Microsoft Windows XP Networking Inside Out

Part 2: Internet Networking


Figure 8-18. Use the Privacy tab to control who can see you when you are online and who can communicate with you.

For more information on how to best maintain the security of your Windows XP computer, see Chapter 20, “Maintaining Network Security.”

tip Don’t Forget NetMeeting

If you need a conferencing and application sharing tool to use on your LAN or WAN, use NetMeeting, which is available in Windows XP by choosing Start, Run and typing conf. NetMeeting also contains Whiteboard and Application Sharing features along with audio and video, and it will work on your LAN without requiring a separate .NET Passport for each participant. To learn more, see www.microsoft.com/windows/NetMeeting/Corp/reskit/default.asp to view the entire NetMeeting Resource Kit.


Chapter 9

Using Internet Information Services

Running IIS on Windows XP Professional 250

Getting to Know IIS 251

Installing IIS 259

Configuring IIS Services 260

The Internet has continued to grow at an astonishing rate. With the widespread use of the Internet, both residential and business users are seeking ways to further leverage Internet connections. Businesses often seek to reach new markets or foster collaborative enterprise with employees in distributed locations working on the same project interactively. Residential users seek new ways to stay in contact with family and friends, work from home, or just share information with others. Web servers are a tool that can be leveraged to do all of these things.

Microsoft Internet Information Services (IIS) has been the flagship Web server for the Microsoft Windows NT family of products for many years. This tradition is carried through with an IIS implementation in Windows XP Professional. IIS has been developed with the needs of many users in mind.

Microsoft is moving to an operating environment where the Internet is an integrated part of the operating system. This integration will allow a more enriching user experience and perhaps a more productive one as well. The implementation of IIS in Windows XP Professional continues along this path. In this chapter, you’ll learn what you can and can’t do with IIS in Windows XP Professional.

note Windows XP Home Edition does not support IIS.


Running IIS on Windows XP Professional

IIS, as included with Windows XP Professional, is designed primarily for limited use as a Web development tool or as a Web hosting system on an intranet. In Windows XP Professional, only 10 TCP connections to IIS are allowed at any given time. As a result, the maximum number of clients that can access your IIS server at any given moment is 10 (and most likely fewer, because some client requests might use additional TCP connections).

With that thought in mind, Windows XP Professional is not a practical platform on which to host an Internet Web site. However, for a small company that needs an intranet site to share HTML data, perform FTP transfers, or perform initial development of Web sites and applications that will later be deployed on Windows servers, Windows XP Professional fits the bill.

Using IIS on Windows XP Professional, you can:

Host one Web site. You can use IIS to host one Web site on an intranet or even the Internet, but you are limited to 10 TCP connections at any given time across all IIS services.

Host one FTP site. You can host one FTP site, but you are limited to 10 TCP connections at any given time. (These 10 connections constitute the total for all access to the IIS server.)

Use SMTP Virtual Server. You can use IIS to host an SMTP mail service for your intranet (within the same restrictions on the total number of TCP connections to IIS). See “Configuring SMTP Services” on page 277 for more information about SMTP hosting.

Use IIS to test Web applications. If you are a developer, you can easily test Web applications on Windows XP using IIS.

Use Internet printing. IIS provides you with an easy way to share printers over the local intranet or even the Internet. See Chapter 14, “Understanding Resource Sharing and NTFS Security,” to learn more about Internet printing.

note IIS provides a way to host Web sites, not a way to design them. If you need to create a Web site, consider using Microsoft FrontPage. IIS fully supports all FrontPage features. If you need to develop advanced Web applications, you should consider using Microsoft Visual Studio .NET.


Getting to Know IIS

IIS provides a number of Web hosting features and functions in Windows XP Professional, but it is less constrained when used on a Windows server platform. IIS uses the same core engine on both XP Professional and on the server versions of Windows, allowing you to easily deploy Web sites and applications developed on XP Professional on the server editions of Windows. Those server editions of Windows provide a full suite of Web hosting, FTP, SMTP, and virtual hosting services. This chapter will take a look at what IIS has to offer. The following sections present a brief history of IIS and the services it provides, along with the technology IIS uses.

History of IIS

In one form or another, IIS has been in existence since the early 1990s. IIS 1.0 was first introduced as an add-on product for Windows NT 3.51 and included basic support for Hypertext Transfer Protocol (HTTP), static Web pages, and Common Gateway Interface (CGI) Web applications. IIS 1.0 also introduced the Internet Server Application Programming Interface (ISAPI), a method for writing Web applications and authentication systems that integrate tightly with IIS for improved performance over CGI applications.

The release of Windows NT 4.0 marked the introduction of IIS 2.0, which shipped with Windows NT 4.0. IIS 2.0 included new enhanced security features as well as enhancements to ISAPI.

The next major release, IIS 3.0, is best known for its introduction of Active Server Pages (ASP), a groundbreaking script-based Web application development system that revolutionized Windows Web site development and spawned a number of imitations for Web servers on Windows and other operating systems.

Microsoft distributed IIS 4.0, the next version, as part of the Windows NT Option Pack. IIS 4.0 included a number of refinements throughout the product. It introduced Web application process isolation and ASP transaction support via Microsoft Transaction Server, another component included in the Option Pack. (Microsoft Transaction Server was later renamed to COM+).

With the release of Windows 2000 Professional (and the suite of server editions of Windows 2000) came IIS 5.0. Numerous improvements in security, application support, and standards compliance were included in this release. Additionally, the management of IIS was made less cumbersome and less intrusive in IIS 5.0. This trend toward improved reliability and usability has continued with the release of version 5.1, which is the version included in Windows XP Professional.


Features Overview

The feature set available in the 5.x versions of IIS affords you a wide range of configuration options. These options let you configure your FTP server, HTTP server, and SMTP server, which are the three major components of IIS included with Windows XP Professional. Additional services are available in IIS 5.0 as part of the server versions of Windows 2000. New features are planned for IIS in version 6.0, which was in beta testing as this book went to press. For a preview of new features planned for version 6.0, see “Preview of IIS Version 6.0,” page 257. For now, let’s take a closer look at what IIS 5.x has to offer.

IIS Restart

One of the most intrusive features of IIS 4.0 was the fact that restarting IIS could be very inconvenient. In a full-featured IIS 4.0 environment, you had to manually stop the IISAdmin service (which would then stop the various services of IIS), and then track down all the worker processes used by Microsoft Transaction Server and manually stop them. Only then could you restart IISAdmin, bringing the Web server back online. Some administrators found it simpler to just restart the entire computer, thus inconveniencing all users of that system.

With the advent of IIS 5.0, it is now possible to easily restart IIS using the IISReset tool. What used to be minutes of downtime is now only a few seconds of unavailability.

Maintaining the Metabase

New to IIS 5.1 is the capability to reliably back up and restore the metabase in a couple of new ways. The metabase refers to the IIS configuration data for a Web site. Using the IIS backup and restore feature is now more useful than it was before. In addition to making a backup, the restore feature allows the IIS administrator to restore the backup to other computers.

Besides the new flexibility, enhancements have been added to ensure that the backup and restore process files are secure. A tool known as the Metabase Snapshot Writer (MSW) ensures that when the NT Backup tool is used (to make general system backups), the metabase portion is also backed up in a reliable manner. This tool guarantees that the current state of the metabase (a snapshot) is captured during a backup. It is important to note that the MSW is not related to the Configuration Backup/Restore option available in the IIS Microsoft Management Console (MMC) snap-in.

Remote Administration Features

The remote administration features of both IIS and the Windows NT family of operating systems have been around for some time. In Windows XP Professional, there are considerable improvements in the tools and the number of ways in which they can be utilized. IIS version 5.1 has a robust remote administration suite that is managed via a Web browser. This allows the administrator of the Web site to interact with the IIS server from virtually any location or computer system, as long as there is access to a standards-compliant Web browser. Also new in 5.1 is the capability to designate varying levels of administrative control, allowing some of the Web server administration tasks to be delegated to other users without providing full access to the Web server.

Remote Desktop is a new feature in Windows XP Professional (see Chapter 16, “Remote Desktop and Remote Assistance”). Actually, Remote Desktop is a new implementation of a very popular feature known as Terminal Services, which is available with the Windows 2000 family of server products. In Windows 2000, the Terminal Services server was not available in the Professional version. This has been changed in Windows XP in addition to adding new functionality. Neither of these products is part of the IIS suite, but the capability of using Remote Desktop to manage a Windows XP Professional computer running Web services is indeed significant. Remote Desktop allows a properly authorized user to create a virtual session with the IIS computer. From any computer capable of running the Remote Desktop client, the user can interact with IIS as if he or she were sitting directly in front of the computer running IIS. There are many new features in Remote Desktop that did not exist in Terminal Services, but those features relate to its configurability and multimedia support, and are covered in Chapter 16.

User Access Options

User access can now be controlled in a very granular manner with the IIS 5.1 application. Not only can general read, write, and execute access be defined (as in previous versions), but now a whole host of user rights can also be defined. The new options include the capability to define FrontPage user access at the site, directory, and file levels.

Secure Web Sessions

IIS version 5.1 makes full use of the Secure Sockets Layer (SSL) 3.0 standard as part of the Transport Layer Security (TLS) standard. This feature allows the secure transfer of information between Web servers and their hosts. Encased in this process is the capability of the IIS Web server to identify users through industry-standard public key infrastructure (PKI) certificates. When the user initiates a session, the Web server can examine the user’s security certificates (issued by a certificate server) to uniquely identify the client. IIS 5.1 can then map the user certificate to a domain user account. These certificates, which use well-reviewed industry standards, allow IIS 5.1 to verify user identity in an extremely secure fashion.

Cryptography

The SSL standard is a widely used method for enabling private, secure communications as a part of Web browsing. Windows ships with an extension of the SSL package known as Server-Gated Cryptography (SGC). SGC uses specialized certificates to enable 128-bit encrypted communications with export versions of IIS (versions used outside the United States).


Kerberos Authentication

IIS makes full use of Kerberos (version 5) authentication available in Windows XP Professional. This integration allows the secure transmission of user credentials from one process or computer to another. Kerberos authentication is an open-standard–based method of securely authenticating users. Instead of sending authentication information in clear text (where it could be intercepted), Kerberos users (known as principals) use a ticket (an ID card of sorts) obtained from the Kerberos server. These tickets reduce network authentication traffic, are encrypted to eliminate the threat of interception, and allow servers and applications to delegate the work of authenticating a user to a centralized authentication service, such as Active Directory. (You can read more about Active Directory in “Active Directory,” page 319.)

Security Certificate Storage Integration

IIS now supports the Fortezza standard. The Fortezza standard was outlined by the United States federal government to ensure that software systems meet the requirements of the Defense Message System architecture. This architectural specification encompasses cryptography, confidentiality, data integrity, authentication, and access control requirements. The goal of this standard is to ensure the secure access of messaging systems and the data they contain. The Fortezza support in IIS is normally used to implement smart card authentication systems.

New Security Wizards

In addition to new security features, the management of Web site security has been greatly improved. Easy-to-follow wizards now exist for several key security features. The Permissions Wizard is designed to make the assignment of user access rights on virtual directories and files easy. Of particular note is that this wizard integrates the changes with local file permissions (defined in the NTFS access list) to ensure that there are not two separate and possibly conflicting sets of access permissions. Chapter 13, “Selecting a File System,” covers the various features of the NTFS file system (definitions, options, tools, and so forth) in detail.

The Web Server Certificate Wizard allows for the easy configuration of security certificates. This wizard makes it easy to create a new certificate, assign an existing certificate, or import an existing certificate from a backup.

In conjunction with the Certificate Wizard, the Certificate Trust List (CTL) Wizard contains a list of entities authorized to issue certificates for a particular location or resource. These authorized entities are known as Certificate Authorities (CA). Because the CTL is only of substantial use to IIS installations supporting multiple Web sites, this feature is unlikely to be of great value with the restricted IIS version included with Windows XP Professional.


Flavors of IIS

Microsoft has been moving toward a single, modular operating system platform in the last few years. The Windows 2000 family, which includes Professional, Server, Advanced Server, and Datacenter Server, exemplifies this ideology. Each of these versions is based on the same core operating system. They also share several services, including IIS.

The IIS implementation in Windows 2000 (version 5.0) varies in its feature set with the versions of Windows. The Server editions support multiple Web and FTP sites. The IIS implementation in the Professional operating system supports only a single FTP and Web site.

This difference in features is carried through in Windows XP. The IIS version included with Windows XP Professional has a reduced feature set compared to the server implementation, and Windows XP Home Edition lacks IIS altogether. Future server versions of Windows, on the other hand, will include the entire suite of IIS features.

Advanced Digest Authentication

IIS 5.1 makes use of a new feature, Advanced Digest Authentication, to enable a wide range of secure communications. Advanced Digest Authentication is a lightweight process that permits secure authentication of users across network security devices (such as firewalls). It does not require client-side software and does not send user credentials in a clear text format over public networks. Several other methods of authentication are available including the methods previously available with IIS 4.0 and 5.0.
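The property the paragraph above relies on, that a Digest client returns a hash rather than the password, is easiest to see in a small server-side verifier. The following is an added example of standard HTTP Digest authentication (RFC 2617, the mechanism IIS's Advanced Digest variant builds on), not IIS's own code; the realm, the account and the nonce values are constructed.

```python
import hashlib
import re
import secrets

REALM = "intranet.example"  # constructed realm name

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

# Server-side store: only HA1 = MD5(user:realm:password) is kept, never the
# plaintext password. One constructed sample account.
USER_DB = {"alice": md5_hex(f"alice:{REALM}:correct horse")}

def parse_digest_header(header: str) -> dict:
    """Parse an RFC 2617 'Digest k="v", k2=v2, ...' Authorization header."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest authorization header")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params

def client_response(user, password, method, uri, nonce, nc, cnonce) -> str:
    """What a browser sends back to the challenge: hashes, not the password."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    resp = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

class DigestVerifier:
    """Server side: issues nonces, verifies responses, rejects replays."""

    def __init__(self):
        self.nonces = {}  # nonce -> highest nonce-count (nc) accepted so far

    def new_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method: str, uri: str, header: str) -> bool:
        p = parse_digest_header(header)
        required = {"username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"}
        if not required.issubset(p):
            return False
        if p["realm"] != REALM or p["uri"] != uri or p["qop"] != "auth":
            return False
        if p["nonce"] not in self.nonces:      # unknown or expired nonce
            return False
        nc = int(p["nc"], 16)
        if nc <= self.nonces[p["nonce"]]:      # replayed nonce-count
            return False
        ha1 = USER_DB.get(p["username"])
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
        if not secrets.compare_digest(expected, p["response"]):
            return False
        self.nonces[p["nonce"]] = nc
        return True

def demo():
    """One good request, one replay of it, one wrong password."""
    v = DigestVerifier()
    nonce = v.new_nonce()
    good = client_response("alice", "correct horse", "GET", "/reports/", nonce, "00000001", "0a4f113b")
    ok = v.verify("GET", "/reports/", good)
    replayed = v.verify("GET", "/reports/", good)
    wrong = client_response("alice", "wrong", "GET", "/reports/", nonce, "00000002", "0a4f113b")
    bad = v.verify("GET", "/reports/", wrong)
    return ok, replayed, bad, "correct horse" in good

if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The final element of the tuple confirms that the password string never appears in what crosses the wire; only the nonce-bound hash does.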


Web Application Protection

IIS 5.1 offers improved protection and reliability for Web-based applications. IIS runs all of the client- and server-side applications in a common or pooled process that is separate from the other (sensitive) central IIS processes. In this way, the operation of the Web-based application is not tied to the operation of the components of the server itself. Therefore, disruptions in the operations of a custom-made Web application will not corrupt or interfere with the operation of the core IIS services. As an additional precaution, it is possible to run certain applications in memory locations entirely separate from the core IIS processes and the other Web-based applications in use.

Microsoft Active Directory Service Interfaces (ADSI 2.0)

The Active Directory directory service in server versions of Windows 2000 is used to store and manage comprehensive information about the domain’s network resources. By providing a centralized store for information, network management—the process of locating and managing resources—is greatly simplified. Active Directory also makes it easier for applications to access current information about the network, and it simplifies the process of developing applications that need such resources.

You can learn more about Active Directory and Windows domains in Chapter 11, “Understanding Domain Connectivity.”

To facilitate the access of information stored in Active Directory, ADSI was developed. ADSI is a directory service model that allows compliant client applications to access a wide variety of directory protocols including Active Directory and Lightweight Directory Access Protocol (LDAP) while using a standard set of interfaces. ADSI saves the developer the hassle of having to worry about interfacing with these various directory protocols. The ADSI provider has an interface that applications can connect to in order to obtain needed information.

In IIS 5.1, administrators and program developers can add custom objects, properties, and methods to the existing ADSI provider that allows access to the metabase. This extensibility gives system administrators great flexibility in configuring their sites.

HTTP 1.1

IIS 5.0 and 5.1 fully comply with the HTTP 1.1 standard. Both versions include features such as PUT and DELETE commands, HTTP error message customization, and support for custom HTTP headers. (Most of these features, however, are not new to the 5.x versions of IIS.)

Host Headers

With support for host headers, it is now possible to host multiple sites under a single IP address. For example, www.microsoft.com and www.hotmail.com can both be hosted on a single IP address that resides on a Windows 2000 server. This multihost functionality is very useful when it is impractical or not cost-effective to maintain more than a single IP address. Additionally, large Internet providers can leverage existing IP addresses to provide services to a larger number of clients. This feature is one of the components not present in IIS 5.1 as included in Windows XP Professional.
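The mechanism behind host headers is the HTTP/1.1 Host header: the server reads it from each request and selects the site to serve. The following is an added example of that dispatch step written from scratch, not IIS's own code; the host-to-site mapping and the sample requests are constructed, and the choice to refuse unknown host names rather than fall back to another site is a defensive design decision, not something the book prescribes.

```python
# Constructed host-name-to-site mapping (example only, not IIS's metabase)
SITES = {
    "www.example.com": "/sites/corp",
    "intranet.example.com": "/sites/intranet",
}
DEFAULT_SITE = "www.example.com"  # used only for HTTP/1.0 clients that send no Host

def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Keep every occurrence so duplicate Host headers can be detected.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, version, headers

def route(raw: bytes):
    """Return (status, document_root): which site this request is served from."""
    method, target, version, headers = parse_request(raw)
    hosts = headers.get("host", [])
    if version == "HTTP/1.1" and len(hosts) != 1:
        return 400, None  # HTTP/1.1 requires exactly one Host header (RFC 2616)
    if target.lower().startswith("http://"):
        # Absolute request-URI: its host part takes precedence over the header.
        host = target[len("http://"):].split("/", 1)[0]
    elif hosts:
        host = hosts[0]
    else:
        host = DEFAULT_SITE  # HTTP/1.0 clients may legitimately omit Host
    host = host.split(":", 1)[0].lower()  # drop :port; names are case-insensitive
    root = SITES.get(host)
    if root is None:
        return 404, None  # unknown host: refuse rather than silently serve another site
    return 200, root

if __name__ == "__main__":
    # Two sites, one IP address: the same listener serves different roots.
    print(route(b"GET /index.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    print(route(b"GET /index.htm HTTP/1.1\r\nHost: intranet.example.com:8080\r\n\r\n"))
    print(route(b"GET /index.htm HTTP/1.1\r\n\r\n"))  # missing Host -> 400
```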

Additional Supported Features

Web Distributed Authoring and Versioning (WebDAV) is a new feature in IIS 5.x. WebDAV allows remotely located, Web page content authors to perform a wide range of content editing from anywhere on the Internet. Content builders can create, move, or delete files, modify file properties, and manage directories on a remote server over an HTTP-based connection.


To ensure a full suite of Internet-enabled functions, IIS includes an Internet mail and news server. Both of these components use Internet-standard protocols—SMTP for e-mail and Network News Transfer Protocol (NNTP) for news—to ensure maximum compatibility of the services.

FTP remains a very popular service among Internet users and content providers. It allows the transfer of files in a very efficient manner, often providing the best method for balancing the need to move large volumes of data with the need to maximize available bandwidth. One of the most useful features of FTP is the FTP restart feature. FTP restart allows a user to resume a file download in the event that the download is cancelled prematurely. Instead of having to begin the file transfer at the beginning of the file, the user can start where the interruption occurred and just download the remaining portions of the file.

HTTP compression is provided to aid in the transmission of content between the server and compression-enabled clients. This process takes the form of compressing and storing static files as well as performing compression of dynamic content on an as-needed basis.

tip Using IIS Without Sacrificing Security

IIS, like most Web servers on the market, is an extremely common target for security attacks due to its ubiquity (it’s been shipped with nearly every version of Windows for years) and its past reputation for having a number of security vulnerabilities.

Many of the features previously listed can increase the risk of a successful attack on your Windows XP installation. Before installing and configuring IIS, make sure you read “Securing IIS,” page 577.

Preview of IIS Version 6.0

Under development at the time of this writing, IIS 6.0 promises to considerably enhance the performance of IIS 5.1. One of the primary improvements is in the scope and scale of process isolation, which is the manner in which one process (whether operating normally or failing miserably) is kept from adversely affecting other processes. Basically, this keeps something like a newly developed Web application from unexpectedly crashing the Web server service.

Another operational improvement is the worker process isolation mode. This mode essentially means that all of the individual pieces of application code are run in isolated spaces. This is done in a manner that avoids the performance impacts of isolating services presently in IIS 5.0 and 5.1. The value of this feature is obvious; it further reduces
