Internet Information Server 4.0 - Cramsession

Administration

MMC - Microsoft Management Console
    Properties are inherited through the site hierarchy (Site, Directory and Files), unless specified otherwise in the individual property sets of the lower level items. For example, Site settings will be inherited by the directories and files beneath them.

    A web site operator is an individual who has limited administration rights on an individual website. This administrator only has the rights to change website settings, not IIS settings. Web site operators can be assigned to a website by accessing the website's properties, clicking the Operators tab, and adding the proper user accounts in the web site operator window.

    The MMC can stop, start and pause services.

    To stop, start or pause services, either:

      A) Click the respective stop, start or pause icon in the toolbar menu.
      B) Right-click the service you would like to affect, and click Start, Stop or pause.

To remotely administer IIS, specify within the address which port to connect to, such as: http://www.cramsession.com:6967/iisadmin/ .

Authentication

Authentication methods available:
  • Allow Anonymous - Any visitor can access your site.
  • Basic - Uses user names and passwords to verify access.
  • Windows NT Challenge/Response - Uses user login access through the domains User Manager to verify rights.
  • SSL Client Certificate - Certificate installed on the client system is used for authentication verification.

If user access rights are changed while IIS is loaded, you must either wait 15 minutes for the change to happen, or stop and restart the corresponding service for an immediate change.

Web users are prompted for authentication only when either:

  • Anonymous access is disabled.
  • Anonymous user is denied access to a resource.

When challenge/response is required, a non-challenge/response browser (non-MS browser) will receive an Access is Denied error message.

If a browser supports only basic authentication, do not turn basic authentication off in IIS to prevent site inaccessibility.

IIS read permission allows the visitor to read or download files.

You must provide a user name and password for directories that are located on an NTFS partition on a remote server.

To avoid passing userid and passwords on the network, use challenge/response in WWW and allow ONLY anonymous in FTP.

Remote virtual directories require an NT user account that can access them.

If IIS is located on server1, and a virtual directory is located on server2, and the two systems do not share a common NT domain, you must add an equal user account to both server1 and server2.

Client certificates can be mapped to NT accounts.

NTFS permissions and IIS:

  • Content = Read
  • Programs = Read and Execute
  • Database = Read and Write

To prevent anonymous user access to certain directories:

  • Remove guest group from NTFS permission
  • Assign IUSR_ComputerName no access

When only anonymous accounts are used in FTP, Check both Allow Anonymous Connections and Allow Only Anonymous Connections in the Security Accounts tab of the FTP site's properties.

WWW

There are two ways a user can access a virtual directory:
  • Links.
  • Type the alias in the URL name space.

Spaces in virtual directories will cause problems for older browsers.

If you don't specify the IP address of a virtual server to a virtual directory, the virtual directory will be seen by all virtual servers.

When replicating your web site to multiple servers, use the same name to get to any site. Create separate entries with the name of the web server as an alias.

The default user must have the logon local right in order to access the WWW pages on the server.

To improve download time for web pages, increase the HTTP keep alive time.

Virtual directories on another server:

  • Create a share on the remote server
  • Use UNC path for remote server and share
  • Enter a userid and password to connect with
  • The remote server must be in same domain, or add a userid from with access in both domains.

You can only create one home directory per virtual server.

A scripts directory under a virtual home directory handles the scripts for that virtual home directory.

A common scripts directory not assigned to a virtual home can handle scripts for all virtual servers.

Virtual directories are referenced by alias names. The alias is tied to a virtual directory in the directory tab.

If you delete the IISadmin virtual directory on the server that you are administering, you'll be unable to use the HTML administrator.

FTP

To enable directory annotations:
  • Insert AnnotateDirectories REG_DWORD=1 in registry.
  • Create ~ftpsvc~.ckm in each directory.

Some browsers cannot handle having more than one line in the FTP welcome message, and will receive a 404 error.

Changing the TCP Port number within the FTP Site Properties will require the client to change their FTP software to the corresponding TCP port in order to connect properly.

Types of FTP directory listings:

  • DOS - date, time, size, name
  • UNIX - permissions, owner, group, size, date, time, name

Ports

Port
Number
FTP 21
Telnet 23
SMTP 25
HTTP 80
SSL 443

If you change the port number, the client must specify the specified port number to access the resource.

ISAPI/CGI/Perl

Execute permission is required for ISAPI and CGI applications.

Read permission is not required for ISAPI and CGI applications.

Read and write NTFS permissions are required by ISAPI/CGI on NTFS volumes.

To enable the server to launch CGI application without a normal extension, add an entry for application type to registry.

CGI applications cannot run when only using challenge/response authentication.

CGI requires a new process for each execution.

ISAPI filters - customize authorization, access or logging.

Perl requires a command interpreter to be installed on the IIS server.

MIME

  • MIME (Multipurpose Internet Mail Extensions) - Contains a list of extensions and their associated application mappings.

    MIME settings exist in the metabase. The metabase is similar to the registry, but used specifically for storage of IIS settings.

    The MIME map exists within the MMC - Web Site Properties, under the HTTP Headers tab. You must stop and start the web site to allow MIME changes to be recognized.

    Add a MIME type in order to permit files with certain extensions to be treated as files with another extension. For example, add a MIME type to allow .WEB files to be read as .HTML files.

    • SSL - Secure Sockets Layer

    SSL pages are CPU intensive, and take longer to download.

    SSL URLs begin with https:// rather than http://.

    Use Key Manager to request and import security certificates.

    If two companies are using the same IIS server, you will need two SSL certificates.

    You can specify the IP address and port number to apply the certificate to when importing into KEYMGR.

    You can apply SSL certificate to a virtual server that doesn't have IIS installed by specifying it's IP address.

    Procedure for SSL certificate retrieval and implementation:

      1) Generate a key pair file and request file.
      2) Request a certificate from authority.
      3) Install the certificate.
      4) Activate SSL on the site/directory.

    Error Codes

    Code
    Error Description
    401 Unauthorized; Requests required user authentication.
    403 Forbidden; Server understood the request but refuses to fulfill it. Authentication will not help. Common when trying to access SSL enable web page without SSL enabled browser.
    404 File not found; Requested resource can not be found. Virtual Directory could have a space in its name.
    500 Internal Server Error; Anonymous user account does not have the log on local right.
    502 Bad gateway; Error could be caused when trying to access SQL database with incorrect DSN in the .IDC file.

    Logging

    Logging can be enabled for only the services desired, not for pages, files, etc.

    Text file logging has minimal performance impact.

    Logging to an SQL database takes more resources.

    You can determine hit counts for page from the logging file.

    Only one log file can be created for all WWW virtual servers.

    You can track the logins of Anonymous users within the log file.

  • CONVLOG.EXE - Used to convert IP addresses to DNS names, and to convert web log files to the NCSA Common Log File format.

    • Performance Tuning

    You can limit bandwidth for IIS by clicking the limit bandwidth box. This limits the bandwidth available for WWW services (specifically .HTML file transfers), to make more bandwidth available for other services.

    Bandwidth can be limited individually per site.

    ASP applications, CGI scripts and databases are CPU-intensive, in comparison with standard .HTML and FTP file transfers.

    Calculate bandwidth by adding 4 bits for a total of 12 bits per byte:

    • i.e. 56,000 bytes takes 56k*12 to transmit.

    Upgrade to a faster network architecture (100 BaseT, FDDI) when the network utilization is over 60%.

    IIS/SQL

    .IDC files contain the name and location of the .HTX file, ODBC datasource name (DSN), SQL statements, and user ID/password (both optional).

    .IDC communications require 32-bit ODBC drivers.

    .HTX file is an HTML template to display requested SQL data.

    Changing the transport protocol between a SQL and IIS servers (on different machines) prevents hackers from accessing SQL via TCP/IP.

    Three files are required for connectivity between IIS and SQL:

    • .IDC
    • .HTX
    • HTTPODBC.DLL

    If IIS and SQL servers are in different domains, either a trust must be setup between the two domains or the IUSR_WEB account has to be added to the SQL domain.

    A special license one-user license (per SQL Server) is necessary to will allow unlimited Internet access.

    If challenge authentication is enabled in IIS, it prevents logging onto remote SQL server. You will need to use basic authentication, or install SQL server on same server as IIS.

    Index Server

    Index files occupy approximately 40% of the corpus.

    Index Server can search ONE catalog per query.

    There are two ways to monitor the performance of Index Server:

    • Performance Monitor
    • .IDA script

    You can make Index Server merge more frequently by forcing a merge from the web administration page, or by reducing maximum number of persistent indexes in the registry by decreasing MaxIndexesValue.

    .IDQ are similar to .IDC files, and are used as helper files to assist in query conversion from WWW. They contain the input from the HTML form filled in by the user. They specify information such as:

    • Scope of query
    • Query restrictions
    • Query itself
    • Name of .HTX file

    Avoid irrelevant Index Server hits by adding noise words to WINNT\SYSTEM32\NOISE.ENU.

    Avoid unwanted hits in Index Server by creating separate catalogs for each virtual directory with different contents, and associating separate catalogs with respective virtual servers.

    Having separate catalogs in IS fixes I know the document is there but my query doesn't return it.

    Index Server queries that take too much CPU time return null results.

    Three step filtering process for Index Server:

    • Content filtering - Extracts text from the file.
    • Word breaking - Identifies words within character stream
    • Normalizing - Removes capitalization, punctuation, and noise words.

    Types of indexes:

    • Word lists - Words extracted from docs in memory as soon as document is filtered.
    • Shadow indexes - Persistent (stored on disk, not memory) - created by merging word lists and other shadow indexes.
    • Master index - Persistent, highly compressed; contains indexed data for large number of documents created by master merge. Merges shadow indexes and current master index.

    Can have multiple shadow indexes in a catalog.

    Subnetting
    Decimal Subnets # Class A Hosts # Class B Hosts # Class C Hosts
    .192 2 4,194,302 16,382 62
    .224 6 2,097,150 8,190 30
    .240 14 1,048,574 4,094 14
    .248 30 524,286 2,046 6
    .252 62 262,142 1,022 2
    .254 126 131,070 510 NA
    .255 254 65,534 254 NA

    ODBC Error Codes
    Microsoft OLE DB Provider for ODBC Drivers error "80004005" [Microsoft] [ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot open file "(unknown)". It is already opened exclusively by another user, or you need permission to view its data.
    Cause - the user account (usually IUSR) does not have The correct permissions. Check NTFS and Share Permissions.
    Microsoft OLE DB Provider for ODBC Drivers error "800004005" [Microsoft] [ODBC Microsoft Access 97 Driver] Couldn't use "(unknown)"; file already in use.
    Cause - The database cannot be locked correctly for multiple users
    Microsoft OLE DB Provider for ODBC Drivers error "800004005" [Microsoft] [ODBC Driver Manager] Data source not found and no default driver specified.
    Cause - GLOBAL.ASA file was not properly executed. Check that the file is in the Application Root for IIS, and that users have Execute permission for this folder.
    Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key 'DriverId'.
    Cause -This error is caused by reading a value from the registry. Check the permissions on the registry key using the registry editor, Regedt32.exe. You may also wish to use the Windows NT Registry Monitor to check for registry read failures.
    Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Driver Manager] Data source name not ??
    Cause - This appears to be an issue with the order in which software is installed and uninstalled on the computer. If the ODBC core files become unsynchronized (they should all be the same version) you may see this error.
    Microsoft OLE DB Provider for ODBC Drivers error "800004005" [Microsoft] [ODBC Microsoft SQL Driver] [dbnmpntw] ConnectionOpen (create file)
    Cause - IIS will use (by default) a Windows NT account called IUSR_Computername. This account is local to the Web server and is essentially unknown to any other computers on the network. When IIS, operating under the security context of the IUSR account, tries to access any resources on a remote computer, the remote computer tries to validate the account being used. Since the IUSR account is a local account that is unknown to the remote computer, access is denied.
    Microsoft OLE DB Provider for ODBC Drivers error "800004005" [Microsoft] [ODBC Microsoft SQL Driver] Logon Failed
    Cause - The SQL server denied access to the account attempting to access the SQL server. Check that the SQL and NT account passwords match, and that the IIS connection to the SQL server maps the user's name properly.
    Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC SQL Server Driver][SQL Server] Login failed- User: Reason: Not defined as a valid user of a trusted SQL Server connection.
    Cause - Integrated Security is turned on in the SQL Enterprise Manager, and the Windows NT account being used has not been mapped to a SQL account. - Try changing SQL to use Standard Security. If running under IIS 4.0, turn off "Password Synchronization" for that project.