15.47 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows®...

15.1 © 2004 Pearson Education, Inc.

Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment

Lesson 15: Configuring a Windows Server 2003 Application Server

Internet Information Services (IIS) 6.0 Web server for Windows Server 2003Using IIS, you can publish Web pages and deploy scalable

and reliable Web sitesOptionally installed components

Background Intelligent Transfer Service (BITS) server extensionCommon IIS program filesFile Transfer Protocol ServiceFrontPage 2002 Server Extensions Internet Information Services Manager Internet PrintingNNTP ServiceSMTP ServiceWorld Wide Web Publishing Service

Introducing Internet Information Services 6.0

(Skill 6)




The IIS Admin Service (also referred to as the IIS metabase) is the parent process for all IIS servicesWhen you stop the IIS Admin Service, all other services

are also stopped IIS Admin also supplies the interface that is used to

administer IIS and all of its components In IIS 6.0, the FTP, NNTP, and SMPT services as well as

the IIS Admin service run in Inetinfo.exe, while the WWW service is hosted by the service host (Svchost.exe)

Introducing Internet Information Services 6.0 (2)

(Skill 6)




Features Automatic restart: Will automatically restart in the event of a

system failure or when a Web application becomes unavailable Easy access to Web sites: Each Web site has a unique socket

that consists of an IP address and a port number to identify it Scalability: You can assign different ports, IP addresses, or host

header names to each Web site Bandwidth management: The network or Internet connection

used by a Web server is generally also used by multiple services running on the server such as an e-mail service

Reliability: The newly designed request-processing architecture in IIS 6.0 allows Web-based applications to run in an environment in which they are protected from the malfunctions of other applications


(Skill 6)




Figure 15-35 The IIS Admin Service Properties dialog box

(Skill 6)

Iisrest.exe is configured to run by default




Figure 15-36 The Add/Edit Web Site Identification dialog box

(Skill 6)

You can assign different ports, IP addresses, or host header names to each Web site so that you can host multiple Web sites on the same Web server




WebDAV (Web-based Distributed Authoring and Versioning) Is an extension of the HTTP protocol that is used to access

files on a Web server through an HTTP connectionThe HTTP connection enables users to add, modify, and

delete data from Web pages to facilitate Web page authoring


(Skill 6)




Figure 15-37 The Performance tab in the Default Web Site Properties dialog box

(Skill 6)

Used to limit the bandwidth used by IIS; if the bandwidth approaches or exceeds this limit, bandwidth throttling delays or ejects IIS service requests until more bandwidth becomes available




Figure 15-38 Configuring an Application Server

(Skill 6)




Figure 15-39 Installing dynamic content tools

(Skill 6)




Figure 15-40 Enabling additional dynamic content tools

(Skill 6)




New accounts The IUSR_<server_name> account is the account used for Anonymous

access to the IIS server The IWAM_<server_name> account is the user account used to start

out-of-process applications The IIS_WPG group account is the worker process group

New services (depending on components installed) FTP Publishing service Network News Transfer Protocol service Simple Mail Transfer Protocol service World Wide Web Publishing service

Newl folders Inetpub Inetsrv Iishelp

Examining IIS Configuration Changes

(Skill 7)




Figure 15-41 IIS user and group accounts

(Skill 7)




Figure 15-42 The World Wide Web Publishing Service

(Skill 7)




Figure 15-43 Inetpub

(Skill 7)




Figure 15-44 The Inheritance Overrides dialog box

(Skill 7)




Internet Information Services (IIS) Manager is the main management tool for your Web serverYou can configure properties for an individual site or

for all sites on the serverYou can tune Web site performance based on the

number of visitors expected per dayThe default setting is to accept an unlimited number of

connectionsTo conserve bandwidth, you can limit the number of

connections

Managing IIS

(Skill 8)




Security options and authentication methods Integrated Windows authentication is the default selection

It uses either Kerberos or NTLM (also referred to as Windows NT Challenge/Response authentication)

In NTLM, the user name and password are hashed before they are sent

.NET Passport authentication method A user can create a single sign-in name and passport to access

numerous Web sitesThe sites are configured to use the Passport single sign-on service

(SSI)

Managing IIS (2)

(Skill 8)




Tabs in the Default Web Site Properties dialog box you can use to configure options HTTP Headers Custom Errors Documents Home Directory ISAPI Filters

Managing IIS (3)

(Skill 8)




Figure 15-45 The Web Site tab

(Skill 8)

By default, the Enable Logging check box and W3C Extended Log File Format are selected; this includes logging for the Time Taken, Client IP Address, Method, URI Stem, and HTTP Status fields




Figure 15-46 The Performance tab

(Skill 8)

You can limit the number of connections your IIS server will accept in order to conserve bandwidth and memory and to protect your Web server from overload attacks

Use to limit the bandwidth of your Web server




Figure 15-47 The Directory Security tab

(Skill 8)

Click to start the Web Server Certificate Wizard

Click to disable anonymous access or edit the authentication method




Figure 15-48 The Authentication Methods dialog box

(Skill 8)

Clear to disable anonymous access

Select to have user’s credentials sent as an MD5 message digest hash




Figure 15-49 .NET Passport Authentication

(Skill 8)




Figure 15-50 The Deny Access dialog box

(Skill 8)




Figure 15-51 The HTTP Headers tab

(Skill 8)




Figure 15-52 The Content Ratings dialog box

(Skill 8)




IIS backupsCan be used to restore only the IIS configurations, not the

content files or Registry settingsCreate copies of the metabase configuration file

(MetaBase.xml) and the metabase schema file (MBschema.xml

The metabase files are stored in the folder %systemroot%\system32\inetsrv

Managing IIS (4)

(Skill 8)




Figure 15-53 The Custom Errors tab

(Skill 8)




Figure 15-54 The Edit Custom Error Properties dialog box

(Skill 8)




Figure 15-55 The ISAPI Filters tab

(Skill 8)




Figure 15-56 The Configuration Backup/Restore dialog box

(Skill 8)

Automatic Backups




You can use two types of permissions to control access to the resources on your Web serverWeb permissions apply to all HTTP clients and determine

the level of access to server resources NTFS permissions detail the level of access individual

users or groups can have for files and folders on the Web server

Auditing allows you to monitor Web site usage to maintain the security of the Web server and to track the activities users perform on the site

Configuring IIS Security

(Skill 9)




Figure 15-57 Setting Execute permissions

(Skill 9)

Use if the directory has no executable files so the server will not run scripts or executable files in the directory

Use when other types of executable files can run on the server; the types of applications that can be run will not be limited to the Application Mappings list as they are for the Scripts only permission

Use if only scripts such as .asp files can run on the server; the server will be able to execute only the script types you have defined




Figure 15-58 The Application Configuration dialog box

(Skill 9)

When you use the Scripts only Execute permission, the server will be able to execute only those script types you have defined on the Application Mappings list




Certificates In IIS, digital identification files called certificates can be

used to authenticate both the client and the serverYou use the Web Server Certificate Wizard to request

certificates, apply certificates, and to remove them from a Web site

Client certificates: Optionally, part of the SSL Handshake Protocol can include client authentication to the server to validate users who are asking for data from your Web site

Client Certificate mapping: Another method is to map client certificates to Windows user accounts on the Web server

Configuring IIS Security (2)

(Skill 9)




Figure 15-59 The Logging Properties dialog box

(Skill 9)




Figure 15-60 The Web Server Certificate Wizard

(Skill 9)




Figure 15-61 The location of SSL within the TCP/IP Protocol suite

(Skill 9)




Figure 15-62 SSL Protocol layers

(Skill 9)




Figure 15-63 How SSL authenticates the server to the client

(Skill 9)




EncryptionEncryption is essential if sensitive data such as credit card

information and personal data, including addresses and phone numbers, is being transmitted

The SSL 3.0 protocol is the basis for IIS encryptionThe default secure communication settings for an IIS Web

server requires that the user’s Web browser support a session key strength of 40 bits or above

Configuring IIS Security (3)

(Skill 9)




Figure 15-64 The Secure Communications dialog box

(Skill 9)

This is the Windows Server 2003 default for SSL secure communication sessions; users must have a browser that supports a 128-bit session key in order to create an encrypted channel with your server




Figure 15-65 Allowing directory settings to override Web site settings

(Skill 9)

Click to select all of the child nodes and apply the site setting to the directories




IIS supports the hosting of multiple Web sites on a single Web server, so you can add new Web and FTP sites in addition to the defaults

By default, the home directory for the WWW service is %systemroot%\Inetpub\wwwroot

The default FTP service home directory is %systemroot%\InetPub\Ftproot

A virtual directory is used to make a directory “appear” to be within the home directory, when it really isn’t

Administering the Web Environment

(Skill 10)




Figure 15-66 Default WWW service home directory

(Skill 10)




Figure 15-67 Default FTP service home directory

(Skill 10)




Figure 15-68 The Web Site Creation Wizard

(Skill 10)




Figure 15-69 The Web Site Description screen

(Skill 10)




Figure 15-70 The IP Address and Port Settings screen

(Skill 10)




Figure 15-71 The Web Site Home Directory screen

(Skill 10)




Figure 15-72 Specifying the path to the virtual directory

(Skill 10)




Figure 15-73 Setting Virtual Directory Access Permissions

(Skill 10)




Figure 15-74 Viewing the new Web site

(Skill 10)




The MetaBase.xml file is a text file that can be edited in any text editor such as Notepad

IIS 6.0 also includes new logging functionality, UTF-8 (Uniform Transformation Format-8-bit) logging

MIMESMIME types are used to prevent attackers from sending

malicious files In IIS, only static files that have extensions on the MIME

(Multipurpose Internet Mail Extensions) types list can be served to users

A default global list of MIME types is installed with IIS 6.0

Administering the Web Environment (2)

(Skill 10)




Figure 15-75 Enabling Direct Metabase Edit

(Skill 10)




Figure 15-76 The metabase History folder

(Skill 10)




Figure 15-77 The MIME Types dialog box

(Skill 10)




When you are running IIS 6.0 in worker process isolation mode, you can group Web applications into application pools

You can assign any Web directory or virtual directory to an application pool Improves the efficiency of your IIS server Ensures that other Web applications will not have their service

interrupted when the applications in the new application pool stop

Guidelines for creating application pools Create an application pool for each Web site Configure a user account (process identity) for each application

pool Create a unique application pool for applications that you want to

run with their own unique set of properties

Creating Application Pools

(Skill 11)




Figure 15-78 The Add New Application Pool dialog box

(Skill 11)




Figure 15-79 Assigning an application to an application pool

(Skill 11)




Figure 15-80 The Identity tab on the Properties dialog box for an application pool

(Skill 11)




IIS 6.0 has two modes Worker process isolation mode

The default (and preferred) mode for IIS 6.0Capable of separating applications into isolated pools Identifies unhealthy processes, resources that are being

overtaxed, and memory leaks IIS 5.0 isolation mode

Should be used if you are running legacy Web applications that may not be compatible with worker process isolation mode

Not as secure as worker process isolation mode

Troubleshooting the Web Environment

(Skill 12)




Figure 15-81 Running the WWW service in IIS 5.0 isolation mode

(Skill 12)

IIS 6.0 runs in one of two modes: Worker process isolation mode or IIS 5.0 isolation mode, which provides backward compatibility with older applications




Figure 15-82 Changing IIS modes

(Skill 12)




Figure 15-83 Enabling Web service extensions

(Skill 12)




IIS problemsApplications are denied access to resourcesUsers request dynamic content and receive error 404Users request static content and receive error 404The application session state is dropped by worker

process recyclingClients receive error 503 (Service Unavailable message)

Troubleshooting the Web Environment (2)

(Skill 12)




Figure 15-84 Disabling worker process recycling

(Skill 12)

Clear to disable worker process recycling




Figure 15-85 Increasing the application pool queue length limit

(Skill 12)




Figure 15-86 Configuring rapid-fail protection

(Skill 12)

15.47 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows®...

Documents

Transcript of 15.47 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows®...