
Microsoft’s web server/application server is Internet Information Services (IIS). Windows Server 2008 R2 includes IIS 7.5; Windows Server 2008 includes IIS 7.0; and Windows Server 2003 includes IIS 6.0. IIS 7.0 and 7.5 support FTP, FTPS, SMTP, and HTTP/HTTPS, while IIS 6.0 supports FTP, SMTP, and HTTP/HTTPS.


INSTALL IIS IN WINDOWS SERVER 2008 R2
To install IIS in Windows Server 2008 R2:
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In Roles Summary, click Add Roles.
3. Use the Add Roles Wizard to add the web server role.
4. To open IIS Manager, click the Start button. Then select All Programs, select Administrative Tools, and click Internet Information Services (IIS) Manager. See Figure 7-1.


Figure 7-1 IIS Manager

CREATING WEB SITES AND VIRTUAL DIRECTORIES
When IIS is installed, the server will only have a default Web site. IIS was designed to handle multiple Web sites. Therefore, if your organization represents several subsidiaries, each with its own Web site, or you are a company that hosts web services for other companies, you would create multiple sites within IIS.

CREATE A WEB SITE
To create additional Web sites:
1. Open IIS Manager.
2. In the Connections pane, right-click the Sites node in the tree, and then click Add Web Site.
3. In the Add Web Site dialog box, type a friendly name for your Web site in the Web site name box.
4. Click Select if you want to select a different application pool than the one listed in the Application Pool box. In the Select Application Pool dialog box, select an application pool from the Application Pool list and then click OK. Application pools will be discussed a little bit later.
5. In the Physical path box, type the physical path of the Web site’s folder, or click the browse button (. . .) to navigate to the file system to find the folder.
6. If the physical path that you entered in step 5 is to a remote share, click Connect to specify credentials that have permission to access the path. If you do not use specific credentials, select the Application user (pass-thru authentication) option in the Connect As dialog box.
7. Select the protocol for the Web site from the Type list.
8. The default value in the IP address box is All Unassigned. If you must specify a static IP address for the Web site, type the IP address in the IP address box.
9. Type a port number in the Port text box.
10. Optionally, type a host header name for the Web site in the Host Header box.
11. If you do not have to make any changes to the site, and you want the Web site to be immediately available, select the Start Web site immediately check box.
12. Click OK.

The default Web site is made to respond to all IP addresses assigned to the server on port 80 and port 443. In addition, the web server will respond to any name that corresponds to one of the IP addresses of the web server.

To support multiple Web sites, you can assign additional IP addresses and assign a Web site to each IP address. You can also define a different port instead of port 80 or 443. When a user tries to access http://acme.com, they are really accessing http://acme.com:80; the :80 means port 80. If you want a Web site to respond on port 8080, you would then access the Web site by specifying http://acme.com:8080.

One method that allows you to share the same IP address and port is to use host headers, which specify a name that the Web site will respond to rather than all names that point to the address.

To configure the IP address, port, and name a Web site will respond to, you configure the site binding. To change the site bindings, right-click the site in IIS Manager and select Edit Bindings. To change a binding, click the binding you want to change and click the Edit button. To add a new binding, click the Add button. See Figure 7-2. If you want the Web site to respond to two different names such as www.acme.com and acme.com, you need to add two bindings.
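The site and binding steps above, carried out with the WebAdministration PowerShell module that ships with IIS 7.5 on Windows Server 2008 R2, as an added example that is not part of the textbook. The site name Acme, the folder C:\inetpub\acme, the pool name AcmePool and the host names are constructed placeholders; run it from an elevated PowerShell prompt on the web server.

```powershell
# Added example (not from the textbook): create a second site and its bindings with
# the WebAdministration module. Names, paths and host names are constructed placeholders.
Import-Module WebAdministration

$siteName = 'Acme'
$sitePath = 'C:\inetpub\acme'
if (-not (Test-Path $sitePath)) { New-Item -ItemType Directory -Path $sitePath | Out-Null }

# Give the site its own application pool so that a crash or memory leak in it
# cannot take down the Default Web Site, which runs in DefaultAppPool.
New-WebAppPool -Name 'AcmePool' | Out-Null

# Steps 3-12 of the Add Web Site dialog in one call: friendly name, physical path,
# All Unassigned addresses, port 80 and the host header acme.com.
New-Website -Name $siteName -PhysicalPath $sitePath -Port 80 -HostHeader 'acme.com' `
            -ApplicationPool 'AcmePool' | Out-Null

# A site that must answer to both acme.com and www.acme.com needs two bindings.
New-WebBinding -Name $siteName -Protocol http -Port 80 -HostHeader 'www.acme.com'

# A binding on a non-standard port is reached as http://acme.com:8080.
New-WebBinding -Name $siteName -Protocol http -Port 8080 -HostHeader 'acme.com'

# Check: bindingInformation is IP:port:host, so '*:80:acme.com' means
# All Unassigned addresses, port 80, host header acme.com.
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation

# Check: list every binding on the server. Two sites may not share the same
# IP/port/host triple; IIS refuses to start the second one if they collide.
Get-Website | ForEach-Object {
    $name = $_.Name
    $_.bindings.Collection | ForEach-Object { "$name`t$($_.protocol)`t$($_.bindingInformation)" }
}
```

Host headers only work when the client sends the name in the request, so a client that browses to the bare IP address reaches whichever site has a binding with no host header, which by default is the Default Web Site.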


Figure 7-2 Creating a site

When you create a Web site, you specify a folder that represents the root of the Web site. Within that folder, you can create subfolders. For example, suppose you have a Web site for acme.com. When you access http://acme.com, the request goes to the root folder and returns the default web page there. You can then create a subfolder called sales. Typing a URL such as http://acme.com/sales, or clicking a hyperlink on the home page that points to http://acme.com/sales, executes the default web page in the sales folder.

A virtual directory is a directory used in a Web site that corresponds to a physical directory elsewhere on the server, on another server, or on a Web site. This allows you to reuse the same folder for multiple sites or to connect to content without physically moving it.

ADD A VIRTUAL DIRECTORY
To add a virtual directory within your Web site:
1. Open IIS Manager.
2. In the Connections pane, expand the Sites node in the tree and click to select the site in which you want to create a virtual directory.
3. In the Actions pane, click View Virtual Directories.
4. On the Virtual Directories page in the Actions pane, click Add Virtual Directory.
5. In the Add Virtual Directory dialog box, type a name in the Alias text box. This alias is used to access the content from a URL.
6. In the Physical path text box, type the physical path of the content folder or click Browse to navigate through the file system to find the folder.
7. Optionally, click Connect As to specify credentials that have permission to access the physical path. If you do not use specific credentials, select the Application user (pass-thru authentication) option in the Connect As dialog box.
8. Optionally, click Settings to verify the settings that you specified for the virtual directory.
9. Click OK.

EXPLORING APPLICATIONS AND APPLICATION POOLS
An application is a grouping of content on a Web site, defined at the root level or in a separate folder, that has specific properties such as the application pool in which the application runs and the permissions that are granted on the folder. Each site must have at least one application, named the root application or default application.

An application pool is a set of resources (a worker process or a set of worker processes) used by a Web site or application that defines the memory boundaries for the Web site. Giving each application its own application pool ensures that one Web site does not interfere with another Web site on the same server, which maintains application performance and improves application availability. Therefore, if one application has a memory leak or crashes, it will not affect the other sites.

CREATE AN APPLICATION IN IIS
To create an application:
1. Open IIS Manager.
2. In the Connections Pane, expand the Sites node.
3. Right-click the site for which you want to create an application and click Add Application.
4. In the Alias box, type a value for the application URL, such as sales.
5. Click Select if you want to select a different application pool than the one listed in the  Application Pool box. In the Select Application Pool dialog box, select an application pool from the Application Pool List and click OK.
6. In the Physical Path box, type the physical path of the application’s folder or click Browse to navigate the file system to find the folder.
7. Optionally, click Connect As to specify credentials that have permission to access the physical path. If you do not use specific credentials, select the Application user (pass-thru authentication) option in the Connect As dialog box.
8. Optionally, click Test Settings to verify the settings that you specified for the application.
9. Click OK.

CREATE AN APPLICATION POOL
To create an application pool:
1. Open IIS Manager.
2. In the Connections pane, expand the server node and click Application Pools.
3. On the Application Pools page in the Actions pane, click Add Application Pool.
4. On the Add Application Pool dialog box, type a friendly name for the application pool in the Name box.
5. From the .NET Framework version list, select the version of the .NET Framework required by your managed applications, modules, and handlers, or select No Managed Code if the applications that you run in this application pool do not require the .NET Framework.
6. From the Managed pipeline mode list, select one of the following options:
• Integrated if you want to use the integrated IIS and ASP.NET request-processing pipeline.
• Classic if you want to use IIS and ASP.NET request-processing modes separately. In classic mode, managed code is processed using Aspnet_isapi.dll instead of the IIS 7 integrated pipeline.
7. Select Start application pool immediately to start the application pool whenever the WWW service is started. By default, this is selected.
8. Click OK.

CHANGE AN APPLICATION POOL
To change an application pool for an application:
1. Open IIS Manager.
2. In the Connections pane, expand the server node and click Application Pools.
3. On the Application Pools page, select the application pool that contains the application that you want to change.
4. In the Actions pane, click View Applications.
5. Select the application whose application pool you want to change and click Change Application Pool in the Actions pane.
6. In the Select Application Pool dialog box, select an application pool from the Application pool list and click OK.
If you have a problematic application and you cannot easily correct the code that causes the problems, you can limit the extent of these problems by periodically recycling the worker process that services the application.

RECYCLE A WORKER PROCESS MANUALLY
To manually recycle a worker process:
1. Open IIS Manager.
2. In the Connections pane, expand the server node and click Application Pools.
3. On the Application Pools page, select the application pool you want to recycle immediately.
4. In the Actions pane, click Recycle and then click Yes.

Rather than manually recycling a worker process, you can choose to configure an application pool to recycle at a scheduled time.

CONFIGURE AN APPLICATION POOL TO RECYCLE AT A SCHEDULED TIME
To configure an application pool to recycle at a scheduled time:
1. Open IIS Manager.
2. In the Connections pane, expand the server node and click Application Pools.
3. On the Application Pools page, select an application pool and click Recycling in the Actions pane.
4. Select Specific time(s) and, in the corresponding box, type a time at which you want the application pool to recycle daily. For example, type 11:30 AM or 11:30 PM. You can also specify time intervals such as every 60 minutes.
5. Click Next, select the events that should be logged when an application pool recycles, and click Finish.
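The application pool, application, virtual directory and recycling procedures above, done from PowerShell with the WebAdministration module, as an added example that is not part of the textbook. It assumes the site Acme created earlier exists; the pool name AcmeSalesPool, the alias sales, the folder C:\shared\downloads and the recycle times are constructed placeholders.

```powershell
# Added example (not from the textbook): pool, application, virtual directory and
# recycling for the constructed site 'Acme'. All names and paths are placeholders.
Import-Module WebAdministration

$site = 'Acme'
$pool = 'IIS:\AppPools\AcmeSalesPool'

# Application pool: .NET 2.0 runtime (the CLR version that IIS 7.x uses for
# .NET 2.0/3.5 applications), integrated pipeline, started with the WWW service.
New-WebAppPool -Name 'AcmeSalesPool' | Out-Null
Set-ItemProperty $pool -Name managedRuntimeVersion -Value 'v2.0'
Set-ItemProperty $pool -Name managedPipelineMode  -Value 'Integrated'
Set-ItemProperty $pool -Name autoStart            -Value $true

# Application /sales in its own pool: a fault in sales cannot affect the rest of the site.
New-Item -ItemType Directory -Path 'C:\inetpub\acme\sales' -Force | Out-Null
New-WebApplication -Name 'sales' -Site $site -PhysicalPath 'C:\inetpub\acme\sales' `
                   -ApplicationPool 'AcmeSalesPool' | Out-Null

# Virtual directory /downloads that maps to a folder outside the site root.
New-Item -ItemType Directory -Path 'C:\shared\downloads' -Force | Out-Null
New-WebVirtualDirectory -Site $site -Name 'downloads' -PhysicalPath 'C:\shared\downloads' | Out-Null

# "Change Application Pool": move an existing application to another pool.
Set-ItemProperty "IIS:\Sites\$site\sales" -Name applicationPool -Value 'AcmeSalesPool'

# Scheduled recycling: daily at 11:30 PM plus every 60 minutes, and log the reason
# for each recycle to the System event log so unexpected restarts can be traced.
Clear-ItemProperty $pool -Name recycling.periodicRestart.schedule
New-ItemProperty  $pool -Name recycling.periodicRestart.schedule -Value @{value='23:30:00'} | Out-Null
Set-ItemProperty  $pool -Name recycling.periodicRestart.time -Value '01:00:00'
Set-ItemProperty  $pool -Name recycling.logEventOnRecycle -Value 'Time,Schedule,Memory,PrivateMemory'

# "Recycle" action: recycle the worker process now.
Restart-WebAppPool -Name 'AcmeSalesPool'

# Check: report the recycling settings that are now in effect.
Get-ItemProperty $pool -Name recycling.periodicRestart.time
(Get-ItemProperty $pool -Name recycling.periodicRestart.schedule).Collection | Select-Object value
```

Recycling masks a leak rather than fixing it; the logged recycle events are what tell you how often the pool is actually being restarted, which is the number to watch while the code is being corrected.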

EXPLORING DEFAULT DOCUMENTS AND DIRECTORY LISTINGS
By default, when you type in a Web site’s URL such as http://acme.com, it will go to the root folder designed for acme.com and first look for one of the following files:
1. Default.htm
2. Default.asp
3. Index.htm
4. Index.html
5. iisstart.htm
6. Default.aspx
The Default Documents feature allows you to configure the list of default documents that will automatically be presented to a browser when the URL does not name a specific document (as a URL such as http://acme.com/start.html does). For http://acme.com, IIS will therefore first look for http://acme.com/default.htm. If it does not find default.htm, it will then try http://acme.com/default.asp, and so on. You can change the order of default documents or add additional default documents by clicking the Web site or folder and double-clicking Default Document under IIS in the left pane. To change the order, click the file you want to change and click the Move Up or Move Down arrows in the Actions pane. If you want to add a new default document, click the Add option in the Actions pane.
In some instances, you may just want to provide a directory listing of files so that users can quickly download those files. Use the Directory Browsing feature page to modify the content settings for browsing a directory on the web server. When you configure directory browsing, all subdirectories use the same settings unless you override them at a lower level.
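The default-document order and directory-browsing settings described above, set from PowerShell, as an added example that is not part of the textbook. It assumes the constructed site Acme with a downloads virtual directory; MACHINE/WEBROOT/APPHOST is the real configuration path of applicationHost.config, and -Location scopes each change to one site or folder.

```powershell
# Added example (not from the textbook): default documents and directory browsing
# for the constructed site 'Acme'. Site and folder names are placeholders.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'

# Show the default document order in effect for the site (first existing file wins).
Get-WebConfiguration -PSPath $appHost -Location 'Acme' `
    -Filter 'system.webServer/defaultDocument/files/add' | Select-Object value

# Move Default.aspx to the top of the list: remove it, then re-add it at index 0.
# IIS tries the files in list order, so this is the "Move Up" action done in one step.
Remove-WebConfigurationProperty -PSPath $appHost -Location 'Acme' `
    -Filter 'system.webServer/defaultDocument/files' -Name '.' -AtElement @{value='Default.aspx'}
Add-WebConfigurationProperty -PSPath $appHost -Location 'Acme' `
    -Filter 'system.webServer/defaultDocument/files' -Name '.' -Value @{value='Default.aspx'} -AtIndex 0

# Directory browsing: off for the whole site, on only for /downloads. A folder with
# browsing off and no default document returns 403 instead of listing its contents,
# which is the safer result for folders that hold application files.
Set-WebConfigurationProperty -PSPath $appHost -Location 'Acme' `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location 'Acme/downloads' `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $true

# Check: the effective setting at both levels.
foreach ($loc in 'Acme', 'Acme/downloads') {
    $enabled = (Get-WebConfigurationProperty -PSPath $appHost -Location $loc `
        -Filter 'system.webServer/directoryBrowse' -Name enabled).Value
    "{0,-16} directoryBrowse={1}" -f $loc, $enabled
}
```

Because the settings are written as location tags in applicationHost.config rather than in a web.config inside the content folder, they survive a redeployment that overwrites the site's files.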

USING IIS SECURITY
Since Web sites are designed to provide information, some of which may be sensitive, there will be times when you have to protect that information. You can protect it by limiting who can access the Web site, how users authenticate, and/or by encrypting the content when a request is made.
You can grant or deny specific computers, groups of computers, or domains access to sites, applications, directories, or files on your server by using Authorization rules.

VIEW URL AUTHORIZATION RULES
To view the URL authorization rules using IIS Manager:
1. Open IIS Manager and navigate to the level you want to manage.
2. In Features View, double-click Authorization Rules.

CREATE A NEW AUTHORIZATION RULE
To create a new authorization rule using IIS Manager:
1. Open IIS Manager and navigate to the level you want to manage.
2. In Features View, double-click Authorization Rules.
3. In the Actions pane, click Add Allow Rule.
4. In the Add Allow Authorization Rule dialog box, select one of the following types of access:
• All users: Specifies that all users, whether they are anonymous or identified, can access the content.
• All anonymous users: Specifies that anonymous users can access the content.
• Specified roles or user groups: Specifies that only members of certain roles or user groups can access the content. Type the role or user group in the text box.
• Specified users: Specifies that only certain users can access the content. Type the user IDs in the text box.
5. Optionally, check Apply this rule to specific verbs if you want to further stipulate that the users, roles, or groups allowed to access the content can only use a specific list of HTTP verbs or actions. Type those verbs in the text box.
6. Click OK.
To create a Deny Rule, select Add Deny Rule instead of selecting Add Allow Rule.

LIMIT ACCESS TO WEB SITE BY ADDRESS AND DOMAIN
To limit access to the Web site by IPv4 address and domain:
1. Open IIS Manager and navigate to the level you want to manage.
2. In Features View, double-click IPv4 Address and Domain Restrictions.
3. In the Actions pane, click Add Allow Entry.
4. In the Add Allow Restriction Rule dialog box, select Specific IPv4 address, IPv4 address range, or Domain name, add the IPv4 address, range, mask, or domain name, and click OK.
Use the Edit IP and Domain Restrictions dialog box to define access restrictions for unspecified clients or to enable domain name restrictions for all rules.
Authentication is used to confirm the identity of clients who request access to your sites and applications. IIS 7.0 supports the following forms of authentication:
Anonymous: Allows access without providing a username and password.
ASP.NET Impersonation: Allows you to run ASP.NET applications under a context other than the default ASP.NET account.
Basic Authentication: Requires that users provide a valid username and password to gain access to content. Since basic authentication transmits passwords across the network in clear text, you should use it with a digital certificate to encrypt usernames and passwords being sent over the network.
Digest Authentication: Uses a Windows domain controller to authenticate users who request access to content on your server.
Forms Authentication: Uses client-side redirection to forward unauthenticated users to an HTML form where they can enter their credentials, which are usually a username and password.
Windows Authentication: Uses NTLM or Kerberos protocols to authenticate clients.
AD Client Certificate Authentication: Allows you to use the Active Directory service features to map users to client certificates for authentication.
To configure authentication for a Web site, application, or virtual folder, click the site, application, or virtual folder and double-click Authentication. The default setting for Windows authentication is Negotiate. This setting means that the client can select the appropriate security support provider.
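The three IIS security features above (URL authorization rules, IPv4 address and domain restrictions, and the authentication modules), configured from PowerShell for one application, as an added example that is not part of the textbook. The application path Acme/sales, the group ACME\SalesStaff and the subnet 10.1.0.0/16 are constructed placeholders; each setting is written to applicationHost.config, which is why sections that IIS locks against web.config delegation (ipSecurity, the authentication modules) can still be set here.

```powershell
# Added example (not from the textbook): authorization rules, IP restrictions and
# authentication for the constructed application 'Acme/sales'. Names are placeholders.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$loc     = 'Acme/sales'
$authz   = 'system.webServer/security/authorization'
$ipsec   = 'system.webServer/security/ipSecurity'
$auth    = 'system.webServer/security/authentication'

# URL authorization: drop the inherited "allow all users" rule, allow one group for
# GET and POST only (the "Apply this rule to specific verbs" option), and deny everyone
# else. A matching deny rule always wins over an allow rule.
Clear-WebConfiguration -PSPath $appHost -Location $loc -Filter $authz
Add-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $authz -Name '.' `
    -Value @{accessType='Allow'; roles='ACME\SalesStaff'; verbs='GET,POST'}
Add-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $authz -Name '.' `
    -Value @{accessType='Deny'; users='*'}

# IPv4 restrictions: unspecified clients are denied, then one subnet is allowed.
Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $ipsec -Name allowUnlisted -Value $false
Add-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $ipsec -Name '.' `
    -Value @{ipAddress='10.1.0.0'; subnetMask='255.255.0.0'; allowed=$true}

# Authentication: anonymous off, Windows (Negotiate, so Kerberos where available) on.
# Basic stays off because it sends the password in clear text without an https binding.
Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter "$auth/basicAuthentication"     -Name enabled -Value $false

# Check 1: every authentication module and whether it is enabled at this location.
Get-WebConfiguration -PSPath $appHost -Location $loc -Filter "$auth/*" |
    Select-Object @{n='module'; e={ $_.SectionPath.Split('/')[-1] }}, enabled

# Check 2: the authorization rules in the order IIS evaluates them.
Get-WebConfiguration -PSPath $appHost -Location $loc -Filter "$authz/add" |
    Select-Object accessType, users, roles, verbs
```

Authorization rules only identify the user when an authentication module other than Anonymous is enabled; with anonymous access still on, a "Specified roles" rule has no identity to match and the deny rule blocks everyone, which is the first thing to check when a freshly restricted application returns 401 for all users.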

EXPLORING SECURE SOCKETS LAYER AND DIGITAL CERTIFICATES
When you use SSL to encrypt web traffic, you are using asymmetric encryption, which involves a private key and a public key. The public key is provided to anyone who wants to access the web server, and the private key is kept secret, usually by the web server that you are trying to protect. The public key is used to encrypt data, which only the private key can decrypt.

To enable SSL, you must obtain and install a valid server certificate on the web server from a recognized certificate authority (CA) or use a self-signed certificate. The CA can be your internal Windows domain or a trusted third-party public CA such as Entrust or Verisign. While the self-signed certificate is not a trusted certificate, it can still be used for troubleshooting, testing, or application development.

When you visit an SSL Web site using Internet Explorer, you will notice a lock icon at the top of the IE window. To view the digital certificate, click the lock and select View Certificates. The most common type of digital certificate is the X.509 digital certificate. See Figure 7-3.


Figure 7-3 Digital certificate

ACQUIRE A DIGITAL CERTIFICATE
To acquire a digital certificate using IIS 7:
1. Request an Internet server certificate from the IIS server. To request an Internet server certificate, click the server from within IIS Manager and double-click Server Certificates in Features View. Then click Create Certificate Request from the Actions Pane.
2. Send the generated certificate request to the CA, usually using the vendor’s Web site.
3. Receive a digital certificate from the CA and install it on the IIS server. Again, open IIS Manager, click the server, and double-click Server Certificates in Features View. Then select Complete Certificate Request.
4. On the Distinguished Name Properties page of the Request Certificate Wizard, type the following information and click Next.
• In the Common name text box, type a name for the certificate.
• In the Organization text box, type the name of the organization in which the certificate will be used.
• In the Organizational unit text box, type the name of the organizational unit in the organization in which the certificate will be used.
• In the City/locality text box, type the unabbreviated name of the city or locality where your organization or organizational unit is located.
• In the State/province text box, type the unabbreviated name of the state or province where your organization or organizational unit is located.
• In the Country/region text box, type the name of the country or region where your organization or organizational unit is located.
5. On the Cryptographic Service Provider Properties page, select either Microsoft RSA SChannel Cryptographic Provider or Microsoft DH SChannel Cryptographic Provider from the Cryptographic service provider drop-down list. By default, IIS 7 uses the Microsoft RSA SChannel Cryptographic Provider.
6. In the Bit length drop-down list, select a bit length that can be used by the provider. By default, the RSA SChannel provider uses a bit length of 1024. The DH SChannel provider uses a bit length of 512. A longer bit length is more secure, but it can affect performance.
7. Click Next.
8. On the File Name page, type a filename in the Specify a file name for the certificate request text box, or click the browse button (. . .) to locate a file, and click Finish.
9. Send the certificate request to a public CA.

From time to time, you may need to import and export digital certificates. The common formats used today are:
X.509 format (.cer and .crt file extensions for Windows): A widely supported digital certificate format that represents the individual certificate.
Cryptographic Message Syntax—PKCS 7 format (.p7b file extension for Windows): Used to export the complete chain of digital certificates.
Personal Information Exchange Syntax—PKCS 12 format (.pfx and .p12 file extensions for Windows): Used for exporting the public/private key pair.
Certificate Signing Request (CSR) Syntax—PKCS 10 format: Used in generating signed requests to trusted certificate signing authorities.

If you have a farm that consists of multiple web servers, you need to install the digital certificate on the first server and then export it in .pfx format to copy the public and private key to the other servers. Therefore, you will need to export the key from the first server and import it on the other servers.

EXPORT A DIGITAL CERTIFICATE
To export a digital certificate:
1. Open IIS Manager and navigate to the level you want to manage.
2. In the Features View, double-click Server Certificates.
3. In the Actions pane, click Export.
4. In the Export dialog box, type a filename in the Export to box or click the browse button to navigate to the name of a file in which to store the certificate for exporting.
5. Type a password in the Password box if you want to associate a password with the exported certificate. Retype the password in the Confirm password box.
6. Click OK.

IMPORT A DIGITAL CERTIFICATE
To import a digital certificate:
1. Open IIS Manager and navigate to the level you want to manage.
2. In the Features View, double-click Server Certificates.
3. In the Actions pane, click Import.
4. In the Import Certificate dialog box, type a filename in the certificate file box or click the
browse button to navigate to the name of a file where the exported certificate is stored.
Type a password in the Password box if the certificate was exported with a password.
5. Select Allow this certificate to be exported if you want to be able to export the certificate, or clear Allow this certificate to be exported if you do not want to allow additional exports of this certificate.
6. Click OK.
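The certificate life cycle covered by the last three procedures (request, completion, export and import) done with the certreq.exe and certutil.exe tools built into Windows Server 2008 R2 plus the WebAdministration module for the https binding, as an added example that is not part of the textbook. The host name www.acme.com, the subject fields, the folder C:\certs, the password and the site name Acme are constructed placeholders. It requests a 2048-bit key rather than the 1024-bit default described above, because public CAs no longer issue certificates for 1024-bit keys.

```powershell
# Added example (not from the textbook): request, complete, bind, export and import an
# IIS server certificate from the command line. Names, paths and password are placeholders.
Import-Module WebAdministration
New-Item -ItemType Directory -Path 'C:\certs' -Force | Out-Null

# 1. Certificate request. [NewRequest] fields mirror the Distinguished Name and
#    Cryptographic Service Provider wizard pages; KeyLength 2048 is the modern minimum.
#    The OID marks the key for Server Authentication; Exportable=TRUE allows the
#    later .pfx export to the other farm members.
$inf = @'
[NewRequest]
Subject = "CN=www.acme.com, O=Acme Corp, OU=IT, L=Springfield, S=Illinois, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@
Set-Content -Path 'C:\certs\www.acme.com.inf' -Value $inf
certreq.exe -new 'C:\certs\www.acme.com.inf' 'C:\certs\www.acme.com.csr'

# 2. Send www.acme.com.csr to the CA (vendor web site, or certreq -submit for an
#    enterprise CA). The CA returns the issued certificate as www.acme.com.cer.

# 3. Complete the request: joins the issued certificate to the private key generated
#    in step 1 and stores it in the computer's Personal store (the IIS Manager
#    "Complete Certificate Request" action).
certreq.exe -accept 'C:\certs\www.acme.com.cer'

# 4. Find the certificate and bind https on port 443 to it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=www.acme.com*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
New-WebBinding -Name 'Acme' -Protocol https -Port 443 -IPAddress '*'
$cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# 5. Export the key pair as PKCS#12 for the other servers. The .pfx carries the
#    private key, so it is password protected and must be copied over a trusted path.
certutil.exe -p 'ExportP@ss' -exportPFX My $cert.Thumbprint 'C:\certs\www.acme.com.pfx'

# On each remaining server in the farm, after copying the .pfx there:
#   certutil.exe -p 'ExportP@ss' -importPFX 'C:\certs\www.acme.com.pfx'

# Check: the SSL binding IIS will use for port 443 and the certificate's validity.
Get-Item 'IIS:\SslBindings\0.0.0.0!443' | Select-Object IPAddress, Port, Thumbprint
$cert | Select-Object Subject, NotBefore, NotAfter, HasPrivateKey
```

On the importing servers the certificate is only usable by IIS once the same SslBindings step is repeated there; importing the .pfx alone places the key pair in the store but creates no https binding. After the farm is deployed, delete the .pfx copies, since each one is equivalent to the server's private key.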