Windows 2000 Internet Information Server
- File Transfer Protocol (FTP) Server
- World Wide Web (WWW) Server
- Simple Mail Transfer Protocol (SMTP) Service
- Network News Transport Protocol (NNTP) Service
- FrontPage 2000 Server Extensions
- Internet Services Manager (HTML)
- Internet Information Services Snap-in
- Visual InterDev RAD Remote Deployment Support
- Indexing Service
- Certificate Services
Windows 2000 Professional can only support 10 network connections and Windows 2000 Servers support an unlimited number of connections. Windows 2000 Professional includes the Personal Web Manager package (a web site administration tool) not included on Windows 2000 servers. The HTML Internet Services Manager and the NNTP Service are not available on Windows 2000 Professional.
Most IIS components are installed when Windows 2000 is installed. The "Add/Remove Programs" applet in the control panel may be used to add any additional IIS components. Select "Add/Remove Windows Components", click on "Internet Information Services (IIS)", then click "Details".
Created at Installation of IIS
- Default Web Site located in c:\Inetpub\wwwroot
Security of the WWW server can be increased by:
- Obtain a certificate for the web server.
- Enable IP address or domain name access restrictions.
- Disable anonymous access and specify a secure authentication method.
- Configure the web server to send encrypted communication.
- Place all content on an NTFS file system.
- Set up home directory security settings.
- Use firewalls to protect the server.
Web Site Management
The "Internet Services Manager" is used to manage web sites on the computer. This can be done locally or remotely.
The Web Site Properties dialog box can be displayed by starting the "Internet Services Manager", click on the + next to the server to be configured, then right click the web site to configure, and select "Properties". The Web Site Properties dialog box tabs are:
- Web Site - Web site properties window with an IIS 3.0 Admin tab allowing selection of the web site to be administered if a user connects with the IIS 3 administration tool. Only one web site may be managed with the IIS 3 administration tool. This tab is used to configure Web Site Identification, Connections, and Logging. The following may be set:
- Description - Identifies the site in the Microsoft Management Console.
- IP Address
- Advanced button brings up a window:
- Multiple Identities - A text list box set of entries including IP address, port and host header the site responds to. Default port is 80 and SSL port is 443.
- Multiple SSL Identities - The site and port number secure connections are made over (default 443).
- TCP Port - Default is 80.
- SSL Port - Port for SSL communications. Default is 443.
- Connections (Unlimited or Limited To) - The default for limited connections is 1000.
- Connection Timeout - Default is 900 seconds.
- Enable Logging checkbox and specify "Active log format". Format types:
- Microsoft IIS Log Format
- NCSA Common Log Format
- ODBC Logging - For database, very resource intensive.
- W3C Extended Log File Format - The most flexible; the fields written are selected on the Extended Properties tab.
- Log "Properties" button and window:
- General Properties - Set log file creation frequency and location where log files are stored.
- The New Log Time Option - Causes new file creation, set to daily, weekly, monthly, unlimited, or when the log file gets to a specific size. The default is daily.
- Directory path the log file is stored in.
- Extended Logging Options list items that can be in the logging file:
- Time - default
- Client IP Address - default
- User Name
- Service Name
- Server IP
- Server Port
- Method - default
- URL Stem - default
- URL Query
- HTTP Status - default
- Win32 status
- Bytes Sent
- Bytes Received
- Time Taken
- Protocol Version
- User Agent
- ODBC Properties - Set the data source name (DSN) and the log data table. The user name and password used to store data in the database are also set here.
- Extended Properties - Use checkboxes to select fields to be put in the log file. Time, client IP address, method, URI stem, and HTTP status are saved by default.
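The W3C Extended format described above writes a "#Fields:" directive naming whichever columns were enabled on the Extended Properties tab, followed by one space-separated record per request. The following parser and review pass is an added example (not code from the original notes or from Microsoft); the field names are the W3C prefixes IIS uses for the listed options (date, time, c-ip, cs-username, cs-method, cs-uri-stem, cs-uri-query, sc-status, sc-bytes, cs(User-Agent)), and the log lines are constructed sample data. It shows why the non-default fields (User Name, URL Query, Bytes Received, User Agent) are worth enabling: a defender reviewing the log wants to see write methods, denied requests, and who was authenticated when.

```python
"""Parse IIS W3C Extended log text and summarise security-relevant records.

Added example; the log content below is constructed, not a real server log.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-06-01 00:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs(User-Agent)
2000-06-01 00:00:01 10.0.0.5 - GET /index.htm - 200 1024 Mozilla/4.0
2000-06-01 00:00:02 10.0.0.5 - GET /images/logo.gif - 200 2048 Mozilla/4.0
2000-06-01 00:00:09 10.0.0.9 - PUT /upload/test.txt - 201 0 Mozilla/4.0
2000-06-01 00:00:10 10.0.0.9 - GET /scripts/ - 403 0 Mozilla/4.0
2000-06-01 00:00:11 10.0.0.9 jdoe GET /admin/default.asp - 401 0 Mozilla/4.0
"""


def parse_w3c_log(text):
    """Return one dict per record, keyed by the names in the most recent #Fields line.

    Directive lines start with '#'. Only '#Fields:' changes how records are read;
    '#Software', '#Version' and '#Date' are informational. A '-' in a record means
    the field had no value for that request (for example no authenticated user).
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record appeared before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def review(records):
    """Summarise what a reviewer looks for first.

    - status_counts: distribution of HTTP status codes
    - write_methods: requests that could change content (only possible if Write
      access is enabled on the home directory)
    - denied: 401/403 responses, i.e. authentication or permission failures
    """
    return {
        "status_counts": Counter(r["sc-status"] for r in records),
        "write_methods": [r for r in records if r["cs-method"] in ("PUT", "DELETE", "MKCOL")],
        "denied": [r for r in records if r["sc-status"] in ("401", "403")],
    }


if __name__ == "__main__":
    recs = parse_w3c_log(SAMPLE_LOG)
    summary = review(recs)
    print("status codes:", dict(summary["status_counts"]))
    for r in summary["write_methods"]:
        print("write attempt:", r["c-ip"], r["cs-method"], r["cs-uri-stem"])
    for r in summary["denied"]:
        print("denied:", r["c-ip"], r["cs-username"], r["cs-uri-stem"], r["sc-status"])
```

Because the parser keys records by the "#Fields" directive rather than by column position, it keeps working when the set of enabled fields changes between log files; a record whose field count does not match the directive is rejected rather than silently mis-attributed.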
- Operators - Configure which users may manage the web site. In the Web Site tab, operators cannot set IP Address, TCP Port, or SSL Port, or use the Advanced button. In the Performance tab, operators cannot use Bandwidth Throttling. In the Home Directory tab, operators cannot set the directory source, the Read and Write settings, or the application settings.
- Performance Tuning - Sliding bar used to adjust the server resources to be held in reserve so requests can be serviced quickly. This is set according to the number of hits per day expected: fewer than 10,000, fewer than 100,000, or more than 100,000.
- Enable Bandwidth Throttling - Limits the bandwidth use of one web site. It is enabled (default) or disabled.
- Maximum Network Use - The value in Kbps of maximum bandwidth the website may use.
- HTTP Keep-alive Enabled - Requires more resources, but keeps the connection to the web browser open for quicker response. Turning off keep-alives or setting a short timeout can improve the performance of an IIS server that is low on memory and bandwidth.
- ISAPI Filters - Add ISAPI filters to modify how IIS handles requests for the web site. ISAPI (Internet Server Application Programming Interface) filters may be global or site filters. Global filters are not displayed in this tab, although they are applied. The web server must be restarted after adding or modifying global filters, but site filters take effect immediately. Global filters run before site filters.
- Home Directory - Select where the home directory content comes from. When the content is on a remote share, enter the username and password to be used to access that share. The choices are:
- Content comes from "A directory located on this computer" radio button.
- Content comes from "A share located on another computer" radio button.
- Content comes from "A redirection to a URL". This option is used to redirect to another web site, when that web site has been moved.
- "Local Path" or "Network Directory".
- Access Permissions checkboxes of "Read", "Write" (if Write access is allowed, the browser may update files with the PUT command), and "Script source access".
- Content Control checkboxes of "Log visits" (access is logged), "Directory browsing" (a directory listing is sent to the browser when no default document exists), and "Index this resource" (a searchable index is generated).
- Application Settings
- Starting point
- Execute Permissions:
- Scripts only - Files with appropriate extensions are run as scripts without execute permission set.
- Scripts and Executables - Files with proper extensions are run as scripts or ISAPI DLLs or CGI executables.
- Application Protection
- Documents - Specifies the default document to be returned to the browser if no document is named in the request. A footer for all HTML pages on the web site may also be specified. Options:
- Enable default document - The page to show if a specific page is not requested. Several documents may be listed with the document at the top of the list being the default document.
- Enable document footer - Can be used to add footer information to each page.
- Directory Security - Three buttons:
- Anonymous Access and Authentication Control - Any account using the anonymous logon or basic authentication must have the log on locally privilege configured in User Manager for Domains.
- Allow Anonymous Access checkbox - Allows any web browser to access the site without a username or password. If this is enabled together with basic or Windows NT Challenge/Response authentication, anonymous access is used in preference to them.
- Account Used for Anonymous Access button - Specification of the anonymous access account.
- Basic Authentication checkbox - Allows users with web browsers that don't support Windows Authentication to give a username and password for restricted web page access. The account name and password are not encrypted in transit. Used when anonymous access is disabled or file permissions do not permit anonymous access, so that a domain user account is required.
- Default Domain for Basic Authentication "Edit" button - The domain the user using basic authentication is assumed to belong in.
- Digest authentication for Windows domain servers. - User accounts must store passwords with reversible encryption.
- Integrated Windows Authentication - Required if SSL communications to the web site are required. Required to connect to the administration web site for this site (to perform remote administration). This requires a domain user account. Used under this condition:
- Anonymous access is disabled or denied due to file permissions requiring an NT user account.
- Secure Communications - The "Server Certificate" button starts the IIS server certificate wizard.
- IP Address and Domain Name Restrictions - Set all computers to be either granted access (radio button) or denied access (radio button), except those listed in the textbox. The textbox lists the IP addresses or domain names of the excepted computers.
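The restriction logic just described is a default rule ("granted" or "denied") plus an exception list, where each exception is a single IP, a group of computers (network ID and subnet mask), or a domain name. The check below is an added example, not IIS code; it assumes a caller-supplied reverse-lookup function standing in for the reverse DNS query IIS performs when a domain name is listed. Domain-name exceptions depend on the reverse DNS record, which is controlled by whoever owns the client's address space, so IP- and subnet-based exceptions are the more reliable choice.

```python
"""Evaluate an IIS-style IP/domain access restriction.

Added example; the rule data and reverse-DNS table are constructed.
"""
import ipaddress


def build_rules(exceptions):
    """Split the exception list into networks (IPs and subnets) and domain names.

    A single IP becomes a /32 network; "network/mask" entries (as typed into the
    Group of Computers dialog) are parsed directly; anything that is not an
    address is treated as a domain name.
    """
    nets, names = [], []
    for entry in exceptions:
        entry = entry.strip()
        if "/" in entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
            continue
        try:
            nets.append(ipaddress.ip_network(entry + "/32"))
        except ValueError:
            names.append(entry.lower())
    return nets, names


def is_allowed(client_ip, default_granted, exceptions, reverse_lookup=lambda ip: None):
    """Return True if client_ip may connect under the given restriction.

    default_granted=True  means "Granted Access" with the listed entries denied.
    default_granted=False means "Denied Access" with the listed entries allowed.
    reverse_lookup(ip) should return a host name or None; it is only consulted
    when domain-name exceptions exist and no network matched.
    """
    nets, names = build_rules(exceptions)
    addr = ipaddress.ip_address(client_ip)
    matched = any(addr in net for net in nets)
    if not matched and names:
        host = reverse_lookup(client_ip)
        if host:
            host = host.lower()
            matched = any(host == n or host.endswith("." + n) for n in names)
    return (not matched) if default_granted else matched


# Constructed reverse-DNS table used in place of a live PTR lookup.
FAKE_PTR = {"203.0.113.7": "build01.example.com"}
lookup = FAKE_PTR.get

if __name__ == "__main__":
    # Denied to all except the 10.0.0.0/8 network and hosts under example.com.
    rule = (False, ["10.0.0.0/255.0.0.0", "example.com"])
    for ip in ("10.1.2.3", "192.168.1.1", "203.0.113.7"):
        print(ip, "allowed" if is_allowed(ip, *rule, reverse_lookup=lookup) else "denied")
```

The "network/mask" form uses `ipaddress.ip_network`, which accepts dotted masks such as 255.255.255.0 as well as prefix lengths, so the value can be entered the way the dialog presents it.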
- Assign a certificate to the web site
- HTTP Headers
- Enable Content Expiration checkbox
- Content should (radio buttons) - Sets when the content will expire in the web browser cache by sending expiration headers with the web page.
- Expire Immediately.
- Expire after Days(textbox) and minutes (textbox). Default is 30 minutes.
- Expire on Date (boxes).
- Custom HTTP Headers
- Content Rating (Edit Ratings button) - Voluntary classification of subject matter.
- Rating Service - Tab containing buttons to display a public web site with rating classification information.
- Ratings - Set ratings from 0 to 4 for violence, sex, language, and nudity. An e-mail address of the rating person and rating expiration date is set.
- MIME Map (File Types button) - Associate file types on the web page with MIME types. Multipurpose Internet Mail Extensions (MIME) types are sent to the web browser.
- Custom Errors - What to do if an error is encountered in serving the requested web page. Can specify an HTML file to be sent when an error occurs and use one of the following to specify where the file is:
- Server Extensions - Can be used after the web server is configured to use FrontPage server extensions.
- Copy web pages into the default web site's home folder in c:\Inetpub\wwwroot.
- Virtual Directories - Cause directories elsewhere on this server or on other servers to appear as though they are under this web site. The Internet Services Manager or Windows Explorer can be used to create virtual directories.
- Virtual Servers - A single server is made to appear as though it is more than one server. They only work on Windows 2000 Servers, not on Windows 2000 Professional. Requirements:
- One of:
- An IP address is required for the primary server and each virtual server. IP addresses must be on one NIC. Multiple IP addresses can be assigned to one NIC using the "Network Dial-up Connections" folder.
- A different TCP port number to be used.
- A different FQDN to be used to access the new site in the Host Header for this site: text box.
- A home directory must be assigned to each IP address using the directories tab.
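Each virtual server is distinguished by one of the three identity parts listed above (IP address, TCP port, or host header), which is the same "Multiple Identities" list shown under the Web Site tab's Advanced button. The resolver below is an added example, not IIS code, of how a request's destination IP, port, and Host header select a site; the site table is constructed, and the "most specific identity wins" preference is an assumption of this example rather than documented IIS behaviour. It also shows the check a practitioner wants: a site bound only by host header is never reached by a request that arrives by bare IP address, so such requests fall through to whichever site answers on that IP and port.

```python
"""Resolve a request to a virtual server by (IP, port, host header) identity.

Added example; SITES is a constructed table, not a real server configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    ip: str     # "" means "All Unassigned" (any IP on the server)
    port: int
    host: str   # "" means no host header is required


SITES = {
    "Default Web Site": [Identity("", 80, "")],
    "Intranet": [Identity("192.168.1.10", 80, "")],
    "www.example.com": [Identity("", 80, "www.example.com")],
    "Admin on 8080": [Identity("", 8080, "")],
}


def resolve_site(sites, server_ip, port, host_header):
    """Return the site name serving this request, or None if nothing listens.

    An identity matches when the port is equal, the IP is either unassigned or
    equal, and the host is either not required or equal to the request's Host
    header (port suffix stripped, case-insensitive). Among matches, a host
    header match outranks an IP match, which outranks a catch-all (assumption).
    """
    host = host_header.split(":")[0].lower() if host_header else ""
    best, best_score = None, -1
    for name, identities in sites.items():
        for ident in identities:
            if ident.port != port:
                continue
            if ident.ip and ident.ip != server_ip:
                continue
            if ident.host and ident.host.lower() != host:
                continue
            score = (2 if ident.host else 0) + (1 if ident.ip else 0)
            if score > best_score:
                best, best_score = name, score
    return best


def unreachable_by_ip(sites):
    """List sites whose every identity requires a host header.

    Such a site cannot be reached by IP address alone; requests for its IP and
    port without a matching Host header land on another site.
    """
    return [name for name, ids in sites.items() if all(i.host for i in ids)]


if __name__ == "__main__":
    for ip, port, host in [("192.168.1.10", 80, ""),
                           ("203.0.113.5", 80, "www.example.com"),
                           ("203.0.113.5", 80, ""),
                           ("203.0.113.5", 8080, "")]:
        print(ip, port, host or "(no Host header)", "->", resolve_site(SITES, ip, port, host))
    print("host-header-only sites:", unreachable_by_ip(SITES))
```

HTTP/1.0 clients send no Host header at all, which is why an IP-only or port-only identity is still needed for anything that must be reachable from such clients.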
Web Services Manager Menu Selections
Selections when the web site is selected:
- Virtual directory
- Web Site - Used to create additional virtual web servers.
Personal Web Manager
Accessed from Administrative Tools, Personal Web Manager is for novices.
Indexing Service
This service indexes web site content by creating two databases of words, one based on web server HTML files and the other based on other document types. The databases take about 40% of the amount of room the original data takes. The Indexing Service works on all Windows 2000 operating systems and must be configured to start automatically if desired. The index can be searched with:
- Windows Explorer search tool.
- Start menu search tool.
- The "Computer Management" Index Service search tool. Computer Management is started by right clicking on "My computer" and selecting "Manage".
Certificate Services
Used to manage and issue security certificates, which are used for providing secure web connections between the web client and the web server. The "Add/Remove Programs" applet in the control panel may be used to add Certificate Services.
- Certificate Authority (CA) - An organization that is trusted to issue certificates.
- Enterprise root CA - The first and most trusted CA on the network; requires the use of Active Directory.
- Enterprise subordinate CA - Subordinate to the enterprise root CA; requires the use of Active Directory.
- Stand-alone root CA - A root for the certificate hierarchy and does not require Active Directory.
- Stand-alone subordinate CA - Subordinate to the stand-alone root CA and does not require Active Directory.
- Public Key Infrastructure (PKI) - Implemented when certificates are used.
- Public Key
- Private Key
After Certificate Authorities are created, certificates can be set up for use by selecting the administrative tool "Certification Authority". Selections:
- Certificate to Issue - Display certificates the CA cannot issue yet. This is where the CA can be authorized to issue these various certificates.
How users get Certificates
- Windows 2000 users can use the Certificates MMC snap-in by typing "mmc" on the command line and adding the snap-in.
- Access http://CA_server_name/certsrv with a web browser.
- Administrators can set group policy so computers request certificates automatically when they are required using the administrative tool "Active Directory Users and Computers".