Iis Tech - Faq

Download as doc, pdf, or txt
Download as doc, pdf, or txt
You are on page 1of 133

Whats New in IIS6.0 Understanding IIS 5.0 and IIS 6.

0 Using IIS Command-Line Utilities to Manage IIS User Authentication in IIS Troubleshooting IIS SSL Applications SSL and IIS Securing IIS Publishing Contents to IIS Managing the IIS Metabase Installing IIS 6.0 IIS Performance Monitoring and Tuning Understanding and Managing SMTP Virtual Servers

Start Here Whats New in IIS6.0


An Overview of Internet Information Services (IIS)
Internet Information Services (IIS) is one of the more commonly used Web servers utilized on the Internet and in intranets. Through IIS, you can create and manage Web sites, and share and distribute information over the Internet or intranet. With the introduction of the Windows 2000 Server OS came the launch of Internet Information Services (IIS) 5. IIS 5 included the name change from Internet Information Server to Internet Information Services. IIS 5 was integrated with the Active Directory directory service introduced in Windows 2000. It also included support for Web Distributed Authoring and Versioning (WebDAV) which allowed users to edit, delete and move files and directories, and share documents over the Internet. HTTP compression made it possible to transmit pages between the Web server and clients that support compression much faster. IIS 5 support for Terminal Services, also introduced in Windows 2000 Server, allows you to remotely administer IIS and other Windows services. With the introduction of the Windows Server 2003 OS, came the introduction of Internet Information Services (IIS) 6. Because IIS 6 is integrated with Windows Server 2003, you need no additional software to manage multiple Web sites. In Windows Server 2003, IIS has been redesigned, and offers greater reliability, scalability and flexibility, and enhanced performance over its earlier versions. The most important improvements made in IIS 6 pertain to security, and performance and reliability. The remainder of this Article focuses on the new features, and enhancements introduced with IIS 6. 1

IIS 6 Security Enhancements and Features


The security vulnerabilities of earlier versions of IIS, including IIS 5, were continuously patched up by service packs and hotfixes available from Microsoft. Previously when IIS was installed, the following occurred:

All services were enabled and started. All service accounts had high system rights. Permissions were assigned to the lowest levels.

This basically meant that your IIS implementation was vulnerable to attacks by hackers. Microsoft introduced the Security Lockdown Wizard in an attempt to address the security loopholes evident in the previous versions of IIS. The Security Lockdown Wizard in IIS 6 has been included in the Web Service Extensions (WSE). IIS is installed in locked-down mode with IIS 6. The only feature immediately available is to access static content. You actually need to use the WSE feature in the IIS Manager console tree to manually enable IIS to run applications and its features. By default, all applications and extensions are prohibited from running. When installing IIS 6, the following occurs:

ASP and FrontPage extensions are disabled ISAPI extensions and filters are not installed Permissions are assigned to the high levels

The five authentication methods available to authenticate users in IIS 6 are listed below:

Basic Authentication Digest Authentication Anonymous access Integrated Windows Authentication .NET Passport Authentication

The above authentication methods can be configured at the following levels:


Web Sites

node

An individual website A virtual directory An individual file 2

The Integrated Windows Authentication method is the most secure authentication method for authenticating users wanting to connect to IIS 6. IIS can integrate with Microsoft .NET Passport so that it can use Passport as an authentication method. While Basic Authentication sends user credentials in a format that can easily be interpreted, Digest Authentication utilizes MD5 hashing to encrypt user credentials that are sent over the network. The user credentials are encrypted through cipher algorithms which are hard to decipher. With Advanced Digest Authentication, the user credentials are stored in Active Directory as a MD5 hash. The other IIS 6 security enhancements included in IIS 6 are listed below:

Configurable worker process identity: With IIS 6, a Web site runs in an isolated process environment, called a worker process. This ensures that one Web application deployed on IIS is isolated from other Web applications on the same server. Previously, a failure of the World Wide Web (WWW) Publishing Service could cause the machine to shut down. The worker process also shuts down applications if the IIS server is sent malicious code. The worker processes of IIS 6 have low privileges and run in the context of the NetworkService built-in identity. The previous versions of IIS used the LocalSystem account. Hypertext Transfer Protocol (HTTP) transmission data between the IIS Web servers and the client were encrypted through Secure Sockets Layer (SSL) and Transport Layer Security (TLS) in IIS 5. With SSL/TLS, a cipher algorithm is used for encryption. IIS 6 supports the use of Server-Gated Cryptography (SGC), which is an extension of SSL/TLS. With IIS 6, SGC can utilize 128-bit encryption to protect data. Selectable Cryptographic Service Provider (CSP) is a new IIS 6 feature that allows users to choose from a list of cryptography providers to provide the interface for encrypting data between the IIS Web server and Web client. CSP can also be used for certificate management. The default Cryptographic Service Providers are:
o o

Microsoft

RSA SChannel Cryptographic provider

Microsoft DH SChannel Cryptographic provider

Because of IIS 6 integration with Active Directory, you can use the Group Policy feature of Active Directory to further secure IIS. Through Group Policy, you can prevent users from deploying unauthorized web servers on the network. IIS 6 also includes new types of ASP.NET authorization methods:
o

File Authorization: In this method, access control list (ACL) checking is performed for the user on the ASP.NET file. Only authorized users are permitted to access the file. You enable File Authorization by enabling Windows Authentication on the Web site URL Authorization: With this method, the URL namespace is used to store user information and access roles. Authorization information is contained in a text file which indicates whether a user is allowed or denied access. 3

IIS 6 Performance Improvements


With IIS 6 architecture, HTTP listening and routing is moved to the Kernel Mode HTTP Listener component of IIS 6, and is put in operation through the http.sys kernel mode device driver. The Implementation of the Kernel Mode HTTP Listener component through http.sys has led to the following benefits.

Because the handling of HTTP requests has been moved directly into the kernel, IIS 6 provides increased performance and reliability over the earlier versions of IIS. Processes that execute in kernel mode have a higher priority than any user mode processes, which means that http.sys improves on the processing time of HTTP requests. Http.sys can continue to listen for, and queue HTTP requests in cases where the actual Web application for the requests is down.

New features and enhancements in IIS 6 that improve IIS performance are listed below:

HTTP compression improves performance by compressing HHTP responses to clients that support HTTP compression. Using HTTP compression in congested networks is particularly beneficial. You can configure HTTP compression on the following levels:
o o o

Web server level Directory level File level

IIS 6 can cache 64GB of data on 32-bit Intel platforms, and because cached data can be retrieved quite quickly, Web server performance is enhanced. An application pool can have numerous worker processes hosting multiple Web applications. This configuration concept is called a Web garden and is a new IIS 6 feature. You can through Web gardens reduce blocking by binding worker processes to certain processors on SMP machines. When a client requests an ASP page, the ASP code is compiled into an ASP template, which gets cached in the in-memory cache. These templates are cached so that they can be used again. This in turn improves performance. Configurable connection limits and timeouts, bandwidth throttling, queue length limits and memory recycling are also all geared at improving performance of IIS in version 6.

IIS 6 Features and Improvements that Enhance Reliability


The Worker Process Isolation mode, the primary application mode used in IIS 6, includes the application pools, worker processes, health monitoring, and all other IIS 6 specific architectural features In this mode, ASP applications, ASP.NET applications and ISAPI extensions are loaded into the worker processes. Web Administration Service (WAS) manages the application pools and worker 4

processes. The most significant advantage of running IIS 6 in Worker Process Isolation mode is that a single application failure does not result in multiple applications failing - all user developed code is separated from the WWW service Health monitoring and detection of worker processes improves the reliability of Web applications. IIS performs health monitoring. The Demand Start feature of IIS 6 only starts the worker processes associated with an application pool when the initial HTTP request for an application within the particular application pool is detected. This basically means that resources are not allocated at Startup. Through Demand Start, IIS can better manage processor, memory, and disk resources. It only allocates resources to start a worker process when an HTTP request is received for an application. The Web Administration Service (WAS) of IIS 6 manages Demand Start. The Idle Timeout feature is another feature managed by WAS. Idle Timeout enables WAS to automatically shut down worker processes which are idle for a predetermined amount of time. Both the Idle Timeout feature and Demand Start feature improve IIS reliability, scalability, and performance. The Kernel Mode HTTP Listener component, the http.sys device driver, operates within the Windows Server 2003 TCP/ IP network subsystem. Http.sys listens for all incoming HTTP requests and is responsible for routing the HTTP requests to the appropriate worker process. Multiple worker processes usually run simultaneously to handle pools of applications. An application pool is associated with a kernel mode queue to which http.sys routes HTTP requests. Http.sys also caches HTTP responses for static content and dynamic content through a kernel mode cache. It manages TCP connections for HTTP requests and responses, bandwidth throttling, connection limits and connection timeouts, and text based logging for the WWW Publishing service. Through the use of application pools, Http.sys increases the number of websites which can be hosted, and improves performance and reliability of IIS. Access to IIS resources is more controlled in IIS 6.

IIS 6 and ASP.NET Integration


IIS 6 utilizes the newer ASP.NET (Active Server Pages) scripting language. The earlier versions of IIS utilized Active Server Pages (ASP). The benefits associated with using the ASP.NET scripting language are listed below:

With ASP.NET, the following caching options exist:


o o o

Cache complete pages Fragment caching - cache parts of pages Caching API - used by developers to control caching

With ASP.NET, the source file is compiled. In ASP, code is compiled line by line. ASP.NET therefore further improves the performance of II 6. 5

ASP.NET can be coded in multiple languages, including those listed below. An ASP.NET page can also contain multiple language code.
o o o

VB.NET Jscript.NET C#

The XML Metabase


With IIS 6, the IIS metabase is formatted and saved as a plain text file using the Extensible Markup Language (XML). In IIS 4 and IIS 5, the metabase was saved in the binary format. With IIS 6, you can use a text editor tool such as Notepad to edit the metabase file. You can also use Windows Management Instrumentation (WMI) tools or Active Directory Services Interface (ADSI) scripts to change the metabase file. Whether changing the metabase file manually or programmatically, you no longer need to stop and restart IIS to perform any changes to the metabase file. The XML files in the IIS metabase are:

Metabase.xml: Contains the configuration data for the Web server. You can edit this file without stopping IIS. MBSchema.xml: Contains the metabase XML schema

The metabase history feature included in IIS 6 monitors changes made to the IIS metabase, and automatically saves backups of the metabase when changes are made to it. IIS 6 allows administrators to copy IIS configurations from one physical machine to a different machine through the use of ADSI scripts, WMI tools or the admin scripts provided by IIS 6.

Other IIS 6 Features

IIS 6 includes UTF-8 support for file names and URLs. The previous IIS versions of the IIS log file was in English only. This often presented a problem for multilingual Web sites. IIS 6 can be administered in a number of ways:
o o o o o

MMC console Terminal Services WMI ADSI Administration scripts

Less reboots are needed after configuration changes are made. This means less downtime for applications running on IIS 6. 6

Process recycling enables the worker processes to be restarted periodically. This is support applications which have memory leaks or other issues. Through orphaning, IIS can kill any hung worker processes, and start new worker processes to replace.

Understanding IIS 5.0 and IIS 6.0


An Introduction to Internet Information Services (IIS)
Microsoft's integrated Web server, Internet Information Services (IIS) enables you to create and manage Web sites within your organization. It allows you to share and distribute information over the Internet or intranet. With Windows 2000 came Internet Information Services (IIS) 5.0 which was basically the fastest Web server at the time when Windows 2000 Server was introduced. IIS 5.0 was fully integrated with the Active Directory directory service. Because of this integration, and the additional features and enhancements introduced with IIS 5.0 you could create and deploy scalable and reliable Web applications, websites and Web clusters. This led to an improvement in security, administration, reliability, and performance in the Web environment. Windows XP Professional supports IIS 5.1. This version if IIS is a slightly enhanced version of IIS 5. With the introduction of Windows Server 2003, came the advent of Internet Information Services (IIS) 6. IIS 6 is included with the 32-bit version and the 64-bit versions of the Windows Server 2003 Editions. IIS 6 include support for a number of protocols and management tools which enable you to configure the server as a Web server, File Transfer Protocol (FTP) server or a Simple Mail Transport Protocol (SMTP) server. The management tools included with Windows Server 2003 allow you to manage Internet Information Services on the Windows Server 2003 product platforms.

Understanding the Origins of Internet Information Services (IIS)


The first version of IIS, Internet Information Services (IIS) 1, was released for the Windows NT 3.51 Server platform, and included support for Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Gopher, the Secure Sockets Layer (SSL) version 1 protocol, and Common Gateway Interface (GCI). When initially introduced, IIS signified Internet Information Server and not Internet Information Services. The name change to Internet Information Services only came about when IIS 5 was released with Windows 2000 Server. A few features included with IIS 1 are:

IIS 1 could integrate with the Windows NT platforms. Virtual servers made it possible for multiple websites to be hosted one physical IIS computer, and virtual directories allowed you to store website content on a file server, and not on the actual Web server. This added security to a Web server implementation. Basic Authentication and Windows NT LAN Manager (NTLM) Challenge/Response Authentication were supported to enhance intranet security. 7

SSL version 1 support made it possible to create secure e-commerce sites. Open Database Connectivity (ODBC) logging enabled you to troubleshoot issues. monitor Web traffic and

Internet Server API (ISAPI) was supported for the writing of dynamic web applications, and enabled integration into static HTML pages.

The next IIS version, Internet Information Services (IIS) 2, was introduced with the Windows NT 4 Server platform. The features and enhancements included with this release of IIS 2 were:

IIS was integrated with Windows NT Setup, and you could therefore be installed when you installed Windows NT. HTTP byte range was introduced, which enabled Internet Explorer to recover from interruptions and continue download. Because host names were supported with IIS 2, you could host multiple websites on one server through an IP address and TCP port 80. The logging of successful HTTP transactions and failed HTTP transactions enabled you to more efficiently troubleshoot Web server issues, and Internet communication issues. Key Manager could be used to create key pairs for digital certificates, for Secure Sockets Layer (SSL). The Index Server tool made it possible for users to execute full text queries of the web content hosted on IIS through content sarches. HTML Administrator, an ISAPI application allowed you to remotely administer the IIS server over the Internet using a web browser like Internet Explorer.

About 10 months after IIS was originally launched, Internet Information Services (IIS) 3 was launched.

Key features introduced with IIS 3 were the introduction of Active Server Pages (ASP), and the IIS 3 speed enhancement over IIS 1. Active Server Pages (ASP) made it possible for developers to create dynamic web applications that used a standard web browser for a client interface for IIS. The web applications could include all the functionality of standard client/server applications. ASP included support for connectivity with databases using Microsoft's (ADO) technology and ODBC. ActiveX Data Objects

Microsoft's new Visual Basic Scripting Edition (VBScript) and Jscript scripting languages, together with ODBC could be used to create ASP based websites which was a much more feasible solution to creating ISAPI applications with C++.

Microsoft Visual InterDev was also included in IIS 3 for the development of Web applications with Visual Basic, Visual C++ and Visual J++. Microsoft NetShow was included to offer support for streaming audio and video. Microsoft Transaction Server (MTS) was introduced for distributed web applications.

With the release of Windows NT 4 Option Pack came Internet Information Services (IIS) 4. Windows NT 4 Option Pack included enhancements and features specific to the Windows NT 4 Server OS and IIS. These features and improvements are listed below:

Microsoft Internet Explorer 4.01 Microsoft Transaction Server (MTS) version 2. Version 1 was included in IIS 3. Index Server version 2 as well. Microsoft Certificate Server, for creating a public key infrastructure (PKI) Microsoft Message Queue Server (MSMQ), for asynchronous communications in distributed applications. Site Server Express 2, for managing web content on IIS computers SSL version 3 included support for 128-bit encryption.

The HTTP 1.1 standard enhanced the reliability and effectiveness of HTTP transfers. HTTP 1.1 also improved the functionality of host headers. The IIS metabase was included in IIS 4 to store IIS configuration information. The metabase contains all the settings and configuration data for IIS. Microsoft Management Console (MMC) version 1. A new version of Internet Service Manager was implemented as a number of snap-ins for the Microsoft Management Console (MMC). HTML Administrator (HTMLA) enabled the browser based administration of IIS. Support was included for Simple Mail Transport Protocol (SMTP) and Network News Transport Protocol (NNTP). Personal Web Server (PWS) was included for Windows 95 platforms.

With the introduction of the Windows 2000 Server OS came the launch of Internet Information Services (IIS) 5. With IIS 5 came the name change from Internet Information Server to Internet Information Services. IIS included new features and enhancements which enabled administrators and Internet service providers (ISPs) to create scalable Web applications, Web sites, Web clusters, and a 9

reliable Web environment. IIS 5 also included enhancements specific to security, administration and applications. The key features and enhancements included with IIS 5 are summarized below:

Pooled Process was the application model introduced with IIS 5 which enabled multiple web applications to run in a shared memory space detached from the Inetinfo.exe's In Process space. You could define the CPU share time for a Web site.

IIS was integrated with the Active Directory directory service introduced in Windows 2000. Support for Web Distributed Authoring and Versioning (WebDAV) which allow users to edit, delete and move files and directories, and hare documents over the Internet. HTTP compression made it possible to transmit pages between the Web server and clients that support compression much faster. File Transfer Protocol (FTP) Restart improved on data transfer by resuming the downloading of a file from when interruption occurred in the data transfer process. Administration specific enhancements and features included with IIS 5 are listed below:
o

With the introduction of IIS 5 came the capability of restarting IIS without necessitating a computer restart as well. Web-based administration tools enabled administrators to remotely administer the Web server using virtually any browser. Custom error messages enabled administrators to send a message to clients when HTTP errors or issues exist on the Web site. Terminal Services, introduced in Windows 2000 Server, allows you to remotely administer IIS and other Windows services.

Security specific enhancements and features included with IIS 5 are listed below:
o

Server-Gated Cryptography (SGC), a SSL extension enables stronger 128-bit encryption to be utilized. Digest Authentication improves security for user authentication over and firewalls. proxy servers

IIS 5.0 is integrated with Kerberos version 5 authentication, and is used for authentication between computers running Windows 2000. IIS certificate storage in IIS 5 is integrated with Microsoft CryptoAPI (CAPI) storage. A number of new security wizards are introduced in IIS 5 as well, including: 10

o o

The Permissions Wizard, for configuring Web site access. The Web Server Certificate Wizard, for creating certificate requests and for the administration tasks of the certificates. The CTL (certificate trust lists) Wizard, for configuring CTLs. A CTL contains the trusted Certification Authorities (CAs) for a directory. Configuring CTLs is beneficial when ISPs that have multiple Web sites requiring a unique list of approved CAs for every site.

Programmability specific enhancements and features included with IIS 5 are listed below:

The features included for Active Server Pages (ASP) include:


Enhanced error handling Windows Script Components Scriptless ASP Better flow control methods Integration with Extensible Markup Language (XML)

Performance improved objects

Active Directory Service Interfaces (ADSI) 2.0 enables greater flexibility for site configuration by adding custom objects and properties to the ADSI.

With the introduction of the Windows Server 2003 OS came the launch of Internet Information Services (IIS) 6. A few key features and enhancements included with IIS 6 are summarized below:
o o

IIS 6 is fully integrated with Windows Server 2003. IIS 6 is not by default installed, and ASP and FrontPage extensions are disabled. All permissions are set to high. IIS 6 architecture has been designed to move HTTP listening into the kernel for increased performance and reliability. This means that the handling of HTTP requests has been moved directly into the kernel. Incoming HTTP requests are handled by the http.sys kernel mode component, which means that a bigger number of HTTP requests can be handled by IIS 6 that what IIS 5 could handle. The IIS 5 compatibility mode, included with IIS 6 allows you to switch to IIS 5 when you have applications that only operate under IIS 5. 11

Programmability specific enhancements include support for the latest web standards such as XML, IPv6 and SOAP. The IIS metabase is formatted and saved as a plain text file using the Extensible Markup Language (XML). In IIS 4 and IIS 5, the metabase was saved in the binary format. With IIS 6, you can use a text editor tool such as Notepad to edit the metabase file. You can also use Windows Management instrumentation (WMI) tools or Active Directory Services Interface (ADSI) scripts to change the metabase file. Whether changing the metabase file manually or programmatically, you no longer need to stop and restart IIS to perform any changes to the metabase file. The metabase history feature included in IIS 6 monitors changes made to the IIS metabase, and automatically saves backups of the metabase when changes are made to it. IIS 6 allows administrators to copy IIS configurations from one physical machine to a different machine through the use of ADSI scripts, WMI tools or the admin scripts provided by IIS 6. You can use the IIS Manager, or administration scripts to administer IIS. Digest Authentication can be used over proxy servers and firewalls. IIS 6 can also use Passport authentication because of its integration with Microsoft .NET Passport. You can use the Group Policy feature of Active Directory to further secure IIS.

o o o

IIS Architecture Prior to IIS 6


Before IIS 4, the architecture of IIS consisted of In Process processing. This meant that the Internet Services Application Programming Interface (ISAPI) DLLs executed within the inetinfo.exe service's process. With the launch of IIS 4, came the IIS metabase which stored IIS configuration settings and data. This meant that the IIS configuration settings were no longer stored in the Registry. Only a few settings, such as the keys used to start IIS remained in the Registry. The IIS Admin Service, used for the management of the IIS metabase was included in IIS 4. IIS Admin Service is responsible for maintaining the IIS metabase, and for updating the Registry with the configuration settings for the other key IIS services, including the WWW service, FTP, NNTP and SMTP. Another key architectural change included in IIS 4, was that IIS 4 could run applications Out of Process, or in process isolation. This improved the reliability of the Web environment within your organization because a single application failure no longer caused other applications and processes to fail on the server. You could configure applications that run Out of Process to start automatically when they fail. You could also start and stop applications running on the 12

server, and not impact your other applications. When processes are run In Process, the whole Web server remained unavailable until it was rebooted or inetinfo.exe was restarted. IIS 4 integration with Microsoft Transaction Server (MTS), and MTS's Web Application Manager (WAM) component made it possible for applications to run Out of Process in isolated space. With IIS 4, applications were first setup to execute In Process. Only after the applications were installed could they be setup to execute Out of Process. This was done by navigating to the Properties dialog box of the virtual directory of the application, and then choosing the Run In Separate Memory Space (Isolated Process) checkbox. In summary, IIS 4 provided the means for applications to run in either In Process or Out of Process. A major disadvantage associated with applications executing Out of Process is that they run slower than applications which run In Process. For this reason, applications which were run Out of Process were mainly applications in the testing phase. It was also common to debug applications on IIS in Out of Process mode. Applications running Out of Process could also not communicate with other applications running on the identical machine, which obviously caused problems when certain applications needed to communicate with other applications. With the launch of IIS 5 came the capability of running Web applications in the following modes:
o

In Process: In this mode, applications run in the architecture of IIS 1 - IIS 3, which means that they run as a component of the main Web server process. Out of Process (Isolated): In this mode, applications run in isolation, in its dllhost.exe host process. Poole Process: Applications run as a pooled process, separate from inetinfo.exe, in the dllhost.exe COM+ host process. This is turn allows multiple ISAPI and ASP applications to interact or communicate. Web applications executing in Pooled Out of Process perform better than those applications running Out of Process (Isolated).

The major disadvantages associated with the IIS 5 architecture are listed below:
o

Applications running in IIS Process executed In Process with the core Web server process which meant that while they performed optimally, an application failure could cause the entire Web server process to collapse. Applications running in the isolated Out of Process (Isolated) or Pooled Out of Process had poor performance repercussions. This basically means that out of process applications have a performance issue when they run on IIS 5.

The Key Differences between IIS 6 and IIS 5 Architecture


The main differences between IIS 6 and IIS 5 architecture is summarized below:

13

IIS 6 architecture moves HTTP listening into the kernel for increased performance and reliability. This means that the handling of HTTP requests has been moved directly into the kernel. The WWW Service includes the new Web Administration Service (WAS). The applications models supported in IIS 6 are:

o o

Worker process isolation mode isolates all developer application code from the main IIS services. II5 isolation mode, for backward compatibility for IIS 5 applications.

IIS 6 includes support for multiple application pools, and each application pool can operate in isolation of the other application pools.

Main Components of IIS 6


With IIS 6, HTTP listening and routing is moved to the Kernel Mode HTTP Listener component which is put in operation through the http.sys kernel mode device driver. Http.sys operates within the Windows Server 2003 TCP/ IP network subsystem, in the TCP/IP stack of Windows Server 2003. Http.sys listens for HTTP requests wanting to establish connections with addresses and port numbers of websites hosted on IIS. The responsibilities of http.sys are summarized below:
o

Listen for, and route HTTP requests to the appropriate worker process. Application code run in user mode processes which are referred to as worker processes. Multiple worker processes usually run simultaneously to handle pools of applications. Receives HTTP responses from the IIS worker processes and sends them to the client. Http.sys does not actually process the HTTP requests but forwards it to the correct IIS worker process for processing. With IIS 6, an application pool is associated with a kernel mode queue to which http.sys routes HTTP requests. Cache HTTP responses for static content and dynamic content through a kernel mode cache. Manage TCP connections for HTTP requests and responses. Manage bandwidth throttling

o o o o

Responsible for text based logging for the WWW Publishing service. Manage connection limits and connection timeouts.

The implementation of the Kernel Mode HTTP Listener component through the http.sys kernel has led to the following benefits. 14

Processes that execute in kernel mode have a higher priority than any user mode processes, which means that http.sys improves on the processing time of HTTP requests. Http.sys can continue to listen for, and queue HTTP requests in cases where the actual Web application for the requests is down.

With IIS 6, the IIS Admin Service manages the IIS metabase, and updates the Registry with the configuration settings for the other key IIS services, including the WWW service, FTP service, NNTP service and SMTP service. The Web Administration Service (WAS) component of IIS 6 handles the creation of websites on IIS 6; and consists of the two components listed below. It is implemented as a DLL within the svchost.exe host process.
o

Configration Manager, duties include:


Store and retrieve configuration data from the IIS metabase. Initializes the namespace routing table at startup for http.sys. An entry is created in the routing table for each application pool. Notifies http.sys when the http.sys routing table needs updates made to it. The routing table needs to be updated when new application pools are created for new Web applications.

Application Pool Manager, duties for managing the IIS worker processes include:

Start, stop, restart and recycle worker processes Monitor worker processes

A worker process in IIS 6 is a process wherein user developed Web application code runs. A worker process is actually a host process, called w3wp.exe. Worker processes process the user requests received from the http.sys queues. The worker processes also returns a static page or dynamic page to the requesting client through http.sys. A worker process can host the following:
o o o o

ASP applications ISAPI applications and filters CGI applications Static content

An application pool consists of the following components:


o

A kernel mode http.sys request queue 15

A single instance of or multiple instances of w3wp.exe - worker processes.

In IIS 6, applications can run in different configurations:


o

An application pool has one worker process that hosts the single Web application which in turn is isolated from other applications through process boundaries. An application pool has one worker process hosting two or numerous Web applications. An application pool has numerous worker processes hosting multiple Web applications. This configuration concept is called a Web garden and is a new IIS feature.

o o

Logging of HTTP requests with the earlier versions of IIS included the text file formats listed below. You could also log requests to an ODBC database. Logging was handled by the inetinfo.exe process.
o o o

NCSA standard format W3C Extended format Native IIS format

With IIS 6, logging is handled by the Kernel Mode HTTP Listener, and ODBC logging is handled by worker processes. This in turn leads to better performance. The kernel mode cache is managed by http.sys for static and dynamic content. When http.sys detects a HTTP request, it checks the cache first, and retrieves the page from the cache. This takes place in kernel mode, which means that performance is greatly enhanced for cached content. When a client requests an ASP page, the ASP code is compiled into an ASP template, which gets cached in the in-memory cache. These templates are cached so that they can be used again. With IIS 6, the oldest templates in the in-memory cache are cached offline (on disk) when the memory cache is full. IIS 6 can store 250 templates in-memory. The in-memory cache of IIS 6 can be configured to use 64GB of physical memory.

Worker Process Isolation Mode - IIS 6 Application Mode


Worker process isolation mode is the primary application mode used in IIS, and includes the application pools, worker processes, health monitoring, and all other IIS 6 specific architectural elements. The characteristics of worker process isolation mode are:
o o o

An application pool can have one or multiple web applications. The worker processes handles the HTTP requests from the queue. An application pool can contain one worker process or multiple worker processes (Web garden). 16

o o o

Each application pool has an associated kernel mode queue in http.sys. A single application failure does not result in multiple applications failing. ASP applications, ASP.NET applications and ISAPI extensions are loaded into the worker processes. Inetinfo.exe manages the metabase and the FTP Service, SMTP Service and the NNTP Service. Web Administration Service (WAS) manages the application pools and worker processes.

The process that occurs when a client sends a HTTP request is listed below:
o o o

Http.sys listens for and discovers the client's HTTP request. If the request is invalid, an HTTP error code is returned to the client by http.sys. If the request is valid, http.sys first checks the kernel mode response cache to ascertain whether the page which the client requested is cached. If the requested page is in the cache, it is immediately returned to the client. The request is routed to the kernel mode queue of the application pool by http.sys. A worker process of the application pool takes the request from the kernel mode cache. The worker process sends the response to the client through http.sys. Http.sys caches the response.

o o o o o

IIS 5 Isolation Mode - IIS 6 Application Mode


IIS 6 can run in IIS 5 isolation mode to enable backward compatibility for applications that do not function correctly on IIS 6. Applications that usually need IIS 6 running in IIS 5 isolation mode are:
o

Applications that call processes which do not reside in the application pool associated with the application. Other than for ASP.NET applications, all other applications that requires to persevere session state information. ISAPI applications which load multiple times and run in tandem; and ISAPI filters performing read raw data filtering.

The IIS 6 architectural elements that are not available when IIS 6 runs in IIS 5 isolation mode are: 17

o o o o o

Web gardens Health detection Processor affinity Process recycling Rapid fail protection

The Main IIS Supported Protocols and Services


IIS supports a few key protocols and services, which are:
o

World Wide Web (WWW) service, used to connect HTTP requests from IIS clients to IIS websites. The service is also used to publish Web services. Hypertext Transfer Protocol (HTTP) is a TCP/IP application layer protocol, and is used to connect to websites, and to create Web content. HTTP handles the publishing of static and dynamic Web content. A HTTP session consists of a connection, a HTTP request and a HTTP response

Port 80 is used for HTTP connections. The client establishes a TCP connection to the server by using a TCP three way handshake. After the connection is established, the client sends a HTTP GET request message to the server. The server sends the client the requested Web page. HTTP Keep-Alives maintains the TCP connection between the client and server if it is enabled, so that the client can request additional pages. If HTTP Keep-Alives is not enabled, the TCP connection is terminated after the requested page is downloaded.

File Transfer Protocol (FTP) is a TCP/IP application layer protocol, and is used for copying files to and from remote systems through the Transmission Control Protocol (TCP). FTP makes it possible for clients to upload and download files from a FTP server over an internetwork. Through IIS, you can create and administer FTP servers. You need an FTP server and FTP client to use the protocol. A FTP session has a connection, a request, and a response.

The client establishes a TCP connection to the FTP server through port 21. A port number over 1023 is assigned to the client. The client sends a FTP command to port 21. 18

If the client needs to receive data, another connection is created with the client, to convey the data. This connection utilizes port 20. The second connection remains in a TIME_WAIT state after the data is transferred to the client. The TIME_WAIT state makes it possible for additional data to be transferred. The TIME_WAIT state ends when the connection timeout. IIS Admin Service, used for the management of the IIS metabase. It updates the Registry with the configuration settings for the other key IIS services, including the WWW service, FTP service, NNTP service and SMTP service.

Simple Mail Transfer Protocol (SMTP) is a TCP/IP application layer protocol used for routing and transferring e-mail between SMTP hosts on the Internet. It is a client/server and server/server protocol. Network News Transfer Protocol (NNTP) is a TCP/IP application layer protocol used to send network news messages to NNTP servers and NNTP clients on the Internet. It is a client/server and server/server protocol. The NNTP protocol enables a NNTP host to replicate its list of newsgroups and messages with another host through newsfeeds, using a push method or a pull method. A NNTP client can establish a connection with a NNTP host to download a list of newsgroups, and read the messages contained in the newsgroups. Secure Sockets Layer (SSL) version 3, used to encrypt HTTP and NNTP authentication data and transmission data through public key cryptography Lightweight Directory Access Protocol ( LDAP) is used by the Simple Mail Transfer Protocol (SMTP) service to access data in the directory service. Transport Layer Security (TLS), used to encrypt SMTP data transmissions. Multipurpose Internet Mail Extensions (MIME), used to transmit file formats to HTTP clients. The HTTP service uses MIME.

o o

Using IIS Command-Line Utilities to Manage IIS


The Types of Commands used for Managing IIS from the Command Line
The types of commands which you can use to manage IIS from the command line are:

IISReset, Windows Management Instrumentation (WMI) scripts, Active Directory Services Interface (ADSI), and the standard Windows commands and Support Tools utilities.

IISReset Command-line Utility


IISReset is a command-line utility that has been in existence from IIS 5, which you can use to stop IIS, restart IIS, and reboot the IIS server. Typical reasons for restarting IIS are: 19

When problematic ASP.NET and ASP application exist, and you need to eliminate resource leaks, or initiate resource recycling. When certain IIS configuration changes are made, you would need to restart IIS so that the changes are applied. A few of these types of configuration settings changes are listed below:
o o

IIS needs to be restarted when the IIS isolation mode is changed. When you restore the metabase from a metabase history file manually, you need to restart IIS. You have to restart IIS when you change the Direct Metabase Edit feature's property, EnableEditWhileRunning, directly in the metabase file. IIS also has to be restarted whenever changes are made to any global configuration settings located under HKLM\Software\Microsoft\InetMgr\Parameters.

Windows Management Instrumentation (WMI)


You can use WMI scripts for a few typical IIS management tasks:

Create and delete Web sites and FTP sites Create and delete virtual directories Enable/disable web service extensions Backup and restore IIS configuration, and copy IIS configuration Import/export portions of the metabase, as well as other management tasks

A few WMI scripts are provided by Microsoft, and are located in the \Windows\System32 directory. These WMI scripts and their associated functions are listed below:

iisweb.vbs: Used to perform the following management tasks from the command line:
o o o

List Web sites Create/delete Web sites Start/stop Web sites

iisvdir.vbs: Used for performing the following management tasks from the command line:
o o

Create/delete virtual directories for Web sites List virtual directories in a specified root.

iisapp.vbs: For listing all Web applications which are running on the IIS machine. 20

iisback.vbs: For backing up and restoring IIS configuration settings, and for deleting IIS backups. iiscnfg.vbs: Used to perform the following management tasks from the command line:
o o o

Import and export IIS configurations as XML files Save IIS configuration to disk. Copy IIS configuration settings

iisext.vbs: Used for performing the following management tasks from the command line:
o o o o o o

List applications Enable applications Add/remove application dependencies Enable/disable web service extensions List and add/remove web service extension files Enable/disable web service extension files

iisftp.vbs: Used to perform the following management tasks from the command line:
o o o o

List FTP sites Create/delete FTP sites Start/stop FTP sites Set Active Directory user isolation for your FTP sites

iisftpdr.vbs: Used to perform the following management tasks from the command line:
o o

Create and delete virtual directories in FTP sites List virtual directories in a specified root.

Active Directory Services Interface (ADSI)


Active Directory Services Interface (ADSI) was used in II 5 to manage IIS from the command line. Through ADSI, you can change IIS configuration settings, and configure websites, applications, and virtual directories from the command line. With IIS 6, it is recommended to use WMI scripts over ADSI. Any custom ADSI scripts previously used in IIS 5 should be tested to verify that they work in IIS 6. 21

Windows Commands and Support Tools Utilities


A few IIS specific Windows commands, such as the net commands, can be used to manage IIS from the command line:

net start and net stop: Used to start and stop IIS services. The service name which you should use when utilizing the net command to start, or stop IIS services are listed below:
o o o o o

FTP service = msftpsvc IIS Admin service = iisadmin NNTP service = nntpsvc SMTP service = smtpsvc WWW service = w3svc

net localgroup: Used to add a user account to the IIS_WPG group. Accounts utilized as application pool identities are members of the IIS_WPG group. Cacls: Used to capture NTFS permissions on the IIS server.

Convlog: Used to convert the IIS log files to the NCSA format.

You can also use the resource kit utilities listed below to manage certain elements of IIS:

secedit: Used to administer security templates. auditpol: Used to change audit policies from the command line showmbrs: Used to list the members of security groups which have permissions on directories and files.

How to schedule IISReset.exe through Task Scheduler


IISReset is typically used when you need to recover from faulty application situations. You can use Windows Task Scheduler to schedule IIS to restart according to predefined parameters. 1. Open Control Panel.

2. Select Scheduled Tasks, and then select Add Scheduled Task. 3. Click Next for the Scheduled Task Wizard to start. 4. Click Browse and browse to Windows\System32 folder. 5. Double-click IISReset.exe. 22

6. Enter a task name, and select when the task should run. Click Next. 7. Enter the Administrator account details that should be utilized to run IISReset. Click Next. 8. If you want to configure advanced task scheduling properties, click the Advanced checkbox; or alternatively click Finish. 9. Open the Properties dialog box of the task you just configured, and click the Task tab. 10. Add any additional switches in the Run box. 11. Click OK.

How to use iisweb.vbs to manage Web sites


The iisweb.vbs utility is used to list Web sites, create and delete Web sites, and start and stop Web sites in IIS. iisweb.vbs has the following main switches:
/create, /delete, /start, /stop,

for creating a Web site. for deleting a Web site.

for starting a Web site.

for stopping a Web site for pausing a Web site for troubleshooting a Web site - displaying all the Web sites on the IIS machine

/pause, /query,

To create a Web site, use:


iisweb[.vbs] /create Path SiteName [/b Port] [/i IPAddress] [/d HostHeader] [/dontstart] [/s Computer [/u [Domain\]User [/p Password]]] Path,

the physical location to the files for the Web site. When the directory does not exist, the script creates it.
SiteName,

the name of the new Web site. This is the name which will be displayed in IIS

Manager.
/b Port,

the port on which the new Web site should listen for HTTP requests. The default value is port 80.
/i /d

IPAddress, the

IP address that must be assigned to the Web site.

HostHeader, the host header for the new site. 23

/dontstart,

used to indiate that IIS should not automatically start the Web site after it is created. IIS by default starts a newly created Web site.
/s Computer,

used to indicate that the script should run on this remote computer. The local computer is used by default.
/u [Domain\]User,

the account credentials that must be used to create the Web site on the

remote computer.
/p Password,

the password of the account credentials (above).

To start, stop, delete, or pause a Web site, use:


iisweb[.vbs] {/delete | /start | /stop | /pause} WebSite [WebSite...] [/s Computer [/u [Domain\]User [/p Password]]] WebSite,

the name of the Web site which should be deleted, started, stopped, or paused.

/s Computer,

used to indicate that the script should run on this remote computer. The local computer is used by default.
/u [Domain\]User,

the account credentials that must be used to delete, start, stop, or pause the Web site on the remote computer.
/p Password,

the password of the account credentials (above).

To query Web sites on your IIS servers, use


iisweb[.vbs] /query [WebSite [WebSite...]] [/s Computer [/u [Domain\]User [/p Password]]]

How to use iisvdir.vbs to manage virtual directories


The iisvdir.vbs command can be used to list virtual directories in a specified root, to create and delete virtual directories for websites, and to query virtual directories of an IIS server. To create a virtual directory for a Web site, use:
iisvdir /create WebSite[/VirtualPath] Name PhysicalPath [/s Computer [/u [Domain\]User /p Password]] WebSite,

the name of the Web site which you want to create the virtual directory for. the virtual path under which this virtual directory should be created (optional)

VirtualPath, Name,

the name of the new virtual directory. the name of physical directory where the virtual directory points.

PhysicalPath,

24

/s Computer,

used to indicate that the script should run on this remote computer. The local computer is used by default.
/u [Domain\]User,

the account credentials that must be used to create the virtual directory for the remote computer.
/p Password,

the password of the account credentials (above).

To delete a virtual directory associated with a Web site, use:


iisvdir /delete WebSite[/VirtualPath] Name [/s Computer [/u [Domain\]User/p Password]] WebSite,

the name of the Web site which is associated with the virtual directory that you want to delete.
VirtualPath, Name,

the virtual path which holds the virtual directory (optional).

the name of the virtual directory that you want to delete.

/s Computer,

used to indicate that the script should run on this remote computer. The local computer is used by default.
/u [Domain\]User, /p Password,

the account credentials that must be used to delete the virtual directory.

the password of the account credentials (above).

To query Web site specific virtual directories on your IIS servers, use
iisvdir /query WebSite[/VirtualPath][/s Computer [/u [Domain\] User/p Password]] WebSite,

the name of the Web site which is associated with the virtual directory that you want

to query.
VirtualPath, /s Computer,

the virtual path which holds the virtual directory (optional).

used to indicate that the script should run on this remote computer. The local computer is used by default.
/u [Domain\]User, /p Password,

the account creentials that must be used to query for virtual directories.

the password of the account credentials (above).

How to use iisftp.vbs to manage FTP sites


The iisftp.vbs utility is used to perform management tasks from the command line that are specific to managing FTP sites on the IIS servers. iisftp.vbs has the following main switches: 25

/create, /delete, /start, /stop,

for creating a FTP site. for deleting a FTP site.

for starting a FTP site.

for stopping a FTP site for troubleshooting a FTP site - displaying all the FTP sites on the IIS machine

/query,

/setadprop,

for indicating that Active Directory properties should be used for a particular user accessing the FTP site.
/getadprop,

for obtaining Active Directory properties for the particular user.

To create a FTP site, use:


iisftp /create Path SiteName [/b Port] [/i IPAddress] [/dontstart] [/isolation {AD|Local} [/domain DomainName /Admin [Domain\]User /AdminPwd Password]] [/s Computer [/u [Domain\]User/p Password]] Path,

the physical location to the files for the FTP site. the name of the new FTP site. This is the name which will be displayed in IIS

SiteName,

Manager.
/b Port,

the port on which the new FTP site should listen for FTP requests. The default value is port 21.
/i IPAddress, /dontstart,

the IP address that must be assigned to the FTP site.

used to indicate that IIS should not automatically start the FTP site after it is created. IIS by default starts all newly created sites.
/isolation, domain,

used to indicate the isolation mode that should be used.

when Active Directory is selected as the isolation mode, this is the domain for Active Directory.
admin,

when Active Directory is selected as the isolation mode, this is the admin account credentials for Active Directory.
AdminPwd,

when Active Directory is selected as the isolation mode, this is the password of the admin account for Active Directory (above).
/s Computer,

used to indicate that the script should run on this remote computer. The local computer is used by default.

26

/u [Domain\]User,

the account credentials that must be used to create the FTP site on the

remote computer.
/p Password,

the password of the account credentials (above).

To start, stop, delete, or pause a FTP site, use:


iisftp[.vbs] {/delete | /start | /stop | /pause} FTPSite [FTPSite...] [/s Computer [/u [Domain\]User [/p Password]]] FTPSite,

the name of the FTP site which should be deleted, started, stopped, or paused.

/s Computer,

used to indicate that the script should run on this remote computer. The local computer is used by default.
/u [Domain\]User,

the account credentials that must be used to delete, start, stop, or pause the FTP site on the remote computer.
/p Password,

the password of the account credentials (above).

To query FTP sites on your IIS servers, use


iisftp[.vbs] /query [FTPSite [FTPSite...]] [/s Computer [/u [Domain\]User [/p Password]]]

To use /setadprop, and /getadprop use,


iisftp /SetADProp UserID {FTPDir|FTPRoot} PropertyValue [/s Computer [/u [Domain\]User/p Password]] iisftp /GetADProp UserID [/s Computer [/u [Domain\]User /p Password]] UserID, FTPDir,

the Active Directory user login ID indicates whether the modification is applicable at the directory levl or at the root level. indicates the home directory and relative path.

PropertyValue, /s Computer,

used to indicate that the script should run on this remote computer. The local computer is used by default.
/u [Domain\]User, /p Password,

the account credentials that must be used for remote administration.

the password of the account credentials (above).

How to use iisftpdr.vbsto manage virtual directories


The iisftpdr.vbs command can be used to list virtual directories in a specified root, and to create and delete virtual directories in FTP sites from the command line. 27

To create a virtual directory for a FTP site, use:


iisftpdr /create FTPSite[VirtualPath] Name PhysicalPath [/s Computer [/u [Domain\]User /p Password]] FTPSite,

the name of the FTP site which you want to create the virtual directory for. the virtual path under which this virtual directory should be created (optional)

VirtualPath, Name,

the name of the new virtual directory. the name of physical directory where the virtual directory points.

PhysicalPath, /s Computer,

used to indicate that the script should run on this remote computer. The local computer is used by default.
/u [Domain\]User,

the account credentials that must be used to create the virtual directory on the remote computer.
/p Password,

the password of the account credentials (above).

To delete a virtual directory associated with a FTP site, use:


iisftpdr /delete FTPSite[VirtualPath]/Name [/s Computer [/u [Domain\]User /p Password]]

FTPSite, the name of the FTP site which is associated with the virtual directory that you want to delete. VirtualPath, the virtual path which holds the virtual directory (optional). Name, the name of the virtual directory that you want to delete. /s Computer, used to indicate that the script should run on this remote computer. The local computer is used by default. /u [Domain\]User, the account credentials that must be used to delete the virtual directory. /p Password, the password of the account credentials (above).

To query FTP specific virtual directories on your IIS servers, use


iisftpdr /query FTPSite[/VirtualPath][/s Computer [/u [Domain\]User/p Password]]

FTPSite, the name of the FTP site which is associated with the virtual directory that you want to query. VirtualPath, the virtual path which holds the virtual directory (optional).

28

/s Computer, used to indicate that the script should run on this remote computer. The local computer is used by default. /u [Domain\]User, the account credentials that must be used to query for virtual directories remotely. /p Password, the password of the user account (above).

How to use iiscnfg.vbs to manage IIS from the command line


You can use iiscnfg.vbs to import and export IIS configurations settings of the metabase as XML files. To export IIS configuration settings, use:
iiscnfg /export /f [Path\]FileName.xml /sp SourcePath [/d EncryptingPassword] [/inherited] [/children] [/s Computer [/u [Domain\]User [/p Password]]]

/f [Path\]FileName.xml, the name of the XML file that the configuration settings should be exported to. /sp SourcePath, the node of the metabase configuration settings.

/d EncryptingPassword, the password of the XML file. /inherited, indicates that all inherited information should be exported. /children, indicates that subkeys of the node should be exported. /s Computer, used to indicate that the script should run on this remote computer. The local computer is used by default. /u [Domain\]User, the account credentials that must be used to run the script. /p Password, the password of the account credentials (above).

To import IIS configuration settings, use:


iiscnfg /import /f [Path\]FileName.xml /sp SourcePath /dp DestinationPath [/d EncryptingPassword] [/inherited] [/children] [/merge][/s Computer [/u [Domain\]User [/p Password]]]

/f [Path\]FileName.xml, the name of the XML file that should be used to import IIS configuration settings to the server. /sp SourcePath, the node of the XML file. /dp DestinationPath, the destination node path in the metabase. /d EncryptingPassword, the password of the XML file. 29

/inherited, indicates that all inherited information should be imported. This can only occur when the source node has properties that can be inherited. /children, indicates that subkeys of the node should be imported. /merge, merges different source keys to one metabase key through this value. /s Computer, used to indicate that the script should run on this remote computer. The local computer is used by default. /u [Domain\]User, the account credentials that must be used to run the script. /p Password, the password of the user account (above).

To copy the metabase.xml file and metabase XML file to a different IIS server, use:
iiscnfg /copy /ts TargetComputer /tu TargetUser /tp TargetPassword [/s Computer [/u [Domain\]User [/p Password]]]

/ts TargetComputer, the name or IP address of the IIS computer to which these configuration settings should be copied. tu TargetUser, the user account for logging on the target computer. tp TargetPassword, the password of the account provided above. /s Computer, used to indicate that the script should run on this remote computer. The local computer is used by default. /u [Domain\]User, the account credentials that must be used to run the script remotely. /p Password, the password of the account (above).

To immediately save configuration changes to the metabase, use:


iiscnfg /save [/s Computer [/u [Domain\]User /p Password]]

/s Computer, used to indicate that the script should run on this remote computer. The local computer is used by default. /u [Domain\]User, the account credentials that must be used to run the script. /p Password, the password of the account (above).

How to use iisback.vbs to back up IIS configuration settings and restore IIS configurations
You can use iisback.vbs to back up, and restore IIS configuration settings from the command line 30

To back up IIS configuration settings, use:


iisback /backup [/b BackupName] [/v {Integer | HIGHEST_VERSION | NEXT_VERSION}] [/overwrite] [/e EncryptingPassword] [/s Computer [/u [Domain\]User/p Password]]

/b BackupName, the name of the back up. /v {Integer}, possible values are HIGHEST_VERSION or NEXT_VERSION. HIGHEST_VERSION creates a backup of the highest version number. The HIGHEST_VERSION value has to be utilized with /overwrite. NEXT_VERSION increments the existing version number by one. /overwrite, used to overwrite a current backup /e EncryptingPassword, used to enable password encryption for the backup.

/s Computer, used to indicate that the script should run on this remote computer. The local computer is used by default. /u [Domain\]User, the account credentials that must be used to create backups for the remote computer. /p Password, the password of the account credentials (above).

To restore IIS configuration settings, use:


iisback /restore /b BackupName [/v {Integer | HIGHEST_VERSION}] [/e EncryptionPassword] [/s Computer [/u [Domain\]Userp Password]]

/b BackupName, the name of the backup file that you want to restore. /v {Integer}, possible values are HIGHEST_VERSION or NEXT_VERSION. /e EncryptingPassword, the password for the backup. /s Computer, used to indicate that the script should run on this remote computer. The local computer is used by default. /u [Domain\]User, the account credentials that must be used to restore the backup file for the remote computer. /p Password, the password of the account (above).

To list all IIS backups for an IIS server, use:


iisback /list [/s Computer [/u [Domain\]User/p Password]]

/s Computer, used to indicate that the script should run on this remote computer. The local computer is used by default. 31

/u [Domain\]User, the account credentials that must be used to list all backups for the remote computer. /p Password, the password of the account credentials (above).

To delete an IIS backup, use:


iisback /delete [/bBackupName] [/v {Integer | HIGHEST_VERSION}] [/s Computer [/u [Domain\]User /p Password]]

/bBackupName, the name of the backup file that you want to delete. /v {Integer}, possible values are HIGHEST_VERSION or NEXT_VERSION. /s Computer, used to indicate that the script should run on this remote computer. The local computer is used by default. /u [Domain\]User, the account credentials that must be used to delete the backup file for the remote computer. /p Password, the password of the account credentials (above).

User Authentication in IIS


Overview on IIS User Authentication
Authenticating users in IIS is one of the initial steps in securing IIS. When a user attempts to access a Web site or a FTP site on an IIS machine, authentication is the process which verifies whether the user can indeed access the site. Authentication and permissions are closely coupled. After a user is authenticated, NTFS permissions determine whether the user can access folders and files, and Web permissions indicate whether a Web client or FTP client can read the home directory or virtual directory of the website. The authentication methods which can be used to authenticate users in IIS 6 are listed below. Each authentication method can be used to authenticate users attempting to access Web sites. However, only Anonymous access and Basic Authentication can be enabled for FTP sites.

Anonymous access Basic Authentication Integrated Windows Authentication Digest Authentication .NET Passport Authentication

You can configure an authentication method for a Web site at the following levels: 32

Web Sites

node: The Directory Security tab is used.

Specific websites: The Directory Security tab is used. Virtual directory: The Directory Security tab is used Specific files: The File Security tab is used

You can configure an authentication method for a FTP site at the following levels:

FTP Sites node: The Security Accounts tab is used. Specific FTP site: The Security Accounts tab is used

When more than one authentication method is configured for a website, virtual directory or a file; the order in which the authentication methods supported in IIS are applied, is listed below: 1. The Anonymous access authentication method is applied first. 2. When the Anonymous access authentication method is not configured or supported, then the Windows Integrated Authentication method is attempted, the Digest Authentication method is attempted next, and the Basic Authentication method is attempted last (in that order). 3. No other authentication methods are available when the .NET Passport Authentication method is configured. The Integrated Windows Authentication method is the standard authentication method utilized for authenticating users attempting to log on to a Windows 2000 or Windows Server 2003 computer or network. Integrated Windows Authentication is the recommended authentication method for authenticating users attempting to access Web sites and FTP sites on IIS machines. Integrated Windows Authentication consists of the following two methods of the authentication:

The NTLMv2 method is used when the IIS machine is running in a network that contains Windows NT domain controllers, or when the IIS machine belongs to a workgroup. Kerberos authentication is used when the IIS machine belongs to a domain - no Windows NT domain controllers exist.

The requirements of the Integrated Windows Authentication method are listed below:

Internet Explorer 3.01 or later Integrated Windows Authentication could experience problems with firewalls and proxy servers. You may therefore need to configure Web clients to access the Web server through a tunneled connection, such as Point-to-Point Tunneling Protocol (PPTP).

33

Digest Authentication can only be enabled if Active Directory is used. Digest Authentication sends the user credentials over the network by utilizing an encrypted MD5 hash, and is therefore more secure than the Basic Authentication method. The requirements of the Digest Authentication method are listed below:

Internet Explorer 5 or later Active Directory must be used with domain controllers running Windows 2000 or Windows Server 2003. Domain user accounts must be configured for users. Users and the IIS machine should belong to the same domain. If not, they should be trusted by the same domain. The LocalSystem account must be used by the IIS machine when worker process isolation mode is enabled.

Basic Authentication is considered the most insecure authentication method that can be used for authenticating users in IIS because it uses a clear-text username and password. Basic Authentication functions over proxy servers, and works with all browser clients. Basic Authentication is enabled for FTP sites, by default. With .NET Passport Authentication, .NET passports are utilized for authentication, and authentication occurs via a single sign on method. When enabled, the credentials of users have unique Passport accounts. The Passport accounts are located on Passport servers which are connected to the Internet. The Passport servers are managed by Microsoft. IIS sends the Passport information of the user to the Passport servers for authentication when a user attempts to access an IIS Web site. The steps that should be used to enable .NET Passport Authentication is listed below: 1. You first have to set up a site ID and all necessary Passport configuration settings on the IIS machine. You can use the Passport Manager Administration Utility, msppcnfg.exe, to perform this task. 2. You next have to acquire a server certificate for the Web site. This certificate would identify the Web site when user authentication requests are forwarded to the Passport servers. 3. You have to register the Web site with the Passport site of Microsoft.

How to configure authentication settings at the Web site level


1. Open the IIS Manager. 2. Right-click a Web site in the console tree, and select Properties from the shortcut menu. 3. When the Properties dialog box of the Web site opens, click the Directory Security tab. 34

4. In the Authentication and Access Control section of the Directory Security tab, click the Edit button. 5. The Authentication Methods dialog box opens. You can configure the settings listed below on this dialog box.
o

The Enable anonymous access checkbox can be enabled or disabled for the Web site. Anonymous access is typically used for public sites. The options which you can configure in the Authenticated Access area of the Authentication Methods dialog box are:

Integrated Windows Authentication: This is the most secure option that can be used for authentication in IIS. Kerberos version 5 is utilized if the client browser includes support for the protocol. NTLM authentication is used when the client browser does not support Kerberos version 5. Digest Authentication For Windows Domain Servers: This option can only be enabled if Active Directory is used. Digest Authentication sends the user credentials over the network by utilizing an encrypted MD5 hash. Basic Authentication: This is the weakest authentication method available for IIS, and should be utilized when you cannot use any other authentication method. Basic authentication uses a clear-text username and password. .NET Passport Authentication: When enabled, .NET passports are utilized for authentication, and authentication occurs via a single sign on method.

6. Click OK

How to configure an authentication method at the FTP site level


1. Open the IIS Manager. 2. Right-click a FTP site in the console tree, and select Properties from the shortcut menu. 3. When the Properties dialog box for the FTP site opens, click the Security Accounts tab. 4. The Security Accounts tab has the following two checkboxes:
1.
o o

Allow Anonymous Connections Allow Only Anonymous Connections

5. If you only want to enable the Anonymous Access authentication method, select both the Allow Anonymous Connections checkbox, and the Allow Only Anonymous Connections checkbox. 35

6. If you want to enable both the Anonymous Access authentication method and the Basic authentication method, only select the Allow Anonymous Connections checkbox. Anonymous Access authentication will be automatically attempted before Basic authentication is attempted. 7. If you only want to enable Basic authentication, ensure that the Allow Anonymous Connections and Allow Only Anonymous Connections checkboxes are cleared (not selected). 8. Click OK

How to configure authentication settings at the IP Address level


You can restrict Web access at the IP address level by only allowing users to access a site who are using an IP address from a predefined list of approved IP addresses. To do this, 1. Open the IIS Manager. 2. Right-click a Web site in the console tree, and select Properties from the shortcut menu. 3. When the Properties dialog box of the Web site opens, click the Directory Security tab. 4. In the IP Address and Domain Name Restrictions section of the Directory Security tab, click the Edit button. 5. The Address and Domain Name Restrictions dialog box opens. 6. Using the dialog box, you can specify that all computers are granted access, or you can specify those computers which should not be granted access by listing their IP address or domain name. 7. Click the Add button to include particular users' IP addresses in a list. 8. Click OK.

Troubleshooting IIS
Understanding HTTP Error Messages
HTTP error messages are related to the HTTP status codes which are included in the response headers when pages are requested from the Web server. HTTP status codes are three digit numbers. HTTP status codes are categorized into the following categories:

Informational (1xx): This category is used for testing, and is not used for production Web servers. Successful (2xx): Indicates that requests were successfully received. 36

Redirection (3xx): Indicates that the client needs to perform additional steps for his/her request to be serviced. Client Error (4xx): Indicates an error at the client. Server Error (5xx): Indicates an error at the server.

Understanding HTTP error messages and their associated status codes is important when you need to troubleshoot IIS. A few common errors on the client side (4xx error) and server side (5xx error) are listed below:

400 Bad Request; the server cannot service the request, usually because of an incorrect URL. 401 Unauthorized; the users credentials were not accepted by the authorization process. 403 Forbidden; the request could not be serviced for a number of reasons, even though the user was authenticated. 404 Not Found; the server cannot locate the requested file. 405 Method Not Allowed; the client incorrectly issues a HTTP GET request when a HTTP POST request should have been issued. 406 Not Acceptable; the requested file is not supported by the client. 407 Proxy Authentication Required; the client has to authenticate with the proxy server before its request can be serviced. 410 Gone; the server no longer has the requested file. 500 Internal Server Error; indicates a typical server side error. 501 Not Implemented; the server does not support the HTTP method requested by the client. 502 Bad Gateway; an invalid response was received by the upstream server for which this server is a gateway. 503 Service Unavailable; the server does not support the service requested by the client.

From the above, you can see that a few of the error codes are quite vague in describing the actual issue. For this reason, a few HTTP error messages have substatus codes to provide more information on the current errors. The substatus codes associated with the various HTTP error messages in IIS 6 are:

The substatus codes for the 401 Unauthorized status code are:
o o

1; logon failed 2; logon failed because of the server configuration 37

o o o o

3; logon failed because of the ACL on resource 4; logon failed due to filter 5; logon failed due to ISAPI/CGI application 7; logon failed due to URL Authorization policy

The substatus codes for the 403 Forbidden status code are:
o o o o o o o o o o o o o o o o o o o o

1; Execute access denied 2; Read access denied 3; Write access denied 4; requires SSL 5; requires SSL 128-bit 6; IP address denied

7; requires client certificate 8; site access rejected 9; users too much 10; invalid configuration 11; password modified 12; mapper access rejected 13; client certificate revoked 14; directory listing rejected 15; client Access License exceeded 16; client certificate not trusted 17; client certificate either not valid yet, or expired 18; request cannot be serviced by particular application pool 19; CGI access rejected

20; Passport failed 38

The substatus codes for the 404 Not Found status code are:
o o

2; denied by Lockdown Policy 3; denied by MIME Map Policy

The substatus codes for the 500 Internal Serve Error status code are:
o o o o o o o o

12; application restarting 13; server occupied 15; direct requests forbidden for GLOBAL.ASA 16; UNC access error 17; URL Authorization store not located 18; URL Authorization store cannot be accessed/opened 19; bad file in metabase 100; ASP application error

By default, IIS returns the following default HTTP errors:


403; 14 Forbidden - directory listing rejected 500 Internal Server Error 500; 100 Internal Server Error - ASP error 501 Not Implemented 502 Bad Gateway

Custom HTTP Error Messages


Besides for the default HTTP error messages, IIS returns custom error messages. IIS returns custom error messages for all the other HTTP error messages, other than the default HTTP error messages listed previously. Custom error messages provide more information on the error condition than what the default messages provide, and can be customized. The custom error messages also include additional troubleshooting tips, which the default HTTP error messages do not provide. When custom error messages are enabled, IIS logs the error in the web logs for the site at the same time that it sends the HTTP error message to the client. You can however configure IIS to return a default message over a custom error message for a particular error, or you can configure IIS to return only default error messages for all errors. 39

The details and troubleshooting tips associated with custom HTTP error messages are discussed and condensed in the following section:

The Page Cannot Be Displayed: The page which you are looking for is currently unavailable. Please try the following:
o o o o

Click the Refresh button. Click the Back button to attempt a different link. Ensure that the website page address is spelt correctly. Verify the network connection settings which are being used. To do this, click the Tools menu, click Internet Options, and then click the Connections tab. Click Settings. The settings detailed for the connections must correspond to the settings which were provided by the ISP or LAN administrator. To enable Windows to automatically detect your network connection settings, click Detect Network Settings. Sites may require 128-bit SSL connection security. Use Help | About Internet Explorer to verify that the correct connection security is supported, and can be utilized. Verify that your existing Security settings can support the required connection security by clicking the Tools menu, clicking Internet Options, and clicking the Advanced tab. Verify the settings for SSL 2.0, SSL 3.0, TLS 1.0, and PCT 1.0.

Additional troubleshooting tips:


o o

The client has incorrectly spelt the domain name of the website in the requested URL. The port number of the website has since changed from its standard setting of port 80 to a different port number. The website may have been stopped or paused by the administrator.

400 Bad Request: The page could be temporarily unavailable, could have been removed, could have undergone a name change, or could have its content expired. Please try the following:
o o o

Ensure that the website address is spelt correctly. Click the Back button to attempt a different link to access the same content. Contact an administrator to inform him/her that the link is incorrectly formatted.

Additional troubleshooting tips:

40

The client is normally the cause of this error condition. Typical causes are the utilization of spaces in the URL, or a syntax error in the URL. The Default Web Site could have had its IP address changed from All Unassigned to an IP address which is not specified on IP Settings tab of the Advanced TCP/IP properties window.

401 You Are Not Authorized to View This Page: The credentials which were provided do not include permission to access the page or directory. Please try the following:
o

Click the Refresh button and attempt to access the page/directory by providing different credentials. Contact an administrator to inform him/her that you should be allowed to access the page/directory.

Additional troubleshooting tips:


o o

The provided credentials do not exist for the user. A mapping failure occurred between the .NET Passports and the user accounts stored in Active Directory.

401.2 You Are Not Authorized to View This Page: The credentials which were provided do not include permission to access the page or directory because the Web browser is sending a WWW-Authenticate header field which is not supported by the Web server. Please try the following:
o

Click the Refresh button and attempt to access the page/directory by providing different credentials. Contact an administrator to inform him/her that you should be allowed to access the page/directory.

Additional troubleshooting tips:


o o

The site contains no configured authentication methods. The incorrect credentials are being used to access a remote virtual directory.

401.3 You Are Not Authorized to View This Page: The credentials which were provided cannot be used to access the page or directory because of the ACL set on the resource on the Web server. Please try the following:
o

Click the Refresh button and attempt to access the page/directory by providing different credentials. 41

Contact an administrator to inform him/her that you should be allowed to access the page/directory.

Additional troubleshooting tips:


o

NTFS permissions are incorrectly configured for the requested file.

401.4 You Are Not Authorized to View This Page: The credentials which were provided cannot be used to access the requested page or directory because user authentication failed. This is due to a filter implemented on the Web server which authenticates user access, and authentication has failed. Please try the following:
o

Click the Refresh button and attempt to access the page/directory by providing different credentials. Contact an administrator to inform him/her that you should be allowed to access the page/directory.

401.5 You Are Not Authorized to View This Page: The credentials which were provided cannot be used to access the requested page or directory because authentication failed due to an ISAPI application or a CGI application. Please try the following:
o

Click the Refresh button and attempt to access the page/directory by providing different credentials. Contact an administrator to inform him/her that you should be allowed to access the page/directory.

401.6 You Are Not Authorized to View This Page: The credentials which were provided cannot be used to access the requested page or directory because the authorization scope associated with the URL could not be located on the Web server. Please try the following:
o

Click the Refresh button and attempt to access the page/directory by providing different credentials. Contact an administrator to inform him/her that you should be allowed to access the page/directory.

401.7 You Are Not Authorized to View This Page: The credentials which were provided cannot be used to access the requested page or directory because of the URL Authorization policy configured for the Web server. Please try the following:
o

Click the Refresh button and attempt to access the page/directory by providing different credential. 42

Contact an administrator to inform him/her that you should be allowed to access the page/directory.

403 You Are Not Authorized to View This Page: The credentials which were provided cannot be used to access the requested page or directory. Please try the following:
o

Click the Refresh button and attempt to access the page/directory by providing different credentials. Contact an administrator to inform him/her that you should be allowed to access the page/directory.

403.1 The Page Cannot Be Displayed: An executable program (CGI, ISAPI or some other program) was executed from a directory from which it could not be executed. Please try the following:
o

Contact an administrator to determine whether or not you should be allowed to execute programs from the directory.

Additional troubleshooting tips:


o

Open the Home Directory tab of the website to check what execute permissions has been configured. For CGI and ISAPI applications, check that Script and Executable permissions have been configured.

403.2 The Page Cannot Be Displayed: The page attempting to be accessed cannot be displayed. This is normally due to the directory being configured to allow Script and Execute permissions only. Please try the following:
o

Contact an administrator to determine whether Read permission should be allowed.

Additional troubleshooting tips:


o

Open the Home Directory tab of the website to check whether the Read permission has been configured.

403.3 The Page Cannot Be Saved: The page cannot be saved to the website because Write access is not allowed. Please try the following:
o

Contact an administrator to determine whether Write permission should be allowed for the directory.

Additional troubleshooting tips:


o

For publishing content to IIS using either WebDAV or FrontPage, verify that the correct permission has been configured for the website. 43

For FTP sites, verify that the Write permission is enabled.

403.4 The Page Must Be Viewed Over A Secure Channel: The page requires a Secure Sockets Layer (SSL) connection. Please try the following:
o

Enter

https:// at the start of the address you want to navigate to.

403.5 The Page Must Be Viewed With a High-Security Web Browser: To access the resource, your web browser needs to support 128-bit Secure Sockets Layer (SSL) encryption. Please try the following:
o o

Upgrade the web browser to support 128-bit SSL encryption. Contact an administrator to inform him/her that you should be allowed to access the page/directory.

403.6 You Are Not Authorized to View This Page: The website has a predefined list of denied IP addresses, and the IP address being utilized appears on that list. Please try the following:
o

Contact an administrator to inform him/her that you should be allowed to access the page/directory.

Additional troubleshooting tips:


o

Open the Directory Security tab of the website, and check whether the IP address appears on the IP Address and Domain Name Restrictions list.

403.7 The Page Requires a Client Certificate: To access the page, you need a web browser to have a Secure Sockets Layer (SSL) client certificate which the particular Web server accepts. Please try the following:
o

Contact an administrator to inform him/her that you should be allowed to access the page/directory. Contact an administrator to obtain a client certificate. If you have a client certificate (valid) verify that is installed correctly.

o o

403.8 You Are Not Authorized to View This Page The Web server has a predefined list of denied DNS names, and the DNS name being utilized appears on that list. Please try the following:
o

Contact an administrator to inform him/her that you should be allowed to access the page/directory. 44

Additional troubleshooting tips:


o

Open the Directory Security tab of the website, and check whether the DNS domain name of the client is disallowed.

403.9 The Page Cannot Be Displayed: The Web server is currently too occupied to service the request. Please try the following:
o

Click the Refresh button

Additional troubleshooting tips:


o

Verify whether the Connection Limit for the Web server has been surpassed.

403.10 You Are Not Authorized to View This Page: This directory does not allow executable programs to be executed. Please try the following:
o

Contact an administrator to determine whether or not the directory should be configured to allow execute access.

403.11 You Are Not Authorized To View This Page: The credentials provided to access the page/directory does not have the necessary permissions. Please try the following:
o

Click the Refresh button and attempt to access the page/directory by providing different credentials. Contact an administrator to inform him/her that you should be allowed to view the page/directory.

403.12 The Requested Page Requires A Valid SSL Client Certificate: The account associated with the client certificate on the Web server has not been allowed access to the site. Please try the following:
o o o

Contact an administrator to determine what the client certificate permissions are. If you have a client certificate (valid) verify that is installed correctly. Change the client certificate, click the Refresh button.

403.13 The Page Requires A Valid SSL Client Certificate: The client certificate which was used has been revoked. Please try the following:
o

Contact an administrator to determine what the client certificate permissions are. 45

Contact an administrator to obtain a client certificate.

403.14 Directory Listing Is Denied: A directory listing of this directory's content is not configured on the Web server. Please try the following:
o

Contact an administrator to determine whether a directory listing should be allowed.

Additional troubleshooting tips:


o

Verify whether the Directory Browsing setting, and the Read permission has been enabled on the Home Directory tab for the site.

403.15 The Page Cannot Be Displayed: The Web server has surpassed the configured Client Access License limit. Please try the following:
o

Click the Refresh button.

403.16 The Page Requires A Valid SSL Client Certificate: The current client certificate is invalid/untrusted. Please try the following:
o o o

Contact an administrator to determine what the client certificate permissions are. Verify that your existing valid client certificate is installed correctly. Contact an administrator to obtain a client certificate.

403.17 The Page Requires A Valid SSL Client Certificate: The current client certificate is invalid or has expired. A SSL client certificate is used to verify access to this particular resource. Please try the following:
o o o

Contact an administrator to determine what the client certificate permissions are. Verify that your existing valid client certificate is installed correctly. Change the client certificate, click Refresh.

403.18 Cannot Execute Request from the Current Application Pool: The request could not be executed from the Current Application Pool specified for the particular resource. Please try the following:
o

Contact an administrator to inform him/her that you should be allowed to view the page/directory.

403.19 Cannot Execute CGI Applications in the Current Application Pool on the Web Server: CGI Applications could not be executed from the Current Application Pool because the 46

user has insufficient permissions. Please try the following:


o

Contact an administrator to inform him/her that you should be allowed to execute CGI applications.

403.20 Passport Login Failed: An error was received from the Passport logon server. Please try the following:
o

Contact an administrator to inform him/her that you should be allowed to view the page/directory. Click the Refresh button.

404 The Page Cannot Be Found: The page was either renamed, removed, or is currently unavailable. Please try the following:
o o o

Ensure that the website address is correctly spelt and formatted. Click the Back button to attempt a different link to access the same page. Contact an administrator to inform him/her that the link is incorrectly formatted.

404.1 The Website Cannot Be Found: For this site, an IP address is specified to disallow requests which detail a port number. Please try the following:
o o o

Ensure that the website address is correctly spelt and formatted. Click the Back button to attempt a different link to access the same page. Contact an administrator to inform him/her that the link is incorrectly formatted.

Additional troubleshooting tips:


o

The client is probably requesting a URL for an IP address that is not used by IIS.

404.2 The Page Cannot Be Found: The web service extensions specified for the Web server is preventing the request from being serviced. Please try the following:
o

Contact an administrator to inform him/her that the required web service extension is not configured for the site.

Additional troubleshooting tips:


o

The required web service extension for the ASP.NET, ASP, ISAPI, or CGI application has not been configured. 47

o o

An application extension is not mapped in IIS. The user account under which the application (CGI) executes has the incorrect permissions.

404.3 The Page Cannot Be Found: The Multipurpose Internet Mail Extensions (MIME) map policy specified for the Web server is preventing the request from being serviced. Please try the following:
o

Contact an administrator to inform him/her that the required file extensions have not been enabled via the MIME map policy.

Additional troubleshooting tips:


o

The request is for a static file that's filename extension is not specified in the MIME map for the Web server or website.

405 The Page Cannot Be Displayed: An invalid method, such as a HTTP verb, was used in the request for the page. Please try the following:
o o

Ensure that the website address is correctly spelt and formatted. Contact an administrator to inform him/her that the request should be allowed.

406 The Resource Cannot Be Displayed: The requested page has a filename extension that is not supported by the browser being used. Please try the following:
o

Modify the MIME/security settings of the browser to support the requested page's filename extension.

407 Proxy Authentication Required: To view the requested page, authentication has to occur through a proxy server. Please try the following:
o o

Contact the administrator if you should be allowed to view the page/directory. Retry logging on to the proxy server.

410 The Page Does Not Exist: The requested page has since been removed/deleted. Please try the following:
o

Find additional links to the information which you want to view.

412 The Page Cannot Be Displayed: The request could not be serviced because of preconditions existing in the request header which are preventing the particular request method. Please try the following: 48

o o

Find additional links to the information which you want to view. Delete any cached items and click Refresh.

414 The Page Cannot Be Displayed: The requested URL address length is too long. Please try the following:
o o

Ensure that the website address is correctly spelt and formatted. Contact the administrator to inform him/her of the URL address error.

415 The Page Cannot Be Returned: The requested file has a format which the Web server cannot download. Please try the following:
o

Contact the administrator to inform him/her of the error for the requested file.

500 The Page Cannot Be Displayed: The requested page has a problematic condition which is preventing the request from being serviced. Please try the following:
o

Contact the administrator to inform him/her of the URL address error condition.

500.11 The Page Cannot Be Displayed: The particular website is in the process of shutting down. Please try the following:
o o

Click the Refresh button. Contact the administrator to inform him/her of the URL address error condition if you continuously cannot access the website.

500.12 The Page Cannot Be Displayed: The particular website is in the process of restarting. Please try the following:
o o

Click the Refresh button. Contact the administrator to inform him/her of the URL address error condition if you continuously cannot access the website.

500.13 The Page Cannot Be Displayed: The particular website is too busy to service the request

SSL Applications
Using SSL to Encrypt LDAP and Global Catalog Queries

49

While Secure Sockets Layer (SSL) certificates are mainly installed on IIS machines to encrypt traffic between a Web server and client, you can also use SSL certificates to secure the Lightweight Directory Access Protocol ( LDAP) protocol. LDAP is used in Active Directory environments by applications that need to query domain controllers for information stored in Active Directory. Because LDAP is also utilized to query for sensitive or Active Directory information such as user names, and network service locations; it is easy for this information to be seized when no protection exists to secure it. You can install SSL certificates on Active Directory domain controllers so that SSL encryption can be utilized to encrypt the following:

LDAP queries and responses Global catalog traffic

By default, unencrypted LDAP traffic uses TCP port 389. If SSL is enabled for encrypting LDAP queries and responses, then TCP port 636 is utilized. By default, global catalog queries use TCP port 3268. If SSL is enabled for encrypting global catalog queries, then TCP port 3269 is utilized. LDAP over SSL (LDAPS) is automatically enabled when a domain controller in a forest is configured as an Enterprise CA. Once the Enterprise CA is configured, the remainder of the domain controllers in the forest then enroll and install the certificate automatically. For encryption to work, both the client and server must trust the certification authority (CA) that issued the certificate. To make certificates useful or trusted, you have to obtain a certificate from a trusted entity, called a certification authority (CA). The entities that issue and manage digital certificates are called certificate authorities (CAs). You cannot forge certificates because the CA digitally signs the certificates, and the signature is applied to a hash of the certificate. In addition to each party trusting the issuing CA, the common name of the domain controller must be listed in the Subject field or Subject Alternative Name field of the certificate. To configure the domain controller as an enterprise CA: 1. Place the Windows Server 2003 CDROM in the CD-ROM drive.

2. Click Install optional Windows components. 3. Select Certificate Services in the Wizard Components page. 4. When a message appears warning that the name of the CA server cannot be modified, click Yes to acknowledge the warning message. Click Next. 5. In the CA Type page, select Enterprise 6. Specify a common name for the CA. 7. Specify a validity period for which certificates issued by the CA are valid. Click Next. 50 Root CA. Click Next.

8. You can accept the default location settings for the database file and database log. Click Next. 9. Click Yes if an ASP warning message is displayed, to acknowledge the message. 10. Click Finish.

Using SSL on Mail Servers


You can utilize the Secure Sockets Layer (SSL) protocol and Transport Layer Security (TLS) to enable secure communication by encrypting messages between a client and server, and between mail servers in a particular organization. TLS is an Internet standard version of SSL and is very similar to Secure Sockets Layer version 3 (SSLv3). Both the Simple Mail Transfer Protocol (SMTP) service and Post Office Protocol 3 ( POP3) service are included in Windows Server 2003. To use these services, you merely have to install them. SSL encryption can only though be configured for SMTP. How to install the Simple Mail Transfer Protocol (SMTP) service: 1. Place the Windows Server 2003 CD-ROM in the CD-ROM drive. 2. Click Start, Control Panel, and click Add/Remove Programs.

3. Click Add/Remove Windows Components in the Add Or Remove Programs dialog box. 4. Click Application Server in the Windows Components dialog box, and then click the Details button. li>The Application Server dialog box appears next. 5. Click IIS and then select the Details button. 6. Click the SMTP Service checkbox. 7. Click OK. 8. Open IIS Manager. 9. Verify that the SMTP Virtual Server How to create a SMTP virtual server: 1. Open the IIS Manager. 2. Locate the computer, right-click Default SMTP Server, select New and then Virtual Server from the shortcut menu. 3. The New SMTP Virtual Server Wizard initiates. 4. Enter a name for the SMTP site. Click Next. 51 node appears in the console tree.

5. On the Select Next.

IP Address page, enter the

IP address settings for the SMTP site. Click

6. Enter the path to the home directory for the SMTP server. Click Next. 7. Provide the domain name for the SMTP server. Click Next. 8. Click Finish. You can configure various configuration settings for an SMTP virtual server by accessing its Properties window, and then using the various tabs to configure these settings. The security configuration settings that can be configured for SMTP reside on the Access tab are. For SSL/TLS encryption, the Secure Communication area of the Access tab is utilized. You can click the Certificate button to start the Web Server Certificate Wizard to obtain and install a server certificate on the SMTP virtual server. After the server certificate is installed, click the Communication button to require secure communications. How to install an SSL certificate to enable SMTP encryption: 1. Open the IIS Manager 2. In the console tree, right-click the Default SMTP Virtual Server node, and click Properties from the shortcut menu. 3. Click the Access tab. 4. In the Secure Communication area of the Access tab, click Certificate. 5. The Web Server Certificate Wizard starts. 6. Follow the prompts of the wizard to install the server certificate for the SMTP virtual server. How to require all clients to use SSL encryption: 1. Click Start, click All Programs, click Microsoft Exchange, and click System Manager. 2. In the console tree, expand the Servers node, expand the appropriate Computer node, expand Protocols, and then expand SMTP. 3. Right-click the SMTP virtual server, or the POP3 or IMAP4 virtual server, and select Properties on the shortcut menu. 4. When the Properties window for the virtual server which you have selected opens, click the Access tab. 5. Click the Communication button. 6. Click the Require Secure Channel checkbox. 52

7. If applicable, enable the Require 128-Bit Encryption checkbox as well. 8. Click OK. How to configure a messaging client to use SSL encryption. This illustration utilizes the Outlook 2003 client: 1. Open Control Panel. 2. Double-click Mail. 3. Click E-Mail Accounts. 4. The E-Mail Accounts Wizard starts. 5. Click View Or Change Existing E-Mail Accounts. Click Next. 6. Select the account for which encryption should be enabled, and click Change. 7. On the Internet E-Mail Settings page, click More Settings. 8. Switch to the Advanced tab. 9. Enable the This Server Requires An Encrypted Connection (SSL) checkbox for those protocols that should have encryption enabled. Click OK. 10. Click Next. Click Finish.

Using SSL on Computers Running SQL Server


You can also use SSL certificates to secure data generated by SQL Server queries. You can enable SQL Server SSL encryption on:

SQL Server computer: To encrypt all communication using SSL encryption on a particular server running SQL Server, you would need to enable SSL on the SQL Server computer. No connections would though be allowed for any clients not supporting SSL encryption. In order to enable SSL encryption on the SQL Server computer, you need to perform the following tasks: 1. Install a server certificate. 2. Configure all clients to trust the root CA of the certificate.

SQL Server clients: If you have to allow certain clients to connect to the SQL Server computer without using SSL encryption, and allow other clients to connect to the SQL Server computer only through using SSL encryption, then you would need to enable SSL encryption for individual clients.

How to manually configure clients to trust the root CA. This involves the following steps: 53

1. Export the SQL Server certificate. 2. Copy the exported certificates to each client by importing the certificate into each client's trusted root CAs. To export the SQL Server certificate: 1. Log on the computer running SQL Server. 2. Open Internet Explorer, and select Internet Options from the Tool menu to open the Internet Properties dialog box. 3. Switch to the Content tab. 4. Click Certificates. 5. Switch to the Trusted Root Certification Authorities tab. 6. Select the CA that issued the certificate to the SQL Server computer from the available list, and click Export. 7. The Certificate Export Wizard launches. 8. Click Next on the initial screen of the Wizard. 9. On the Export File Format page, select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) option. 10. Enable the Include All The Certificates In The Certification Path If Possible checkbox. Click Next. 11. On the File To Export page, enter a name for the file which will contain the certificate you are exporting. Click Next. 12. Click Finish. How to import the certificate into each client's trusted root CAs: 1. On the client computer running SQL Server, open Internet Explorer. 2. Select Internet Options from the Tool menu to open the Internet Properties dialog box. 3. Switch to the Content tab. 4. Click Certificates. 5. Switch to the Trusted Root Certification Authorities tab. 6. Click Import. 54

7. The Certificate Import Wizard launches. 8. Click Next on the initial screen of the Wizard. 9. On the File To Import page, choose the certificate which was exported from the SQL Server computer. Click Next. 10. Select Automatically Select The Certificate Store Based On The Type Of Certificate. 11. Click Next. Click Finish. 12. Click Yes to add the certificate to the root store. 13. Click OK. Click Close. How to require SSL encryption on the computer running SQL Server: 1. Click Start, click All Programs, click Microsoft SQL Server, and click Enterprise Manager. 2. Find and right-click the computer running SQL Server, and then select Properties from the shortcut menu. 3. On the General tab, click Network Configuration. 4. Click the Force Protocol Encryption checkbox. 5. Click OK. 6. Click OK to restart the SQL Server service.

SSL and IIS


An Overview on Secure Sockets Layer (SSL)
With IIS, you can further secure websites by using the Secure Sockets Layer (SSL) encryption technology. SSL was developed by Netscape Communications, and enables secure communication over the Internet. SSL operates at the transport layer of Transmission Control Protocol/Internet Protocol (TCP/ IP) protocol suite, and uses public key cryptography to establish a secure SSL session between a Web server and client. A few features provided by SSL include authentication, message integrity, and data confidentiality through encryption. To utilize SSL in IIS, the Web server has to obtain a digital certificate from a certification authority (CA), and install the digital certificate as well. A digital certificate usually contains a version number that identifies the X.509 standard version used for the certificate; the serial number of the certificate; the CA that issued the certificate; the signature algorithm identifier which defines the CA's algorithm used for the digital signature of the certificate; the validity period of the certificate; the entity to which the certificate was issued; the intended uses of the certificate; the public key, and the location of the certificate revocation list ( CRL). 55

To make certificates useful or trusted, you have to obtain a certificate from a trusted entity, called a certification authority (CA). A certification authority (CA) is the trusted entity that issues and manages the use of certificates. A CA can be an external third party CA such as VeriSign, GeoTrust, Thawte, IT Institute and GlobalSign; or you can deploy your own internal CAs. You can also use a combination of internal and external CAs. Manually requesting certificates from a CA occurs when you explicitly request the CA to issue a certificate. Certificates are automatically requested when an application requests and obtains a certificate as a background process, with no user intervention. For configuring internal CAs, Microsoft provides Certificate Services. You can install Certificate Services from Control Panel, through Add Or Remove Programs. You can use Certificate Services to deploy either Enterprise CAs, or Stand-alone CAs. Enterprise CAs are integrated in Active Directory, and publish certificates and CRLs to Active Directory. Enterprise CAs can only issue certificates to users and computers within Active Directory. Enterprise CAs utilizes the information in the Active Directory database to automatically approve or deny certificate enrollment requests. Stand-alone CAs are not dependent on Active Directory to issue certificates. When a client Web browser connects to a Web server that is configured for SSL, a SSL handshake is initiated with the Web server. The SSL handshake process occurs between a client and Web server to negotiate the secret key encryption algorithm which the client and Web server will utilize to encrypt the data which is transmitted in the SSL session. The process that occurs to establish a secure SSL session is described below: 1. The client initiates the establishment of the SSL session by requesting the public key from the Web server. 2. The server responds by sending the client the public key. 3. The client proceeds to send the Web server a session key. The key is encrypted with the public key. 4. The server next decrypts the session key it receives by using its private key. 5. The session key is used to encrypt and decrypt data passed between the client and server. 6. The session key is discarded when the SSL session either times out or is terminated.

The Advantages of using SSL in IIS


A few benefits of using SSL in IIS are summarized below:

For
o o

Web traffic, SSL provides the following: Server authentication: This enables a user to verify the identity of the server. Client authentication: This enables a server to verify the identity of the client

56

Secure encrypted connections: Data confidentiality is ensured because communications between the server and client are encrypted and decrypted.

For FTP sites, you can use SSL encryption on WebDAV supported directories to secure FTP communication. For Network News Transfer Protocol (NNTP), an IIS component, you can increase security by using SSL at the server and client to encrypt communication. For the Simple Mail Transfer Protocol (SMTP) service, another IIS component, you can increase security by using Transport Layer Security (TLS) for incoming mail connections. Transport Layer Security (TLS) is an Internet standard version of Secure Sockets Layer (SSL), and is very similar to Secure Sockets Layer version 3 (SSLv3). SSLv3 uses the Message Authenticate Code ( MAC) algorithm, while TLS utilizes a hash for Message Authentication Code, also known as HMAC. Because the differences between SSL and TLC are so few, the protocols are typically called SSL/TLS.

How to request and install server certificates on IIS Web servers


Before you can request and install a server certificate on an IIS machine, you need to install Certificate Services on a domain controller as the Enterprise Root CA. How to install Windows Server 2003 Certificate Services (Enterprise root CA) 1. Place the Windows 2003 CDROM into the CD-ROM drive.

2. Select Install optional Windows components. 3. This action launches the Windows Components Wizard. 4. On the Wizard Components page, select Certificate Services. 5. Click Yes in the message dialog box that warns that you would not be able to modify the name of the server. 6. In the CA Type page, select Enterprise Root CA. Click Next. 7. In the CA Identifying Information page, set the common name for the CA. This name will be used in Active Directory, and in the enterprise. 8. In the Validity Period boxes, enter the lifetime for the CA. Click Next 9. On the Certificate Database Settings page, verify that the locations specified for the database file and log files are correct. 10. At this stage IIS services are stopped, and the certificate service is installed and the CA database started. IIS is restarted after this.

57

11. Click OK when a message dialog box appears, warning that ASP must be enabled for Web enrollment. 12. Click Finish. How to request and install a server certificate on IIS Web servers The Web Server Certificate Wizard is used to request and install a server certificate on IIS Web servers. To launch the Web Server Certificate Wizard, 1. Click Start, click Administrative Tools, and click Internet Information Services (IIS) Manager to open the IIS Manager console. 2. In the console tree, expand the Web Sites node.

3. Right-click the Web site that you want to set up a certificate for, and click Properties. 4. When the Properties dialog box for the Web site opens, click the Directory Security tab. 5. Click the Server Certificate button. To request and install a server certificate, 1. Open the IIS Manager. 2. Open the Properties dialog box for the Web site for which you want to configure a server certificate. 3. Click the Directory Security tab, and then click the Server Certificate button. 4. This action launches the Web Server Certificate Wizard. 5. Click Next on the Welcome To The Web Server Certificate Wizard page. 6. On the Server Certificate page, click the Create A New Certificate option, and click Next. 7. On the following page, select one of the following options:
o

If you want to immediately request and obtain a certificate from a CA, click the Send The Request Immediately To An Online Certification Authority option. If you want to send the certificate request to an offline CA, click te Prepare The Request Now But Send It Later option.

Click Next. 8. On the Name And Security Settings page, enter the following information:
o

A descriptive name for the new server certificate. 58

Specify a new Bit Length setting, or accept the default value of 1024 bits for this setting.

Click Next. 9. On the Organization Information page, enter the name of the Organization and the name of the Organizational Unit in the available text boxes. Click Next. 10. On the Your Site's Common Name page,
o o

For an

intranet, enter the NetBIOS name of the IIS machine.

For an Internet site, enter the fully qualified DNS name for the site.

Click Next. 11. On the Geographical Information page, provide the following information:
o o o

Country State City

Click Next. 12. Specify the TCP port for secure SSL communications. By default, this is port 443. Click Next. 13. Enter a filename for the certificate request if you have previously selected the Prepare The Request Now, But Send It Later option; or select the CA from the Certification Authorities list if you have previously selected the Send The Request Immediately To An Online Certification Authority option. Click Next. 14. On the Summary page, verify that you have selected the proper configuration settings. 15. Click Next to request and install the new server certificate. How to submit a certificate request to a CA If you have selected the Prepare The Request Now But Send It Later option on the configuration pages of the Web Server Certificate Wizard, you have to submit the certificate request to a CA. If you are running Windows Server 2003, you can use Web-based enrollment to submit the certificate request to a CA. 1. Connect to the CA server using Internet Explorer 5.0 or above, and the Administrator account. 2. You can use the following URL: http:// /certsrv. 3. Enter the appropriate user name and password if you are not automatically authenticated. 59

4. The Web based interface for manually requesting certificates opens, and the Welcome page is displayed. 5. Click the Request A Certificate option. 6. On the following page, click Advanced Certificate Request. 7. Select Submit A Certificate Request By Using A Base-64-Encoded CMC Or PKCS #10 File, Or Submit A Renewal Request By Using A Base-64-Encoded PKCS #7 File. 8. Proceed to open the certificate request file which you saved when using the Web Server Certificate Wizard. 9. Copy the file's contents to the Saved Request box in Internet Explorer. 10. Click the Certificate Template list. Click Web Server. Click Submit 11. Click DER Encoded. Click Download Certificate. 12. Save the file on the local computer. 13. Proceed to Launch the Web Server Certificate Wizard. 14. Click Next on the Welcome To The Web Server Certificate Wizard page. 15. On the Pending Certificate Request page select the Process The Pending Request And Install The Certificate option, and then click Next. 16. When the Process A Pending Request page opens, choose the certificate file. Click Next. 17. Specify the TCP port for secure SSL communications. By default, this is port 443. Click Next 18. Click Next. Click Finish.

How to enable SSL security in IIS


1. Open the IIS Manager. 2. In the console tree, right-click the Default Web Site node and select Properties from the shortcut menu. 3. When the Default Web Site Properties dialog box opens, click the Web Site tab. 4. Verify that the SSL port is defined as the default SSL port - 443. 5. Click the Directory Security tab. 6. In the Secure Communications area of the dialog box, click the Edit button. 60

7. In the Secure Communications dialog box, click the Require Secure Channel (SSL) checkbox. 8. ClickOK.

How to require 128-bit SSL encryption


1. Open the IIS Manager. 2. Right-click the Default Web Site node and select Properties from the shortcut menu. 3. Click the Directory Security tab. 4. In the Secure Communications area of the dialog box, click the Edit button. 5. Click the Require Secure Channel (SSL) checkbox. 6. Click the Require 128-Bit Encryption checkbox. 7. Click OK.

How to view installed server certificates


1. Open the IIS Manager. 2. Right-click the Default Web Site node in the console tree, and click Properties on the shortcut menu. 3. When the Web Site Properties dialog box opens, click the Directory Security tab 4. Click the View Certificate button which is located under Secure Communications. 5. The Certificate properties dialog box opens next. The dialog box has the following three tabs:
o

General tab: This tab displays the following information:


The purpose of the certificate Issued To and Issued By information The certificate validity period

o o

Details tab: This tab contains comprehensive certificate information. Certification Path tab: This tab contains a path illustration which displays the root CA.

How to manage server certificates in IIS


The management tasks which you generally perform for server certificates are listed below: 61

Renew an existing server certificate, prior to it expiring. Copy/move an existing certificate to a different IIS Web server or site. Export the existing certificate to store it at a different location Replace the current certificate if it has expired. Remove the existing certificate if the site no longer requires secure SSL communications.

The above management tasks can be performed by re-launching the Web Server Certificate Wizard. After clicking Next on the Welcome To The Web Server Certificate Wizard page, you can choose between performing various server certificate management tasks. To renew an existing server certificate, 1. Open the IIS Manager 2. In the console tree, expand the Web Sites node. 3. Right-click the Web site that you want to renew the certificate for, and click Properties. 4. When the Properties dialog box for the Web site opens, click the Directory Security tab. 5. Click the Server Certificate button. 6. Click Next on the Welcome To The Web Server Certificate Wizard page. 7. On the Modify The Current Certificate Assignment page, click Renew The Current Certificate, and then click Next. 8. Select of the following options:
o

If you want to request and obtain a certificate from a CA, click the Send The Request Immediately To An Online Certification Authority option. If you want to send the certificate request to an offline CA, click the Prepare The Request Now But Send It Later option.

9. Enter a filename for the certificate request if you previously selected the Prepare The Request Now, But Send It Later option; or select the CA from the Certification Authorities list if you previously selected the Send The Request Immediately To An Online Certification Authority option. Click Next. 10. Click Next. Click Finish To assign a current valid server certificate, 1. Open the IIS Manager 62

2. In the console tree, expand the Web Sites node. 3. Right-click the Web site that you want to assign the certificate to, and click Properties. 4. When the Properties dialog box for the Web site opens, click the Directory Security tab. 5. Click the Server Certificate button. 6. Click Next on the Welcome To The Web Server Certificate Wizard page. 7. On the Server Certificate page, click Assign An Existing Certificate. Click Next. 8. Specify the TCP port for secure SSL communications. By default, thi is port 443. Click Next 9. Click Next. Click Finish.

Configuring IIS to Enable Client Certificates


While Basic authentication, Integrated Windows authentication, Digest authentication, or Passport authentication are typically utilized to authenticate users attempting to access a Web site, SSL can also be used to authenticate clients. Through using SSL, you can require client certificates for verifying the identity of clients. The easiest manner in which to authenticate users with certificates is to allow access to the site to those users that have a valid certificate to access the particular site. This solution however offers very little security. In IIS, the Web server automatically trusts certificates which were issued by any trusted root CA. This unfortunately includes public CAs which could have issued a certificate to a user which should be prevented from accessing the site. To enhance security for a site when client certificates are used, you can implement either of the following solutions:

You can use client certificate mappings to restrict access to the site to only those users whom have certain certificates.
o

One-to-one mapping: This configuration maps individual certificates to individual user accounts. A single certificate is associated with a user account. A user is authenticated when they provide a valid user name and password. Many-to-one mapping: This configuration requires certificates to match a certain list of rules. Client certificates that match the specific criteria are accepted.

You can set up a certificate trust list (CTL) to limit the number of root CAs which are able to issue certificates to users. A CTL is a list of CAs for a specific Web site which are considered trusted. CTLs cannot be configured for FTP sites.

How to install a client certificate for a Windows client 1. Open Internet Explorer. 63

2. Enter

https://dc/certsrv/.

3. When the Microsoft Certificate Services Welcome page opens, click Request A Certificate. Click Next. 4. On the Choose Request Type page, click User Certificate. Click Next. 5. Click Submit on the User Certificate Identifying Information page. 6. The Certificate Issued page is displayed once the client certificate is issued. 7. To install the certificate on the browser, click Install This Certificate. How to view existing client certificate information 1. On the client, open Internet Explorer. 2. Select Internet Options from the Tools menu. 3. In the Internet Options dialog box, click the Content tab. 4. Click the Certificates button in the Certificates area of the tab. 5. The Certificates dialog box opens. 6. In the Intended Purpose drop-down list, select Client Authentication to display the currently installed client certificates. 7. Choose the certificate, and click the View button. How to enable client certificates in IIS 1. Open the IIS Manager. 2. In the console tree, right-click the Default Web Site node and select Properties from the shortcut menu. 3. When the Web Site Properties dialog box opens, click the Web Site tab. 4. Verify that the port 443 is defined as the SSL port. 5. Click the Directory Security tab. 6. In the Secure Communications area of the dialog box, click the Edit button. 7. In the Secure Communications dialog box, click the Require Secure Channel (SSL) checkbox. 8. Under Client Certificates, click the Require Client Certificates option to enable client certificates. 64

9. Click OK. How to create one-to-one client certificate mappings Before you can create a one-to-one client certificate mapping, you have to export the user's certificate. To export the user's certificate, 1. On the client, open Internet Explorer. 2. Select Internet Options from the Tools menu. 3. In the Internet Options dialog box, click the Content tab. 4. Click the Certificates button to open the Certificates dialog box. 5. In the Intended Purpose drop-down list, select Client Authentication. 6. Select the certificate from the list of currently installed client certificates. 7. Click the Export button. 8. When the Certificate Export Wizard starts, click Next. 9. On the Export Private Key page, select the No, Do Not Export the Private Key option. Click Next. 10. On the Export File Format page, select the Base-64 Encoded X.509 option. Click Next. 11. Enter a file name for the exported certificate. Click Next. 12. Click Finish. To create one-to-one client certificate mappings, 1. Open the IIS Manager 2. In the console tree, expand the Web Sites node. 3. Right-click the Web Site, and click Properties on the shortcut menu. 4. When the Properties dialog box opens, click the Directory Security tab. 5. In the Secure Communications area of the dialog box, click the Edit button. 6. In the Secure Communications dialog box, select the Enable Client Certificate Mapping checkbox. 7. Click Edit to open the Account Mappings dialog box. 65

8. On the 1-1 tab, click Add. 9. In the Open dialog box, choose the file which you previously exported and click Open. 10. On the Map To Account dialog box, enter a name in the Map Name box. 11. Click the Browse button to search the domain for the particular user account. 12. Select the user, click Add, and click OK 13. Enter the password for the user account. 14. Click OK several times to close all open dialog boxes. How to create many-to-one client certificate mappings 1. Open IIS Manager 2. Open the Properties dialog box for the Web site. 3. Click the Directory Security tab 4. In the Secure Communications area of the tab, click Edit. 5. Select the Enable Client Certificate Mapping checkbox. 6. Click the Edit button. 7. Click the Many-1 tab. 8. Click Add to open the General page. 9. Enter a name for the rule in the Description box, and then click Next. 10. On the Rules page, click New. 11. When the Edit Rule Element dialog box opens, from the Certificate Field list:
o o

Select Issuer, to filter based on the issuing CA; or Select Subject, to filter on the entity to which the certificate was issued.

12. Specify the appropriate criteria for the rule in the Criteria box. Click OK. 13. After adding all the necessary rules, Click Next 14. On the Mapping page, select one of the following:
o

To not accept access that match the criteria, click the Refuse Access option. 66

To map matching certificates to a user account, click the Accept This Certificate For Logon Authentication option.

15. If you previously selected Accept This Certificate For Logon Authentication, enter information in the Account box and Password box. 16. Click Finish. How to configure a certificate trust list (CTL) 1. Open the IIS Manager 2. Open the Properties dialog box for the particular Web site. 3. Click the Directory Security tab, and click Edit under Secure Communications. 4. Select the Enable Certificate Trust List checkbox. 5. Click New to start the Certificate Trust List Wizard. Click Next 6. On the Certificates In The CTL page, click the Add From Store button. 7. The Select Certificate dialog box opens and displays all the available certificates. 8. Choose the certificates you want to use, and click OK. 9. Click Next on the Certificates In The CTL page. 10. On the Name And Description page, enter a name and description for the CTL. Click Next. 11. Click Finish.

Securing IIS
Authentication in IIS
Authentication in IIS verifies whether a user attempting to access a particular website, can indeed access it. Authentication is the process that verifies whether the user can access the site which he/she is attempting to access. The authentication methods which can be used to authenticate users in IIS 6 are listed below. Each authentication method can be used to authenticate users attempting to access Web sites. However, only Anonymous access and Basic Authentication can be used as an authentication method for FTP sites.

Anonymous access: This authentication method is enabled by default for both the Default Web Site and Default FTP Site. Anonymous access allows all anonymous users to access the content of the Web site. Anonymous access is typically utilized for public Web sites which are connected to the Internet. 67

Basic Authentication: This is the weakest authentication method available for IIS, and should be utilized when you cannot use any other authentication method. Basic authentication uses a clear-text username and password. Basic Authentication functions over proxy servers, and works with all browser clients. Basic Authentication is enabled for FTP sites, by default. Integrated Windows Authentication: This is the most secure option that can be used for authentication in IIS. Kerberos version 5 is utilized if the client browser includes support for the protocol. NTLM authentication is used when the client browser does not support Kerberos. Digest Authentication can only be enabled if Active Directory is used. Digest Authentication sends the user credentials over the network by utilizing an encrypted MD5 hash. .NET Passport Authentication: In this authentication method, .NET passports are utilized for authentication, and authentication occurs via a single sign on method. The credentials of users have unique Passport accounts which are stored on Passport servers connected to the Internet. The Passport servers are managed by Microsoft. IIS sends the Passport information of the user to the Passport servers for authentication when a user attempts to access an IIS Web site.

To configure an authentication method for a Web site, 1. Open the IIS Manager. 2. Right-click a Web site in the console tree, and select Properties from the shortcut menu. 3. When the Properties dialog box of the Web site opens, click the Directory Security tab. 4. In the Authentication and Access Control section of the Directory Security tab, click the Edit button. 5. The Authentication Methods dialog box opens. You can configure the authentication methods just discussed on this dialog box.

NTFS Permissions
When securing IIS through permissions, the two types of permissions that are important are NTFS permissions and Web permissions. NTFS permissions form the basis of both Windows Server 2003 and IIS security, and control whether users are permitted to access files and folders, and the level of access users have. There are different levels of NTFS permissions in Windows Server 2003. There are also differences when NTFS permissions are applied on files, and when they are applied on folders. NTFS permissions control what entity can access certain parts of the disk system. You can configure access to resources by either allowing or denying permissions to uses and groups. Resource access permissions are located as access control entries (ACEs) on an access control list (ACL). This forms a component of the security descriptor of every resource. A user can then only access a resource when the security access token of the user is matched to the security identifiers (SIDs) in the access 68

control entries (ACEs) of the access control list (ACL). The security access token of the user holds the SIDs of the user's account and group accounts. The two versions of NTFS are NTFS 4.0 and NTFS 5.0. NTFS 4.0 is commonly used with Windows NT 4.0. Although NTFS 4.0 suppors local and remote access control on files and folders, it does not support the majority of Windows 2000 and Windows Server 2003 file system features. NTFS 5.0 on the other hand supports Active Directory directory service, encryption, compression, and disk quota, among other features. The standard NTFS permissions which you can configure are listed below:

Full Control: Allows users to perform all functions on files and folders, including creating new folders, changing and deleting files, attaching data to files, taking ownership of the file, changing the attributes of the files and folders, and changing permissions on the file. Modify: Allows users to list the contents of a folder and read the data in the folder's files, add and delete files, change files and the properties of files, and change the attributes of files and folders. Read & Execute: Allows users to view the attributes of a file or folder and to execute files (programs) located in folders. Users can also list the contents of a folder, and read data contained in the folder. List Folder Contents: Allows users to list a folder's contents, and view the attributes of files and folders. Write: Allows users to create new files and folders, change the attributes of a file or folder, overwrite a file, and view file ownership and permission. Read: The Read permission allows users to view a file and any subfolder names, attributes, properties, ownership, and list the contents of a folder.

The default NTFS permissions assigned on the \wwwroot directory (Default Web Site) are listed below. To view these permissions, 1. Open IIS Manager 2. In the console tree, right-click the Default Web Site and click Permissions from the shortcut menu.
o

Administrators: Users that belong to the Administrators security group have full control over the \wwwroot directory. Administrators have the following default permissions:

Full Control, Modify, Read & Execute, List Folder Contents, Write, and Read

Users: This group has standard Web users as group members, and group members have the following permissions:

Read & Execute, List Folder Contents, and Read 69

SYSTEM: This is a built-in group (special identity) created by Windows Server 2003. SYSTEM has the following default permissions:

Full Control, Modify, Read & Execute, List Folder Contents, Write, and Read

IIS_WPG: IIS_WPG is a new group in IIS 6. User accounts in this group are used as process identities for the worker processes associated with application pools. IIS_WPG has the following default permissions:

Read & Execute, List Folder Contents, and Read

Internet Guest Account: This group can be used to enable anonymous users to access the content on websites.

The Read permission is set to Deny

When a new Web site is created, the default permissions assigned to security principals are:

Administrators: Full Control Users: Read & Execute SYSTEM: Full Control Creator Owner: Special permissions Internet Guest Account: No permissions are assigned

Web Permissions
Web permissions or IIS access permissions control access to Web content on IIS sites. The Web permissions which you can configure are listed below. To access IIS Web permissions, 1. Open the IIS Manager. 2. Right-click the appropriate Web site and select Properties from the shortcut menu. 3. When the Properties dialog box of the site opens, click the Home Directory tab.
o

Script Source Access: When selected, users will be able to access the source code of ASP pages, and change them when the Write permission is also enabled. It is recommended to only enable this permission on servers used for development purposes. Read: When selected, users can read or download files which are located in the directory. 70

o o

Write: When selected, users can add and change Web content. Directory Browsing: When enabled, users are permitted to browse the directory structure. Log Visits: You can enable logging for the website by selecting the Log Visits option. You should also select the Enable Logging checkbox on the Web Site tab when you select the Log Visits option. Index This Resource: When selected, the Microsoft Windows Content Service creates an index of the home folder. Indexing

You can configure Web permissions at the following levels in IIS:

For all Websites: You can configure Web permissions for all websites through the Home Directory tab of the Web Sites node's Properties dialog box. All websites on the IIS server would inherit these permissions. For a specific Web site(s): You can configure Web permissions for a specific Web site through the Home Directory tab of that particular Web site Properties dialog box. For a specific directory or virtual directory: When you configure Web permissions at the directory level or virtual directory level, the permissions are inherited by all files within the particular directory. You can configure Web permissions for a specific directory through the Directory tab of that particular directory's Properties dialog box. Web permissions can be configured for a specific virtual directory through the Virtual Directory tab of that particular virtual directory's Properties dialog box. For a specific file located in a virtual directory: You can configure Web permissions for a file in a virtual directory through the File tab of the file's Properties dialog box.

When a user cannot access a Web site,


Check which permissions have been configured for the home directory. If Anonymous access is enabled, verify that no password has been specified. Verify whether any IP Address and Domain Name restrictions have been configured, which may deny access to the user.

IP Address and Domain Name Restrictions


You can restrict Web access at the IP address level by only allowing users to access a site who are using an IP address from a predefined list of approved IP addresses. In this manner, you can control access to websites, directories and files based on IP addresses or domain names. To do this, 1. Open the IIS Manager. 71

2. Right-click the Web site in the console tree, and select Properties from the shortcut menu. 3. When the Properties dialog box of the Web site opens, click the Directory Security tab. 4. In the IP Address and Domain Name Restrictions section of the Directory Security tab, click the Edit button. 5. When the Address and Domain Name Restrictions dialog box opens, you can specify that all computers are granted access, or you can specify those computers which should not be granted access by listing their IP address or domain name. 6. Click the Add button to include particular users' IP addresses in a list. 7. Click OK.

Application Security in IIS


Application security in IIS involves the following processes:

Enabling or disabling Web Service Extensions (WSE): To run dynamic Web applications on IIS, you first have to use the Web Service Extensions node in IIS Manager to allow or prohibit the Web service extensions listed below:
o o o o o o o

ASP ASP.NET ISAPI Extensions CGI Extensions Front Page Server Extensions 2000 and 2002 Internet Data Connector WebDAV support

To access the Web Service Extensions (WSE),


o o

Open the IIS Manager Select the Web Server Extensions node

Specifying execute permissions for applications. These permissions enable applications in websites and virtual directories to execute/run. Setting up application pool identities: Application pool identities are configured to control the manner in which worker processes serve application pools. A worker process is a process wherein user developed Web application code runs. A worker process is actually a host 72

process, called w3wp.exe. Worker processes process the user requests received from the http.sys queues. The worker processes also returns a static page or dynamic page to the requesting client through http.sys. A worker process can host the following:
o o o o

ASP applications ISAPI applications and filters CGI applications Static content

An application pool consists of the following components:


o o

kernel mode http.sys request queue

A single instance of or multiple instances of w3wp.exe - worker processes.

The best practices for writing secure code for ASP or ASP.NET applications are:

ASP pages should not contain any hard-coded administrator account names and administrator account passwords. Secure Sockets Layer (SSL) is an encryption technology that can be used to encrypt session cookies. Sensitive or confidential information and data should not be stored in hidden input fields on Web pages and in cookies. You should at all times verify and validate form input prior to it being processed. You should not use information from HTTP request headers to code decision branches for applications. Be wary of buffer overflows generated by unsound coding standards.

How to enable or disable Web service extensions using the Web Service Extensions node in IIS Manager 1. Open IIS Manager 2. Select the Web Server Extensions node 3. To enable a Web service extension, right-click the extension, and select Allow. 4. To disable a Web service extension, right-click the extension, and select Prohibit. How to enable or disable ISAPI and CGI Extensions 73

1. Open IIS Manager 2. Select the Web Server Extensions node. 3. If you want to enable all ISAPI and CGI extensions to run, Allow both the Allow Unknown ISAPI Extensions and the Allow Unknown CGI Extensions options on the Standard tab. 4. You can alternatively switch to the Extended view. You do this by clicking the Extended tab located at the bottom of the details pane. 5. Specify which applications are allowed. 6. The method just described is a better option than allowing all ISAPI and CGI extensions to run on the IIS Server. How to allow all required Web Service Extensions for a specific application 1. Open IIS Manager 2. Select the Web Server Extensions node 3. Switch to the Extended view by clicking the Extended tab located at the bottom of the details pane. 4. Click the Allow All Web Service Extensions For a Specific Application. 5. Select the application from the available list. 6. Click OK. How to add a new Web Service Extension 1. Open IIS Manager 2. Select the Web Server Extensions node 3. Switch to the Extended view by clicking the Extended tab located at the bottom of the details pane. 4. Click the Add A New Web Service Extension option. 5. When the New Web Service Extension dialog box opens, enter a name for the new web extension. This is the name that will be displayed in the IIS Manager. 6. For ISAPI, choose the DLLs that the new extension requires. 7. For CGI, choose the EXEs that the new extension requires. 8. Click OK 74

How to configure execute permissions for applications to run Execute permissions (application permissions) are configured in the Home Directory tab or in the Virtual Directory tab that contains the application root. Application roots can exist in the home directory of a site, or in a virtual directory of a site. To configure execute permissions, 1. Open the IIS Manager 2. Navigate to the Home Directory tab or the Virtual Directory tab. 3. The Execute Permissions drop down list box contains the following options:
o

None, allows only access to static files. Selecting the None option would prevent dynamic applications from running Scripts Only, prohibits the running of executables while allowing scripts to run. Scripts And Executables, scripts and executables are allowed to run.

o o

How to create application pools 1. Open the IIS Manager. 2. Right-click the Application Pools node in the console tree, and select New and then Application Pool from the shortcut menu. 3. When the Add New Application Pool dialog box opens, enter a name for the new application pool. 4. You can specify whether the default settings should be used for the new pool, or you can specify that the settings of an existing pool be used for the new application pool. 5. Click OK How to assign an application to an application pool 1. Open the IIS Manager 2. Right-click the appropriate node in the console tree, and click Properties on the shortcut menu. 3. Click the Home Directory tab. 4. Select the application pool from the Application Pool list. 5. Click OK Selecting an application pool identity 75

You can select between the following built-in service accounts of Windows Server 2003:

Network Service account: The Network Service account is the recommended account to use. In fact, it is the default account utilized by IIS because it has the least privileges, and is more flexible than the Local Service account and the Local System account. The characteristics of the Network Service account are:
o o o

The Network Service account has no password. It is a member of the Everyone group and the Authenticated Users group. The Network Service account has an internal name of NT AUTHORITY\NetworkService

Local Service account: The Local Service account has the identical rights and privileges than that of the Network Service account. However, the Local Service account can only access resources on the local computer. The characteristics of the Local Service account are:
o o o

The Local Service account has no password. It is a member of the Everyone group and the Authenticated Users group. The Network Service account has an internal name of NT AUTHORITY\LocalService

Local System Account: It is recommended to not select this account because of the privileges associated with it. The characteristics of the Local System account are:
o o o

The Local System account has no password. The Local System account has an internal name of \ LocalSystem Processes running under the account have the same privileges as the Service Control Manager. This is entity that controls network services running on the particular computer.

How to configure a custom application pool identity To increase security, it is recommended to configure custom process identities for the different application pools you have. This would prevent an application that is compromised from compromising all applications on the IIS server. To create a custom application pool identity, 1. Create either a domain user account or a local user account 2. Add the newly created user account to the IIS_WPG group, a new group in IIS 6. User accounts in IIS_WPG group are used as process identities for the worker processes associated with application pools. 3. Open IIS Manager. 76

4. Right-click the appropriate application pool, and select Properties from the shortcut menu. 5. Click the Identity tab. 6. If you want to select one of the built-in service accounts of Windows Server 2003, choose the account from the Predefined drop down list. The Predefined option is enabled by defult. 7. If you want to select either a domain user account or a local user account which you have specifically created, select the Configurable option. 8. Click the Browse button to choose the domain user account or a local user account as the application pool identity. 9. Click OK. How to enable parent paths for an application While it is not generally recommended to enable parent paths, there may be occasions when you might need to enable them so that your older applications can work. The Parent paths feature is an ASP specific feature. When enabled, you can use path statements ("..") for upward file access. Because of the security vulnerabilities associated with parent paths, it is disabled in IIS 6. To enable parent paths, 1. Open IIS Manager 2. Locate and right-click the application root node, and select Properties from the shortcut menu. 3. Click either the Home Directory tab, or the Virtual Directory tab. 4. Click Configuration 5. When the Application Configuration dialog box opens, click the Options tab. 6. Check the Enable Parent Paths checkbox. 7. Click OK.

Securing IIS through Secure Sockets Layer (SSL)


Secure Sockets Layer (SSL) is an encryption technology that uses public key cryptography to create an encrypted session key to secure communication between a Web server and a Web client. One of the requirements of using the SSL encryption technology is that you need to acquire a digital certificate and install it on the Web server as a server certificate. The digital certificate verifies the identity of the server to the client and also encrypts communications between the server and a client. You can obtain a digital certificate from an external certificate authority, such as VeriSign, GlobalSign or Thawte; or you can configure an internal CA for the organization.

77

You would need to install and use Certificate Services to configure an internal CA. There are two types of CAs which you can configure, namely an Enterprise CA, or a Stand-alone CA.

Enterprise CAs: An enterprise CA stores its certificate information in Active Directory. Enterprise CAs are essentially dependent on Active Directory to store and replicate certificate data. What this means is that the enterprise CAs have to be configured as domain controllers. Stand-alone CAs: A stand-alone CA stores its certificate data in a shared folder which can be accessed through a Web URL. When users want to request certificates from stand-alone CAs, they have to use Web enrollment.

How to obtain and install a server certificate on an IIS server 1. Open the IIS Manager. 2. Right-click the Default Web Site node and click Properties on the shortcut menu. 3. When the Default Web Site Properties dialog box opens, click the Directory Security tab 4. Click the Server Certificate button in the Secure Communications section of the tab. 5. The Web Server Certificate Wizard starts. 6. On the Welcome to the Web Server Certificate Wizard page, click Next. 7. Select the Create a New Certificate option, and then click Next 8. Select the Send the Request Immediately to an Online Certificate Authority option, and click Next. 9. Enter a name for the new server certificate, and select the bit length. The default value is 1024 bits. Click Next. 10. Enter an organization name and organization unit, and click Next. 11. Enter the name of the site, and click Next. 12. Enter a country code, and the state name and city, and click Next. 13. Select the TCP port that should be used for SSL connections. The default port used is port 443. Click Next. 14. Specify the CA from whom you want to obtain the server certificate. Click Next. 15. Verify that you have selected the correct configuration settings on the Summary page. 16. Click Next. Click Finish. 78

17. The new server certificate is obtained from the CA and installed on the ISS server. How to enable SSL on the IIS server 1. Open the IIS Manager 2. Locate and right-click the Default Web Site node, and select Properties from the shortcut menu. 3. When the Properties dialog box of the Default Web Site opens, click the Directory Security tab. 4. Click the Edit button in the Secure Communications section of the tab. 5. When the Secure Communications dialog box opens, click the Require Secure Channel (SSL) checkbox. 6. Click OK. How to manage existing server certificates on the IIS server. 1. Open the IIS Manager. 2. Right-click the Default Web Site node and click Properties on the shortcut menu. 3. When the Default Web Site Properties dialog box opens, click the Directory Security tab. 4. Click the Server Certificate button in the Secure Communications section of the tab. 5. The Web Server Certificate Wizard restarts, and presents the following options for managing the server certificate.
o o

Renew the existing server certificate. Delete or replace the existing server certificate. This is typically necessary when the server certificate has expired, and when SSL connections are no longer being used. Copy or move the existing server certificate to a different server or site. Export the existing server certificate.

o o

Enabling and Configuring Web Logging (IIS Logging)


A few benefits of Web logging are summarized below:

The event logs contain error, warning, and information events which are logged by IIS. The Web logs contain additional information on these events which can be helpful in troubleshooting IIS issues, and recognizing unusual traffic patterns which could be indicative of an attack on the Web server. 79

The Web logs provide specific information to the causes of HTTP errors.

You can enable Web logging at one of the following levels:

Web Sites level: This automatically enables Web logging for all websites hosted in the IIS server. Particular Web sites: You can enable Web logging for individual Web sites.

After Web logging is enabled, you can specify those home directories, virtual directories, sub directories, and files which should have access logging enabled. To enable Web logging: 1. Open the IIS Manager. 2. Right-click the Default Web Site node, and select Properties from the shortcut menu. 3. When the Properties dialog box of the Default Web Site opens, click the Enable Logging checkbox on the Web Site tab. 4. In the Active Log Format box, select the log file format that the Web logs should use. The options which you can choose between are:
o

W3C Extended Log File format: This is the default log file format used for IIS logging. It allows you to choose which properties should be written to the Web logs. Because you can customize the properties written to the Web logs, the W3C Extended Log File format is considered more flexible than the other formats. IIS Log File format: This fixed log file format cannot be customized and is hardly utilized these days. NCSA Log File Format: This fixed log file format cannot be customized but can be utilized by most of the existing web server products. The W3C Extended Log File format is though still a better option to use. ODBC Logging format: Because ODBC logging generally negatively affects IIS server performance, it is strongly recommended to not enable this logging format. Enabling ODBC logging disables kernel-mode caching in IIS. Centralized Binary Logging format: This logging format is typically used when an ISP hosts a vast number of websites on one IIS machine, because it allows all these websites to log to one log file. The Centralized Binary Logging format is a new feature of IIS.

5. If you want to log access to all physical directories, virtual directories, subdirectories and files, click the Home Directory tab and select the Log Visits checkbox. 6. Click OK. 80

7. If you want to specify that access to files within a virtual directory be logged, navigate to the Properties dialog of the virtual directory, and click the Virtual Directory tab. 8. If you want to specify that access to a specific file be logged, navigate to the Properties dialog of the particular file and click the File tab. To configure which fields or properties should be logged in the W3C Extended Log File Format, 1. Open the IIS Manager. 2. Right-click the Default Web Site node, and select Properties from the shortcut menu. 3. When the Properties dialog box of the Default Web Site opens, click the Enable Logging checkbox on the Web Site tab. 4. Click the Properties button on the Web Site tab. 5. The Logging Properties dialog box opens. 6. Click the Advanced tab. 7. The properties or fields which you can select on the Advanced tab are listed below, together with a description for each field:
o o o o o o o o o o o o o

Date, the date when the action took place. Time, the time when the action took place. Client IP Address, the IP address of the client which accessed the IIS server. User Name, the name of the user. This is the authentication user name. Service Name, the Internet service and the instance number accessed. Server Name, the server's name. Server IP Address, the server's IP address Server Port, the port number which was utilized. Method, the HTTP verb utilized in the HTTP client request URI Stem, the file accessed by the client URI Query, the query performed by the client Protocol Status, the status of the action based on HTTP terms or FTP terms. Win32 Status, the status of the action based on Windows terms. 81

o o o o o o o o

Bytes Sent, the number of bytes which the server transmitted to the client. Bytes Received, the number of bytes which the server received from the client. Time Taken, the duration of the activity. Protocol Version, the protocol version which the client utilized. Host, the content of the host header. User Agent, the browser utilized by the client. Cookie, the contents of both sent and received cookies Referrer, the last site which the user accessed.

How to configure the schedule for Web logging 1. Open the IIS Manager. 2. Right-click the Default Web Site node, and select Properties from the shortcut menu. 3. When the Properties dialog box of the Default Web Site opens, click the Enable Logging checkbox on the Web Site tab. 4. Click the Properties button on the Web Site tab. 5. The Logging Properties dialog box opens. 6. The options which you can configure on the General tab are listed below:
o

In the New Log Schedule section of the tab, you can select when log files are created:

Hourly Daily Weekly Monthly Unlimited file size When the file size reaches:

Use Local Time for File Naming and Rollover checkbox. Select this option if you want IIS to create new log files at midnight local time when the Daily option is selected. The default is that new log files are created at midnight Greenwich Mean Time (GMT). 82

Log File Directory text box: This is the location where the log files are saved. The default log file directory is the \Windows\System32\LogFiles directory. The permissions that should be assigned for a new log file folder are listed below:

Administrators, Full Control SYSTEM, Full Control IIS_WPG, Full Control

Click OK.

Publishing Contents to IIS


Publishing Content using WebDAV
You can use Web Distributed Authoring and Versioning (WebDAV) to manage and publish content such as HTML files, ASP pages, scripts and executables, to IIS. You can use WebDAV to create and modify web content on Internet servers. WebDAV utilizes the port 80. This is the default used by HTTP. By default, WebDAV is not installed, nor enabled in IIS 6.

How to install WebDAV


1. Click Start, Control Panel, and click Add/Remove Programs. 2. Click Add/Remove Windows Components in the Add Or Remove Programs dialog box. 3. Click Application Server in the Windows Components dialog box, and then click the Details button. 4. The Application Server dialog box appears next. 5. Click IIS and then select the Details button. 6. Click the WWW Publishing Service, and then click WebDAV Publishing 7. Click OK

How to enable WebDAV


1. Open the IIS Manager. 2. Select the Web Service Extensions (WSE) node in the console tree 3. Right-click WebDAV in the detail pane, and click Allow to enable WebDAV for all websites and virtual directories on the IIS server.

How to enable WebDAV Clients


Before you can use WebDAV for publishing, you first have to enable your client machines to support WebDAV. To do this, 1. 2. 3. 4. Open the Services console under the Administrative Tools. Menu. Locate the WebClient service. Double-click the WebClient service to open its Properties window. Verify that the Startup Type setting is set to Automatic. 83

5. Click Apply. 6. Click Start to initiate the WebClient service on the client

How to configure WebDAV


The primary steps in configuring WebDAV are:

Create a WebDAV virtual directory: To use WebDAV to publish content to IIS, you have to create a WebDAV virtual directory. To do this, 1. Open the IIS Manager 2. Right-click the Default Web Site, and select New, and then Virtual Directory. 3. Follow the prompts of the New Virtual Directory Wizard to create the WebDAV virtual directory. Configure NTFS permissions: The NTFS permissions which you configure control whether users are able to use WebDAV.

To configure NTFS permissions for the WebDAV virtual directory,

1. Open the IIS Manager 2. Right-click the WebDAV virtual directory and select Permissions. The default permissions for users are Read, users can read the files content Read & Execute, users can read the files content and execute scripts List Folder Contents, users are view the contents of the WebDAV directory. The special permissions assigned to users are:
o

Create Files/Write Data Create Folders/Append Data Configure Web permissions: The Web permissions which you configure have to enable clients to perform the following tasks: o Publish content to IIS. o Manage various types of Web content

To configure Web permissions for the WebDAV virtual directory,

1. Open the IIS Manager 2. Right-click the WebDAV virtual directory and select Properties from the shortcut menu. 3. Click the Virtual Directory tab. The Web permissions and other configuration settings which you can configure are: Script Source Access, if the Write permission is enabled as well, users are able to edit ASP pages and files. 84

Read, enables users to read files, if the NTFS permissions also enables this permission. Write, users can write files to the directory, if the NTFS permissions also enable this permission. Directory Browsing, users can view files in the directory, if the NTFS permissions also enables this permission. Index This Resource, if the Indexing service is enabled, users are able to search the files in the directory.

Publishing Content using FPSE


You can use the FrontPage to publish Web content to IIS, and to manage Web content. IIS 6 includes FrontPage Server Extensions 2002 (FPSE 2002), to provide the following:

Enable client computers to connect with the Web server through FrontPage Enable client computers to create, edit, and delete Web content.

How to install FPSE


1. Click Start, Control Panel, and click Add/Remove Programs. 2. Click Add/Remove Windows Components in the Add Or Remove Programs dialog box. 3. Click Application Server in the Windows Components dialog box, and then click the Details button. 4. The Application Server dialog box appears next. 5. Click IIS and then select the Details button. 6. Click FrontPage 2002 Server Extensions. 7. Click OK

How to enable FPSE


1. Open the IIS Manager. 2. Select the Web Service Extensions (WSE) node in the console tree 3. Right-click FrontPage Server Extensions 2002 in the detail pane, and click Allow to enable FPSE for websites and virtual directories on the IIS server.

How to configure additional websites to support for FrontPage


1. Open the IIS Manger 2. Locate and right-click the website, select All Tasks from the shortcut menu, and then select Configure Server Extensions 2002. 3. When the tool for managing FPSE opens, click the Submit button 4. On the Server Administration page, you can configure the global FPSE settings for the websites on your server.

Configuring Content Expiration

85

The IIS 6 content expiration feature enables you to specify when content should expire. For content that has expired, the page is requested again, and not retrieved from the cache. Content expiration can be configured at the site level, virtual directory level, or file level. To configure content expiration for the Default Web Site, 1. 2. 3. 4. 5. Open the IIS Manager In the console tree, right-click Default Web Site, and select Properties from the shortcut menu. Click the HTTP Headers tab. Click the Enable Content Expiration checkbox. The options that you can select with regard to content expiration are: o Expire Immediately o Expire After, specify the time duration after which content should expire. o Expire On, specify the date and time when content should expire 6. Click OK.

Configuring Redirection for Client Requests


The methods in which you can redirect client requests for files in a directory on the Web server are listed below:

You can redirect client requests to a different directory but on the identical site to which the content is moved. You can redirect client requests to a different website. You can redirect client requests to a specific URL on a site on the Internet You can redirect client requests to a particular file in a directory on the site

How to configure redirection for a website or virtual directory


1. 2. 3. 4. 5. Open the IIS Manager Navigate to either the properties window for the particular site or virtual directory. Select either the Home Directory tab or Virtual Directory tab. On the Home Directory tab, click the A Redirection To A URL option. The Home Directory tab displays the following options for redirecting client requests: o The Exact URL Entered Above o A Directory Below URL Entered o A Permanent Redirection for This Resource 6. Click OK

Managing the IIS Metabase


An Overview of the IIS Metabase
With the introduction of IIS 4, came the introduction of the metabase. IIS configuration information was no longer stored in the Registry, but in the new metabase structure. Some IIS configuration settings however still remained stored in the Registry, under the following keys:

HKLM\SOFTWARE\Microsoft\InetMgr\Parameters 86

HKLM\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters HKLM\SYSTEM\CurrentControlSet\Services\ASP\Parameters HKLM\SYSTEM\CurrentControlSet\Services\Http\Parameters\LogBufferSize HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters HKLM\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters

In IIS 4, separating the majority of IIS configuration settings into the metabase; speeded up access to the information. The issue with the metabase in IIS 4 and IIS 5 was that it was a binary file. This meant that it could not directly be modified by administrators. With IIS 6 came the new improved metabase. The most significant enhancement to the metabase in IIS 6 is that the binary format has been discarded. In IIS 6, the metabase is formatted as a plain text file using the Extensible Markup Language (XML). This means that you can edit the metabase using a text editor such as Notepad. In addition, whether changes are made manually or programmatically to the metabase, you no longer need to stop and restart IIS. You can use the Windows Management Instrumentation (WMI) or the Active Directory Services Interface (ADSI) to make changes to the metabase. You can also copy configuration settings from one IIS machine to another IIS machine. You can copy a particular website or virtual directory, or you can copy all IIS configurations. The new IIS 6 metabase history feature tracks changes to the metabase, and then automatically saves backups of the metabase. This enables you to revert to a previously saved version when you experience problems with current configuration settings. The IIS 6 version of the metabase no longer consists of only one metabase file (metabase.bin) but two metabase files, namely:

MetaBase.xml: This XML formatted file holds the IIS configuration data. MBSchema.xml: This XML formatted file holds the schema information for the MetaBase.xml file.

Both MetaBase.xml and MBSchema.xml are located under Windows\System32\Inetsrv. Access to the files is controlled by:

Administrators, Full Control; and SYSTEM,Full Control

Management of the metabase functions lies with the IIS Admin service, inetinfo.exe. The responsibilities of inetinfo.exe are:

Metabase Storage Layer and Admin Base Objects: The Metabase Storage Layer formats the MetaBase.xml andMBSchema.xml files from disk and the converts them from XML to binary format when a Windows Server 2003 IIS machine boots. Admin Base Objects (ABO)is used to write the metabase to the IIS file cache. Tracks any changes which are made to the metabase files. Responsible for the metabase history feature. When changes are made to the metabase, the metabase history feature automatically saves backup copies of the metabase. Responsible for the synchronization of the in-memoryversion and on disk version of the metabase files. 87

The following process occurs when you stop IIS via the IIS Manager: 1. IIS first checks the in-memorymetabase to verify that all recent changes are written to disk. 2. IIS stops if all recently madechanges have been written to disk. 3. The in-memory metabase overwritesthe MetaBase.xml and MBSchema.xml files on disk when all recent changes have not yet been written to disk.A new history file is saved to disk for both files. Only after this, doesIIS stop. The following process occurs when you restart IIS via the IIS Manager: 1. 2. 3. 4. The Metabase Storage Layer readsthe MetaBase.xml and MBSchema.xml files on disk. It converts both files to the binaryformat. Admin Base Objects (ABO) is usedto write the metabase to the IIS file cache. ABO also creates the in-memorymetabase nodes.

IIS automatically generates history files which are located in the \Windows\System32\Inetsrv\History folder. The history files are basically versioned copies of the metabase. A history file is generated when the flowing events occur:

Configuration changes are made after the in-memory metabase was already flushed to disk. IIS flushes the in-memory metabase to disk

A history file consists of the following components:


Copy of the in-memory MetaBase.xmlnode Copy of the in-memory MBSchema.xmlnode

A history file has a major version number and a minor version number. The major version number is incremented by one when IIS flushes the in-memory metabase to disk. IIS flushes the in-memory metabase to disk when the following events occurs, thereby creating the major version number:

IIS is stopped using the IIS Manager or the net stop iisadmin command; or IIS is restarted using the IIS Manager. IIS configuration changes are saved to disk using the All Tasks | Save Configuration To Disk option. IIS automatically flushes pending in-memory metabase changes to disk.

The minor version number is incremented by one when changes have been manually made to the metabase files on disk. The minor version number is reset to zero when the MetaBase.xml and MBSchema.xml files are flushed to disk. This occurs when the major version number is incremented by one. The history files for the two types of metabase files are called:

Metabase_majorversion_minorversion.xml,for the MetaBase.xml file MBSchema_majorversion_minorversion.xml,for the MBSchema.xml file

Metabase Flushing
88

Metabase flushing is the terminology utilized to refer to the events when IIS overwrites the MetaBase.xml and MBSchema.xml files located in the System32\Inetsrv folder with the in-memory metabase. This results in new history files being created in the System32\Instsrv\History folder. IIS flushes the in-memory metabase when the events listed below occur:

IIS is stopped using the IIS Manager or the net stop iisadmin command; or IIS is restarted using the IIS Manager. IIS configuration changes are saved to disk using the All Tasks | Save Configuration To Disk option. IIS automatically flushes pending in-memory metabase changes to disk. IIS automatically restarts when the IIS Admin service is terminated in any abnormal manner. This would only occur if the Automatic Restart feature of IIS is enabled. IIS configuration is backed up via the IIS Manager or from the command line. Iiscnfg /save is utilized from the command line. Iiscnfg.vbs is a WMI script. The IIS management tasks that can be performed using Iiscnfg.vbs are:

o o o

Save IIS configuration to disk. Copy IIS configuragtion Export and import IIS configuration

How to edit the metabase


With IIS 6, you can use any of the following approaches to edit the metabase:

Stop IIS, and then manually edit the metabase. Stopping IIS would result in no users being able to accessthe IIS server. Enable the new Direct MetabaseEdit feature, and then manually edit the metabase. When Direct MetabaseEdit is enabled, changes can be made to the metabase without disconnectingusers from the IIS server.

When the Direct Metabase Edit feature is enabled, you can use a text editor such as Notepad to make changes to the MetaBase.xml file. You can also programmatically change the MetaBase.xml file using scripts. When you save the changes you make to the MetaBase.xml file, IIS copies the MetaBase.xml file to the in-memory metabase. There is though a slight time lapse between when the actual changes are saved, and when it is copied to the in-memory metabase. This is due to the response time of the Windows file change notification service. To enable the Direct Metabase Edit feature using IIS Manager, 1. Open IIS Manager 2. Right-click the IIS server node in the console tree, and select Properties from the shortcut menu. 3. When the Properties dialogbox opens, select the Enable Direct Metabase Edit checkbox. 4. Click OK. To enable the Direct Metabase Edit feature using the command line, 89

1. 2. 3. 4.

Open a command prompt on the IIS server. Enter iisreset /stop to stop IIS running on the server. Use a text editor to open the MetaBase.xmlfile. To enable the Direct Metabase Edit feature, change the value of the EnableEditWhileRunning property to 1. 5. Save this change to the MetaBase.xmlfile. 6. Enter iisreset /start to restart IIS. Before making changes to the metabase, whether it is manually or programmatically; it is recommended to first back up the metabase.

How to back up the metabase


IIS creates a metabase backup when it is initially installed, in the System32\Inetsrv\MetaBack folder. IIS also creates history files as backups of the metabase. You can however manually backup the metabase as well. To back up the metabase using IIS Manager, 1. Right-click the IIS server whose metabase you want to back up, select All Tasks from the shortcut menu, and then select Backup/Restore Configuration. 2. The Configuration Backup/Restoredialog box opens. The Configuration Backup/Restore dialog box displays the following information: o The initial configuration backups created when IIS was first installed. o All manually created backups. o All history files. 3. Click the Create Backup button to back up the metabase. 4. When the Configuration Backup dialog box opens, enter a name for the backup and a password for securing the backup. 5. Click OK. 6. The newly created backup is now listed in the Backup list box of the Configuration Backup/Restore dialogbox. 7. All backup files are in the following folder: o Systemroot%\System32\ inetserv\MetaBack An .md0 file extension indicates a metabase backup file An .sc0 file extension indicates a metabase schema backup file To restart IIS using the IIS Manager, <! x } >

An Overview of the IIS Metabase


With the introduction of IIS 4, came the introduction of the metabase. IIS configuration information was no longer stored in the Registry, but in the new metabase structure. Some IIS configuration settings however still remained stored in the Registry, under the following keys:

HKLM\SOFTWARE\Microsoft\InetMgr\Parameters HKLM\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters HKLM\SYSTEM\CurrentControlSet\Services\ASP\Parameters 90

HKLM\SYSTEM\CurrentControlSet\Services\Http\Parameters\LogBufferSize HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters HKLM\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters

In IIS 4, separating the majority of IIS configuration settings into the metabase; speeded up access to the information. The issue with the metabase in IIS 4 and IIS 5 was that it was a binary file. This meant that it could not directly be modified by administrators. With IIS 6 came the new improved metabase. The most significant enhancement to the metabase in IIS 6 is that the binary format has been discarded. In IIS 6, the metabase is formatted as a plain text file using the Extensible Markup Language (XML). This means that you can edit the metabase using a text editor such as Notepad. In addition, whether changes are made manually or programmatically to the metabase, you no longer need to stop and restart IIS. You can use the Windows Management Instrumentation (WMI) or the Active Directory Services Interface (ADSI) to make changes to the metabase. You can also copy configuration settings from one IIS machine to another IIS machine. You can copy a particular website or virtual directory, or you can copy all IIS configurations. The new IIS 6 metabase history feature tracks changes to the metabase, and then automatically saves backups of the metabase. This enables you to revert to a previously saved version when you experience problems with current configuration settings. The IIS 6 version of the metabase no longer consists of only one metabase file (metabase.bin) but two metabase files, namely:

MetaBase.xml: This XML formattedfile holds the IIS configuration data. MBSchema.xml: This XML formattedfile holds the schema information for the MetaBase.xml file.

Both MetaBase.xml and MBSchema.xml are located under Windows\System32\Inetsrv. Access to the files is controlled by:

Administrators, Full Control; and SYSTEM,Full Control

Management of the metabase functions lies with the IIS Admin service, inetinfo.exe. The responsibilities of inetinfo.exe are:

Metabase Storage Layer and Admin Base Objects: The Metabase Storage Layer formats the MetaBase.xml andMBSchema.xml files from disk and the converts them from XML to binaryformat when a Windows Server 2003 IIS machine boots. Admin Base Objects (ABO)is used to write the metabase to the IIS file cache. Tracks any changes which are made to the metabase files. Responsible for the metabase history feature. When changes are made to the metabase, the metabase historyfeature automatically saves backup copies of the metabase. Responsible for the synchronization of the in-memoryversion and on disk version of the metabase files.

The following process occurs when you stop IIS via the IIS Manager: 1. IIS first checks the in-memorymetabase to verify that all recent changes are written to disk. 91

2. IIS stops if all recently madechanges have been written to disk. 3. The in-memory metabase overwritesthe MetaBase.xml and MBSchema.xml files on disk when all recent changes have not yet been written to disk.A new history file is saved to disk for both files. Only after this, doesIIS stop. The following process occurs when you restart IIS via the IIS Manager: 1. 2. 3. 4. The Metabase Storage Layer readsthe MetaBase.xml and MBSchema.xml files on disk. It converts both files to the binaryformat. Admin Base Objects (ABO) is usedto write the metabase to the IIS file cache. ABO also creates the in-memorymetabase nodes.

IIS automatically generates history files which are located in the \Windows\System32\Inetsrv\History folder. The history files are basically versioned copies of the metabase. A history file is generated when the flowing events occur:

Configuration changes are madeafter the in-memory metabase was already flushed to disk. IIS flushes the in-memory metabaseto disk

A history file consists of the following components:


Copy of the in-memory MetaBase.xmlnode Copy of the in-memory MBSchema.xmlnode

A history file has a major version number and a minor version number. The major version number is incremented by one when IIS flushes the in-memory metabase to disk. IIS flushes the in-memory metabase to disk when the following events occurs, thereby creating the major version number:

IISis stopped using the IIS Manager or the net stop iisadmin command; or IIS is restarted using the IIS Manager. IIS configuration changes aresaved to disk using the All Tasks | Save Configuration To Disk option. IIS automatically flushes pendingin-memory metabase changes to disk.

The minor version number is incremented by one when changes have been manually made to the metabase files on disk. The minor version number is reset to zero when the MetaBase.xml and MBSchema.xml files are flushed to disk. This occurs when the major version number is incremented by one. The history files for the two types of metabase files are called:

Metabase_majorversion_minorversion.xml,for the MetaBase.xml file MBSchema_majorversion_minorversion.xml,for the MBSchema.xml file

Metabase Flushing
Metabase flushing is the terminology utilized to refer to the events when IIS overwrites the MetaBase.xml and MBSchema.xml files located in the System32\Inetsrv folder with the in-memory 92

metabase. This results in new history files being created in the System32\Instsrv\History folder. IIS flushes the in-memory metabase when the events listed below occur:

IISis stopped using the IIS Manager or the net stop iisadmin command; or IIS is restarted using the IIS Manager. IIS configuration changes aresaved to disk using the All Tasks | Save Configuration To Disk option. IIS automatically flushes pendingin-memory metabase changes to disk. IIS automatically restarts whenthe IIS Admin service is terminated in any abnormal manner. This wouldonly occur if the Automatic Restart feature of IIS is enabled. IIS configuration is backed up viathe IIS Manager or from the command line. Iiscnfg /save is utilized from thecommand line. Iiscnfg.vbs is a WMI script. The IIS management tasks thatcan be performed using Iiscnfg.vbs are:

o o o

Save IIS configuration to disk. Copy IIS configuragtion Export and import IIS configuration

How to edit the metabase


With IIS 6, you can use any of the following approaches to edit the metabase:

Stop IIS, and then manually editthe metabase. Stopping IIS would result in no users being able to accessthe IIS server. Enable the new Direct MetabaseEdit feature, and then manually edit the metabase. When Direct MetabaseEdit is enabled, changes can be made to the metabase without disconnectingusers from the IIS server.

When the Direct Metabase Edit feature is enabled, you can use a text editor such as Notepad to make changes to the MetaBase.xml file. You can also programmatically change the MetaBase.xml file using sripts. When you save the changes you make to the MetaBase.xml file, IIS copies the MetaBase.xml file to the in-memory metabase. There is though a slight time lapse between when the actual changes are saved, and when it is copied to the in-memory metabase. This is due to the response time of the Windows file change notification service. To enable the Direct Metabase Edit feature using IIS Manager, 1. Open IIS Manager 2. Right-click the IIS server node inthe console tree, and select Properties from the shortcut menu. 3. When the Properties dialog boxopens, select the Enable Direct Metabase Edit checkbox. 4. Click OK. To enable the Direct Metabase Edit feature using the command line, 1. Open a command prompt on the IIS server. 93

2. Enter iisreset /stop to stop IIS running on the server. 3. Use a text editor to open the MetaBase.xmlfile. 4. To enable the Direct Metabase Editfeature, change the value of the EnableEditWhileRunning property to 1. 5. Save this change to the MetaBase.xmlfile. 6. Enter iisreset /start to restart IIS. Before making changes to the metabase, whether it is manually or programmatically; it is recommended to first back up the metabase.

How to back up the metabase


IIS creates a metabase backup when it is initially installed, in the System32\Inetsrv\MetaBack folder. IIS also creates history files as backups of the metabase. You can however manually backup the metabase as well. To back up the metabase using IIS Manager, 1. Right-click the IIS server whosemetabase you want to back up, select All Tasks from the shortcut menu, andthen select Backup/Restore Configuration. 2. The Configuration Backup/Restoredialog box opens. The Configuration Backup/Restore dialog box displays thefollowing information:

o o o

The initial configuration backups created when IIS was first installed. All manually created backups. All history files.

3. Click the Create Backup button toback up the metabase. 4. When the Configuration Backupdialog box opens, enter a name for the backup and a password for securingthe backup. 5. Click OK. 6. The newly created backup is nowlisted in the Backup list box of the Configuration Backup/Restore dialogbox. 7. All backup files are in thefollowing folder:

Systemroot%\System32\ inetserv\MetaBack

An .md0 file extension indicates a metabase backup file An .sc0 file extension indicates a metabase schema backup file

To restart IIS using the IIS Manager, 94

1. Right-click the IIS server, selectAll Tasks on the shortcut menu, and then click Restart IIS. 2. You can choose between thefollowing options: o Restart IIS o Restart Server o Stop IIS o Start IIS You can use the Iisback.vbs WMI script to perform the management tasks listed below:

Back up and restore IISconfiguration data Delete IIS configuration data View, or list IIS configurationdata

How to export the metabase


You can export portions of the metabase, or the entire metabase configuration information to a file. You can basically export the configuration settings for only a particular website or virtual directory, or you can export all configuration settings. You can also through exporting, create a metabase template file to copy configuration information to multiple IIS machines. You can export metabase configuration information by using the IIS Manager, or the Iiscnfg.vbs WMI script. To export the metabase using the IIS Manager, 1. Open the IIS Manager 2. Right-click the IIS server whoseconfiguration setting you want o export, select All Tasks on the shortcutmenu, and then click Save Configuration To A File. 3. When the Save Configuration To AFile dialog box opens, enter a name for the file in the File Name textbox. 4. Verify that the correct locationis specified in the Path checkbox. 5. Select the Encrypt ConfigurationUsing Password checkbox. 6. Click OK.

How to import the metabase


You can import previously exported files to the same IIS machine, or to a different IIS machine. To import a previously exported file to the same IIS machine, 1. Open the IIS Manager. 2. Right-click the Web Sites node andselect New, and then Web Site (From File) from the shortcut menu. 3. The Import Configuration dialogbox opens 4. Click Browse to select the exportfile which you want to import. 5. Click Read to display the configurationin the Location list box 6. Select the site and click OK 7. Enter the password that was usedto encrypt the file when it was exported. 8. Click OK. 95

In order to import a previously exported file from one IIS machine to a different IIS machine, the following preparation tasks need to be performed.

Delete or edit any referenceswithin the export file that are machine specific, such as o Deleting AdminACL properties, password properties and properties referencing IUSR or IWAM accounts. o Editing file system paths or locations which are different on the target machine. Create the required folders on thetarget machine.

1. Right-click the IIS server, select All Tasks on the shortcut menu, and then click Restart IIS. 2. You can choose between the following options: o Restart IIS o Restart Server o Stop IIS o Start IIS You can use the Iisback.vbs WMI script to perform the management tasks listed below:

Back up and restore IISconfiguration data Delete IIS configuration data View, or list IIS configurationdata

How to export the metabase


You can export portions of the metabase, or the entire metabase configuration information to a file. You can basically export the configuration settings for only a particular website or virtual directory, or you can export all configuration settings. You can also through exporting, create a metabase template file to copy configuration information to multiple IIS machines. You can export metabase configuration information by using the IIS Manager, or the Iiscnfg.vbs WMI script. To export the metabase using the IIS Manager, 1. Open the IIS Manager 2. Right-click the IIS server whoseconfiguration setting you want o export, select All Tasks on the shortcut menu, and then click Save Configuration To A File. 3. When the Save Configuration To A File dialog box opens, enter a name for the file in the File Name textbox. 4. Verify that the correct locationis specified in the Path checkbox. 5. Select the Encrypt Configuration Using Password checkbox. 6. Click OK.

How to import the metabase


You can import previously exported files to the same IIS machine, or to a different IIS machine. To import a previously exported file to the same IIS machine, 96

1. Open the IIS Manager. 2. Right-click the Web Sites node and select New, and then Web Site (From File) from the shortcut menu. 3. The Import Configuration dialogbox opens 4. Click Browse to select the export file which you want to import. 5. Click Read to display the configuration in the Location list box 6. Select the site and click OK 7. Enter the password that was used to encrypt the file when it was exported. 8. Click OK. In order to import a previously exported file from one IIS machine to a different IIS machine, the following preparation tasks need to be performed.

Delete or edit any references within the export file that are machine specific, such as o Deleting AdminACL properties, password properties and properties referencing IUSR or IWAM accounts. o Editing file system paths or locations which are different on the target machine. Create the required folders on the target machine.

Managing IIS 5.0 and iis 6.0


IIS Administration Tools and Methods
The administration methods and management tools which you can use to administer IIS are listed below:

Microsoft Management Console (MMC) tools under the Administrative Tools Menu. o The primary MMC used to administer IIS is the IIS Manager (see below). o You can also use the Computer Management console to perform administration tasks for IIS. The Computer Management console can be opened from the Administrative Tools Menu. To access the Internet Information Services (IIS) node in the Computer Management console, expand the Services And Applications node in the console tree. o The Application Server console can be used to configure IIS, the.NET Framework, and Component Services. To access the Application Server console, open the Manage Your Server window (Administrative Tools), and then select Manage Your Application Server. Windows Server 2003 Administration Tools Remote Desktop, a Terminal Services feature, can be used to remotely manage an IIS 6 machine. Remote Desktop Web Connection enables you to access Remote Desktop by using Internet Explorer. Remote Administration ( HTML) is an IIS Administration website which enables you to manage IIS via Internet Explorer.

Using IIS Manager for IIS Administration


97

The IIS Manager can be used to perform administration functions for the following versions of IIS:

IIS 4, IIS 5, IIS 5.1 and IIS 6

When you perform a basic installation of IIS, the following IIS components are installed:

Files utilized by IIS Microsoft FrontPage server extensions The IIS snap-in, IIS Manager The World Wide Web service and SMTP service

To change any default configuration settings of these components, you can use the IIS Manager. The IIS Manager is a MMC console which is automatically installed when you install IIS. It is the main tool used for performing IIS administration tasks. You can use the IIS Manager GUI tool to machine multiple IIS machines both locally and remotely. Because IIS functions through WAN connections, you can use the IIS Manager for remote management of the IIS machine over LAN and WAN connections. You can perform virtually any IIS administration functions from the IIS Manager tool, including:

Manage IIS security and performance Enable or disable IIS components Create and manage Web sites and SMTP sites Manage services such as File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol Configure Application Pools Perform content management tasks

The left pane of the IIS Manager window contains the console tree, which in turn holds the objects which you can perform management tasks for. When you select an object in the console tree, the right pane (details pane) lists the details of that particular object. You can right-click the nodes in the console tree, and select its Properties from the shortcut menu to configure settings. You can also access certain administrative functions by right-clicking the node and selecting the function from the shortcut menu that displays. The three nodes in the IIS Manager's console tree are:

Application Pools: This is the location from where you can create application pools, assign applications to application pools, assign worker processes to applications, configure health and recycling settings, as well as other configuration settings. When you install IIS 6, and it is running in worker process isolation mode, the DefaultAppPool is created under the Application Pools node. Default Application Pool contains Default Application. This is created for the Default Web Site at IIS installation. Right-clicking DefaultAppPool enables you to perform the tasks listed below, by selecting it from th shortcut menu: o Access the Properties dialog box of an application pool to specify configuration settings o Save an application pool's configuration to a XML file so that it can be imported to a different server o Stop and start application pools o Recycle the worker processes of an application pool. 98

Web Sites: This node contains the Default Web Site, which is automatically created when IIS 6 is installed. This is the location from which to configure websites and virtual directories to run dynamic web applications. Web Service Extensions (WSE): By default, IIS 6 is installed in lock down mode. To ensure that your applications run correctly, you have to enable or unlock certain IIS components, including ASP, ASP.NET, ISAPI or CGI, or components. You do this using the Web Service Extensions (WSE) node.

How to open the IIS Manager You can use the methods listed below to open the IIS Manager

Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager. Click Start, Run, enter inetmgr in the dialog box, and click OK.

How to connect to an IIS computer using the IIS Manager 1. Right-click the Internet Information Services node in the console tree and click Connect from the shortcut menu. 2. The Connect To Computer dialog box opens. 3. If you know the name of the computer, enter it in the Computer Name box. This has to be the fully qualified domain name (FQDN) or IP address of the computer. Click OK. 4. If you want to browse for the computer name, click the Browse button on the Connect To Computer dialog box. 5. When the Select Computer dialog box opens, search for the computer you want to connect to, and click OK. 6. You can click the Advanced button on the Select Computer dialog box to search Active Directory and the network for the computer name. Click OK. 7. Click OK How to use the All Tasks shortcut menu option to manage IIS servers You can display the All Tasks shortcut menu option by right-clicking the node of a connected IIS computer and selecting All Task from the shortcut menu. This brings up a submenu, from which you can choose to perform the following tasks:

Backup/Restore Configuration Restart IIS Save Configuration To Disk.

To back up the IIS metabase using Backup/Restore Configuration option, 1. Right-click the IIS server whose metabase you want to back up, select All Tasks from the shortcut menu, and then select Backup/Restore Configuration. 2. The Configuration Backup/Restore dialog box opens. 3. All existing backups are listed in the Backup list box of the dialog box. 4. Click the Create Backup button to back up the metabase. 99

5. When the Configuration Backup dialog box opens, enter a name for the backup and a password for securing the backup. 6. Click OK. 7. The newly created backup is now listed in the Backup list box of the Configuration Backup/Restore dialog box. 8. All backup files are in the following folder: o Systemroot%\System32\ inetserv\MetaBack An .md0 file extension indicates a metabase backup file An .sc0 file extension indicates a metabase schema backup file To restart IIS using the Restart IIS option, 1. Right-click the IIS server, select All Tasks on the shortcut menu, and then click Restart IIS. 2. You can choose between the following options: o Restart IIS o Restart Server o Stop IIS o Start IIS Restarting IIS has the following consequences:

Any users connected to IIS lose their connectivity. Websites and Web applications are unavailable for the duration of the restart. All data in memory of any applicatios are lost.

To immediately save configuration changes to the metabase using the Save Configuration To Disk option, 1. Right-click the IIS server whose configuration setting changes you want to save to the metabase, select All Tasks on the shortcut menu, and then click Save Configuration To Disk.

Using Remote Desktop for IIS Administration


The Remote Desktop feature can be used to manage IIS computers using a Terminal Services client running Windows 98, Windows NT 4, Windows 2000 and Windows Server 2003. Essentially, the Windows Server 2003 Remote Desktop feature is alike to the Terminal Services - Remote Administration mode in Windows 2000. However, with Windows Server 2003, the Remote Desktop feature is automatically installed. It does however need to be enabled. To enable the Remote Desktop feature, 1. 2. 3. 4. Open the System utility in Control Panel Click the Remote tab Enable the Users To Connect Remotely To This Computer checkbox Click OK.

The following two Remote Desktop components are also automatically installed:

100

Remote Desktop for Administration (RDA): This feature requires Terminal Services to enable client computers to connect to a server for remote desktop management. Remote Desktop Connection (RDC): You can use RDC to connect to an IIS server and manage it remotely. To connect to a IIS server,

1. Click Start, All Programs, Accessories, Communications, and then click Remote Desktop Connection. 2. When the Remote Desktop Connection dialog box opens, enter the name or IP address of the computer you want to connect to. 3. Click Connect.

How to install IIS Components and create Web, FTP, NNTP, and SMTP sites
How to install IIS components Before you can create and maintain any Web, FTP, the necessary components. NNTP, and SMTP sites, you first have to install

1. Click Start, Control Panel, and click Add/Remove Programs. 2. Click Add/Remove Windows Components in the Add Or Remove Programs dialog box. 3. Click Application Server in the Windows Components dialog box, and then click the Details button. 4. The Application Server dialog box appears next. 5. Click IIS and then select the Details button. 6. After selecting the IIS components you want to install, click OK. 7. When the Insert Disk dialog box appears, insert the Windows Server 2003 CD in the CDROM drive, and click OK. How to create a new Web site The IIS Manager is the primary management tool used to create and manage websites. The Web Site Creation Wizard is used for the creation of new Web sites. 1. Open the IIS Manager 2. Right-click the Web Sites node in the console tree, select New from the shortcut menu, and then select Web Site. 3. The Web Site Creation Wizard initiates. 4. On the Welcome to the Web Site Creation Wizard screen click Next. 5. On the Web Site Description page, enter a name for the website. The name you enter here would be used in the IIS Manager. Click Next. 6. On the IP Address and Port Settings page, o Enter the IP address for the site in the Enter the IP address to use for this Web site text box. o Enter the port number for the site in the TCP Port this Web site should use text box. o Enter the host header name for the new site in the Host header for this Web site text box. 101

Click Next 7. On the Web Site Home Directory page, enter the path to the home directory for the site. It is recommended to host the directory on an NTFS partition because it is the location where the files of the Web site would be stored. You can click the Browse button to locate the folder. 8. The Allow anonymous access to this web site checkbox is enabled by default. If the new Web site is to host confidential data, uncheck the Allow anonymous access to this web site checkbox. This would prvent users to authenticate via anonymous access to access the Web site. Click Next. 9. On the Web Site Access Permissions page, the default access permissions for the Web site is that only the Read and the Run Scripts permissions is allowed. All other permissions are not enabled. The additional permissions which you can set to allow by enabling its associated checkboxes are: o Execute, to enable execute permission for Dynamic Link Libraries (DLLs). o Write, to allow users to upload data to the source directories of the site. o Browse, to allow directory browsing on the new Web site.

Click Next. 10. Click Finish to create the new Web site. How to create a FTP site Before you can create a FTP site or multiple FTP sites, you have to install the FTP Service. Following this, use the steps below to create a FTP site 1. Open the IIS Manager 2. Right-click the FTP Sites node in the console tree, select New from the shortcut menu, and then select FTP Site. 3. The FTP Site Creation Wizard initiates. 4. On the Welcome to the FTP Site Creation Wizard screen click Next. 5. On the FTP Site Description page, enter a name for the new FTP site. Click Next. 6. On the IP Address and Port Settings page, o Enter the IP address for the FTP site in the Enter the IP address to use for this FTP site text box. o Enter the port number for the FTP site in the Type the TCP Port this FTP site text box. Click Next 7. On the FTP User Isolation page, you can select the security setting options listed below: o Do not isolate users: Enables all users to access all directories and files. o Isolate users: Isolates a user from accessing other users' FTP home directories. o Isolate the users using Active Directory: To specify that Active Directory is used to authenticate and assign a FTP home directory to the user. Click Next.

102

8. On the FTP Site Home Directory page, enter the path to the home directory for the FTP site. You can click the Browse button to locate the folder. Click Next. 9. On the FTP Site Access Permissions page, the default access permission enabled for the FTP site is the Read permission. You have to enable the Write permission if you want users to be able to upload any data to the source directories of the site. Click Next. 10. Click Finish to create the new FTP site. How to create a NNTP virtual server While IIS by default does create a NNTP server, you can create additional NNTP servers. 1. Open the IIS Manager 2. Locate the computer, right-click Default NNTP Server, select New and then Virtual Server from the shortcut menu. 3. The New NNTP Virtual Server Wizard initiates. 4. Enter a name for the NNTP site. Click Next. 5. On the Select IP Address page, select the IP address and port number settings for the NNTP site. It is recommended to use unique IP addresses for each NNTP site. Click Next 6. Enter the path to the home directory for the NNTP server. Click Next. 7. On the Select Storage Medium page, choose of the following options: o File System, allows users to store news messages on the local computer o Remote Share, allows users to store news messages remotely. Click Next 8. Enter the physical directory where the news messages are to be located. 9. Click Finish. How to create a SMTP virtual server 1. Open the IIS Manager 2. Locate the computer, right-click Default SMTP Server, select New and then Virtual Server from the shortcut menu. 3. The New SMTP Virtual Server Wizard initiates. 4. Enter a name for the SMTP site. Click Next. 5. On the Select IP Address page, enter the IP address settings for the SMTP site. Click Next 6. Enter the path to the home directory for the SMTP server. Click Next. 7. Provide the domain name for the SMTP srver. Click Next 8. Click Finish. How to create a virtual directory for a Web site A virtual directory is basically a pointer or reference to a Web site or FTP site that enables access to the subdirectories from the root Web directory or FTP directory. 1. Open the IIS Manager 2. Locate the IIS server, right-click the Web site, and select New and then Virtual Directory from the shortcut menu. 103

3. 4. 5. 6. 7.

The Virtual Directory Creation Wizard launches. Click Next on the initial screen of the wizard. On the Virtual Directory Alias page, enter a name for the new virtual directory. Click Next. Choose the physical directory to which this virtual directory should point. Click Next. Choose the access permissions for the virtual directory. The default settings that are enabled on the Virtual Directory Access Permissions page are Read, and Run Scripts. Click Next 8. Click Finish. How to host multiple Web sites The primary method used to host multiple Web sites is to assign a unique IP address to each Web site. You can alternatively assign a different port number for the Web site while using the same IP address, or you can assign unique host headers on a single IP address. To host multiple Web sites, 1. 2. 3. 4. 5. 6. 7. 8. 9. Open the IIS Manager Locate the IIS server, right-click the Web site, and select Properties from the shortcut menu. Click the Web Site tab. If you want to assign a unique IP address for the Web site, enter or select the IP address in the IP address box. Click OK If you want to assign a different port number for the Web site, use the TCP port box. Click OK. If you want to assign unique host headers using the same IP address, click the Advanced button. Click Add Select the IP address and port number of the Web site. In the Host Header value text box, enter the host header details. Click OK.

How to configure master website properties You can configure master properties for websites, based on the computer on which they are created. When you configure master website properties, all sites created on that particular computer inherit the master website properties. To configure master website properties, 1. Open the IIS Manager. 2. Right-click the Web Sites node in the console tree, and then select Properties from the shortcut menu. 3. When the Web Site Properties dialog box opens, use the tabs on the dialog box to configure the settings which should be used for all websites which are going to be created. 4. The Inheritance Overrides dialog box will be displayed when there are existing websites, providing you with the option of overriding your existing settings for these websites.

The Different Administration Levels for Configuring IIS Settings

104

The administration of IIS configuration settings are categorized into different administration levels. The administration levels and the administration tasks typically performed at each administration level are listed below:

Server level administration encompasses the administration tasks listed below. Server configuration settings affect virtual servers on the IIS server: o Connect to, and manage IIS computers o Enable, disable HTTP compression o Enable, disable bandwidth throttling for all sites hosted on the IIS machine o Configure master website properties for all sites hosted on the IIS machine o Configure settings for the MIME map o Configure server extensions o Backup and restore IIS Site level administration relate to setting site configuration settings which affect only a particular Web, FTP, SMTP, or NNTP site on the IIS machine. You can configure settings for these sites through its associated property sheet. Directory level administration relate to directory configration settings. These settings apply to the virtual and physical directories of a Web site or FTP site. Directory administration involves the configuration of these settings: o Application settings o Authentication and access control settings o Configuring IP address and domain name restrictions o The location of content, configuring content expiration and content rating settings. o Configuring default documents and document footers o MIME mappings o Custom HTTP headers and custom HTTP errors File level administration relate to setting the properties of files in the home directory, and other directories of Web sites and FTP sites. The settings you can configure include Directory Browsing, Enable Document Footer, and Index This Resource.

Configuring Web Site Properties


You can configure settings for websites hosted on the IIS server by using its associated Properties dialog box. To access the Properties dialog box of a website, 1. Open the IIS Manager 2. Locate and right-click the website, and select Properties from the shortcut menu. 3. The Properties dialog box contains the following tabs: o Web Site tab, Performance tab, ISAPI Filters tab, Home Directory tab, Documents tab, Directory Security tab, HTTP Headers tab, and Custom Errors tab. Each of these tabs is discussed in more detail next. Web Site tab The configuration settings which you can configure on the Web sites tab are listed below: 105

A description of the Web site is listed in the Description text box. You can change the existing description listed in the Description text box. You can configure the IP address and TCP port for the Web site using the IP address text box and TCP text box. The default TCP port utilized for HTTP is TCP port 80. You can indicate the connection timeout value after which an inactive user would be disconnected from the Web site in the Connection Timeout box. Checking the Enable HTTP Keep-Alives checkbox enables clients to maintain open connections with the IIS server. If you want to enable logging for the Web site, select the Enable logging checkbox. The log formats that can be used with IIS 6 are o Microsoft IIS Log File Format o NCSA Common Log File Format o ODBC Logging o W3C Extended Log File Format

If you want to configure settings for the log schedule and log file directory, click the Properties button. Performance tab The performance specific configuration settings which you can configure on the Performance tab are listed below:

In the Bandwidth Throttling section of the tab, you can enable the Limit the network bandwidth available to this Web site checkbox to control the quantity of bandwidth that the site can use. When enabled, the default setting is 1024 bytes per second. You can however change this setting. In the Web Sites Connections section of the tab, you can select the Unlimited option, or you can specify the number of connections which are allowed by selecting the Connections limited to option and then specifying the number of connections which are allowed.

ISAPI Filters tab You can use the Add, Remove, Edit, Disable, Move up and Move down buttons to manage your ISAPI filters. Home Directory tab The settings and options you can configure on the Home Directory tab are:

The location of the site content can be specified as one of the following options: o A Directory Located On This Computer o A Share Located On Another Computer o A Redirection To A URL You can also change the path to the home directory in the Local path box. The access permissions which you can enable are listed below: o Script Source Access, enables users to access source-code 106

Read, enables users to download and read files in the home directory. Write, allows users to change Web content. Directory Browsing, allows users to browse the directory. Log Visits, logs users who access the site. Index This Resource, enables indexing of the home folder. In the Application Settings section of the Home Directory tab is the name of the root directory that holds the files and subdirectories for an executable application. The Execute permissions options that can be configured are: o None, allows only access to static files. o Scripts Only, prohibits the running of executables. o Scripts And Executables, access to all files are allowed and as well as the running of executables are allowed.
o o o o o

The Documents tab The settings and options you can configure on the Documents tab are:

You can define the default document (home page) which will be presented to users when they access the site. You can specify multiple documents and define the order in which they should be applied. If you want to enable document footers, select the Enable document footer checkbox.

The Directory Security tab The configuration areas in which the Directory Security tab is divided, as well as the settings which you can configure within each section is listed below:

Authentication and Access Control: To change the authentication methods currently used, click the Edit button. The Authentication Methods dialog box is displayed. o The Enable anonymous access checkbox can be enabled or disabled for the site. Anonymous access is typically used for public sites. o The options which you can configure in the Authenticated Access area of the Authentication Methods dialog box are: Integrated Windows Authentication: This is the most secure option that can be used for authentication in IIS. Digest Authentication For Windows Domain Servers: This option can only be enabled if Active Directory is used. Digest Authentication sends the user credentials over the network by utilizing an encrypted MD5 hash. Basic Authentication: This is the weakest authentication method available for IIS, and should be utilized when you cannot use any other authentication method. .NET Passport Authentication: When enabled, authentication occurs via a single sign on method. IP Address and Domain Name Restrictions: To restrict access to websites and directories by using addresses and domain names, click the Edit button in this section of the Directory Security tab. The IP Address And Domain Name Restrictions dialog box is displayed. Using the dialog box, you can specify that all computers are granted access, or you can specify those computers which should not be granted access by listing their IP address or domain name. 107

Secure Communications: If you want to open the Web Server Certificate Wizard, click the Server Certificate button. You need a Web server certificate if you want to maintain Secure Sockets Layer (SSL) connections.

The HTTP Headers tab The settings you can configure on the HTTP Headers tab relate to the information that is displayed in the HTML headers of your web pages. The options which you can select are:

You can select the Enable content expiration checkbox if you want to set when content should expire. The options that you can select with regard to content expiration are: o Expire Immediately o Expire After, specify the time duration after which content should expire. o Expire On, specify the date and time when content should expire

You can specify to use custom HTTP headers when the existing headers cannot be used to send information. You can specify content ratings for the site by clicking the Edit Ratings button i the Content Ratings section of the HTTP Headers tab. If you want to configure Multipurpose Internet Mail Extensions (MIME) maps, click the MIME Types button in the MIME Types area of the HTTP Headers tab.

Custom Errors tab The error messages which are displayed to clients when HTTP errors occur are listed on the Custom Errors tab. You can change the error messages that are shown to clients by clicking the Edit button.

Managing Web Applications and Application Pools


To run dynamic Web applications on IIS, you first have to use the Web Service Extensions node in IIS Manager to allow or prohibit the Web service extensions listed below:

ASP ASP.NET ISAPI Extensions CGI Extensions Front Page Server Extensions 2000 and 2002 Internet Data Connector WebDAV support

To access the Web Service Extensions (WSE), 1. Open the IIS Manager 2. Locate the server, and select the Web Server Extensions node You also have to decide on the application mode which you are going to use in IIS. The two available application modes in IIS 6 are: 108

Worker process isolation mode: This is the preferred IIS 6 application mode. The new architectural features of IIS 6 are available in worker process isolation mode. IIS 5 isolation mode: This mode utilizes the IIS 5 architecture, and supports none of the new IIS 6 features. Applications run in one of the following contexts: o Low (IIS Process) o Medium (Pooled) o High (Isolated)

To change the default application mode, 1. 2. 3. 4. Open the IIS Manager Right-click the Web Sites node, and click Properties from the shortcut menu. When the Web Site Properties dialog box opens, click the Services tab. If you want to use worker process isolation mode, clear the Run WWW service in IIS 5 isolation mode checkbox. 5. If you want to run IIS 5 isolation mode, select the Run WWW service in IIS 5 isolation mode checkbox. 6. Click OK. 7. Restart IIS The four main types of applications that can run on IIS 6 are ASP, ASP.NET, ISAPI, and CGI. The procedure for creating ASP applications and ASP.NET applications are the same. A few advantages of using ASP.NET rather than ASP are listed below:

ASP.NET supports XML Web Services, the .NET class library and Web Forms. ASP.NET is easier to deploy and to debug than ASP. You do not have to restart the Web server when you deploy ASP.NET applications. ASP.NET also has a tracking feature which can be used for application debugging. ASP.NET can cache both portions of pages, and entire pages. ASP.NET executes in compiled code, and its configuration settings are formatted in XML and stored in text files. This in turn increases performance of Web applications and makes it easier to configure. ASP.NET can automatically detect memory leaks and deadlocks, and attempts to automatically recover from these states.

To install and enable ASP.NET, 1. Click Start, Control Panel, and click Add/Remove Programs. 2. Click Add/Remove Windows Components, click Application Server in the Windows Components dialog box, and then click the Details button. 3. Click ASP.NET 4. Click OK. 5. To refresh the IIS Manager, push F5 6. ASP.NET should now be included in the Web Service Extensions node of the IIS Manager. 7. If ASP.NET is listed with the Prohibited status in the Web Service Extensions node, right-click ASP.NET, and select Allow.

109

An application pool called DefaultAppPool is created under the Application Pools node in IIS Manager if IIS is running in the worker process isolation mode. When you right-click DefaultAppPool, you can open the properties sheet for the pool, stop or start the application pool, recycle the worker pocess of the application pool, or save the application pool configuration to a XML file. To create additional application pools, 1. Open the IIS Manager. 2. Right-click the Application Pools node in the console tree, and select New and then Application Pool from the shortcut menu. 3. When the Add New Application Pool dialog box opens, enter a name for the new application pool. 4. You can specify whether the default settings should be used for the new pool, or you can specify that the settings of an existing pool be used for the new application pool. 5. Click OK To assign an application to an application pool, 1. 2. 3. 4. 5. Open the IIS Manager Right-click the appropriate node in the console tree, and click Properties on the shortcut menu. Click the Home Directory tab. Select the application pool from the Application Pool list. Click OK

Installing IIS 6.0


Planning for IIS 6 Deployment
Before you can deploy IIS 6 Web servers within your enterprise, you first need to install Windows Server 2003 or upgrade to Windows Server 2003. Only after Windows Server 2003 is deployed, are you able to install IIS 6 in your environment. Therefore, the majority of planning activities for an IIS 6 installation involves planning for, and deploying the underlying Windows Server 2003 operating system (OS). There are a few ways to install Windows Server 2003, and therefore IIS 6 in your network. For instance, you could use the Windows Server 2003 product CD, use Microsoft Systems Management Server, install from a network distribution point, or install via disk imaging with Sysprep.exe and Sysprep.inf. Before installing Windows Server 2003 (IIS 6), you need to determine which deployment method suits your current situation. In addition to deciding on a deployment method, a number of planning issues or considerations needs to be addressed with regard to deploying Web servers within your network. This is true for both upgrades and clean installations. The factors that should be addressed when planning deployment of your Web servers are listed below:

Determine the Windows Server 2003 Edition to deploy Determine whether a clean installation or an upgrade should be performed Determine which backups should be performed so that if necessary, you can rollback the upgrade. 110

Address any hardware issues,

networking issues, licensing issues, and security needs.

The manner in which you handle and address the before mentioned issues, are greatly impacted by the specific Web server configuration you want to implement, and what your current situation is. A few scenarios are illustrated below, and could be specific to what you need to achieve, or what your current situation is:

Upgrading each server running Windows NT or Windows 2000 to Windows Server 2003. Upgrading existing IIS 4 or IIS 5 Web servers to IIS 6. Whether the deployment would take place once off, or in stages. Whether you have a workgroup security mode, or a domain based security model. Whether Active Directory is already deployed or not.

When deciding on which Windows Server 2003 edition to deploy, incorporate the factors listed below:

Understand the features available with each Windows Server 2003 Edition. Some features, such as using Active Directory or Cluster Services, are not available features of all Windows Server 2003 Editions. Determine the hardware requirements of the Windows Server 2003 Edition which you want to deploy. Each Windows Server 2003 Edition has its own individual hardware requirements. If you are currently running Windows NT or Windows 2000, you need to determine which upgrade path exists to the Windows Server 2003 Edition that you want to deploy.

As with any deployment, deploying IIS 6 has several issues and requirements that need to be addressed. To ensure that you encompass, and address all deployment specific issues and requirements, you should formulate a deployment plan. At a high level, a typical deployment plan includes the following stages:

Determine what upgrade you need to perform, and how you are going to perform the upgrade (once off, in stages) Design your systems to suit the deployment you want to implement, while including requirements of the business. Thoroughly test your system design Perform the actual live deployment. Test your end result.

An expansion of the deployment plan would include the factors listed below.

Your deployment plan should be documented, and should detail clear objectives. Each person in the deployment team should be allocated with specific responsibilities. Investigate and document your existing network, in respective of:

Hardware and software Roles, security groups, users, and permissions

When deciding on a deployment method, select a method suited with your business requirements, and existing resources. Establish a testing environment, or test lab that closely mirrors your production environment, with respect to hardware, software, typical user permissions, expected traffic load, and so forth. 111

When testing your implementation, test for both hardware and software compatibility. Document the results of each test phase. Plan to test after production deployment has occurred.

Deployment Tools
A few deployment tools that you can use to install IIS 6 are listed below:

Windows Server 2003 product CD: The Windows Server 2003 CD can be used to install and upgrade to IIS 6. This CD also comes in handy when you need to use the Recovery Console or Automated System Recovery to repair corrupted OS files. If you want to install IIS 6 over the network, you would need to copy the installation files from the Windows Server 2003 CD to the shared distribution point. Setup.exe: Setup.exe is included on the Windows Server 2003 product CD, and is used to upgrade Windows NT 4 Server or Windows 2000 Server to Windows Server 2003. Setupmgr.exe (Setup Manager): Setup Manager is used to create the answer files for the automated unattended installation method. If you want to perform the installation over the network, Setup Manager can be used to create a distribution point. Unattend.txt: Unattend.txt is an answer file, and can be used to automatically answer the Windows Server 2003 Setup prompts. Sysprep (Windows System Preparation): Used in the disk imaging installation method, to prepare the disk for imaging. Cmdlines.txt, used when deploying Windows Server 2003 through disk imaging.

Deployment Methods
There are both manual deployment methods and automated deployments for installing Windows Server 2003, and thus IIS 6. To install Windows Server 2003 and IIS 6 manually, an administrator has to be present when the actual installation is performed. The deployment methods common to a manual deployment of Windows Server 2003 are:

Upgrade to Windows Server 2003 using the Windows Server 2003 product CD: This deployment method involves using the Windows Server 2003 CD, inserting it directly in the CD- ROM drive, and following the prompts of the installation wizard. You can alternatively perform the upgrade over the network. This involves copying the Windows Server 2003 CD to a shared network folder, called a distribution point. You can also use a self created custom bootable CD. The Windows Preinstallation Environment (WinPE) tools are used to create the CD that you can then use to perform a custom manual deployment.

The deployment methods common to an automated deployment of Windows Server 2003 are:

Perform an unattended installation of Windows Server 2003: This deployment method can only be used for clean installations of Windows Server 2003, and therefore IIS 6. For an unattended installation, you need to create an answer file, which basically answers all the prompts of the Setup program. To create an answer text file, 112

Use the Setup Manager tool, Setupmgr.exe, included in the Support Tools folder of the Windows Server 2003 CD. Use the unattend.txt file in the \I386 folder of Windows Server 2003 CD, and customize it.

Another automated deployment method which you can use is Remote Installation Services (RIS). RIS can be used for server and client machines, and particularly for mass deployments. You can also use Microsoft Systems Management Server ( SMS)to deploy IIS 6 Web servers. It can be used to pgrade both Windows NT and Windows 2000 servers to Windows Server 2003. You can also distribute updates and patches through SMS. The disk imaging method can be used as an automated method for deploying any edition of Windows Server 2003. Disk imaging is best suited when you have a large number of quite similar hardware and software, and you want to perform a fast deployment. The requirements of a disk imaging deployment are:

A disk imaging program The Windows System Preparation tool, Sysprep.exe

The steps common to disk imaging deployment are:


o

Install a system which has the same operating system and configurations which you want to copy. Run the Windows System Preparation tool, Sysprep.exe, on the system. This is to prepare the disk for imaging. Use the disk imaging program or tool to create an image of the disk which you prepared using Sysprep.exe. Copy the image to the appropriate machines. You can burn the image to CD or you can copy it to a network distribution point.

Common IIS 6 Planning Issues


A few IIS 6 specific considerations that should be thought through are discussed in the subsequent section of this Article. IIS 6 has to be manually installed after you installed Windows Server 2003. This statement is true for Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, and Windows Server 2003 Datacenter Edition. The only Windows Server 2003 Edition that automatically enables IIS 6 is the Web Edition. When upgrading existing IIS 4 or IIS 5 Web servers to Windows Server 2003, both IIS 4 and IIS 5 are however automatically upgraded to IIS 6. After Windows Server 2003 is installed, for all editions of Windows Server 2003 other than the Web Edition, you can install IIS 6 by using one of the methods listed below:

You can install IIS 6 from the Configure Your Server Wizard. When you first log on after Windows Server 2003 is installed, the Manage Your Server Wizard is initiated. To start the Configure Your Server Wizard, choose the Add Or Remove A Role link. You next have to follow the prompts of the Configure Your Server Wizard to install the Application Server (IIS, ASP.NET) option, and select or disable IIS components.

113

You can alternatively use Add/Remove Programs of Control Panel to manually select the IIS 6 components that you want to install. To do this, click Start, Control Panel, Add/Remove Programs, Add/Remove Windows Components, and click Application Server. Select the Details button, and specify the IIS 6 components for the installation. For automated installation, include IIS 6 in the answer text file.

Because IIS 6 installs in locked down mode by default, you manually have to enable certain configuration settings so that ASP.NET applications can function properly. You can do this via the Web Service Extensions (WSE) node in the IIS Manager console tree. As part of your planning phase, determine which configuration settings you need to enable so that applications can perform properly, and be available to clients. When upgrading from IIS 5 to IIS 6, test that any user developed applications which were developed for IIS 5 operate correctly on IIS 6. As part of your planning, test that your IIS 5 applications function correctly when run in the worker process isolation mode. This is the preferred application mode in IIS 6. You might though need to run applications that do not function properly in IIS 5 isolation mode on IIS 6.

When upgrading from IIS 4 or IIS 5 to IIS 6, the default application mode is IIS 5 isolation mode. When a clean installation is performed, the default application mode is worker process isolation mode.

A few other factors to consider and that should be addressed when planning for IIS 6 are listed below:

To Develop and run dynamic web applications, you have to manually install ASP.NET components after IIS 6 is installed. To have users manage content on the Web server through Microsoft FrontPage, you have to manually install FrontPage Server Extensions. To use sample web applications and scripts, you have to manually install them.

How to install IIS 6 using the Configure Your Server Wizard


After Windows Server 2003 Setup has completed, when you first log on to the machine, you are presented with the Manage Your Server Wizard. Before selecting to use the Wizard, if prompted, you can select to change display settings, screen resolution, and color depth settings. You could also be prompted to activate Windows Server 2003. Nonetheless, you can select the Manage Your Server Wizard to navigate to, and launch the Configure the Server Wizard to install IIS 6. The directories listed below are created during the installation of IIS 6:

\Inetpub\wwwroot, is the home directory of the default website site. \Inetpub\AdminScripts, includes scripts for IIS management tasks executed from the command line. \Windows\Help\IISHelp, includes IIS help documents. \Windows\System32\InetSrv, holds the IIS executables, component DLLs, and scripts for IIS administration tasks executed from the command line. \Windows\System32\InetSrv\History, holds the metabase history files. \Windows\System32\InetSrv\MetaBack, holds the metabase backups.

To install IIS 6 using the Configure Your Server Wizard, 1. In the Manage Your Server window, click Add Or Remove A Role. 114

2. The Configure Your Server Wizard starts. 3. The Preliminary Steps screen is a warning screen that prompts you to verify that the requirements for the installation have been met. Click Next. 4. The OS tests the network connections configured on the machine before the Wizard displays the following screen. 5. On the Configuration Options screen, choose one of the following options:

Typical configuration for a first server: You would choose this option to install the server as a domain controller, and to install the Active Directory directory service, DNS service, and DHCP service. Custom Configuration, This option should be selected to install IIS 6 on the server.

Click Next. 6. On the Server Role screen, choose Application Server (IIS, ASP.NET) as the role which you want install on the server. From this screen, you can also select to install Terminal, Print, DNS, and DHCP services. Selecting the Application Server (IIS, ASP.NET) option, installs IIS, ASP.NET and additional components so that the server can host websites and FTP sites. Recall from earlier discussions in this Article, that you can only by default access static HTML content. If you want to develop and run dynamic content, you have to enable this. Click Next. 7. On the Application Server Options screen, you can select that these optional components be installed:

FrontPage Server Extensions, for users to develop Web content and publish Web content on the IIS machine via Microsoft FrontPage or Microsoft Visual Studio. Microsoft Data Engine, for hosting SQL databases on the IIS machine Enable ASP.NET: This option is enabled by default. ASP.NET is the scripting utilized for running IIS applications. framework

Click Next. 8. The Summary of Selections screen displays a summary of the components which you selected for installation. Verify that the correct items are listed on this screen. The Enable COM+ for remote transactions option is automatically added. Click Next. 9. The installation process now commences. You would either have to insert the Windows Server 2003 CD, or indicate the location of the installation files. The Application Selections screen is displayed, the Configuration Components window appears, and the necessary files are copied. After IIS 6 is installed, you can use Add Or Remove Programs in Control Panel to check which IIS 6 components have been installed. The components installed under Application Server would typically include:

Application Server Console ASP.NET Common Files Enable network COM+ access Enable network DTC access 115

Internet Information Services (IIS) Internet Information Services Manager World Wide Web Service

How to install Windows Server 2003 Web Edition over the network (clean install)
To install Windows Server 2003 Web Edition from a network distribution point, you would first have to copy all the necessary installation source files for the Web Edition to the particular network distribution point. To perform a clean install of the Web Edition, you have to create a network boot disk so that you can boot the machine from a floppy, and connect to the shared network distribution point. You would then have to run Winnt32.exe to perform the actual installation. As mentioned, your first task is to create a shared distribution point before you can install Windows Server 2003 Web Edition over the network. You can do this by inserting Windows Server 2003 Web Edition CD in the CD-ROM drive of a file server, copying the I386 folder (including its content) to the hard drive, and then sharing the folder. The next step is to create the network boot disk from which you will boot the target machine. After you created the network boot disk, insert it into the target machine. Proceed to specify the necessary password of the Administrator account for the file server on which the shared distribution point resides. After a connection is established with the distribution point; the Text Mode component of Windows Server 2003 Setup initiates. The installation files are then copied to the hard drive of the target machine. After restarting the machine, you can choose that Windows Server 2003 be installed on an The GUI mode component of Windows Server 2003 Setup starts after another restart. NTFS partition.

How to install IIS 6 using Add/Remove Programs in Control Panel


You can use Add/Remove Programs in Control Panel to select the IIS components you want to install. 1. Click Start, Control Panel, and click Add/Remove Programs. 2. Click Add/Remove Windows Components in the Add Or Remove Programs dialog box. 3. Click Application Server in the Windows Components dialog box, and then click the Details button. 4. The Application Server dialog box next appears. This is where you select the IIS components which you want to install. The World Wide Web Service is by default selected. 5. If you want to configure settings individually, select the item, and then select the Details button. 6. If you want to administer IIS 6 from the GUI, select Internet Information Server Manager. 7. After selecting your components, click OK. 8. When the Insert Disk dialog box appears, insert the Windows Server 2003 CD in the CD-ROM drive, and click OK. 9. An installation confirmations screen is displayed after the IIS installation is completed.

How to install IIS 6 using the unattended installation method clean install
116

The unattended installation method is usually utilized to install IIS 6 on multiple computers. As the term used to describe the installation method indicates, no manual user intervention is required. An unattended installation consists of preparing an answer file which the OS automatically applies. The answer text file contains all the configuration settings which should be applied during the installation o IIS. Once the answer file is ready, you can run winnt32.exe or the sysocmgr.exe command-line utility with your answer file as the parameter. The tools included on the Windows Server 2003 CD under the Support folder can be used for deploying Windows Server 2003 through automated deployment methods. These include:

Setup Manager, Setupmgr.exe: Setup Manager can be used to create your answer file and the distribution points for an unattended installation of IIS 6. Deploy.chm, a help file that holds the Windows Corporate Deployment Tools User Guide. Ref.chm, defines the different answer files which can be created via the Setup Manager tool.

How to run the Setup Manager tool To run Setup Manager, you have to first copy the tool from the Windows Server 2003 CD to the hard drive of the file server containing the shared distribution point. Open Setupmgr.exe to start Setup Manager. Proceed to complete the screens displayed by the Wizard. The Windows Server 2003 CD has to be inserted in the CDROM drive. The options that you should select on the various screens displayed by the Wizard are listed below

New Or Existing Answer File: Create New Type Of Setup: Unattended Setup Product: Select the Windows Server 2003 product that you want to install User Interaction: Fully Automated Distribution Share: Create A New Distribution Share Location Of Setup Files: On The CD Distribution Share Location: Accept the default location, or specify the proper location. License Agreement: Choose the checkbox that accepts the license agreement.

The main Setup Manager window appears after the preceding options have been selected. The information prompted for next is specific to creating an answer file for an unattended installation of IIS 6. The options that should be specified for the various configuration options displayed on the ensuing screens are listed below:

Name And Organization: Enter your name and the name of your organization in the Name and Organization text boxes. Display Settings: Change the display settings, or accept the Windows Default option. Time Zone: Select the time zone. Product Key: Provide the 25 character product key Licensing Mode: Specify the licensing mode which you want to use. Computer Names: Enter the name of the target computer(s). Administrator Password: Provide the Administrator password. Select to have the password encrypted in the answer file. 117

Network Components: Select Custom, and provide the following:


IP address Subnet mask Default gateway

DNS server

Workgroup Or Domain: Specify the appropriate option Windows Components: Choose the World Wide Web Service Telephony: Leave not specified. Regional Settings: English (United States). Languages: Accept or change the default settings Browser and Shell Settings: Accept or change the default settings

Installation Folder: Accept or change the default setting Install Printers: Leave not specified, or specify the appropriate settings. Run Once: Leave not defined, or specify the appropriate setting Additional Commands: Leave not specified, or specify the appropriate setting.

After clicking Finish, you are prompted to specify the name for the answer file, and the location to which the answer file should be saved. After providing this information, the Setup Manager copies the installation source files to the shared distribution folder. You next have to prepare the network boot disk for the unattended installation. After this, insert the network boot disk, and start the machine. A connection is established to the shared distribution point, and the installation of Windows Server 2003 and IIS 6 commences. The IIS components installed can be viewed in Add Or Remove Programs in Control Panel. The components listed under Application Server should include:

Enable network COM+ access Internet Information Services (IIS): Common Files, Internet Information Services Manager, World Wide Web Service

How to perform an upgrade from IIS 4 to IIS 6


Use the steps below to directly upgrade to II6 1. Place the Windows Server 2003 product CD in the CD-ROM drive. 2. Choose the Check System Compatibility option. This is necessary to verify that your existing hardware supports the upgrade to IIS 6. 3. Click OK if the system compatibility check is successful. 4. Choose the appropriate Windows Server 2003 Edition. 118

5. On the Welcome To Windows Setup screen, ensure that Upgrade (Recommended) is specified as the Installation Type. 6. Accept the license agreement. 7. Insert the 25 character product key. 8. The installation files are copied next. 9. After the upgrade is completed, log on as an Administrator. 10. The Manage Your Server Wizard starts, and indicates whether Windows Server 2003 is running in Application Server role or in File Server role. 11. The application mode enabled by default is IIS 5 isolation mode To verify which IIS 6 components are installed, and to install additional IIS 6 components, 1. Click Start, Control Panel, and click Add/Remove Programs. 2. Click Add/Remove Windows Components, click Application Server in the Windows Components dialog box, and then click the Details button. 3. The Application Server dialog box next appears. This is where you select the IIS 6 components which you want to install. 4. Click Internet Information Services (IIS) and click the Details button. 5. Click World Wide Web Service. 6. Select all other IIS components which you want to install. 7. Click OK.

IIS 6 Installation Best Practices


A few best practices for installing IIS are:

It is strongly recommended to install IIS 6 on an NTFS partition. If the existing partition is formatted with the FAT32 file system, upgrade it to a NTFS partition when you install or upgrade to IIS 6. If you need to install IIS 6 on numerous machines, it is best to use the automated unattended installation method. If you need to install multiple application server components, use the Configure Your Server Wizard to do so.

IIS Performance Monitoring and Tuning


Monitoring IIS Performance in Windows Server 2003
The primary performance monitoring MMC snap-ins and tools used for monitoring Windows Server 2003, and IIS are:

119

System Monitor: The System Monitor is the one of the main MMC snap-ins used to monitor system performance. This was previously the Performance Monitor tool in Windows NT. The name change to System Monitor occurred in Windows 2000. Through System Monitor, you can monitor various elements of the performance of a server, and you can collect and view real-time data or you can view historically collected data. System Monitor can be displayed in a graph, histogram, or report format. System Monitor uses objects, counters and instances to monitor the system. An object can be described as a collection of counters that is associated with a system resource or service which produce the data you can assess. When an object executes a function, its associated counters are updated. A counter can be regarded as a data reporting component in an object. The counter represents data for a particular component of the system or service. An instance refers to the incident of multiple performance objects of the identical type on a computer. An object can have one or multiple instances.

You have to be a member of one of the following groups to use System Monitor:
o o o o

Administrators Server Operators Performance Monitor Users Performance Log Users

To open System Monitor,


o o

Click Start, Run, enter perfmon.exe in the Run box, and click OK. Click Start, Administrative Tools, Performance, and then click System Monitor.

A few of commonly monitored objects include,


o o o o o o o

Processor Memory Logical Disk Physical Disk DNS DHCP Server Network interface 120

Web service

To add counters in System Monitor,


o o o

Open System Monitor Click Add to open the Add Counters dialog box. You can choose the Use Local Computer Counters option to monitor the local computer, or you can choose the Select From Computer option. When you use the latter option, you can select a computer from the list and choose counters for that particular computer. Choose the performance object from the list. You can click the All Counters option to monitor all counters associated with the object, or you can click the Select Counters From List option to individually select counters. Click the All Instances option to track all instances, or alternatively click the Select Instances From List option to individually select instances. Click the Add button to add the counters.

o o

Performance Logs and Alerts: You can create counter logs and trace logs, and configure alerts by using Performance Logs and Alerts. Any created logs can be viewed through System Monitor, or exported to a database or spreadsheet. Because performance logging runs as a service, a user does not need to be logged on to the computer being monitored to collect data. You can view data while it is being collected, or after the data has been collected. You can define an alert for a counter to initiate an action when the counter value surpasses or drops below a predefined setting. Counter logs are used to record system performance data at specified intervals. Trace logs are used to record comprehensive system events after the particular event occurred.

To access Performance Logs and Alerts,


o

Click Start, Administrative Tools, Performance, and then expand Performance Logs And Alerts.

Task Manager: If you want to view all applications and processes running on a Windows Server 2003 computer, and view a few common performance measures, you should use Task Manager. You can Task Manager to view system activities such as active applications and processes, memory and CPU usage of processes, and the users who are currently logged on to the server. You can also view a number of memory and network usage statistical information. 121

To open Task Manager, use of the methods listed below:


o o o

Click Start, Run, enter taskmgr.exe in the Run box, and click OK. Press Ctrl + Alt + Delete and select the Task Manager button. Right-click an empty section of the taskbar, and then click Task Manager.

Network Monitor: You can use Network Monitor to monitor network traffic, and to troubleshoot network issues or problems. You can also use Network Monitor to gather network information that can be used in capacity planning efforts, and to establish baselines. Network Monitor shipped with Windows Server 2003 allow you to monitor network activity and use the gathered information to manage and optimize traffic, identify unnecessary protocols, and to detect problems with network applications and services. In order to capture frames, you have to install the Network Monitor application and the Network Monitor driver on the server where you are going to run Network Monitor. Network Monitor saves captured data to a temporary capture file that you then save with a .CAP extension. This enables captured data to be examined in Network Monitor. You can design a capture filter to capture only specific frames, or you can configure it to respond to a specific condition.

To install the Network Monitor Driver : 1.

1. Open the Network Connections folder 2. Right-click Local Area Connection, and select Properties 3. When the Properties dialog box is displayed, click the Install button. 4. When the Select Network Component Type dialog box is displayed, click the Component list, and click the Add button 5. When the Select Driver. 6. Click OK.
To install the Network Monitor application 1.

Protocol in

Network Protocol dialog box is displayed, click Network Monitor

1. Click Start, click

Control Panel, and click Add or Remove Programs

2. When the Add Or Remove Programs dialog box is displayed, click Add/Remove Windows Components 3. This initiates the Windows Component Wizard 4. Select Management and Monitoring Tool, and click the Details button 122

5. Select the Network Monitor Tools check box, and click OK 6. Click Next and Click Finish

Web Application Stress Tool (WAST): You can use WAST to simulate the following:
o

Simulate the effect of multiple web browsers concurrently connecting to IIS to run applications Simulate the effect of multiple web browsers concurrently connecting to IIS to download Web content Simulate different loads so that you can determine the effect on the Web server.

When monitoring Windows Server 2003 and IIS, it is recommended to monitor counters for the following system resources, or objects:

Memory Processor Disk Network

The performance counters that you should enable for the above system resources to monitor IIS performance are listed below.

Memory: The counters useful for IIS monitoring are:


o o o o

Available Bytes, maintain over 20MB. Cache Bytes, a decrease could be indicative of IIS memory depleting Committed Bytes, maintain beneath 75 percent of physical memory. Page Faults/sec, consider adding additional RAM when hard page faults are degrading IIS performance. Pages/sec, maintain a low figure. You should consider supplementing RAM when the counter is over 80. Pool Nonpaged Bytes, if the counter gradually increases, verify that none of your applications have memory leaks.

Processor: The counters useful for IIS monitoring are:


o

% Processor Time, a processor bottleneck typically exists when this counter is over 80 for a continued time, and network usage is low. 123

Disk: The counters useful for IIS monitoring are:


o o o

% Disk Time, it is recommended to maintain a low value for this counter. Avg. Disk Bytes/Transfer, it is recommended to maintain a high value for this counter. Avg. Disk Queue Length, it is recommended to have a value of 4 or lower.

Network: The counter useful for IIS monitoring are:


o

Bytes Total/sec, the value should be checked to the bandwidth of the network card to determine if any network connection bottlenecks exist.

The performance counters of the WWW Service objects that you should enable to monitor the WWW service are listed below.

WWW Service: The counters useful for IIS monitoring are:


o o o

Bytes Total/sec, the counter value should be high File Cache Hits, for static content, the counter value should be quite high. File Cache %, a low counter value could possibly mean that you have to re-examine the design of your applications. ISAPI Extension, a drop of this counter during heavy load could mean that your application might be a bottleneck.

The performance counters of the Active Server Pages object that you should enable to monitor ASP are listed below.

Active Server Pages: The counters useful for IIS monitoring are:
o

Requests/Sec, a drop of this counter during heavy load could mean that your applications might be a bottleneck. Request Queued, maintain a low counter value Request Wait Time, the counter value should generally be low.

o o

Tuning IIS for Maximum Performance


One definite way to ensure maximum IIS performance and security is to have your servers running in the worker process isolation mode of IIS 6. This is the default application mode in IIS 6, where all the new architectural features of IIS 6 are enabled, including:

Application pools and worker processes provide the following key features: 124

CPU monitoring, Processor affinity, Health monitoring, Rapid-fail protection, Recycling, Startup and shutdown time limits, Queue length limits, and Idle timeout capabilities.

ASP.NET provide the following features for applications:


o

Improved performance over ASP applications, extensive programming language support, and XML integration.

To switch to worker process isolation mode, 1. Open the IIS Manager 2. Right-click the Web Sites node, and click Properties from the shortcut menu.

3. When the Web Site Properties dialog box opens, click the Services tab. 4. If you want to use worker process isolation mode, clear the Run WWW service in IIS 5 isolation mode checkbox. 5. Click OK. 6. Restart IIS

How to tune application pools through recycling


Recycling a worker process improves the reliability of IIS. Recycling is beneficial for faulty Web applications which are typically caused by memory leaks. Through recycling, you enable IIS to periodically restart worker processes which are currently servicing an application pool. You can configure recycling for a worker process using a number of criteria:

Once a predetermined number of minutes of inactivity have passed: The default setting is 1740 minutes. Once a worker process has serviced a predefined number of requests. The default setting is 35,000 connections. After the virtual memory usage by the worker process attains a specific threshold. At a specific time of the day

To manually recycle a worker process, 1. Open IIS Manager 2. Locate and right-click the application pool associated with the worker process, and select Recycle from the shortcut menu. To configure all worker processes in each application pool to recycle according to the same criteria, 125

1. Open IIS Manager 2. Right-click the Application Pool node in the console tree, and select Properties from the shortcut menu. 3. The Recycling tab is utilized for configuring recycling.

How to configure the idle timeout feature for all application pools
Through the idle timeout feature, you can enhance web server performance by enabling IIS to shut down idle worker processes. Enabling the idle timeout feature assists in eliminating system resource wasting that normally occurs when worker processes run idly. It allows you to better manage system resources, preserve resources so that they are available when needed, and free up resources. To enable the idle time feature, 1. Open IIS Manager 2. Right-click the Application Pool node in the console tree, and select Properties from the shortcut menu. 3. Click the Performance tab. 4. In the Idle Timeout area of the Performance tab, enable the available checkbox and specify the inactivity time duration after which the worker process should shut down. The default setting is 20 minutes. 5. Click OK.

How to enable the Request Queue Limits, CPU Monitoring, and Web Gardens features to improve IIS performance

A lengthy request queue can result in clients considering the performance of the IIS server as being slow. To prevent this from happening, you can limit the request queue for applications in an application pool. This feature is configured on the Performance tab of the Application Pool's Properties window. You can enable CPU monitoring to track the usage of CPU by the worker processes of an application pool. You can also configure IIS to shut down the worker processes of the application pool when their CPU usage has exceeded a specified threshold. This feature is also configured on the Performance tab of the Application Pool's Properties window. Web Gardens, another IIS feature, improves IIS performance by allowing multiple worker processes to service one application pool. When a worker process fails, the remainder of the worker processes continue to service the application pool.

To configure the Request Queue Limit, CPU Monitoring, and Web Garden features, 126

1. Open IIS Manager 2. Right-click the Application Pool node in the console tree, and select Properties from the shortcut menu. 3. Click the Performance tab. 4. Enable the checkbox under the Request Queue Limit section of the Performance tab, and set the appropriate limit. 5. Enable the checkbox under the CPU Monitoring section of the Performance tab, and specify the fitting setting value. Specify the action that IIS should take when the specified CPU usage level is exceeded. 6. Enable the Web Garden feature by selecting a value greater than one in the Web Gardens area of the Performance tab. A value of one indicates that the Web Garden feature is disabled. 7. Click OK.

How to configure Health Monitoring features

You can enable health monitoring for worker processes to determine whether they are functioning correctly. Health monitoring is enabled by selecting the Enable Pinging checkbox on the Health tab of the Application Pool's Properties window. Rapid-fail protection is another IIS feature that enables you to detect when multiple worker processes associated with an application pool are performing incorrectly. You enable rapid-fail protection by selecting the Enable Rapid-Fail Protection checkbox on the Health tab of the Application Pool's Properties window. To configure the feature, you would need to specify how many worker process failures need to occur, and in how many minutes; before IIS shuts down the application pool which the worker processes are servicing. You can also configure Startup Time Limit and Shutdown Time Limit settings on the Health tab for worker processes that are not running as they should. The Startup Time Limit value indicates the time interval in which another worker process should replace an unhealthy worker process. The Shutdown Time Limit value indicates the time in which an unhealthy worker process can shut itself down, before IIS forcefully terminates it.

The Quality of Service (QoS) features of IIS


The various listed below:

QoS features of IIS which you can enable and configure to tune IIS performance are

HTTP Keep-Alives: This feature allows you to maintain TCP connections between the Web server and a client for a specified duration.

To enable or disable the HTTP Keep-Alives QoS feature, 1.

127

1. Open the IIS Manager. 2. Right-click the Web Sites node and select Properties on the shortcut menu. 3. When the Web Sites Properties dialog box opens, click the Web Site tab. 4. To enable HTTP Keep-Alives, check the Enable HTTP Keep-Alives checkbox. 5. To disable HTTP Keep-Alives, clear the Enable HTTP Keep-Alives checkbox. 6. Click OK.

Connection Timeouts: Connection timeouts and HTTP Keep-Alives are basically interconnected features. Connection timeouts allow IIS to claim back resources when connections are idle. You can enable connection timeouts by setting the Connection Timeout value on the Web Sites Properties windows and then enabling HTTP Keep-Alives. Connection timeouts can be configured at the following levels:
o o

Global level for Web sites and FTP sites. For each individual Web site and FTP site

HTTP Compression: If you have limited bandwidth, or you need to more effectively us your existing bandwidth, you should consider enabling HTTP compression. HTTP Compression can be used to compress static HTML files and dynamic response content for web browsers that support HTTP compression. HTTP compression is supported by:
o o o

Internet Explorer 4 or above Netscape Navigator 4.5 or above Opera 5 or above

To enable HTTP Compression, 1.

1. Open the IIS Manager. 2. Right-click the Web Sites node and select Properties on the shortcut menu. 3. When the Web Sites Properties dialog box opens, click the Services tab. 4. If you want to compress dynamic content, click the Compress Application Files checkbox. 5. If you want to compress static files, click the Compress Static Files checkbox. 6. Click OK. 128

Limiting Connections: You can also limit the number of simultaneous connections which IIS allows on the Performance tab of the Properties window for a website, and on the FTP Site tab on the Properties window for an FTP site. The default setting for Limiting Connections for websites is Unlimited. This means that IIS allows allincoming connections by default. For FTP sites, the default setting is that connections is limited to 100, 000 simultaneous connections. To assist in deciding on the connection limit that you should configure, monitor the Current Connections, Maximum Connections, and Total Connection Attempts counters for the WWW service and the FTP service. Bandwidth Throttling: This feature of IIS allows you to specify the quantity of network bandwidth IIS can consume, and the quantity of network bandwidth each individual website can consume. It is recommended to enable Bandwidth Throttling if the IIS machine uses over 50 percent of available network bandwidth. Bandwidth throttling can be enabled and configured on the Performance tab on a Properties window for a website. The recommended setting is 1024 kilobytes/second.

How to tune the IIS metabase


The properties of the metabase which affect IIS performance, and the performance of ASP.NET, ASP and ISAPI applications which you can configure to tune IIS performance are:

AppAllowDebugging: This property should be set to False so as not to negatively impact application performance, and should only be set to True on development servers. Enabling the AppAllowDebugging property results in IIS application threads being serialized. AspScriptEngineCacheMax: For websites that are large, it is recommended to increase the AspScriptEngineCacheMax property's value to increase the number of scripting engines ASP caches in memory. AspScriptFileCacheSize: It is strongly recommended to enable ASP caching to increase the performance of your ASP applications. AspQueueConnectionTestTime: It is recommended to set the value of this property to only a few seconds, to compel the IIS server to verify that the client is indeed connected, prior to it servicing his/her request. AspBufferingOn: This property should be set to False so that application output is saved prior to flushing to clients. CacheISAPI: This property should be set to True to improve performance by caching ISAPI extensions in memory.

How to tune Registry settings to improve IIS performance


While the majority of IIS configuration information is stored in the metabase, there are still a few IIS settings which are stored in the Registry. The Registry settings which you can tune to improve IIS performance are discussed below. 129

The Registry settings located under HKLM\SYSTEM\CurrentControlSet\Services\ Inetinfo\Parameters are:


o

CacheSecurityDescriptor: Do not change the default value of 1 for this setting because it means that the caching of security descriptors for file objects is enabled. This in turn quickens the retrieval of cached content when an authentication method other than Anonymous access is utilized. CheckCertRevocation: For production servers which are not being utilized for intranet environments, the CheckCertRevocation setting's value should be 0 (disabled). DisableMemoryCache: A setting of 0 enables static file caching. ListenBackLog: Tune this setting's value according to the load of the server. MaxCachedFileSize: Tune this setting's value according to whether or not your server is servicing clients with large files (images or video clips) MemCacheSize: If you set the value of the setting for the cache size, then IIS no longer controls the cache size dynamically. MaxPoolThreads: This setting determines the number of pool threads that can be created for each processor. It is recommended to not set this value to more than 20. MinFileBytesPerSec: Change the setting to limit the time in which the client has to receive a response. ObjectCacheTTL: The value of this setting determines the time duration for which objects are stored in the static file cache.

o o o

The Registry settings located in KLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters are:


o

UriMaxCacheMegabyteCount Through the value of this setting, you can tune the performance of Http.sys. A default setting of 0 allows Http.sys to determine what memory the cache utilizes. UriScavengerPeriod: This setting controls how often the URI cache scavenger removes stale entries. The default value is 120 seconds.

The Registry setting located in HKLM\SYSTEM\CurrentControlSet\Services\ASP\Parameters is:


o

DisableLazyContentPropagation: It is recommended that the value of the DisableLazyContentPropagation key be left at its default value of 0. This prevents the Web server from failing when a large quantity of content needs to be updated.

The Registry setting located in HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters is: 130

UploadReadAhead: This setting determines how much request data IIS accepts prior to forwarding it to a particular application. Increase this value according to the amount of RAM on the server.

Common Server Tuning Methods for Tuning the IIS machine


A few common methods that should be considered to tune the performance of the IIS machine:

Consider using a SMP-capable to improve processing power.

motherboard so that you can easily add a CPU if you need

If you are using Windows Server 2003, use its capability of effectively defragmenting drives to ensure that the disk subsystem performs efficiently.

NTFS

Consider setting a large enough fixed paging file size, and distributing the paging file over multiple drives. This also assists in improving performance of the disk subsystem. You should consider using a hardware RAID solution over software RAID. Software RAID solutions place an additional burden on the processor subsystem. If your Web servers host e-commerce sites, consider using Windows clustering and network load balancing (NLB). The simplest method which can be used to improve the performance of your IIS machine is to add additional RAM. You should also maximize data throughput so that your RAM is being utilized efficiently. You enable Maximize Data Throughput using Control Panel. A few benefits of enabling Maximize Data Throughput is SMP scalability on multiprocessor machines, improved networking performance, and support for a larger amount of physical memory

To enable Maximize Data Throughput, 1.

1. Open Control Panel 2. Click Network Connections, and then select Local Area Connection 3. Click the General tab, and then click Properties. 4. When the Local Area Connection Properties dialog box opens, select File and Print Sharing for Microsoft Networks, and then click Properties. 5. Select the Maximize Data Throughput for Network Applications option. 6. Click OK. 131

IIS logging depletes processor, disk and memory resources. You should therefore not extensively enable IIS logging. Before enabling remote logging, be sure to check for any performance impacts. Remote logging is definitely slower. It is recommended to not enable ODBC logging because it disables IIS caching. kernel-mode

When using virtual directories, use the local IIS machine over mapping them to a share located on a remote server. Use the FTP user isolation feature with caution. It is recommended to use a separate IIS machine for FTP if you have to use FTP user isolation. Steer clear of using old CGI applications. A better solution would be to use ASP or ASP.NET applications. You should also use ISAPI extensions over ISAPI filters. It is recommended to rewrite any existing ISAP filters to operate as ISAPI extensions. You can save on your CPU resources by disabling content indexing if you are not applying user search pages.

Tuning the Performance of ASP, ASP.NET, and ISAPI Applications


A few common tuning methods which you can use for applications running on IIS 6 are:

You should use static HTML files because they utilize a lesser amount of memory and processor resources Because SSL to. encryption needs extensive CPU resources, only use it when you really have

You should configure expire headers for static HTML files and for image files.

Tune your ASP.NET applications for high performance by implementing the following best practices:

Caching should be enabled. All input validation should be performed on the client If it is not being utilized, disable Session State. It is recommended to store application session data out-of-process if are deploying web gardens and web farms. You should utilize stored procedures to access data on SQL servers. Do not use ad hoc queries. For VBScript code, utilize Option Strict. 132

You should trap exceptions rather than using it for directing program flow.

How to enable ISAPI caching to improve application performance on IIS 6: 1. Open IIS Manager 2. Open the Properties window for the website which contains the particular application. 3. Click the Home Directory tab. 4. Click Create to enter a name for the application if it needs one. 5. Click the Configuration button 6. When the Application Configuration Properties dialog box of the application opens, click the Mappings tab. 7. Select the Cache ISAPI Extensions checkbox. 8. Click OK.

Understanding and Managing SMTP Virtual Servers


Page Not Found!

133

You might also like