- Shopping Bag ( 0 items )
Ships from: Fort Worth, TX
Usually ships in 1-2 business days
Ships from: FORT MYERS, FL
Usually ships in 1-2 business days
Ships from: LEHIGH ACRES, FL
Usually ships in 1-2 business days
Developed specifically for advanced-level users, this guide covers Microsoft Internet Information Server (IIS) 4.0 planning, installation, configuration and resource access. With sample test questions and test-taking tips, it reviews integration, application running, monitoring and troubleshooting.
Resoloving Security Problems
...Security problems relate to a user or users being unable to utilize the sources you have made available to them or too many users being able to access what only one or two should be able to access. There is an unlimited number of reasons why these things could happen, based on what the resources are and how they are accessed.
A number of different problem areas are examined below through the presentation of various issues involving server technologies.
In most Web server operations, you want to make the service available to the public, and to as many users as possible. Unfortunately, this can lead to the risk of letting in unwanted traffic, as well. Solutions to solving this problem are: using a firewall to restrict traffic, disabling anonymous usage, and/or moving the Web server service to a port other than its default 80--essentially hiding it from the outside world (discussed in more detail In the section on resolving WWW service problems).
Following the Basic Steps in the Access Control Process
Solving most security problems involves using a great deal of common sense (if passwords are used, make them more than one character in length, and so on) and understanding what is taking place. The following steps illustrate the access control process:
1. The Web server receives a request from the browser to perform an operation.
2. The Web server checks to see whether the IP address is permitted. If there are no restrictions on IP address ranges, or the request is coming from a valid range, processing continues.
3. The Web server checks to see whether the user is permitted.
4. The Web server checks to see if its own permissions will allow access.
5. A check is made to see whether the NTFS permissions will allow access.
If any of the steps above falls, the access is denied. If they all succeed, access is granted.
Resolving Resource Access Problems
A user or users who are unable to access a resource identify resource access problems. A lack of appropriate security or the TCP/IP configuration of the host can cause this problem for clients.
Using IPCONFIG to Resolve DHCP Address Problems
When a DHCP client gets an IP that is not configured correctly or if the client doesn't get an IP address at all, IPCONFIG can be used to resolve these problems. If the client gets incorrect IP parameters, it should be apparent from the results of IPCONFIG /all. You should be able to see that some of the parameters don't match the IP address or that sonic parameters are completely blank. For example, you could have the wrong default gateway (in which case the entry would not appear), or th client might not be configured to be a WINS client.
When a DHCP client fails to receive an address, the results of IPCONFIG /all are different. In this case, the client has an IP address of 0.0.0.0--an invalid address-and the DHCP server is 255.255.255.255--a broadcast address.
To fix this problem, you can release the incorrect address with IPCONFIG /release and then try to obtain a new IP address with IPCONFIG /renew. The IPCONFIG /renew command sends out a new request for a DHCP address. If a DHCP server is available, the server responds with the lease of an IP address. If there is no response, it sends a request for a new one.
In many cases, the DHCP client will acquire the same address after releasing and renewing. That the client receives the same address indicates the same DHCP server responded to the renewal request and gave out the address that had just been released back into the pool of available addresses. If you need to renew an address because the parameters of the scope are incorrect, you must fix the parameters in DHCP configuration before releasing and renewing the address. Otherwise, the client could receive the same address again with the same incorrect parameters.
Diagnosing and Resolving Name Resolution Problems
Name resolution problems are easily identified as such with the PING utility. If you can ping a host using its IP address but cannot ping it by its host name, you have a resolution problem. If you cannot ping the host at all, the problem lies elsewhere.
Problems that can occur with name resolution and their solutions fit into the following categories:
Part I - What's Important to Know About Exam 70-087
Part II - Inside Exam 70-087
[Figures are not included in this sample chapter]
Create and share directories with appropriate permissions. Tasks include:
Create and share local and remote virtual directories with appropriate permissions.Tasks include:
Create and share virtual servers with appropriate permissions. Tasks include:
Write scripts to manage the FTP service or the WWW service
Manage a Web site by using Content Analyzer. Tasks include:
Configure Microsoft SMTP Service to host personal mailboxes
Configure Microsoft NNTP Service to host a newsgroup
Configure Certificate Server to issue certificates
Configure Index Server to index a Web site
Manage MIME types
Manage the FTP service
Manage the WWW service
To create and share a new WWW or FTP directory, start the Internet Service Managerand select the server on which you want to create the directory. After that, followthe steps outlined here:
2. Enter the Web site description and select Next.
3. Select or verify the IP address to use.
4. The TCP port defaults to 80. This is the default used for all WWW services. If you want to offer the service but hide it from most browsers, choose another port.
5. If SSL is to be used, enter the appropriate port for it (the default is 443), and click Next.
6. Enter the path for what will appear as the home directory (you can also use the Browse button to specify).
7. By default, the check box appears allowing Anonymous Access to This Web Site (see Figure 3.1). If you do not want anonymous access, remove the check. Choose Next.
9. Choose Finish.
The five rights that you can select for IIS access work in conjunction with allother rights. Like share rights, the IIS rights are in addition to NTFS rights,and of greatest value when you are using anonymous access. Allowing Read access letsusers view a file if their NTFS permissions also allow this. Taking away Read, however,prevents the user from viewing the file regardless of what NTFS permissions are set.
At A Glance: Access Rights
|Execute||Allows for CGI and ISAPI scripts to execute|
|Script||Sufficient for IDC, IDQ, and ASP|
NOTE: As listed previously, the names of the rights are pretty self-explanatory as to what they offer. The only caveats to note are that Read and Script access are assigned by default, and Execute is a superset of Script access.
Afte r the wizard has been run and the directory is configured for site access,you can change permissions and access for individual directories by selecting thedirectory in Internet Service Manager, right-clicking, and choosing Properties.
Figure 3.2 shows the properties for a directory. Notice that access permissionshave now been set to read and write, or any combination thereof, and permissionsare now None, Script, or Execute (which includes Script).
Click the Directory Security tab of the directory's properties and you will seethat you have three items you can configure:
The latter two are discussed later in this chapter in the section "DirectorySecurity Tab." Selecting Edit on the Enabling Anonymous Access portion opensthe screen shown in Figure 3.3. From here, you can choose to allow or disallow anonymousaccess, and (by choosing Edit) the name of the anonymous access account (which defaultsto IUSR_computername).
You can also control the permissions for specific files in a similar manner. First,select the file and choose its properties. A screen similar to Figure 3.4 appears.Choosing the File Security tab, you can set the same options for the file as wereillustrated in Figure 3.3 for the directory.
As the name implies, virtual directories are entities that do not exist, but giveyou the ability to reference relative file locations to make it appear as if theyare in a directory. In so doing, you can get around issues such as disk space, anddetermining where best to store files. The biggest disadvantage to using virtualdirectories, however, is a slight decrease in performance because files must be retrievedfrom the LAN, rather than being centralized if the virtual directories are on differentservers (they need not be). The only other downside is that virtual directories arenot visible in directory listings and must be accessed through explicit links withinHTML files, or by typing in the complete URL in the browser; for example, http://www.microsoft.com/iis.
Virtual directories must exist on servers that all reside within the same NT domainand within the domain in which the IIS server resides. Aside from this restriction,the directories can be either local or remote.
If you choose to create the virtual directory on a local computer, the InternetService Manager can be used to assign an alias to it. To do so, follow these steps:
2. Open a Web site, right-click the left pane, and choose New.
3. Select Virtual Directory (as shown in Figure 3.5). This starts the New Virtual Directory Wizard.
4. Enter an al ias to be used for the virtual directory name, and click Next (as shown if Figure 3.6).
After the wizard has been run and the virtual directory is configured for siteaccess, you can change permissions and access for individual directories or filesby selecting the directory/file in Internet Service Manager, right-clicking, andchoosing Properties.
The major benefit of virtual servers is that they allow you to expand your sitebeyond the limitations of a single site per server. You can combine a number of differentsites (domain names) on a single server through the implementation of virtual servers.
Also known as multihomed hosts, multihomed servers, or just plain multihoming, vvirtual servers allow one host to respond to requests for the following totally differententries:
All the previous domain names are Fully Qualified Domain Names (FQDNs). FQDNsare explained fully in MCSE Inside Track: TCP/IP from New Riders Publishing.
Each site is specified by a unique IP address, and the absence of a unique IPaddress makes the site visible to all virtual servers.
To create a virtual server, you must first have created a directory to publish(local or virtual). Then, follow these steps:
2. From the Action menu, select New, and then Web Site (see Figure 3.9).
Permissions for directories and sites on virtual servers can be configured thesame as in the previous sections.
New to IIS 4.0 is the Microsoft Script Debugger. It can be used to d ebug scriptswritten in JScript, Visual Basic Scripting Edition (VBScript), and a number of otherlanguages. If you know one of these languages, you can simply manage administrativetasks by writing scripts to manage your services (FTP or WWW).
Management tasks to automate should include the inspection of log files (describedin "Managing the FTP Service" and "Managing the WWW Service").The log files can be examined for statistical information such as the number of hits,errors, and so on.
The Content Analyzer is a new method of managing your Web site in a simplifiedmanner. It will let you create WebMaps, as shown in Figure 3.11, that let you seea graphical representation of your entire site.
The graphical representation includes all HTML pages, audio and video files, graphicimages, and links to other services. The left side of the WebMap display (shown inFigure 3.11) is a tree view of the site, and the right pane shows Cyberbolic view.You can choose to see either of the two, or both, whichever is most convenient foryou.
In addition to the graphical representation, Content Analyzer can be used to createa set of links to your site in a report that you can use for troubleshooting. Youcan also save the maps of your site (to a database, spreadsheet, or HTML file) forcomparison at later points in time to see what has changed as time has progressed.
SMTP, an acronym for Simple Mail Transfer Protocol, enables you to send mail toothers on your network as well as to the Internet. The SMTP Site prope rty sheet isused to set the basic connection parameters such as the port to use (default portis 25), number of simultaneous connections (default is 1000), and length of inactivitybefore disconnect (default is 60 seconds).
NOTE: A more popular use for the SMTP service is to link its capabilities to a Web page. In other words, if you have a Web site that requires some type of response by the visitor, you can provide a resource for him to use to send you email, without needing a mail client on his end. So, you've given the visitor the power to email you something without requiring him to have an email client such as Outlook installed on their machine.
Regardless of its size, each site has only one Microsoft SMTP site for the service.You cannot create additional sites or delete existing ones. To display the SMTP propertysheets, follow these steps:
2. Highlight and right-click the SMTP site and choose Properties.
Five tabs are displayed, as follows:
NNTP, an acronym for Network News Transport Protocol, enables you to configurea server for clients to read newsgroups. The Microsoft NNTP Service included withIIS 4.0 is the server side of the operation, whereas Microsoft Internet Mail andNews is a common client (now being replaced in the market by Outlook Express).
The default port for NNTP is 119, although this changes to 563 if SSL is used.When the client connects to the service, it requests a list of available newsgroups.The NNTP service authenticates the user, and then sends the list of newsgroups.
The client picks a newsgroup to view, and requests the list of articles. Authenticationtakes place again by the NNTP service, and then the list of articles is sent. Theclient then picks articles she wants to see, and the NNTP Service sends them.
Posting articles works in a similar fashion: NNTP verifies that the client isallowed to post to the newsgroup, and then takes the article, adds it to the newsgroup,and updates the index.
Every newsgroup has its own directory (with the same name as the newsgroup), andevery article is stored as a separate file within that directory (with an .NWS extension).By default, %SystemRoot%\Inetpub\nntproot is the main directory.
When you create a new newsgroup (through the Groups property sheet of InternetServi ce Manager), NNTP automatically creates the new directory. Within the newsgroupdirectory, indexes are also stored. They have an extension of .XIX, and one is createdfor every 128 articles.
The NNTP service starts automatically when the NT Server starts but can be paused,stopped, or started from the Services icon of the Control Panel (where it appearsas Microsoft NNTP Service). It, like other IIS-related services, can also be paused,stopped, or started from the Microsoft Management Console.
Microsoft Certificate Server enables you to generate, create, and use keys fordigital authentication. To use, you must first obtain an industry- recognized servercertificate (generated with Key Manager) from a certificate authority. The followingis a listing of the Web sites of several certificate authorities within the UnitedStates:
|Certificate Authorities||Web Site|
NOTE: You can generate a certificate with Certificate Server without getting certified by an agency, but they aren't considered valid.
After you've created a certificate or a certificate authority has issued you avalid certificate, use Key Manager to activate the certificate.
Index Server is configured based on the size of the site and the number of documentsit contains. Four items should be taken into consideration when configuring IndexServer:
Increasing the amount of memory and going with the fastest CPU available willincrease Index Server performance. The disk space needed for the data is always roughly40% the size of the corpus.
Index Server can be used to index multiple servers by sharing a folder on theremote volume and creating a virtual directory on the indexing server. The biggestdifficulty in doing this is maintaining link integrity.
MIME is an acronym for Multipurpose Internet Mail Extension, and is usedto define the type of file sent to the browser based on the extension. If your serveris supplying files in multiple formats, it must have a MIME mapping for each filetype or browsers will most likely be unable to retrieve the file.
MIME mappings for IIS 4.0 are different than they were in previous versions. Themappings are kept in the Registry under KEY_LOCAL_MACHINE\SOFTWAR E\Classes\MIME\Databases\Content Type, and can be viewed, edited, or new ones added by using REGEDIT or REGEDT32.Figure 3.12 shows an example of the MIME mapping for text files in REGEDT32.exe.
These mappings occur whether IIS is installed or not. It appears to be a Windowscommon registry of MIME types.
If you are not comfortable with editing the Registry directly (and you probablyshould not be), you can also add entries to the Registry through the HTTP Headerstab of any directory or virtual directory. The File Types button at the bottom ofthe properties page enables you to enter MIME Maps in a much simpler way than editingthe Registry. The button is shown in Figure 3.13.
Selecting the Add button enables you to specify new MIME types by giving the associatedextension and the content type as shown in Figure 3.14.
Once installed and running, the FTP service can be managed through two main utilities:
The first utility of note is the Services icon in the Control Panel. From here,you can start, pause, or stop the FTP Publishing Service, as well as configure itfor startup in three ways:
Once started, the service can be stopped or paused (as well as started again aftereither of the other two). When the service is stopped, it is unloaded, whereas whenit is paused, it remains loaded with the intention of it being restarted again.
From the Internet Service Manager, you can select your FTP site and choose tostop, pause, or start the site by right-clicking it. You can also manage all propertiesof the site from here, as shown in Figure 3.15.
There are five tabs to the properties, each containing specific information onthe Web site. Each tab is discussed in the paragraphs that follow in the order thatthey appear by default.
The FTP Site tab enables you to change the description (name) of the FTP site,the IP address, and the TCP port. As has been pointed out before, port 21 is thedefault TCP port, but changing it to another value allows the site to become "hidden."Additional settings on this tab enable you to specify a number of seconds for a connectiontimeout, limit the number of connections allowed (if bandwidth is an issue; the defaultis limited to 1,000 connections), and enable logging. By default, the logs are writtento %SystemRoot%\System32\Logfiles.
You can choose for the log files to be created in a number of different time periods.The way in which you choose for them to be created governs the name of the log filescreated (which al ways consist of some combination of variables). The following summarizesthe log files:
|Log Time Period||Log File Name|
|Unlimited File Size||inetsv#.log|
|When File Size Reaches...(19MB is the default, but
another MB can be specified)
The Security Accounts tab is where you can allow or disallow anonymous accessand define which Windows NT user accounts have operator privileges. You can alsochoose to allow only anonymous connections and enable automatic password synchronization.
At A Glance: Anonymous Only Access
|Anonymous only||2||You cannot configure only anonymous access until you have first enabled anonymous access|
The Messages tab allows you to specify a message to be displayed when users accessthe site. This can be done in three ways:
The Home Directory tab lets you specify a home directory in either of two ways:
If you are specifying a directory on this computer, you must give the path. Ifyou are specifying a share on another computer, you must give the UNC path (\\server\share).In either scenario, you then assign permissions for that directory of Read and/orWrite, and choose whether you want to log access. You also must specify whether directorylistings should appear in UNIX style or MS-DOS style. UNIX should be chosen in mostimplementations for maximum compatibility.
The Directory Security tab allows you to configure IP address and Domain Namerestrictions. When configuring, you have two choices:
Recall that the three ways to enter addresses are as a single computer (by IPaddress), a group of computers (by IP address), or by domain name. Refer to Chapter1, "Planning," for more information about entering addresses.
Once installed and running, the WWW service can be managed through two main utilities:the Services icon of the Control Panel and the Internet Service Manager. Each ofthese utilities is discussed in the following sections.
The first utility of note is the Services icon in the Control Panel. From here,you can start, pause, or stop the World Wide Web Publishing Service, or configureit for startup in three ways:
From the Internet Service Manager, you can select your Web site (or any Web siteif you have multiples) and choose to stop, pause, or start the site by right-clickingit.
You can also manage all properties of the site from here, as shown in Figure 3.16.
There are nine tabs to the properties, each containing specific information ofthe Web site. In order of how they appear by default, each tab is discussed in theparagraphs that follow.
The Web Site tab enables you to change the description (name) of the Web site,the IP address, and the TCP port. As has been pointed out be fore, port 80 is thedefault TCP port, but changing it to another value allows the site to become "hidden."This is useful in a situation where you want to create an intranet and avoid trafficfrom the Internet. The Advanced tab will allow you to assign multiple identitiesfor the Web site. Additional settings on this tab enable you to configure the SSLport, limit the number of connections allowed (if bandwidth is an issue; the defaultis unlimited), and enable logging. By default, the logs are written to:
You can choose for the log files to be created in a number of different time periods,identical for those already presented for FTP. The way in which you choose for themto be created governs the name of the log files created (which always consist ofsome combination of variables).
The Operators tab simply allows you to define which Windows NT user accounts haveoperator privileges.
The Performance tab allows you to tune the Web site according to the number ofhits you expect each day. There are three settings:
You can also enable bandwidth throttling from the Performance tab to prevent theentire network from being slow to service the Web site. By default, bandwidth throttlingis not enabled. Finally, on the Performance tab you can configure HTTP keep-alivesto be enabled. This maintains the open connection and uses it for the next account,rather than having to create a new connection each time a user accesses the site.
The ISAPI Filters tab enables you to add or remove filters for the site. ISAPIfilters are discussed in great detail in Chapter 5, "Running Applications."
The Home Directory tab lets you specify a home directory in three ways:
If you are specifying a directory on this computer, you must give the path. Ifyou are specifying a share on another computer, you must give the UNC path (\\computername\sharename).In either scenario, you then assign permissions for that directory. If you go withthe third option and redirect the home directory to an URL, you must specify theURL and choose how the client will be sent. You can send the client as:
The Documents tab enables you to define the default documents to display if aspecific document is not specified in the URL request.
The Directory Security tab enables you to configure Anonymous Access and authentication,as well as Secure Communications and IP address and Domain Name restrictions. Whenconfiguring the latter, you have two choices:
The three ways to enter addresses are as a single computer (by IP address), agroup of computers (by IP address), or by domain name.
The HTTP Headers tab enables you to specify an ex piration time for your content(the default is none), set custom headers, assign a rating to your content (to alertparents of pornography, and so on), and configure MIME maps (see the section "ManagingMIME Types").
The last tab, Custom Errors, enables you to configure the error message returnedto the user when an event occurs. For example, error 400 is, by default, a Bad Request,and the file 400.htm is used to return the message 404 is Not Found, andso on.
The following bullets summarize the chapter and accentuate the key concepts tomemorize for the exam:
2. Virtual directories do not show up in WWW listings, and must be accessed through explicit links within HTML files, or by typing the complete URL in the browser; for example, http://www.microsoft.com/ii