions Configuration Wizard.
CAUTION
Do not delete any of these FrontPage files or directories, or the server extensions might fail to work properly!
Figure 27-18. Directories created by enabling FrontPage server extensions on the site.