70-290: MCSE Guide to Managing
a Microsoft Windows Server 2003
Environment
Chapter 13:
Administering Web
Resources
Objectives
• Install and configure Internet Information Services
(IIS)
• Create and configure Web-site virtual servers and
virtual directories
• Configure Web-site authentication
• Configure and maintain FTP virtual servers
• Update and maintain security for an IIS server
Objectives (continued)
• Create and modify Web folders
• Install and use the Remote Administration
(HTML) tools
• Install and configure Web-based printing and
printer management
• Troubleshoot Web client-browser connectivity
Installing and Configuring
Internet Information Services
• Current version is Internet Information Services
(IIS) 6.0
• IIS provides Web-related services that can be
implemented to host a corporate intranet or to
provide an Internet presence
Installing and Configuring
Internet Information Services
(continued)
• IIS has four main components:
• World Wide Web (HTTP) services
• File Transfer Protocol (FTP) services
• Network News Transfer Protocol (NNTP) services
• Simple Mail Transfer Protocol (SMTP) services
Installing Internet Information
Services
• IIS 6.0 is not installed by default
• Individual IIS components can be manually
installed through the Add or Remove Programs
applet in the Control Panel
Activity 13-1: Installing
Internet Information Services
• Objective: To install IIS components
• Start → Control Panel → Add or Remove
Programs → Add/Remove Windows Components
• Select and install individual components as
directed
• Note changes on the server, folders created during
IIS installation, new accounts in Active Directory,
operating system services, Web sharing feature
Activity 13-2: Viewing System
Changes after Installing IIS
• Objective: To view the changes made to Windows
Server 2003 after installing IIS
• Open Active Directory and browse for the new
accounts that have been added:
• 2 new user accounts and 1 new group account
Activity 13-2 (continued)
• Browse various folders that contain files needed
for IIS services and open the Services utility:
• FTP Publishing Service
• IIS Admin Service
• Network News Transfer Protocol (NNTP)
• Simple Mail Transfer Protocol (SMTP)
• World Wide Web Publishing Service
• Browse properties of a service
• Stop a service and configure its startup options
Architectural Changes in IIS
6.0
• IIS 6.0 is similar to IIS 5.0 with Windows 2000
• Changes relate to how processes are managed and
maintained, and to the updated metabase files
• Metabase now stored in 2 standard XML files
• MetaBase.xml and MBSchema.xml
• Human-readable
• Better read performance
• Industry-standard data representation
• Found in %systemroot%\system32\inetsrv
Configuring Web Server
Properties
• Primary tool used for configuration of Web Server
properties is IIS MMC snap-in
• Available on Administrative Tools menu
• Default sites and services include:
• FTP Sites
• Application Pools
• Web Sites
• Web Service Extensions
• Default SMTP Virtual Server
• Default NNTP Virtual Server
Activity 13-3: Exploring the
Internet Information Services
MMC Snap-in
• Objective: To explore the basic MMC snap-in
console and navigation
• Start → Administrative Tools → Internet
Information Services (IIS) Manager
• Explore the FTP Sites, Application Pools, Web
Sites, Web Service Extensions, Default SMTP
Virtual Server, and Default NNTP Virtual Server
nodes
Activity 13-3 (continued)
• Using the IIS tool, master properties can be
configured for Web and FTP sites from site-folder
level
• If an individual site is pre-configured when master
properties are set, you are prompted whether or
not to change the site settings
Activity 13-4: Viewing and
Configuring the Master
Properties of the WWW Service
• Objective: To explore the use of master properties
through the configuration of the WWW service
• From the open IIS Manager window, open the
Web Sites folder properties
• Configure the folder properties as directed
• Test setting inheritance by viewing the Default
Web Site properties
Creating and Configuring
Web-Site Virtual Servers
• A virtual server is a unique Web site that behaves
as if it were on a dedicated server
• IIS can support many virtual servers on a single
server
• Configuration conflicts are avoided by identifying
the IP address, TCP port, and host header name of
each Web site and ensuring that the site is
uniquely identified through these features
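An added example (not from the original slides) of the uniqueness rule above: it reads site bindings from a constructed fragment laid out like the IIsWebServer entries of MetaBase.xml and reports every IP address, TCP port and host header combination claimed by more than one site. The site names, addresses and function names are illustrative assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, simplified from the IIsWebServer entries of MetaBase.xml.
# ServerBindings holds one or more "IP:port:host-header" strings; an empty IP
# means "all unassigned" and an empty host header means none is set.
SAMPLE_METABASE = """
<configuration>
  <MBProperty>
    <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
                  ServerBindings=":8080:"/>
    <IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet"
                  ServerBindings="192.168.1.10:80:intranet.example.com"/>
    <IIsWebServer Location="/LM/W3SVC/3" ServerComment="Sales"
                  ServerBindings="192.168.1.10:80:sales.example.com"/>
    <IIsWebServer Location="/LM/W3SVC/4" ServerComment="Sales copy"
                  ServerBindings="192.168.1.10:80:SALES.example.com :8080:"/>
  </MBProperty>
</configuration>
"""


def parse_binding(binding):
    """Split 'IP:port:host-header' into a normalized identity tuple."""
    ip, port, host = binding.split(":", 2)
    # Host names are case-insensitive, so compare them in lower case.
    return (ip or "*", int(port), host.lower())


def local_name(tag):
    """Drop an XML namespace prefix such as '{urn:...}IIsWebServer'."""
    return tag.rsplit("}", 1)[-1]


def find_binding_conflicts(xml_text):
    """Return {identity: [site names]} for identities used by more than one site."""
    owners = defaultdict(list)
    for element in ET.fromstring(xml_text).iter():
        if local_name(element.tag) != "IIsWebServer":
            continue
        name = element.get("ServerComment", element.get("Location"))
        for binding in element.get("ServerBindings", "").split():
            owners[parse_binding(binding)].append(name)
    return {ident: names for ident, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for (ip, port, host), names in find_binding_conflicts(SAMPLE_METABASE).items():
        label = host or "(none)"
        print(f"{ip}:{port} host header {label} is claimed by: {', '.join(names)}")
```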
Activity 13-5: Creating a New
Web Site Using the Web Site
Creation Wizard
• Objective: To become familiar with the Web Site
Creation Wizard
• Change the port number of the Default Web Site
as directed and verify the change
• Create a new Web site using the Web Site Creation
Wizard
• Create a default HTML index page for the new
site
Activity 13-6: Creating a New
Web Site Using the
IISWEB.VBS Script
• Objective: To explore using the IISWEB.VBS
script as an alternative to the IIS tool for Web site
creation
• Start → Run → type cmd → OK
• Make a new Web site home directory as directed
• Run the IISWEB.VBS script as directed
• Verify that the Web site has been created and
configured correctly
Modifying Web-Site Properties
• Individual Web site parameters can be modified
and fine-tuned through the site’s properties
• Modifying an individual site’s properties does not
affect any other sites
• Modifying an individual site’s properties overrides
any configurations set in the master properties at
the server level
Activity 13-7: Configuring
Web-Site Properties
• Objective: To explore and configure the available
properties for an individual Web site
• Open IIS and the Properties of the site to be
configured
• Configure settings as directed
• Create an html file and configure it as a footer
• Customize an error message
• Verify the configured settings
Creating Virtual Directories
• A virtual directory points to a shared folder on
the server
• An alias name can be created
• Hides the real directory name
• Can simplify the path to the folder
• Clients can access a virtual directory by appending
the alias name to the Web-site host name
Activity 13-8: Creating and
Configuring a Virtual
Directory
• Objective: To familiarize students with the process
of creating and configuring a virtual directory
• Create and configure a new shared folder
• Create a new index file for the Web site
• Open and use the Virtual Directory Creation
Wizard to create a virtual directory with an alias
• Explore Properties and verify proper configuration
of the site
Configuring Authentication for
Web Sites
• Authentication is the determination of whether or
not a user account has the proper permissions to
access a resource such as a Web site
• IIS provides five levels of authentication:
• Anonymous access
• Basic authentication
• Digest authentication
• Integrated Windows authentication
• .NET Passport authentication
Anonymous Access and Basic
Authentication
• Anonymous access
• Users do not need to provide a user name and password
• Uses the IUSR_servername user account to provide
authentication credentials
• Basic authentication
• User is prompted to supply a user name and password
• User needs a valid Windows Server 2003 user account
• One drawback is that information is transmitted using
unencrypted Base64 encoding (easy to hack)
Digest Authentication and Integrated
Windows Authentication
• Digest authentication
• Similar to basic authentication but hashes user name
and password using MD5 algorithm
• Has specific software and Active Directory
requirements
• Integrated Windows authentication
• Does not prompt for password
• Uses client’s logged on credentials
• Used primarily for internal intranets, has specific
permissions requirements
.NET Passport Authentication
and Multiple Authentications
• .NET Passport authentication
• New method currently in testing to use the .NET
Passport service
• Will require preproduction tests and a registration
process
• If multiple authentication methods are configured,
specific rules apply concerning precedence and
applicability
Activity 13-9: Configuring and
Testing Web-Site
Authentication Options
• Objective: To configure and compare two of the
Web-site authentication options
• Discover the current configuration using the IIS
Manager tool
• Explore the effect of the current configuration on
Web-site access
• Change the configuration and explore the effect of
the change
Configuring Server Certificates
and Secure Sockets Layer
• The Secure Sockets Layer (SSL) protocol
encrypts Web traffic between a client and a Web
server
• Configured from the Directory Security tab of the
properties of a Web site
• Users access a secure server using https:// prefix
• SSL requires a server certificate from a certificate
authority or from installed certificate services
Configuring FTP Virtual
Servers
• The File Transfer Protocol (FTP) is used for file
transfers between computers running TCP/IP
• FTP service is included with IIS 6.0
• FTP uses two ports (TCP ports 20 and 21)
• Port 21 carries connection initiation and diagnosis
information
• Port 20 carries data
• FTP uses Transmission Control Protocol (TCP)
• Connection-based protocol, session precedes data
transfer
File Transfer Protocol
• Features of TCP include:
• Sending computer waits for an acknowledgement and
retransmits data if it is not received
• Packets are assigned a sequence number
• Packets contain a checksum for ensuring integrity
• FTP requires a server running FTP server software
and clients must run FTP client software
• There are many free and shareware utilities that
can be downloaded for running FTP
Configuring FTP Properties
• Multiple FTP sites can be configured on a single
IIS 6.0 server
• Each site operates independently and runs
transparently
• Each site has property sheets that can be
customized independently
Activity 13-10: Configuring
and Testing the Default FTP
Site
• Objective: To become familiar with the process of
configuring and testing an existing Web site
• Open the IIS Manager tool and the Properties of
the Default FTP Site
• Browse and configure various settings of the site
• Log on as an anonymous user to test the site
configuration
Activity 13-11: Creating and Testing a
New FTP Site and Configuring a Virtual
Directory
• Objective: To create an FTP site that includes a
virtual directory located on a different server
• Create new folders for FTP site and configure
permissions and IP address as directed
• Use the FTP Site Creation Wizard to create a site
• Use the Virtual Directory Creation Wizard to
create a new virtual directory
• Test the site by logging on and transferring a file
Updating and Maintaining
Security for an IIS Server
• Sensitivity to security issues is always important
for information published on the Internet
• Issues of importance in security and maintenance
for an IIS server:
• Alternatives to securing access to information
• Performing backups
• Stopping and starting IIS related services
• Applying updates
Resource Permissions
• Two types of permissions to secure Web resources
• NTFS permissions
• IIS permissions
• The effective permission is always the most
restrictive of configured permissions
• NTFS permissions
• Normal NTFS file permissions can be applied to Web
pages and virtual directories
• Can be assigned to users and groups individually
Resource Permissions
(continued)
• IIS permissions
• Always global
• Can be configured for Web sites and FTP virtual
servers, virtual directories, physical directories, files
• Can set Read and/or Write permissions
• Can set Execute permission if site contains scripts or
executables
Activity 13-12: Configuring IIS
and NTFS Permissions
• Objective: To explore the use of both IIS and
NTFS permissions for protecting Web content
• Open the IIS Manager tool and access the
Properties of a Web site to configure IIS
permissions
• Test the IIS permissions as directed
• Open the Properties of the Web content folder to
configure NTFS permissions
• Test the NTFS permissions as directed
IP Address and Domain Name
Security
• Can secure Web content by controlling access
based on the IP address of the client
• Access can be explicitly granted or denied
• Access can be controlled for a specific IP address
or a range of IP addresses
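An added example (not from the original slides) that combines this slide with the Resource Permissions slides: a request is matched against the IP restrictions, then has to be allowed by both the global IIS permission and the per-user NTFS permission, so the most restrictive setting decides. The order of the checks, the default grant/deny switch, the simplified NTFS model (no groups or deny entries), the addresses, account names and function names are all assumptions made for illustration.

```python
import ipaddress


def ip_allowed(client_ip, default_grant, exceptions):
    """Apply IP restrictions: listed addresses/ranges get the opposite of the default."""
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in ipaddress.ip_network(entry, strict=False) for entry in exceptions)
    return default_grant != listed


def check_access(client_ip, user, action, site):
    """Return 'granted' or the first layer that refuses the request."""
    if not ip_allowed(client_ip, site["default_grant"], site["exceptions"]):
        return "denied: IP restriction"
    # IIS permissions are global: they apply to every user of the site.
    if action not in site["iis_permissions"]:
        return "denied: IIS permission"
    # NTFS permissions are assigned per account.
    if action not in site["ntfs_acl"].get(user, set()):
        return "denied: NTFS permission"
    return "granted"


# Constructed sample configuration.
READ_ONLY_SITE = {
    "default_grant": True,  # everyone is granted access except the entries below
    "exceptions": ["10.0.0.7", "192.168.5.0/255.255.255.0"],
    "iis_permissions": {"read"},
    "ntfs_acl": {"IUSR_SERVER01": {"read"}, "jsmith": {"read", "write"}},
}
UPLOAD_SITE = dict(READ_ONLY_SITE, iis_permissions={"read", "write"})

if __name__ == "__main__":
    requests = [
        ("10.0.0.8", "jsmith", "read", READ_ONLY_SITE),
        ("10.0.0.7", "jsmith", "read", READ_ONLY_SITE),
        ("192.168.5.44", "jsmith", "read", READ_ONLY_SITE),
        ("10.0.0.8", "jsmith", "write", READ_ONLY_SITE),
        ("10.0.0.8", "IUSR_SERVER01", "write", UPLOAD_SITE),
        ("10.0.0.8", "jsmith", "write", UPLOAD_SITE),
    ]
    for client_ip, user, action, site in requests:
        print(client_ip, user, action, "->", check_access(client_ip, user, action, site))
```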
Activity 13-13: Testing IP
Address Restrictions
• Objective: To explore securing Web content using
restrictions on IP addresses
• Open the IIS Manager tool and the Properties of
the Web site
• From the Directory Security tab, edit the IP
Address and Domain Name Restrictions to deny
access to a specific IP address
• Test the restrictions as directed
Starting and Stopping Services and
Backing Up the IIS Configuration
• IIS 6.0 allows you to start and stop services
through the IIS console
• IIS 6.0 stores configuration settings in the IIS
metabase that can be backed up
• Using the Backup utility in the IIS console
• By copying contents of the backup directory to a folder
• By exporting contents using the metabase editor
• By using the IISBACK.VBS script
• By backing up System State data using Backup utility
Activity 13-14: Backing Up the
IIS Configuration
• Objective: To explore the use of the backup and
restore facilities of IIS
• Open the IIS Manager tool and Backup/Restore
Configuration facility for the server
• Create a backup as directed
• Verify the backup
• Restore the metabase from the backup as directed
Updating IIS 6.0
• Common updates to IIS are service packs and hot
fixes
• Before updating, perform a full backup of server
• Updates are often released to fix security issues
• Microsoft Baseline Security Analyzer helps
determine which IIS hot fixes are installed
Creating and Modifying Web
Folders
• A Web folder is a shared folder designed to be
accessed using HTTP or FTP
• Use the Web Sharing tab of the folder Properties
to configure the folder
• Web folders can use an alias name
• The Edit Alias dialog box allows you to set the name,
access permissions, and application permissions
• Network clients can open a Web-based file using
• Internet Explorer, My Network Places, Microsoft
Office XP
Activity 13-15: Configuring Web
Folders and Exploring Access
Methods
• Objective: To become familiar with configuring
and accessing a Web shared folder
• Create a new folder and file
• Configure the folder using the Web Sharing tab of
the folder’s Properties
• Open the IIS Manager tool and verify that the
virtual directory appears
• Open Internet Explorer to examine the folder and
file
Installing and Using Remote
Administration (HTML) Tools
• Remote Administration (HTML) tools support the
ability to manage IIS servers remotely via a Web
browser interface
• On Windows Server 2003, these tools are not
installed by default
• Tools must be added manually via the Add/Remove
Windows Components feature of Control Panel
Activity 13-16: Install and Explore the
Remote Administration (HTML) Tools
• Objective: To explore the installation process and
to examine various settings from Internet Explorer
• Start → Control Panel → Add or Remove
Programs → Add/Remove Windows Components
• Install the tools as directed
• Open Internet Explorer, configure the site, and
connect to the Remote Administration Web site
• Browse the site as directed
Installing and Configuring
Internet Printing
• Internet Printing Protocol (IPP)
• Allows printers to be managed via a Web browser
• Allows clients to send print jobs using HTTP
• Requires the installation of IIS and the Internet
Printing component
• Internet Printing requires that the Internet Printing
Web Service Extension and the Active Server
Pages Extension be explicitly enabled
Activity 13-17: Configuring and
Managing Internet Printing
• Objective: to explore Internet Printing settings,
manage printers from IE, and install a printer to
use Internet Printing
• Use the IIS Manager tool to configure Internet
Printing on the server
• Use Internet Explorer to view printers and their
properties
• Install a printer to use Internet Printing and verify
that the printer port is configured correctly
Troubleshooting Web Client
Connectivity Problems
• Client access problems are not uncommon
• If a user is unable to access an IIS Server
• Check TCP/IP configuration settings, proxy settings,
connections, set up error messages, use a protocol
analyzer
• If a user is unable to access a Web or FTP site
• Check permissions, authentication methods, IP address
and domain name restrictions, connection limits, port
numbers, user accounts, invalid cached DNS
information
Summary
• Internet Information Services (IIS) 6.0 is an
application in Windows Server 2003 used to
develop and host Web- and FTP-based services
• Four main components to IIS: World Wide Web
(HTTP), File Transfer Protocol (FTP), Network
News Transfer Protocol (NNTP), and Simple
Mail Transfer Protocol (SMTP) services
• IIS components must be manually installed
Summary (continued)
• IIS configuration information is stored in two
XML files known as the metabase
• The IIS MMC snap-in (the IIS Manager tool) is
the primary tool for IIS configuration
• Virtual servers are unique Web or FTP sites that
behave as though they are on dedicated servers
• IIS provides five levels of authentication to
validate users trying to access a Web site
• Web communications can be encrypted using the
Secure Sockets Layer (SSL) protocol
Summary (continued)
• To maintain an IIS server, an administrator should
use security features, perform backups, start and
stop IIS services, and apply updates
• Remote Administration (HTML) tools are used to
manage IIS 6.0 servers remotely
• The Internet Printing Protocol (IPP) allows
printers to be managed via Web browser and
allows clients to send print jobs using HTTP
• Configuration problems can prevent users from
accessing either an IIS server or a Web or FTP site;
note the things to check first