Internet Information Services 5.1: XP Pro Only

Includes web server, ftp server, and SMTP virtual server. Limited to one website, one ftp site, and maximum of 10 simultaneous TCP connections. Not installed by default

Use IIS snap-in to manage server. Console tree represents directory structure of your site. Default locations %systemdrive%\inetpub\wwwroot & ftproot. Virtual directories are pointers to directories held elsewhere. IISstart.asp is the only document in the default document list that is installed by default. If site is accessed by 'localhost' then a welcome page and IIS documentation is displayed. To get documentation later, access http://localhost/iishelp or open help from snap-in. To search the documentation, you must be running the Indexing Service. If site is accessed by http://computername then an 'Under Construction' page is displayed.

To configure site properties, right-click the default website and choose properties. On the 'Home Directory' tab, you can specify source of content:

1. a directory on the computer
2. a share on another computer (requires credentials for 'Connect As')
3. a redirection to another URL (enter an exact URL, a child directory of the current home, or a 301 permanent redirect)

IIS searches the default document list from the top and returns the first one it finds. Error 403 is produced if you clear the default document and the site is accessed without a document name. HTML footers can be enable, but impact on performance. By default logging is enabled in W3C format (NCSA and Microsoft IIS format also available). Logfile rollover can be set by schedule or size.

HTTP headers tab allows you to apply content ratings. Ratings Questionnaire needs to filled in and submitted to ratings authority.

Virtual directories

• hide location of content
• simplify access to content
• easier to relocate
• distribute content source and delegate control

To create a virtual directory

• through windows explorer: go to folder properties, web sharing, share on default web site (local folders only, mapped drives not allowed)
• IIS console: right-click parent, choose new virtual directory (remote and local folders)

Access controlled by authentication, IIS permissions (apply to all users) and NTFS permissions (apply per user). If anonymous access is enabled it is used wherever possible otherwise the most restrictive set of permissions are enforced.

Authentication Methods

• Basic
• Advanced Digest
• Integrated Windows Authentication
• Anonymous

Anonymous access: IIS impersonates anonymous users using IUSR_computername account, created during IIS install. IUSR_computername:

• is member of guests
• cannot change password
• password never expires

IIS checks permissions on resource before granting IUSR access. If access restricted, IIS tries other form of authentication if enabled for resource. If authentication failed, 403 access denied returned

Basic Authentication: cleartext, HTTP 1.0 standard, Base64 encoding. User presented with logon dialogue, credentials validated by webserver or its domain controller. Basic authentication can be secured using SSL.

Advanced Digest:

• IIS transmits realm name to client
• browser prompts for logon credentials
• browser creates MD5 hash from credentials and realm
• transmits MD5 hash to IIS
• IIS submits hash to domain controller

Requirements for advanced digest:

• IE5 or later
• client and server must be members of or trusted by same domain
• user needs domain user account (Active Directory)
• .NET server domain
• IIS server must be XP

In Windows 2000 domain, server will use Digest Authentication: password stored in clear text on the server, but transmitted as hash

Integrated Windows Authentication:

• cryptographic exchange between client and server
• logon credentials not submitted
• doesn't work over proxy connections
• IE2 or later required

Specify authentication methods for files, folders, site via Properties, Security, Authentication Control. IIS permissions specify what users can do after authentication. Permissions cover:

• read
• write
• script source access
• directory browsing
• execute permissions (none, scripts, scripts and executables)

SSL

IIS can use SSL for encrypted connections (40-bit or 128-bit). Requires use of certificates. Server certificates used to identify website to client. If browser accepts certificate, SSL connection established with browser using public key and server using private key. Client certificate used to identify browsers to servers. A site can require client certificates as part of authentication. CA certificates provide a trust value for client and server certificates. If CA is not in certificate store, client given option to accept or reject certificate.

Using SSL: obtain and install a server certificate. Then go to Properties, Security, Secure Communications. Select 'Require Secure Channel'. Can be applied to site, directory, virtual directory or file. Users can request SSL, even if it is not required and as long as a certificate is installed, by addressing https instead of http. To obtain a certificate, use the Web Server Certificate Wizard from the security tab. Process involves creating a certificate request, submitting this to a CA, obtaining and installing the certificate.

If you require SSL with basic authentication, all user interaction will use SSL and consequently run more slowly. If user requests SSL for logon when it is not required, they can change subsequent links from https to http, for better performance. Use of client certificates for user authentication, requires that each client certificate is mapped to a user account.

WebDAV

WebDAV allows users read and write access to files on a virtual directory managed by IIS. Supports all the IIS authentication methods and preferred to FTP. Share folders via Web Sharing tab or IIS console, then set IIS permissions. Write permissions combined with script permissions would allow users to upload potentially dangerous scripts to the directory.

Internet Printing

Internet Printing: if server hosts both print shares and IIS, then printers will be available via http://hostname/printers. NTFS and share permissions are enforced. To connect to a particular printer, e.g. haperlaserJ, connect to http://hostname/printers/hplaserj/.printers.