Web and FTP Services
This chapter covers configuring and managing an Internet or intranet server for HTTP, FTP, SMTP, and NNTP services and security. You’ll learn how to set up a Windows 2000-based Web server to host Web and FTP sites, act as an e-mail server, and host newsgroups.
Overview of Web and FTP Server Administration
Windows NT provided an extensive range of services for configuring and managing an Internet or intranet server based on Windows NT. Windows 2000 Server expands those services, making Windows 2000 an even better platform for distributing Web-based content. This chapter explains each of the services and also examines global issues such as building a management team to manage your servers and the services they provide.
Note: Because designing and implementing an Internet or intranet server is a complex task that would take its own book to cover in depth, this chapter can’t cover every facet of IIS. Instead, you’ll examine the most common issues and learn the procedures you should follow in order to accomplish various tasks. In some cases, we’ll refer you to other sources of information where you can get more details if you need them.
In This Chapter
✦ Overview of Internet and Intranet Server Administration
✦ Installing IIS 5.0
✦ Configuring and Managing HTTP Services
✦ FrontPage Server Extensions
✦ Configuring and Managing FTP Services
✦ Configuring and Managing SMTP Services
✦ Configuring and Managing NNTP Services
4667-8 ch24.f.qc 5/15/00 2:19 PM Page 871
Part VI ✦ File, Print, and Web Services
Web-Related Services
Windows 2000 Server incorporates several services geared toward Internet and
intranet clients, collectively known as Internet Information Services (IIS):
✦ World Wide Web Server: This service enables you to configure Windows 2000
to function as an HTTP server for the World Wide Web (WWW). Through this
service, a Windows 2000 Server computer can host multiple Web sites. The
World Wide Web Server is also required by certain other services, primarily
to provide remote administrative access to the server and those dependent
services.
✦ File Transfer Protocol (FTP) Server: The FTP protocol provides for file transfer between computers. Although many sites now provide their file distribution efforts with the HTTP server, FTP is still the most widely used mechanism for serving files for upload and download via the Internet or an intranet. Through the FTP service, a Windows 2000 Server computer can host multiple FTP sites.
✦ Simple Mail Transfer Protocol (SMTP) Service: The SMTP protocol and service enable you to configure a Windows 2000 Server as an SMTP e-mail server.
✦ Network News Transfer Protocol (NNTP) Service: The NNTP protocol and
service enable you to configure a Windows 2000 Server to act as a news
server. You can host public, private, read-only, moderated, and authenticated
newsgroups, and take news feeds from other NNTP servers on the Internet to
create a public news server.
✦ FrontPage Server Extensions: FrontPage Server Extensions enable the HTTP
service in Windows 2000 Server to support FrontPage Webs, which are Web
sites developed with Microsoft FrontPage. In general, the FrontPage Server
Extensions allow for remote authoring and management of FrontPage sites.
✦ Visual InterDev RAD Remote Deployment Support: This service enables
developers using Visual InterDev RAD (a development environment authored
by Microsoft) to publish and manage sites created with that development
platform.
If you are building a public Web server to provide extensive client support, e-commerce, and other Internet services (if you’re an ISP, for example), you’ll probably want to look at solutions other than just the services built into Windows 2000 Server. For example, Microsoft Commercial Internet Server brings together all the services mentioned so far plus additional ones (SQL Server, Site Server) to enable you to create a full-service Web server. However, the services included with Windows 2000 Server offer a solid platform for developing an intranet server or a public Internet server geared toward hosting your own company or organization site.
Chapter 24 ✦ Web and FTP Services
Web Services Checklist
Before beginning the process of installing and configuring IIS and related services,
you should plan the server implementation and make sure the server is ready for
IIS. The following serves as a checklist for planning and preparing for IIS installation
and configuration:
✦ Define the server mission: By knowing what you expect the server to provide to clients, you can determine which IIS services and related services are required for installation. The role the server will play has a bearing on the server’s hardware and connection requirements, as well as how you configure security. Know ahead of time exactly what functions you want the server to perform and whether those functions will be made available to anonymous users or restricted to specific groups or individuals. If you’re setting up a Web server to host several sites for your company or for your clients, for example, you’ll probably want to invest in a high-performance server with RAID, high-capacity backup hardware, and at a minimum a T1 Internet connection.
✦ Establish the Internet connection for a public server and acquire IP addresses: If your server will be connected to the Internet, contact your ISP to establish the connection (if one isn’t already in place) and acquire the necessary IP addresses for the server to support its mission.
✦ Implement network protection: If your server will be or is connected to the
Internet, implement a firewall (or at the very least a proxy server) to secure
the server and its content against malicious attacks.
✦ Prepare the hardware, OS, and file system: Based on the server’s mission, determine the type of hardware required to adequately support the mission. Install Windows 2000 Server and test the server. Then, determine where you will store IIS services and content and convert those volumes to NTFS (not required but highly recommended for security).
✦ Secure the server’s non-IIS services and files: Review the server’s other services and files and secure them with object permissions and account restrictions to prevent unauthorized access to these services and files.
✦ Install and configure TCP/IP: IIS services require TCP/IP whether you are
installing an Internet or intranet server. Install TCP/IP and configure the server’s
settings according to the server’s mission. If the server will host multiple sites,
bind multiple IP addresses (as many as required) to the TCP/IP protocol.
Note: See Chapter 12 for detailed information on installing and configuring TCP/IP.
✦ Install and configure DNS to support your domain(s): If you are providing your own Domain Name Service (DNS) namespace resolution, set up and configure the DNS service, either on the IIS server or on a different server. Create the initial zones to be hosted by the IIS server and create resource records as needed. If an ISP or other organization will be providing DNS services, ensure that those services are in place and the necessary zones and records are ready.
✦ Install IIS services: Install the IIS services necessary to support the server’s
mission.
✦ Secure directories and develop user access permissions and policies: After
setting up the IIS services, review the object permissions for content folders
and for user accounts and groups to ensure adequate security for the server
and its content.
✦ Create and test sites: Create sites that support the server’s mission, then test
those sites for functionality. Configure the sites to accommodate specific
resource needs, such as throttling bandwidth or limiting connections.
The process described in the preceding checklist can take several weeks of careful study, planning, and implementation. Each step is critical to successful implementation of an IIS server. Many of these topics are covered elsewhere in this book. Part IV, for example, covers TCP/IP configuration, DNS, DHCP, remote access, and related topics. See Chapter 3 for a discussion of local and network security issues relevant to IIS. See Chapter 22 for information on how to use object permissions to restrict access to files and folders, which will help control IIS content access.
Installing IIS 5.0
It’s a relatively simple process to install IIS through the Add/Remove Programs
wizard in the Control Panel. Follow these steps to install IIS:
1. Install, configure, and test any required non-IIS services according to the
server function (DHCP, DNS, TCP/IP, Index Server, and so on).
2. Open the Control Panel and double-click the Add/Remove Programs icon.
3. In the wizard, click Add/Remove Windows Components.
4. After Windows 2000 scans the server for installed components, it displays a
component list (Figure 24-1). To install all IIS services, select the check box
beside the Internet Information Services (IIS) item. Or, click an item and click
Details to select an individual IIS component.
5. After selecting the desired services, click OK. Follow the remaining prompts to complete the installation process. Windows 2000 should require no additional input other than you providing the Windows 2000 Server CD for Setup to copy the required files to the system.
6. Reboot the server after installation is complete.
Figure 24-1: Use Add/Remove Programs to add IIS service components to the server.
Configuring and Managing HTTP Services
The World Wide Web Server component of IIS enables a Windows 2000 Server computer to function as a Web server for HTTP content. The Web service offers several features that provide considerable control over content, security, and bandwidth, making IIS a good option for Windows 2000 Server-based Web servers. The following sections explain the Web service’s features and how to configure and manage Web sites under IIS.
The Default Site
When you install the Web service, IIS creates a default Web site shown in the
Internet Information Services MMC console. This default site provides certain
underlying services that the server performs through the following functions:
✦ IIS administration: The default site provides a means of managing the Web server through a browser. Administrative content is placed by default in the virtual folder IISAdmin, which you can access in a browser with the URL http://localhost/iisadmin. (See the following section for a discussion of virtual folders.) IIS administration through HTML is restricted by default to localhost. You can, however, configure the IISAdmin virtual directory to allow access from other IPs, including those on the LAN as well as on the Internet. For more information on configuring remote administration, see the section “Remote Administration” later in this chapter.
✦ IIS Help: The IISHelp virtual folder contains documents in HTML format that provide detailed information about IIS and its services. View the documents by pointing your browser on the server to http://localhost/iishelp.
✦ IIS Samples: This virtual folder contains several sample scripts in Java and
Visual Basic for administration and in Active Server Pages for several different
task categories.
✦ Internet-based printing: IIS Setup creates a Printers virtual folder and populates it with the files necessary to support Internet Printing Protocol (IPP), which enables clients to print to the server across the Internet.
Note: See Chapter 23 for a detailed discussion of IPP and how to configure Windows 2000 Server to support IPP printing from Internet and intranet clients.
The default site is bound to all unassigned IP addresses. This means that the site
responds to all IP addresses bound to the server that are not assigned to other
sites. The default site has other implications, particularly on a server hosting
multiple sites. For example, assume that all sites on the server use the same IP address
and employ host headers to direct incoming client requests to a specific site. If a
particular site is not available (because it is stopped, for example), IIS serves the
default site to the client. So, you should take the time to develop a default Web site
that accommodates situations in which a client will “accidentally” be directed to
the site. Think of the default as your “error handler” for incoming Web requests.
Design the default site to redirect the clients back to the correct site.
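The fallback described above can be modelled in a few lines. This is an added example, not code from the book or from IIS: the matching order is a simplification based on the chapter's description (IP address, TCP port and host header identify a site), and the `Site` class, `resolve` and `lands_on_default` are hypothetical names.

```python
"""Simplified model of site selection on a multi-site Web server.

Added illustration; the matching order is an assumption drawn from the
chapter's description, not IIS source code.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Site:
    name: str
    ip: Optional[str] = None   # None models "All Unassigned"
    port: int = 80
    host_header: str = ""      # "" means the binding accepts any host name
    running: bool = True


# Constructed sample: the chapter's mcity.org sites sharing one address.
SITES = [
    Site("Default Web Site"),
    Site("www", "192.168.0.3", 80, "www.mcity.org"),
    Site("support", "192.168.0.3", 80, "support.mcity.org", running=False),
]


def resolve(sites: List[Site], dest_ip: str, dest_port: int, host: str) -> Optional[str]:
    """Return the name of the site that answers the request, or None."""
    host = host.split(":")[0].strip().lower()   # drop ":port", ignore case
    live = [s for s in sites if s.running and s.port == dest_port]

    # 1. A running site bound to this IP whose host header matches exactly.
    for s in live:
        if host and s.ip == dest_ip and s.host_header.lower() == host:
            return s.name
    # 2. A running site bound to this IP that accepts any host name.
    for s in live:
        if s.ip == dest_ip and not s.host_header:
            return s.name
    # 3. The catch-all: a site on "All Unassigned" with no host header.
    for s in live:
        if s.ip is None and not s.host_header:
            return s.name
    return None


def lands_on_default(sites, requests, default_name="Default Web Site"):
    """List the (ip, port, host) requests that fall through to the default site."""
    return [r for r in requests if resolve(sites, *r) == default_name]


if __name__ == "__main__":
    probes = [
        ("192.168.0.3", 80, "www.mcity.org"),
        ("192.168.0.3", 80, "support.mcity.org"),   # site is stopped
        ("192.168.0.3", 80, "typo.mcity.org"),      # no such site
        ("192.168.0.3", 80, ""),                    # client sent no Host header
    ]
    for probe in probes:
        print(probe, "->", resolve(SITES, *probe))
    print("served by default site:", lands_on_default(SITES, probes))
```

In this model the default site answers for the stopped site, for unknown host names and for requests with no host name at all, so whatever it publishes is reachable under every name that points at the server.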
Configuring Web Sites
Setting up a Web site under IIS is not a difficult task, but it takes several steps
to accomplish it. This section explains how to set up new sites and configure
existing sites.
Preparing the server
The first step in setting up a site is to prepare the site’s folders. Often, the simplest
approach is to place all of a site’s files within a single physical folder structure with
all content residing in that folder and its physical subfolders. However, IIS doesn’t
impose a single folder structure. You can create a virtual structure using a folder on
the local server, a share on another server, and virtual folders. All of these appear as
a single, logical folder structure to the client and function accordingly within the site
content. At this stage, determine how you will store the site files, whether they’ll be
on a single server or multiple servers, and what NTFS permissions you need to apply
to the folders to control access if not using anonymous access or using a combination
of anonymous and authenticated access. Create the folders on the target
computer(s) and configure permissions as required.
Next, verify that you have the necessary IP address bound to the server. If the
server will only host one site, you only need one IP address. You’ll need to bind
multiple IP addresses to the server, use multiple TCP ports, or use host headers to
host multiple sites (explained in the following section). Use the TCP/IP protocol
properties in the network connection’s settings to view and add IP addresses.
Finally, verify that the necessary DNS zone is created for the domain on the site’s designated name server(s) and that the zone is populated with the appropriate resource records. For example, assume you’re setting up a Web and FTP server for the mcity.org domain. Create a DNS zone on your DNS server for mcity.org with the appropriate Start of Authority (SOA) and Name Server (NS) records for the zone. Then, create A records (or CNAME records) for www and ftp that point to the appropriate IP addresses for those services on your IIS server. Lastly, make sure that the domain is registered with the root servers and that the root servers’ records point to your DNS server for name resolution.
Note: See Chapter 14 for detailed information on configuring DNS zones and records.
Creating and configuring the site in IIS
There are several steps to create and configure a Web site in IIS, although the process of simply putting up a site is relatively simple. Applying advanced properties can take a little longer if you have special needs for the site or want to provide additional customization of properties or behavior. The first step is to run the Web Site Creation Wizard.
Running the site wizard
To add a site, open the IIS console (Start ➪ Programs ➪ Administrative Tools ➪
Internet Services Manager). Right-click the server where you want to add the site
and choose New ➪ Web Site to start the Web Site Creation Wizard. The wizard
prompts you for the following information:
✦ Description: This is the description that appears in the IIS console to identify
the site.
✦ IP Address: Select the IP address for the site from the drop-down list. Each
site needs a unique IP address unless you use host headers, as described
shortly.
✦ TCP port: The default HTTP port is 80, but you can specify any valid port that doesn’t conflict with other services on the server. Specifying a non-default port adds a bit of security because the clients will need to know the port number to connect and specify it in the URL, as in http://www.mcity.org:8080, using port 8080 as an example. See http://www.isi.edu/in-notes/iana/assignments/port-numbers for an up-to-date list of registered well-known TCP port numbers.
✦ Host Header: The host header is the domain name requested by the client’s URL, such as support.mcity.org in the URL http://support.mcity.org/contacts. The host name is passed by the client’s browser to the server, and IIS can use that host name to determine which site to serve up on a multi-site server. See the section “Configuring Multiple Sites with a Single IP” later in this chapter for more information.
✦ SSL port: If you are using Secure Socket Layer (SSL) to create a secure Web
site, specify the SSL port number. The default port number is 443.
✦ Path to the home directory: Type or browse to the path that will serve as the
site’s primary folder. You can specify a local folder, network share, or URL.
✦ Allow anonymous access: Select this option to allow anonymous connections
to the site. Deselect this option to use Windows 2000 accounts to authenticate
within the site.
✦ Access permissions: Configure the type of access permissions you want
clients to have to the site. Available options include the following:
• Read: Enable clients to read the site’s content.
• Run Scripts: Allow clients to run scripts such as ASP, Java, and so on.
• Execute: Allow clients to execute applications such as ISAPI, CGI,
and so on.
• Write: Allow clients to post content to the site.
• Browse: Allow clients to browse the directory structure for the site.
After you create the site through the wizard, you need to set some additional
properties to define the site’s content, permissions, and so on. The following sections
explain these steps.
Configuring default documents
Most sites incorporate at least one default document. This is the HTML or ASP document presented to the client if no document is submitted in the URL. For example, browsing to http://www.mcity.org would display whatever default document is configured for the www.mcity.org site (such as default.htm or default.asp). However, the client could also request a specific document, such as http://www.mcity.org/contacts.htm. In this case, IIS would serve up the document Contacts.htm, assuming it existed within the site’s root folder.
You can configure multiple default documents. If one specified in the list is not available, IIS serves the next document in the list. You configure the document priority when you assign the default documents. To do so, open the IIS console, right-click the Web site you want to modify, and choose Properties. On the Documents property page, select Enable Default Document, then either verify that you’re using one of the default document names (Default.htm or Default.asp) for the primary document in the target folder, or click Add to add the document name you want to use. After adding all appropriate names, use the up and down arrows to change document order.
Configuring the Home Directory
When you add the site through the wizard, you specify the local folder, network
share, or URL to serve as the home directory for the site. Another step in
configuring the site is to fine-tune the home directory properties. To do so, right-click
the site in the IIS console, choose Properties, and click the Home Directory tab
to display the Home Directory page shown in Figure 24-2.
As Figure 24-2 illustrates, you can change the home directory location if needed. Use the check boxes on the dialog box to define access permissions and enable logging and indexing. You also can apply a fine degree of control over application execution and debugging through the Application Settings group of controls. Fine-tune the settings based on the site’s function, intended clients, and your security needs.
Figure 24-2: Use the Home Directory page to fine-tune permissions or redirect the site to a different home directory.
Configuring security
A site’s Directory Security property page enables you to configure access and security for the site. Through the Directory Security page, you can enable or disable anonymous access and specify authentication options (clear text, digest authentication, or integrated Windows authentication). You also can specify a range of IP addresses that will be either granted or denied access, giving you a means of restricting access to a specific subnet. This is particularly useful for allowing access only to intranet users in a specific physical location, such as a department or throughout the entire organization (to prevent outside connections to the site).
You also can use the Directory Security page to configure certificates and enable
SSL. See the section “Enabling Secure Sockets Layer” later in this chapter for more
information.
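One way to check that the address restrictions described above are actually in force is to review the site's logs. This is an added example, not from the book: it reads W3C extended-format log lines and reports requests for the default site's administrative virtual folders that came from outside the granted ranges. The granted ranges, the field list and the log lines are constructed for illustration.

```python
"""Audit Web logs for outside access to the default site's admin folders.

Added illustration; the granted ranges, field list and log lines below are
constructed, not taken from the book or from a real server.
"""
import ipaddress

# Virtual folders the chapter lists under the default site.
SENSITIVE_PREFIXES = ("/iisadmin", "/iishelp", "/printers")

# Assumed Directory Security policy: localhost plus one intranet subnet.
GRANTED = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("192.168.0.0/24"),
]

# Constructed sample in W3C extended log layout (#Fields names the columns).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-05-15 14:19:02 127.0.0.1 GET /iisadmin/default.asp 200
2000-05-15 14:20:11 192.168.0.25 GET /iishelp/default.htm 200
2000-05-15 14:21:40 203.0.113.9 GET /iisadmin/default.asp 403
2000-05-15 14:22:05 203.0.113.9 GET /IISAdmin/default.asp 200
2000-05-15 14:23:17 198.51.100.4 GET /default.htm 200
2000-05-15 14:24:30 198.51.100.4 POST /printers/page.asp 200
2000-05-15 14:25:00 198.51.100.4 GET /iisadministrator.htm 200
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in #Fields."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def is_sensitive(uri_stem):
    """True if the path is one of the folders or lies beneath it."""
    path = uri_stem.lower()
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def is_granted(client_ip, networks=GRANTED):
    """True if the client address falls inside a granted range."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False          # unparseable address: treat as not granted
    return any(addr in net for net in networks)


def audit(text):
    """Return requests for sensitive folders from outside the granted ranges."""
    findings = []
    for rec in parse_w3c(text):
        uri, ip = rec.get("cs-uri-stem", ""), rec.get("c-ip", "")
        if not is_sensitive(uri) or is_granted(ip):
            continue
        status = rec.get("sc-status", "")
        code = int(status) if status.isdigit() else 0
        # A 2xx/3xx answer means the restriction did not stop the request.
        findings.append({"ip": ip, "uri": uri, "status": code,
                         "served": 200 <= code < 400})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        verdict = "SERVED" if f["served"] else "refused"
        print(f"{f['ip']:<15} {f['uri']:<28} {f['status']} {verdict}")
```

A finding marked as served means the server answered a client that the policy should have excluded, which is the case to investigate first.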
Configuring other site settings
You can get most sites up and running through the tasks and options covered to
this point. However, each site provides several other property pages you can use to
configure a wide variety of site properties to control performance, configure addi-
tional security options, and so on. While this chapter can’t cover them all in detail,
the following list summarizes the types of tasks you can accomplish through each
of the other property pages:
✦ Operators: Use the Operators page to specify users and groups that have operator privileges to the site. Operators have limited administrative privileges over the site. Operators can configure and modify a site but can’t control site aspects such as anonymous user name and password, bandwidth throttling, virtual directory creation, path changes, or certain other tasks that are limited to the Administrator.
✦ Performance: The Performance page provides a means for controlling site performance. You can set the site priority by specifying a range of the number of hits expected per day. The Performance page also lets you enable and configure bandwidth and CPU throttling, which limit the load on the server imposed by the site.
✦ ISAPI Filters: ISAPI filters respond to events during processing of HTTP
requests and can provide background processing for site traffic. Use the ISAPI
Filters page to install and enable or disable ISAPI filters.
✦ HTTP Headers: This property page controls several features related to HTTP
headers for the site, including the following:
• Content expiration: Use this feature to specify when content expires to enable clients and scripts that test for content expiration and automatically refresh content from the site.
• Custom HTTP headers: Add custom HTTP headers to the site to enable
custom processing within scripts/browsers.
• Content rating: Enable and configure the site’s content rating to enable
rating filters to identify and potentially block the content from the client
based on its rating values.
• MIME mapping for the site: Configure new file type associations for content on the site.
✦ Custom Errors: Defines the error messages received by clients, such as the page that appears when the client requests a page that doesn’t exist (the Not Found error). The error pages by default are stored in systemroot\help\iishelp\common. You can edit the files with any HTML or text editor to customize the pages.
✦ Server Extensions: The Server Extensions page enables you to configure
Server Extensions (also referred to as FrontPage Server Extensions), which
control options for Web authoring through FrontPage and related applications.
See the section “Configuring Server Extensions” later in this chapter
for additional information.
Configuring multiple sites with a single IP address
Although you can configure multiple Web sites on a single server using unique IP addresses for each one, this can pose a problem in cases where only a limited number of addresses are available (if your ISP only gave you a small subnet, for example). The IP address is just one of three properties that define the site. The other two are the TCP port and host header. The TCP port is the port through which the site communicates, and the host header is (usually) the site’s domain name. Our example mcity.org main site uses an internal address of 192.168.0.3, the default TCP port 80, and the host header www.mcity.org. The support site could use
[...]
... Internet Services Manager to manage FTP sites or services, because it restricts you to managing only the default Web site.
Tip: You can stop and start the FTP service from a command prompt (including through a Telnet session to a server) using the NET STOP MSFTPSVC and NET START MSFTPSVC commands from the command prompt.
FTP Client Access
Clients can connect to an FTP site using a Web browser, FTP command-line...
... a VPN and use the IIS console instead.
Tip: You can stop and start the WWW service remotely by connecting to the server through a Telnet session and issuing the commands NET STOP W3SVC or NET START W3SVC, respectively. This requires that the Telnet service be running and configured to allow you to log on through Telnet.
Configuring and Managing FTP Services
FTP stands for File Transfer Protocol. FTP enables...
Creating an FTP site
To create a new site, open the IIS console, right-click the server in the tree, and choose New ➪ FTP Site to start the FTP Site Creation Wizard. The wizard prompts you for the following information:
✦ Description: This is the friendly name for the site that appears in the IIS console.
✦ IP address: Specify the IP address for the FTP server or choose...
... Protocol. FTP enables users to upload and download files to and from the server. While HTTP is becoming more common as a means for file transfer, FTP still serves an important role in providing file transfer services. While HTTP restricts clients to a browser for uploading and downloading files, FTP enables clients to use a browser, FTP command line, or third-party FTP utility to transfer files. IIS provides...
... ability to restart failed FTP transfers, enabling a client to reconnect to the server and restart the transfer from the point of failure rather than transferring the entire file again. Setting up an FTP site is much like setting up a Web site. The following section explains the process.
Creating and Configuring FTP Sites
As with HTTP, IIS creates a Default FTP Site that responds to FTP requests on all unassigned...
... would require a URL of ftp://jboyce@ftp.mcity.org. Internet Explorer will prompt for the password. To log on using the anonymous account, specify anonymous in the URL or choose File ➪ Login As to display a login dialog box in which you can specify the account to use.
Note: For information on using the FTP command, open a console prompt and enter ftp /? to view a description of the FTP command’s options. The...
... features:
✦ Integrated Management: The SMTP service uses the same IIS console for management as Web, FTP, and NNTP services, providing a single point for management of all services. You also can use SNMP, the Windows 2000 event logs (and Event Viewer), and SMTP transaction logs to monitor the service.
✦ Directed mail drop and delivery: The SMTP service can be configured to drop all incoming mail into a drop directory...
... controlling security and connections for both incoming and outgoing messages. For example, you can limit the number of connections for both incoming and outgoing connections, specify timeout for connections, and limit the number of connections per domain (outgoing). To secure both incoming and outgoing access, SMTP...
... object in the Control Panel to add the service. Open the Control Panel, open Add/Remove Programs, and click Add/Remove Windows Components. Double-click Internet Information Services, select SMTP Service, and click OK. Click Next to run the wizard and add the service.
Configuring SMTP
As with the Web and FTP services, IIS automatically creates an SMTP server that by default responds to all unassigned IP...
... headers and error pages; and all other management tasks. You can use the IIS console to manage IIS services and sites locally or to connect to other servers on your network. To connect to another server, right-click on Internet Information Services in the console tree and choose Connect from the context menu. Or, choose Action ➪ Connect from the console menu. Specify the name of the computer to manage and click ...