Title: Web and FTP Services
School: University of Technology
Subject: Web and FTP Services
Type: Report
Year of publication: 2000
City: Unknown
Pages: 42
File size: 449.01 KB


Web and FTP Services

This chapter covers configuring and managing an Internet or intranet server for HTTP, FTP, SMTP, and NNTP services and security. You’ll learn how to set up a Windows 2000-based Web server to host Web and FTP sites, act as an e-mail server, and host newsgroups.

Overview of Web and FTP Server Administration

Windows NT provided an extensive range of services for configuring and managing an Internet or intranet server based on Windows NT. Windows 2000 Server expands those services, making Windows 2000 an even better platform for distributing Web-based content. This chapter explains each of the services and also examines global issues such as building a management team to manage your servers and the services they provide.

Because designing and implementing an Internet or intranet server is a complex task that would take its own book to cover in depth, this chapter can’t cover every facet of IIS. Instead, you’ll examine the most common issues and learn the procedures you should follow in order to accomplish various tasks. In some cases, we’ll refer you to other sources of information where you can get more details if you need them.


Web-Related Services

Windows 2000 Server incorporates several services geared toward Internet and intranet clients, collectively known as Internet Information Services (IIS):

✦ World Wide Web Server: This service enables you to configure Windows 2000 to function as an HTTP server for the World Wide Web (WWW). Through this service, a Windows 2000 Server computer can host multiple Web sites. The World Wide Web Server is also required by certain other services, primarily to provide remote administrative access to the server and those dependent services.

✦ File Transfer Protocol (FTP) Server: The FTP protocol provides for file transfer between computers. Although many sites now provide their file distribution efforts with the HTTP server, FTP is still the most widely used mechanism for serving files for upload and download via the Internet or an intranet. Through the FTP service, a Windows 2000 Server computer can host multiple FTP sites.

✦ Simple Mail Transport Protocol (SMTP) Service: The SMTP protocol and service enable you to configure a Windows 2000 Server as an SMTP e-mail server.

✦ Network News Transfer Protocol (NNTP) Service: The NNTP protocol and service enable you to configure a Windows 2000 Server to act as a news server. You can host public, private, read-only, moderated, and authenticated newsgroups, and take news feeds from other NNTP servers on the Internet to create a public news server.

✦ FrontPage Server Extensions: FrontPage Server Extensions enable the HTTP service in Windows 2000 Server to support FrontPage Webs, which are Web sites developed with Microsoft FrontPage. In general, the FrontPage Server Extensions allow for remote authoring and management of FrontPage sites.

✦ Visual InterDev RAD Remote Deployment Support: This service enables developers using Visual InterDev RAD (a development environment authored by Microsoft) to publish and manage sites created with that development platform.

If you are building a public Web server to provide extensive client support, e-commerce, and other Internet services (if you’re an ISP, for example), you’ll probably want to look at solutions other than just the services built into Windows 2000 Server. For example, Microsoft Commercial Internet Server brings together all the services mentioned so far plus additional ones (SQL Server, Site Server) to enable you to create a full-service Web server. However, the services included with Windows 2000 Server offer a solid platform for developing an intranet server or a public Internet server geared toward hosting your own company or organization site.

Web Services Checklist

Before beginning the process of installing and configuring IIS and related services, you should plan the server implementation and make sure the server is ready for IIS. The following serves as a checklist for planning and preparing for IIS installation and configuration:

✦ Define the server mission: By knowing what you expect the server to provide to clients, you can determine which IIS services and related services are required for installation. The role the server will play has a bearing on the server’s hardware and connection requirements, as well as how you configure security. Know ahead of time exactly what functions you want the server to perform and whether those functions will be made available to anonymous users or restricted to specific groups or individuals. If you’re setting up a Web server to host several sites for your company or for your clients, for example, you’ll probably want to invest in a high-performance server with RAID, high-capacity backup hardware, and at a minimum a T1 Internet connection.

✦ Establish the Internet connection for a public server and acquire IP addresses: If your server will be connected to the Internet, contact your ISP to establish the connection (if one isn’t already in place) and acquire the necessary IP addresses for the server to support its mission.

✦ Implement network protection: If your server will be or is connected to the Internet, implement a firewall (or at the very least a proxy server) to secure the server and its content against malicious attacks.

✦ Prepare the hardware, OS, and file system: Based on the server’s mission, determine the type of hardware required to adequately support the mission. Install Windows 2000 Server and test the server. Then, determine where you will store IIS services and content and convert those volumes to NTFS (not required but highly recommended for security).

✦ Secure the server’s non-IIS services and files: Review the server’s other services and files and secure them with object permissions and account restrictions to prevent unauthorized access to these services and files.

✦ Install and configure TCP/IP: IIS services require TCP/IP whether you are installing an Internet or intranet server. Install TCP/IP and configure the server’s settings according to the server’s mission. If the server will host multiple sites, bind multiple IP addresses (as many as required) to the TCP/IP protocol.

Note: See Chapter 12 for detailed information on installing and configuring TCP/IP.

✦ Install and configure DNS to support your domain(s): If you are providing your own Domain Name Service (DNS) namespace resolution, set up and configure the DNS service, either on the IIS server or on a different server. Create the initial zones to be hosted by the IIS server and create resource records as needed. If an ISP or other organization will be providing DNS services, ensure that those services are in place and the necessary zones and records are ready.

✦ Install IIS services: Install the IIS services necessary to support the server’s mission.

✦ Secure directories and develop user access permissions and policies: After setting up the IIS services, review the object permissions for content folders and for user accounts and groups to ensure adequate security for the server and its content.

✦ Create and test sites: Create sites that support the server’s mission, then test those sites for functionality. Configure the sites to accommodate specific resource needs, such as throttling bandwidth or limiting connections.

The process described in the preceding checklist can take several weeks of careful study, planning, and implementation. Each step is critical to successful implementation of an IIS server. Many of these topics are covered elsewhere in this book. Part IV, for example, covers TCP/IP configuration, DNS, DHCP, remote access, and related topics. See Chapter 3 for a discussion of local and network security issues relevant to IIS. See Chapter 22 for information on how to use object permissions to restrict access to files and folders, which will help control IIS content access.

Installing IIS 5.0

It’s a relatively simple process to install IIS through the Add/Remove Programs wizard in the Control Panel. Follow these steps to install IIS:

1. Install, configure, and test any required non-IIS services according to the server function (DHCP, DNS, TCP/IP, Index Server, and so on).

2. Open the Control Panel and double-click the Add/Remove Programs icon.

3. In the wizard, click Add/Remove Windows Components.

4. After Windows 2000 scans the server for installed components, it displays a component list (Figure 24-1). To install all IIS services, select the check box beside the Internet Information Services (IIS) item. Or, click an item and click Details to select an individual IIS component.

5. After selecting the desired services, click OK. Follow the remaining prompts to complete the installation process. Windows 2000 should require no additional input other than you providing the Windows 2000 Server CD for Setup to copy the required files to the system.

6. Reboot the server after installation is complete.

Figure 24-1: Use Add/Remove Programs to add IIS service components to the server

Configuring and Managing HTTP Services

The World Wide Web Server component of IIS enables a Windows 2000 Server computer to function as a Web server for HTTP content. The Web service offers several features that provide considerable control over content, security, and bandwidth, making IIS a good option for Windows 2000 Server-based Web servers. The following sections explain the Web service’s features and how to configure and manage Web sites under IIS.

The Default Site

When you install the Web service, IIS creates a default Web site shown in the Internet Information Services MMC console. This default site provides certain underlying services that the server performs through the following functions:

✦ IIS administration: The default site provides a means of managing the Web server through a browser. Administrative content is placed by default in the virtual folder IISAdmin, which you can access in a browser with the URL http://localhost/iisadmin. (See the following section for a discussion of virtual folders.) IIS administration through HTML is restricted by default to localhost. You can, however, configure the IISAdmin virtual directory to allow access from other IPs, including those on the LAN as well as on the Internet. For more information on configuring remote administration, see the section “Remote Administration” later in this chapter.

✦ IIS Help: The IISHelp virtual folder contains documents in HTML format that provide detailed information about IIS and its services. View the documents by pointing your browser on the server to http://localhost/iishelp.

✦ IIS Samples: This virtual folder contains several sample scripts in Java and Visual Basic for administration and in Active Server Pages for several different task categories.

✦ Internet-based printing: IIS Setup creates a Printers virtual folder and populates it with the files necessary to support Internet Printing Protocol (IPP), which enables clients to print to the server across the Internet.

Note: See Chapter 23 for a detailed discussion of IPP and how to configure Windows 2000 Server to support IPP printing from Internet and intranet clients.

The default site is bound to all unassigned IP addresses. This means that the site responds to all IP addresses bound to the server that are not assigned to other sites. The default site has other implications, particularly on a server hosting multiple sites. For example, assume that all sites on the server use the same IP address and employ host headers to direct incoming client requests to a specific site. If a particular site is not available (because it is stopped, for example), IIS serves the default site to the client. So, you should take the time to develop a default Web site that accommodates situations in which a client will “accidentally” be directed to the site. Think of the default as your “error handler” for incoming Web requests. Design the default site to redirect the clients back to the correct site.

Configuring Web Sites

Setting up a Web site under IIS is not a difficult task, but it takes several steps to accomplish it. This section explains how to set up new sites and configure existing sites.

Preparing the server

The first step in setting up a site is to prepare the site’s folders. Often, the simplest approach is to place all of a site’s files within a single physical folder structure with all content residing in that folder and its physical subfolders. However, IIS doesn’t impose a single folder structure. You can create a virtual structure using a folder on the local server, a share on another server, and virtual folders. All of these appear as a single, logical folder structure to the client and function accordingly within the site content. At this stage, determine how you will store the site files, whether they’ll be on a single server or multiple servers, and what NTFS permissions you need to apply to the folders to control access if not using anonymous access or using a combination of anonymous and authenticated access. Create the folders on the target computer(s) and configure permissions as required.

Next, verify that you have the necessary IP address bound to the server. If the server will only host one site, you only need one IP address. You’ll need to bind multiple IP addresses to the server, use multiple TCP ports, or use host headers to host multiple sites (explained in the following section). Use the TCP/IP protocol properties in the network connection’s settings to view and add IP addresses.

Finally, verify that the necessary DNS zone is created for the domain on the site’s designated name server(s) and that the zone is populated with the appropriate resource records. For example, assume you’re setting up a Web and FTP server for the mcity.org domain. Create a DNS zone on your DNS server for mcity.org with the appropriate Start of Authority (SOA) and Name Server (NS) records for the zone. Then, create A records (or CNAME records) for www and ftp that point to the appropriate IP addresses for those services on your IIS server. Lastly, make sure that the domain is registered with the root servers and that the root servers’ records point to your DNS server for name resolution.

Note: See Chapter 14 for detailed information on configuring DNS zones and records.

Creating and configuring the site in IIS

There are several steps to create and configure a Web site in IIS, although the process of simply putting up a site is relatively simple. Applying advanced properties can take a little longer if you have special needs for the site or want to provide additional customization of properties or behavior. The first step is to run the Web Site Creation Wizard.

Running the site wizard

To add a site, open the IIS console (Start ➪ Programs ➪ Administrative Tools ➪ Internet Services Manager). Right-click the server where you want to add the site and choose New ➪ Web Site to start the Web Site Creation Wizard. The wizard prompts you for the following information:

✦ Description: This is the description that appears in the IIS console to identify the site.

✦ IP Address: Select the IP address for the site from the drop-down list. Each site needs a unique IP address unless you use host headers, as described shortly.

✦ TCP port: The default HTTP port is 80, but you can specify any valid port that doesn’t conflict with other services on the server. Specifying a non-default port adds a bit of security because the clients will need to know the port number to connect and specify it in the URL, as in http://www.mcity.org:8080, using port 8080 as an example. See http://www.isi.edu/in-notes/iana/assignments/port-numbers for an up-to-date list of registered well-known TCP port numbers.

✦ Host Header: The host header is the domain name requested by the client’s URL, such as support.mcity.org in the URL http://support.mcity.org/contacts. The host name is passed by the client’s browser to the server, and IIS can use that host name to determine which site to serve up on a multi-site server. See the section “Configuring Multiple Sites with a Single IP” later in this chapter for more information.

✦ SSL port: If you are using Secure Socket Layer (SSL) to create a secure Web site, specify the SSL port number. The default port number is 443.

✦ Path to the home directory: Type or browse to the path that will serve as the site’s primary folder. You can specify a local folder, network share, or URL.

✦ Allow anonymous access: Select this option to allow anonymous connections to the site. Deselect this option to use Windows 2000 accounts to authenticate within the site.

✦ Access permissions: Configure the type of access permissions you want clients to have to the site. Available options include the following:

• Read: Enable clients to read the site’s content.

• Run Scripts: Allow clients to run scripts such as ASP, Java, and so on.

• Execute: Allow clients to execute applications such as ISAPI, CGI, and so on.

• Write: Allow clients to post content to the site.

• Browse: Allow clients to browse the directory structure for the site.

After you create the site through the wizard, you need to set some additional properties to define the site’s content, permissions, and so on. The following sections explain these steps.

Configuring default documents

Most sites incorporate at least one default document. This is the HTML or ASP document presented to the client if no document is submitted in the URL. For example, browsing to http://www.mcity.org would display whatever default document is configured for the www.mcity.org site (such as default.htm, or default.asp). However, the client could also request a specific document, such as http://www.mcity.org/contacts.htm. In this case, IIS would serve up the document Contacts.htm, assuming it existed within the site’s root folder.

You can configure multiple default documents. If one specified in the list is not available, IIS serves the next document in the list. You configure the document priority when you assign the default documents. To do so, open the IIS console, right-click the Web site you want to modify, and choose Properties. On the Documents property page, select Enable Default Document, then either verify that you’re using one of the default document names (Default.htm or Default.asp) for the primary document in the target folder, or click Add to add the document name you want to use. After adding all appropriate names, use the up and down arrows to change document order.

Configuring the Home Directory

When you add the site through the wizard, you specify the local folder, network share, or URL to serve as the home directory for the site. Another step in configuring the site is to fine-tune the home directory properties. To do so, right-click the site in the IIS console, choose Properties, and click the Home Directory tab to display the Home Directory page shown in Figure 24-2.

As Figure 24-2 illustrates, you can change the home directory location if needed. Use the check boxes on the dialog box to define access permissions and enable logging and indexing. You also can apply a fine degree of control over application execution and debugging through the Application Settings group of controls. Fine-tune the settings based on the site’s function, intended clients, and your security needs.

Figure 24-2: Use the Home Directory page to fine-tune permissions or redirect the site to a different home directory

Configuring security

A site’s Directory Security property page enables you to configure access and security for the site. Through the Directory Security page, you can enable or disable anonymous access and specify authentication options (clear text, digest authentication, or integrated Windows authentication). You also can specify a range of IP addresses that will be either granted or denied access, giving you a means of restricting access to a specific subnet. This is particularly useful for allowing access only to intranet users in a specific physical location, such as a department or throughout the entire organization (to prevent outside connections to the site).

You also can use the Directory Security page to configure certificates and enable SSL. See the section “Enabling Secure Sockets Layer” later in this chapter for more information.
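The grant/deny address restriction described above, and the localhost-only default of the IISAdmin virtual folder mentioned earlier, can be modelled as a default action plus a list of exceptions. The following is an added example, not code from the book or from IIS; the class and function names and all sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class IpRestriction:
    """Model of an address restriction: a default action plus exceptions."""
    default_grant: bool                                   # action for unlisted clients
    exceptions: List[str] = field(default_factory=list)   # single IPs or CIDR ranges

    def __post_init__(self):
        # strict=True rejects entries such as "192.168.0.5/24" (host bits set),
        # a typo that would otherwise be silently read as the whole /24.
        self._nets = [ipaddress.ip_network(e, strict=True) for e in self.exceptions]

    def allows(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        listed = any(addr in net for net in self._nets)
        # Default grant: listed addresses are the denied ones.
        # Default deny: listed addresses are the granted ones.
        return (not listed) if self.default_grant else listed


def grants_outside(policy: IpRestriction, scope: str) -> List[str]:
    """Entries of a policy that admit clients outside the intended scope."""
    if policy.default_grant:
        # A deny list cannot confine a site to one subnet.
        return ["<everything not denied>"]
    scope_net = ipaddress.ip_network(scope)
    return [str(n) for n in policy._nets
            if n.version != scope_net.version or not n.subnet_of(scope_net)]


# Constructed policies for illustration.
IISADMIN = IpRestriction(default_grant=False, exceptions=["127.0.0.1"])
INTRANET_SITE = IpRestriction(default_grant=False, exceptions=["192.168.0.0/24"])
DENY_LIST_SITE = IpRestriction(default_grant=True, exceptions=["203.0.113.0/24"])

if __name__ == "__main__":
    for client in ("127.0.0.1", "192.168.0.77", "192.168.1.77", "203.0.113.9"):
        print(client,
              "iisadmin:", IISADMIN.allows(client),
              "intranet:", INTRANET_SITE.allows(client),
              "deny-list:", DENY_LIST_SITE.allows(client))
    # Review step: does an "intranet only" policy grant anything wider?
    audited = IpRestriction(False, ["192.168.0.0/24", "203.0.113.0/24"])
    print(grants_outside(audited, "192.168.0.0/16"))
```

Only a default-deny policy confines a site to a subnet; with a default-grant policy every address not explicitly denied is still admitted.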

Configuring other site settings

You can get most sites up and running through the tasks and options covered to this point. However, each site provides several other property pages you can use to configure a wide variety of site properties to control performance, configure additional security options, and so on. While this chapter can’t cover them all in detail, the following list summarizes the types of tasks you can accomplish through each of the other property pages:

✦ Operators: Use the Operators page to specify users and groups that have operator privileges to the site. Operators have limited administrative privileges over the site. Operators can configure and modify a site but can’t control site aspects such as anonymous user name and password, bandwidth throttling, virtual directory creation, path changes, or certain other tasks that are limited to the Administrator.

✦ Performance: The Performance page provides a means for controlling site performance. You can set the site priority by specifying a range of the number of hits expected per day. The Performance page also lets you enable and configure bandwidth and CPU throttling, which limit the load on the server imposed by the site.

✦ ISAPI Filters: ISAPI filters respond to events during processing of HTTP requests and can provide background processing for site traffic. Use the ISAPI Filters page to install and enable or disable ISAPI filters.

✦ HTTP Headers: This property page controls several features related to HTTP headers for the site, including the following:

• Content expiration: Use this feature to specify when content expires to enable clients and scripts that test for content expiration and automatically refresh content from the site.

• Custom HTTP headers: Add custom HTTP headers to the site to enable custom processing within scripts/browsers.

• Content rating: Enable and configure the site’s content rating to enable rating filters to identify and potentially block the content from the client based on its rating values.

• MIME mapping for the site: Configure new file type associations for content on the site.

✦ Custom Errors: Defines the error messages received by clients, such as the page that appears when the client requests a page that doesn’t exist (the Not Found error). The error pages by default are stored in systemroot\help\iishelp\common. You can edit the files with any HTML or text editor to customize the pages.

✦ Server Extensions: The Server Extensions page enables you to configure Server Extensions (also referred to as FrontPage Server Extensions), which control options for Web authoring through FrontPage and related applications. See the section “Configuring Server Extensions” later in this chapter for additional information.

Configuring multiple sites with a single IP address

Although you can configure multiple Web sites on a single server using unique IP addresses for each one, this can pose a problem in cases where only a limited number of addresses are available (if your ISP only gave you a small subnet, for example). The IP address is just one of three properties that define the site. The other two are the TCP port and host header. The TCP port is the port through which the site communicates, and the host header is (usually) the site’s domain name. Our example mcity.org main site uses an internal address of 192.168.0.3, the default TCP port 80, and the host header www.mcity.org. The support site could use 192.168.0.3, port 80, and a host header of support.mcity.org. Sites on the same server can share any two of these properties, but one must be different. In this case, the host header for each site is unique.

Host headers enable you to share an IP address with multiple sites because most browsers (Internet Explorer 3.0 and Netscape 2.0 and later) support the use of host headers. These browsers pass the host header information to the server, and the server directs traffic to the appropriate site based on that header. Figure 24-3 illustrates how host headers help direct traffic to the correct site.

Note: Browsers that support HTTP 1.1 support host headers. Certain other older browsers also support host headers even though they don’t support HTTP 1.1. In addition, sites configured for SSL cannot use host headers, since the header information is encrypted. SSL sites must use a unique IP address.
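The rules in this section (three identifying properties, at least one of which must differ; fallback to the default site when a site is stopped; a unique IP address for SSL sites) can be checked against a planned site list before it is configured. The following is an added example and a simplified model of the behaviour this chapter describes, not code from the book or from IIS; the site names, the "shop" site, and the helper names are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

ALL_UNASSIGNED = "*"  # stand-in for the default site's "all unassigned" binding


@dataclass(frozen=True)
class Site:
    name: str
    ip: str                 # a specific address, or ALL_UNASSIGNED
    port: int = 80
    host_header: str = ""   # empty string means no host header configured
    running: bool = True
    ssl: bool = False

    def identity(self) -> Tuple[str, int, str]:
        # The three properties that define a site; host names compare
        # case-insensitively.
        return (self.ip, self.port, self.host_header.lower())


def find_conflicts(sites: List[Site]) -> List[Tuple[str, str]]:
    """Pairs of sites that share all three identifying properties."""
    return [(a.name, b.name) for a, b in combinations(sites, 2)
            if a.identity() == b.identity()]


def ssl_sites_without_unique_ip(sites: List[Site]) -> List[str]:
    """SSL sites whose IP address is also bound to another site."""
    return [s.name for s in sites
            if s.ssl and any(o is not s and o.ip == s.ip for o in sites)]


def resolve(sites: List[Site], dest_ip: str, dest_port: int,
            host: str) -> Optional[Site]:
    """Pick the site that answers a request, per the rules described above."""
    host = host.split(":")[0].strip().lower()   # drop any ":port" suffix
    running = [s for s in sites if s.running and s.port == dest_port]
    # 1. Exact match on IP address, port and host header.
    for s in running:
        if s.ip == dest_ip and s.host_header and s.host_header.lower() == host:
            return s
    # 2. A site bound to this IP address and port with no host header.
    for s in running:
        if s.ip == dest_ip and not s.host_header:
            return s
    # 3. The default site, bound to all unassigned addresses. This is what a
    #    client receives when the intended site is stopped or the host name
    #    is unknown, so its content deserves the same review as any site.
    for s in running:
        if s.ip == ALL_UNASSIGNED and not s.host_header:
            return s
    return None


# Constructed site list based on the chapter's mcity.org example.
SITES = [
    Site("Default Web Site", ALL_UNASSIGNED),
    Site("www", "192.168.0.3", host_header="www.mcity.org"),
    Site("support", "192.168.0.3", host_header="support.mcity.org", running=False),
    Site("shop", "192.168.0.3", port=443, host_header="shop.mcity.org", ssl=True),
]

if __name__ == "__main__":
    for host in ("www.mcity.org", "support.mcity.org", "unknown.example"):
        site = resolve(SITES, "192.168.0.3", 80, host)
        print(host, "->", site.name if site else None)
    print("conflicts:", find_conflicts(SITES))
    print("SSL sites sharing an IP:", ssl_sites_without_unique_ip(SITES))
```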

Figure 24-3: Host headers direct traffic to the appropriate site when a single IP is used for multiple sites. [Diagram labels: Client; client request for support.mcity.org; mcity.org Web server; TCP port 80; IIS interprets host header; domains hosted on 192.168.0.10: www.mcity.org, support.mcity.org, sales.mcity.org, service.mcity.org, www2.mcity.org]

To configure the host header for a site, right-click the site in the IIS console and choose Properties. Click Advanced on the Web Site property page. In the Advanced Multiple Web Site Configuration dialog box, select the site identity you want to modify and click Edit. Specify the domain portion of the site’s URL (www.mcity.org or support.mcity.org, for example) as the host header, then close the site’s property sheet. Finally, make sure you modify the DNS records for each domain to point the host (www, support) to the appropriate IP address.

Although you can direct traffic to a specific site with a non-unique IP address by specifying a different port number for each site, that typically requires that the client know the port number ahead of time. You can develop a primary site using port 80 that serves as a jumping-off point to these other non-default port sites, but you would need to incorporate the appropriate port value in all hyperlinks within each site. The better, cleaner solution is to use host headers.

Note: You have two options for supporting client browsers that do not support host headers: cookies or URL-munging (embedding the host name in the URL). Because these topics apply in a limited number of situations (most browsers in use support host headers), they are not covered in this chapter. See the topic “Supporting Host Header Names in Older Browsers” in the IIS online Help documentation to learn how to enable support for browsers that don’t support host headers.

Configuring server extensions

Microsoft FrontPage is an HTTP publishing application that lets you create, modify, and publish Web sites to a server that supports FrontPage Server Extensions. While few Web development companies consider FrontPage a viable tool for professional Web development, many companies or organizations use it to enable end-users to create and update their own areas of a site or departmental sites. This section covers the FrontPage Server Extensions in the event you need to install them on a Web server to allow users to manage sites on the server.

Installing FrontPage Server Extensions is really a two-step process. First, you need to install the extensions on the server. Then you install the extensions to each Web site that requires them. To install FrontPage Server Extensions on the server, open the Control Panel and run the Add/Remove Programs object. Click Add/Remove Windows Components, double-click Internet Information Services, and select FrontPage 2000 Server Extensions. Click OK and follow the prompts to complete the installation to the server.

Next, you need to install Server Extensions on each site for which FrontPage is used. You do so through the IIS console. Open the IIS console, right-click the site, and choose All Tasks ➪ Configure Server Extensions. IIS starts the Server Extensions Configuration Wizard, which prompts you for the following information:

✦ Create local machine groups: Select this option to have Windows 2000 automatically create local groups for management purposes. These groups include Admins, Authors, and Browsers. Deselect this option if you already have one or more groups created for grouping site managers.

✦ Begin the Group names with this distinguishing label: If creating local machine groups, you can specify a unique label to begin each group name. If you specify Mcity, for example, IIS creates three groups named Mcity Admins, Mcity Authors, and Mcity Browsers. Omit the label to create the groups Admins, Authors, and Browsers.

✦ Group or user account to be Web Administrator for the site: Specify the account that will serve as the administrator for the site.

✦ Mail server settings: Specify the mail settings for the site, including author for outgoing mail, contact address, and SMTP mail server.

After you configure server extensions on a site, you can manage extension settings through the site’s property sheet. Right-click the site, choose Properties, and then click Server Extensions to display the Server Extensions page shown in Figure 24-4.

Figure 24-4: FrontPage extension options on the Server Extensions page

The Enable Authoring group of controls determines whether authors can use FrontPage to access and modify the content of the root web for the selected site. Controls in this group configure version control, performance (caching), and scripting options. The Options group lets you configure e-mail settings and Office Collaboration features (which are available only if Office Web Server — OWS — is installed on the server). Use the Don’t Inherit Security Settings option and associated controls to determine whether or not the site inherits global security settings from IIS. Deselect this option to override global settings with individual settings to configure the site differently from other sites on the server.

Enabling secure socket layer

IIS fully supports Secure Socket Layer (SSL) connections to provide secured transactions between the client browser and the server. SSL is typically used to provide secure credit card transactions and other e-commerce functions, but SSL can be used in any situation in which you want the traffic flowing between the client and server to be encrypted and secure from outside tampering or hijackers. For example, you might want to use SSL for site authoring.

Enabling SSL requires several steps:

1. Obtain a certificate from a Certificate Authority (CA) for the server. If you have Certificate Services installed on a Windows 2000 Server in your enterprise, you can obtain a certificate from that CA. Otherwise, you’ll need to obtain a certificate from another CA, such as Thawte or VeriSign. See Chapter 3 for additional information on certificates and CAs. The following steps assume you’re using a Windows 2000 Server running Certificate Services either on the local computer or a computer in your enterprise to generate certificates for you.

2. Open the IIS console, then open the properties for the site for which you want to obtain a certificate to enable SSL. Open the Directory Security page.

3. Click Server Certificate to start the Web Server Certificate Wizard. Within the wizard, select the option to create a new certificate. (You have the option of assigning an existing certificate and importing a certificate from a Key Manager backup file, but this procedure assumes you’re requesting a new certificate.)

4. Complete the wizard to create the request. You can submit the request immediately if an Enterprise CA is available on the network. IIS will not recognize a standalone CA server on the same computer or detect one on the network. In this situation, you need to create the request using the wizard, which creates an encrypted text file. You then run the wizard again to submit the encrypted request to the CA. The remaining steps assume you’ll be creating the file and submitting later. Use the following list as a guide to respond to the wizard’s prompts:

• Prepare the request now, but send it later: Use this option if you have no enterprise CA in your enterprise, or wish to submit to a standalone CA.

• Send the request immediately to an online certification authority: Use this option to submit the request immediately to an enterprise CA (dimmed if IIS doesn’t detect an available CA).

• Name: Friendly name for the certificate.

• Bit length: A longer bit length increases security but can decrease performance. The default is 512.

• Server Gated Cryptography certificate: Select this option to request an

• Common name: Specify the domain name (such as www.mcity.org) for a site hosted on the Internet. You can specify a DNS name or NetBIOS name for a site hosted on your intranet.

• Regional information: Specify country, state, city, or other regional information for your organization.

• File name: Specify a file name under which the certificate request will be saved.

5. With a Web browser, connect to the CA using http://ServerCA/CertSrv, where ServerCA is the DNS name or IP address of the certification server. Choose Request a certificate and click Next.

6. Select Advanced Request and click Next.

7. Choose Submit a certificate request using a base64 encoded PKCS #10 file, then click Next.

8. Click Browse and browse for the file created in step 4, then click Read to read the file into the form. Or, open Notepad and then open the certificate request created in step 4. Copy the text from the file and paste the text into the Saved Request text box on the form. Make sure to select Web Server from the Certificate Template drop-down list. Then click Submit.

9. Follow the prompts provided by the CA to complete the request. Depending on how the certificate server is configured, you’ll either be granted the certificate immediately or will have to return to the page after an Administrator has issued the certificate. In either case, you’ll have the option of downloading the certificate in DER or Base 64 encoded formats. Either format is acceptable.

10. Open the IIS console and open the property sheet for the site, then open the Directory Security page. Click Server Certificate to run the wizard again, which will recognize that a certificate request is pending for the site. Through the wizard, specify the location of the certificate file provided by the CA in step 9 and then complete the wizard to install the certificate.

11. On the Directory Security page, click Edit to display the Secure Communications page (Figure 24-5). Configure options based on the following list, then close the property sheet and stop/start the site in preparation for testing the site:

• Require Secure Channel: Select this option to require the client to use SSL to connect to the site. Deselect the option to allow unencrypted access to the site.

• Require 128-bit encryption: Select this option to require the client to use 128-bit encryption.

• Client certificates: Specify how client certificates are treated. For a public Web site, choose Ignore client certificates. Select Accept client certificates to allow clients to optionally use client-side certificates to authenticate on the site. Select Require client certificates to force clients to use a certificate.

• Enable client certificate mapping: Use this option to allow clients to use their client-side certificates to authenticate against user accounts on the server. This enables you to integrate client logon with your Windows 2000 user accounts and groups.

• Enable certificate trust list: Select this option and use the associated controls to define a list of CAs that are trusted for the site.

Figure 24-5: The Secure Communications page

After you configure the site, you should test it to make sure it functions properly. Open a browser on another system and connect to https://site name, where site name is the Web site’s DNS name or the NetBIOS server name (intranet). If you receive an error that the site can’t be displayed, open the Directory Security properties for the site and view the certificate. Make sure the Issued To field for the certificate matches the name of the site (www.mcity.org, for example) or the NetBIOS name of the server (for an intranet site). If it does not, you need to remove the certificate and request a new certificate with the correct name.
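The Issued To comparison can also be run from a client system. The following Python is an added example, not part of the original chapter: it retrieves the certificate a site presents and classifies its Issued To name against the site's DNS or NetBIOS name, also flagging a certificate issued to an account name such as Administrator. The function names, the account_names default and the sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl


def fetch_certificate(host, port=443, cafile=None):
    """Return the server certificate as the dict built by getpeercert().

    cafile: PEM file with the issuing CA's certificate, needed when the
    CA (for example an enterprise CA) is not in the client's trust store.
    Host name checking is off so a mis-named certificate can still be
    retrieved and diagnosed; the certificate chain is still verified.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issued_to(cert):
    """Common names in the certificate subject (the Issued To field)."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def check_issued_to(cert, site_name, netbios_name=None,
                    account_names=("administrator",)):
    """Classify the certificate as 'ok', 'account-name' or 'wrong-name'."""
    accepted = {site_name.lower()}
    if netbios_name:
        accepted.add(netbios_name.lower())
    names = [n.lower() for n in issued_to(cert)]
    if any(n in accepted for n in names):
        return "ok"
    accounts = {a.lower() for a in account_names}
    if any(n in accounts for n in names):
        return "account-name"   # issued to a user, not to the Web server
    return "wrong-name"         # request carried a different common name


# Constructed sample certificates in the getpeercert() layout.
GOOD = {"subject": ((("countryName", "US"),),
                    (("commonName", "www.mcity.org"),))}
USER = {"subject": ((("commonName", "Administrator"),),)}
OTHER = {"subject": ((("commonName", "srv1.mcity.org"),),)}

if __name__ == "__main__":
    for label, cert in (("good", GOOD), ("user", USER), ("other", OTHER)):
        print(label, issued_to(cert), check_issued_to(cert, "www.mcity.org"))
```

Against a live site, pass the result of fetch_certificate() to check_issued_to(); a result other than "ok" means the certificate has to be removed and requested again.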

If the certificate’s Issued To field shows a user name or Administrator, you probably neglected to select Web Server from the Certificate Template drop-down list when you requested the certificate. Resubmit the request with the correct template.

Managing the Web Server

The Internet Information Services MMC console provides the primary means through which you manage IIS Web sites. You can use the console to set site properties; stop, pause, and start a site; set properties on documents within a site; configure FrontPage Server Extensions; define custom headers and error pages; and all other management tasks.

You can use the IIS console to manage IIS services and sites locally or to connect to other servers on your network. To connect to another server, right-click on Internet Information Services in the console tree and choose Connect from the context menu. Or, choose Action ➪ Connect from the console menu. Specify the name of the computer to manage and click OK. You also can connect to systems on a remote network if you first establish a VPN connection to the network. After establishing the VPN connection, connect with the IIS console to the remote server as you would for a local server.

IIS also provides a means of managing Web sites remotely through a browser. The Administration Web Site, which Setup creates automatically when you install IIS, enables you to initially connect on the server locally with a browser to perform limited administration tasks on the default Web site. Connect to http://localhost/iisadmin to manage the server locally through a browser.

You also can configure the IISADMIN site to allow management from other computers, including across the Internet. To do so, open the properties for the Administration Web Site and click the Directory Security tab. Click Edit in the IP address and domain name restrictions group, then specify the individual computers, group of computers, or domain from which the server can be managed. If you prefer, you can grant all computers access to the server, but this isn’t recommended for security reasons.

The IISADMIN site lets you manage the Default Web Site, including setting its properties and creating and deleting folders. You also can configure IIS to enable browser-based management of other sites. To do so, add the IISADMIN folder as a virtual folder to those sites you wish to manage through a browser. Right-click the site to which you want to add the folder and choose New ➪ Virtual Directory. Create a virtual directory with an alias of your choosing (such as admin) that points to systemroot\System32\inetsrv\iisadmin. Configure the server and the new virtual directory to allow access by the desired computers or domains, then point a browser to http://site/alias, where site is the DNS name or IP address of the site and alias is the alias you assigned to the IISADMIN folder.

Unfortunately, you can’t manage FTP, SMTP, or NNTP services through a browser. If you need to administer these remotely, connect to the network with a VPN and use the IIS console instead.

You can stop and start the WWW service remotely by connecting to the server through a Telnet session and issuing the commands NET STOP W3SVC or NET START W3SVC, respectively. This requires that the Telnet service be running and configured to allow you to log on through Telnet.

Configuring and Managing FTP Services

FTP stands for File Transfer Protocol. FTP enables users to upload and download files to and from the server. While HTTP is becoming more common as a means for file transfer, FTP still serves an important role in providing file transfer services. While HTTP restricts clients to a browser for uploading and downloading files, FTP enables clients to use a browser, FTP command line, or third-party FTP utility to transfer files. IIS provides the ability to restart failed FTP transfers, enabling a client to reconnect to the server and restart the transfer from the point of failure rather than transferring the entire file again.

Setting up an FTP site is much like setting up a Web site. The following section explains the process.

Creating and Configuring FTP Sites

As with HTTP, IIS creates a Default FTP Site that responds to FTP requests on all unassigned IP addresses. You can configure this site to use as your only FTP site, or you might prefer to create other FTP sites, particularly if you are hosting multiple domains on a particular server.

Either before or after setting up the FTP site on the server, make sure you create the necessary DNS zone and records to accommodate the site. If you don’t already have a DNS zone set up to accommodate the FTP site, create the zone on your DNS server with the appropriate SOA and NS records. Then, create A or CNAME records that define the host portion of the site name. For example, in the zone mcity.org, you might create an A or CNAME record for FTP that points to the IP address assigned in IIS for the FTP site, enabling clients to connect to the site using the URL ftp://ftp.mcity.org. After you’ve configured the appropriate DNS records, you’re ready to begin creating the site.


Creating an FTP site

To create a new site, open the IIS console, right-click the server in the tree, and choose New ➪ FTP Site to start the FTP Site Creation Wizard. The wizard prompts you for the following information:

✦ Description: This is the friendly name for the site that appears in the IIS console.

✦ IP address: Specify the IP address for the FTP server or choose All Unassigned to have the FTP server respond to all requests for which an IP is not specified or not available.

✦ TCP port: Specify the TCP port to be used by the FTP site. The default is 21. You can use a different port to increase security, but clients will have to know beforehand what port to use to connect to the server.

✦ Path: Specify the path to the folder that will serve as the FTP site’s root folder.

✦ Read/Write: Choose Read to enable download and Write to enable upload (subject to NTFS permissions you apply to the site’s folders, if applicable).

Configuring site properties

After you create a site, you can configure its properties to fine-tune its function. Right-click the site in the IIS console and choose Properties to display its property sheet (Figure 24-6). You’ll find that the properties for an FTP site are similar to those for a Web site, although there are fewer properties.

Figure 24-6: The property sheet for an FTP site


The Connection group on the FTP Site page lets you configure the number of concurrent connections allowed to the site and the connection timeout period. You might wish to limit the number of connections for sites with high traffic or low bandwidth to improve performance for connected users. Increase the connection timeout value if clients are experiencing difficulty in maintaining a connection during large transfers or times when there is significant traffic on the site.

The Enable Logging option lets you turn on connection logging and specify the log file format. Use the Current Sessions button to view a list of currently connected users and, if desired, disconnect one or more users.

Setting security

The Security Accounts page of the FTP site’s properties lets you configure how IIS grants access to the FTP site. The Allow Anonymous Connections option, when selected, allows users to connect to the site with the user name anonymous. If you deselect this option, users must specify a valid user account and password on the server or within the domain in order to authenticate and log on to the FTP site. When anonymous connections are enabled, IIS uses the user account and password specified in the Username and Password fields of the Security Accounts page. By default, the account is IUSR_server, where server is the name of the computer. In general, you shouldn’t change this account, but you can if you prefer to make it more difficult for hackers to guess the default anonymous account. If you specify a different account, make sure you configure the account’s rights and permissions on folders accordingly to enable the account to be used successfully for anonymous logon.

In order to log on for FTP, an account must have the right to log on locally. The IUSR account by default has this right. To enable other user accounts to log on for FTP, however, you need to grant those accounts the right to log on locally. Although you can do this on an account-by-account basis, it’s best to create an FTP group, grant the group the right to log on locally, and then place in the group any users who need authenticated (non-anonymous) FTP access.

If a virtual folder with the same name as a user exists within the FTP site, IIS automatically connects the user to that virtual folder when he or she logs on, making the virtual folder the user’s home folder. For example, assume the site contains a virtual folder by the name jboyce. When jboyce logs on to the FTP site, he or she is automatically placed in the folder pointed to by the jboyce virtual folder. An added benefit is that other users don’t see the virtual folders, regardless of their logon accounts. They can, however, change to them manually if they know the virtual folder name. Their access to the folder is subject to its NTFS permissions. See the section “Configuring the Site’s Directory Structure” later in this chapter for additional information.

The FTP Site Operators control group on the Security Accounts page defines the accounts or groups that are designated as site operators. A site operator has limited administrative privileges within the site and can configure properties that affect the site. Site operators do not have the ability to modify global IIS properties or properties for other sites unless their accounts are designated within that site as a site operator account or group.

Configuring logon and logoff messages

In most cases, you probably will want to define messages that appear when the user logs on or off the FTP site or when the maximum number of connections is reached for the site. You configure these messages through the Messages property page for the site. In particular, consider posting a welcome message that adequately addresses your company’s legal rights should the site be misused by unauthorized personnel (typically applies to a private FTP site rather than a public site). The following is a sample of such a message, although you should consult with the company’s legal counsel to be certain the message addresses your needs:

WARNING: Access to this system by authorized personnel only. All users will be monitored for security purposes and potential law enforcement. Unauthorized use will be subject to criminal and civil prosecution and penalties.

Configuring the site’s directory structure

You define an FTP site’s home directory when you create the site, but you can modify the directory through the Home Directory page of the site’s properties in the IIS console. The site’s home directory can be a folder on the local computer or a share on the network. Subfolders of the home directory appear within the site’s folder structure just as they do on the local computer or network share.

You can configure a site’s home directory for Read, Write, and Log Visits. Read enables users to download from the site, and Write enables them to upload to the site, subject to any NTFS permissions you might apply to the folder and its contents. The Log Visits option turns on logging of access to the selected folder if logging is enabled for the site in the FTP Site property page.

In addition to defining the home directory, you also can configure virtual folders for the FTP site. A virtual folder functions as a part of the site’s directory structure but is effectively hidden from users — it doesn’t show up when users browse the site or issue a DIR command from an FTP prompt. However, users can connect to the folder in one of two ways: specify the folder explicitly in the browser or FTP prompt, or connect with a user account that matches the virtual folder’s alias name.

To create a new virtual folder, open the IIS console, right-click the FTP site where you want to create the folder, and choose New ➪ Virtual Directory. A wizard prompts you for the folder’s alias name, path, and Read/Write properties. After you create the folder, right-click the folder in the IIS console and choose Properties to set its properties, which are similar to those for a home directory but more limited.

As with a home directory and its child objects, a virtual folder’s NTFS permissions control access to the folder and its contents in conjunction with the Read and Write properties you set for the folder when you create it in IIS.
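Because a virtual folder is hidden only from directory listings, the FTP log is where access to it becomes visible. The following Python is an added example, not part of the original chapter: it audits an FTP log for anonymous logons, failed logons, and successful changes into a user-named virtual folder by a different account. It assumes logging is enabled in W3C extended format with the fields time, c-ip, cs-method, cs-uri-stem and sc-status, and that the session number appears in brackets before each command; the sample log and the audit_ftp_log name are constructed for illustration.

```python
import re

# Constructed sample in the W3C extended layout assumed for the FTP log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:00:01 10.0.0.21 [1]USER anonymous 331
09:00:01 10.0.0.21 [1]PASS guest@example.com 230
09:00:09 10.0.0.21 [1]CWD /jboyce 250
09:02:10 10.0.0.34 [2]USER jboyce 331
09:02:11 10.0.0.34 [2]PASS - 230
09:02:15 10.0.0.34 [2]CWD /jboyce 250
09:05:40 10.0.0.77 [3]USER administrator 331
09:05:41 10.0.0.77 [3]PASS - 530
"""

METHOD = re.compile(r"^\[(\d+)\](\w+)$")   # "[session]COMMAND"


def audit_ftp_log(text, virtual_folders):
    """Return findings as (kind, client_ip, user, detail) tuples."""
    fields, pending, users, findings = [], {}, {}, []
    folders = {name.lower() for name in virtual_folders}
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        match = METHOD.match(row.get("cs-method", ""))
        if not match:
            continue
        session, verb = match.group(1), match.group(2).upper()
        arg = row.get("cs-uri-stem", "")
        status, ip = row.get("sc-status"), row.get("c-ip")
        if verb == "USER":
            pending[session] = arg.lower()     # name offered, not yet accepted
        elif verb == "PASS":
            user = pending.get(session, "?")
            if status == "230":                # logon accepted
                users[session] = user
                if user == "anonymous":
                    findings.append(("anonymous-logon", ip, user, arg))
            elif status == "530":              # logon refused
                findings.append(("failed-logon", ip, user, ""))
        elif verb == "CWD" and status == "250":
            folder = arg.strip("/").split("/")[0].lower()
            user = users.get(session, "?")
            if folder in folders and folder != user:
                findings.append(("foreign-folder", ip, user, arg))
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_log(SAMPLE_LOG, {"jboyce"}):
        print(finding)
```

A foreign-folder finding means the folder's NTFS permissions allowed the change of directory, so those permissions are the setting to review.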


Date posted: 17/01/2014, 08:20
