

— 4 —
Installing and Using Microsoft Internet Information Server

by Sanjaya Hettihewa


Microsoft Internet Information Server (IIS) is a Web, FTP, and Gopher server developed by Microsoft to exploit various capabilities of Windows NT and to publish content on the Internet. Compared to other Windows NT Web servers, IIS offers many unique features. IIS's security model is based on NTFS security permissions. This is a major advantage since the security of a Web site hosted with IIS can be easily managed using File Manager. Although at the time of this writing IIS is available only for Windows NT Server, a special version of IIS probably will be available for Windows NT Workstation by the time you read this. In Chapter 3, "Preparing Your System for IIS," you reviewed the preinstallation and configuring information; Chapter 4 discusses how you can install and use IIS to publish information on the Internet.

Installing IIS

Installing IIS is very easy. A copy of IIS is included on the Windows NT 4.0 distribution CD-ROM. If it is unavailable on CD-ROM, you should be able to download the latest version of IIS from Microsoft's Internet Information Server Web page. After you download IIS, copy it to a temporary directory and decompress the archive by running the downloaded executable with the -d argument. This extracts the contents of the IIS distribution archive into various subdirectories. You can skip this step if the file SETUP.EXE is in the CD-ROM's IIS directory.


Note: You can get the most up-to-date information about Microsoft Internet Information Server from the official Internet Information Server Web page by visiting the following URL:

http://www.microsoft.com/InfoServ


Caution: Before you continue to install IIS, it is a good idea to make sure that no other Web servers are running on port 80 of your NT Server. If you already have a Web server installed and you want to continue using it, change its port to a different port number so that the installation program won't have any problems binding IIS to port 80 (the default port for HTTP). The same applies to FTP. If you want to use the FTP server included with IIS, stop the Windows NT FTP service using the command

net stop "FTP Server"

When SETUP.EXE is executed, the installation program presents you with a dialog box similar to the one shown in Figure 4.1. Using this dialog box, you can select various IIS components to be installed. It is highly recommended that you make sure the Internet Server Manager checkbox is checked. If it is not checked, you will have to use the Windows NT Registry to make changes to IIS. If you have already installed ODBC drivers on your system, you may deselect the ODBC Drivers and Administrator check box. The same applies to Microsoft Internet Explorer.


Figure 4.1. Installing various components of IIS.

If you want to change the default directory in which IIS is installed, click Change Directory and specify another directory using the Select Directory dialog box, as shown in Figure 4.2. For security purposes, it is highly recommended that you install all IIS components in an NTFS partition.


Figure 4.2. Installing IIS on an NTFS partition.

Click the OK button shown in Figure 4.1 to continue. Next, you must specify root directories for all three Internet publishing services (WWW, FTP, and Gopher) by using the Publishing Directories dialog box, as shown in Figure 4.3. These three directories do not have to be sister subdirectories. However, you might find it easier to manage the directory structure if they are sister subdirectories. Be sure to specify directories in an NTFS partition because IIS uses NTFS security. Click the OK button to proceed to the next dialog box.


Figure 4.3. Specifying directories to be used as root directories by the FTP, Gopher, and WWW Publishing Service.

If you already have installed the NT FTP service (that's part of the NT TCP/IP utilities package), the IIS installation program asks whether you want to disable it, as shown in Figure 4.4. Because the FTP server that ships with IIS is more powerful and easier to administer than the FTP service that is part of the NT TCP/IP services package, you should allow the installation program to disable the previously installed FTP service. Note, however, that after the previously installed FTP server is disabled, you cannot restart it using the Services application in the Control Panel. The FTP Server included with IIS can be configured using the Internet Server Manager. Unlike the standard FTP server that's part of the TCP/IP services package, IIS FTP Server statistics can be logged to an ODBC data source. Performance Monitor can also be used to monitor IIS FTP Server statistics in real time. In addition, several useful configuration settings that have to be modified using the registry in the FTP Server that is part of the NT TCP/IP services package can be modified using an easy-to-use dialog box when using the FTP Server that's part of IIS.


Figure 4.4. Deciding whether to disable the FTP service included with the NT TCP/IP services package.

The Install Drivers dialog box prompts you to install the SQL Server driver, as shown in Figure 4.5. After this driver is installed, Microsoft SQL Server databases can be published on the Web using the Internet Database Connector. Click OK to continue installing IIS. Note that Microsoft SQL Server is required for a few sample ISAPI applications shipped with IIS.


Figure 4.5. The SQL Server Install Drivers dialog box.

After the SQL Server driver is installed, you see a message telling you that IIS is installed on your system. All Internet publishing services selected earlier now are ready for use.

At the end of the installation process, four new icons are added to the NT Start menu (see Figure 4.6). Soon, you will see how to use the "Internet Service Manager" to configure various aspects of IIS.


Figure 4.6. Adding four new icons to the NT Start menu.

It is possible to immediately begin publishing on the Web using the "Web Publishing Service" of IIS. If you connect to your computer at this point using a Web browser, you see a Web page that looks similar to the one in Figure 4.7. Use this Web page to familiarize yourself with how IIS works. Also, try out the CGI and database applications that ship with IIS. Be sure to check out the guest book application. It demonstrates how IIS's Internet Database Connector can be used to update and view a Microsoft SQL database. Although these applications are not production quality applications, they will give you some idea of how you can use IIS to interact with users browsing a Web site. At some point, you will need to change the default Web page shown in Figure 4.7 and replace it with one of your own Web pages.


Figure 4.7. The IIS default Web page.

If you look at User Manager (Administrative Tools folder of the Windows NT Start Menu), you will notice that the IIS installation program has created a new user account. Before you publish information on the Internet with IIS, it is crucial that you understand the importance of this account and how it is used by the IIS Web Publishing Service. As you can see in Figure 4.8, the full name of the account created for the IIS is Internet Guest Account. The name of this account depends on the name of your server. If the name of your server is INTERNET, for example, the name of the account created for the IIS is IUSR_INTERNET. This account is referred to as the Internet Guest account in this chapter.


Figure 4.8. Creating a new NT user account to be used by the IIS.

IIS File Permissions

It is important that you understand how IIS implements security and user authentication before you publish information with it. Controlling who has access to what files at your Web site is easy because IIS uses NTFS security. The Internet Guest account should have read permission for all public files that are freely available to users browsing a Web site without a user name and a password. Part of a Web site's directory structure can be restricted by revoking file and directory access from the Internet Guest account and giving it to users who are allowed to access files in a certain directory structure. Note that these users also should be assigned the Windows NT user right "Log on Locally." More information about this is included in the following section. When file-access permission is revoked from the Internet Guest account and is assigned to a few Windows NT users, a user name and a password that has enough permission to access the data must be supplied before IIS allows a browser to view the data. IIS supports three kinds of user name/password authentication methods:

Configuring the IIS

The next few sections discuss how you can configure IIS to serve your needs. You configure IIS using the Internet Service Manager icon (refer to Figure 4.6). When ISM is invoked, it looks similar to Figure 4.9.


Figure 4.9. Using the ISM to configure various aspects of IIS.

You can easily locate the NT Server or Internet service you want to administer by choosing the View option from the Internet Service Manager menu. Figures 4.10 and 4.11 show two server views.


Figure 4.10. ISM with servers grouped by server name.


Figure 4.11. ISM with servers grouped by various Internet services (FTP, Gopher, and WWW).

Configuring WWW Publishing Service

You can select the WWW Publishing Service to configure from the IIS Manager menu. After selecting the WWW Publishing Service you want to configure, double-click it, or right-click and select Service Properties. You then can configure various aspects of the WWW Publishing Service.

Examining WWW Publishing Service Properties

You can use the Service tab of the WWW Service Properties dialog box to configure various key aspects of the WWW Publishing Service (see Figure 4.12). You should not change the default settings for Connection Timeout and Maximum Connections. After monitoring the number of connections at any given time using Performance Monitor, however, you might want to increase the Maximum Connections value if you have sufficient network bandwidth to accommodate additional connections. You will learn how to use Performance Monitor to monitor the performance of IIS in the "Monitoring Performance of IIS" section.


Figure 4.12. The Service tab of the WWW Publishing Service.

As mentioned earlier, IIS uses Windows NT user accounts and NTFS security to enforce file-access permissions. The user name and password specified for anonymous logon are used to determine whether an anonymous user requesting an object from IIS is permitted to have that object. It is recommended that you allow IIS to use the Internet Guest account shown in Figure 4.12. By using File Manager, you can control which objects anonymous users have access to by assigning file permissions to the Internet Guest account.
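The check below is an added example, not part of the original chapter or of IIS: it reads ACL text laid out the way the `cacls` command prints it and reports, per directory, whether the Internet Guest account can read it anonymously, whether credentials will be required, or whether the account holds more than read permission. The sample ACLs are constructed, and the sketch assumes account names without spaces and treats the Everyone group as applying to the guest account.

```python
import re

# One ACE at the end of a line: ACCOUNT:(inheritance flags)PERM
# PERM letters: N = none (deny), R = read, C = change, F = full control.
ACE_RE = re.compile(r"(?P<account>[^\s:]+):(?:\([A-Z]+\))*(?P<perm>[NRCF])\s*$")
RANK = {"N": 0, "R": 1, "C": 2, "F": 3}

# Constructed sample in cacls layout: the path is on the first line of each
# entry and further ACEs are indented beneath it.
SAMPLE_ACLS = r"""
H:\Publish\WWW BUILTIN\Administrators:(OI)(CI)F
               INTERNET\IUSR_INTERNET:(OI)(CI)R
H:\Publish\WWW\cgi-bin BUILTIN\Administrators:(OI)(CI)F
                       INTERNET\IUSR_INTERNET:(OI)(CI)C
H:\Publish\WWW\members BUILTIN\Administrators:(OI)(CI)F
                       INTERNET\Kim:(OI)(CI)R
H:\Publish\WWW\drafts Everyone:(OI)(CI)F
"""


def parse_acls(text):
    """Return {path: [(account, perm), ...]} from cacls-style text."""
    acls, current = {}, None
    for line in text.splitlines():
        match = ACE_RE.search(line)
        if not match:
            continue                      # blank line or unsupported ACE form
        path = line[:match.start()].strip()
        if path:                          # text before the ACE starts a new path
            current = path
            acls.setdefault(current, [])
        if current is not None:
            acls[current].append((match.group("account"), match.group("perm")))
    return acls


def audit(acls, guest="IUSR_INTERNET", groups=("Everyone",)):
    """Classify each path by what the anonymous (Internet Guest) user gets."""
    names = {guest.lower()} | {g.lower() for g in groups}
    report = {}
    for path, aces in acls.items():
        perms = [perm for account, perm in aces
                 if account.split("\\")[-1].lower() in names]
        if not perms or "N" in perms:
            # Access revoked from the guest account: a user name and
            # password will have to be supplied.
            report[path] = "auth-required"
        elif max(RANK[p] for p in perms) > RANK["R"]:
            # More than the read permission the chapter calls for.
            report[path] = "over-privileged"
        else:
            report[path] = "anonymous-read"
    return report


if __name__ == "__main__":
    for path, status in audit(parse_acls(SAMPLE_ACLS)).items():
        print(f"{status:16} {path}")
```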

If your Web site is a public Web site, you should make sure that the Allow Anonymous checkbox in the Service tab is checked. In addition to this, if you want to protect parts of your Web site with a user name and a password, make sure that the Basic (Clear Text) checkbox is enabled. You then are warned about the consequences of using clear text passwords. Never use clear text passwords to safeguard sensitive data from unauthorized users unless the connection is encrypted with a protocol such as SSL.

The Windows NT Challenge/Response authentication method is much safer because user authorization information is encrypted before it is transmitted over the Internet. At the time of this writing, however, only Internet Explorer is capable of handling Windows NT Challenge/Response authentication. Unless you are certain that most users visiting your Web site use Internet Explorer, you should stay away from Windows NT Challenge/Response authentication for now.

Finally, you can specify a comment for the WWW Publishing Service by typing it in the Comment field in the Service tab. This comment will show up in Internet Service Manager under Comments.

Configuring WWW Publishing Service Directories

You can use the Directories tab to configure how IIS handles directories (see Figure 4.13). Note that several directory mappings already have been set up by the IIS installation program.


Figure 4.13. The Directories tab of the WWW Service Properties dialog box can be used to configure various directory settings.

Adding directory mappings to the WWW Publishing Service is very easy. You can click the Add button, for example, to add a common gateway interface (CGI) directory mapping to the WWW Publishing Service. Applications in this directory then can be executed by users using a Web browser. The Directory Properties dialog box appears, as shown in Figure 4.14. You can select a directory and an alias for it in this dialog box. The alias specified in Figure 4.14 for the CGI directory is cgi-bin. Users can employ this alias to execute applications in the H:\Publish\WWW\cgi-bin directory by using a URL such as



http://server.name.com/cgi-bin/application.exe


Figure 4.14. The Directory Properties dialog box.

Because the cgi-bin directory contains applications, the "Execute" checkbox is enabled in the Directory Properties dialog box so that the WWW Publishing Service will execute applications requested by users and return the output. If the virtual directory points to a network resource using a universal naming convention (UNC) share name, you can specify a user name and a password in the Account Information section. Note that this option is visible only if a UNC share name is entered.

IIS supports virtual servers. You can use the Virtual Server IP Address option if a server has more than one IP address. The virtual server feature is handy for setting up Web servers for several companies on one server. You can use the Virtual Server feature to host Web servers for www.Microsoft.com and www.IBM.com on the same computer (assuming you own both domain names, of course!). Note that properties have to be set separately for each virtual server.

Finally, you can enable the "Require Secure SSL Channel" checkbox if SSL is installed on your server. SSL encrypts data before it is transmitted to users browsing a Web site.

You enable the "Enable Default Document" checkbox in the Directories tab to specify the name of the file that is sent by default if a URL is given without a filename. When a user accesses a Web site with the URL http://www.company.com, the file specified in the Default Document field below the "Enable Default Document" checkbox is sent to the user. If the file is not found or a filename is not specified, the user is presented with a list of files and directories if directory browsing is allowed. Otherwise, the user sees an Access Forbidden message.

You enable the "Directory Browsing Allowed" checkbox in the Directories tab to specify whether IIS should return a list of files and directories if a URL is given without a filename. For example,

http://wonderland.dial.umd.edu/document

refers to a subdirectory. If directory browsing is allowed, the user sees a list of directories. If directory browsing is not allowed, the user sees an Access Forbidden message.

Logging WWW Publish Service Accesses

Web server accesses can be logged to a SQL/ODBC database or a plain text file. You can configure WWW Publishing Service access logging by using the Logging tab shown in Figure 4.15. Unless you have special software to analyze data logged to a SQL/ODBC database, you should allow IIS to log Web server accesses to a plain text file.


Figure 4.15. Using the Logging tab of the WWW Service Properties dialog box.

Controlling WWW Publish Service Access

You use the "Advanced" tab of the "WWW Service Properties" dialog box to grant and deny access to various computers on the Internet (see Figure 4.16). You might want to use the Advanced tab to deny access to one or more Internet computers.


Figure 4.16. Using the Advanced tab of the WWW Service Properties dialog box.

You can deny access to a computer by the name of www.hacker.com, for example, by selecting the "Granted Access" radio button and clicking the Add button. You can use the Deny Access On dialog box to specify which IP addresses should be denied access, as shown in Figure 4.17. If you do not know the IP address of a computer but you do know its domain name (www.hacker.com), simply click the ellipsis button and then enter the domain name in the dialog box that appears.


Figure 4.17. The Deny Access On dialog box.

You can use the "Limit Network Use by All Internet Services on This Computer" checkbox in the Advanced tab to limit network bandwidth that will be used by all Internet services (managed by IIS) running on the computer being administered. Again, use the Performance Monitor to determine the network bandwidth used by IIS before changing the default value. If it is necessary to use this option to severely limit network bandwidth, it is a good indication that you need to upgrade your Internet link. If this is not possible, at least move all large graphics files to another server.

Configuring the FTP Publishing Service

You can use the FTP Publishing Service to distribute files on the Internet. Before it is used in a production environment, you should configure the FTP Publishing Service to suit your needs by selecting the FTP Publishing Service you want to configure from the Internet Service Manager and double-clicking it. You configure the FTP Publishing Service by using the Service tab, as shown in Figure 4.18.


Figure 4.18. Using the Service tab of the FTP Service Properties dialog box.


Note: The default TCP/IP port of the FTP Service is 21.

The Service tab here is similar in many ways to the Service tab shown in Figure 4.12. To avoid redundancy, only the dialog box options that are different are discussed here. The "Current Sessions" button and the "Allow Only Anonymous Connections" checkbox are the only differences between these tabs.

Enabling Anonymous Connections

You can enable the "Allow Only Anonymous Connections" checkbox to make sure that Windows NT users do not compromise the security of your NT Server by using their user names and passwords to log onto the FTP Publishing Service. User names and passwords used to authenticate users to access the FTP server are transmitted in clear text format. This means that anyone who has a protocol analyzer and access to your network or the part of the Internet the authentication data is transferred across can intercept user names and passwords used by authorized users and gain unauthorized access to your system. If you deselect this option, be aware that every time a user logs on with a user name and password, the same user name and password can be used by an unauthorized person. As a security precaution, advise your users not to store sensitive files on the FTP server. If they do store sensitive files, ask them to encrypt the files using a powerful encryption algorithm, such as Pretty Good Privacy (PGP).
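The following added example (not from the original chapter) shows what the clear text warnings mean in practice, both for the Basic (Clear Text) option of the WWW Publishing Service and for FTP logons: a Basic header is only base64-encoded, and FTP sends USER and PASS as plain commands, so both can be read directly from the bytes on the wire. The request, the FTP sessions, the account names' passwords, and the URL path are constructed sample data.

```python
import base64
import binascii

# Constructed client-to-server payloads (sample data, not captured traffic).
HTTP_REQUEST = (
    b"GET /members/report.htm HTTP/1.0\r\n"
    b"Authorization: Basic " + base64.b64encode(b"Kim:Winter96!") + b"\r\n"
    b"\r\n"
)
FTP_SESSION = b"USER Sunthar\r\nPASS s3cret-ftp\r\nSYST\r\nQUIT\r\n"
FTP_ANONYMOUS = b"USER anonymous\r\nPASS BillGates@Microsoft.com\r\nQUIT\r\n"


def basic_credentials(request: bytes):
    """Return (user, password) carried by an HTTP Basic header, else None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None                           # another scheme: not decodable this way
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None                           # malformed header
        user, sep, password = decoded.partition(b":")
        if not sep:
            return None
        return user.decode("latin-1"), password.decode("latin-1")
    return None


def ftp_credentials(control_stream: bytes):
    """Return (user, password) as sent on an FTP control connection, else None."""
    user = None
    for raw in control_stream.split(b"\r\n"):
        verb, _, arg = raw.partition(b" ")
        verb = verb.upper()
        if verb == b"USER":
            user = arg.decode("latin-1")
        elif verb == b"PASS" and user is not None:
            return user, arg.decode("latin-1")
    return None


def exposure(protocol: str, creds):
    """Describe what someone watching the connection learns from one logon."""
    if creds is None:
        return "no clear text credentials"
    user, _password = creds
    if protocol == "ftp" and user.lower() == "anonymous":
        # Anonymous logons carry an e-mail address, not an NT password.
        return "anonymous logon: no NT account password exposed"
    return f"password for NT account {user!r} readable on the wire"


if __name__ == "__main__":
    print(exposure("http", basic_credentials(HTTP_REQUEST)))
    print(exposure("ftp", ftp_credentials(FTP_SESSION)))
    print(exposure("ftp", ftp_credentials(FTP_ANONYMOUS)))
```

The third case is why the "Allow Only Anonymous Connections" checkbox protects NT accounts: with it enabled, no NT password ever crosses the network for FTP.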

Administering FTP Sessions

You can click the "Current Sessions" button to access the FTP User Sessions dialog box, which enables you to find out which users are logged onto the FTP server at any given time (see Figure 4.19). You also can use this dialog box to disconnect users from the FTP server. Regular users have a face next to their user name. On the other hand, anonymous users have a question mark next to their e-mail address used to access the FTP server. The anonymous user in Figure 4.19 has used the e-mail address BillGates@Microsoft.com to access the FTP server, for example.


Figure 4.19. The FTP User Sessions dialog box.

Specifying FTP Publishing Service Messages

You can use the Messages tab to specify various messages displayed to users connecting to the FTP server (see Figure 4.20). You can specify a "welcome message," "exit message," and a "maximum connections message" using this dialog box.


Figure 4.20. Using the Messages tab in the FTP Service Properties dialog box.

Configuring FTP Publishing Service Directories

You can configure directories of the FTP Publishing Service by using the Directories tab shown in Figure 4.21. This dialog box is very similar in functionality to the Directories tab shown in Figure 4.13. The only difference is the "Directory Listing Style" section. You use this section to specify whether the FTP Publishing Service should return an MS-DOS or UNIX-style directory listing. You should select the UNIX radio button because some Web browsers expect the directory listing format of FTP servers to be in the UNIX (ls -l) directory listing format.


Figure 4.21. The Directories tab of the FTP Service Properties dialog box.

Specifying Home Directories of FTP Server Users

Click the Edit Properties button in the Directories tab to display the Directory Properties dialog box shown in Figure 4.22. It is easy to specify home directories for FTP users. The only requirement is to have the directory structure set up so that all users share the same parent directory and their home directories correspond to their user names. If H:\Publish\FTP\Users is the parent directory, for example, home directories of the two users Sunthar and Kim should be H:\Publish\FTP\Users\Sunthar and H:\Publish\FTP\Users\Kim, respectively. The parent directory of user home directories can be specified as shown in Figure 4.22. Note that the directory H:\Publish\FTP\Users is configured as the home directory of the FTP Publishing Service. Again, be sure that users do not store any sensitive files on your system that are accessible via FTP.


Figure 4.22. The Directory Properties dialog box.

The "Logging" and "Advanced" tabs of the FTP Publishing Service are identical in functionality to those of the WWW Publishing Service discussed earlier. Refer to the earlier discussion for more information about using these two configuration tabs.

Configuring the Gopher Publishing Service

IIS includes a Gopher server. Although the Gopher protocol is becoming less and less popular due to its inherent limitations, almost anyone who has access to the Internet has access to a Gopher client. This is true especially for users who still access the Internet via UNIX shell accounts. You administer the Gopher Server by using the Gopher Service Properties dialog box shown in Figure 4.23.


Figure 4.23. The Service tab of the Gopher Service Properties dialog box.


Note: The default TCP/IP port of the Gopher Service is 70.

The Gopher Service tab is very similar to the WWW Service tab shown in Figure 4.12. The only difference is the "Service Administrator" section. Here, you can specify the name and e-mail address of the Gopher Server Administrator.

The Gopher Server Directories tab shown in Figure 4.24 is very similar to the WWW Service Properties Directories tab shown in Figure 4.13. Note that the home directory of the Gopher service is h:\Publish\Gopher. This information will be used in the following section, where you will see how to publish information on the Internet with the Gopher server.


Figure 4.24. The Gopher Service Properties Directories tab.

Publishing Information with the Gopher Server

It is easy to publish information on the Internet with the Gopher server. To a certain extent, it is similar to simply publishing an entire directory structure of information on the Internet. As you will learn soon, however, you need to take one extra step to publish information using the Gopher service after you copy files to the Gopher directory structure.

As mentioned earlier, the home directory of the Gopher Publishing Service used in this exercise is h:\Publish\Gopher. Figure 4.25 shows the directory structure of h:\Publish\Gopher. Note that there is a file named Welcome.txt in the home directory of the Gopher server. Figure 4.26 shows the contents of this file. Shortly, you will find out how easy it is to publish this file and directory structure on the Internet with the Gopher server.


Figure 4.25. The directory structure of the Gopher server's home directory.


Figure 4.26. Contents of the file Welcome.txt.

At this point, if a user connects to the Gopher Publishing Service, he or she sees a directory listing similar to the one shown in Figure 4.27. Note how the file Welcome.txt is marked as a binary file. This is because, by default, all files published with the Gopher Publishing Service are assumed to be binary files. At this time, you might want to create a text file on your Gopher Server and notice that, if you click on it, it is downloaded as a binary file.


Figure 4.27. A directory listing of the home directory of the Gopher Publishing Service.

You can solve this problem (text files being treated as binary files) by creating a tag file for the text file Welcome.txt. You use the following syntax to create tag files:

gdsset -c -g<number> -f <"file description"> -a <"administrator's name"> -e <e-mail address> <filename>

Explanations of various command-line argument substitutions follow:

-c

Edits or creates a new file.

-g<number>

Specifies the type of file according to the File Type table (Table 4.1). Simply replace <number> with the single-digit file type code from the File Type table.

-a <"administrator's name">

Name of Administrator.

-e <e-mail address>

Administrator's e-mail address.

<filename>

Name of file.

Table 4.1 lists the file type codes for publishing various kinds of files with the Gopher Publishing Service.

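| File Type Code | File Type Description             |
|----------------|-----------------------------------|
| 0              | Text file                         |
| 1              | Gopher directory                  |
| 2              | CSO phone book server             |
| 3              | Error                             |
| 4              | Binary Hexadecimal Macintosh file |
| 5              | MS-DOS binary archive             |
| 6              | UNIX uuencoded file               |
| 7              | Index search server               |
| 8              | Telnet session                    |
| 9              | Binary file                       |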

Listing 4.1 shows the command used to publish the file Welcome.txt on the Internet with the Gopher Publishing Service. This command should be typed at the Windows NT command prompt. Note how various command-line arguments are used and the output of the gdsset application.

    H:\publish\Gopher>gdsset -c -g0 -f "Welcome Message" -a "Sanjaya" -e sanjaya@erols.com Welcome.txt
     Old Tag contents for H:\publish\Gopher\Welcome.txt
    Tag information for H:\publish\Gopher\Welcome.txt
             Object Type = 9
           Friendly Name = Welcome.txt
              Admin Name = Default Admin Name
             Admin Email = Default Admin Email
     Gopher Object Type = 0
     Gopher FriendlyName = Welcome Message
     Tag information for H:\publish\Gopher\Welcome.txt
             Object Type = 0
           Friendly Name = Welcome Message
              Admin Name = Sanjaya
             Admin Email = sanjaya@erols.com
    H:\publish\Gopher>

At this point, if a user connects to the Gopher server, he or she sees a directory listing similar to the one shown in Figure 4.27. The description changes from Welcome.txt to Welcome Message. Also, the icon of the text file changes from a binary file icon to a text file icon. If a user clicks on the text file, instead of being prompted to download the file, he or she sees the actual contents of the text file.
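To show what the tag changes from the client's side, the following added example (not part of the original chapter, and not gdsset's or IIS's own code) builds and parses Gopher menu lines using the type codes of Table 4.1. The line layout (type code and name, then selector, host, and port, separated by tabs) is that of the Gopher protocol in RFC 1436; the selector and host name are placeholders. Because the friendly name ends up inside such a line, the builder rejects names containing tabs or line breaks.

```python
# File type codes from Table 4.1.
FILE_TYPES = {
    "0": "Text file", "1": "Gopher directory", "2": "CSO phone book server",
    "3": "Error", "4": "Binary Hexadecimal Macintosh file",
    "5": "MS-DOS binary archive", "6": "UNIX uuencoded file",
    "7": "Index search server", "8": "Telnet session", "9": "Binary file",
}


def menu_line(type_code, friendly_name, selector, host, port=70):
    """Build one Gopher menu line for a tagged file."""
    if type_code not in FILE_TYPES:
        raise ValueError(f"unknown file type code: {type_code!r}")
    for field in (friendly_name, selector, host):
        # A tab or line break inside a field would forge extra fields or entries.
        if any(ch in field for ch in "\t\r\n"):
            raise ValueError(f"control character in field: {field!r}")
    return f"{type_code}{friendly_name}\t{selector}\t{host}\t{port}\r\n"


def parse_menu(response):
    """Parse a Gopher menu response into a list of item dictionaries."""
    items = []
    for line in response.split("\r\n"):
        if line == ".":                   # a lone dot ends the menu
            break
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) < 4 or not fields[0]:
            raise ValueError(f"malformed menu line: {line!r}")
        code = fields[0][0]
        items.append({
            "code": code,
            "type": FILE_TYPES.get(code, "Unknown"),
            "name": fields[0][1:],
            "selector": fields[1],
            "host": fields[2],
            "port": int(fields[3]),
            # Per the chapter: text files are displayed, binary files downloaded.
            "shown_inline": code == "0",
        })
    return items


# Placeholder host; the selector is a constructed value.
HOST = "gopher.example.com"
BEFORE_TAG = menu_line("9", "Welcome.txt", "Welcome.txt", HOST)
AFTER_TAG = menu_line("0", "Welcome Message", "Welcome.txt", HOST)

if __name__ == "__main__":
    for item in parse_menu(BEFORE_TAG + AFTER_TAG + ".\r\n"):
        print(item["code"], item["type"], "|", item["name"],
              "| inline" if item["shown_inline"] else "| download")
```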

Monitoring Performance of IIS

Various IIS statistics can be monitored using Performance Monitor. Performance Monitor is invoked by executing the Performance Monitor icon in the Administrative Tools Windows NT Start Menu folder. In order to monitor various IIS statistics, after invoking Performance Monitor, select Edit|Add To Chart from the menu bar. The dialog box shown in Figure 4.28 appears. Use this dialog box to choose various IIS statistics to monitor by selecting an IIS object and counter as shown in Figure 4.28. Each object has various counters associated with it. After selecting a counter to monitor, click the Add button.


Figure 4.28. Monitoring IIS statistics with the Performance Monitor.

Counters selected using the Add to Chart dialog box can be monitored using Performance Monitor, as shown in Figure 4.29. The Performance Monitor is especially useful for finding bottlenecks. For example, the Bytes Total/sec counter of the HTTP Service object can be monitored to determine whether the Internet bandwidth available is sufficient to serve HTTP requests.


Figure 4.29. Monitoring selected IIS statistics with the Performance Monitor.

Summary

Microsoft Internet Server is bundled free with Windows NT Server. Although Microsoft intends to make a version of IIS available for Windows NT Workstation, it will not be as powerful as the version that ships with Windows NT Server. Many commercial Web servers are available for Windows NT. As you will learn elsewhere in this book, most of these Web servers come bundled with additional software, such as database setup connectivity wizards and search engines. On the other hand, although IIS is a very powerful server, it does not include any database setup wizards or search engines. Such features must be added separately using custom CGI (or ISAPI) or third-party applications.

IIS is a powerful, easy-to-manage server designed to make maximum use of Windows NT's system architecture. You can use it to publish information on the Internet via HTTP, Gopher, and FTP. In this chapter, you learned how to install and set up IIS to publish information on the Internet. You learned how to configure various aspects of the Web, FTP, and Gopher publishing services to serve your needs. The last section discussed how various IIS statistics can be monitored to fine-tune IIS and detect bottlenecks.

At this point, you should have a basic installation of the Internet Information Server ready to go. To streamline the performance of the system, however, you'll need to do some more planning and implementation. The next chapter delves into the issues surrounding the DHCP, the WINS, and the Microsoft Domain Name Service.
