chap07 - Home - KSU Faculty Member websites

Hands-On Microsoft
Windows Server 2003
Administration
Chapter 7
Administering Web Resources in
Windows Server 2003
Objectives
• Install and configure Internet Information
Services (IIS)
• Create and configure Web-site virtual servers
and virtual directories
• Configure Web-site authentication
• Configure and maintain FTP virtual servers
• Update and maintain security for an IIS server
• Create and modify Web folders
• Install and use the Remote Administration
(HTML) tools
• Troubleshoot Web client-browser connectivity
2
Installing and Configuring Internet
Information Services
• Internet Information Services (IIS) 6.0
– Provides Web-related services to an organization
– Four main components
• World Wide Web (HTTP) services
– Provides the capability of hosting multiple Web sites
accessible from the Internet or an intranet
• File Transfer Protocol (FTP) services
– Provides the ability to copy files between the server
and a remote location
3
Installing and Configuring Internet
Information Services (Continued)
• Network News Transfer Protocol (NNTP) services
– Used to provide a means of maintaining a list of
topics and threaded conversations between users
• Simple Mail Transfer Protocol (SMTP) services
– Provides e-mail capabilities to the other services of
IIS
4
Installing Internet Information
Services
• IIS 6.0
– Not installed by default during a standard
installation of Windows Server 2003
– Individual IIS components can be manually
installed via the Add or Remove Programs applet
in Control Panel
5
Internet Information Services
components
6
Installing Internet Information
Services (Continued)
• Changes on the server after a successful
installation of IIS
– Additional folders on the hard drive
• %systemroot%\system32\inetsrv
• C:\Inetpub
• C:\WINDOWS\Help\iishelp
– Additional user objects in Active Directory
• IUSR_servername
• IWAM_servername
• IIS_WPG group
7
Installing Internet Information
Services (Continued)
• Changes on the server after a successful
installation of IIS (Continued)
– Additional services installed within the operating
system
• FTP Publishing Service
• IIS Admin Service
• Network News Transfer Protocol (NNTP)
• Simple Mail Transfer Protocol (SMTP)
• World Wide Web Publishing Service
8
Architectural Changes in IIS 6.0
• Metabase
– Central storage location for IIS configuration
information
– Stored in two standard Extensible Markup
Language (XML) files
• MetaBase.xml
– Contains the actual configuration settings for IIS 6.0
• MBSchema.xml
– Contains the XML schema that provides the default
values of the various metabase properties
9
Architectural Changes in IIS 6.0
(Continued)
• A number of process management and administration
features have been introduced in IIS 6.0
10
Configuring Web Server Properties
• IIS MMC snap-in
– Primary tool used for configuration purposes
– Available on the Administrative Tools menu
– Initially displays the default sites and services:
• FTP Sites
• Application Pools
• Web Sites
• Web Service Extensions
• Default SMTP Virtual Server
• Default NNTP Virtual Server
11
Configuring Web Server Properties
(Continued)
• Master properties
– IIS parameters that are
• Configured at the site-folder level
• Inheritable by all Web or FTP sites hosted on the
server
– Benefit
• You can quickly set various common
configurations on all Web or FTP sites at once
– Configuration settings changed at the site, folder,
or file level override the master properties
12
Creating and Configuring Web-Site
Virtual Servers
• IIS can host a large number of Web sites or
virtual servers on a single server
– Virtual server
• A unique Web site that behaves as if it were on its
own dedicated server
• Before creating a Web site
– Identify the IP address to which the Web site
responds
– Identify the TCP port to which the Web site responds
– If you have multiple virtual servers responding to the
same IP address, identify the host header name to
which your new Web site responds
13
Creating and Configuring Web-Site
Virtual Servers (Continued)
• Each Web site on your server must have a way
of being uniquely identified
• Ways to make sure that each Web site is unique
– Use a separate IP address to distinguish each
Web site
– Use a single IP address with a specific port
number for each Web site
– Use a single IP address with multiple host
headers representing each Web site
14
Creating and Configuring Web-Site
Virtual Servers (Continued)
• Web Site Creation Wizard
– Provides a simple, step-by-step method of
creating and initially configuring Web sites
• iisweb.vbs script
– Can be used to create new Web sites from the
Windows Server 2003 command line
15
Modifying Web-Site Properties
• Once a Web site is created, a number of
properties can be modified to fine-tune the
parameters of the site
• Configuring the properties page for a specific
Web site affects only that site and no others
• Any parameters configured at the Web-site level
override the master properties that may have
been set at the server level
16
Web site properties tabs
17
Creating Virtual Directories
• To include information stored on multiple servers
in a Web site
– Create a virtual directory that specifically points to
the shared folder that stores the data
• An alias of the virtual directory can be used to
– Hide the real directory name
– Simplify the path that the server should use to
access the information
18
Configuring Authentication for Web
Sites
• All Windows Server 2003 servers require that
any user who tries to access the server be
authenticated to a valid user account
• Authentication
– Determining whether or not a user has a valid
user account with the proper permissions to
access a resource
19
Configuring Authentication for Web
Sites
• IIS provides five levels of authentication
– Anonymous access
– Basic authentication
– Digest authentication
– Integrated Windows authentication
– .NET Passport authentication
• Authentication settings are configured from
within the properties of a Web site in the
Authentication and access control section of the
Directory Security tab
20
Configuring Web site authentication
options
21
Anonymous Access
• Allows users to access a Web site without
having to provide a user name and password
• IUSR_servername user account
– Used by IIS to supply the required authentication
credentials on behalf of anonymous users
– Member of the Domain Users (on a domain
controller) and Guests groups by default
22
Basic Authentication
• Prompts users for a user name and password to
be able to access the Web resource
• Requirement
– User needs to have a valid Windows Server 2003
user account to be able to gain access to the
Web site
• Potential problem
– User name and password are transmitted using
Base64 encoding (not encryption) and can easily
be captured and read by hackers
23
Digest Authentication
• Works the same way as Basic authentication
• Difference from Basic authentication
– User name and password are hashed using the
MD5 algorithm to prevent hackers from obtaining
the information
24
Digest Authentication (Continued)
• Requirements
– Users must
• Be running Internet Explorer 5.0 or higher
• Have an account in Active Directory or a trusted
domain
– An IIS server using Digest authentication must
• Be part of an Active Directory domain
• Be running HTTP 1.1 and WebDAV
25
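To make the difference between the two slides concrete, here is an added example (not from the textbook) that shows what actually crosses the wire in each case: a Basic `Authorization` header is only Base64, so the user name and password are recovered by a one-line decode, whereas a Digest client sends an MD5 response computed from the password, the server's nonce and the request, and never the password itself. The Basic header and the alice/s3cret credentials are constructed for the example; the Digest values are the worked example from RFC 2617 section 3.5.

```python
import base64
import hashlib

# Constructed sample: the header a browser sends for Basic authentication
# after the user types "alice" / "s3cret". Not taken from a real capture.
BASIC_HEADER = "Authorization: Basic YWxpY2U6czNjcmV0"


def basic_credentials(header_line):
    """Recover (user, password) from a Basic Authorization header.

    Base64 is an encoding, not encryption: anyone who can read the request
    on the wire can do exactly this, which is why Basic must only be offered
    on a site that requires SSL (https://)."""
    scheme, _, token = header_line.split(":", 1)[1].strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Compute the RFC 2617 Digest 'response' value (algorithm=MD5, qop=auth).

    Only this hash travels to the server. The password stays on the client,
    and because the server-chosen nonce is mixed in, a captured response is
    not useful once the server issues a new nonce."""
    def md5(s):
        return hashlib.md5(s.encode("utf-8")).hexdigest()

    ha1 = md5(f"{user}:{realm}:{password}")   # user:realm:password
    ha2 = md5(f"{method}:{uri}")              # method:uri
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rfc2617_example():
    """The published RFC 2617 section 3.5 example, for checking the maths."""
    return digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")


if __name__ == "__main__":
    print("Basic header decodes to:", basic_credentials(BASIC_HEADER))
    print("Digest response sent instead of a password:", rfc2617_example())
```

Digest on IIS 6.0 has its own requirements (an Active Directory account, Internet Explorer 5.0 or later), but the point the example makes is protocol-level: a network capture of a Basic exchange yields the password directly, a capture of a Digest exchange yields only a per-nonce hash.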
Integrated Windows Authentication
• Does not ask the user for a password
• Uses the client’s currently logged-on credentials
to supply a challenge/response to the Web
server
• Primarily used on internal intranets
• Once this choice has been enabled, it can only
be used if
– Anonymous access is disabled on the Web site
– Windows file permissions have been set,
requiring users to provide authentication to
access the resources
26
.NET Passport Authentication
• Allows a Web site to use the functionality of the
.NET Passport service to authenticate user
identities
• Requirements for authenticating users with a
.NET Passport
– The company must
• Carry out a variety of preproduction tests with
Microsoft
• Go through a registration process
27
.NET Passport Authentication
(Continued)
• The following rules apply if multiple
authentication methods are configured
– If Anonymous authentication and one other
method are selected, the other method only
applies if Anonymous authentication fails
– FTP sites cannot use Digest, Integrated
Windows, or .NET Passport authentication
– Both Digest and Integrated Windows
authentication take precedence over Basic
authentication
28
Configuring Server Certificates and
Secure Sockets Layer
• Secure Sockets Layer (SSL) protocol
– Used to encrypt Web traffic between a client and
the Web server
– Clients can access a secure server using SSL by
using URLs that begin with https:// instead of the
http:// prefix
– Implemented using the Directory Security tab of a
Web site
29
Configuring Server Certificates and
Secure Sockets Layer (Continued)
• A server certificate
– Needed to use SSL on a Web server
– Can be
• Obtained from a certificate authority (CA)
• Created by the company itself for internal purposes
30
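The metabase slides, the Web-site uniqueness rules, the authentication precedence rules and the SSL slide all come together in `MetaBase.xml`, so here is an added example (written for this page, not part of the textbook or of IIS) that audits a metabase fragment for three things a practitioner checks: two sites bound to the same IP/port/host-header triple, Basic authentication enabled on a site that does not require SSL, and Anonymous combined with another method (which then only applies when anonymous access fails). The XML is a constructed, simplified fragment; the element names (`IIsWebServer`, `IIsWebVirtualDir`), attributes (`ServerBindings`, `AuthFlags`, `AccessFlags`) and the `IP:port:host` and `Flag | Flag` value formats follow the IIS 6.0 metabase schema as I recall it, so verify them against your own `MBSchema.xml` before relying on the script.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified MetaBase.xml fragment (not from a real server).
SAMPLE_METABASE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
 <MBProperty>
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
    ServerBindings=":80:" />
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\inetpub\wwwroot"
    AccessFlags="AccessRead | AccessScript" AuthFlags="AuthAnonymous | AuthNTLM" />
  <IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet Portal"
    ServerBindings="10.0.0.5:80:portal.corp.example" SecureBindings="10.0.0.5:443:" />
  <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" Path="d:\sites\portal"
    AccessFlags="AccessRead | AccessSSL" AuthFlags="AuthBasic" />
  <IIsWebServer Location="/LM/W3SVC/3" ServerComment="Partner Extranet"
    ServerBindings="10.0.0.5:8080:" />
  <IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT" Path="d:\sites\partner"
    AccessFlags="AccessRead" AuthFlags="AuthAnonymous | AuthBasic" />
  <IIsWebServer Location="/LM/W3SVC/4" ServerComment="Staging Copy"
    ServerBindings=":80:" />
  <IIsWebVirtualDir Location="/LM/W3SVC/4/ROOT" Path="d:\sites\staging"
    AccessFlags="AccessRead" AuthFlags="AuthAnonymous" />
 </MBProperty>
</configuration>
"""


def _local(tag):
    """Strip the XML namespace so tags compare as plain names."""
    return tag.rsplit("}", 1)[-1]


def _flags(value):
    """'AuthAnonymous | AuthNTLM' -> {'AuthAnonymous', 'AuthNTLM'}"""
    return {f.strip() for f in value.split("|") if f.strip()}


def parse_bindings(value):
    """'IP:port:host' lines -> [(ip, port, host)]; empty IP means all unassigned."""
    out = []
    for line in value.splitlines():
        ip, port, host = line.strip().split(":", 2)
        out.append((ip or "*", int(port), host))
    return out


def audit_metabase(xml_text):
    """Return (site_location, finding_code) pairs for every Web site found."""
    root = ET.fromstring(xml_text)
    sites, findings, seen = {}, [], {}
    blank = lambda: {"bindings": [], "auth": set(), "access": set()}
    for el in root.iter():
        kind, loc = _local(el.tag), el.get("Location", "")
        if kind == "IIsWebServer":
            sites.setdefault(loc, blank())["bindings"] = parse_bindings(el.get("ServerBindings", ""))
        elif kind == "IIsWebVirtualDir" and loc.endswith("/ROOT"):
            site = "/".join(loc.split("/")[:4])   # /LM/W3SVC/3/ROOT -> /LM/W3SVC/3
            sites.setdefault(site, blank())
            sites[site]["auth"] = _flags(el.get("AuthFlags", ""))
            sites[site]["access"] = _flags(el.get("AccessFlags", ""))
    for loc, s in sites.items():
        # Each Web site must be unique by IP, port or host header; an exact
        # duplicate of an earlier site's binding cannot start alongside it.
        for b in s["bindings"]:
            if b in seen:
                findings.append((loc, "DUPLICATE_BINDING"))
            seen.setdefault(b, loc)
        # Basic sends Base64-encoded (not encrypted) credentials: require SSL.
        if "AuthBasic" in s["auth"] and "AccessSSL" not in s["access"]:
            findings.append((loc, "BASIC_WITHOUT_SSL"))
        # Anonymous plus another method: the other applies only if anonymous fails.
        if "AuthAnonymous" in s["auth"] and len(s["auth"]) > 1:
            findings.append((loc, "ANON_PLUS_OTHER"))
    return findings


if __name__ == "__main__":
    for site, code in audit_metabase(SAMPLE_METABASE):
        print(f"{site}: {code}")
```

Run against a copy of the real file (the metabase is locked while the IIS Admin Service runs, so audit a backup or an exported copy rather than the live `MetaBase.xml`). In the sample, the Partner Extranet site is the one to fix: it offers Basic on plain HTTP, and the Staging Copy collides with the Default Web Site on `:80:`.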
Configuring FTP Virtual Servers
• File Transfer Protocol (FTP)
– Used to transfer files between two computers that
are both running TCP/IP
• The FTP service included with IIS 6.0 enables
users to transfer files to and from it using FTP
client software such as
– The command-line ftp utility
– A Web browser
31
File Transfer Protocol
• FTP
– An industry-standard method of transferring files
between two hosts running TCP/IP
– Uses two ports for connections during a single
session
• TCP port 21
– Usually used to initiate the connection and for
diagnostic functions
• TCP port 20
– Usually used to pass data
32
File Transfer Protocol (Continued)
• Transmission Control Protocol (TCP)
– Used by FTP for file transfers
– A connection-based protocol
• To use FTP to transfer files between two
computers
– One machine must be running FTP client
software
– Other machine must be running FTP server
software
33
Configuring FTP Properties
• When multiple FTP sites are configured to run
on a single IIS 6.0 server, each site
– Behaves and operates independently
– Appears to the client to be running on its own
FTP server
– Has its own set of property sheets
• Five tabs are available from the site properties
window of an FTP site
34
FTP site property tabs
35
Creating an FTP Site Virtual Server
• New FTP sites can be created by:
– Using the Internet Information Services tool
– Scripting
• FTP sites allow you to create virtual directories
that can be both local and remote to the IIS
server
36
Updating and Maintaining Security
for an IIS Server: Resource
Permissions
• Resource permissions
– Specify the types of access users are granted
– Types of permissions
• NTFS permissions
• IIS permissions
– To provide the most security for Web content
• Combine NTFS permissions and IIS permissions
37
IP Address and Domain Name
Security
• To secure Web content
– Administrators can grant or deny access to users
based on their
• IP address
– Administrators can grant or deny access to:
» An individual IP address
» A particular address range
• Domain name
38
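The grant/deny logic behind the IP address restrictions dialog is easy to get backwards, so here is an added example (mine, not the textbook's or IIS's code) that evaluates it the way IIS does: one default decision for all computers, plus an exception list of single computers or groups (network and subnet mask), where matching an exception flips the default. The rule entries and client addresses are constructed; the `"network, mask"` entry format mirrors how the dialog presents a group, which is an assumption about presentation only.

```python
import ipaddress


class IPRestriction:
    """Grant or deny by default, with exceptions, as on the Directory Security tab."""

    def __init__(self, default_allow, exceptions=()):
        self.default_allow = default_allow
        self.exceptions = [self._parse(e) for e in exceptions]

    @staticmethod
    def _parse(entry):
        # Accepts "10.0.0.0, 255.0.0.0" (network + mask), "10.0.0.0/8",
        # or a single computer such as "192.168.1.25" (treated as a /32).
        if "," in entry:
            net, mask = (p.strip() for p in entry.split(",", 1))
            return ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_network(entry.strip(), strict=False)

    def decide(self, client_ip):
        """True = access granted, False = access denied (IIS answers 403)."""
        ip = ipaddress.ip_address(client_ip)
        matched = any(ip in net for net in self.exceptions)
        # A listed exception is the opposite of the default: under "denied
        # by default" the list is the allow list, and vice versa.
        return self.default_allow != matched


if __name__ == "__main__":
    intranet = IPRestriction(default_allow=False,
                             exceptions=["10.0.0.0, 255.0.0.0", "192.168.1.25"])
    public = IPRestriction(default_allow=True, exceptions=["203.0.113.0/24"])
    for ip in ("10.4.5.6", "192.168.1.25", "192.168.1.26"):
        print("intranet", ip, "->", "granted" if intranet.decide(ip) else "denied")
    for ip in ("203.0.113.9", "198.51.100.1"):
        print("public", ip, "->", "granted" if public.decide(ip) else "denied")
```

Domain-name restrictions, the other option on that dialog, work the same way logically but require IIS to reverse-resolve each client address before deciding, so IP-based rules are the predictable choice where both would do.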
Starting and Stopping Services
• At some point, administrators may need to stop
and restart services related to IIS for
administrative purposes
• IIS 6.0 allows services to be stopped and
restarted through the Internet Information
Services console
39
Backing Up the IIS Configuration
• Options for backing up the metabase
– Use the backup utility in the IIS console to back
up the database
– Copy the contents of the backup directory to
another folder to provide redundancy after an
initial backup has been performed
– Use the metabase editor tool to export the
contents of the database to a text file
– Use the iisback.vbs script
– Use the Windows Server 2003 Backup utility or a
third-party utility and choose to back up System
State data
40
Backing Up the IIS Configuration
(Continued)
• Two common types of updates that can be
applied to an IIS server
– Service packs
– Hot fixes
• Microsoft Baseline Security Analyzer
– Can be used to determine which IIS hot fixes are
currently installed on the Web server
41
Creating and Modifying Web Folders
• A Web folder
– Designed to be accessed from the Internet or an
intranet using the HTTP or FTP protocols
• Web Sharing tab
– Used to configure a folder to be shared over the
Web
• Access permissions and application permissions
can be configured for Web folders
42
Web folder access permissions and
Application permissions
43
Installing and Using Remote
Administration (HTML) Tools
• Remote Administration (HTML) tools
– Can be used to remotely manage
• IIS 6.0 servers
• System elements, such as
– Network settings
– Disk quotas
– Installation
• Must be added manually via the Add/Remove
Windows Components feature of Add or Remove
Programs in Control Panel
44
Troubleshooting Web Client
Connectivity Problems:
Client Access Problems
• Problem
– Users unable to gain access to an IIS Server
• To troubleshoot
– Verify the TCP/IP configuration settings that have
been configured on the client
– Check the proxy settings that have been
configured through the client’s Web browser
45
Troubleshooting Web Client
Connectivity Problems:
Client Access Problems (Continued)
– Check for obvious problems such as
• Whether the proxy server is available and
online
• Whether the client is connected to the network
– Enable or disable the Show friendly HTTP error
messages option in the properties of Internet
Explorer
– Use a protocol analyzer to capture packets
moving between the client and the Web server to
determine where communications errors may be
taking place
46
Troubleshooting Web Client
Connectivity Problems:
Client Access Problems (Continued)
• Problem
– Users complaining that they are unable to gain
access to a Web site or FTP site configured on
an IIS server
• To troubleshoot
– Check permissions assigned to the site
– Check to see which authentication method has
been configured for the site
– Check to see what IP address and domain name
restrictions have been applied to the site
47
Troubleshooting Web Client
Connectivity Problems:
Client Access Problems (Continued)
– If there is a connection limit set for the site, make
sure this limit has not been exceeded
– If the service has been configured to use a port
other than the default, make sure the client is
specifying the correct port number
– If you have not enabled Anonymous access,
make sure the client has a valid user account
– On the client computers, from the command
prompt, type “ipconfig /flushdns” to clear the DNS
cache
48
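The four troubleshooting slides are a checklist; the following added example (written for this page, not part of the textbook) turns the client-side part of it into a script that distinguishes the cases the slides list: nothing listening on the port the client is using, the client unable to reach the server at all, a 401 that reveals which authentication method the site demands, and a 403 from permissions or IP/domain restrictions. So that it runs offline, it starts a small stand-in HTTP server that imitates three IIS site configurations (anonymous, Integrated Windows, restricted); that server, its paths and its responses are constructed for the example, and proxies are deliberately bypassed so a stale browser proxy setting cannot mask the result.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request


def check_port(host, port, timeout=2.0):
    """Step 1: is anything listening on the port the client is using?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"        # wrong port number, or the site/service is stopped
    except OSError:
        return "unreachable"    # client TCP/IP settings, routing, firewall or proxy


def check_http(url, timeout=2.0, use_proxy=False):
    """Step 2: request the page and classify the answer.

    Returns (status, explanation, list of WWW-Authenticate headers or None)."""
    handlers = [] if use_proxy else [urllib.request.ProxyHandler({})]
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, "ok", None
    except urllib.error.HTTPError as e:
        if e.code == 401:   # Anonymous is off: the header names the method(s) required
            return 401, "authentication required", e.headers.get_all("WWW-Authenticate")
        if e.code == 403:
            return 403, "forbidden: check NTFS/IIS permissions, IP/domain restrictions, SSL", None
        return e.code, "HTTP error", None
    except urllib.error.URLError as e:
        return None, f"no HTTP response: {e.reason}", None


class _FakeIIS(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an IIS server so the checks run offline."""

    def do_GET(self):
        if self.path.startswith("/intranet"):       # Integrated Windows auth only
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Negotiate")
            self.send_header("WWW-Authenticate", "NTLM")
        elif self.path.startswith("/restricted"):   # IP restriction or permissions
            self.send_response(403)
        else:                                       # Anonymous access allowed
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_fake_iis():
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeIIS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_checks(host, port):
    """Walk the checklist in order and return every result keyed by check."""
    results = {"port": check_port(host, port)}
    if results["port"] != "open":
        return results          # no point sending HTTP if TCP never connects
    base = f"http://{host}:{port}"
    for path in ("/", "/intranet/", "/restricted/"):
        results[path] = check_http(base + path)
    return results


if __name__ == "__main__":
    srv = start_fake_iis()
    try:
        for key, value in run_checks("127.0.0.1", srv.server_address[1]).items():
            print(key, "->", value)
    finally:
        srv.shutdown()
```

Against a real site, replace the host and port with the ones the client is using; a `401` carrying `Negotiate`/`NTLM` tells you the site is set to Integrated Windows authentication and the user therefore needs a valid Windows account, while `refused` on the port usually means the site is stopped or the client is using the default port when the site was moved to another.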
Summary
• Internet Information Services includes four main
components
– World Wide Web (HTTP) services
– File Transfer Protocol (FTP) services
– Network News Transfer Protocol (NNTP) services
– Simple Mail Transfer Protocol (SMTP) services
• Master properties
– IIS parameters that can be configured on the
server and are inheritable by all Web and FTP
sites hosted on the server
49
Summary (Continued)
• Multiple Web sites can be distinguished on a
single Web server by
– Configuring individual IP addresses for each site
– Configuring individual port numbers for each site
– Configuring a host header for each site
• A virtual directory
– Can be used to include information that may be
stored on a different server from the one on which
the Web site home directory is located
• By default, Anonymous access is used to allow
public access to a Web site
50
Summary (Continued)
• Five main authentication methods used in IIS
– Anonymous
– Basic
– Digest
– .NET Passport
– Integrated Windows authentication
• Regular IIS maintenance tasks include
– Backing up the IIS configuration
– Starting or stopping services
– Installing hot fixes or service packs
51