Hands-On Microsoft Windows Server 2003 Administration Chapter 7 Administering Web Resources in...
-
date post
21-Dec-2015 -
Category
Documents
-
view
226 -
download
1
Transcript of Hands-On Microsoft Windows Server 2003 Administration Chapter 7 Administering Web Resources in...
Hands-On Microsoft Windows Server 2003
Administration
Chapter 7
Administering Web Resources in
Windows Server 2003
2
Objectives• Install and configure Internet Information
Services (IIS)• Create and configure Web-site virtual servers
and virtual directories• Configure Web-site authentication• Configure and maintain FTP virtual servers• Update and maintain security for an IIS server• Create and modify Web folders• Install and use the Remote Administration
(HTML) tools• Troubleshoot Web client-browser connectivity
3
Installing and Configuring Internet Information Services
• Internet Information Services (IIS) 6.0– Provides Web-related services to an organization– Four main components
• World Wide Web (HTTP) services– Provides the capability of hosting multiple Web sites
accessible from the Internet or an intranet• File Transfer Protocol (FTP) services
– Provides the ability to copy files between the server and a remote location
4
Installing and Configuring Internet Information Services (Continued)
• Network News Transfer Protocol (NNTP) services– Used to provide a means of maintaining a list of
topics and threaded conversations between users
• Simple Mail Transfer Protocol (SMTP) services– Provides e-mail capabilities to the other services of
IIS
5
Installing Internet Information Services
• IIS 6.0– Not installed by default during a standard
installation of Windows Server 2003
– Individual IIS components can be manually installed via the Add or Remove Programs applet in Control Panel
6
Internet Information Services components
7
Installing Internet Information Services (Continued)
• Changes on the server after a successful installation of IIS– Additional folders on the hard drive
• %systemroot%\system32\inetsrv• C:\Inetpub• C:\WINDOWS\Help\iishelp
– Additional user objects in Active Directory• ISUSR_servername• IWAM_servername• IIS_WPG group
8
Installing Internet Information Services (Continued)
• Changes on the server after a successful installation of IIS (Continued)– Additional services installed within the operating
system• FTP Publishing Service• IIS Admin Service• Network News Transfer Protocol (NNTP)• Simple Mail Transfer Protocol (SMTP)• World Wide Web Publishing Service
9
Architectural Changes in IIS 6.0
• Metabase– Central storage location for IIS configuration
information
– Stored in two standard Extensible Markup Language (XML) files
• MetaBase.xml– Contains the actual configuration settings for IIS 6.0
• MBSchema.xml– Contains the XML schema that provides the default
values of the various metabase properties
10
Architectural Changes in IIS 6.0 (Continued)• A number of process management and administration
features have been introduced in IIS 6.0
11
Configuring Web Server Properties
• IIS MMC snap-in– Primary tool used for configuration purposes
– Available on the Administrative Tools menu
– Initially displays the default sites and services:• FTP Sites• Application Pools• Web Sites• Web Service Extensions• Default SMTP Virtual Server• Default NNTP Virtual Server
12
Configuring Web Server Properties (Continued)
• Master properties– IIS parameters that are
• Configured at the site-folder level• Inheritable by all Web or FTP sites hosted on the
server
– Benefit• You can quickly set various common
configurations on all Web or FTP sites at once
– Configuration settings changed at the site, folder, or file level override the master properties
13
Creating and Configuring Web-Site Virtual Servers• IIS can host a large number of Web sites or
virtual servers on a single server– Virtual server
• A unique Web site that behaves as if it were on its own dedicated server
• Before creating a Web site– Identify the IP address to which the Web site
responds– Identify the TCP port to which the Web site responds– If you have multiple virtual servers responding to the
same IP address, identify the host header name to which your new Web site responds
14
Creating and Configuring Web-Site Virtual Servers (Continued)
• Each Web site on your server must have a way of being uniquely identified
• Ways to make sure that each Web site is unique– Use a separate IP address to distinguish each
Web site– Use a single IP address with a specific port
number for each Web site– Use a single IP address with multiple host
headers representing each Web site
15
Creating and Configuring Web-Site Virtual Servers (Continued)
• Web Site Creation Wizard– Provides a simple, step-by-step method of
creating and initially configuring Web sites
• iisweb.vbs script– Can be used to create new Web sites from the
Windows Server 2003 command line
16
Modifying Web-Site Properties
• Once a Web site is created, a number of properties can be modified to fine-tune the parameters of the site
• Configuring the properties page for a specific Web site affects only that site and no others
• Any parameters configured at the Website level override the master properties that may have been set at the server level
17
Web site properties tabs
18
Creating Virtual Directories
• To include information stored on multiple servers in a Web site– Create a virtual directory that specifically points to
the shared folder that stores the data• An alias of the virtual directory can be used to
– Hide the real directory name– Simplify the path that the server should use to
access the information
19
Configuring Authentication for Web Sites
• All Windows Server 2003 servers require that any user who tries to access the server be authenticated to a valid user account
• Authentication– Determining whether or not a user has a valid
user account with the proper permissions to access a resource
20
Configuring Authentication for Web Sites
• IIS provides five levels of authentication– Anonymous access
– Basic authentication
– Digest authentication
– Integrated Windows authentication
– .NET Passport authentication
• Authentication settings are configured from within the properties of a Web site in the Authentication and access control section of the Directory Security tab
21
Configuring Web site authentication options
22
Anonymous Access
• Allows users to access a Web site without having to provide a user name and password
• IUSR_servername user account– Used by IIS to provide the required authentication
credentials to a user
– Member of the Domain Users (on a domain controller) and Guests groups by default
23
Basic Authentication
• Prompts users for a user name and password to be able to access the Web resource
• Requirement– User needs to have a valid Windows Server 2003
user account to be able to gain access to the Web site
• Potential problem– User name and password are transmitted using
Base64 encoding (not encryption) and can easily be captured and read by hackers
24
Digest Authentication
• Works the same way as Basic authentication• Difference from Basic authentication
– User name and password are hashed using the MD5 algorithm to prevent hackers from obtaining the information
25
Digest Authentication (Continued)
• Requirements – Users must
• Be running Internet Explorer 5.0 or higher• Have an account in Active Directory or a trusted
domain
– An IIS server using Digest authentication must• Be part of an Active Directory domain
• Running HTTP 1.1 and WebDAV
26
Integrated Windows Authentication
• Does not ask the user for a password• Uses the client’s currently logged-on credentials
to supply a challenge/response to the Web server
• Primarily used on internal intranets• Once this choice has been enabled, it can only
be used if– Anonymous access is disabled on the Web site– Windows file permissions have been set,
requiring users to provide authentication to access the resources
27
.NET Passport Authentication
• Allows a Web site to use the functionality of the .NET Passport service to authenticate user identities
• Requirements for authenticating users with a .NET Passport– The company must
• Carry out a variety of preproduction tests with Microsoft
• Go through a registration process
28
.NET Passport Authentication (Continued)
• The following rules apply if multiple authentication methods are configured– If Anonymous authentication and one other
method are selected, the other method only applies if Anonymous authentication fails
– FTP sites cannot use Digest, Integrated Windows, or .NET Passport authentication
– Both Digest and Integrated Windows authentication take precedence over Basic authentication
29
Configuring Server Certificates and Secure Sockets Layer
• Secure Sockets Layer (SSL) protocol– Used to encrypt Web traffic between a client and
the Web server
– Clients can access a secure server using SSL by using URLs that begin with https:// instead of the http:// prefix
– Implemented using the Directory Security tab of a Web site
30
Configuring Server Certificates and Secure Sockets Layer (Continued)
• A server certificate– Needed to use SSL on a Web server
– Can be • Obtained from a certificate authority (CA)• Created by the company itself for internal purposes
31
Configuring FTP Virtual Servers
• File Transfer Protocol (FTP)– Used to transfer files between two computers that
are both running TCP/IP
• The FTP service included with IIS 6.0 enables users to transfer files to and from it using FTP client software such as– The command-line ftp utility
– A Web browser
32
File Transfer Protocol
• FTP– An industry-standard method of transferring files
between two hosts running TCP/IP
– Uses two ports for connections during a single session
• TCP port 21– Usually used to initiate the connection and for
diagnostic functions
• TCP port 20– Usually used to pass data
33
File Transfer Protocol (Continued)
• Transmission Control Protocol (TCP)– Used by FTP for file transfers– A connection-based protocol
• To use FTP to transfer files between two computers– One machine must be running FTP client
software– Other machine must be running FTP server
software
34
Configuring FTP Properties
• When multiple FTP sites are configured to run on a single IIS 6.0 server, each site– Behaves and operates independently
– Appears to the client to be running on its own FTP server
– Has its own set of property sheets
• Five tabs are available from the site properties window of an FTP site
35
FTP site property tabs
36
Creating an FTP Site Virtual Server
• New FTP sites can be created by:– Using the Internet Information Services tool
– Scripting
• FTP sites allow you to create virtual directories that can be both local and remote to the IIS server
37
Updating and Maintaining Security for an IIS Server: Resource Permissions
– Specify the types of access users are granted
– Types of permissions • NTFS permissions• IIS permissions
– To provide the most security for Web content• Combine NTFS permissions and IIS permissions
38
IP Address and Domain Name Security
• To secure Web content– Administrators can grant or deny access to users
based on their• IP address
– Administrators can grant or deny access to:» An individual IP address» A particular address range
• Domain name
39
Starting and Stopping Services
• At some point, administrators may need to stop and restart services related to IIS for administrative purposes
• IIS 6.0 allows services to be stopped and restarted through the Internet Information Services console
40
Backing Up the IIS Configuration
• Options for backing up the metabase– Use the backup utility in the IIS console to back
up the database– Copy the contents of the backup directory to
another folder to provide redundancy after an initial backup has been performed
– Use the metabase editor tool to export the contents of the database to a text file
– Use the iisback.vbs script– Use the Windows Server 2003 Backup utility or a
third party utility and choose to backup System State data
41
Backing Up the IIS Configuration (Continued)
• Two common types of updates that can be applied to a IIS Server– Service packs
– Hot fixes
• Microsoft Baseline Security Analyzer– Can be used to determine which IIS hot fixes are
currently installed on the Web server
42
Creating and Modifying Web Folders
• A Web folder– Designed to be accessed from the Internet or an
intranet using the HTTP or FTP protocols• Web Sharing tab
– Used to configure a folder to be shared over the Web
• Access permissions and application permissions can be configured for Web folders
43
Web folder access permissions and Application permissions
44
Installing and Using Remote Administration (HTML) Tools
• Remote Administration (HTML) tools– Can be used to remotely manage
• IIS 6.0 servers• System elements, such as
– Network settings
– Disk quotas
– Installation• Must be added manually via the Add/Remove
Windows Components feature of Add or Remove Programs in Control Panel
45
Troubleshooting Web Client Connectivity Problems: Client Access Problems
• Problem– Users unable to gain access to an IIS Server
• To troubleshoot– Verify the TCP/IP configuration settings that have
been configured on the client– Check the proxy settings that have been
configured through the client’s Web browser
46
Troubleshooting Web Client Connectivity Problems: Client Access Problems (Continued)
– Check for obvious problems such as• Whether the proxy server is available and online• Whether the client is connected to the network
– Enable or disable the Show friendly HTTP error messages options in the properties of Internet Explorer
– Use a protocol analyzer to capture packets moving between the client and the Web server to determine where communications errors may be taking place
47
Troubleshooting Web Client Connectivity Problems: Client Access Problems (Continued)
• Problem– Users complaining that they are unable to gain
access to a Web site or FTP site configured on an IIS server
• To troubleshoot– Check permissions assigned to the site– Check to see which authentication method has
been configured for the site– Check to see what IP address and domain name
restrictions have been applied to the site
48
Troubleshooting Web Client Connectivity Problems: Client Access Problems (Continued)
– If there is a connection limit set for the site, make sure this limit has not been exceeded
– If the service has been configured to use a port other than the default, make sure the client is specifying the correct port number
– If you have not enabled Anonymous access, make sure the client has a valid user account
– On the client computers, from the command prompt, type “ipconfig /flushdns” to clear the DNS cache
49
Summary
• Internet Information Services includes four main components – World Wide Web (HTTP) services
– File Transfer Protocol (FTP) services
– Network News Transfer Protocol (NNTP) services
– Simple Mail Transfer Protocol (SMTP) services
• Master properties– IIS parameters that can be configured on the
server and are inheritable by all Web and FTP sites hosted on the server
50
Summary (Continued)
• Multiple Web sites can be distinguished on a single Web server by– Configuring individual IP addresses for each site– Configuring individual port numbers for each site– Configuring a host header for each site
• A virtual directory– Can be used to include information that may be
stored on a different server from the one on which the Web site home directory is located
• By default, Anonymous access is used to allow public access to a Web site
51
Summary (Continued)
• Five main authentication methods used in IIS– Anonymous– Basic– Digest– .NET Passport– Integrated Windows authentication
• Regular IIS maintenance tasks include– Backing up the IIS configuration– Starting or stopping services– Installing of hot fixes or service packs