
Microsoft Windows XP Networking Inside Out


Part 2: Internet Networking

Chapter 9: Using Internet Information Services

the possibilities of any kind of service disruption should one of the custom-built components, such as an ASP script, fail. Not only is systemwide disruption avoided, but should a group of custom processes have a single member that fails, the entire group can be kept in a functioning state while the defective component is restarted or replaced. Because all of the processes are running in isolated spaces, each can be given its own priority, and operating system-level features such as CPU throttling can be managed on a per application basis.

The Web Administration Service (WAS) is new in version 6.0. It plays a number of important roles in IIS 6.0, including:

Process health monitoring. WAS keeps tabs on the status of client processes. By keeping in constant communication with the client processes, WAS is instantly aware of any client services that stop responding. If one of these processes fails to respond, WAS generates a duplicate process (to ensure continuity of services), and then restarts the failing service.

Idle timeout. If a process is idle for a specified amount of time (configured by an administrator), the process can send a request for permission to shut down. This design element has been added to ensure that system resources are not unnecessarily used. (Administrators can also configure the system to never shut down processes, no matter how long they are idle.)

Rapid-fail protection. When a client process fails, it ceases communication with the WAS process. Typically, the WAS process logs the error, and then restarts the process. New to IIS 6.0 is the capability of WAS to automatically disable processes that repeatedly fail.

Orphaning worker processes. WAS can be configured to orphan a worker process if the process is deemed to be terminally ill. A terminally ill process fails to respond to inquiries by the WAS service for a predetermined period of time. Under normal (non-orphan) conditions, the WAS service will terminate nonresponsive processes, and then start a replacement service.

In the orphan scenario, WAS does not terminate the failing service, but instead leaves the process running and starts a new process to replace the functionality of the failing process. The orphaned process can then be debugged to determine why it failed while the replacement process maintains Web availability.

Recycling worker processes. In IIS 6.0, worker process isolation mode can be configured to restart client processes periodically to manage faulty applications. Periodic recycling can be advantageous when an application is known to leak memory, have coding errors, or suffer from other unsolved problems that cause it to fail after running for an extended period of time. No portion of the IIS server needs to be restarted; instead, the individual defective process is recycled. This recycling is a shutdown and restart of the process. There are a variety of configurable criteria that are used to determine when a process is recycled. Some of these criteria include daily schedules (same time each day), elapsed time since last recycle, and so forth.
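The health monitoring, rapid-fail protection, and orphaning behavior described above can be modeled in a few lines. This is an added example, not code from the book or from IIS; the class name, the failure threshold, and the time window are assumptions chosen for illustration.

```python
from collections import deque


class PoolSupervisor:
    """Toy model of the WAS decisions described above for one worker process.

    max_failures and window_s are assumed values, not settings from the book.
    """

    def __init__(self, max_failures=5, window_s=300.0, orphan=False):
        self.max_failures = max_failures
        self.window_s = window_s
        self.orphan = orphan          # keep failed workers alive for debugging
        self.disabled = False         # set by rapid-fail protection
        self.orphans = []             # pids left running for a debugger
        self.log = []                 # (time, pid, action) error log entries
        self._failures = deque()      # timestamps of recent failures
        self._next_pid = 1
        self.active = self._spawn()

    def _spawn(self):
        pid, self._next_pid = self._next_pid, self._next_pid + 1
        return pid

    def on_missed_ping(self, now):
        """The active worker stopped answering health checks at time `now` (s)."""
        if self.disabled:
            return "disabled"
        failed = self.active
        if self.orphan:
            self.orphans.append(failed)
        # Forget failures that fell out of the sliding window, then count this one.
        while self._failures and now - self._failures[0] > self.window_s:
            self._failures.popleft()
        self._failures.append(now)
        if len(self._failures) >= self.max_failures:
            self.disabled, self.active = True, None
            action = "disabled"
        else:
            self.active = self._spawn()
            action = "orphaned+replaced" if self.orphan else "terminated+replaced"
        self.log.append((now, failed, action))
        return action


def replay(failure_times, **settings):
    """Feed constructed failure timestamps to a supervisor; return its actions."""
    sup = PoolSupervisor(**settings)
    return [sup.on_missed_ping(t) for t in failure_times], sup
```

Replaying closely spaced failures shows the process being disabled instead of restarted indefinitely, while widely spaced failures only ever trigger a replacement.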

Besides these features, you can expect to see additional key improvements in IIS 6.0, such as security. Because it is not possible to predict how every new security vulnerability will manifest itself, the security development component of IIS 6.0 is focused on locking out the commonly exploitable components and minimizing the impact of any new attacks.

One of the major components of this new security approach is the development of the IIS Lockdown Wizard. This tool provides an easy-to-use interface for setting IIS server security to match the needs of the organization. Out of the box, IIS is configured to deliver static content only. To use any of the dynamic features (such as ASP and FrontPage Server Extensions), administrators will have to deliberately enable them.

Installing IIS

To use IIS on Windows XP Professional, it must first be installed.

Note: This is a change from earlier versions of Windows, which automatically installed IIS. This automatic installation resulted in a number of poorly maintained Web servers across the Internet, making them ripe for exploitation by hackers.

To install and run IIS, follow these steps:

1. Choose Start, Settings, Control Panel, and open Add Or Remove Programs.

2. In the Add Or Remove Programs window, click the Add/Remove Windows Components button.

3. The Windows Components Wizard appears. XP Setup appears. In the Components list, select the Internet Information Services (IIS) check box, as shown in Figure 9-1 on the next page.

4. Click the Details button. You see a list of the services that will be installed, all of which are selected by default with the exception of the File Transfer Protocol (FTP) Service and the Scripts Virtual Directory component of the World Wide Web Service component. You can clear the check boxes for specific services, such as SMTP Virtual Server, if you know you are not going to use them. Make any necessary decisions and click OK.

5. Click Next. Windows XP Setup installs IIS.


Figure 9-1. IIS is not installed by default, but you can choose to install it using the Windows Components Wizard.

Once these steps have been completed, you can begin configuring the individual IIS services, such as Web and FTP. If you decide to remove any of the components of IIS at a later date, simply repeat the preceding steps and clear the check boxes for any components you want to remove.

Configuring IIS Services

IIS provides a full suite of Web hosting, FTP, SMTP, and related services you can configure. Specifically, the IIS implementation included with Windows XP Professional provides Web server (HTTP), FTP, and SMTP services.

On a full-featured IIS installation, IIS supports the use of multiple Web sites. This allows individual applications or Web sites to be split apart, using different configuration settings, ISAPI tools, and even different server IP addresses and domain names. On Windows XP Professional, you can only use one Web site; however, IIS preserves the distinction between server-wide and site-wide configuration options to allow you to easily move your Web site or Web application to a server edition of IIS.

Configuring Global Web Site Properties

The HTTP server included with IIS is currently one of the most widely used Web server engines. An HTTP server responds to the HTTP requests made by Web browser client software, transferring Web page content to those clients using the same protocol. The IIS MMC snap-in allows the user to configure a wide range of options. To access the HTTP server global Web site properties and an explanation of each option, follow these steps:


1. Choose Start, Settings, Control Panel, and then open Administrative Tools.

2. In the list of administrative tools, locate Computer Management, and double-click to open the Computer Management Microsoft Management Console (MMC).

3. Under Computer Management in the left pane of the console, click once on the plus symbol next to Services And Applications, and then click once on the plus symbol next to Internet Information Services, as shown in Figure 9-2.

Figure 9-2. The Computer Management MMC lets you administer several important aspects of Windows XP including IIS.

4. Under Internet Information Services, right-click Web Sites, and then choose Properties on the shortcut menu that appears. The Web Sites Properties dialog box appears, as shown in Figure 9-3.

Figure 9-3. The ISAPI Filters tab of the Web Sites Properties dialog box lets you add and configure ISAPI applications.


The following sections explore the configuration options for the default Web site properties.

Configuring ISAPI Filters

The Web Site Properties dialog box opens to the ISAPI Filters tab as the default tab, as shown in Figure 9-3. An ISAPI filter is a program that responds to certain events that occur during the processing of an HTTP request. It can modify an incoming request, return custom results, or add completely new functionality to IIS. ISAPI filters are many in number and diverse in function. Basically, they are used to add new functionality and improve various supported features, such as user authentication.

A list of installed ISAPI filters is shown on this tab. Depending on when IIS was installed, whether it has been previously used, or whether it has been upgraded from an earlier version of IIS (as might occur when upgrading from Windows 2000 Professional to Windows XP Professional), the list of installed filters might vary slightly. Although the names of the default filters can be a challenge to decode, some of the default filters you might see are Md5filt (supports MD5 authentication) and Compression.

The Add button enables you to add additional ISAPI filters. In the event that existing filters are not needed, select the filter, and then click the Remove button. The Edit button enables you to configure the name and filter location for the selected filter. Should a new filter be added, it can be enabled (made active) by clicking the Enable button. In addition, the order in which ISAPI filters are applied to HTTP requests can be changed by selecting a given filter and clicking the up arrow or down arrow button on the left side of the ISAPI Filters tab.

Home Directory

The Home Directory tab, shown in Figure 9-4, contains several options. Note that the upper section, When Connecting To This Resource, The Content Should Come From, is disabled at the global level; this is because Web content must be placed in an actual Web site. To set the location of files for the single Web site permitted under Windows XP Professional, see “Configuring Individual (Default) Web Site Properties,” page 269.

Although it is not possible to configure a global source of Web site content, it is possible to configure global access options. The check boxes in the middle of this tab control directory browsing and read and write access. Additionally, there are options to enable or disable logging (enabled by default) and for indexing the source files for the Web site. If indexing is enabled, the indexing service will create a table of the stored resources that will be used to speed up access times. This feature is also enabled by default.


Figure 9-4. The Home Directory tab contains standard directory settings and advanced configuration options for the directory.

Other configurable options on the Home Directory tab of the Web Site Properties dialog box are in the Application Settings section. In this case, the options are accessed by clicking the Configuration button. The Application Configuration dialog box that opens has six tabs for configuring custom applications. The default Mappings tab is shown in Figure 9-5. This tab allows custom mapping of Web files according to their file extensions (.asp, .shtml, and so forth) to the applications that should execute them. This tab enables you to map new file extensions to applications and to edit or remove existing extensions. The single check box present on this tab enables or disables the caching of the ISAPI applications. By default, the caching is enabled.


Figure 9-5. The Mappings tab determines how extensions are mapped to applications.


The Options tab, shown in Figure 9-6, lets you enable session state in ASP applications, which can help to identify a unique user as the user moves through the Web application. The Session Timeout interval ends a Web session if the user has not sent any HTTP requests to the site during the specified period.

Of the other options available on this tab, the Default ASP Language and ASP Script Timeout settings are of the most interest. Default ASP Language specifies the scripting language that the server is expecting ASP scripts to be constructed with. By default, ASP applications can be written in VBScript or JScript; additional scripting engines can be installed on the server (a topic beyond the scope of this chapter) to allow other scripting languages to be used as the default ASP language. The name entered in this text box (VBScript by default) must match the name used by the custom scripting engine exactly. (Other languages can be used within ASP scripts by specifying the language in the ASP page.)


Figure 9-6. The Options tab provides the default settings for application timeouts and language options.

The Debugging tab enables you to set up client- and server-side script debugging. In the Script Error Messages section of this tab, you can choose Send Detailed ASP Error Messages To Client, which will send detailed error messages when a requested ASP page cannot be processed. Or you can choose Send Text Error Message To Client, which sends a single message for all error types. If you choose the latter option, you can type the text of the error message in the box below the option.

The Cache Options tab, shown in Figure 9-7, controls ASP file caching to both a disk cache directory and to memory. You can disable caching entirely, cache all ASP files to the directory cache, or cache a limited number of the files to the directory cache. If you choose either of the cache options, you can independently specify a maximum number of files to cache in memory.


Figure 9-7. Manage the ASP file cache on the Cache Options tab.

On the Process Options tab, you can enable the logging of failed client requests. This is particularly useful if you’re troubleshooting client connection problems. You can also configure the logging of debugging exceptions that occur. In addition, you can set a timeout interval for CGI scripts.

Documents

If you return to the Web Sites Properties dialog box and select the Documents tab, shown in Figure 9-8, the Enable Default Document section lets you configure the default documents. When a client browses to your Web site without specifying a particular page on your site (for example, if the client browses to http://www.microsoft.com/windows/ instead of http://www.microsoft.com/windows/index.html), the home page that is delivered to the client will be one of the files you specify in this list. IIS serves these files in the order listed, from top to bottom, stopping after it serves the first of these files that it locates on your Web site. Use the up arrow and down arrow buttons to the left of the list to change the order in which IIS searches for the file to serve to clients visiting your site. You can also use the Add and Remove buttons to add a page with another name or to remove pages that don’t exist on your site. The Enable Document Footer section, if enabled, lets you designate the location of a file that will be appended to the bottom of all the Web pages served on your site. This footer might include your company logo, a copyright message, or contact information.

Figure 9-8. Manage how the default documents are served to clients on the Documents tab.

Directory Security

The Directory Security tab of the Web Sites Properties dialog box, shown in Figure 9-9, only includes one section that is usable with Windows XP Professional (as a global setting, that is), the Anonymous Access And Authentication Control settings.

Figure 9-9. Manage directory security from this tab.

To enable and configure anonymous access to your Web site, click the Edit button, which opens the Authentication Methods dialog box shown in Figure 9-10. If the Anonymous Access section check box is selected (as it is by default), these options allow the configuration of an account to use for anonymous user access.

The Authenticated Access section contains two options for users of Windows XP Professional: Basic Authentication and Integrated Windows Authentication. The default setting is Integrated Windows Authentication, and this setting should be left as is unless compatibility issues require selecting Basic Authentication. When Basic authentication is used, any authentication information (user names and passwords) is sent as clear text. An unscrupulous person could use a tool such as a packet sniffer to obtain unprotected user names and passwords that are passed using the Basic authentication method. Integrated Windows authentication does not pass unencrypted user names or passwords over the network, but it requires all clients to use Microsoft Internet Explorer to access your Web site. This effectively limits this method to an intranet on which all the clients use Internet Explorer for access.

Figure 9-10. Manage the way users are authenticated with the Authentication Methods dialog box.
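The following added example (not from the book) shows why Basic authentication counts as clear text: the Authorization header is only Base64-encoded, so a review of captured requests can tell which accounts were exposed on an unencrypted connection. The function names, host name, and sample requests are constructed for illustration.

```python
import base64
import binascii


def audit_request(raw_request, over_tls):
    """Report the authentication scheme of one HTTP request and whether the
    credentials in it were readable on the wire."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    scheme, _, token = headers.get("authorization", "").partition(" ")
    finding = {"scheme": scheme or None, "user": None, "exposed": False}
    if scheme.lower() != "basic":
        return finding                           # e.g. Negotiate/NTLM: no password sent

    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        finding["scheme"] = "Basic (malformed)"
        return finding

    # Basic credentials are "user:password"; Base64 is an encoding, not encryption.
    user, _, password = decoded.decode("utf-8", "replace").partition(":")
    finding["user"] = user
    finding["password_length"] = len(password)   # report length only, not the secret
    finding["exposed"] = not over_tls            # readable by anyone on the path
    return finding


def sample_request(auth_value):
    # Constructed sample request; host and path are placeholders.
    return ("GET /reports/ HTTP/1.1\r\n"
            "Host: intranet.example\r\n"
            f"Authorization: {auth_value}\r\n\r\n")


# Constructed inputs: one Basic request and one Integrated Windows (Negotiate) request.
BASIC_REQ = sample_request("Basic " + base64.b64encode(b"alice:S3cret!").decode("ascii"))
INTEGRATED_REQ = sample_request("Negotiate T1BBUVVFLVRPS0VO")  # opaque token placeholder
```

The same Basic request is reported as not exposed when `over_tls` is true, which is why Basic authentication is normally paired with SSL/TLS when compatibility requires it.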

For more information on IIS security options, see “Securing IIS,” page 577.

HTTP Headers

The HTTP Headers tab, shown in Figure 9-11 on the next page, presents four sections of configurable options: Enable Content Expiration, Custom HTTP Headers, Content Rating, and MIME Map, all of which control the contents of the headers of the HTML pages sent to clients browsing your Web site.

The Enable Content Expiration section is used to keep time-sensitive information current for clients using that information. After selecting Enable Content Expiration, select Expire Immediately, Expire After (and a time interval), or Expire On (and a date and time). These options can ensure that content relating to one-time events, for example, will expire after the date they relate to passes. If the client requests a page and the expiration time has passed, the cached page is not served, but rather the server is requested for an (ostensibly) updated page.
