In this chapter, we take you through the installation and configuration process for IIS 6.0 and introduce you to its new features, including security features, reliability features, and other new features. We’ll show you how to use the Web Server Security Lockdown Wizard and how to manage security issues for your Web servers. We’ll also discuss troubleshooting issues, and you’ll learn to use the new IIS command-line utilities.

Installing and Configuring IIS 6.0

Before you can use IIS’s services, you have to install it (unless you’re using the Web Server Edition of Windows 2003 Server), so we will first concentrate on the installation process. IIS is not installed by default in any of the other Windows Server 2003 family members. You will learn about all of its new security features as we progress through this chapter. First, let’s learn about the prerequisites for installing IIS 6.0 on Windows 2003 Server.

Pre-Installation Checklist

You should take some precautions before installing IIS. These steps will ensure that your new IIS installation will run smoothly. Here is a checklist to go through prior to the installation:

■ Domain Name Registration for an IP address for the IIS server: If it is to be an Internet Web server (as opposed to an intranet server), the IIS server will be referred to by its domain name from outside the enterprise, so you must register a domain name and obtain a public IP address for it. You’ll also need to obtain DNS services for your domain, from your ISP or another public DNS server. You also need to assign an IP address or a unique machine name for references inside the enterprise.

■ Access privileges for installation: Make sure you are logged in with an account (Administrator or a member of the Administrators group for the machine) that has the correct privileges to access the machines and network components (for example, configuring routers to channel IIS requests).
Chapter 26 • Managing Web Servers with IIS 6.0

Internet Connection Firewall

Windows 2003 comes with a very basic internal software firewall called the Internet Connection Firewall (ICF). This feature is disabled by default. If you enable it, the firewall can be configured to enable or disable protocol access through IIS. The protocols in question that relate to IIS are HTTP, HTTPS, FTP, and SMTP. IIS 6.0 will not function correctly if the ICF is enabled and the relevant protocols are disabled. For example, the IIS 6.0 Web server will not function if the HTTP and HTTPS protocols are disabled. You basically have two options when it comes to the ICF:

1. Disable the firewall. (Warning: You are at the mercy of the corporate firewall!)
2. Enable the firewall and filter the correct protocols.

The most cost-effective method is to use the second option and maximize Windows 2003’s built-in functionality. Follow these steps to configure the protocols:

1. Open Start | Control Panel | Network Connections | Local Area Connection.
2. Navigate to the Advanced tab and select the Protect my computer and network by limiting or preventing access to this computer from the Internet checkbox.
3. Click the Settings button and navigate to the Services tab. This will bring up a window to select or deselect the access protocols to your server. This is the list of protocols the IIS server will understand to process user requests. Select the checkbox next to a protocol name to enable requests using that protocol. You can disable access for the protocol by clearing the checkbox.
4. Select the appropriate protocols for your organization. Most organizations will enable HTTP, HTTPS, SMTP, and FTP access through the firewall. As part of security best practices, avoid enabling protocols your organization will not be using.
Each time you select a protocol, a small window will appear, prompting you to enter the machine name or IP address of the server that hosts the service.
5. Click OK and repeat the process for all other protocols.

These are some of the prerequisites for your IIS 6.0 installation. Application of IIS security templates and operating system hardening are some of the other prerequisites. The next step is to initiate the installation process. There are several ways to install IIS in Windows 2003 Server. We will discuss each of these in the next section.

Installation Methods

IIS is not installed by default in the Windows 2003 Server setup, except in the Web Server Edition. There are three different ways to install IIS. They are listed below:

■ Use the Configure Your Server Wizard.
■ Use the Add or Remove Programs option from the Control Panel.
■ Use the Unattended Setup.

Using the Configure Your Server Wizard

In addition to its other possible roles (domain controller, file server, DNS server, and so forth), the Windows 2003 Server can act as an application server. When the computer is configured as an application server, IIS is installed. Follow these steps to install IIS 6.0 from the Configure Your Server Wizard:

1. Click the Start | Manage Your Server option. You will see the Manage Your Server window. Click the Add or remove a role link.
2. The next screen is the Preliminary Steps window. This is a warning screen that prompts the user to confirm that all prerequisites are met for the installation. Most of these warnings relate to hardware not being configured correctly. Click Next.
3. The next screen is the Configuration Options screen. This screen is presented to the user only once. You can select from two options to configure the server. The Typical configuration for a first server option will enable the basic server communication options.
It will set up a domain controller by installing Active Directory, DNS services, and DHCP services. The second option is Custom Configuration. This will enable you to configure your server by selecting specific options from a list. For this walk-through, we will choose this option.
4. The next screen displays a list of server roles that you can assign to your Windows 2003 server. This screen lists all the server services that are available. We will select the Application Server (IIS, ASP.NET) option from the list. You can also use this screen to install Print, Terminal, DNS, DHCP services, and more, as shown in Figure 26.1. Click Next.
5. The next screen is the Application Server Options window. This screen enables you to configure dynamic options for the IIS installation. The options you can select here include ASP.NET and FrontPage Extensions. ASP.NET is a scripting framework that is used to execute IIS applications. The FrontPage Extensions will enable your Web application to be ported to another Integrated Development Environment (IDE). That is, the same Web project can be modified using Visual Studio .NET and Web Matrix. The FrontPage Extensions also will enable users to develop Web content and manage the Web site remotely. Click Next.
6. The next screen is a summary of the items you have selected. Review these, and use the Back button if you want to change anything. Note that the Enable COM+ for remote transactions option is added by the installation process. Click Next.
7. The installation process will begin. You will be presented with an Application Selections screen, and a progress bar will indicate the installation progress. The installation process will automatically bring up the Configuring Components window and will start to copy the correct files from the Windows 2003 installation CD, DVD, or network share. A confirmation screen will appear to complete the installation.
Figure 26.1 Server Role Screen

Using the Add or Remove Programs Applet

The previous section explained how to install IIS 6.0 by using the Configure Your Server Wizard. The second option is to install IIS through the Add or Remove Programs applet in Control Panel. Select Application Server and click the Details button to configure the application server options.

Using Unattended Setup

The third option for installing IIS is using the unattended setup feature, which is commonly used by system administrators to install IIS 6.0 on multiple computers. When you use this option, the setup program does not need any manual intervention. The configuration settings (the selections that you would make during an attended setup) are read from a text file and applied automatically by the operating system. You only need to initiate the process and IIS 6.0 will be installed according to the text file settings. After you create the answer file, you run winnt32.exe or the sysocmgr.exe command-line utility with the answer script as the parameter. The answer file has a .inf file extension. Some of the important options that are included in the answer file are shown in Table 26.1.

Table 26.1 Answer File Parameters for IIS Unattended Setup

Component                            Answer File Parameter
ASP.NET                              asp.net = on/off
FTP service                          iis_ftp = on/off
IIS Manager                          iis_inetmgr = on/off
NNTP Service                         iis_nntp = on/off
SMTP Service                         iis_smtp = on/off
WWW Service                          iis_www = on/off
Active Server Pages                  iis_asp = on/off
WebDAV Publishing (discussed later)  iis_webdav = on/off

Figure 26.2 Configuring Components Window

Installing IIS with unattended setup is very straightforward. You can also get the help available for unattended setup by using the sysocmgr.exe /? syntax.
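As an added illustration of Table 26.1 (this file is constructed for this edit; it is not from the book or from Microsoft’s documentation), here is an answer file that installs only the WWW service, IIS Manager and ASP.NET and leaves every other component off, which is the same “enable only what you will use” rule the ICF section gives for protocols. The file name iis_unattend.inf and the choice of which components to turn on are assumptions; the parameter names are the ones in Table 26.1.

```ini
; Constructed example answer file for an unattended IIS 6.0 installation.
; Added illustration of Table 26.1, not the book's own file. Assumed name: iis_unattend.inf
; "on" installs the component, "off" leaves it out of the installation.
[Components]
; WWW Service: the Web server itself
iis_www = on
; IIS Manager MMC snap-in, for local administration
iis_inetmgr = on
; ASP.NET, needed for .aspx pages and .asmx Web services
asp.net = on
; Classic Active Server Pages: off for a pure ASP.NET site
iis_asp = off
; FTP service: off unless file transfer is actually required
iis_ftp = off
; SMTP service: off unless the server must send mail
iis_smtp = off
; NNTP service: off
iis_nntp = off
; WebDAV publishing: off; enable later only if remote authoring is required
iis_webdav = off
```

To apply it with the Optional Component Manager, point the /i: switch at the system’s sysoc.inf and the /u: switch at the answer file, for example sysocmgr /i:%windir%\inf\sysoc.inf /u:C:\iis_unattend.inf. Because the same file is replayed on every server, keep it under change control and review it when a component is switched on: a single edit here changes the attack surface of every machine built from it.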
Installation Best Practices

Installation best practices will ensure the optimum scalability and performance of IIS 6.0. Here are some of the important steps to ensure maximum value from IIS:

■ The file system onto which you install IIS should be NTFS.
■ Make sure the Internet Connection Firewall (ICF) is enabled and configured properly unless you will be relying on a separate firewall product.
■ Use unattended setup to install IIS on multiple machines.
■ The Configure Your Server Wizard will enable you to install multiple application server components (DNS, file server, etc.). Therefore, you can install other components in parallel with the IIS 6.0 setup.

What’s New in IIS 6.0?

There are many new features in IIS 6.0. Many of these features are designed to address technical and architectural issues in IIS 5.0. The new features can be divided into several broad categories. The most important categories are security and reliability. Microsoft has invested a large number of resources in its new Trustworthy Computing initiative. IIS 6.0 is one of the first products to be developed under this security-focused strategy. Performance is also enhanced by some key architectural modifications to the IIS 6.0 object model. In the following sections, we investigate these changes in detail.

New Security Features

IIS 5.0 and earlier versions were constantly patched by hot fixes from Microsoft. IIS was once considered one of the main security holes in the Windows architecture. This was a major deterrent to using IIS as a commercial Web server. IIS 6.0 comes with an extensive list of new security features.

Advanced Digest Authentication

Advanced Digest Authentication is an extension of Digest security. Digest security uses MD5 hashing to encrypt user credentials (user name, password, and user roles).
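To make the “stored as an MD5 hash” idea in this section and the next paragraph concrete, the following Python script is an added example (not from the book, and it models the standard HTTP Digest computation from RFC 2617 rather than any IIS or Active Directory internals). It shows that a server which keeps only HA1 = MD5(username:realm:password) can still verify a client’s Digest response, while the clear-text password never has to be present on the server. The realm, user name, nonce and request values are constructed.

```python
import hashlib
import hmac

REALM = "iis.example.test"  # constructed realm; Digest hashes are bound to the realm


def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as a lowercase hex digest (Digest auth is defined over MD5)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the value a Digest-capable credential
    store keeps instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client-side computation of the Authorization header's 'response' field (qop=auth)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, client_response: str) -> bool:
    """Server-side check that needs only the stored HA1, never the password.
    compare_digest avoids leaking the position of the first mismatching byte."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


def demo() -> dict:
    """Run one good login, one wrong password and one stale-nonce replay; return the verdicts."""
    # Constructed parameters: the server chose nonce, the client chose cnonce and nc.
    nonce, cnonce, nc = "a1b2c3d4e5f6", "0a4f113b", "00000001"
    method, uri = "GET", "/secure/report.aspx"
    stored_ha1 = digest_ha1("chris", REALM, "correct horse")  # what the directory keeps

    good = digest_response(digest_ha1("chris", REALM, "correct horse"),
                           method, uri, nonce, nc, cnonce)
    wrong_pw = digest_response(digest_ha1("chris", REALM, "wrong password"),
                               method, uri, nonce, nc, cnonce)
    # A response computed for an earlier nonce no longer verifies against the current one.
    replay = digest_response(digest_ha1("chris", REALM, "correct horse"),
                             method, uri, "stale-nonce", nc, cnonce)
    return {
        "good_accepted": verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, good),
        "wrong_password_rejected": not verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, wrong_pw),
        "replay_rejected": not verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, replay),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the HA1 construction: the hash is tied to the realm, so changing the realm string invalidates every stored credential, and the server must keep nonces fresh, since the response is only as replay-resistant as the nonce it was computed over.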
Advanced Digest Security takes the digest authentication model further by storing the user credentials on a domain controller as an MD5 hash. The Active Directory database on the domain controller is used to store the user credentials. Thus, intruders would need to get access to the Active Directory in order to steal the credentials. This adds another layer of security to protect access to Windows 2003 Web sites.

Server-Gated Cryptography (SGC)

Communication between an IIS Web server and the Web client is done using Hypertext Transfer Protocol (HTTP). These HTTP network transmissions can be easily compromised due to their text-based messaging format. To improve security, the HTTP calls between the client and the server can be encrypted. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most common encryption mechanisms used on Web sites. SSL/TLS enable secure communication by encrypting the communication channel with a cipher algorithm. TLS is the later version of the SSL protocol and is more secure than SSL. Server-Gated Cryptography (SGC) is an extension of SSL/TLS. It uses strong 128-bit encryption to encode data. SGC does not require an application to run on the client’s machine. A special SGC certificate is needed to enable the SGC support built into IIS 6.0. IIS 6.0 supports both 40-bit and 128-bit encryption sessions. This means older 40-bit SGC certificates are still valid in IIS 6.0. SGC is commonly used for financial sector applications to protect data.

Selectable Cryptographic Service Provider (CSP)

SSL/TLS offer a secure environment in which to exchange data, though it places a heavy load on the CPU. IIS 6.0 comes with a new feature called Selectable Cryptographic Service Provider (CSP) that enables the user to select from an optimized list of cryptography providers.
A cryptographic provider will provide you with an interface to encrypt communication between the server and the client. CSP is not specific to IIS and can be used to handle cryptography and certificate management. Microsoft implements two default security providers: the Microsoft DH SChannel Cryptographic Provider and the Microsoft RSA SChannel Cryptographic Provider. The Microsoft implementations are optimized for IIS 6.0 for faster communications. The private keys for these two Microsoft implementations are stored in the registry. The Microsoft Cryptographic API (CryptoAPI) presents an identical interface for every provider. This will enable developers to switch between providers without modifying their code. The CSP can be configured using the Web Server Certificate Wizard: open the Properties of a Web site, select the Directory Security tab, and then click the Server Certificate button.

Configurable Worker Process Identity

One of the most serious problems with previous IIS versions was the instability of the World Wide Web (WWW) Publishing Service. The failure of this service could result in the shutdown of the machine. IIS 6.0 runs each Web site in an isolated process environment. This isolated process environment is called a worker process. Therefore, a Web site malfunction can be limited to its own process environment, avoiding a Web server shutdown. IIS 6.0 can also run using the IIS 5.0 isolated environment. The IIS system administrator can choose between the worker process model and the IIS 5.0 isolation model by selecting the correct option on the Services tab, reached by right-clicking Web Sites. You can check the Run WWW service in IIS 5.0 isolation mode option box to run IIS in IIS 5.0 isolation mode. IIS will run in the worker process model if you do not check the box. You cannot run worker process model Web sites and IIS 5.0 isolation mode Web sites simultaneously.
The worker process can be run with a lower level of permission than the system account. The worker process will shut down the application if the IIS server is targeted with malicious code. IIS 6.0 (which is by default run by the local system account) is not affected, since the worker process can be configured to run under a less-privileged account.

Default Lockdown Status

The default installation of IIS 6.0 will result in a “light-weight” Web server. The only default feature available will be access to static content. This restricted functionality is referred to as Default Lockdown status. You can enable or disable IIS features through the Web Service Extensions node of the IIS Manager.

New Authorization Framework

Authorization refers to the concept of confirming a user’s access for a given resource. (Authentication refers to obtaining access to the resource. When a user is authenticated, we need to make sure that he or she is authorized to perform any tasks on the resource. This is the basis of authorization.) There are two types of ASP.NET authorization options available for IIS 6.0:

■ File Authorization The FileAuthorizationModule class is responsible for file authorization on Windows 2003 systems. The module is activated by enabling Windows Authentication on a Web site. This module does an access control list (ACL) check on the authorization access to an ASP.NET file for a given user. (It could be either an “.aspx” file for an ASP.NET application or an “.asmx” file for a Web service.) The file is available to the user if the ACL confirms the user’s access to the file.
■ URL Authorization The URLAuthorizationModule class is responsible for URL authorization on Windows 2003. This mechanism uses the URL namespace to store user details and access roles. URL authorization is available to use at any time. The authorization information is stored in a text file in a directory. The text file will have an <authorization> tag to allow or deny access to the directory. (This will apply to the subdirectories if not specified otherwise.) Here is a sample authorization file:

    <authorization>
      <allow users="Chris"/>
      <allow roles="Admins"/>
      <deny users="Kirby"/>
      <deny users="?"/>
    </authorization>

This file will enable Chris to access the directory’s content. It will also enable anyone with the Admins user role. The user Kirby is denied access. Anyone else will not be able to gain access to this directory (indicated by the ? wildcard).

New Reliability Features

The most significant modification to reliability in IIS 6.0 is the emphasis on the Worker Process Model. This concept was initially embedded into IIS 4.0 as “Running an application in a separate memory space.”

IIS separates all user code from its WWW service. The user application (the different Web sites) functions as a separate Internet Server Application Programming Interface (ISAPI) application. The separate ISAPI workspace is referred to as a worker process. IIS 5.0 ran each Web site within its own inetinfo.exe memory space. The IIS 6.0 worker process Web sites do not run within the inetinfo.exe (WWW service) memory space. Because the worker process runs in an environment isolated from the WWW service, an error in the Web site application code (or a malicious attack) will not cause the Web server to shut down. The worker process model can store application-specific data in its own memory space, whereas IIS 5.0 stored all the application data within the inetinfo.exe memory space. Because each worker process is a separate process, we can also assign a Web site to run on a specific CPU.
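Returning to the URL authorization section above: the outcome of an <authorization> section depends on rule order, because the first rule that matches the caller wins. The Python model below is an added example (not from the book and not the ASP.NET module itself); it reproduces the matching semantics of URLAuthorizationModule as the author of this edit understands them, namely first match wins, ? matches only anonymous callers, * matches every caller, names compare case-insensitively, and a request that matches no rule falls through to the inherited machine-level <allow users="*"/> (that inherited default is stated here as an assumption). It evaluates the book’s sample and a hardened variant that ends with <deny users="*"/>; the user names Dana and Pat are constructed.

```python
import xml.etree.ElementTree as ET

# The book's sample section, reproduced here as a constructed input.
BOOK_SAMPLE = """
<authorization>
  <allow users="Chris"/>
  <allow roles="Admins"/>
  <deny users="Kirby"/>
  <deny users="?"/>
</authorization>
"""

# Same intent, but the final rule denies every caller that earlier rules did not allow.
HARDENED_SAMPLE = """
<authorization>
  <allow users="Chris"/>
  <allow roles="Admins"/>
  <deny users="*"/>
</authorization>
"""


def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order; that order decides the outcome."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root:
        if el.tag not in ("allow", "deny"):
            continue
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules


def is_authorized(rules, user, roles=(), authenticated=True):
    """First matching rule wins. No match: assume the inherited <allow users="*"/>."""
    held = {r.lower() for r in roles}
    for action, users, rule_roles in rules:
        matched = False
        for u in users:
            if u == "*":                       # everyone, anonymous included
                matched = True
            elif u == "?" and not authenticated:  # anonymous callers only
                matched = True
            elif authenticated and u.lower() == user.lower():
                matched = True
        if any(r.lower() in held for r in rule_roles):
            matched = True
        if matched:
            return action == "allow"
    return True  # assumption: machine-level default allows when nothing matched


def evaluate(xml_text):
    """Decide access for a fixed set of constructed callers against one section."""
    rules = parse_rules(xml_text)
    return {
        "chris": is_authorized(rules, "Chris"),
        "admin_dana": is_authorized(rules, "Dana", roles=["Admins"]),
        "kirby": is_authorized(rules, "Kirby"),
        "kirby_as_admin": is_authorized(rules, "Kirby", roles=["Admins"]),
        "anonymous": is_authorized(rules, "", authenticated=False),
        "pat_authenticated": is_authorized(rules, "Pat"),
    }


if __name__ == "__main__":
    print("book sample:", evaluate(BOOK_SAMPLE))
    print("hardened:   ", evaluate(HARDENED_SAMPLE))
```

Two results are worth checking when reviewing such a section. Kirby is allowed in both variants as soon as he holds the Admins role, because the role allow precedes his deny; a deny that must beat a role grant has to come first. And with the book’s sample an authenticated user who matches nothing (Pat) is allowed, since ? denies only anonymous callers; the <deny users="*"/> in the hardened variant is what closes that gap.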
Health Detection

Health detection is performed by IIS over all its worker processes. This adds another level of reliability to the Web applications. The inetinfo.exe process (IIS) will check the availability of each worker process (the different Web sites) periodically. The IIS manager can configure this time limit (it is 240 seconds by default). Therefore, IIS will maintain a heartbeat between itself and its worker processes.

New Request Processing Architecture: HTTP.SYS Kernel Mode Driver

In Windows 2003 Server, the HTTP stack is implemented as a kernel mode device driver called HTTP.sys. All incoming HTTP traffic goes through this kernel process. This kernel process is independent of the application process. IIS 6.0 is an application process and external to HTTP.sys. Recall that application processes (IIS) run in user mode and the operating system functions run in kernel mode. HTTP.sys is responsible for the following:

■ Connection management (managing the database connections from the ASP.NET pages to databases),
■ Caching (reading from a static cache as opposed to recompiling the ASP.NET page),
■ Bandwidth throttling (limiting the size of the Web requests to a Web site), and
■ Text-based logging (writing IIS information into a text log file).

In IIS 5.0, the HTTP request was consumed by the IIS inetinfo.exe. HTTP.sys in IIS 6.0 relieves IIS of this responsibility. In doing so, it enhances IIS performance in the following ways:

■ HTTP.sys enables caching (referred to as flexible caching) at the kernel level so that static data can be cached for faster response time (independent of the user-mode caching). This will be faster than user-mode caching. We need to be careful with flexible caching: because HTTP.sys is separate from IIS, we may still serve old cached data after an IIS restart.
■ HTTP.sys introduces a mapping concept called the “application pool.” Application pooling enables Web sites to run together in one or more processes, as long as they share the same pool designation.
Web sites that are assigned different application pools never run in the same process. A central Web site (for example, a credit card verification Web site) can be accessed by all the other miscellaneous sites (shopping cart e-commerce sites) by using this method. By using the correct application pool information, HTTP.sys can route the HTTP traffic to the correct Web site.
■ HTTP.sys increases the number of Web sites you can host using the application pool concept. This architecture also increases performance and gives more controlled access to valuable IIS resources.

Other New Features

Let’s concentrate on some of the other new features in IIS 6.0. All of these changes are designed to improve IIS scalability. Some of these changes are a byproduct of the Microsoft .NET strategy.

ASP.NET and IIS Integration

IIS is a Web server, and one of its functions is to accept HTTP requests. We need to have a scripting language that can communicate with IIS in order to do this. Earlier versions of IIS (2.0 through 5.0) used a scripting language called Active Server Pages (ASP). IIS 6.0 uses ASP.NET scripting languages for the same purpose. There are some significant changes to the ASP.NET architecture (compared to the older ASP). Some of those advantages include the following:

■ ASP.NET is based on the Microsoft .NET Framework. ASP.NET can be coded in multiple languages (C#, VB.NET, JScript.NET, etc.).
■ You can have multiple-language code in the same ASP.NET page. In other words, you can have a VB.NET function in a C# ASP.NET page.
■ ASP code is interpreted (the code is compiled line by line, not as the complete source file at once), while ASP.NET code is compiled. (The complete source file is compiled once, not line by line.) This makes for a significant performance increase in IIS 6.0.
■ ASP.NET allows you three levels of caching. You can cache complete pages. The second option is to cache selected parts of the pages (referred to as fragment caching). The third option is to use the Caching API. Developers can use this to exert extensive control over caching behavior, and thus increase performance.

Unicode Transformation Format-8 (UTF-8)

The log file of earlier IIS versions was only in English. This was a major issue for multilingual Web sites. Multilingual support is enabled by supporting UCS Transformation Format 8 (UTF-8) character codes. Computer applications do not understand human-readable characters. They only understand binary code. There are conversion tables available to convert a key value to a human-readable character (those tables are referred to as local character sets or Unicode formats). The tables were language specific. Therefore, we could not read an English log file entry in Japanese. The UTF-8 format rectifies these problems. We can instruct HTTP.sys to log details in a specific language format. FTP site login does not support UTF-8 login. Therefore, we can maintain multiple log files in multiple languages. UTF-8 support is available for URLs and filenames in IIS 6.0. Active Server Pages (ASP) will also have UTF-8 support. The Unicode code is converted into UTF-8 in this instance.

XML Metabase

The information store that contains IIS configuration settings is referred to as the metabase. The metabase is a hierarchical database in which all the information needed to configure IIS is stored. The metabase data was in binary format in earlier IIS versions.
It was difficult to edit the entries, or even to read them, since the information was in binary. The IIS 6.0 metabase, on the other hand, is in XML format. These Extensible Markup Language files are plain text. You can use a general text editor to change the XML entries, and these changes can even be performed while IIS 6.0 is running. Editing the XML metabase while IIS is running is referred to as “edit while running.” You do not need to restart IIS to reflect the changes (unless you overwrite the schema file with a new version). This design change has also significantly increased the performance of IIS 6.0. It has reduced the start-up and shutdown time of IIS considerably. (All the IIS settings were in inetinfo.exe and the system registry. This resulted in multiple reads from the registry and accesses to system resources at start-up time. We also needed to clear all memory references at shutdown time. We do not need to do these things in IIS 6.0 due to the XML metabase.) The metabase consists of the following two XML files:

■ Metabase.xml An XML document that contains IIS configuration values for the server (for example, Web site details, virtual directory details).
■ MBSchema.xml An XML document in which the metabase XML schema is stored, which acts as a validation tool to enter correct metabase values in Metabase.xml.

The metabase files are located in the Systemroot\System32\Inetsrv directory. You need administrator permission to view the contents of the metabase entries. You cannot edit the metabase.xml file. You will not be able to edit the MBSchema.xml file directly. The schema changes are enabled by using the Active Directory Service Interface (ADSI). Editing a metabase.xml file is a tedious task. A simple approach is to use the IIS Manager interface to make the changes. However, editing the file directly could save some effort for expert users. It is possible to have simultaneous changes to the metabase.xml.
(The schema is changed by ADSI while the administrator is making some changes to the metabase.xml file.) We can prevent this by using access control lists (ACLs) on the metabase files. This will prevent the XML file changes while the schema changes are made. The metabase history feature stores a history of the Metabase.xml file changes. This is valuable for IIS to execute new metabase changes.

Thus far, you have learned about the installation process and the new features in IIS 6.0. In the following sections, we will practice using the interface to perform common IIS management tasks. You will learn how to create, manage, stop, start, and delete IIS components (Web, FTP, NNTP, and SMTP servers).

Managing IIS 6.0

The primary tool for managing IIS 6.0 is an MMC snap-in called IIS Manager. Most of the management of IIS functions can be done using the IIS Manager.