Special Edition Using
Microsoft Visual InterDev

Chapter 19
Internet Information Server

Installing Internet Information Server--correctly! Just follow these steps to make sure you've got everything in tip-top shape.
Setting up virtual directories Learn how to make information appear seamless regardless of its location--even on another server.
Configuring IIS to run multiple domains Do you need several www.company.coms? Check out this section.
Securing your server Using a server as a Web or FTP server opens a new can of security worms. Learn how to make it solid.
Getting maximum performance from your server If you need to speed things up, or you just like to tweak, then this part is for you.

What is Internet Information Server 3.0? Internet Information Server (IIS) is a server that can publish information dynamically and interactively for the Internet as well as corporate intranets.

A simplistic view of the Version 3.0 is that it is made up of version 2.0 with the following components added to it:

Active Server Pages--This enables integrated Web scripting and components for the rapid development of applications and processing on the server-side.
Index Server--This provides scaleable, extensible content indexing.
FrontPage Extensions--These extensions enable content developers to use point-and-publish content management services.
NetShow--On-demand streaming media services are now available with version 3.0.
Crystal Reports--This produces a report that logs the analysis of the file system.

SSL v3--This includes client authentication using digital certificates.

Internet Information Server is fully integrated with Windows NT version 4.0 and is currently shipped with the Windows NT package, so there is no need to buy another software package after buying Windows NT. You will however, need to download Active Server Pages from http://www.microsoft.com/iis to create server-side applications.

Getting Started with the Internet Information Server

Internet Information Server 2.0 comes bundled with Windows NT Server 4.0. If it is not installed on your server, you can install it as a separate package from the CD-ROM or diskettes. If you are on a network, it can also be installed from another computer or even from a file on your own computer.

There are no special considerations necessary for the type of hardware needed to install or run Internet Information Server 3.0. Generally, if Windows NT 4.0 is running, Internet Information Server can run too. Microsoft suggests that the minimum hardware configuration for Windows NT Server will do the job, but this can be painstakingly slow and frustrating when trying to manage the different packages on your server. As with most Microsoft minimum hardware configurations, it does work--but that is about all. Go with the recommended hardware configurations, and both you and your server will be much happier.

CAUTION: The more packages that you add to Windows NT 4.0, the more memory it will take to run all of your software at the same speed you feel comfortable with. Don't take shortcuts when it comes to system hardware resources because you will be quite annoyed down the road as your system slows to the pace of cold molasses.

Microsoft Internet Information Server 3.0 requires the following software and hardware requirements to be met before installing on a Windows NT server:

Minimum hardware configuration is the same as Windows NT Server 4.0, but remember not to tax system resources.
You must be running Windows NT 4.0.
Transmission Control Protocol/Internet Protocol (TCP/IP) is required to run Internet Information Server 3.0. This is bundled with Windows NT Server 4.0, and is easily installed by accessing the Network icon in the Control Panel. See your Windows NT Server 4.0 documentation for more information.
A CD-ROM drive is a necessary hardware device for doing installations, though beta releases and some final releases are downloadable from the Microsoft's IIS Web site at http://www.microsoft.com/iis.
Adequate hard disk space is always an important consideration when installing software packages. Internet Information Server 3.0 requires a minimum of 125M of disk space.
Due to the high possibility of security problems on both the Internet and corporate intranets, security options need to be considered.

NOTE: For a detailed discussion of security issues relating to all the integral parts of publishing information on the Internet and corporate intranets, see Chapter 24, "Visual InterDev Security."

Installing the Internet Information Server

The actual install process of the Internet Information Server is a very straightforward process. You will need to have your Windows NT Server CD-ROM handy, as well as an idea of where you want all of your server directories (www, ftp, gopher) located on your hard drive. To install the Internet Information Server, follow these steps:

Install Windows NT Server and Internet Information Server 2.0.

TIP: Make sure that Windows NT 4.0 is configured to run with Internet Information Server 2.0 before doing the installation. By skipping this step, you can run into problems ranging from minor annoyances to having to reinstall the whole Internet Information Server package.
Install and configure your TCP/IP protocols and connectivity utilities. These can be accessed through the Networking icon in the Control Panel.

NOTE: You will need to know your IP address, your subnet mask, and the default gateway IP address. These are supplied by your Internet service provider (ISP) or system administrator.
TIP: If you have a direct connection to the Internet and are not using an ISP, the default gateway IP address is the same as your server.
Remove any FTP protocols previously set up. These can be removed by accessing the Networking icon in the Control Panel.
Besides removing FTP protocols, it is best to disable the guest account for FTP. During the setup process, a screen appears asking if you would like to disable it. Microsoft recommends disabling it before installation.

CAUTION: If you choose not to disable the Guest Account, you will have to individually access each file or folder to check and disable unauthorized access to it.
Remove any Internet services that may have previously been installed on the server. These will also be found in the Networking icon in the Control Panel.

CAUTION: Configure your site's domain or host name. If you want to use "friendly" names to access your servers, this is a must. For example, your server's IP address could be http://150.1.1.56/homepage.htm. You can always access it by typing that address. By using "friendly" names, access can be made by addressing your server site as http://www.wassonWeb.com. Such names are much easier to remember than a bunch of numbers.
NOTE: Your Internet service provider (ISP) is usually happy to register user-friendly names for you. There is a small fee of course. It is possible for you to register domain names with the InterNIC (http://www.internic.net) itself, though you will need some information from your ISP to complete the process.
Configure name resolution. There are a number of ways to resolve "friendly" names to the IP addresses they represent. All of the resolutions come in the Windows NT Server package and are options you can choose during installation. The most common are the Domain Name System (DNS) and the Windows Internet Names Service (WINS) Server packages.

NOTE: If you need more information on setting up and configuring the DMS and WINS Servers, see the online documentation included with Windows NT Server.
TIP: Instead of using the Domain Name System (DNS) Server for user-friendly names on the Internet, you can use a HOSTS file. For the use of such names on intranet servers, you can use the LMHOSTS file instead of the WINS or DNS Server options.
Set up optional virtual servers. You may want to have more than one domain name registered for the Internet. See the section "Setting Up Virtual Domains (or Virtual Servers)" later in this chapter for more information.

Internet and Intranet Considerations

There are a number of considerations that should be addressed for Internet and/or intranet applications. Each will be helpful for users even though they may not all be a minimum requirement to get the job done.

The following hardware and software packages should be installed and configured on the Internet Information Server if you plan to publish information on a corporate intranet:

Install a compatible network interface card (NIC) that will connect you to your Local Area Network (LAN). This will allow information to pass between your computer and the other computers on your network.
An "option" that really isn't one, is the Windows Internet Name Service (WINS) server. This enables users of your corporate intranet to use "friendly" names instead of the tiresome Internet Protocol (IP) addresses (for example, 150.1.1.56) each time they want to move around on the intranet.
Another option that accomplishes the same use of "friendly" names on your corporate intranet is the Domain Name Service server. Friendly names are the names that you give each of the servers on your LAN/WAN. Both of these accomplish the same thing, and both are easy to install. Choose the one you have worked with and are most comfortable using.
Both the Windows Internet Name Service and the Domain Name Service server packages can be set up in the installation procedure and come on the CD-ROM containing Windows NT Server and Internet Information Server.

TIP: Either of these server packages can be used on your corporate intranet. The choice is up to you. Choose the one that is easiest to administer and you feel most comfortable using.

If you are setting up a server to publish information on the Internet, the following are some tasks you must complete before installing the options that are needed to easily accomplish your goal:

The first thing necessary is a connection to the Internet. This can either be of a direct nature or through an Internet service provider (ISP). Speed, of course, is a natural consideration, so do your homework!

TIP: Content can be accessed only as quickly as the slowest link in the system. Don't cut corners.
You will receive an Internet Protocol (IP) address while establishing your link to the Internet. You will need this address to install your server packages.
A network interface card is needed to connect your server to the Internet.
Domain Name Server (DNS) for the above IP address of your server is a good option to have. As noted above for intranets, this is an "option," but it really shouldn't be because it makes accessing your server much easier--whether you're running a corporate intranet or a server site on the Internet.

TIP: On the Internet, DNS is almost always used. On the other hand, intranets use both DNS and WINS.

Post-installation Notes

Internet Information Server 2.0 is being shipped with Windows NT Server 4.0. When you want to upgrade to a newer version, you can simply download the newest version. The newest version of Internet Information Server is available from Microsoft's Web site (http://www.microsoft.com/iis/).

TIP: It only makes common sense to install Windows NT Server and Internet Information Server at the same time and from the same CD-ROM. You will only create many headaches for yourself by trying to upgrade one without the other. This is especially true because the installation procedure is so easy for both software packages.

Setting Up Virtual Directories

On small Web sites, Web files are centrally located on one server in one directory. When the site begins to get more complex, more files are needed, and having them centrally located is not the ideal situation. The solution is to create virtual directories.

Virtual directories appear as though they are centrally located. However, virtual directories can be located in any directory on any server. This consolidation makes your Web site contiguous and seamless.

Modifying Content Directory Setup

Content directories are set up using the Internet Service Manager. By default, the directory c:\wwwroot is the home or start directory. Adding content directories below that can be done with the Windows NT Explorer or at the command line. Follow these steps to instruct the Web server to change content directories:

From within the Internet Service Manager, choose the WWW service.
Click the Directories tab.
Using the buttons on-screen, Add, Remove, or Edit content directories.

NOTE: The following are some terms you'll need to know when modifying content directories:

Directories--This is the actual location of the file, using the Windows Explorer or command prompt.

Alias--This is how Internet Information Server "sees" the directory. Users who visit your site will think the alias is the actual file location.

Addres--This is the IP address used in virtual servers.

Errors--This tells about errors such as missing content or IP addressing problems with Web sites that are housed on this server..

Configuring a Virtual Directory

Virtual directories are quite simple to configure. If the virtual directory is on a different hard drive, it can be set up by just using the drive letter. Virtual directories can be set up across a network by using standard methods. Figure 19.1 illustrates the configuration of a virtual domain Web site.

Figure 19.1
You set up both virtual directories and home directories in the same screen.

Setting up a virtual directory is exactly like setting up a regular content directory except that you choose the alternate setting Virtual Directory instead of Home Directory, and you give it an alias. Once you have an entry under alias, you will be able to reference the new site as "http://www.domain.com/alias" no matter where on the hard drive your content is physically located. The alias is automatically mapped to the right directory by IIS.

TROUBLESHOOTING:
You can't get to the virtual directory on NetWare server. The account is probably not valid on both the NetWare server and the Windows NT server. You may need to use the account name as domainname\username on the NetWare server.

Setting Up Virtual Domains (or Virtual Servers)

Less is more. If you have only one server, you can still make the server appear to be multiple servers. The Internet Service Manager enables you to assign IP addresses to different directories and make multiple virtual servers.

How Do You Do It?

Setting up several virtual servers is a multiple-step process. If you want to set the virtual servers on the Internet, you'll need to register each domain name with the InterNIC. Then you can take the IP address given to you, and plug it in to Internet Service Manager.

If you are creating multiple servers for an intranet (an internal corporate network), then you will need to coordinate the IP addresses with the person who administers the Domain Name Server or WINS server so that there are no address conflicts. (If you are the point of contact, there is no need for a complex conversation with yourself.)

Adding More than Five Virtual Domains

The instructions for adding virtual domains remain identical until you reach five virtual domains. To use more than five virtual domains under a single Windows NT 4.0 server, simply double-click on Network icon in the Control Panel and choose TCP/IP under the protocols tab. Click the Advanced button to add more than five IP addresses.

If you are using Windows NT 3.51 and IIS 1.0 as your Web server, the passage below will tell you how to add more than five IP addresses by editing the Windows Registry.

NOTE: The Registry is a database that contains critical information. If you are familiar with Windows 3.1, you have probably worked with .INI files. Windows NT stores most information normally stored in .INI files in the Registry.

Editing the Registry is done with the REGEDT32.EXE file. This file has no icon on the desktop for a simple reason: It is very powerful and it is not for everyone to use. To edit the Registry, perform the following steps:

Start REGEDT32.EXE.
Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\
Choose Edit, Add Value. The Data type is fine as REG_SZ.
Enter the alias name where it says Value Name.
When prompted for a string, type the full path to the virtual directory.

The virtual root uses this form:

Root Name,Host address=Physical path, User name, Access mask

The following is a breakdown of each portion of the string:

Root name--This is the same as an alias. The root name is the virtual directory's name as it would appear in a browser.
Host address--This is the IP address assigned to the virtual server.
Physical path--The is either the drive letter and directory or UNC share name. If you use UNC shares, a user name can be specified in the Registry, but the password must be entered using the Internet Service Manager.
User name--This is used only when UNC shares are accessed. Again the password MSU be entered using the Internet Service Manager.
Access mask--This determines the access to the virtual root. This has no influence on NTFS access settings (ACLs). The four levels of access are the following:
- Read only (FTP and HTTP)
- Write only (Applies only to FTP)
- Execute allowed (HTTP only)
- SSL or PCT encryption required (HTTP only)

Simply add the access levels together and put them as the last variable in the string. For instance, Read and Execute Rights would be 5 (Read=1 + Execute=4 = 5).

Administering IIS

Internet Information Server provides its own level of rights. It works in conjunction with the permissions on an NTFS disk. Administration of Internet Information Server can happen either through a browser or a Win-32 application. Either way, it is not necessary to be at the server console. For more information about setting security parameters within NTFS on a Windows NT Server, please consult Special Edition Using Windows NT Server by Que.

The Internet Service Manager

The Internet Service Manager is comprised of three different views. Each view displays the service (WWW, FTP, and Gopher) that the server is running on and the status of the service. Report view is the default. The three views are as follows:

Report view--This shows the status of each computer and the services on it.
Services view--This displays the information grouped by the service. Each service is expandable to show the status of the servers running it.
Server view--This groups the information by server. Each server icon expands to show the status of each service.

Logging Server Activity

Logging is available in Internet Information Server in a variety of settings. Logs can be sent to a database or a file. New log files can also be automatically made when a certain day, time, or size is reached.

Logging to a database requires extra resources. If traffic is heavy, you can improve performance by logging to a file. Microsoft recommends logging to a SQL Server 6.5 database. Other databases can be configured using ODBC drivers (2.5 or higher), and specifying the Data Source Name and Table along with a user name and password.

To begin logging to a file, follow these steps:

Select the Logging tab within the WWW properties of the Internet Service Manager.
Click the radio button next to "Log to File." Choose which log file option that you want to use, NCSA or Standard.
Click the radio button next to the desired time frame that you want to log, daily, weekly, monthly, or when the log file reaches a certain size.
Type a directory name to house your log files in. Windows NT has a standard logfile directory located at c:\winnt\system32\logfiles that you may wish to keep your IIS logs in.
Click Apply to save your changes.

Internet Information Server Security

Some say that today no server site is safe. This could well be a true statement! But why allow hackers and other unauthorized persons to peruse through your server at their own free will? Just as locks on doors only keep honest people honest, it's still a good idea to take some precautions when it comes to your server and the information that is stored on it.

Take some time to deal with security issues now during installation, and you will save yourself much time and heartache down the road. By using some common sense and following a few simple guidelines, you too can have a server site that is fairly safe from unwanted and uninvited intruders.

Anonymous Access

Take some time to review the IUSR_computername account's rights. This is the account used for anonymous access. Anyone visiting your Web site will probably be using this type of access. (It's the default.) Anonymous access is normally used on FTP sites for files of general interest also.

The IUSR_computername account has a randomly generated password. Also, you may want check the access rights (using the User Manager) and make sure the account has no network rights. If you have multiple servers, it may be simplest to change all the IUSR_computername accounts to one common domain account. This makes reading the logs ea�� work alongside anonymous access--general files are available via anonymous access and more user-specific information could be password protected. The two forms of authenticated access that Windows NT and Internet Information Server support are Basic and Challenge/Response.

Basic is a user name and password encoded with UUencode. There are many UUencode decoders, most of which are available as shareware. If you use Basic, you are opening yourself up for a breach of security as passwords and accounts can be obtained easily by hackers. Basic will, however, keep honest people honest, as most people don't have the skills or tools to catch and decode passwords.

Windows NT Challenge/Response enables secure transmission of user names and passwords. The downside is that Challenge/Response is currently only supported by Internet Explorer 2.0 for Windows 95 (and higher) and Internet Explorer 3.0 for Windows 3.1.

General Security

As an administrator of a information publishing server, you must set up and follow a well-planned set of account policies. These should be fairly strict and be managed in a prudent way so as to protect the hard work put into your server site.

One of the ways to do this is to limit the size and access of the administration group. Every member who has administrative rights provides another opportunity for poorly chosen passwords and mistakes in security settings.

One of the greatest improvements in the Windows operating system today is the Windows NT file system. NTFS, as it is called, enables the administrator of a server site to keep a tight reign on things and enable security. There are a couple of tools that really help.

One security tool--used to control which files are accessed and which are not--is Access Control Lists (ACLs). ACLs should be used without fail.

Another security tool option that every administrator will want to enable is the auditing option. This option enables the manager of the server to see what files have been accessed and by whom.

Hackers are persistent. They will try every possible way to gain access to a computer system. For this reason, you should configure and run only the services that you need. When you stop using a certain service, remove it! Don't allow it to be an open door to an intruder.

Besides removing the unused services, it is also best to unbind services that are no longer necessary from your computer's network interface ca�� see Chapter 24, "Visual InterDev Security."

One last area to check for security leaks is the permissions of anyone who might have access through network shares.

SSL Channels

One of the Internet Server Permissions you can set is Require SSL Channel. SSL is yet another abbreviation; it stands for Secure Sockets Layer. This chapter has already mentioned using different forms of authentication and access. SSL is a way to control access to the system and to ensure that only those with access can read what's on the system. SSL enables private channel communication across an open network (like the Internet.)

If you are going to use SSL over the Internet, consult your certificate authority before generating a key pair. For instance, VeriSign does SSL certificates (http://www.verisign.com).

NOTE: The graphical utility found in the Internet Service Manager only generates a key pair of 512 bits. Using the command keygen at the command prompt can generate a much more secure key pair (1024 bits).

Once you have set up your key pair, you can protect directories and even entire servers using SSL. Only browsers that support SSL can view the information. Also, your URL will actually begin https:// instead of http://.

IIS Performance Tuning

Internet Information Server provides several ways of modifying and monitoring performance. Chapter 19, "Windows NT Server," gives an overview of using the Performance Monitor. Internet Information Server provide a number of variables that can be tracked using the Performance Monitor. Also, Internet Information Server has some powerful keys and values in the Registry that can affect performance.

Using the Performance Monitor

The Performance monitor has a number of objects and counters that are useful for identifying heavy loads and server-side bottlenecks. This section describes two objects and important counters to monitor. For information about using the Performance Monitor, see Chapter 19, "Windows NT Server."

HTTP Service The HTTP Service Performance Monitor counters allow you to keep tabs on the Web server component of IIS. These counters will give you an idea as to how many people are hitting your site and what type of requests are taking place.

Bytes total/sec--Total number of bytes sent and received.
Current anonymous users--Number of anonymous users currently connected to a service. Because most traffic is generated anonymously, showing this gives you a good idea of what kind of load you are carrying.
Current connections--This is the total number of users on the server (both anonymous and known users).
Current ISAPI extension requests--Current number of ISAPI extension requests being run by the WWW service.
Get requests--Total number of HTTP GET requests received by WWW service; GET requests are generally used for basic file retrievals or image maps, though they can be used with forms.
ISAPI extension requests--Total HTTP ISAPI extension requests. This refers to custom DLLs, which can do forms processing and other dynamic data sources.
Maximum ISAPI extension requests--Peak number of ISAPI extension requests run at the same time.
Not found errors--A high number here could indicate a broken link or misguided external link. This indicates the amount of times that a HTTP 404 error was sent to a browser.

Internet Information Services Global The Internet Information Services Global Performance Monitor counters keep track of all of the Internet servers (www, ftp, gopher) that are running on the server. These counters monitor such functions as disk performance as it relates to the servers and what kind of bandwidth is being used by the server.

Cache hits %--This shows graphically the percent of time that a piece of information is in the cache when requested.
Measured asynch I/O bandwidth usage--This shows the bandwidth usage averaged over the last minute.
Total blocked asynch I/O requests--This and the next counter are important if you are limiting IIS's bandwidth.

Total rejected asynch I/O requests--This is the number of requests rejected since bandwidth limiting.

Limiting Bandwidth for IIS

Do you have applications running on your server that are sharing the same connection to the Internet? If so, you may look at limiting the bandwidth that Internet Information Server can use. By limiting its bandwidth, you guarantee that other applications don't get "bumped" because of heavy Web server use. For instance, a company running e-mail and outgoing Web browsers wouldn't want to be choked by a lot of Web activity. The Internet Service Manager enables you to limit the amount of traffic that Internet Information Server can generate and accept. This is done with the Advanced Tab of the WWW Service. Be forewarned however, limiting bandwidth to one of IIS' services, limits them all.

From Here�

In this chapter, you learned how to install, configure, and monitor the Internet Information Server. As new technologies such as Active Server Pages and the Commercial Internet System emerge, you will find that Microsoft goes to great lengths to ensure that new additions are backwards compatible. As you learn how to use the Internet Information Server, keep in mind that the two most important factors of running a good Web server are security and performance. For more information on topics such as security and Web server performance, please read on to Chapter 24, "Visual InterDev Security" and Chapter 34, "Performance Overview".

Special Edition Using Microsoft Visual InterDev

Chapter 19 Internet Information Server