
Microsoft Windows XP Networking Inside Out
Part 2: Internet Networking
Chapter 9: Using Internet Information Services
Figure 9-11. Content expiration, custom HTTP headers, content ratings, and MIME types are all configured on the HTTP Headers tab.
The Custom HTTP Headers section adds considerable flexibility. This option is used to send a custom HTTP header from the IIS Web server in the page requested by the client. A custom header is used to send custom formatting and/or operational instructions that are not supported in the HTTP specification. Because the HTTP standards are not static, it was necessary to develop a method for implementing new features that would arise between releases of IIS as well as maintain the ability to develop new headers for use with custom applications. To create a new HTTP header, click the Add button, and enter the name and value for the custom header. Repeat this procedure for each custom header you want to add. After adding one or more custom headers, you can also edit their properties or remove them by selecting a header and clicking Edit or Remove.
Clicking Edit Ratings in the Content Rating section opens the Content Ratings dialog box. Content ratings are descriptive HTTP headers that are intended to identify the kind of content hosted on a Web site. Various Web browsers can use this header information to enable content filtering. The user of a compliant browser such as Internet Explorer can set the threshold for the kind of content the user wants to have blocked. This feature only works if the Web site being accessed has encoded its own ratings in its HTTP headers. You can embed your Web pages with content rating information by contacting a rating service to help you evaluate your Web content (select the Rating Service tab in the Content Ratings dialog box), and then rating your own site (select the Ratings tab, and set the ratings for your site’s content).
The MIME Map section of the HTTP Headers tab contains the Multipurpose Internet Mail Extensions (MIME) configuration options. These mappings identify the types of Web content associated with the given MIME information, such as file extensions. There are a wide range of standard MIME types included with IIS, and this option allows the administrator to add to those types if needed. Configuring these MIME types allows the server to properly tell the browser which type of file is being transferred, so that the browser can then handle the file properly. By default, IIS uses the same MIME type mappings that are registered with Windows XP.
Custom Errors
The Custom Errors tab allows the user to configure customized error messages to replace the default messages provided by IIS. IIS contains many default error messages that are displayed to clients when problems occur. To create your own messages using this option, select a message you want to customize from the list, click Edit Properties, and then specify the file or URL containing your custom message.
Configuring Individual (Default) Web Site Properties
In addition to setting global Web site properties, you can also configure the properties for an individual Web site permitted by IIS running on Windows XP Professional. Some of these properties are redundant on Windows XP Professional (because only one Web site can be configured), but other options are available only on the site level and are preserved in this fashion to maintain compatibility with the server editions of IIS. To access the specific properties for a Web site hosted on Windows XP Professional, click the plus sign next to Web Sites in the left pane of the Computer Management console. Then right-click Default Web Site in the left pane, and click Properties on the shortcut menu that appears to open the Default Web Site Properties dialog box. The options available are specific to the individual Web site. You configure those options using the eight tabs of the Default Web Site Properties dialog box described in the following sections.
Web Site
The Web Site tab, shown in Figure 9-12 on the next page, allows for the configuration of several options. The Web Site Identification section lets you configure the Description (name), IP Address (individual or all unassigned), and the TCP Port to use for Web site communications. IIS will examine incoming Web requests and can use the site name to determine content delivery decisions. When you click the Advanced button, the Advanced Multiple Web Site Configuration dialog box opens. The set of options made available with this tool allows you to define multiple IP addresses and ports for the Web site’s use.
This feature lingers from the HTTP 1.0 days, when the HTTP standard lacked Host Headers, and each virtual site on an IIS server had to be mapped to its own IP address. This feature is also useful if the Web server is connected to multiple networks because it will allow users on each of the attached networks to connect to the same Web site using the server IP address that is local to that network.
Figure 9-12. The Default Web Site Properties dialog box allows you to configure the basic properties of the default IIS Web site.
In the Connections section, selecting HTTP Keep-Alives Enabled allows clients to keep a constant connection with your Web server rather than negotiating a new connection each time additional resources or new pages are requested. This option is enabled by default and reduces the load on the server and the network. Disabling this option is not recommended. Use the Connection Timeout box to specify how many seconds of inactivity can elapse before a client is disconnected. Disconnecting inactive clients frees up connections for new clients that might otherwise not be able to access your site because of the 10-connection limit in Windows XP Professional.
The Enable Logging option, when enabled, tracks client connection information and can be used to help solve various connectivity issues. Log files can also be used to track what users access on your Web site and can aid in security audits.
The proper use of Web site logs is critical to securing your IIS installation. For more information, see “Securing IIS,” page 577, and “Examining Log Files,” page 582.
ISAPI Filters
When the focus is at the individual Web site level, there are no ISAPI filters installed by default in the list on the ISAPI Filters tab. Because the ISAPI filters installed in this list will only apply to this Web site, it would seem as though there would be no particular reason to install filters at this level when working with IIS 5.1 and Windows XP Professional; however, to maintain compatibility and ease when moving applications between Windows XP Professional and Windows server editions, you can install individual site-specific ISAPI filters on the default site for development purposes.
Home Directory
At the level of the individual Web site, the location of the HTTP source files can be specified. The location of the source files can be on the computer hosting the server or in a shared directory on another network computer, or the source target can be redirected to another URL. The remaining options change according to which of these three options is selected. Most commonly, a local drive is used to host the Web site. Then, by selecting or clearing the check boxes in the middle of this tab, you can enable or disable access to script source files, directory browsing, and read and write access. Additionally, there are options to enable or disable logging and for indexing the source files for the Web site.
Unlike the global Web site settings, there are a range of application settings available at the Web site level. These options let you configure the default application behavior. This includes setting Execute Permissions to establish the level of execution privileges afforded clients. You can also set Application Protection to determine whether applications are pooled for efficiency or isolated to protect faulty applications from bringing down the Web server. You can choose High (individual processes are isolated from IIS and from one another) to run each script or application in a separate resource space, Medium to run the IIS processes in one memory space and to pool all applications in another memory space, or Low to run all applications in the same resource space as the IIS processes.
Documents
The Documents tab contains two options. Enable Default Document, if selected, specifies a list of default documents the Web server will return when a Web browser does not specify a particular document (for example, if http://www.microsoft.com/windows/ is specified instead of http://www.microsoft.com/windows/index.html). Clients requesting a default document will be served the first file in the list that is found on the Web site. Adjust the order of the documents by selecting documents and clicking the up arrow and down arrow buttons. You can also add new documents and remove unused documents.
Directory Security
The Directory Security tab contains two sections that are available to Windows XP Professional users: Anonymous Access And Authentication Control and Secure Communications. To enable and configure anonymous access, click the Edit button to open the Authentication Methods dialog box. These options are the same as those found on the Directory Security tab of the global Web Site Properties dialog box discussed earlier in this chapter.
HTTP Headers and Custom Errors
The HTTP Headers and Custom Errors tabs contain identical options to those listed in the Web Site Properties dialog box.
Server Extensions
There are three general groups of settings on the Server Extensions tab, shown in Figure 9-13. If you don’t see any options and you receive a message that the server has not been configured, follow these steps:
1. Return to the Computer Management console, and right-click Default Web Site.
2. On the shortcut menu that appears, point to All Tasks, and choose Configure Server Extensions.
3. Complete the Server Extensions Configuration Wizard. You can accept most of the default values. On the Mail Server page, when asked to configure your mail server settings now, click No, and then click Finish.
4. When the wizard closes and returns you to the Computer Management console, open the Action menu and choose Refresh.
5. Right-click Default Web Site again, choose Properties, and select the Server Extensions tab, which should now appear with its options.
If you don’t see these options in your installation of IIS, you might need to apply the latest IIS updates. Maintaining a properly updated IIS installation is also critical to securing your Windows XP installation, as discussed in “Securing IIS,” page 577.
Figure 9-13. Configure Web site authoring access on the Server Extensions tab.
The Enable Authoring section allows users who possess the correct credentials to remotely edit and publish Web content. If you enable authoring, you can also specify version control, performance, and client scripting options.
The Options section lets you specify how e-mail is sent to users of your site who want to contact you or who need responses to forms they fill in on your site. Additionally, you can specify the encoding you want to use for the mail you send and the character set for your language.
The Don’t Inherit Security Settings option, if enabled, lets you change security settings for this site without regard to the security settings of the global Web server.
Configuring FTP Services
FTP remains a popular online protocol for transferring files. IIS in Windows XP provides FTP services so that users can access online directories and download and upload files. If you need to set up FTP services on Windows XP Professional, the following sections review the configuration options available to you.
If all of your users are running Windows 2000 and Internet Explorer 5 or later, you can use Web Distributed Authoring and Versioning (WebDAV) instead of FTP. See “Using WebDAV,” page 276, for more details.
Configuring Global FTP Server Properties
Like Web site properties, the global FTP server properties are available by using the Computer Management console, or you can open the IIS console (or snap-in) found in your Administrative Tools folder.
Note: If you do not see FTP Sites listed in the IIS snap-in or in the Computer Management console, you need to install the FTP Service. Follow the instructions for installing IIS in “Installing IIS,” page 259. Click the Details button in step 4, and select File Transfer Protocol to add the service.
In the IIS snap-in or in the Computer Management console, right-click FTP Sites, and then choose Properties to open the global FTP Sites Properties dialog box. You will find three simple tabs to configure your FTP options.
On the Security Accounts tab, shown in Figure 9-14 on the next page, you can choose the account to use for anonymous access by selecting the Allow Anonymous Connections check box. Additionally, you can choose Allow Only Anonymous Connections so that users can only log on with the privileges associated with the anonymous user account, not a user name and password that might have administrative permissions.
Caution: As discussed in “Securing IIS,” page 577, allowing anonymous FTP on any system is considered an invitation to disaster by most security experts. Use this option only if you are extremely vigilant in maintaining IIS patches and examining log files or if you only intend to use it briefly.
The FTP Site Operators section of the Security Accounts tab allows the addition or removal of accounts designated as Site Operators. However, in this implementation of IIS, only members of the Administrators group are allowed this level of access.
Figure 9-14. Use the Security Accounts tab to configure FTP access permissions.
The Messages tab lets you configure a variety of messages. The text you type in the Banner Message box is the note displayed to clients when they initially connect. This often takes the form of an official notice such as “Authorized Users Only.” The text you type in the Welcome box is the next message clients see. This is most often a more informational note to connected clients after they have been authenticated on the server. The text you enter in the Exit box is delivered to clients when they close their connection to the FTP server. Also available is the Maximum Connections box. In this box, you can type a message that is delivered when the maximum number of users allowed to connect to the FTP server has been reached, and the client attempting to connect must be turned away until more connections become available.
The Home Directory tab contains relatively few options. The Read, Write, and Log Visits options can be enabled or disabled to determine whether users can download or upload files to the enabled directory and whether their visits will be logged. You can also set the Directory Listing Style option to UNIX or MS-DOS. This option affects the way the list of files and folders is displayed to FTP clients. The default setting for this option is MS-DOS.
Configuring Individual (Default) FTP Site Properties
The individual FTP Sites properties are accessed by clicking the plus sign next to FTP Sites in the Computer Management console or the IIS snap-in, and then right-clicking Default FTP Site. Click Properties to open the Default FTP Site Properties dialog box. You will see the same tabs as displayed in the global FTP Sites Properties dialog box, along with one additional tab, FTP Site.
The FTP Site tab, shown in Figure 9-15, lets you configure the FTP site’s identification, connection settings, and logging information. The Identification section contains the Description box for entering a name for the site, an IP Address box if you want to route a specific IP address to the FTP server, and a TCP Port box if you want to specify a different port for the server.
The Connection section lets you set connections for the FTP Service. With IIS version 5.1 running on Windows XP Professional, the HTTP and FTP servers are limited to a maximum of 10 simultaneous connections. Any attempt to set the number of simultaneous connections to a value greater than 10 will result in a licensing warning message. However, you might want to set this to a value lower than 10 so that you can reserve connections for the Web service that might otherwise be consumed by those accessing the FTP Service. You can also set the Connection Timeout value so that inactive users are disconnected after the specified interval to free up connections to others who might be waiting to gain access.
The Enable Logging option, if selected, logs the activities of those accessing your FTP server. You can also choose the format of the log file and its location. (As with the HTTP server, proper use and examination of these logs is critical to server security.) Also, the Current Sessions button can be clicked to reveal the users that are currently attached to the FTP server.
Figure 9-15. Use the FTP Site tab to configure identification, connection, and logging information.
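An added example, not from the book: a short Python audit of an FTP log for the case the earlier caution is about, write activity inside anonymous sessions when Enable Logging is on. It assumes the log is in W3C Extended format and that cs-method carries a bracketed session number followed by the command; the log lines are constructed and the function names are illustrative.

```python
import re

# Constructed sample log (not from a real server), W3C Extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2002-03-01 09:00:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:00:01 192.0.2.10 [1]USER anonymous 331
09:00:02 192.0.2.10 [1]PASS guest@example.test 230
09:00:09 192.0.2.10 [1]created /incoming/a.zip 226
09:00:15 192.0.2.10 [1]QUIT - 226
09:01:00 192.0.2.20 [2]USER alice 331
09:01:01 192.0.2.20 [2]PASS - 230
09:01:07 192.0.2.20 [2]created /site/index.htm 226
09:02:00 192.0.2.30 [3]USER anonymous 331
09:02:01 192.0.2.30 [3]PASS x@example.test 230
09:02:05 192.0.2.30 [3]sent /pub/readme.txt 226
09:02:30 192.0.2.30 [3]DELE /pub/readme.txt 550
"""

# Assumption: uploads may appear as "created" or as the raw FTP verb.
WRITE_VERBS = {"created", "stor", "appe", "dele", "mkd", "rmd", "rnto"}
ANON_NAMES = {"anonymous", "ftp"}
METHOD_RE = re.compile(r"^\[(\d+)\](\S+)$")  # "[session]COMMAND"


def parse_w3c(text):
    """Yield one dict per entry, keyed by the latest #Fields directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # entry does not match the declared layout; skip it
        yield dict(zip(fields, values))


def anonymous_writes(text):
    """Return write attempts made in sessions that logged on anonymously."""
    session_user = {}  # (client ip, session id) -> user name given to USER
    findings = []
    for entry in parse_w3c(text):
        match = METHOD_RE.match(entry.get("cs-method", ""))
        if not match:
            continue
        key = (entry.get("c-ip"), match.group(1))
        verb = match.group(2)
        if verb.upper() == "USER":
            session_user[key] = entry.get("cs-uri-stem", "").lower()
        elif verb.lower() in WRITE_VERBS and session_user.get(key) in ANON_NAMES:
            status = int(entry.get("sc-status", "0"))
            findings.append({
                "ip": key[0],
                "verb": verb,
                "path": entry.get("cs-uri-stem"),
                "status": status,
                "succeeded": 200 <= status < 300,  # 2xx FTP reply = completed
            })
    return findings


if __name__ == "__main__":
    for finding in anonymous_writes(SAMPLE_LOG):
        print(finding)
```

A finding with `succeeded` set to true means the Write option on the Home Directory tab and the folder's file-system permissions both allowed the anonymous account to change content; a failed attempt is still worth reviewing as probing.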
Keeping Access Rights Straight
One of the most common frustrations for new IIS administrators is the looming specter of conflicting permissions. Imagine that you want to grant a remote user access to upload to an FTP folder, but after making the appropriate changes in the IIS console to allow write access, the user receives an “Access Denied” error when trying to copy files into the directory. The problem is likely the result of incorrectly configured file- or directory-level permissions, assuming you’re running IIS on an NTFS volume (which you should always do for security reasons).
For more information about setting access rights, see “Configuring NTFS Permissions,” page 433.
Using WebDAV
WebDAV is an HTTP 1.1 extension that allows computers running Windows 2000 and later versions (those using Internet Explorer 5 and later) to read and write files in a shared directory under IIS. Basically, users can access and manage files using a Web page just as they would using an FTP site. If all of your users are using Windows 2000 and later, you might consider using WebDAV instead of creating an FTP site—which will be less maintenance in the long run.
Setting up a WebDAV directory is easy. Follow these steps to add a directory within your default Web site for sharing files:
1. Assuming your Web site is using the default directory that IIS creates for it, the C:\Inetpub\Wwwroot directory, open Windows Explorer and create a subdirectory, such as C:\Inetpub\Wwwroot\Sharedfiles.
2. Right-click the Sharedfiles directory, and choose Sharing And Security from the shortcut menu that appears.
3. Select the Web Sharing tab, and then select Share This Folder.
Note: If you want to create a virtual directory (one located elsewhere but appearing to be a subdirectory of the default Web site), open the IIS snap-in, and right-click Default Web Site. Point to New, and click Virtual Directory to open the Virtual Directory Creation Wizard. Follow the wizard to specify an alias for the directory (the directory name the user will see, such as Sharedfiles), and then specify its actual physical location, such as D:\Webdav\Sharedfiles.
4. Once the directory is shared, right-click the directory in IIS or in the Computer Management console, and choose Properties. Select the Directory tab, and then select both Read and Directory Browsing permissions for the folder. If you want users to be able to edit files, select the Write permission as well.
Users can then access the directory through Internet Explorer and essentially work with the WebDAV folder as they would an FTP site.
Configuring SMTP Services
SMTP Services in IIS running on Windows XP Professional can be useful for providing a storehouse for SMTP mail on an intranet. The SMTP virtual server acts as a Web server, and client computers can connect to the SMTP virtual server to access mail accounts.
However, you are limited to 10 concurrent connections under Windows XP Professional.
Like Web and FTP Services, you can configure the SMTP virtual server by accessing its Properties dialog box. Open the Computer Management console or the IIS snap-in, and right-click Default SMTP Virtual Server. Click Properties to open the Default SMTP Virtual Server Properties dialog box. The following sections explore the options available on the tabs of the dialog box.
Note: If you don’t see the SMTP server entry in the left pane of IIS or Computer Management, it is probably not installed. Refer to “Installing IIS,” page 259. In step 4, select the SMTP Service check box.
General
On the General tab of the Default SMTP Virtual Server Properties dialog box, use the IP Address box to select All Unassigned or any individual IP address that the SMTP virtual server should respond to. Click the Advanced button to add multiple IP addresses and custom port numbers. You can also select Limit Number Of Connections To and specify fewer than 10 connections if you want to reserve some connections for Web or FTP connections. Like the FTP server, this option is set to 10 simultaneous users by default, but it is not limited to any number of users (or e-mail addresses). You can also choose Enable Logging to maintain a log of users who utilize the mail server.
Access
On the Access tab, there are four sections of options to configure: Access Control, Secure Communication, Connection Control, and Relay Restrictions, as shown in Figure 9-16 on the next page. The Access Control item is used to set the kinds of authentication methods that will be allowed when accessing the SMTP server. To configure this option, click the Authentication button. By default, all methods of authentication are enabled (anonymous access, Basic authentication, and Integrated Windows authentication).