Microsoft Internet Information Server (IIS) is a Web, FTP, and Gopher server developed by Microsoft to exploit various capabilities of Windows NT and to publish content on the Internet. Compared to other Windows NT Web servers, IIS offers many unique features. IIS's security model is based on NTFS security permissions. This is a major advantage, because the security of a Web site hosted with IIS can be easily managed using File Manager. Although at the time of this writing IIS is available only for Windows NT server, most likely a special version of IIS will be available for Windows NT Workstation by the time you read this. The following sections discuss how IIS can be installed and used to publish information on the Internet.
Installing IIS is easy. A copy of IIS is included on the Windows NT 4.0 distribution CD-ROM. The latest version of IIS can be downloaded from Microsoft's IIS Web page, and it's always best to check the IIS Web site for a more recent version before installing the one included on the Windows NT 4.0 distribution CD-ROM. After downloading IIS, copy it to a temporary directory and decompress the archive by executing the downloaded program with the -d argument. This extracts the contents of the IIS distribution archive into various subdirectories. You can skip this step if the file SETUP.EXE is found in the CD-ROM's IIS directory.
URL: You can obtain the most up-to-date information about MS Internet Information Server from the official Internet Information Server Web page at http://www.microsoft.com/InfoServ/
Caution: Before continuing to install IIS, it's a good idea to make sure that no other Web servers are running on port 80 of your NT server. If you already have a Web server installed and would like to continue using it, change its port to a different port number so that the installation program will not have any problems binding IIS to port 80 (the default port for HTTP). The same applies to FTP. If you wish to use the FTP server included with IIS, stop the Windows NT FTP service by using the command net stop "FTP Server".
When SETUP.EXE is executed, the installation program presents you with a dialog box similar to the one shown in Figure 6.1. In this dialog box, you can select various IIS components to be installed. It is highly recommended that you make sure the Internet Server Manager checkbox is checked. If it is not checked, you will have to use the Windows NT Registry to make changes to IIS. If you have already installed ODBC drivers on your system, you may deselect the ODBC Drivers and Administrator checkbox. The same applies to Microsoft Internet Explorer.
Figure 6.1: You can selectively install various components of IIS.
If you wish to change the default directory in which IIS is installed, click Change Directory and specify another directory by using a dialog box similar to the one shown in Figure 6.2. For security purposes, it is highly recommended that you install all IIS components in an NTFS partition.
Figure 6.2: Install IIS on an NTFS partition.
Next, you need to specify root directories for all three Internet publishing services. This is accomplished by using a dialog box similar to the one shown in Figure 6.3. These three directories do not have to be sister subdirectories. However, you might find it easier to manage the directory structure if they are sister subdirectories. Be sure to specify directories in an NTFS partition because IIS uses NTFS security.
If you have already installed the NT FTP service that's part of the NT TCP/IP utilities package, the IIS installation program asks if you'd like to disable it, as shown in Figure 6.4. Because the FTP server that ships with IIS is more powerful and easier to administer than the FTP service that's part of the NT TCP/IP services package, it's recommended that you allow the installation program to disable the previously installed FTP service. Note, however, that after the previously installed FTP server is disabled, you cannot restart it using the Services application in the Control Panel. The FTP Server included with IIS can be configured using the Internet Server Manager. Unlike the standard FTP server that's part of the TCP/IP services package, IIS FTP Server statistics can be logged to an ODBC data source. Performance Monitor can also be used to monitor IIS FTP Server statistics in real time. In addition to that, several useful configuration settings that have to be modified using the registry in the FTP Server that's part of the NT TCP/IP services package can be modified using an easy-to-use dialog box when using the FTP Server that's part of IIS.
The next dialog box prompts you to install the SQL Server driver, as shown in Figure 6.5. After this driver is installed, Microsoft SQL Server databases can be published on the Web using the Internet Database Connector. When the dialog box in Figure 6.5 appears, click OK to continue installing IIS. Note that MS SQL Server is required for a few sample ISAPI applications shipped with IIS.
Figure 6.5: SQL Server driver install dialog box.
After the SQL Server driver is installed, the message box in Figure 6.6 appears, telling you that IIS is successfully installed on your system. All Internet publishing services selected earlier are now ready for use.
Figure 6.6: A message box appears confirming that Internet Information Server is fully installed.
At the end of the installation process, four new icons are added to the NT start menu. These icons appear in Figure 6.7. In the "Configuring the Microsoft Internet Information Server" section, you are shown how to use the Internet Service Manager to configure various aspects of IIS.
Figure 6.7: Four new icons are added to the NT Start menu by the IIS installation program.
It's possible to immediately begin publishing content on the Web by using the Web Publishing Service of IIS. If you connect to your computer at this point by using a Web browser, you'll see a Web page similar to the one in Figure 6.8. Use this Web page to get familiar with how IIS works and to try out the CGI and database applications that ship with IIS. Be sure to check out the guest book application. It demonstrates how IIS's Internet Database Connector can be used to update and view a Microsoft SQL database. Although these applications are not production-quality applications, they will give you some idea of how IIS can be used to interact with users browsing a Web site. At some point, you'll need to change the default Web page shown in Figure 6.8 and replace it with one of your own Web pages.
Figure 6.8: Internet Information Server default Web page.
If you look at User Manager, you'll notice that the IIS installation program has created a new user account. Before publishing information on the Internet with IIS, it's crucial that you understand the importance of this account and how it's used by the IIS Web Publishing Service. As you can see in Figure 6.9, the full name of the account created for the IIS is Internet Guest Account. The name of this account depends on the name of your server. For example, if the name of your server is INTERNET, the name of the account created for the IIS is IUSR_INTERNET. This account will be referred to as the Internet Guest Account in future sections.
It's important that you understand how IIS implements security and user authentication before publishing information with it. Because IIS uses NTFS security, it's easy to control who has access to which files at your Web site. The Internet Guest Account should have read permission for all public files, that is, files freely available to users browsing the Web site without a username and password. A part of a Web site's directory structure can be restricted by revoking file and directory access from the Internet Guest Account and granting it to the users who are allowed to access files in that directory structure. Note that these users must also be assigned the Windows NT user right "Log on Locally"; more information about this is presented in the following section. When file access permission is revoked from the Internet Guest Account and assigned to a few Windows NT users, a username and password with enough permission to access the data have to be supplied before IIS allows a browser to view it. IIS supports three kinds of username/password authentication methods: Anonymous logon (the request is served under the Internet Guest Account), Basic (Clear Text), and Windows NT Challenge/Response. Each is enabled or disabled on the Service tab of the WWW Publishing Service, discussed later in this chapter.
The next few sections discuss how you can configure IIS to suit your needs. IIS is configured by using the Internet Service Manager icon shown in Figure 6.7. When Internet Service Manager is invoked, it looks similar to Figure 6.10.
Figure 6.10: The Internet Service Manager application is used to configure various aspects of IIS.
It's easy to locate the NT Server or Internet service you wish to administer by using the View option of the Internet Service Manager menu. Various server views appear in Figure 6.11 and Figure 6.12.
Figure 6.11: Internet Service Manager with servers grouped by server name.
You can select the WWW publishing service to configure from the IIS manager menu shown in Figure 6.10, 6.11, or 6.12. After selecting the WWW publishing service you wish to configure, either double-click on it or use the right mouse button to select Service Properties. You then can configure various aspects of the WWW Publishing Service.
As shown in Figure 6.13, the Service tab of the WWW Publishing Service can be used to configure key aspects of the WWW publishing service. It's recommended that you don't change the default settings for Connection Timeout and Maximum Connections. However, after monitoring the number of connections at any given time by using Performance Monitor, you might want to increase Maximum Connections if you have sufficient network bandwidth to accommodate additional connections. In the "Monitoring Performance of Internet Information Server" section, you're shown how to use Performance Monitor to monitor the performance of IIS. Performance Monitor is a utility shipped with Windows NT that can be used to monitor various statistics of Windows NT resources and applications.
Figure 6.13: The Service tab of the WWW Publishing Service.
As mentioned earlier, IIS uses Windows NT user accounts and NTFS security to enforce file access permissions. The username and password specified for Anonymous Logon is used to determine if an anonymous user requesting an object from IIS is permitted to have that object. It's recommended that IIS be allowed to use the Internet Guest Account shown in Figure 6.13. By using File Manager, you can control which objects anonymous users have access to by assigning file permissions to the Internet Guest Account.
If your Web site is a public Web site, make sure that the Allow Anonymous checkbox in Figure 6.13 is checked. If you want to protect parts of your Web site with a username and a password, make sure that the Basic (Clear Text) checkbox is checked. As Figure 6.14 shows, you are then warned about the consequences of using clear text passwords: Basic authentication only base64-encodes the username and password, so anyone who can capture the traffic can read them. As a rule of thumb, never rely on clear text passwords to safeguard sensitive data from unauthorized users unless the connection is protected by SSL, which encrypts the password along with the rest of the request.
Figure 6.14: You should not use clear text passwords to restrict access to sensitive data.
The Windows NT Challenge/Response authentication method is much safer than clear text authentication because the password itself is never transmitted: the server sends a challenge, and the browser replies with a response computed from the user's password, so a protocol analyzer on the path does not see the password. However, at the time of this writing, only Internet Explorer was capable of handling Windows NT Challenge/Response authentication. Unless you're certain most users visiting your Web site use Internet Explorer, it's recommended that you stay away from Windows NT Challenge/Response authentication for now.
You can specify a comment for the WWW Publishing Service by typing it in the space provided for Comment. This comment will show up in Internet Service Manager under "Comments."
You can use the Directories tab shown in Figure 6.15 to configure how IIS handles directories. As you can see in Figure 6.15, several directory mappings have already been set up by the IIS installation program.
Figure 6.15: The directories tab of the WWW Service properties dialog box can be used to configure various directory settings.
It's very easy to add directory mappings to the Web Publishing Service. For example, you can use the Add button to add a CGI (Common Gateway Interface) directory mapping to the WWW Publishing Service. Applications in this directory can then be executed by users using a Web browser. After pressing the Add button, the Directory Properties dialog box appears, as shown in Figure 6.16. In this dialog box, you can select a directory and an alias for it. The alias specified in Figure 6.16 for the CGI directory is cgi-bin. You can use this alias to execute applications in the H:\Publish\WWW\CGI-BIN directory by using a URL such as http://server.name.com/cgi-bin/application.exe. Because the cgi-bin directory contains applications, the Execute checkbox is selected in Figure 6.16; this enables the WWW Publishing service to execute applications requested by users and return the output. Grant Execute only to directories that hold applications, and make sure the Internet Guest Account cannot write to them: a directory that anonymous users can both write to and execute from lets anyone who can place a file there run it on your server. If the virtual directory points to a network resource using a Universal Naming Convention (UNC) share name, a username and a password that has access to the share can be specified in the space provided for Account Information. Note that this option is visible only if a UNC share name is typed in.
Figure 6.16: Directory Properties dialog box.
IIS supports virtual servers. You can use the Virtual Server checkbox if a server has more than one IP address. The virtual server feature is handy for setting up Web servers for several companies on one server. For example, you can use the virtual server feature to host Web servers for www.Microsoft.com and www.IBM.com on the same computer (assuming you own both domain names, of course!). Note that properties have to be set separately for each virtual server.
Finally, you can select the Require Secure SSL Channel checkbox if SSL is installed on your server. SSL encrypts data before it's transmitted to users browsing a Web site.
The Enable Default Document checkbox, shown in Figure 6.15, is used to specify the name of the file that is sent by default if a URL is given without a filename. For example, when a user accesses a Web site with the URL http://www.company.com/, the filename specified under Enable Default Document is sent to the user. If the file is not found or if a filename is not specified under Enable Default Document, the user is presented with a list of files and directories, as shown in Figure 6.17, if directory browsing is allowed. Otherwise, the user is presented with a message similar to the one shown in Figure 6.18.
Figure 6.17: A list of files and directories appears if a URL without a filename is used and directory browsing is allowed.
Figure 6.18: An Access Forbidden message appears if a URL without a filename is used and directory browsing is not allowed.
The Directory Browsing Allowed checkbox, shown in Figure 6.15, is used to specify if IIS should return a list of files and directories when a URL is given without a filename. For example, http://wonderland.dial.umd.edu/document refers to a subdirectory. If directory browsing is allowed, the user sees a list of files and directories, as shown in Figure 6.17. On the other hand, if directory browsing is not allowed, the user will see a message similar to the one shown in Figure 6.18.
Web server accesses can be logged either to an SQL/ODBC database or to a plain text file. WWW Publishing Service access logging is configured by using the Logging tab shown in Figure 6.19. Unless you have special software to analyze data logged to an SQL/ODBC database, it's recommended that you allow IIS to log Web server accesses to a plain text file. Refer to Chapter 24, "Utility Applications for Your Server," for more information about analyzing Web server access log files.
Figure 6.19: WWW Publishing Service access logging dialog box.
The Advanced tab of the WWW Service Properties dialog box shown in Figure 6.20 is used to grant and deny access to various computers on the Internet. You might want to use this dialog box to deny access to one or more Internet computers.
Figure 6.20: WWW Publishing Service advanced properties dialog box.
For example, it's possible to deny access to a computer by the name of www.hacker.com by selecting the "Denied Access" radio button and by clicking the Add button. You can use the dialog box shown in Figure 6.21 to specify which IP addresses should be denied access. If you don't know the IP address of a computer but only its domain name (www.hacker.com), simply click the ellipsis button shown in Figure 6.21, and you can enter the domain name as shown in Figure 6.22. Note that the lookup is performed once, when you enter the name: what is stored is the IP address it resolved to at that moment, so a host that later moves to a different address, or that answers on several addresses, is not covered by the entry.
Figure 6.21: Deny Access On dialog box.
Figure 6.22: You can use the DNS Lookup dialog box to look up an internet computer by its domain name.
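The Logging and Advanced tabs work together: the plain-text access log is where you find the clients worth putting on the Advanced tab's deny list. The following is an added example, not code from the book or from IIS, that parses a handful of log records and picks out addresses that keep drawing 401/403 responses under several different usernames. The log lines are constructed by hand in the comma-separated record layout IIS writes when logging to a file (the field order is assumed from Microsoft's description of that format), the addresses come from documentation ranges, the threshold is arbitrary, and the all-ones subnet mask is an assumption about how a single-computer entry is expressed in the Deny Access On dialog.

```python
from collections import Counter, defaultdict

# Constructed records in the comma-separated layout IIS uses when logging to a
# file. Field order assumed: client IP, user name, date, time, service, server
# name, server IP, time taken, bytes received, bytes sent, HTTP status,
# Windows status, method, target, parameters; each record ends with a comma.
SAMPLE_LOG = """\
192.0.2.10, -, 05/14/96, 10:01:02, W3SVC, INTERNET, 198.51.100.5, 120, 210, 4096, 200, 0, GET, /default.htm, -,
192.0.2.10, -, 05/14/96, 10:01:03, W3SVC, INTERNET, 198.51.100.5, 90, 200, 2048, 200, 0, GET, /images/logo.gif, -,
203.0.113.7, -, 05/14/96, 10:02:10, W3SVC, INTERNET, 198.51.100.5, 15, 180, 312, 401, 5, GET, /private/report.htm, -,
203.0.113.7, kim, 05/14/96, 10:02:12, W3SVC, INTERNET, 198.51.100.5, 15, 240, 312, 401, 5, GET, /private/report.htm, -,
203.0.113.7, kim, 05/14/96, 10:02:14, W3SVC, INTERNET, 198.51.100.5, 15, 240, 312, 401, 5, GET, /private/report.htm, -,
203.0.113.7, sunthar, 05/14/96, 10:02:16, W3SVC, INTERNET, 198.51.100.5, 15, 240, 312, 401, 5, GET, /private/report.htm, -,
203.0.113.7, administrator, 05/14/96, 10:02:18, W3SVC, INTERNET, 198.51.100.5, 15, 240, 312, 401, 5, GET, /private/report.htm, -,
203.0.113.7, administrator, 05/14/96, 10:02:20, W3SVC, INTERNET, 198.51.100.5, 15, 240, 312, 403, 5, GET, /private/, -,
192.0.2.10, kim, 05/14/96, 10:05:00, W3SVC, INTERNET, 198.51.100.5, 60, 240, 4096, 200, 0, GET, /private/report.htm, -,
"""

FIELDS = ("client_ip", "user", "date", "time", "service", "server", "server_ip",
          "time_taken", "bytes_in", "bytes_out", "status", "win32_status",
          "method", "target", "params")


def parse_record(line):
    """Split one record into a dict keyed by FIELDS; status codes become ints."""
    parts = [p.strip() for p in line.strip().split(",")]
    if parts and parts[-1] == "":        # drop the empty field after the trailing comma
        parts.pop()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count %d in %r" % (len(parts), line))
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    rec["win32_status"] = int(rec["win32_status"])
    return rec


def parse_log(text):
    """Parse every non-blank line of a log file's contents."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def failed_access(records, threshold=3):
    """Clients with more than `threshold` 401/403 responses, together with the
    distinct user names each one presented. Several names from one address
    points to password guessing rather than one user mistyping a password."""
    failures = Counter()
    names = defaultdict(set)
    for rec in records:
        if rec["status"] in (401, 403):
            failures[rec["client_ip"]] += 1
            if rec["user"] != "-":       # "-" is an anonymous request
                names[rec["client_ip"]].add(rec["user"])
    return {ip: {"failures": n, "users_tried": sorted(names[ip])}
            for ip, n in failures.items() if n > threshold}


def deny_entries(records, threshold=3):
    """Single-computer deny entries as (address, subnet mask) pairs; the
    all-ones mask for a single host is an assumption about the dialog."""
    return [(ip, "255.255.255.255") for ip in sorted(failed_access(records, threshold))]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for ip, info in failed_access(records).items():
        print("%s: %d failures, tried %s" % (ip, info["failures"], ", ".join(info["users_tried"])))
    print("deny:", deny_entries(records))
```

In the sample, 203.0.113.7 collects six failures under three different account names and is flagged, while 192.0.2.10, where kim logs in correctly after two anonymous requests, is not. Review the flagged addresses before entering them on the Advanced tab; a proxy or dial-up pool can put many legitimate users behind one address.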
The Limit Network Use checkbox, shown in Figure 6.20, is handy for limiting network bandwidth that will be used by all Internet services (managed by IIS) running on the computer being administered. As shown in the "Monitoring Performance of Internet Information Server" section, use Performance Monitor to determine network bandwidth used by IIS before changing the default value. If it's necessary to use this option to severely limit network bandwidth, it's a good indication that you need to upgrade your Internet link. If this isn't possible, at least move all large graphics files to another server.
You can use the FTP Publishing Service to distribute files on the Internet. Before using it in a production environment, it's recommended that the FTP Publishing Service be configured to suit your needs. Just select the FTP Publishing Service you wish to configure from the Internet Service Manager and double-click it. The FTP Publishing Service is configured by using a tabbed dialog box similar to the one shown in Figure 6.23.
Figure 6.23: FTP Publishing Service configuration dialog box.
Technical note: The default TCP/IP port of the FTP Service is 21.
The dialog box shown in Figure 6.23 is identical in many ways to the dialog box in Figure 6.13. To avoid redundancy, this section covers only those dialog box options that are different. The Allow only anonymous connections checkbox and the Current Sessions button are the only options that are different between Figure 6.23 and Figure 6.13.
You can check the Allow only anonymous connections checkbox to ensure that Windows NT users do not compromise the security of your NT server by using their usernames and passwords to log on to the FTP Publishing Service. Usernames and passwords used to authenticate users to the FTP server are transmitted in clear text. This means that anyone who has a protocol analyzer and access to your network, or to the part of the Internet that the authentication data crosses, can intercept the usernames and passwords of authorized users and gain unauthorized access to your system. If you deselect this option, be aware that every time a user logs on with a username and password, the same username and password can be captured and reused by an unauthorized person. As a security precaution, advise your users not to store sensitive files on the FTP server. If they must store sensitive files, ask them to encrypt the files with a strong encryption tool such as Pretty Good Privacy (PGP).
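Both warnings in this chapter, the one about Basic (Clear Text) on the WWW Service tab and the one about FTP logons above, come down to the same thing: what a protocol analyzer on the path can read. The following is an added example, not code from the book or from IIS, that recovers credentials from two captured client streams. Both captures are constructed by hand; the host name, account names and passwords in them are made up.

```python
import base64
import re

# Constructed capture of one HTTP request made with Basic (Clear Text)
# authentication. Host, NT account and password are invented.
HTTP_STREAM = (
    b"GET /private/report.htm HTTP/1.0\r\n"
    b"Host: www.company.com\r\n"
    b"Authorization: Basic " + base64.b64encode(b"INTERNET\\kim:Secret#96") + b"\r\n"
    b"\r\n"
)

# Constructed capture of the client side of two FTP control connections: an
# anonymous logon (the "password" is just the e-mail address the client sends)
# followed by a logon with a real NT account.
FTP_STREAM = (
    b"USER anonymous\r\nPASS BillGates@Microsoft.com\r\nLIST\r\nQUIT\r\n"
    b"USER sunthar\r\nPASS letmein\r\nCWD Users/Sunthar\r\nQUIT\r\n"
)

BASIC_HEADER = re.compile(rb"(?im)^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$")


def basic_credentials(stream):
    """Return (user, password) pairs found in Basic Authorization headers.
    Basic only base64-encodes "user:password"; decoding it is the whole attack."""
    found = []
    for match in BASIC_HEADER.finditer(stream):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("latin-1")
        except ValueError:              # not valid base64: skip, don't crash
            continue
        user, _, password = decoded.partition(":")
        found.append((user, password))
    return found


def ftp_credentials(stream):
    """Return (user, password, is_anonymous) for each USER/PASS pair in the
    client side of an FTP control stream. FTP commands are case-insensitive."""
    found = []
    pending_user = None
    for raw in stream.split(b"\r\n"):
        cmd, _, arg = raw.decode("latin-1").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            pending_user = arg
        elif cmd == "PASS" and pending_user is not None:
            anonymous = pending_user.lower() in ("anonymous", "ftp")
            found.append((pending_user, arg, anonymous))
            pending_user = None
    return found


def reusable_logons(http_stream, ftp_stream):
    """Credentials an eavesdropper could replay against the NT server itself.
    Anonymous FTP logons are left out: they grant nothing the attacker lacks."""
    logons = [("http-basic", u, p) for u, p in basic_credentials(http_stream)]
    logons += [("ftp", u, p) for u, p, anon in ftp_credentials(ftp_stream) if not anon]
    return logons


if __name__ == "__main__":
    for proto, user, password in reusable_logons(HTTP_STREAM, FTP_STREAM):
        print("%-10s %s / %s" % (proto, user, password))
```

Run as written, the script prints the NT account and password from the Basic header and the FTP logon for sunthar, and nothing for the anonymous session. The same Basic header sent inside an SSL session, or replaced by Windows NT Challenge/Response, gives the analyzer nothing to decode, which is the point of the recommendations above.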
You can use the Current Sessions button to find out which users are logged on to the FTP server at any given time by using the dialog box in Figure 6.24. You can use the same dialog box to disconnect users from the FTP server. Regular users have a face next to their username; anonymous users have a question mark next to the e-mail address used to access the FTP server. For example, the anonymous user shown in Figure 6.24 has used the e-mail address BillGates@Microsoft.com to access the FTP server.
Figure 6.24: FTP User Sessions dialog box.
You can use the Messages tab shown in Figure 6.25 to specify various messages displayed to users connecting to the FTP server. As shown in Figure 6.25, you can specify a Welcome message and an Exit message, as well as a Maximum connections message by using this dialog box.
Figure 6.25: FTP Publishing Service message dialog box.
Directories of the FTP Publishing service can be configured by using the Directories tab shown in Figure 6.26. This dialog box is very similar in functionality to the dialog box in Figure 6.16. The only difference is the Directory Listing Style option. This option is used to specify if the FTP Publishing Service should return an MS-DOS- or UNIX-style directory listing. It's recommended that the UNIX radio button be selected because some Web browsers expect the directory listing format of FTP servers to be in the UNIX (ls -l) directory listing format.
Figure 6.26: FTP Publishing Service directories dialog box.
It's very easy to specify home directories for FTP users. The only requirement is to have the directory structure set up so that all users share the same parent directory and their home directories correspond to their usernames. For example, if H:\Publish\FTP\Users is the parent directory, home directories of the two users Sunthar and Kim should be H:\Publish\FTP\Users\Sunthar and H:\Publish\FTP\Users\Kim, respectively. The parent directory of user home directories can be specified as shown in Figure 6.27. Note that the directory H:\Publish\FTP\Users is configured as the Home Directory of the FTP Publishing Service. Again, be sure users don't store any sensitive files on your system that are accessible via FTP.
Figure 6.27: FTP Publishing Service home directory configuration dialog box.
The Logging and Advanced tabs of the FTP Publishing service are identical in functionality to that of the WWW Publishing Service discussed earlier. Please refer to the earlier discussion for more information about using these two configuration tabs.
IIS also includes a Gopher server. Although the Gopher protocol is becoming less and less popular by the day due to inherent limitations of the Gopher protocol, almost anyone who has access to the Internet has access to a Gopher client. This is especially true for users who still access the Internet through UNIX shell accounts. The Gopher server is administered by using the Gopher Publishing Service properties dialog box, shown in Figure 6.28.
Figure 6.28: Gopher Publishing Service properties dialog box.
Technical note: The default TCP/IP port of the Gopher Service is 70.
The dialog box in Figure 6.28 is very similar to the dialog box in Figure 6.13, which was discussed in detail earlier. The only difference is the space provided for Service Administrator information. The name and e-mail address of the Gopher server administrator can be specified as shown in Figure 6.28.
The Gopher Service directories dialog box shown in Figure 6.29 is very similar to the dialog box in Figure 6.16, which was discussed in detail earlier. Note that the home directory of the Gopher service is H:\Publish\Gopher. This information is used in the following section where you're shown how to publish information on the Internet with the Gopher server.
Figure 6.29: Gopher Publishing Service directories dialog box.
It's very easy to publish information on the Internet with the Gopher server. To a certain extent, it's similar to publishing an entire directory structure of information on the Internet. However, as you learn shortly, there is one extra required step to publish information by using the Gopher service than merely copying files to the Gopher directory structure.
As mentioned earlier, the home directory of the Gopher Publishing Service used in this exercise is H:\Publish\Gopher. The directory structure of H:\Publish\Gopher is shown in Figure 6.30. Note that there is a file by the name of Welcome.txt in the home directory of the Gopher server. The contents of this file are shown in Figure 6.31. Shortly, you find out how easy it is to publish this file and directory structure on the Internet with the Gopher server.
Figure 6.30: Directory structure of the Gopher server's home directory.
Figure 6.31: Contents of file Welcome.txt.
At this point, if a user connects to the Gopher Publishing Service, he or she sees a directory listing similar to the one shown in Figure 6.32. Note how the file Welcome.txt in Figure 6.32 is marked as a binary file. This is because, by default, all files published with the Gopher Publishing Service are assumed to be binary files. At this time, you might want to create a text file in your Gopher server directory and notice that if you click it, it is downloaded as a binary file.
Figure 6.32: Directory listing of the home directory of the Gopher Publishing Service.
You can solve this problem by creating a tag file for the text file Welcome.txt. You create a tag file by using the following syntax:
gdsset -c -g<number> -f <"file description"> -a <"administrator's name"> -e <e-mail address> <filename>
Explanations of the various command-line arguments are listed here:
-c: Edits an existing tag file or creates a new one.
-g<number>: Specifies the type of file according to the file type table shown next. Replace <number> with the single-digit File Type Code from the table.
-f <"file description">: Friendly description shown in place of the filename in the Gopher directory listing.
-a <"administrator's name">: Name of the administrator.
-e <e-mail address>: Administrator's e-mail address.
<filename>: Name of the file being tagged.
The following is the file type code table for publishing various kinds of files with the Gopher Publishing Service. The codes are the standard Gopher item types (RFC 1436); note that 9, the type IIS assigns to any untagged file, is the binary type.
File Type Code | Description
0 | Text file
1 | Gopher directory
2 | CSO phone book server
3 | Error
4 | Binary Hexadecimal (BinHex) Macintosh file
5 | MS-DOS binary archive
6 | UNIX UUencoded file
7 | Index search server
8 | Telnet session
9 | Binary file
Listed next is the actual command used to publish the file Welcome.txt on the Internet with the Gopher Publishing Service. This command should be typed at the Windows NT command prompt. Note the various command-line arguments that are used and the output of the gdsset application.
H:\publish\Gopher>gdsset -c -g0 -f "Welcome Message" -a "Sanjaya" -e sanjaya@erols.com Welcome.txt
Old Tag contents for H:\publish\Gopher\Welcome.txt
Tag information for H:\publish\Gopher\Welcome.txt
    Object Type = 9
    Friendly Name = Welcome.txt
    Admin Name = Default Admin Name
    Admin Email = Default Admin Email
    Gopher Object Type = 0
    Gopher FriendlyName = Welcome Message
Tag information for H:\publish\Gopher\Welcome.txt
    Object Type = 0
    Friendly Name = Welcome Message
    Admin Name = Sanjaya
    Admin Email = sanjaya@erols.com
H:\publish\Gopher>
At this point, if a user connects to the Gopher server, he or she sees a directory listing similar to the one shown in Figure 6.33. Compare the directory listing in Figure 6.32 with the listing in Figure 6.33. Note how the description of the file has changed from Welcome.txt to Welcome Message. Also, note that the icon has changed from a binary file icon to a text file icon. When a user now clicks the text file, instead of a prompt to download the file, the user sees the actual contents of the text file, as shown in Figure 6.34.
Figure 6.34: Contents of text file Welcome.txt viewed via the Gopher Publishing Service.
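The change the tag file makes is visible on the wire. Under the Gopher protocol (RFC 1436) every entry in a directory listing is one line whose first character is the type code, followed by the display string, the selector, the host and the port, separated by tabs; the client decides from that first character alone whether to show the item as text or offer it for download. The following is an added example, not code from the book or from IIS, that builds the listing line for Welcome.txt before and after the gdsset command above and parses it back the way a client would. The host name and the selector form are assumptions.

```python
# Standard Gopher item-type codes (RFC 1436): the single digits gdsset takes
# as its -g argument.
GOPHER_TYPES = {
    "0": "Text file",
    "1": "Gopher directory",
    "2": "CSO phone book server",
    "3": "Error",
    "4": "BinHexed Macintosh file",
    "5": "MS-DOS binary archive",
    "6": "UNIX uuencoded file",
    "7": "Index search server",
    "8": "Telnet session",
    "9": "Binary file",
}

DEFAULT_TYPE = "9"   # IIS reports an untagged file as binary (type 9)


def tag_info(filename, gopher_type=None, friendly_name=None):
    """The values a tag file supplies for one file. Without a tag IIS uses type 9
    and the bare filename as the description, as the gdsset output above shows.
    The "/" + filename selector is an assumption about the server's naming."""
    if gopher_type is not None and gopher_type not in GOPHER_TYPES:
        raise ValueError("unknown Gopher type %r" % gopher_type)
    return {
        "type": DEFAULT_TYPE if gopher_type is None else gopher_type,
        "friendly_name": filename if friendly_name is None else friendly_name,
        "selector": "/" + filename,
    }


def menu_line(tag, host, port=70):
    """One directory-listing entry as the server sends it: type character and
    display string, selector, host, port, tab-separated, CR LF terminated."""
    return "%s%s\t%s\t%s\t%d\r\n" % (
        tag["type"], tag["friendly_name"], tag["selector"], host, port)


def parse_menu_line(line):
    """What a client extracts from an entry; the leading character decides
    whether it displays the item (type 0) or offers a download (type 9)."""
    body = line.rstrip("\r\n")
    fields = body.split("\t")
    if not body or len(fields) < 4:
        raise ValueError("malformed menu line: %r" % line)
    gtype = fields[0][0]
    return {
        "type": gtype,
        "description": GOPHER_TYPES.get(gtype, "unknown type"),
        "display": fields[0][1:],
        "selector": fields[1],
        "host": fields[2],
        "port": int(fields[3]),
    }


if __name__ == "__main__":
    host = "gopher.company.com"           # assumed host name
    before = menu_line(tag_info("Welcome.txt"), host)
    after = menu_line(tag_info("Welcome.txt", "0", "Welcome Message"), host)
    for label, line in (("untagged", before), ("tagged", after)):
        entry = parse_menu_line(line)
        print("%-9s %s -> %s (%s)" % (label, line.rstrip(), entry["display"], entry["description"]))
```

The untagged line starts with 9 and carries the filename, which is why Figure 6.32 shows a binary icon; after gdsset -g0 -f "Welcome Message" the line starts with 0 and carries the friendly name, which is what Figure 6.33 and Figure 6.34 show.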
Various IIS statistics can be monitored using Performance Monitor. Performance Monitor is invoked by executing the Performance Monitor icon in the Administrative Tools Windows NT Start Menu folder. In order to monitor various IIS statistics, after invoking Performance Monitor, select Edit | Add To Chart from the menu bar. The dialog box shown in Figure 6.35 appears. Use this dialog box to choose various IIS statistics to monitor by selecting an IIS object and counter as shown in Figure 6.35. Each object has various counters associated with it. After selecting a counter to monitor, click the Add button.
Figure 6.35: A number of IIS statistics are available to be monitored with Performance Monitor.
Counters selected using the Add to Chart dialog box can be monitored using Performance Monitor as shown in Figure 6.36. Performance Monitor is especially useful for finding bottlenecks. For example, the Bytes Total/sec counter of the HTTP Service object can be monitored to determine if the Internet bandwidth available is sufficient to serve HTTP requests.
Figure 6.36: Selected IIS statistics can be monitored with Performance Monitor.
Microsoft Internet Information Server is bundled free with Windows NT Server. Although Microsoft intends to make a version of IIS available for Windows NT Workstation, it will not be as powerful as the version that ships with Windows NT Server. There are many commercial Web servers available for Windows NT. Most of these Web servers come bundled with additional software, such as database connectivity setup wizards and search engines. On the other hand, although IIS is a very powerful server, it doesn't include any database setup wizards or search engines. Such features have to be added separately by using custom CGI (or ISAPI) or third-party applications.
IIS is a powerful, easy-to-manage server designed to make maximum use of Windows NT's system architecture. You can use it to publish information on the Internet via HTTP, Gopher, and FTP.
At the time of this writing, over a dozen Web servers are available for Windows NT. Although this proves the success of Windows NT as an ideal operating system for setting up Web sites, it can certainly make things rather confusing when selecting a Web server. The next chapter discusses a number of Web servers available for Windows NT, highlighting advantages and drawbacks of choosing one Web server over the other.