Chapter 17 PowerPoint Slides
Download
Report
Transcript Chapter 17 PowerPoint Slides
Chapter Overview
Creating Web Sites and FTP Sites
Creating Virtual Directories
Managing Site Security
Troubleshooting IIS
1
Creating Web Sites and FTP Sites
By default, Microsoft Windows 2000 Server
installs a basic Microsoft Internet Information
Services (IIS) configuration during the
operating system installation.
You can modify this configuration during
installation of Windows 2000 or by using
Add/Remove Programs after the installation is
completed.
2
Installing IIS
When a clean installation of Windows 2000
Server is performed, IIS is installed, by
default, with these components:
Common Files
Documentation
Microsoft FrontPage 2000 Server Extensions
Internet Information Services Snap-In
Internet Services Manager (HTML)
SMTP Service
World Wide Web Server
3
Installing IIS (Cont.)
When you upgrade from Microsoft Windows NT,
Microsoft Windows 98, or Microsoft Windows 95 to
Windows 2000, the Setup program attempts to
detect a previous version of IIS.
IIS requires Transmission Control Protocol/Internet
Protocol (TCP/IP).
If it detects a previous version, Setup installs IIS version 5.
If TCP/IP is not installed, Setup automatically installs it.
To install IIS on a computer running Windows 2000
Server, or to install additional components to IIS
(such as FTP Server, which is not installed by
default), use Add/Remove Programs.
4
The Windows Components Page in
the Windows Components Wizard
5
The Subcomponents Of Internet
Information Services (IIS) List
6
IIS Snap-In Components
After installing IIS, when you launch the IIS
snap-in, three components are added to the
console tree:
Default Web Site: represents the primary public
Web site hosted by the server
Administration Web Site: represents a protected
site you can use to configure IIS from a remote
computer
Default SMTP Virtual Server: represents the e-mail
forwarding server hosted by the server
7
Getting Started
Web content is published by placing Web files
in folders on the server so that users can
establish a Hypertext Transfer Protocol
(HTTP) connection with the server and view
the Web files.
The first step in deploying a Web site is
determining how to organize the files you
want to publish.
Next, use the IIS snap-in (in the Internet
Services Manager console) to specify the
folders that are part of the site.
8
Getting Started (Cont.)
You can publish documents by copying them
into the home folder of the default Web site,
C:\Inetpub\Wwwroot by default.
Users can access files in this folder by using
any of these URLs:
http:// computer_name/ file_name
http:// fully_qualified_domain_name/ file_name
http:// IP_address/file_name
(where computer_name,
fully_qualified_domain_name, and IP_address
identify the Web server)
9
Creating Sites
IIS can host multiple Web or File Transfer Protocol
(FTP) sites on a single computer.
Because each site appears as an individual computer
to Web clients, the sites are sometimes called virtual
servers.
You can create multiple Web and FTP sites on a
computer running Windows 2000 Server in three
ways:
Use a nonstandard port number with the Internet Protocol
(IP) address.
Use multiple IP addresses.
Assign multiple Web sites to one network adapter card by
using host header names.
10
An Intranet Web Server with Multiple
Sites
11
Creating a Web Site
Use the IIS snap-in to create a Web site.
To create a Web site, right-click the server in
the console tree, point to New, and then select
Web Site to launch the Web Site Creation
Wizard.
You specify the following information for the
site:
Site name
IP address
TCP port number
Host header name
(optional)
Path to the site’s home
directory (folder)
Permissions you want to
grant users to the files in
the home directory
12
The IP Address And Port Settings
Page in the Web Site Creation Wizard
13
Creating an FTP Site
Before you can use the IIS snap-in to create an
FTP site, the FTP Server component must be
installed on the Windows 2000 IIS server.
To create an FTP site, in the IIS console tree,
right-click the server, point to New, and then
select FTP Site to launch the FTP Site Creation
Wizard.
You specify the following information for the site:
Site name
IP address
TCP port number
Path to the site’s home directory
Permissions you want to grant users
to the files in the home directory
14
The IP Address And Port Settings
Page in the FTP Site Creation Wizard
15
Administering Web Sites and FTP
Sites
During IIS installation, default values are
assigned to various properties of the server
and its sites.
You can modify the values of these properties
at the site level, the folder level, or the file
level.
You can access the master properties, server
extensions, bandwidth throttling, and
Multipurpose Internet Mail Extensions (MIME)
mapping for an IIS server from the Properties
dialog box for the server in the IIS snap-in.
16
The WWW Service Master Properties
Dialog Box for an IIS Server
17
Starting and Stopping Services and
Sites
By default, IIS services and sites are
configured to start automatically with
Windows 2000.
To use the IIS snap-in to start, stop, or pause
a site, select a site in the console tree, and
then click the Start Item, Stop Item, or Pause
Item button on the toolbar.
To use the IIS snap-in to stop, start, or
restart all of the IIS services or reboot the
server, right-click the server in the console
tree, and then select Restart IIS to display
the Stop/Start/Reboot dialog box.
18
Restarting Internet Services
19
Defining Home Directories
Each Web and FTP site must have a home
directory, which is the central location for
published pages.
If you have both a Web site and an FTP site
on the same computer, each service should
have its own home directory.
To change a home directory for a Web site or
an FTP site, in the IIS snap-in, right-click the
site in the console tree, click Properties, and
then click the Home Directory tab.
20
The Home Directory Tab in a Web
Site’s Properties Dialog Box
21
Defining a Default Document
When a client connects to a Web site, the
Web server typically transmits a home page,
called the default document, for the site.
By default, an IIS Web site’s default
documents are Default.htm and Default.asp.
To configure default documents for a Web
site, in the IIS snap-in, open the site’s
Properties dialog box, and then click the
Documents tab.
When the default document list contains
more than one document, IIS attempts to
transmit the first document in the list.
22
The Documents Tab in a Web Site’s
Properties Dialog Box
23
Lesson Summary
IIS 5 is installed with Windows 2000 Server
by default.
You can install additional IIS components by
using Add/Remove Programs.
Use the IIS snap-in to create, configure, and
administer Web and FTP sites.
24
Creating Virtual Directories
The simplest possible IIS Web site or FTP site
is one in which all of the site’s files are
located in the home directories of the site.
IIS allows you to add files from other
locations to your sites without moving them.
These added files are called virtual
directories.
25
Creating Virtual Directories
A virtual directory is not contained in the
site’s home directory but appears to client
browsers as though it were.
A virtual directory has an alias, a name that
Web browsers use to access the directory.
An advantage of using virtual directories is
that you can publish files from various
locations without having to move the files.
Aliases provide a measure of security,
because users do not know where the files
are physically located.
26
Creating Virtual Directories (Cont.)
To use the IIS snap-in to create a virtual directory
on an IIS Web site or FTP site, in the console tree,
right-click the site, point to New, and then select
Virtual Directory to launch the Virtual Directory
Creation Wizard.
You specify the following information:
The alias for the virtual directory
The path to the folder containing the files you want to
publish
The permissions you want to grant users to the files in the
virtual directory
27
Using Web Sharing
Another method for creating a virtual
directory on a Web site is to configure a
folder for Web Sharing in Windows Explorer.
Only folders on the Windows 2000 IIS Web
server itself can be shared in this way—you
cannot create a virtual directory out of a
folder on a remote computer by using this
method.
When you configure Web Sharing in Windows
Explorer, you specify an alias for the folder
and the access and application permissions
for users of the folder.
28
The Edit Alias Dialog Box
29
Redirecting Requests
When you move a page on a Web site, you
can instruct the Web server to give browsers
the new URL of the page when they request
that page by its old URL.
This process is called redirecting a browser
request, or redirecting, to another URL.
You use the IIS snap-in to redirect requests
to a Web site, a virtual directory, or a
directory.
30
The Home Directory Tab in a Web
Site’s Properties Dialog Box
31
A Home Directory Tab with URL
Redirection Controls
32
Options for Redirecting Requests
When you redirect a site, virtual directory, or
directory in the IIS snap-in, you specify the
URL that you want the site, virtual directory,
or directory to be redirected to.
You can select one or more options that
further define how the redirection to the new
URL will be handled:
The Exact URL Entered Above
A Directory Below This One
A Permanent Redirection For This Resource
33
Lesson Summary
A virtual directory is not contained in the site’s home
directory but appears to client browsers as though it
were.
Virtual directories are identified by aliases, which
appear as subdirectories beneath a Web site’s home
directory or an FTP site’s home directory.
You can use the IIS snap-in to create a virtual
directory.
You can configure Web Sharing for a folder on the
Windows 2000 IIS Web server by using Windows
Explorer.
You can use the IIS snap-in to redirect requests to a
Web site, a virtual directory, or a directory to a
34
different URL.
Managing Site Security
Security is an important part of IIS
administration.
IIS can use a variety of security mechanisms,
including port assignments, authentication, IP
address and domain name restrictions, access
permissions, and Secure Sockets Layer (SSL).
35
Using Port Assignments
One of the simplest and weakest forms of site
protection is to use an alternate port number for
the site.
Standard port for Web (HTTP) communications: 80
Standard port for FTP communications: 21
You can configure IIS to use a nonstandard port
number for a Web site or FTP site, but standard
requests for site access will fail unless clients
specify the correct port number.
To view or configure a site’s port number, in the
IIS snap-in, use the Web Site tab in the site’s
Properties dialog box.
36
The Web Site Tab in the Default Web
Site’s Properties Dialog Box
37
Using Authentication
Authentication is the most common
mechanism used to restrict access to a Web
site or FTP site.
IIS supports four types of authentication:
Anonymous authentication
Basic authentication
Digest authentication
Integrated Windows authentication
38
Anonymous Authentication
Most Web and FTP sites are public and
provide free access to all users.
Windows 2000 uses a special account,
IUSR_computername, and a randomly chosen
password to provide anonymous users with
limited access to resources.
By default, IIS Web and FTP sites permit
anonymous access.
To control anonymous access for a Web site,
configure the Directory Security tab of the
Web site’s Properties dialog box.
39
The Directory Security Tab in a Web
Site’s Properties Dialog Box
40
The Authentication Methods Dialog
Box
41
Basic Authentication
Basic authentication provides more protection
for a site than anonymous authentication.
With basic authentication, every client must
have a user account on the Web server and
must supply a user name and password.
The advantage of basic authentication is that
it is supported by all browsers running on any
operating system.
The disadvantage is that the user’s name and
password are transmitted in clear text and
can be compromised.
42
Basic Authentication (Cont.)
To configure basic authentication for a Web
site on a Windows 2000 IIS server, select the
Basic Authentication check box in the
Authentication Methods dialog box, which is
accessed from the Directory Security tab in
the Web site’s Properties dialog box.
During this process, you can specify that
users authenticate to a different domain than
the one where the IIS server resides.
43
The Internet Service Manager
Message Box
44
The Basic Authentication Domain
Dialog Box
45
Digest Authentication
Digest authentication lets Web clients send
logon credentials to the IIS server with the
password encrypted.
Digest authentication can be used with a
proxy server.
46
IIS Server Requirements for Digest
Authentication
The accounts that clients use to authenticate must be
located in an Active Directory domain.
Each user account must have the Store Password
Using Reversible Encryption option enabled in its user
object properties.
Configure this option in the Account tab of the user’s
object’s Properties dialog box in the Active Directory Users
And Computers console.
IIS sites must be configured to use digest
authentication.
In the IIS snap-in, select the Digest Authentication For
Windows Domain Servers check box in the Authentication
Methods dialog box, which is accessed from the Directory
Security tab in the Web site’s Properties dialog box.
47
Selecting the Store Password Using
Reversible Encryption Option for a
User Account
48
Integrated Windows Authentication
Integrated Windows authentication is best suited for
clients and servers on the same intranet.
The Web client uses the credentials that the user
logged on to the domain with to authenticate itself to
the IIS server.
To configure this type of authentication, select the
Integrated Windows Authentication check box in the
Authentication Methods dialog box, which is accessed
from the Directory Security tab in the Web site’s
Properties dialog box.
49
Using IP Address and Domain Name
Restrictions
Another method for restricting access to IIS
sites is to specify the IP addresses and
domain names that are to be granted or
denied access.
To create IP address and domain name
restrictions, use the IIS snap-in to configure
the IP Address And Domain Name
Restrictions dialog box, which is accessed
from the Directory Security tab in the Web
site’s Properties dialog box.
50
The IP Address And Domain Name
Restrictions Dialog Box
51
The Grant Access On Dialog Box
52
Using Access Permissions
IIS permissions specify what users connected
to a Web site or FTP site are permitted to do.
IIS permissions can be set at any level of the
IIS site hierarchy: the site level, the virtual
directory level, or the directory level.
To set IIS permissions, open the Properties
dialog box for a site, virtual directory, or
directory; and then click the Home Directory,
Virtual Directory, or Directory tab,
respectively.
53
Using Access Permissions (Cont.)
You can select the following IIS permissions:
Script Source Access
Read
Write
Directory Browsing
In addition, in the Execute Permissions dropdown list, you can set the permission that
specifies whether users can execute scripts
only, scripts and executables, or neither.
54
Using SSL
The Secure Sockets Layer (SSL) protocol lets you
configure IIS sites not only to authenticate users
but also to encrypt data transferred between
client browsers and the IIS server.
SSL is commonly used on Web sites, such as
banking and e-commerce sites, that require
clients to transmit sensitive data.
To use SSL on Windows 2000 IIS sites, you must
first obtain a server certificate, either from a
third-party vendor or by using Windows 2000
Certificate Services and the Web Server
Certificate Wizard in IIS.
55
Lesson Summary
Using a nonstandard port number provides weak
security.
Authentication is the most common mechanism used
to control access to a Web site or FTP site. IIS
supports anonymous, basic, digest, and integrated
Windows authentication.
You can specify the IP addresses and domain names
that are to be granted or denied access to an IIS site.
You can assign IIS permissions to specify what users
connected to a Web site or FTP site are permitted to
do.
SSL lets you encrypt data transferred between client
browsers and the IIS server.
56
Troubleshooting IIS
An administrator must be familiar with
common problems that can prevent clients
from connecting to a Windows 2000 IIS Web
server.
57
Common Client Connection Problems
and Solutions
Symptom: Clients fail to connect to a Web
site.
Cause: A network communications problem
is preventing the connection.
Solution: Check communications between
the client and server by using Ping and by
checking the name resolution mechanism
used to resolve the computer or Domain
Name System (DNS) name in the URL to an
IP address.
58
Common Client Connection Problems
and Solutions (Cont.)
Symptom: Clients fail to connect to a Web
site. (Cont.)
Cause: The site is configured to use a TCP
port number other than the default (80).
Solution: Append the correct port number to
the domain or computer name in the browser
URL (as in http://www.microsoft.com:82).
59
Common Client Connection Problems
and Solutions (Cont.)
Symptom: Clients fail to connect to a Web
site. (Cont.)
Cause: The Web site is not configured to use
anonymous access.
Solution: Activate anonymous access in the
site’s Properties dialog box, or supply the user
with the credentials needed to connect to the
site by using another type of authentication.
60
Common Client Connection Problems
and Solutions (Cont.)
Symptom: Clients fail to connect to a Web
site. (Cont.)
Cause: The anonymous access account is
improperly configured.
Solution: Make sure that the account used
for anonymous access exists in the server’s
account database or in Active Directory with
the correct password, and that the account
used for anonymous access has the Log On
Locally and Access This Computer From The
Network user rights.
61
Common Client Connection Problems
and Solutions (Cont.)
Symptom: Clients fail to connect to a Web
site. (Cont.)
Cause: The client does not have an
appropriate user account for the
authentication type the site is configured to
use.
Solution: If the site is configured to use
digest authentication or integrated Windows
authentication only, the client must have a
Windows 2000 user account. In the case of
digest authentication, the client must have an
Active Directory user account.
62
Common Client Connection Problems
and Solutions (Cont.)
Symptom: Clients fail to connect to a Web
site. (Cont.)
Cause: The site, virtual directory, or directory
containing the requested file is not configured
with the correct permissions.
Solution: If the default document or the
requested file is a script or a program, the
site, virtual directory, or directory must be
configured with either the Scripts Only or
Scripts And Executables permission, in
addition to the Read permission.
63
Common Client Connection Problems
and Solutions (Cont.)
Symptom: Clients fail to connect to a Web
site. (Cont.)
Cause: The site requires an SSL connection.
Solution: If the site is configured to require a
secured connection using SSL, the URL in the
browser must use the https:// prefix instead
of http:// and must include the appropriate
SSL port number (as in
https://secure.microsoft.com:5000).
64
Lesson Summary
When troubleshooting Web site connection problems,
check for network communication and networking
hardware failures.
The type of authentication that a site is configured to
use is a frequent source of logon failures.
Digest and integrated Windows authentication
require all Web client users to have Windows 2000
user accounts.
Sites that use scripts or programs must be configured
with the appropriate permissions for clients to be
able to run those scripts or programs.
To connect to a site that requires an SSL connection,
the URL must specify both the https:// prefix and the
65
correct SSL port number.