Windows 2000 Internet Information Services (IIS 5.0)

IIS Components

  • File Transfer Protocol (FTP) Server
  • World Wide Web (WWW) Server
  • Simple Mail Transfer Protocol (SMTP) Service
  • Network News Transport Protocol (NNTP) Service
  • FrontPage 2000 Server Extensions
  • Internet Services Manager (HTML)
  • Internet Information Services Snap-in
  • Visual InterDev RAD Remote Deployment Support
  • Indexing Service
  • Certificate Services

IIS on Windows 2000 Professional is limited to 10 simultaneous connections; IIS on the Windows 2000 Server products supports an unlimited number of connections. Windows 2000 Professional includes the Personal Web Manager (a simplified web site administration tool) that is not included on the Windows 2000 servers. The HTML Internet Services Manager and the NNTP Service are not available on Windows 2000 Professional.

On Windows 2000 Server, most IIS components are installed by default when the operating system is installed, whether or not the machine is meant to serve web content. On a server that does not need IIS, remove it (or deselect it at setup) rather than leaving an unused network service listening. The "Add/Remove Programs" applet in the control panel is used to add or remove IIS components: select "Add/Remove Windows Components", click "Internet Information Services (IIS)", then click "Details".

Created at Installation of IIS

  • Default Web Site, with its home directory in c:\Inetpub\wwwroot. The default installation also creates sample and administrative virtual directories under this site (for example IISSamples, IISHelp, Scripts, MSADC and Printers). Remove the ones a production server does not need; each one is code reachable from the network.

Security Enhancements

Security of the WWW server can be increased by:

  • Obtaining a certificate for the web server and requiring SSL on content that must stay confidential (see Directory Security below).
  • Enabling IP address or domain name access restrictions.
  • Disabling anonymous access and specifying an authentication method that does not send the password in clear text (Integrated Windows Authentication or Digest; Basic only over SSL).
  • Configuring the web server to use encrypted (SSL) communication.
  • Placing all content on an NTFS file system, so NTFS permissions apply in addition to the IIS access permissions (a FAT volume has no file permissions at all).
  • Setting up the home directory security settings (no Write or Script source access on public content; Execute only where it is needed).
  • Using firewalls to protect the server.

Web Site Management

The "Internet Services Manager" is used to manage web sites on the computer. This can be done locally or remotely.

The Web Site Properties dialog box can be displayed by starting the "Internet Services Manager", click on the + next to the server to be configured, then right click the web site to configure, and select "Properties". The Web Site Properties dialog box tabs are:

  • Web Site - Web site properties window. (At the server level an IIS 3.0 Admin tab allows selection of the one web site to be administered if a user connects with the IIS 3 administration tool; only one web site may be managed with that tool.) The Web Site tab is used to configure the web site identification, connections, and logging. The following may be set:
    • Description - Identifies the site in the Microsoft Management Console.
    • IP Address
    • Advanced button brings up a window:
      • Multiple Identities - A text list box set of entries including IP address, port and host header the site responds to. Default port is 80 and SSL port is 443.
      • Multiple SSL Identities - The site and port number secure connections are made over (default 443).
    • TCP Port - Default is 80.
    • SSL Port - Port for SSL communications. Default is 443.
    • Connections - Unlimited, or limited to a set number of simultaneous connections (the default when limited is 1000). Limiting connections caps the resources one site can consume.
    • Connection Timeout - Default is 900 seconds.
    • Enable Logging checkbox and "Active log format" selection. Format types:
      • Microsoft IIS Log Format - Fixed ASCII format; times are local time.
      • NCSA Common Log Format - Fixed ASCII format used by many web servers; times are local time.
      • ODBC Logging - Logs to a database; very resource intensive.
      • W3C Extended Log File Format - The most flexible; the fields written are selectable. Date and time in this format are recorded in UTC (GMT), not local time, which must be allowed for when correlating web logs with the Event Log.
    • Log "Properties" button and window:
      • General Properties - Set log file creation frequency and location where log files are stored.
        • The New Log Time Period option - Starts a new log file daily, weekly, monthly, when the file reaches a specified size, or never (unlimited file size). The default is daily.
        • Directory path the log file is stored in.
        • Extended Logging Options list items that can be in the logging file:
          • Date
          • Time - default
          • Client IP Address - default
          • User Name
          • Service Name
          • Server IP
          • Server Port
          • Method - default
          • URI Stem - default
          • URI Query
          • HTTP Status - default
          • Win32 status
          • Bytes Sent
          • Bytes Received
          • Time Taken
          • Protocol Version
          • User Agent
          • Cookie
          • Referer (the field name keeps the HTTP header's spelling)
      • ODBC Properties - Set the data source name (DSN), log data table. The user name and password used to store data in the database is set.
      • Extended Properties - Use checkboxes to select the fields to be put in the log file. Time, client IP address, method, URI stem, and HTTP status are saved by default. User name, URI query, user agent and referer cost little and are usually wanted when an incident has to be investigated.
  • Operators - Configures which users may manage the web site. Operators have limited rights: in the Web Site tab they cannot set IP Address, TCP Port, or SSL Port, or use the Advanced button; in the Performance tab they cannot change bandwidth throttling; in the Home Directory tab they cannot change the content location, the Read or Write settings, or the application settings.
  • Performance
    • Performance Tuning - Sliding bar used to adjust the server resources held in reserve to service requests quickly. Set it according to the number of hits per day expected: fewer than 10,000, fewer than 100,000, or more than 100,000.
    • Enable Bandwidth Throttling - Limits the bandwidth one web site may use. It is disabled by default.
    • Maximum Network Use - The value in Kbps of the maximum bandwidth the web site may use when throttling is enabled.
    • HTTP Keep-Alives Enabled - Keeps the connection to the web browser open across requests for quicker response, at the cost of holding more connections. Turning off keep-alives or setting a short timeout can improve the performance of an IIS server that is low on memory and bandwidth.
  • ISAPI Filters - Add ISAPI (Internet Server Application Programming Interface) filters that intercept and modify request processing for the web site. There are global (server-level) filters and site filters. Global filters are not displayed here, although they are applied, and they run before site filters. The web server must be restarted after adding or modifying global filters; site filters take effect immediately. A filter runs inside the IIS process with its privileges, so install only filters from a trusted source.
  • Home Directory - Selects where the site's content comes from. When the content is on a share on another computer, the username and password IIS uses to connect to that share are entered here ("Connect As"). Choices:
    • Content comes from "A directory located on this computer" radio button.
    • Content comes from "A share located on another computer" radio button.
    • Content comes from "A redirection to a URL". This option is used to redirect to another web site, when that web site has been moved.
    • "Local Path" or "Network Directory".
    • Access Permissions checkboxes: Read, Write (a browser may update or upload files with the HTTP PUT method if Write access is allowed), and Script source access (allows the source of script files such as .asp to be read, or changed if Write is also set; script source often holds database connection strings and passwords, so leave this off on public content).
    • Content Control checkboxes: "Log visits" (access is logged), "Directory browsing" (a directory listing is sent to the browser when no default document exists, which reveals the name of every file in the directory), and "Index this resource" (a searchable index is generated).
    • Application Settings
      • Name
      • Starting point
      • Execute Permissions:
        • None
        • Scripts only - Files with mapped extensions (for example .asp) are run by their script engine; plain executables are not run.
        • Scripts and Executables - Files with mapped extensions are run as scripts, and ISAPI DLLs or CGI executables are run. Never combine this with Write access on the same directory, since a client could then upload a program and run it.
      • Application Protection - Low (the application runs inside the IIS process, Inetinfo.exe, which runs as the system account), Medium (pooled with other applications in a shared out-of-process host), or High (isolated in its own process). Out-of-process applications run under the IWAM_computername account, so a fault or compromise in them has less effect on the server.
  • Documents - Specifies the default document returned to the browser when the request does not name a document. A footer for all HTML pages on the web site may also be specified. Options:
    • Enable default document - The page to show if a specific page is not requested. Several documents may be listed with the document at the top of the list being the default document.
    • Enable document footer - Can be used to add footer information to each page.
  • Directory Security - Three "Edit" buttons:
    • Anonymous Access and Authentication Control - Selects which of the methods below may be used. Any account used for anonymous or basic authentication must hold the "Log on locally" user right, which on Windows 2000 is assigned through Local Security Policy or Group Policy (User Manager for Domains is the Windows NT 4 tool).
      • Allow Anonymous Access checkbox - Allows any web browser to access the site without a username or password. When this is on together with Basic or Integrated Windows Authentication, anonymous access is tried first and credentials are only requested when NTFS permissions deny the anonymous account.
      • Account Used for Anonymous Access button - Specifies the anonymous access account (IUSR_computername by default). The NTFS permissions granted to this account define exactly what an unauthenticated visitor can reach.
      • Basic Authentication checkbox - Allows users with web browsers that do not support Windows authentication to give a username and password for restricted pages. The username and password are only base64 encoded, not encrypted, so anyone who can read the traffic recovers them; use Basic only over SSL. The account may be a local or a domain Windows account. It is used when anonymous access is disabled or NTFS permissions do not permit the anonymous account.
      • Default Domain for Basic Authentication "Edit" button - The domain a user who gives a bare username with basic authentication is assumed to belong to.
      • Digest authentication for Windows domain servers - Sends an MD5 hash computed from the credentials instead of the password itself. Requires a Windows 2000 domain and user accounts that store passwords with reversible encryption, because the domain controller needs the password itself to compute the hash; this weakens password storage for those accounts.
      • Integrated Windows Authentication - Uses the NTLM or Kerberos protocols, so the password itself is never sent over the network. It is required to connect to the Administration Web Site for remote HTML administration. The account may be local or domain. Used when anonymous access is disabled or denied by NTFS permissions. It works with Internet Explorer and generally does not work through proxy servers.
    • IP Address and Domain Name Restrictions - Set all computers to be either granted access (radio button) or denied access (radio button), except those listed in the text box. The list holds single IP addresses, groups of addresses given as network ID and subnet mask, or domain names. Domain name restrictions require a reverse DNS lookup on every request, which slows the site, and DNS answers can be forged, so prefer address-based entries. These restrictions supplement authentication; they do not replace it, since anyone who can reach the server from a permitted address passes them.
    • Secure Communications - The "Server Certificate" button starts the Web Server Certificate Wizard, which requests and installs a certificate for the web site. Once a certificate is installed, the "Edit" button allows requiring SSL (optionally 128-bit encryption) for the site and configuring how client certificates are handled.
  • HTTP Headers
    • Enable Content Expiration checkbox
    • Content should (radio buttons) - Sets when the content will expire in the web browser cache by sending expiration headers with the web page.
      • Expire Immediately.
      • Expire after Days(textbox) and minutes (textbox). Default is 30 minutes.
      • Expire on Date (boxes).
    • Custom HTTP Headers
    • Content Rating (Edit Ratings button) - Voluntary classification of subject matter.
      • Rating Service - Tab containing buttons to display a public web site with rating classification information.
      • Ratings - Set ratings from 0 to 4 for violence, sex, language, and nudity. An e-mail address of the rating person and rating expiration date is set.
    • MIME Map (File Types button) - Associate file types on the web page with MIME types. Multipurpose Internet Mail Extensions (MIME) types are sent to the web browser.
  • Custom Errors - What to do if an error is encountered in serving the requested web page. Can specify an HTML file to be sent when an error occurs and use one of the following to specify where the file is:
    • File path
    • URL
  • Server Extensions - Settings for FrontPage Server Extensions; the tab appears once the web site has been configured to use them.
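The W3C Extended format described under logging is self-describing, so the same code can read files whose selected fields differ. The following parser and the small checks on top of it are an added example written for this page, not code from the original or from IIS; the log lines are constructed to look like IIS 5 output, and the addresses, user name and paths in them are invented.

```python
"""Parse the W3C Extended log format written by IIS 5 and flag clients with
repeated authentication failures.

Added example for this page; it is not code from the original or from IIS.
The log below is constructed to look like IIS 5 output: addresses, user
and paths are invented.
"""
from collections import Counter

# W3C Extended logs are self-describing: a '#Fields:' directive names the
# columns of the data lines that follow, and IIS writes a new one whenever
# the selected fields change. '-' marks an empty field and spaces inside a
# value are written as '+'. Date and time are UTC, not local time.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-14 10:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-03-14 10:00:01 192.0.2.10 - 10.0.0.5 80 GET /default.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-03-14 10:00:02 192.0.2.10 - 10.0.0.5 80 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-03-14 10:00:05 198.51.100.7 - 10.0.0.5 80 GET /private/report.asp - 401 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-03-14 10:00:06 198.51.100.7 - 10.0.0.5 80 GET /private/report.asp - 401 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-03-14 10:00:07 198.51.100.7 - 10.0.0.5 80 GET /private/report.asp - 401 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-03-14 10:00:08 198.51.100.7 - 10.0.0.5 80 GET /private/report.asp - 401 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-03-14 10:00:09 198.51.100.7 CORP\\jsmith 10.0.0.5 80 GET /private/report.asp id=7 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-03-14 10:00:12 203.0.113.9 - 10.0.0.5 80 GET /oldsite/index.htm - 404 Mozilla/4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-03-14 11:00:01 203.0.113.9 GET /oldsite/main.htm 404
"""


def parse_w3c_log(text):
    """Return one dict per data line, keyed by the field names in force."""
    records = []
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                       # other directives carry no data
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()              # values never contain spaces ('+' instead)
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append({name: (None if value == "-" else value)
                        for name, value in zip(fields, values)})
    return records


def status_summary(records):
    """Count responses per HTTP status code."""
    return Counter(r["sc-status"] for r in records if r.get("sc-status"))


def auth_failures_by_client(records, threshold=3):
    """Clients that drew at least `threshold` 401 responses. With Basic or
    Integrated authentication every unauthenticated request is first answered
    with a 401 challenge, so one or two per client is normal; a long run from
    one address is worth a look."""
    failures = Counter(r["c-ip"] for r in records
                       if r.get("sc-status") == "401" and r.get("c-ip"))
    return {ip: n for ip, n in failures.items() if n >= threshold}


def authenticated_users(records):
    """Map each logged (non-anonymous) user name to the client IPs it came from."""
    users = {}
    for r in records:
        if r.get("cs-username"):
            users.setdefault(r["cs-username"], set()).add(r["c-ip"])
    return users


if __name__ == "__main__":
    recs = parse_w3c_log(SAMPLE_LOG)
    print(f"{len(recs)} requests; status counts: {dict(status_summary(recs))}")
    print("clients with repeated 401s:", auth_failures_by_client(recs))
    print("authenticated users:", authenticated_users(recs))
```

Because the parser keys every record by the names in the `#Fields:` line, a log written with only the default five fields and one written with user name, query and user agent added are read by the same code; the checks simply find fewer attributes in the former, which is the practical cost of leaving the extended fields off.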
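The Directory Security section above says that Basic authentication does not encrypt the password and that Digest authentication needs accounts whose passwords are stored with reversible encryption. The code below makes both points concrete by building what each method actually puts on the wire. It is an added example written for this page, not code from the original or from IIS; it uses only the Python standard library, and the captured request, user name, password, realm, nonce and cnonce in it are constructed values.

```python
"""What the Basic and Digest authentication choices put on the wire, and
why Digest needs passwords stored with reversible encryption.

Added example for this page; it is not code from the original or from IIS.
Standard library only. The captured request, user name, password, realm,
nonce and cnonce are constructed values.
"""
import base64
import hashlib

# A constructed request as a browser sends it after a Basic challenge.
# The token is base64("jsmith:Pa55word"). base64 is an encoding, not
# encryption: anyone who reads the TCP stream gets the password back.
CAPTURED_REQUEST = (
    "GET /private/report.asp HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic anNtaXRoOlBhNTV3b3Jk\r\n"
    "\r\n"
)


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def credentials_from_request(raw_request):
    """Recover (user, password) from a captured request that used Basic
    authentication, or None if it carries no Basic credential."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                decoded = base64.b64decode(token).decode("utf-8")
                user, _, password = decoded.partition(":")
                return user, password
    return None


# Digest authentication, RFC 2617 with qop="auth".

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """The value a client sends: MD5(HA1:nonce:nc:cnonce:auth:HA2), where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_verifies(stored_password, user, realm, method, uri, nonce, nc, cnonce, response):
    """The server checks a Digest response by recomputing it, which needs HA1
    and therefore the password itself. Windows normally keeps only a one-way
    hash of each password, so a domain controller can answer a Digest
    challenge only for accounts that store the password with reversible
    encryption; that is why the IIS option requires it."""
    expected = digest_response(user, realm, stored_password, method, uri, nonce, nc, cnonce)
    return expected == response


def guess_from_capture(candidates, user, realm, method, uri, nonce, nc, cnonce, response):
    """Digest keeps the password out of the stream, but a captured exchange can
    still be attacked offline by hashing candidate passwords, so the advice to
    use SSL applies to Digest as well as to Basic."""
    for password in candidates:
        if digest_response(user, realm, password, method, uri, nonce, nc, cnonce) == response:
            return password
    return None


if __name__ == "__main__":
    print("Basic credential in capture:", credentials_from_request(CAPTURED_REQUEST))
    user, realm, method, uri = "jsmith", "example.com", "GET", "/private/report.asp"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    response = digest_response(user, realm, "Pa55word", method, uri, nonce, nc, cnonce)
    print("Digest response on the wire:", response)
    print("guessed offline:", guess_from_capture(["password", "letmein", "Pa55word"],
                                                 user, realm, method, uri, nonce, nc, cnonce, response))
```

Integrated Windows Authentication is not modelled here because NTLM and Kerberos exchanges are considerably longer; the property that matters for the comparison is the same as Digest's, namely that the password itself is never sent.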

Publication Methods

  • Copy web pages into the default web site's home folder in c:\Inetpub\wwwroot.
  • Virtual Directories - A directory outside the home directory, on this server or on a share on another server, is made to appear as a subdirectory of the web site. Each virtual directory carries its own access permissions. The Internet Services Manager or Windows Explorer (the "Web Sharing" tab of a folder's properties) can be used to create virtual directories.
  • Virtual Servers (additional web sites) - A single server is made to appear as though it is more than one server. They only work on Windows 2000 Servers, not on Windows 2000 Professional. Each site needs a unique identity, made up of:
    1. One of:
      • A separate IP address for the primary server and each virtual server. Multiple IP addresses can be assigned to one NIC using the "Network and Dial-up Connections" folder.
      • A different TCP port number.
      • A different fully qualified domain name, entered in the "Host Header for this site" text box. Host headers rely on the client sending the HTTP/1.1 Host header; a request that carries none is served by the site with no host header. Host headers cannot be used to tell SSL sites apart, because the SSL handshake takes place before the Host header can be read, so each SSL site needs its own IP address or port.
    2. A home directory assigned to each site in its Home Directory tab.
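The three identity parts listed above (IP address, TCP port, host header) decide which site answers a request. The model below is an added example written for this page, not code from IIS: the site table is constructed, and the precedence it applies (a site bound to the specific IP address wins over "(All Unassigned)", and a matching host header wins over a blank one) is an assumption about IIS behaviour rather than something the page states. It also checks the two identity rules that make a site table unusable: duplicate identities, and an SSL site that relies on a host header.

```python
"""Model of how IIS 5 chooses the web site that answers a request from the
site identity parts: IP address, TCP port and host header.

Added example for this page, not code from IIS. The site table is
constructed. The precedence below (specific IP before "(All Unassigned)",
matching host header before a blank one) is an assumption about IIS, not
something the page states.
"""

ALL_UNASSIGNED = None   # the "(All Unassigned)" choice in the IP address list

# Constructed site table for one server that owns 10.0.0.5 and 10.0.0.6.
SITES = [
    {"name": "Default Web Site", "ip": ALL_UNASSIGNED, "port": 80,   "host": "",                "ssl": False},
    {"name": "Intranet",         "ip": "10.0.0.5",     "port": 80,   "host": "",                "ssl": False},
    {"name": "Marketing",        "ip": ALL_UNASSIGNED, "port": 80,   "host": "www.example.com", "ssl": False},
    {"name": "Admin",            "ip": "10.0.0.5",     "port": 8080, "host": "",                "ssl": False},
    {"name": "Secure",           "ip": "10.0.0.6",     "port": 443,  "host": "",                "ssl": True},
]


def validate_sites(sites):
    """Reject a site table that has two sites with the same identity, or an
    SSL site that can only be told apart by host header."""
    seen = set()
    for s in sites:
        identity = (s["ip"], s["port"], s["host"].lower())
        if identity in seen:
            raise ValueError(f"{s['name']}: duplicate identity {identity}")
        seen.add(identity)
        if s["ssl"] and s["host"]:
            # The SSL handshake completes before the Host header can be read,
            # so an SSL site must own its own IP address or port instead.
            raise ValueError(f"{s['name']}: an SSL site cannot be identified by host header")


def select_site(sites, dest_ip, dest_port, host_header=None):
    """Return the site that answers a request, or None if no identity matches.

    host_header is the HTTP/1.1 Host header, or None for an HTTP/1.0 client
    that sends none; such a client can only reach sites with a blank host
    header, whatever name it typed into the browser.
    """
    host = (host_header or "").split(":")[0].lower()   # drop any ':port' suffix
    for ip in (dest_ip, ALL_UNASSIGNED):                 # specific IP binding first
        for h in (host, ""):                             # matching host header first
            for s in sites:
                if s["ip"] == ip and s["port"] == dest_port and s["host"].lower() == h:
                    return s
    return None


def site_name(sites, dest_ip, dest_port, host_header=None):
    site = select_site(sites, dest_ip, dest_port, host_header)
    return site["name"] if site else None


if __name__ == "__main__":
    validate_sites(SITES)
    print("HTTP/1.1 for www.example.com:", site_name(SITES, "10.0.0.6", 80, "www.example.com"))
    print("HTTP/1.0, no Host header:    ", site_name(SITES, "10.0.0.6", 80))
    print("port 8080 on 10.0.0.5:       ", site_name(SITES, "10.0.0.5", 8080))
    print("port 8080 on 10.0.0.6:       ", site_name(SITES, "10.0.0.6", 8080))
```

The second line of output is the practical point of the host-header rule: a name-based site does not isolate its content from clients that never send a Host header, because those requests land on whichever site has the blank host header on that address and port, normally the Default Web Site.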

Internet Services Manager Menu Selections

Selections when the web site is selected:

  • New
    • Virtual directory
    • Web Site - Used to create additional web sites (virtual servers).

Personal Web Manager

Accessed from Administrative Tools, Personal Web Manager is for novices.

Indexing Service

This service indexes web site content by creating two catalogs of words, one (the Web catalog) based on the web server's HTML files and the other (the System catalog) based on other documents on the computer. The catalogs take about 40% of the space used by the original data. The Indexing Service works on all Windows 2000 operating systems and must be configured to start automatically if it is wanted. Do not install or start it on a web server that does not need search, and leave "Index this resource" off for directories whose file names or contents should not be discoverable through a query.

Search Tools:

  • Windows Explorer search tool.
  • Start menu search tool.
  • The "Computer Management" Index Service search tool. Computer Management is started by right clicking on "My computer" and selecting "Manage".

Certificate Services

Used to manage and issue security certificates which are used for providing secure web connections between the web client and the web server. The "Add/Remove Programs" applet in the control panel may be used to add Certificate Services.

Terms:

  • Certificate Authority (CA) - An entity that is trusted to issue certificates. Windows 2000 Certificate Services can be installed as one of four CA types:
    • Enterprise root CA - The first and most trusted CA on the network requires the use of Active Directory.
    • Enterprise subordinate CA - Subordinate to the enterprise root CA requires the use of Active Directory.
    • Stand-alone root CA - A root for the certificate hierarchy and does not require Active Directory.
    • Stand-alone subordinate CA - Subordinate to the stand-alone root CA and does not require Active Directory.
  • Public Key Infrastructure (PKI) - The CAs, certificates, policies and services needed to issue, distribute and revoke certificates; implemented when certificates are used.
  • Public Key - The half of a key pair that is published in the certificate and may be given to anyone.
  • Private Key - The half of a key pair that its owner keeps secret. For a web server it must be protected, since whoever holds it can impersonate the server.

After a Certificate Authority is installed, the certificate types it issues are set up by selecting the administrative tool "Certification Authority". Selections:

  • Action
    • New
      • Certificate to Issue - Displays the certificate templates the CA does not yet issue (enterprise CAs only). This is where the CA is authorized to issue those certificate types.

How users get Certificates

  • Windows 2000 users can use the Certificates MMC snap-in (type "mmc" on the command line, then add the Certificates snap-in) and run the Certificate Request wizard against an enterprise CA.
  • Access http://CA_server_name/certsrv with a web browser (the Certificate Services web enrollment pages).
  • Administrators can set group policy (Automatic Certificate Request Settings under Public Key Policies) so computers request certificates automatically when they are required, using the Group Policy editor opened from the administrative tool "Active Directory Users and Computers".