Chapter 4 • Managing and Maintaining Web Servers (www.syngress.com)
EXAM 70-292 OBJECTIVE 3.3.1

7. To create or edit approved certificate trust lists (CTL) for the Web site, enable this option and click New or Edit to configure it. A CTL is a list of approved CAs for a particular Web site.
8. Click OK to close the Secure Communications dialog.

TEST DAY TIP
If you set the Require 128-bit encryption option and clients connect with a valid certificate but with a browser that cannot support 128-bit encryption, they will not be able to connect. Select this option with care!

Troubleshooting IIS 6.0

Let’s examine some of the troubleshooting associated with IIS 6.0. Troubleshooting can be divided into three different areas:
■ Content errors
■ Connection errors
■ Miscellaneous errors

Troubleshooting Content Errors

Content errors are often caused by ASP or ASP.NET application codes. These application codes or scripts are required to perform business intelligence tasks to manipulate data. Some of the more common content errors are discussed in the following sections.

Static Files Return 404 Errors

This is the most common IIS error and could be due to one of two main reasons:
■ The user may have entered an incorrect URL
■ The file extension is invalid

IIS is configured to only accept requests from files that have a valid extension. For example, IIS will understand the “.ASPX” extension, but it will not understand an “.ABC” file extension.

TEST DAY TIP
You can enable IIS 6.0 to accept all requests for any file extension by adding the “*,application/octet-stream” value to the MIME types list in IIS 6.0.

IIS checks for the file extension upon its receipt of a request. All of the valid file extensions are available as Multipurpose Internet Mail Extensions (MIME) formats in IIS. MIME types instruct the Web server how to process the incoming requests.
For example, if an administrator requests an “.ASPX” file, the Web server knows to instruct ASP.NET to process the request. The MIME type does not have any effect on the returned data to the client.

EXAM WARNING
If you change the MIME settings, you need to restart the World Wide Web Publishing service. IIS 6.0 worker process needs to be recycled to detect the new MIME types. Therefore, a restart of the WWW service is necessary.

Dynamic Content Returns a 404 Error

IIS 6.0 default installation does not activate ASP.NET and CGI applications. These have to be manually enabled using the Web Service Extensions node of the IIS Manager, as previously discussed in the “Enabling Web Service Extensions” section. If the ASP.NET or CGI applications are not enabled, users will receive a 404 error on dynamic content.

Sessions Lost Due to Worker Process Recycling

A session could best be described as a data storage mechanism for a single user on a Web site. HTTP cookies are used to store information about the user activities; this information is referred to as session data. These ASP sessions were alive until the IIS server was restarted or they timed out. IIS 6.0 works on a worker process model, as previously discussed. Therefore, when the worker process stops, all session information is lost. The default installation configures IIS to recycle worker process every 120 minutes.

This session information is kept in RAM on the IIS server and can grow quite bulky in larger IIS implementations. This can result in adverse performance on the servers; therefore IIS 6.0 empties the session information by recycling the worker process every 1,740 minutes (or 29 hours) by default. The network administrator can either disable worker process recycling or extend the time settings if this creates problems. Worker process recycling can be configured by completing the steps outlined here:

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.
2. Expand the Applications Pools node and select the application pool that contains your Web site.
3. Right-click on the selected application pool and select Properties from the context menu.
4. The Recycling tab, as seen in Figure 4.56, is shown by default and allows you to configure recycling as needed.

Figure 4.56 Configuring the Recycling Properties for an Application Pool

ASP.NET Pages are Returned as Static Files

ASP.NET files are processed at the server and the HTML is returned to the browser. In some cases this could be DHTML, depending on the complexity of the browser. If the IIS server does not recognize an ASP.NET file or the .ASPX file extension, the server returns the static text as the reply. This can happen if IIS is reinstalled without reregistering ASP.NET.

Troubleshooting Connection Errors

Typically, connection issues are related to the performance of IIS and ASP.NET. Some of the more common connection errors are discussed in the following sections:

503 Errors

This error is generally caused by HTTP.sys overload and is usually due to one of two reasons:
■ The request queue length has exceeded the number of available application pool resources
■ Rapid-fail protection has been initiated by IIS

Every application pool has a configurable queue length. If the request pool queue exceeds this amount, the HTTP.sys cannot process the requests. This results in a 503 error being sent to the client. The queue length of an application pool can be changed by performing the following steps:

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.
2. Expand the Applications Pools node and select the application pool that contains your Web site.
3. Right-click on the selected application pool and select Properties from the context menu.
4. Switch to the Performance tab, as seen in Figure 4.57.
5. In the Request queue limit area, select the Limit the kernel request queue option and put a value in the text box.
6. Click OK to close the application pool Properties dialog box.

Figure 4.57 Configuring the Performance Properties of an Application

IIS initiates rapid-fail protection when too many application pool errors are generated for a specified time frame, which is usually the result of a memory leak in the application code. The default is five errors occurring in five minutes. This scenario triggers IIS to restart and issue a 503 error to the client. Alternatively, you can increase the error count and expand the timeframe by performing these steps:

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.
2. Expand the Applications Pools node and select the application pool that contains your Web site.
3. Right-click on the selected application pool and select Properties from the context menu.
4. Switch to the Health tab, as seen previously in Figure 4.42.
5. In the Enable rapid-fail protection area, enter the value for Failures and Time Period (in minutes) spaces.
6. Click OK to close the application pool Properties dialog box.

401 Error – Sub-authentication Error

Anonymous access to Web sites is managed by the sub-authentication component (iissuba.dll).
This DLL is not enabled by default in IIS 6.0, to avoid potential security risks due to anonymous access. The network administrator can enable the sub-authentication component by registering iissuba.dll and setting the AnonymousPasswordSync attribute in the metabase to true. The IIS administrator gets a warning when anonymous access is enabled.

TEST DAY TIP
The sub-authentication component for anonymous access is enabled by default in IIS 5.0 and lower. Remember, it is not enabled by default in IIS 6.0.

Client Requests Timing Out

There was less emphasis on connections timing out in IIS 5.0 and below; IIS 6.0 has made up considerable ground on this issue. IIS 6.0 has locked down and reduced the size of many client request properties, which has resulted in better efficiency and performance. Here are the new features in IIS 6.0 that deal with time outs:

■ Limits on response buffering: The network administrator can buffer all the process output at the server end and send the whole output to the client as a single entity, as opposed to processing some data, sending the information and starting to process the next bit of the initial request. This is referred to as response buffering. A timeout will result if the buffer exceeds the limit. This feature can be modified by using the ASPBufferingLimit metabase property.
■ Limits on posts: The maximum ASP post size is 204,800 bytes. A post refers to a HTTP POST response to the Web server. This is usually done as an HTML form submission. Sometimes these HTML form variables can be very lengthy. The maximum size allowed as HTTP POST request is referred to as Post limit/size. Each individual field can have up to 100k of data. If these fields are exceeded, a time out error is caused. This property can also be modified from the AspMaxRequestEntityAllowed property of the metabase.
■ Header size limitation: HTTP.sys only accepts a request that has less than 16K as the request header. HTTP.sys believes that anything larger is malicious and terminates the connection. The administrator can change this value by modifying the MaxRequestBytes registry key.

Troubleshooting Other Errors

The rest of the common errors you may experience do not clearly fall into content or connection categories, thus they are referred to as “other” errors.

File Not Found Errors for UNIX and Linux Files

IIS 6.0 can access and share information with UNIX and Linux systems. IIS 6.0, UNIX, and Linux all support mixed-case filenames. Unfortunately, the IIS static file cache stores filenames as upper case. UNIX and Linux systems are case sensitive whereas IIS is not. This results in the first file access occurring trouble-free; subsequent access to the same file will result in a File Not Found error because IIS 6.0 will try to extract it from the static file cache. The remedy is to disable static file cache if dealing with UNIX or Linux systems.

To disable static file cache on a Web site or a virtual directory, change the metabase property MD_VR_NO_CACHE to 1. To disable static file cache for all sites, edit the DisableStaticFileCache=1 value in the registry. Changing these settings affects only ASP.NET files. ASP files are not affected by this change. The static file cache caches all of the static Web content for faster response times. Performance slips if this facility is disabled.

ISAPI Filters Are Not Automatically Visible as Properties of the Web Site

IIS 5.0 used to display all the ISAPI filters that are associated with a particular site.
IIS 6.0 does not load an ISAPI DLL until it is actually invoked from a client request. Therefore, until the ISAPI DLL is loaded, it will not show up in the ISAPI tab of the Properties window. The network administrator must run IIS 6.0 in isolation mode if they want to get a complete list of ISAPI DLLs available for a site.

The Scripts and Msadc Virtual Directories Are Not Found in IIS 6.0

IIS 5.0 had executable permission on the Scripts and Msadc directories. This was one of the common security breaches of IIS 5.0. A malicious user could start to execute code in these virtual directories and take control of the IIS server. Therefore, IIS 6.0 is configured not to have these two directories to beef up security.

Summary of Exam Objectives

This chapter examined the installation, configuration, management, and troubleshooting of IIS 6.0 in Windows Server 2003. The objective was to get familiar with the new features and learn the main features of IIS. IIS 6.0 incorporates World Wide Web Service, FTP service, NNTP server, and SMTP server. It investigated the new features in IIS 6.0. There are several new security features, including Advanced Digest authentication, SGC, SCP, and default lock down status. The new reliability features in IIS 6.0 are Health Detection and request processing architecture using HTTP.sys. Miscellaneous new features include XML Metabase, UTF-8 support and ASP.NET integration with IIS 6.0.

We learned to create, start, stop, and delete all of these sites and virtual servers. The management of the IIS 6.0 functions is mainly done through the IIS Manager console. There are also command-line utilities available for these functions, as discussed in Appendix A. This chapter ended by examining security options available in IIS 6.0.
Digest security, Basic Authentication, Windows Integrated Security, and .NET passport security models can be used to manage security. The new Web Service Extensions window can be used to conveniently enable or disable ASP, ASP.NET, FrontPage extensions, and WebDAV support on an IIS server.

Exam Objectives Fast Track

What is New in IIS 6.0?

The new feature can be categorized into two main sections: security and reliability. Advanced Digest authentication, Server-gated Cryptography, Selectable Cryptography Service Provider, separate Worker Process, and Default Lockdown Wizard are some of the new security features. IIS 6.0 runs on a separate worker process model. This means every Web site is a separate ISAPI application memory space, which is detached from IIS. There is a Health Detection system between IIS and the separate worker processes. HTTP.sys is the new kernel process that accepts all incoming IIS traffic. It uses application pools to assign resources to Web sites. ASP.NET is the default scripting mechanism available in IIS 6.0. It still supports the old ASP applications. IIS configuration settings are stored in an XML Metabase.

Installing and Configuring IIS 6.0

IIS can be installed in three different ways. The first is by using Configure your Server Wizard. The second option is to use Add/Remove Programs from Control Panel. The final option is unattended setup. Systems administrators use the unattended setup to configure multiple computers.
Managing IIS 6.0

Common management tasks that you should be familiar with include:
■ Creating new Web sites, FTP sites, NNTP virtual servers, and SMTP virtual servers
■ Enabling Web Service Extensions
■ Creating virtual directories
■ Hosting multiple Web sites
■ Configuring Web site performance
■ Working with ASP.NET
■ Backing up and restoring the IIS metabase
■ Enabling health detection

The IIS Manager is the primary interface that you will use to perform all IIS functions. The IIS Manager can be used to manage multiple IIS servers from one location.

Managing IIS Security

The network administrator can force the user to authenticate using Digest, Basic, Integrated Windows, and .NET Passport security. Anonymous access is not recommended for a Web site containing sensitive data. The safest authentication is the Digest Security option. The network administrator can also include IP restrictions to restrict known offenders and networks. Another security mechanism is to use SSL certificates to encrypt the communication between the server and the client.

Troubleshooting IIS 6.0

Troubleshooting IIS can be categorized into two main sections: Content and Connection errors. A 404 error is due to a misspelled URL or an invalid file extension. Session data in IIS 6.0 can be lost because the worker process is recycled every two hours. (This is the default configurable setting.) 503 errors are due to an influx of HTTP requests to HTTP.sys. This can lead to Rapid-fail protection to restart the worker process. The time out parameters in IIS 6.0 are much more extensive than the IIS 5.0 settings.

Q: How do I replicate Web content on multiple servers?
A: IIS 6.0 does not have a built-in content replication tool. Content replication is a major issue in managing large Web farms. Please use Microsoft Content Management Server (CMS) or Site Server tools for content replications.
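
The troubleshooting section above gives two causes for 503 errors: the request queue limit being exceeded, and rapid-fail protection. The following Python code is an added example, not code from the book, that tallies 503 entries per application pool from an HTTP.sys error log. The HTTPERR field layout and the QueueFull and AppOffline reason strings come from HTTP.sys error logging rather than from this page, the mapping of AppOffline to rapid-fail protection is an assumption, and the log lines are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample in the HTTP.sys error log (HTTPERR) layout; the addresses,
# pool names and timestamps are invented for this example.
SAMPLE_HTTPERR = """\
#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Date: 2003-08-21 17:11:00
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2003-08-21 17:11:02 192.0.2.10 1041 192.0.2.1 80 HTTP/1.1 GET /default.aspx 503 1 QueueFull DefaultAppPool
2003-08-21 17:11:02 192.0.2.10 1042 192.0.2.1 80 HTTP/1.1 GET /default.aspx 503 1 QueueFull DefaultAppPool
2003-08-21 17:11:03 192.0.2.11 1107 192.0.2.1 80 HTTP/1.1 POST /order.asp 503 1 QueueFull DefaultAppPool
2003-08-21 17:12:30 192.0.2.12 1050 192.0.2.1 80 - - - - - Timer_ConnectionIdle -
2003-08-21 17:15:41 192.0.2.13 1200 192.0.2.1 80 HTTP/1.1 GET /cart.aspx 503 2 AppOffline OrdersPool
2003-08-21 17:15:44 192.0.2.14 1201 192.0.2.1 80 HTTP/1.1 GET /cart.aspx 503 2 AppOffline OrdersPool
truncated line that should be skipped
"""

# Assumed mapping from the s-reason field to the two causes named in the text.
CAUSES = {
    "QueueFull": "request queue limit exceeded",
    "AppOffline": "pool taken offline (rapid-fail protection)",
}


def parse_httperr(text):
    """Yield one dict per log record, using the #Fields directive as the schema."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))


def triage_503(text):
    """Count 503 responses per application pool, grouped by cause."""
    report = defaultdict(Counter)
    for rec in parse_httperr(text):
        if rec.get("sc-status") == "503":
            reason = rec.get("s-reason", "-")
            cause = CAUSES.get(reason, "other: " + reason)
            report[rec.get("s-queuename", "-")][cause] += 1
    return {pool: dict(counts) for pool, counts in report.items()}


def queuefull_sources(text):
    """Rank client addresses behind QueueFull rejections, busiest first."""
    hits = Counter(
        rec["c-ip"]
        for rec in parse_httperr(text)
        if rec.get("s-reason") == "QueueFull" and "c-ip" in rec
    )
    return hits.most_common()


if __name__ == "__main__":
    for pool, causes in triage_503(SAMPLE_HTTPERR).items():
        print(pool, causes)
    print("QueueFull by client:", queuefull_sources(SAMPLE_HTTPERR))
```

QueueFull entries concentrated on a few client addresses point at request volume, whereas AppOffline entries point at repeated worker process failures in that pool.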
Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: Can I remotely administer my IIS Server?
A: Yes. Both IIS Manager and the command-line tools provide tools to do this. IIS Manager lets you add remote computers as nodes to the IIS Manager console. All command-line utilities come with parameters to configure user name/password support for remote computers. All command-line utilities come with /s parameters for the remote computer name, /u parameters for the user name to logon to the remote machine, and /p parameters for the password for the user account. Appendix A covers a variety of the command-line utilities in additional detail.

Q: Can I give different access points to different users for a FTP site?
A: Yes. Using the FTP isolation utilities in IIS, you can point different FTP users to different physical FTP home directories.

Q: How can I convert a FAT system to an NTFS system?
A: There is a command-line utility called convert.exe for this purpose. The syntax is convert DriveLetter: /FS:NTFS. It is important to understand that a NTFS system cannot convert to a FAT system using this tool.

Q: How do I obtain SSL security access information?
A: This can be achieved by using the IIS Manager. Click on the Web site and select Properties. Then select the Directory Security tab. Choose the View Certificate button under the Secure Communications group box. The Certificate will have information on the version, serial number, signature algorithm (i.e. sha1RSA), Issuer, Valid From, Valid To, Subject, and Public Key.
Q: Can we have multiple SSL security certificates for a single Web site?
A: No. Only one security certificate is permitted for a single Web site.

Q: Can I reuse the same server certificate for multiple Web sites?
A: Yes. You can use the same SSL security certificate in multiple Web sites. Multiple sites have to be configured separately to use the same certificate.

Q: Can I attach SSL security certificates for FTP sites?
A: No. FTP sites do not support SSL without third party add-ons.

Q: Can I count my FTP users at a given point of time?
A: Yes. Click on the Properties of the FTP site. Click Current Sessions on the FTP Site tab. The FTP User Sessions message box will display the value.

[...]

Chapter 5
MCSA/MCSE 70-292
Managing and Implementing Disaster Recovery

Exam Objectives in this Chapter:
4.1 Perform system recovery for a server
4.1.1 Implement Automated System Recovery (ASR)
4.1.2 Restore data from shadow copy volumes
4.1.3 Back up files and System State data to media
4.1.4 Configure security for backup operations

Summary of Exam Objectives
Exam...

... some of which cannot be accessed when the wizard is used. To access the options examined in the following sections, you will need to launch the Backup Utility in Advanced Mode as seen in Figure 5.5.

Figure 5.5 The Backup Utility Allows for Advanced Configuration

To begin the process...

... father backup tape. Figure 5.2 illustrates a sample GFS rotation system for a month containing 31 days and four Fridays. Note that any combination of daily, differential, or incremental backups can be used for those days where a full backup is not being performed.
Figure 5.2 The GFS Rotation...

... 5.3 illustrates a sample Tower of Hanoi rotation system that uses five backup tapes.

Figure 5.3 The Tower of Hanoi Rotation System can be Difficult to Implement

As seen in Figure 5.3, it can become difficult to maintain a Tower of Hanoi rotation system if careful planning and scheduling...

Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. C
2. A
3. C
4. C
5. B
6. D
7. C
8. C
9. B
10. B
11. B
12. B
13. B
14. A
15. B

... seen in Figure 5.6.

Configuring the General Options

From the General tab of the Options dialog box, as seen in Figure 5.6, you can configure several options that define how the backup operation will be performed.

Figure 5.6 Configuring the General Backup Options

Table 5.4 explains each of the options available on the General tab of the backup Options dialog box.

Configuring the Backup Type Options

From the Backup Types tab of the Options dialog box, as seen in Figure 5.8, you can select which type of backup will be performed. You can select from the five types of backups previously examined in the “Backup Types” section of this chapter.

Figure 5.8 Configuring...

... Backup or Restore Wizard
NOTE
The Welcome page of the Backup Utility provides a checkbox to configure backup to always start in Advanced Mode. This disables the wizard.

The Backup Utility can be opened in one of two ways:
■ Click Start | Programs | Accessories | System...

Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key

Introduction

Regardless of how hard network administrators work to protect their networks...

... time impossible. Figure 5.1 illustrates a sample five-tape rotation system for a month containing 31 days. Note that an administrator can use any combination of daily, differential, or incremental backups for those days they are not performing a full backup.

Figure 5.1 The Five-tape Rotation