Sunday, December 9, 2007

Microsoft Windows 2000 Application Servers

Exploring Microsoft Internet Information Services 5.0 Features

Windows 2000 Server includes an updated version of IIS (version 5.0). IIS runs as an enterprise service within Windows 2000 and uses other services provided by Windows 2000, such as security and Active Directory services. IIS 5.0 improves the Web server's reliability, performance, management, security, and application services. Many of these improvements result from the way IIS 5.0 incorporates new operating system features in Windows 2000. This lesson provides an overview of IIS 5.0 and explains how to install IIS and configure a Web environment.

Introduction to Microsoft IIS 5.0

While IIS 4.0 focused on security, administration, programmability, and support for Internet standards, IIS 5.0 builds on these capabilities to deliver the type of Web sites required in an increasingly intranet- and Internet-centric business environment. In particular, IIS 5.0 has been improved in the following four areas: reliability and performance, management, security, and application environment.

Reliability and Performance

IIS 5.0 performs better and is more reliable than previous versions of the product for a number of reasons. Internally, the speed of the IIS 5.0 engine has been increased through coding refinements. The new Reliable Restart feature lets system administrators quickly restart the server. Beyond these inherent capabilities, this version introduces features you can use to improve the speed and reliability of Web sites.

One of the more significant improvements in IIS 5.0 is the addition of application protection through support for pooled, out-of-process applications. To better control resource consumption, new throttling features (based on the new job object feature of Windows 2000) make it easier for administrators to allocate the amount of CPU bandwidth available to processes, as well as the amount of network bandwidth available to sites. In addition, the new Socket Pooling feature allows multiple sites sharing a port also to share a set of sockets.

Application Protection

Most operating systems view a process as a unit of work in a system. Services and applications are processes that run in memory areas allocated by the operating system to each process. In IIS 5.0, application protection refers to the way in which the operating system guards each application process from other processes in memory. In earlier versions of IIS, all Internet Server API (ISAPI) applications (including ASP technology) shared the resources and memory of the IIS server process. Although this provided fast performance, unstable components could cause the IIS server to hang or crash, which made it more difficult to develop and debug new components. In addition, in-process components could not be unloaded unless the server was restarted—which meant that modifying existing components would affect all sites that shared the same IIS server, whether they were directly affected by the upgrade or not.

As a first step toward addressing these issues, IIS 4.0 allowed applications to run either in the same IIS server process (Inetinfo.exe) or out-of-process, that is, in a process separate from the IIS server process. DLLHost.exe acts as a surrogate application to the IIS server process to manage each out-of-process application. Out-of-process applications are run separately from one another, which is memory intensive and less efficient than running in-process. In IIS 5.0, there is a third option: applications can be run in a pooled process separate from the IIS server process. This approach allows related applications to be run together without adversely affecting the IIS server process. These three options provide varying levels of protection, each of which impacts performance. Greater isolation comes at the cost of slower performance.

Reliable Restart

In the event of a system failure, it's clearly important to be able to get IIS back to an operational state as quickly as possible. In the past, rebooting was an acceptable, although not optimal, way to restart IIS. To reliably restart IIS, an administrator needed to start up four separate services after every stoppage, and was required to have specialized knowledge, such as which services to start and in what order. To avoid this, Windows 2000 includes IIS Reliable Restart, which is a faster, easier, more flexible one-step restart process.

Socket Pooling

IIS 5.0 increases performance by adding the ability to optimize access to your Web site. A socket is a protocol identifier for a particular node on a network. The socket consists of a node address and a port number, which identifies the service. For example, port 80 on an Internet node represents the World Wide Web HTTP service on a Web server.

In IIS 4.0, each Web site is bound to a different IP address, which means that each site has its own socket that is not shared with sites bound to other IP addresses. Each socket is created when the site starts and consumes significant non-paged memory (RAM). This memory consumption limits the number of sites bound to IP addresses that can be created on a single machine.

For IIS 5.0, this process has been modified so that sites bound to different IP addresses but sharing the same port number can now share the same set of sockets. The end result is that more sites can be bound to an IP address on the same machine than in IIS 4.0. In IIS 5.0, these shared sockets are used flexibly among all of the started sites, thus reducing resource consumption.

Multisite Hosting

To improve the scalability of IIS, Windows 2000 Server supports the ability to host multiple Web sites on a single server. This can save the time and money required within a company that wants to host different sites for different departments, or for an ISP hosting multiple sites for different customers.

The key to hosting multiple sites on a single server is the ability to distinguish between them. This can be done in several ways, each using the Web site's identification. Each Web site has a unique, three-part identity it uses to receive and to respond to requests: a port number, an IP address, and a host header name. With IIS 5.0, companies can host multiple Web sites on a single server by using one of three techniques: assigning different ports, assigning different IP addresses, or assigning different host header names. Each Web site can share two out of three unique characteristics and still be identified as a unique site.

Process Throttling

If you run multiple Web sites that primarily use HTML pages on one computer, or if you have other applications running on the same computer as your Web server, you can limit how much processor time a Web site's applications are permitted to use. This can help ensure that processor time is available to other Web sites or applications unrelated to IIS.

Bandwidth Throttling

If the network or Internet connection used by your Web server is also used by other services such as e-mail or news, you may want to limit the bandwidth used by your Web server in order to free up bandwidth for other services. Bandwidth Throttling is an improved feature in IIS 5.0 that allows administrators to regulate the amount of server bandwidth each site uses by throttling the bandwidth available to the network card. For example, this allows an ISP to guarantee a predetermined amount of bandwidth to each site.

Management

While IIS 4.0 introduced a significant number of new technologies, a core design goal for IIS 5.0 was to make the Web server easier for managers to use. For example, some administrators found IIS 4.0 difficult to install. With IIS 5.0, the installation process is built right into Windows 2000 Server Setup. In addition, to make it easier to configure security settings, there are three new security wizards. This release also includes improved command-line administration scripts as well as additional built-in management scripts.

Setup and Upgrade Integration

The setup process for IIS 5.0 is integrated with Windows 2000 Server setup, and IIS 5.0 installs by default as a Windows component of Windows 2000 Server. In the Windows Components wizard, it is listed as Internet Information Services (IIS). During operating system setup, a wizard helps you either to install a new copy of IIS 5.0 or to upgrade an older version.

IIS creates a default Web site, an Administration Web site, and a Default SMTP Virtual Server when you install Windows 2000 Server. You can add or remove IIS or select additional components, such as the Network News Transfer Protocol (NNTP) Service, by using the Add/Remove Programs application in Control Panel. Then from Add/Remove Programs, start the Windows Components wizard, and click the Details button of the Internet Information Services (IIS) component.

Delegated Administration

To help distribute the workload of administrative tasks, administrators can add administration accounts to the Operators group. Members of the Operators group have limited administration privileges on Web sites. For example, an ISP that hosts sites for a number of different companies can assign delegates from each company as the operators for each company's Web site. Operators can administer properties that affect only their respective sites. They do not have access to properties that affect IIS, the Windows server computer hosting IIS, or the network. This lets an IT or ISP administrator who hosts multiple Web sites on a single server delegate the day-to-day management of the Web site without giving up total administrative control.

Process Accounting

Process Accounting (sometimes referred to as CPU Usage Logging, CPU Accounting, or Job Object Accounting) is a new feature in IIS 5.0 that lets administrators monitor and log how Web sites use CPU resources on the server. Process Accounting adds fields to the W3C Extended log file to record information about how Web sites use CPU resources on the server. ISPs can use this information to determine which sites are using disproportionately high CPU resources or that may have malfunctioning scripts or Common Gateway Interface (CGI) processes. IT managers can use this information to charge back the cost of hosting a Web site or application to the appropriate division within a company or to determine how to adjust process throttling to control resource utilization.

Security Mechanisms

IIS 5.0 uses five basic security mechanisms: authentication, certificates, access control, encryption, and auditing.

Authentication

Authentication allows you to confirm the identity of anyone requesting access to your Web sites. IIS supports the following types of authentication for HTTP and FTP services:

  • Anonymous FTP and HTTP authentication
  • Basic FTP and HTTP authentication
  • Digest authentication for Windows 2000 Domains and browsers supporting this HTTP 1.1 authentication method
  • Integrated Windows authentication (HTTP only)

Certificates

To complete the authentication process, you need a mechanism for verifying user identities. Certificates are digital identification documents that allow both servers and clients to authenticate each other. They are required for the server and client's browser to set up an SSL connection over which encrypted information can be sent. Server certificates usually contain information about your company and the organization that issued the certificate. Client certificates usually contain identifying information about the user and the organization that issued the certificate.

Access Control

After verifying the identity of a user, you'll want to control their access to resources on your server. IIS 5.0 uses two layers of access control: Web permissions and NTFS permissions. Web permissions apply to all HTTP clients and define access to server resources. NTFS permissions define what level of access individual user accounts have to folders and files on the server.
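The following is an added example, not code from the training text, that models the two access-control layers just described: Web permissions set per virtual directory and applied to every HTTP client, and NTFS permissions set per account on the file itself. The virtual directories, file paths, account names (including the IUSR_WEB anonymous account) and the mapping of Web operations to NTFS rights are all constructed assumptions; it also assumes that a request is allowed only when both layers permit it, and that anonymous requests are evaluated as the anonymous account.

```python
from typing import Dict, Optional, Set

# Constructed Web permissions keyed by virtual-directory URL path. The longest
# matching prefix wins, modelling child directories inheriting from their parent.
WEB_PERMISSIONS: Dict[str, Set[str]] = {
    "/":        {"read", "script"},
    "/uploads": {"read", "write"},
    "/cgi-bin": {"execute"},
}

# Constructed NTFS ACLs: file path -> account -> rights that account holds.
NTFS_ACLS: Dict[str, Dict[str, Set[str]]] = {
    r"C:\inetpub\wwwroot\default.htm":       {"IUSR_WEB": {"read"}, "alice": {"read", "write"}},
    r"C:\inetpub\wwwroot\uploads\notes.txt": {"alice": {"read", "write"}},
    r"C:\inetpub\wwwroot\cgi-bin\form.exe":  {"IUSR_WEB": {"read", "execute"}},
    r"C:\inetpub\wwwroot\salary.asp":        {"hr_admin": {"read"}},
}

# Simplified (assumed) model of the NTFS right each Web operation needs on the file.
NTFS_RIGHT_FOR = {"read": "read", "write": "write", "script": "read", "execute": "execute"}

# Assumed name of the anonymous account; anonymous requests run under it.
ANONYMOUS_ACCOUNT = "IUSR_WEB"


def web_permissions_for(url_path: str) -> Set[str]:
    """Web permissions in force for url_path: those of the longest matching vdir."""
    best = ""
    for vdir in WEB_PERMISSIONS:
        prefix = vdir.rstrip("/") + "/"
        if (url_path == vdir or url_path.startswith(prefix)) and len(vdir) > len(best):
            best = vdir
    return WEB_PERMISSIONS.get(best, set())


def check_access(url_path: str, file_path: str, operation: str,
                 account: Optional[str] = None) -> str:
    """Evaluate both layers; the first layer that refuses decides the outcome."""
    account = account or ANONYMOUS_ACCOUNT
    # Layer 1: Web permissions apply to every HTTP client, authenticated or not.
    if operation not in web_permissions_for(url_path):
        return "denied: web permission"
    # Layer 2: NTFS permissions are checked against the account the request runs as.
    needed = NTFS_RIGHT_FOR[operation]
    if needed not in NTFS_ACLS.get(file_path, {}).get(account, set()):
        return "denied: ntfs permission"
    return "allowed"


if __name__ == "__main__":
    notes = r"C:\inetpub\wwwroot\uploads\notes.txt"
    print(check_access("/uploads/notes.txt", notes, "write"))           # anonymous: NTFS denies
    print(check_access("/uploads/notes.txt", notes, "write", "alice"))  # both layers allow
    print(check_access("/default.htm", r"C:\inetpub\wwwroot\default.htm", "write", "alice"))
```

The last call is the case worth noticing: alice holds NTFS Write on default.htm, yet the request is refused because the Web permission on the root directory does not include Write. Removing a Web permission closes an operation for everyone at once, while NTFS permissions decide what each individual account may do on the file.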

Encryption

Once you've controlled access to information, you need to protect that information as it passes over the Internet. You can let users exchange private information, such as credit card numbers or phone numbers, with your server in a secure way by using encryption. Encryption scrambles the information before it is sent, and decryption unscrambles it after it is received. The foundation for this encryption is the SSL 3.0 protocol and the emerging TLS 1.0 protocol, which provides a secure way of establishing an encrypted communication link with users. SSL confirms the authenticity of your Web site and, optionally, the identity of users accessing restricted Web sites.

Administering a Web Environment

When IIS is installed, a default Web site is created, allowing you to quickly and easily implement a Web environment. However, you can modify that Web environment to meet your specific needs. In addition, you can implement WebDAV, which allows you to share documents over the Internet or an intranet. This lesson covers several aspects of administering a Web environment: Web site management, FTP site management, and WebDAV publishing. Administering Web sites and administering FTP sites are very similar and, as a result, they are discussed together. This is followed by a discussion of WebDAV publishing.

Administering Web and FTP Sites

Originally, each domain name, such as www.microsoft.com, represented an individual computer. With IIS 5.0, multiple Web sites or FTP sites can be hosted simultaneously on a single computer running Windows 2000 Server. Each Web site can host one or more domain names. Because each site mimics the appearance of an individual computer, sites are sometimes referred to as virtual servers.

Web Sites and FTP Sites

Whether your system is on an intranet or the Internet, you can create multiple Web sites and FTP sites on a single computer running Windows 2000 in one of three ways:

  • Append port numbers to the IP address
  • Use multiple IP addresses, each having its own network adapter card
  • Assign multiple domain names and IP addresses to one network adapter card by using host header names

The example in Figure 14.13 illustrates an intranet scenario where the system administrator has installed Windows 2000 Server with IIS on the company's server, resulting in one default Web site: http://CompanyServer. The system administrator then creates two additional Web sites, one for each of two departments: marketing and human resources.
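As an added example covering both the Multisite Hosting section and the three techniques listed above (it is not code from the training text), the routine below shows how a server picks a site from the three-part identity: the local IP address and port the connection arrived on, plus the host header the client supplied. The site names, addresses and sample requests are constructed, and the fallback rule (an unmatched or missing host header goes to the site bound to the bare IP:port pair) is an assumption made for the example.

```python
from typing import Optional

DEFAULT_SITE = "Default Web Site"

# Constructed bindings: (ip, port, host header) -> site. An empty host header
# means the site answers for the whole IP:port pair. Two sites may share two of
# the three parts and still be distinct, as the sections above describe.
SITE_BINDINGS = [
    (("10.0.0.5", 80,   ""),                        DEFAULT_SITE),        # http://CompanyServer
    (("10.0.0.5", 80,   "marketing.corp.example"),  "Marketing"),         # differs by host header
    (("10.0.0.5", 80,   "hr.corp.example"),         "Human Resources"),   # differs by host header
    (("10.0.0.5", 8080, ""),                        "Marketing Staging"), # differs by port
    (("10.0.0.6", 80,   ""),                        "Partner Extranet"),  # differs by IP address
]


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host header value, lower-cased with any :port removed, or None."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0]            # "hr.corp.example:80" -> "hr.corp.example"
    return None


def select_site(local_ip: str, local_port: int, raw_request: bytes) -> Optional[str]:
    """Pick the site for a request that arrived on local_ip:local_port."""
    host = parse_host_header(raw_request) or ""  # HTTP/1.0 clients may send no Host at all
    # First an exact match on all three parts...
    for (ip, port, header), name in SITE_BINDINGS:
        if ip == local_ip and port == local_port and header == host:
            return name
    # ...then the site bound to the bare IP:port, which also receives unknown host headers.
    for (ip, port, header), name in SITE_BINDINGS:
        if ip == local_ip and port == local_port and header == "":
            return name
    return None


if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: marketing.corp.example\r\n\r\n"
    print(select_site("10.0.0.5", 80, req))                           # Marketing
    print(select_site("10.0.0.5", 80, b"GET / HTTP/1.0\r\n\r\n"))       # Default Web Site
```

The point an administrator should take from the fallback branch is that host-header sites depend on a value the client chooses to send: requests without a Host header, or with one that matches no site, are served by whichever site owns the IP address and port, so that site's content and permissions should be reviewed with that in mind.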

Operators Group

Operators are a special group of users who have limited administrative privileges on individual Web sites. Members of the Operators group can administer properties that affect only their respective sites. They do not have access to properties that affect IIS, the Windows server computer hosting IIS, or the network.

For example, an ISP who hosts sites for a number of different companies can assign delegates from each company as the operators for each company's Web site. This method of distributed server administration has the following advantages:

  • Each member of the Operators group can act as the site administrator and can change or reconfigure the Web site as necessary. For example, the operator can set Web site access permissions, enable logging, change the default document or footer, set content expiration, and enable content ratings features.
  • The Web site operator is not permitted to change the identification of Web sites, configure the anonymous user name or password, throttle bandwidth, create virtual directories or change their paths, or change application isolation.
  • Because members of the Operators group have more limited privileges than Web site administrators, they are unable to remotely browse the file system and therefore cannot set properties on directories and files, unless a UNC path is used.

Administering Sites Remotely

Because it may not always be convenient to perform administrative tasks on the computer running IIS, two remote administration options are available. If you are connecting to your server over the Internet or through a proxy server, you can use the browser-based Internet Services Manager (HTML) to change properties on your site. If you are on an intranet, you can use either the Internet Services Manager (HTML) or the Internet Information Services snap-in. Although Internet Services Manager (HTML) offers many of the same features as the snap-in, property changes that require coordination with Windows utilities, such as certificate mapping, cannot be made with Internet Services Manager (HTML).

Configuring and Running Telnet Services

In Windows 2000, Telnet provides user support for the Telnet protocol, a part of the TCP/IP suite. Telnet is a remote access protocol that you can use to log on to a remote computer, network device, or private TCP/IP network. Telnet Server and Telnet Client work together to allow users to communicate with a remote computer. In Windows 2000, Telnet Server is installed as a service, simply named Telnet. The Telnet service allows users of a Telnet client to log on to the computer running the Telnet service and run character-mode applications on that computer. The Telnet service acts as a gateway through which computers running the Telnet client can communicate with each other. The Telnet client allows users to connect to a remote computer and interact with that computer through a terminal window.

Telnet Service

Windows 2000 Telnet Service allows users of a Telnet client to connect to the computer running the Telnet service and use command-line commands on the computer as if they were sitting in front of it. Telnet clients can connect to a server, log on to that server, and run character-mode applications. The Telnet service also acts as a gateway for Telnet clients to communicate with each other. A computer running the Telnet service can support a maximum of 63 Telnet client computers at any given time.

Telnet Server Connection Licensing

Two Telnet service connection licenses are provided with each installation of Windows 2000 Server. This limits Telnet service to two connecting Telnet clients at a time. If you need additional licenses, use Telnet services from the Windows Services for UNIX add-on pack.

Telnet Authentication

You can use your local Windows 2000 user name and password or domain account information to access the Telnet server. The security scheme is integrated into Windows 2000 security. If you do not use the NT LAN Manager (NTLM) authentication option, the user name and password are sent to the Telnet server as plain text.

If you are using NTLM authentication, the client uses the Windows 2000 security context for authentication and the user is not prompted for a user name and password. The user name and password are encrypted.
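The following is an added example, not part of the training text, written from the monitoring side of the distinction just drawn: given the bytes a Telnet client sent to the server, it decodes the Telnet option negotiation and reports whether the client agreed to the AUTHENTICATION option (option 37, RFC 2941) with the NTLM authentication type (type 15 in the IANA Telnet authentication-type registry), or whether line-terminated input, which is where a plain-text user name and password would travel, went over the wire without it. The two sample client streams are constructed, and the NTLM token inside the NTLM sample is a placeholder.

```python
from typing import List, Tuple

# Telnet command bytes (RFC 854) and the AUTHENTICATION option (RFC 2941).
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
OPT_AUTHENTICATION = 37
AUTH_IS, AUTH_SEND, AUTH_REPLY, AUTH_NAME = 0, 1, 2, 3
AUTH_TYPE_NTLM = 15          # IANA-registered Telnet authentication type for NTLM


def parse_negotiation(stream: bytes) -> Tuple[List[Tuple[int, int]], List[Tuple[int, bytes]], bytes]:
    """Split a Telnet byte stream into (verb, option) commands, (option, payload)
    subnegotiations, and the remaining data bytes (what the user typed)."""
    commands: List[Tuple[int, int]] = []
    subneg: List[Tuple[int, bytes]] = []
    data = bytearray()
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:                 # ordinary data byte
            data.append(stream[i]); i += 1; continue
        if i + 1 >= n:                       # truncated command
            break
        verb = stream[i + 1]
        if verb == IAC:                      # IAC IAC is an escaped 0xFF data byte
            data.append(IAC); i += 2; continue
        if verb in (WILL, WONT, DO, DONT):   # three-byte option command
            if i + 2 >= n:
                break
            commands.append((verb, stream[i + 2])); i += 3; continue
        if verb == SB:                       # subnegotiation runs until IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0 or i + 2 >= n:
                break
            payload = stream[i + 3:end].replace(bytes([IAC, IAC]), bytes([IAC]))
            subneg.append((stream[i + 2], bytes(payload))); i = end + 2; continue
        i += 2                               # other two-byte commands (NOP, GA, ...)
    return commands, subneg, bytes(data)


def classify_client_stream(stream: bytes) -> str:
    """'ntlm' if the client answered the AUTHENTICATION option with NTLM,
    'cleartext' if typed lines went over without it, else 'negotiation-only'."""
    _commands, subneg, data = parse_negotiation(stream)
    for opt, payload in subneg:
        if (opt == OPT_AUTHENTICATION and len(payload) >= 2
                and payload[0] == AUTH_IS and payload[1] == AUTH_TYPE_NTLM):
            return "ntlm"
    if b"\r\n" in data:                      # a line of typed input reached the server
        return "cleartext"
    return "negotiation-only"


# Constructed client->server streams.
NTLM_SAMPLE = (bytes([IAC, WILL, OPT_AUTHENTICATION])
               + bytes([IAC, SB, OPT_AUTHENTICATION, AUTH_IS, AUTH_TYPE_NTLM, 0])
               + b"NTLM-token-placeholder" + bytes([IAC, SE]))
CLEARTEXT_SAMPLE = bytes([IAC, WONT, OPT_AUTHENTICATION]) + b"alice\r\nS3cret!\r\n"

if __name__ == "__main__":
    print(classify_client_stream(NTLM_SAMPLE))        # ntlm
    print(classify_client_stream(CLEARTEXT_SAMPLE))   # cleartext
```

On a network capture of port 23 traffic, the "cleartext" outcome is the one to act on: the data bytes returned by parse_negotiation are exactly what the server received, so the user name and password are recoverable by anyone on the path, which is the reason the text recommends the NTLM option.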
