IIS is not installed by default on Windows 2003. Once installed, the default configuration is to serve static content only. Enable dynamic content through IIS.msc, Web services Extensions node. Http connections can be secured by authentication and authorisation (permissions). As well as serving pages, the site can serve a virtual directory (assuming a default page not set). Create virtual directories in explorer with 'Web Sharing' tab or with IIS.msc, Action, New, Virtual Directory. The directory can reside on another machine. IIS.msc includes a command to backup the metabase, configuration information, for the server (stored as an XML document): select All tasks, Backup/Restore Configuration.

IIS Authentication

By default, all requests are serviced by impersonating the user with the IUSR_computername account. Before you can restrict access to resources, you'll need to use alternative, non-anonymous authentication. Available Authentication methods:

• Anonymous: using the IUSR_computername account
• Basic Authentication: local or domain account required, clear text
• Digest Authentication: similar to basic but better security in transmitting credentials
• Advanced Digest: requires AD, IE5 and HTTP 1.1
• Integrated Windows Authentication: using NT Challenge/Response and hashing of credentials
• Certificate Authentication: using SSL sockets and encryption
• .NET passport: using SSL, HTTP redirects, cookies, Microsoft JScript and strong symmetric key encryption

For FTP, authentication restricted to either anonymous or basic logon. Once authentication configured, use NTFS or IIS permissions to secure resources. Most restrictive applies.