
Monitor, Configure, Troubleshoot, and Control Access to Web Sites

As mentioned, Internet Information Services (IIS) version 5.0 is included as part of Windows 2000. IIS version 5.0 includes a number of improvements and features that are designed to provide highly secure, highly available Web services to users.

Web Site Performance and Reliability Features in IIS 5.0

As part of these improvements, IIS includes configuration options that are used to fine-tune Web site performance and increase service reliability. For example, IIS 5.0 has addressed an issue with servers running previous versions of IIS hosting multiple Web sites. When a server hosts multiple Web sites, each site requires a unique IP address to ensure that traffic is directed correctly. To do this, the server creates a protocol identifier called a socket, which is made up of the Web site's node address and the port number it is using.

Sockets are created when the server is started, and each socket requires a significant chunk of physical (non-paged) RAM. The number of sites a server can host is therefore limited by the amount of memory that can be installed in the system. IIS 5.0 addresses this issue by allowing hosted sites that have different IP addresses but use the same port number to share a single socket, a technique called socket pooling. This means that more sites can be hosted from a single server and that those sites perform better.

In addition, Microsoft has included process throttling and bandwidth throttling features in IIS 5.0. These are used to improve site performance. They allow administrators to specify the maximum percentage of a system's processor and network bandwidth that each site on the server is allowed to use. This helps to ensure that one site doesn't dominate the server's resources, resulting in poor performance for the other hosted sites. IIS 5.0's ability to host multiple sites has also improved. Each site on an IIS server is identified by a three-part address. This version is able to let sites share two of the three address parts to save resources and still ensure that the traffic is directed correctly.

Web Site Security Features in IIS 5.0

One of the biggest concerns for administrators today is having their Web site attacked. There are many ways that this can be done, and Microsoft has attempted to address them with IIS 5.0. One of the keys to this implementation of IIS is its ability to isolate the application from outside attack. Application protection is used to isolate each application process from the other processes in memory.

IIS 4.0 began to address these issues by allowing Web applications to be launched outside the IIS server process. In this configuration, if a Web application fails, it affects only the other applications launched in that environment. IIS 5.0 takes this further by pooling similar applications separately from the server service. Another significant improvement seen with IIS 5.0 is the way in which the service is restarted. Before this version of IIS, if there was a system failure, the computer would have to be restarted. In IIS 5.0, however, the service and all its components can be restarted without taking the server down.

IIS is installed by default during a new Windows 2000 Server installation and will be installed during an upgrade if an earlier version of IIS, Peer Web Services, or Personal Web Server is detected on the existing system. If IIS is not detected during an upgrade, however, it will not be installed.

IIS and its components can be installed and removed through the Add/Remove Windows Components Wizard in the Add/Remove Programs utility in Control Panel. If TCP/IP is not already installed before the installation, it will be installed automatically and configured to utilize DHCP for addressing. As part of the installation process, the Default Web Site, Administration Web site, Default SMTP Virtual Server, and Default FTP site are created.

Once installed, IIS can be managed through two versions of the same interface, each found in either Administrative Tools or in the Computer Management utility. When configuring IIS from the server console or from another Windows 2000 system, use the Internet Information Services utility in Administrative Tools. Like other MMC-based interfaces, the Internet Information Services tool can be used to remotely access and configure servers.

The same snap-in is included in the Computer Management utility under Services and Applications. It's important to note that earlier versions of the MMC utility were called Internet Services Manager. You may still see this name associated with IIS management, depending on the method used to install or upgrade the server.

As an alternative to the snap-in, IIS 5.0 includes support for securely accessing and managing the server across the Internet via a Web browser. Referred to as Internet Services Manager (HTML), it is a Web site that is automatically created when IIS is installed. You can launch the HTML version of the management tool from the snap-in by right-clicking the Administration Web site link and selecting Browse. IIS 5.0 secures this site by randomly choosing a port number when the site is created and by requiring authentication before granting access. To use Internet Services Manager (HTML) without launching it from the snap-in, you must know the port number assigned to the Administration Web site. Right-click the site link and select Properties. Figure 3.9 shows the configuration properties for the Administration Web site on a newly created IIS server. To use Internet Services Manager (HTML) to manage the server, enter the Web site address and port in this format: http://<server address>:<port number>. You will be prompted to provide a login name and password.

Figure 3.9 The Properties settings for the Administration Web site on an IIS server.

Although the Internet Information Services utility and the Internet Services Manager (HTML) Web site offer nearly identical functions, not all options are available through Internet Services Manager (HTML). For example, both interfaces allow you the ability to stop, start, pause, and resume individual sites, but only the Internet Information Services utility lets you stop and start IIS itself.

Among the other enhancements in IIS 5.0 are the ability to delegate administration tasks to other users, process accounting to ensure that Web site scripts are not consuming processor time, custom error messages for the sites, enhanced command-line utilities that allow for greater site automation, support for the FTP Restart protocol, which lets an interrupted file transfer resume from the partial download rather than start over, and support for HTTP compression, which increases transmission speeds over the Internet. From an administration standpoint, backing up and restoring the IIS server's configuration is easier than ever; the option is available in both management tools. To back up a server's configuration, select the server in the Internet Information Services snap-in and choose Backup/Restore Configuration from the Action menu. In the HTML version of the manager, the link is at the bottom of the main page. In addition, because IIS integrates closely with Windows 2000, it can use Dfs to synchronize files among servers.

IIS Security

Discussed briefly earlier in the chapter, IIS 5.0 includes comprehensive internal security capabilities to keep intruders away and keep the information on Internet sites secure. This security structure is based on an extensive list of industry-standard security protocols and authentication methods.

One of the most stringent standards IIS 5.0 adheres to is Fortezza, which satisfies the very strict Defense Messaging System security architecture. Fortezza employs cryptography that ensures message confidentiality, integrity, and authenticity, while controlling access to the messages, components, and systems. Note, however, that the Fortezza standards are only used when IIS 5.0 is implemented on a server and PCMCIA hardware and browser software are on the client computer.

IIS also supports Secure Sockets Layer (SSL) 3.0, which has been adopted as an industry standard for authentication over the Internet. SSL relies on certificates to provide the encryption algorithms. Transport Layer Security (TLS) is based on SSL, but it performs encryption at a lower level in the process, which improves performance, and in such a way that a programmer decrypting a message does not require the key code from the sender. It is expected to lay the groundwork for a truly secure public network. Public-Key Cryptography Standard (PKCS) #7 and PKCS #10 are enhanced security protocols that are also supported by IIS 5.0. They define the format for encrypted data (digital signatures are a good example) and for requests for certificates made to certification authorities.

IIS 5.0 Authentication Methods

IIS has supported two primary authentication methods for some time: Basic and Integrated Windows. As mentioned in the WebDAV discussion earlier in the chapter, Basic Authentication requires users to provide a user name and password to access a site, but this information is not encrypted for transmission. Because Basic Authentication is part of the original HTTP 1.0 standard, it is supported by most Web-enabled products, which almost guarantees that the client device will be able to respond to the request for authentication information. However, because the password is not encrypted, it could be intercepted during transmission and used to gain unauthorized access to the site.

Integrated Windows Authentication, previously Windows NT Challenge/Response, uses NTLM to authenticate older browsers with IIS servers, and uses the industry standard Kerberos v5 for authentication with supported browsers. Integrated Windows Authentication should only be used if Anonymous access has been denied and the IIS server is not behind a proxy server.

Digest Authentication is a new process for ensuring secure transmission of the credentials between the client and server. It functions in much the same way as Basic Authentication, but the authentication credentials are passed through a one-way process called hashing. The result is a message digest (a hash) that masks the original text of the message. The server also supplies additional information that is mixed into the hash, so that an intercepted digest could not be reused. Perhaps the biggest benefit, however, is that Digest Authentication is part of HTTP 1.1 and can be transmitted seamlessly across proxy servers.
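The contrast between the two schemes, as an added example that is not from the book: a captured Basic header yields the password directly, whereas a captured Digest response is a hash bound to the server's challenge and cannot be replayed against a new one. Digest is computed as in RFC 2617 (MD5, qop=auth); the user, realm, URI and nonce values are constructed for the example.

```python
# Added example (not from the book): what a captured Basic credential reveals
# versus what a captured Digest response reveals. Digest follows RFC 2617
# (MD5, qop=auth); the sample user, realm, URI and nonces are constructed here.
import base64
import hashlib
import secrets


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header that Basic Authentication sends with a request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic(header: str) -> tuple[str, str]:
    """Anyone who reads the request recovers the password: base64 is encoding, not encryption."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """Client side of Digest Authentication (RFC 2617, qop=auth).

    The password only ever enters a one-way hash (HA1); the server nonce and the
    client cnonce are mixed in, so the result is bound to this particular challenge.
    """
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, cnonce, nc, response):
    """Server side: recompute from the stored HA1; no clear-text password is needed."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return secrets.compare_digest(expected, response)


def demo():
    # Constructed sample values for the walk-through.
    user, password, realm = "alice", "Circle Of Life", "intranet"
    method, uri = "GET", "/reports/index.html"

    # 1. Basic: the intercepted header is the password.
    captured = basic_header(user, password)
    basic_leaks = recover_basic(captured) == (user, password)

    # 2. Digest: the server issues a fresh nonce with each challenge.
    nonce = secrets.token_hex(16)
    cnonce = secrets.token_hex(8)
    response = digest_response(user, realm, password, method, uri, nonce, cnonce)
    stored_ha1 = _md5(f"{user}:{realm}:{password}")  # what the server keeps on file
    accepted = verify_digest(stored_ha1, method, uri, nonce, cnonce, "00000001", response)

    # 3. Replaying the captured response against a new challenge fails.
    new_nonce = secrets.token_hex(16)
    replayed = verify_digest(stored_ha1, method, uri, new_nonce, cnonce, "00000001", response)

    return {
        "basic_leaks_password": basic_leaks,
        "digest_accepted": accepted,
        "digest_replay_accepted": replayed,
        "password_in_digest": password in response,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```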

Managing IIS Servers

As mentioned, IIS is managed through one of the Internet Information Services utilities, either the MMC snap-in or the HTML version. A Web or FTP site's configuration settings are accessed by selecting the site, then choosing Properties from the Action menu. The settings on the Home Directory tab, discussed in the earlier WebDAV section of this chapter, are of particular importance. Of note as well are the options available on the Directory Security tab, which is where the authentication control method is defined and IP address restrictions are enforced. Click Edit in the "Anonymous access and authentication control" section to specify whether to allow anonymous access, and define the authentication method for the site—Basic, Digest, or Integrated Windows.

Virtual directories are used to link Web sites to folders outside the home directory. When a user accesses the Web site, the contents of the virtual directory are presented as though they were contained in the home directory. A virtual directory assigns an alias to the destination folder, allowing for a more secure Web site and easier administration. Virtual directories are more secure because the users cannot determine the actual location of the files in the virtual directory. Without virtual directories, moving files and folders that make up a Web site requires changing the URL links to the folders. Using virtual directories simplifies the process because it is no longer necessary to change the URL on the Web site, but merely to change the mapping between the alias and the folder.

Virtual directories are created through the Virtual Directory Creation Wizard, which is launched from the Internet Information Services snap-in by selecting the Web site, right-clicking, selecting New, and then selecting Virtual Directory. In Internet Services Manager (HTML), virtual directories are created through the IIS New Site Wizard. To launch the wizard, select the Web site, then click New in the left pane. Click Next, select Virtual Directory from the list of options, then click Next again. Enter the alias for the virtual directory, click Next, and then enter the path for the virtual directory. Click Next, select the permissions to assign to the alias, and then click Finish.

Hosting Several Sites on One IIS 5.0 Server

IIS includes three features that allow hosting multiple sites on a single server: port number assignment, multiple network adapters with separate IP addresses, and multiple IP address/domain name combinations assigned to a single network adapter using host header names. The decision on which option to use depends on the server's hardware capabilities and the structure of the network. Even though the sites are hosted on the same server, they each have their own security configurations, which allows administrators greater flexibility in assigning management responsibility.

Although the properties for sites hosted on an IIS server can be configured individually, they are initially established from the server's Master Properties values for the Web and FTP services. To configure the Master Properties for IIS, select the server in the Internet Information Services tool and choose Properties. After sites have been established, their properties can be configured individually. Site components such as virtual directories or files can be configured to inherit the settings from the parent object. If a lower-level object has been configured manually, updates made to the properties of the site will not be passed on to that component automatically; instead, you will be prompted to choose whether to change the setting for each affected component.

Individual Site Management in IIS 5.0

Individual site management is assigned to a special group called Operators. By default, members of the local group Administrators are identified as Operators for IIS sites, but this can be changed for new sites at the Master Properties level, as well as within each of the individual site configurations. Although members of the Operators group have administrative control over their site, they cannot change settings that affect IIS functions or the Windows 2000 server itself.
