In this chapter
Internet Information Services (IIS) is a collection of programs that make up Microsoft's industrial-strength IIS Web server platform. It's included for free as part of Windows XP Professional. Besides the basic Web (HTTP) server, it also includes a File Transfer Protocol (FTP) server, an Indexing Service for site content searching, FrontPage and Visual InterDev publishing extensions, the ASP script processor, support for sophisticated multitier online transaction services, and a Simple Mail Transfer Protocol (SMTP) mail delivery server.
CAUTION
If you are part of a corporate network, before you go any further, check with your network administrators because policies may prohibit you from setting up a Web site on your own. Many legitimate security concerns are involved, and in some companies, you could be fired for violating established security policies. Check first if you're not sure what's permitted.
While I'm on the subject of warnings, I'll give one more that's important enough that I'll repeat it later in the chapter:
CAUTION
Installing Internet Information Services might sound like fun, but don't install it unless you're really sure you need it and are willing to keep up with its frequent bug fixes and maintenance alerts. IIS has been one of Microsoft's biggest sources of strange and dangerous security flaws. All sophisticated services come with a measure of risk, and IIS is very sophisticated.
Microsoft has produced some tools to help you keep up to date on IIS security. Visit www.microsoft.com/technet. At the left, select Security, Security Tools. Check out the contents of the page. The especially useful parts are the IIS Web Server Lockdown Wizard and the Checklists link. The Checklists link leads to two pages devoted to Internet Information Services 5.0.
I'll take you on a brief tour here. If you already are familiar with the function of Web servers, you can skip on down to “IIS Services and Requirements.”
In the most basic sense, a Web server works like a call desk librarian: When you request a book by name, the librarian looks up the book's location, fetches the desired tome, passes it across the counter, and goes on to the next patron as quickly as possible. If the desired book is not in the shelves, the librarian will say so and again go on to the next client. The interactions are brief and involve no interpretation of the content—that is, the content of the book—passing back and forth.
The roles of a Web server and Web browser are very similar. A Web browser sends a short request message to a Web server. The request is a text string, mostly just the Uniform Resource Locator (URL) that you typed in or clicked. The server turns this “virtual” file name into a real or physical filename and passes the appropriate HTML, image, or other type of file back across the Internet. When the URL refers to an executable program or a script file, instead of returning the file itself, a Web server runs the program and passes back whatever the program generates as its response. The Web browser displays the result.
The translation of the URL filename into a physical filename is generally straightforward. When you set up your Web site, you'll specify which directory contains the documents that you want to publish. The Web site has a home directory, which is the starting point for the translation of URL names into filenames. For example, if the home directory is c:inetpubwwwroot, then the URL filename
/index.html
returns the file
c:inetpubwwwrootindex.html
Any file or folder inside this home directory is available to Web browsers. For example, the URL
/sales/catalog.html
would return the file
c:inetpubwwwrootsalescatalog.html
You can also add other folders on your computer to this mapping, even if they aren't in the home directory or its subfolders. They are called virtual directories because to Web visitors, they appear to be part of the home directory structure, but they aren't physically. You could instruct IIS to share folder c:partlist with the virtual URL name of /parts, so that the URL
/parts/index.html
would return the file
c:partlistindex.html
When IIS is installed, adding a virtual folder to your Web site is a piece of cake: This process is integrated right into Explorer and is just a right-click away.
Web servers can also use a process called redirection, where the server is told to make virtual directory whose content is stored on another Web server. When a Web browser requests a file in a redirected virtual directory, the Web server tells the browser program to go fetch the file from the other server (or an alternate location on the same server). Redirection is useful when you rearrange your site—it lets visitors using an old URL obtain the files they want even though they're stored in a new location.
In Web-speak, a home page is a URL that lists a server name but no filename, like “www.brainsville.com.” So what does an empty or home page URL map to? For example, what file does www.brainsville.com refer to? You might guess that it corresponds to just the name of the server's home directory:
c:inetpubwwwroot
Indeed, it does, but this doesn't tell the server what content to return. The Web server has to look for a default document, the file that is to be returned whenever a URL names a folder but not a full filename. IIS looks first for a script file named default.asp. Failing that, default.html or default.htm will do. If a file by one of these names exists, it's returned as the content for this folder. If no default document can be found and “directory browsing” has been enabled for the folder, IIS simply returns a listing of all the files in the folder. Otherwise, it gives up and returns an error message.
Web browsers must be told how to interpret the content returned by the server. They don't know in advance whether they're going to get HTML text, a Microsoft Word document, an image, or something else. Windows determines a file's type from the end of its filename—for example, .doc or .html, but this system isn't used by other operating systems, and the Web was designed specifically to encourage cooperation between different computers and operating systems. So, a standardized naming scheme was developed for the Web. Web browsers get file type information from the Content-type field returned in the response header. This information is called a file's MIME type.
NOTE
MIME stands for Multipurpose Internet Mail Extensions. Prior to MIME, there was no standardized way to encode or name message content other than plain ASCII text.
MIME type names are agreed-upon Internet standards, and it's the Web server's job to know how to label each of the files it shares. When it's sending out files, IIS uses the Windows File Types Registry to map file types like .doc and .html into MIME types, and you can add to the list any special types of files you share.
When a URL refers to a program file, a Web server either can send you the program file itself, which you can save or run on your computer, or it can run the program on its side and return the program's output to you. Whereas Web pages stored in HTML files are static, and only change when their owner edits them, dynamic Web created by programs are generated from scratch every time they're viewed, and thus can contain interactive, up-to-the minute information. Programs on the server's side can do virtually anything: search libraries, access your bank account, buy airline tickets, or move robots on the moon, and then return the results to you as a Web page. In fact, this flexibility is the crucial feature that made the World Wide Web cause such a sensation and made the Internet explode into a global phenomenon.
These programs are generically called CGI (Common Gateway Interface) programs, or server-side scripts, when written in a language such as ASP, Perl, JavaScript, VBScript, or another interpreted language supported by the Web server. Useful CGI programs and scripts can be created with programming know-how, or can be purchased or downloaded from the Net. For IIS, the distinction between “send the program file itself” and “run the program and return the output” is made by changing a Web folder's read, script, and execute attributes. Folders with the read attribute treat scripts and executable programs as data to be returned directly. With the script or execute attribute, scripts and programs, respectively, are run on the server, and their output is sent back to the person visiting your site.
Just to reassure you, you don't need to take advantage of all this complexity if you just want to publish some simple Web pages and make files available to Web visitors. IIS can publish Web pages out-of-the box with no programming.
IIS version 5.1 is included with Windows XP Professional, but not Windows XP Home Edition. Version 5.1 has some minor improvements over version 5.0, which ships with Windows 2000. IIS 6.0 ships with the Windows Server 2003 products. At any rate, the version of IIS in Windows XP Professional has the same capabilities as its server-based brethren, with two major differences.
First, the license agreement for Windows XP Professional restricts the use of your computer and any services it hosts to a maximum of 10 concurrent connections.
Second, the software does not support multiple, separate Web sites with different names, hosted by one computer (that is, it does not support multiple virtual domains).
The bottom line is that it's legal to use Professional only for a low-volume site. Practically speaking, unless you're selling Viagra online or you get listed on Yahoo!'s Cool Site of the Day, you probably don't have to worry about this point.
Before going any further, I should say: If you can get the hosting services you need from your Internet service provider (ISP), your corporate IS department, or just about anyone else, you might not want to bother with setting up your own Web server! There's no glory in hosting your own Web site, just hard work. Web servers at an ISP will have faster connections to the Internet, are probably backed up every night, and some poor soul with a pager tied around his neck is probably on call 24x7 in case something goes wrong with the server. With low-volume Web sites to be had for as little as $5 U.S. a month, including domain name service (DNS), mailboxes, FTP, and FrontPage support, taking this project on yourself hardly seems worthwhile.
Hosting a public World Wide Web site requires domain name service, which Windows XP Professional alone doesn't provide. Therefore, if you want your site to be accessible as www.mysite.com, you still need someone else or an add-on product to provide DNS support. This support alone can cost nearly as much as a full-service Web site package, although there are free and discounted DNS services too.
On the other hand, you might want to install IIS if you
Want to host in-house communication within your company or workgroup.
Want to share files or your printer over the Internet using Web Sharing.
Develop custom Web programs or scripts, or use CGI programs that an ISP can't or won't provide.
Want to write and preview Web pages and applications before deploying them to an online site.
Think that a chance to participate in this global Internet thing is just too cool to pass by, no matter how much work it is. (I have to admit that this was the reason I set up a Web server.)
Whatever your reason, IIS installed in all its glory will give you plenty to chew on.
IIS is a collection of several independent components, which together provide a full range of Web services. You can install any or all of them.
World Wide Web (HTTP) Service—. The WWW service is the basic component that lets your computer host Web pages. The WWW server supports server-side Java, JavaScript, and ASP scripting. You can add third-party support for Perl, Python, databases, and a host of other services. It's the full-blown IIS 5.1 package except for the limit of 10 connections; also, this version doesn't let you host multiple Web sites—for example, for different domain names—as the Server version does.
In addition, the WWW service gives you Internet Printing capability. The Internet Printing Protocol (IPP) lets you manage and print to your Windows printer from anywhere on the Internet. IPP can be used from Windows 95, 98, Me, NT, XP, and 2000.
File Transfer Protocol (FTP) Server—. FTP lets remote users send and/or retrieve files from specified directories on your computer. FTP is a good interplatform file transfer system but poses some security risks, which we'll discuss in the next section.
FrontPage 2000 Server Extensions—. The FrontPage Extensions allow you to post Web pages and graphics to your server directly from the FrontPage design program as well as Word 2000 and later versions. This capability greatly simplifies the process of copying a set of related files (a web) to the server's “online” directories. The Extensions also add searching and form-posting services to the WWW service, which you can include in your pages. The Extensions obey Windows file security, so you can control who has permission to update files on various parts of your Web site.
NOTE
While the FrontPage program has progressed beyond the 2000 edition, the server component is still named FrontPage 2000 Server Extensions. Don't worry; it's up-to-date.
The Extensions also enable Web Sharing, which lets you share files over the Internet with a high degree of security. Web Sharing lets Internet Explorer versions 5 and higher treat Web folders like regular Windows shared folders. You can view, copy, rename, and delete files over the Internet just as if you were using a local area network (LAN).
If your computer is permanently accessible via the Internet, this may be a good enough reason to install IIS.
Internet Information Services Snap-in—. This management tool permits you to configure and manage IIS from Administrative Tools on the Start menu, or from the Microsoft Management Console (MMC).
Visual InterDev RAD Remote Deployment Support—. Visual InterDev is Microsoft's software development system for sophisticated Web-based services that access corporate database and multitier transactional systems. The Remote Deployment Support service lets VID developers install and test software on-the-fly.
SMTP Service—. SMTP (Simple Mail Transfer Protocol) is the foundation for virtually all email exchange on the Internet. The SMTP Service provided with Windows XP is designed to permit IIS and Windows Scripting Host applications to send mail directly. It is, however, only a delivery system and doesn't provide mailboxes or a Post Office Protocol (POP) service, so it's only half of what you need to host your own email system.
Indexing Service—. The Microsoft Indexing Service automatically builds a database of your Web site's content and gives visitors a way to search for documents by keywords and phrases. It understands Microsoft file formats such as RTF and Word Document format, so searches can locate text in these documents as well as plain text and HTML files. It also respects Windows file and folder security and doesn't list files a remote visitor doesn't have permission to view. The Indexing Service also assists when you choose Search for Files and Folders.
NOTE
Indexing Service is installed by default on Windows XP and it's technically not a subcomponent of IIS. I've listed it here because it works hand-in-hand with IIS.
Extensive online documentation is also available. It's helpful, but IIS is a very big program. If you're going to get serious about Web site management and development using IIS, you might want to look at the following books:
Active Server Pages 3.0 by Example, published by Que
Active Server Pages 3.0 from Scratch, published by Que
Microsoft IIS 5 Administration, published by Sams
All IIS services require you to have a network that uses the TCP/IP protocol. These days, it would be very surprising if you did not because the Internet is everywhere, and you probably wouldn't be reading this book if you weren't either getting connected or already connected to it.
If you only want to make Web pages available to others in your company, your computer only needs to be connected to a local area network. If you want to publish Web pages on the Internet at large—that is, be part of the World Wide Web—you need a full-time Internet connection as well. If your site is available only a few hours a day while you're dialed in to your ISP, then few people will ever be able to see it. Full-time, dedicated service is much less expensive today than it was only a few years ago, and can be had in some areas of the U.S. for under $50 a month. (You can read about Internet connectivity in Chapter 8, “Internet and TCP/IP Connection Options,” and Chapter 19, “Connecting Your LAN to the Internet.”) For global availability, you'll also need Domain Name Service, which I'll discuss in the next section.
TIP
IIS requires lots of memory. Don't even think of installing it on your system unless you have 256MB of memory or more.
Finally, your computer should use NTFS-formatted disks so that Windows can use its file security features to protect both your programs and Web data.
Note
→ If you want to learn more details about choosing the best file system (NTFS, FAT32, or FAT) for your Windows XP Professional installation, see “Choosing a File System: FAT, FAT32, or NTFS?,” p. 86.
If you plan to use IIS just to develop and test Web pages, or if you want to share pages on a home, office, or corporate network, you don't have to worry about your computer being visible to the Internet at large. But if you want to host a public Web site with Windows XP Professional, you'll need to arrange for an entry in the Internet's Domain Name Service so that people can find your site using a standard name like www.myfamouswebsite.com. This is the link between your Web site's name and the public IP address of your Web server. Getting this set up is beyond the scope of this book, but here are a few tips:
If your network has Windows 200x or NT Server, your network administrator can probably set up domain name service for you because a DNS server is included with these Server versions. Your site can use your company's domain name, or they might be willing to host an alternate domain name for you.
If you use an always-on Internet connection like a cable modem, DSL service, satellite, or other dedicated link, you may want to see if you can get a permanent, static IP address from your Internet provider. (Some providers won't do this, and some will levy an additional charge.) This will make your life easier, as the link between your domain name and your IP address can be set once and left alone.
Your ISP may provide you with domain name service, or you might be able to buy this type of service from a commercial Web site provider for about $5 U.S. a month. If you have the technical know-how, you might be want to do a Google search for “free DNS service” and check out some of listed providers.
If you use a dial-up connection, logon + password DSL, or DHCP-based cable Internet service, your IP address will change with each connection, and you'll have to use a dynamic DNS service that automatically updates the link between your site's name and IP address every time the address changes. Dynamic DNS service is a little less convenient and reliable, which is why a static IP address is much more desirable. Still, you can check out Dynamic DNS providers like www.dyndns.org, www.tzo.com, and others listed at www.technopagan.org/dynamic.
In any case, you also have to register your domain name with an Internet registry service. The original Internet registrar www.networksolutions.com charges $35 per year. I found registry service for $8 per year, with free (static) DNS included, at www.stargateinc.com and www.godaddy.com. It pays to shop around. The only worry about working with the discounters is that there's no telling if they will still be online next year. If they shut down, you may have a big problem getting your domain name transferred to another registrar.
If you use a shared Internet connection, even if it has a static IP address, you'll also need to configure the sharing software or hardware to direct incoming Web site requests to the computer that's actually running IIS. I'll discuss this later in the chapter, under “Making the Site Available on the Internet.”
IIS is a bulky and sophisticated suite of programs. Although they're not more difficult than they need to be, considering what they do, they're also not “entry-level” programs. They require forethought and oversight to make them useful and to manage the security risk that comes with global accessibility. Two familiar laws of nature come into play here:
As the number of components in a system increases, the number of ways it can fail grows exponentially.
Anything that can go wrong will.
Applied to IIS, these laws mean that you should not install what you don't need. This is not advice to dismiss out of hand! This is a very serious concern: About half of the security problems that were identified in Windows over the last several years were found in IIS and its accessory programs. The problem is that bugs in IIS can let random outside people examine—or worse, modify—files on your computer. Your PC could be taken over and used to commit fraud, send spam, or distribute pornography. The less of IIS you activate, the less of a chance some not-yet-identified security flaw will catch you by surprise.
Enough lecturing, now: What do you need?
The World Wide Web service delivers static and dynamic Web pages and also offers file and document pickup (via Web pages or directory listings), database interactivity, and just about any other sort of information sharing. This is the core of IIS. If you can't or don't want to use a commercial or other hosting service for your pages, or if you want to host Web pages, develop Web applications, or share folders using the Web model, you should install the WWW service.
You should install the FrontPage 2000 Extensions if you want to do any of the following:
Use FrontPage (any version) or Microsoft Office to develop Web pages
Use your WWW service to use FrontPage's searching or form-handling extensions
Copy files to and from your computer via the Internet, using Internet Explorer and Web Sharing
The Extensions provide a way for Web-enabled applications to publish, or deliver, the composed HTML file and graphics to the Web server's online folders. Thus, the author doesn't have to manually drag files into the WWW folders or use the evil FTP service to copy them there. FrontPage Extensions also provide HTML Form processing services, in the form of some special CGI (Common Gateway Interface, or Web server extension) programs that can record or email form responses, as well as index or searching services that let Web site viewers search your Web site for keywords or phrases. They also include as standard equipment a CGI-based Web page system to manage your printers.
NOTE
If you want to learn more information about using the FrontPage Extensions, I recommend that you pick up a copy of Special Edition Using Microsoft FrontPage 2003, published by Que.
TIP
If you use Microsoft Office 2000 or XP for collaborative projects, you might want to use the Office Server Extensions in addition to or instead of the FrontPage Extensions. The Office Server Extensions provide all the functions of the FrontPage Extensions, with additional services for Office users. You can get them with the Microsoft Office XP Pro SE or Developer editions. For more information visit support.microsoft.com and search the knowledge base for “Q235027”.
FTP allows remote users to retrieve or deliver files to your computer. FTP, which is one of the original Internet applications, is available on virtually every Internet-connected system, from mainframe to Macintosh to PC, so it's really handy for file transfers between Windows and non-Windows computers. But the decision to install FTP should not be made lightly because FTP can create some severe security risks.
FTP permits two types of access: anonymous and authenticated. Anonymous access doesn't require a password and should be used to share folders for file-pickup only; you must never allow users from the Internet at large to write files to your computer (lest you find one day that someone has made your computer one of the Internet's prime repositories and distributors of pornography).
You can allow remote users to deliver files to your computer using authenticated access, but FTP doesn't encrypt passwords sent over the Internet, so this method is a security risk. The login name and password used are exposed while they are in transit over the Internet.
In most cases, if you only want to distribute files to the general public, you don't need to install FTP. The World Wide Web service can do the job nicely. The only two reasons to install FTP are as follows:
You need to let remote users pick up files from your computer, and their computers might not have Web browser software.
You need to let remote users deliver files to your computer, and their computers aren't running Windows.
If you decide to install FTP, you must understand the security consequences and take great care configuring the service and the folders it makes public. We'll discuss the risks and configuration issues in excruciating detail later. You might want to read that discussion before you make your decision.
The SMTP Mail service provided with IIS can be used to send email from Web pages, ASP scripts, and FrontPage or Office Server Extensions. However, this is not a good reason to install it. You can configure mail-sending scripts and the Server Extensions to use your company's or ISP's outbound SMTP mail server. The SMTP service doesn't provide you with mailboxes or any of the other user-side services that an email system needs. If you want to host your own email system, you need to purchase a commercial email server such as Microsoft Exchange Server or download a free or shareware mail server system.
The only reason to install the SMTP Mail component is if you want to develop and test applications using the Microsoft Message Queueing (MSMQ) Service.
With the exception of the Visual InterDev RAD Remote Deployment service, the other components of IIS, such as online documentation and the Management Snap-In, are all handy to have. As Martha Stewart would say, “They are good things.” I recommend installing them, and we'll go over their use later.
The RAD Remote Deployment service is a testing tool that's only useful if you are a Visual InterDev developer. Everyone else should skip installing it.
There is also an option for installing a Scripts directory. If you currently use or develop CGI programs or scripts, install the Scripts directory. Otherwise, follow the “if you don't need it, don't install it” rule and leave it out for now. You can always install it later on if you decide you want to develop script programs.
After you've decided which IIS services to install, you'll need to log on as Administrator or as a Computer Administrator user. Then follow these steps:
Click Start, Control Panel, Add or Remove Programs. Select Add/Remove Windows Components from the left pane.
Scroll down the Components list and check Internet Information Services (IIS). Click Details, and deselect any components you have chosen not to install. The following list provides some recommendations for installing IIS:
Component
Should You Install?
Common Files
required
Documentation
yes
File Transfer Protocol (FTP) Server
probably not
FrontPage 2000 Server Extensions
yes
Internet Information Services Snap-In
yes
SMTP Service
optional
Visual InterDev RAD Remote Deployment
optional
World Wide Web Service
required
If you select World Wide Web Service and click Details, you can make additional selections:
Component
Should You Install?
Printers virtual directory
yes
Remote Desktop Web Connection
yes
Scripts Virtual Directory
optional
World Wide Web Service
required
If you change your mind about using any of these services, you can always select Add or Remove Windows Components again later on.
If you want to search the IIS online documentation or want to use site-searching for your own content, be sure that the Indexing Service is also installed. It's listed just above Internet Information Services in the Windows component list.
When you've selected all of the desired IIS components, click Next to complete the Windows Components Wizard. You may be asked to insert your Windows XP Installation CD-ROM.
When the installation procedure is finished—and this is the most important step—click Start, All Programs, Windows Update, and have Windows Update install any available critical security fixes for IIS.
If you want to use the site-searching capabilities of the Windows Indexing service, you'll need to enable the service by following these steps:
Click Start, right-click My Computer, and select Manage.
Open Services and Applications.
Right-click Indexing Service.
Select Start.
When Windows asks if you want the service to start automatically, click Yes.
The Indexing Service builds a database of its default content directories, which include the IIS online documentation and your Web site's home and virtual directories. (It also indexes your own Documents and Settings folder but doesn't make this information available to Internet visitors.) The indexing process will take several minutes, during which you can tour the major components of IIS.
After you've installed IIS, you can take a quick tour of the major components that have been put into place. To do so, first start Internet Explorer, and enter the URL //localhost. Localhost is shorthand for “the IP address of this machine” and will display Internet Explorer's default installation Web page. You will see the default page shown in Figure 13.1. Internet Explorer will also fire up the online documentation for IIS in a separate browser window.
Figure 13.1. IIS serves you a welcome page when first installed. A remote browser, using your real IP address rather than localhost, would see a plain “Under construction” page.
Congratulations! You now have your own Web server. Let's take a look at the built-in pages. If you find them as handy as I did, you might want to add them to your Favorites folder. (You learned how to use Internet Explorer's Favorites folder in Chapter 9, “Browsing the World Wide Web with Internet Explorer.”)
Your Web site can be viewed by other users on your home or office network using the URL http://machinename, where machinename is the name you assigned to your computer. On a corporate LAN, your network manager will set up the necessary DNS information so that your computer can be viewed using a URL like the previous one, or using a more standard http://name.domain format. Later in the chapter I'll talk about making the site available to the Internet at large.
Typing http://localhost/iishelp in the Address bar displays the IIS Online documentation, which has a built-in search and indexing feature. Check this documentation for the latest IIS news, release notes, and detailed instructions. (This documentation is a good place to spend a couple of hours.)
If you chose the “Printers virtual directory” when you installed IIS, you now have a nifty Web-based printer management console. When you type http://localhost/Printers in the Address bar, note that your installed printer(s) and any pending print jobs are listed on the page. Other users on your network can view and use your shared printers by entering the URL http://machine/Printers, replacing the word machine with your computer's actual network identification name, its domain name, or its DNS name—for example, judy.mycompany.com/Printers. Because this page uses Windows user-level security, you must view it with Internet Explorer, and you may not be able to manage the printer if you don't have adequate permissions.
If you are viewing this page from a different Windows XP computer or from a Windows 9x or NT 4 computer with the Internet Printing Protocol add-on (it's available from www.windowsupdate.com), you can also select Connect and install this printer as a remote printer. You'll learn about Web printing in Chapter 18, “Windows Unplugged: Remote and Mobile Networking.”
Right out of the box, IIS is ready to serve up static Web pages and images. If you have files from an existing Web site, or if you can create and edit HTML files yourself, you can simply copy them into the home directory c:inetpubwwwroot and any subfolders you want to create. The default page name is initially default.htm, so give this name to your home page file.
With no further administration or fuss, other users on your network and/or on the Internet can view your Web site, using your computer's Internet domain name or, on a Windows LAN, by viewing http://machinename, where machinename is the Windows name of your computer. (You can find that name by right-clicking My Computer, selecting Properties, and viewing the Network Identification tab.)
You can also use Notepad, FrontPage, FrontPage Express, Microsoft Word, or other editors like Dreamweaver to create Web pages. If you're the impatient type, as I am, you can just follow these steps to build a really quick and dirty home page, just to prove to yourself that you really do have a Web server up and running:
Select Start, Programs, Accessories, Notepad.
Type the following text:
<HTML> <HEAD> <TITLE>This is My Home Page</title> </HEAD> <BODY> <P>Welcome to my completely spiffy new website, hosted by Windows XP! </BODY> </HTML>
Be especially careful to get the angle brackets (< and >) right and to use the forward slash (/), not the backslash ().
Select File, Save As, and enter
c:inetpubwwwrootdefault.htmas the filename. Click OK.View
http:\localhostin Internet Explorer.
Now you have your very own home page. It's not much to look at, but now you can say you've coded Web pages by hand. This will impress people. When you're finished, you can create or copy other HTML documents and images into the wwwroot folder.
IIS can deliver more than static Web pages. I'll talk about dynamic Web pages and scripting in the “Tips from the Windows Pros” section at the end of this chapter.
If you are a Web development professional or want to become one, we recommend the following books as great starting places for learning more:
Special Edition Using Microsoft FrontPage 2003, published by Que
Special Edition Using HTML 4.0, also published by Que
If you want detailed control over access rights in your Web folders, or you have installed the FTP or SMTP services, you should take a look at the Internet Information Services management plug-in. There are three ways to get to it:
Click Start, right-click My Computer, and select Manage. Under Services and Applications, select Internet Information Services.
Open Control Panel and select Performance and Maintenance, Administrative Tools, Internet Information Services.
If you've customized your Start menu so it displays Administrative Tools, just click Start, All Programs, Administrative Tools, Internet Information Services.
Open the Internet Information Services item, and then the entry for your computer, and under this you'll see entries for the specific services you installed: Web Sites, FTP Sites, if you installed the FTP service, and Default SMTP Virtual Server, if you installed the SMTP service. Figure 13.2 shows the manager window with all three services installed.
Figure 13.2. The Computer Management console contains management tools for the FTP server, Web server, and SMTP server.
In this Explorer-like view of the IIS components, you can take complete control of IIS's behavior, down to its treatment of individual files. To get a feel of what is possible, you should look at the Web server's configuration settings. To view them, right-click the Default Web Site entry in the left pane and select Properties. You then are presented with a complex dialog box with eight tabs (see Figure 13.3).
Figure 13.3. On the Default Web Site Properties dialog box, you can control the behavior of the Web server.
As I said earlier, IIS is a complicated program and there are many settings. In my experience, you'll only need to consider a few of them, and it's quite likely that you won't need to make any changes at all. I'll go through some of the more important settings in Table 13.1.
Table 13.1. IIS Web Site Configuration Settings
If you plan to use the FrontPage Server extensions to process forms, or if you plan to send email from forms or scripts, you'll need to make the following settings:
Select the Server Extensions tab, and under Performance, select the approximate number of pages you expect to have on your Web site: fewer than 100; 100 to 1,000; or more than 1,000.
If you plan to use form and email processing with ASP scripts, FrontPage Extensions, and/or Mailing List services with the Office Server Extensions, select Specify How Mail Should Be Sent Settings, and make the following entries:
Web server's mail address: Enter the email address that you want mail sent by your Web site (such as responses from forms) to appear to come from. I use something like “[email protected]”; you'd want to use your own email address.
Contact address: Enter the email address that people should use to report trouble with your Web site. This will appear on error message Web pages generated by Front Page. I use “[email protected]” for this also.
SMTP Mail Server: This is the mail server that will process your outgoing mail. Enter the name of your network's or your ISP's SMTP mail receiver, often something like
smtp.myisp.com. If you've installed the SMTP Mail component, you can enterlocalhosthere.Click OK to close the dialog box.
You also can manage the settings for specific folders listed under the Default Web Site entry, by right-clicking them and choosing Properties. On the Documents tab, you can specify that a given document or folder is to be obtained from a different URL on a different Web server, using a process called redirection. Complex CGI programs called ASP applications are configured here as well.
If you want to add to your Web site a folder that is not inside c:inetpubwwwroot, you can add it as a virtual folder through the Internet Information Services management tool, which I described in the previous section, or through a shortcut feature called Web Sharing.
You can set up Web Sharing using Windows Explorer. It provides a quick and easy way to make a folder available to others through your computer's Web server. To do this, right-click a folder in the Explorer display, and select Properties. You'll see a new tab called Web Sharing—this appears when you've installed IIS. Select the Web Sharing tab, and select Share This Folder. The virtual directory or Edit Directory dialog appears, as shown in Figure 13.4.
Figure 13.4. Here, you can set alias properties for a new virtual directory. The Alias name is the URL name this folder will have.
Enter the URL name you want to use for this folder, and change the Access and Application Permissions check boxes if necessary. For a folder that will hold Web pages and images, check Read. If this folder will also contain scripts and/or CGI programs that you want to have run by the server, check Scripts or Execute (Including Scripts). If you want to let remote users see the contents of the directory in the absence of a default document, check Directory Browsing.
TIP
The best practice is not to enable the Scripts or Execute permissions unless you know you require them.
TIP
To minimize the number of folders requiring Scripts and Execute permissions, use the preinstalled Scripts folder for your scripts and CGI programs.
Remember that as long as the published folders reside on an NTFS-formatted disk partition, Windows file permissions will be in force as well as the permissions you set for Web sharing. If you use Simple File Sharing, you should only use Web sharing on folders that are in your Shared Documents file, so that outside visitors can read the files. If you are on a Windows domain network or are not using Simple File Sharing, you'll need to be sure that you give read permission to the shared folder to Everyone or to IUSR_xxxx, where xxxx is the name of your computer. Simple File Sharing and file permissions are discussed in Chapter 28, “Managing Users.”
If you have installed the FTP service, open the Internet Information Services management tool as described in the previous section, right-click Default FTP Site, and select Properties.
To establish a secure server, make the following settings:
On the FTP Site tab, be sure to check Enable Logging (see the “Log Files” section).
On the Home Directory tab, you can specify the folder in which FTP looks for files.
CAUTION
The FTP folder really should be stored on a disk partition that uses the NTFS format. If possible, you should not use the same disk partition that your Windows folder is on. Software bugs are a fact of life, and bugs in FTP could have very serious consequences. (They've been found before, and bugs are likely to still exist.) Protect yourself by setting up a separate partition just for FTP data. See Chapter 29, “Managing the Hard Disk,” for information on disk partitions.
On the Security Accounts tab, you'll have to decide whether or not to permit access based on account names and passwords. Remember that FTP sends passwords without encryption, so permitting password-controlled access is a security risk. With anonymous access, where passwords are not required, you should let people pick up but not send you files. If you really do need to let people send you files with FTP, you'll have to use password control. Here are the specific things you'll need to do:
If you will use FTP to let people pick up files only, check Allow Anonymous Connections and check Allow Only Anonymous Connections. Be sure that Write permission is not checked on the Home Directory tab or any of its subfolders.
If you want to let people send you files, you should uncheck Allow Anonymous Connections and uncheck Allow Only Anonymous Connections. Select only specific directories to give Write permission. In addition, you should use NTFS- formatted disks, disable Simple File Sharing so you can make user-specific file security settings, and set appropriate user-specific permissions on the folders shared by your FTP server.
You should create “limited” user accounts that are used only for FTP access. Don't use your real Windows logon account to sign on to the FTP server, as it could be picked up by Internet snoopers and used to break into your computer. Instead, give yourself a second identity, and use NTFS security to give both your real Windows account and your FTP-only account read and write privileges to the FTP folders.
On the Messages tab, under Welcome, enter a greeting followed by a warning of this sort:
All access to this server is logged. Access to this server is allowed by permission only and unauthorized use will be prosecuted.
(You might want to consult your attorney to choose the proper wording!)
You can view and disconnect current FTP site visitors from the FTP Site tab of the Default FTP Properties dialog by clicking Current Sessions. You can use Disconnect to remove any of them if, for some reason, you need to terminate their activity on your computer.
If you've installed the SMTP mail delivery service component, you'll need to take a moment to configure it so it can deliver mail generated by your Web sites or MSMQ applications.
Open the Internet Information Services manager as discussed earlier in this chapter (Start, Control Panel, Performance and Maintenance, Administrative Tools, Internet Information Services will do it). Open the Default SMTP Virtual Server entry. Right-click Default SMTP Virtual Server and select Properties, to display the configuration dialog shown in Figure 13.5.
There are four settings you should consider:
Relaying—. Relaying is the process of receiving mail from the outside world, and then sending it on to recipients in the outside world. Mail servers that do this are quickly exploited by people who send “spam,” or junk email. To avoid this, by default, your mail server will not accept outgoing mail from any other computer. If you want it to deliver mail for other computers on your network, you'll have to tell it which computers are allowed to relay. On the Access tab, click Relay, and then Add. Select Group of Computers and enter your computer's IP address and subnet mask. Click OK to close the Add box. This will make the server relay mail for computers on your network but no others.
Message Size—. On the Messages tab, you can configure the maximum message size and maximum number of messages that someone can send at once. You can uncheck all of the “Limit” boxes if you trust the users on your network not to send spam.
Delivery—. By default, the SMTP server will attempt to deliver all mail to all recipients by itself. If you want to give this job to your ISP's mail server, you can tell SMTP to send all mail to a “smart host” for delivery. To do this, on the Delivery tab, click Advanced. Under Smart Host enter the name of your ISP's SMTP server. If you have to authenticate with the server to send mail, click on the Outbound Security button to enter the required name and password.
Receiving domains—. If you want this SMTP server to receive mail, you'll have to tell it what domains are “local.” Mail addressed to any other domains is considered “outside” mail and will be sent out to the Internet. As I mentioned, Windows XP Professional doesn't come with any means of delivering any email that the SMTP service receives. If you devise one, you'll need to configure the local domain list. On the Internet Information Services manager window, select Domains in the left pane. Right-click the default name that appears in the right pane and select Rename. Change the name to your desired domain name, such as “mycompany.com”. This way any mail received for “[email protected]” will be stored rather than sent back out again. You can add additional domains by right-clicking Domains and selecting New, Domain.
By default, IIS services create log files in the Windows directory, usually in WindowsSystem32LogFiles. The Web service log files are in subfolder W3SVC1 and are named exyymmdd.log, where yymmdd are digits indicating the current date. By default, a new log file is created on any day on which Web server activity occurs.
The FTP service follows a similar format, storing its log files in WinntSystem32LogFilesMSFTPSVC1.
You can change the period for changing log files from daily to hourly, weekly, or monthly, or you can base this change on the log file growing to a certain size. To do so, you use the Default Web or FTP Site Properties dialogs. Just locate the Enable Logging check box, and click the Properties button next to it.
The log files are plain ASCII text files that contain a line for each file or page retrieved from the Web server. Each line contains the time, the browser's IP address, the HTTP method used (usually GET), and the URL requested.
If you are interested in analyzing the use of your Web site, several free or shareware analysis tools are available. And, you may want to adjust the list of fields recorded in the log file. Of course, you also can hire hugely expensive consultants for intense analysis of your Web server activity logs for marketing research, but this in-depth analysis is probably more than you want.
CAUTION
While using the Indexing Service can provide great benefits to those using your Web site, it can also provide an open door inviting unscrupulous visitors to perform various nasty things to your Web server and possibly portions of your internal network. Ensure that you have the most up-to-date security patches and hot fixes on your Web server by visiting the Windows Update Web site frequently. For more information on the specific Security Bulletin relating to the Windows XP Indexing Service, see http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx.
If you want to let remote browsers search your Web site for documents of interest, you can install and configure the Indexing Service. This service periodically scours selected Web-shared folders and documents and maintains a list of all the words it finds in them. It actually maintains two separate indexes: one of your whole hard disk, for your use alone, and another of the Web folders for Internet searching. It's also sophisticated enough not to show results for documents Web visitors don't have permission to download. To install this service, follow these steps:
Right-click My Computer and choose Manage. From the Computer Management console, open Services and Applications, and then the Indexing Service section.
Right-click Web, and select Properties.
Select the Generation tab to bring it to the front (see Figure 13.6), and make the following choices:
Check Index Files with Unknown Extensions to include more than the expected .html and .txt files in the index. If you check this option, the Indexing Service will attempt to make sense of every file it finds in your Web folders.
Check Generate Abstracts. This option increases the size of the index in a large Web site but lets the search results return not only a filename but a paragraph or so of text from the beginning of each matching file. You can set the maximum size of this abstract if you want or leave the default setting of 320 characters.
Click OK. The Indexing Service updates the index automatically.
By default, the Indexing Service includes the IIS documentation in its index. You might find this information useful, but visitors to your Web site probably won't. You can open the Directories pane and remove the IIS documentation by selecting all the folders except inetpubwwwroot and any virtual folders you have added, double-clicking them in the right-hand pane, and checking No for Include in Index?
When you specify a folder, all its subfolders are included as well. You can prevent them from being included by specifying a subfolder and marking No under Include in Index.
Enabling the Indexing service only prepares a database of all the words and documents in your site. It doesn't automatically provide your Web pages with a search feature. For that, you'll have to use a Web page editor that can work with the Indexing service through the FrontPage extensions. Microsoft's FrontPage editor, not surprisingly, can do this.
If your computer is on a corporate LAN, your network managers are responsible for making your site available to the Internet at large, if this is permitted at all.
On a home or small office network, as I said earlier, you'll need to arrange for DNS service so that people can type www.yourwonderfulwebsite.org, and their Web browser can figure out how to send the request to your computer.
However, if your computer uses a shared Internet connection, that is, one provided by Internet Connection Sharing or a connection-sharing router device, you'll also have to instruct the sharing service to direct incoming Web server requests to the computer that's running IIS. Otherwise, these requests will stop at the connection sharing computer or router; it won't know what network computer they're intended for.
Connection forwarding is described in “Making Services Available” on page 765 (Chapter 19). For each of the services you've installed and want to make publicly available, you'll need to forward the port(s) listed in Table 13.2 from the sharing service or router to the IIS computer.
With Microsoft's Internet Connection Sharing service on a computer running Windows XP, you can simply specify your computer's name as the target of the forwarded requests. If you use a connection sharing router device, you'll have to enter the IIS computer's IP address. This means that you can't use automatic IP address assignment (DHCP) for the IIS computer because its address could change from day to day, and the forwarded requests would end up going to the wrong computer. You'll have to assign a fixed IP address to the IIS computer.
You can read more about configuring IP address information in Chapter 16, “Creating a Windows XP Pro Network.”
NOTE
If Windows Firewall is enabled on the IIS computer—and unless you are on a corporate domain network, it should be—you will also need to tell Windows Firewall to allow incoming requests through the firewall.
See “Making Services Available” on p. xxx for instructions on configuring the firewall. (Chapter 19). What you'll need to do is to view the firewall's Exceptions tab, and add a Port exception for each of the services you've installed that you want to allow to receive incoming connections. Table 13.2 (page xxx) lists the ports used by each service. Figure 13.7 shows what an exception for the HTTP service would look like.
TIP
You can add exceptions to the firewall from the command line using commands like these:
netsh firewall set portopening proto=tcp port=80 profile=all "Web Server" netsh firewall set portopening proto=tcp port=20 profile=all "FTP Server" netsh firewall set portopening proto=tcp port=21 profile=all "FTP Server"
Simply stated, if your computer is connected to the Internet, it's exposed to millions of people who can reach it in milliseconds from anywhere in the world, many of whom have nothing better to do than to try to break into and damage your computer. They're highly motivated. They want to use your computer to send spam, collect peoples' credit card numbers as part of their fraud operations, and, well, who knows what else. Consider your connection to the Internet like the door to your house, and it's in a rough neighborhood: Never leave the door unlocked (and let's talk about putting bars on the windows).
Dealing with security is a little bit scary, but you can take a few steps to ensure your safety.
Note
→ For a more detailed discussion of keeping your network safe from prying eyes, see “Network Security,” p. 815.
First and foremost, you'll need to keep up on bug fixes and security updates released by Microsoft. Since IIS has full access to your computer, and it's in contact with the rest of the world, it's critical that you keep it up to date. You should be sure that your computer is set up to receive Automatic Updates from Microsoft. You also need to subscribe to the Microsoft security bulletin service so you hear about problems as soon as they're discovered. Sometimes they describe interim precautionary measures you can take before bug fixes are released. You can sign up at www.microsoft.com/security. Click on E-mail Updates.
Your server's file system contributes to the security of data on it. You can do the following:
Use NTFS for any drives containing folders you share using IIS.
By default, Windows puts the Web and FTP data directories on the same drive as Windows. For maximum safety, set up a separate NTFS-formatted drive or partition and use that for your IIS data. You can change the location of the Web and FTP home directories on the Properties pages of these services in the Internet Information Services management tool as I described earlier in the chapter.
If you grant Write permission to any of your Web or FTP folders, you should not use Simple File Sharing. Instead, you should use full user-level security and carefully review and adjust the permissions settings in your inetpub folder and all of its subfolders. By default, Windows assigns new folders Full Control permissions to the Everyone group. Examine folders you create under the inetpub folder to be sure that only authorized users can read and write files there. The user name IUSR_xxxx, where xxxx is your computer's name, is used for anonymous users, so IUSR_xxxx needs read permission in any folder that contains public pages.
Note
→ For information on Simple File Sharing and folder permissions, see “Managing Users,” p. 1063.
Store executable and scripts files in a separate folder from Web pages so that they can be executed but not read. Never check both Write and Script permissions on the same folder: This would let outside people send program scripts to your computer and then run them.
If you want to implement user restrictions to limit access to files or folders in your Web site, the Directory Security tab in the IIS Computer Management plug-in (which you open by right-clicking Default Web Site and choosing Properties) lets you permit or prevent Basic Authentication from being used to view protected Web pages.
Basic Authentication transmits unencrypted usernames and passwords across the Internet. This is a bad thing.
But you get a significant trade-off here. If you don't allow Basic Authentication, no Web browser other than Internet Explorer can view the protected pages. If you do allow Basic Authentication, usernames and passwords are transmitted across the Internet without encryption, which is a significant security risk.
My recommendation is that you not permit Basic authentication. These passwords aren't just for a Web page, remember; they're your Windows XP usernames and passwords, the keys to your computer and network domain. You can mitigate the problem somewhat by creating special limited user accounts that you give out to people who need Internet-based access to your computer via FTP or Web folders; then, if the passwords get intercepted, there is less that an intruder can get away with.
My computer management philosophy is “keep it simple.” The fewer services you run, the less likely that one will be configured incorrectly and become a security liability. Use care in configuring and managing your server. Be sure to read Chapter 21, “Network Security,” for the scoop on securing your computer and network. Here are some additional tips:
Install and run only the services you actually need and use.
Set up a separate disk partition, formatted with the NTFS disk format, and put your inetpub folder there.
Enable auditing of access failures and privilege violations.
Note
→ For instructions on auditing access failures, see “Tightening Local Security Policy,” p. 837.
Back up your system frequently. Include the Registry in your backups, for example, by checking System State in the Backup System Tool or the equivalent in another program.
Run virus checks regularly.
Be sure your computer is behind a firewall (Windows Firewall will do), and that you use a connection sharing router or Windows Internet Connection Sharing. These services help block incoming attacks.
Keep track of the services that should be running on your computer, and watch out for unknown services that may have been installed by rogue software or unauthorized users.
I cannot access my IIS server from another computer.
Go to the computer running IIS, start Internet Explorer, and view the address http://localhost. If you see a Web page, then IIS is functioning. If you don't, try restarting it following the instructions in the next troubleshooting tip.
A Web browser locates my computer, but the status stays at Contacting Server or Waiting for Response. No Web page is returned.
Use the Internet Services Management tool to stop and restart the IIS Server. Open the Management tool, or locate Internet Information Services in Computer Management. Right-click Restart IIS. Then select Restart Internet Services on machinename and click OK.
The IIS computer can view the Web pages it's serving, but other computers can't.
In this case you most likely have a problem with DNS or with the naming service used on your network. On a home/small office LAN, http://machinename may not work if there is a conflict with the Browser service (a Windows name resolving service that has nothing to do with Web browsing), and this is a common problem. Wait 15 minutes and try again; if that doesn't help, shut all of the computers down, boot up the IIS computer, and then boot up the others.
If you can't get to the IIS site through the Internet, your DNS entries could be wrong, or the forwarding entries on your router or on the computer that is sharing your Internet connection could be wrong. To check, have someone with an Internet connection open a Command Prompt window on any version of Windows and type ping www.yourdomain.com, putting your domain name after the ping command. Have them tell you what IP address the ping command is using. If it's not your site's public IP address, you have a DNS problem.
If the address is correct, your router or Internet Connection Sharing could be forwarding TCP port 80 requests to the wrong computer. Check your IIS computer's IP address (type ipconfig in a Command Prompt window to see what it is), and check that against the your network's forwarding setup screen.
If all that checks out, be sure that Windows Firewall is not blocking the incoming requests. There should be an Exception set up for port 80 on the computer that is running IIS, and the scope should be set to Any Computer. The entry should look something like the one shown in Figure 13.8.
If you are running the FTP service, there should be exceptions for TCP ports 20 and 21. If you are running the SMTP service, and only if you need to accept mail from outside servers, there should be an exception for TCP port 25.
When I click on my links, my browser shows a screen full of random letters and numbers.
Check the file-type to MIME-type mappings on the server and the MIME-type to application viewer on the browser. You can choose File, Save As to save the seemingly senseless information to a file with the appropriate name (for example, XXXX.GIF if you think you have downloaded a GIF file) and try to view it by double-clicking the file in Explorer. If it displays correctly there, then the only problem is the MIME-type mapping.
I have modified a file on my Web site, but the browser still gets the old version.
Click Refresh on the browser. If that trick doesn't work, shut down the browser, restart it, and try again. It's usually the browser's fault. If you still get the wrong version, confirm that you are viewing the correct virtual directory.
As I said earlier in the chapter, the idea of using programs to generate Web pages on-the-fly was the real spark that turned the Internet into a global phenomenon.
The original server-side programs were complex and difficult to write and debug, however, until bright people developed scripting languages for Web servers. Scripting systems put most of the complex stuff into one program that was provided with the Web server. Then, users could write short, easy to manage programs, or scripts, that leverage the power in the main program to do all sorts of interesting and interactive things.
The most common scripting language is Perl, which is very popular in the Unix and Linux world. Perl can be added to IIS so that you can take advantage of the huge pool of already-written Perl programs that are available for free on the Internet. If you know Perl or want to learn, you can download a free Windows version at www.activestate.com. These folks give away Windows versions of Python and TCL as well, two other popular scripting programs, and have a huge library of documentation and free scripts.
Microsoft came up with a scripting system called ASP, which stands for Active Server Pages. (Everything at Microsoft was “Active-something-or-other” for a while there. Now it's .NET this and .NET that.) You can choose what programming language you want use inside: the default is a dialect of Visual Basic, but you can also use JavaScript, Perl, or other languages, if you install the appropriate interpreter programs.
The cool thing about ASP is that you can mix HTML and your chosen script language in the same file. You can use HTML to manage the formatting and static part of the page, and scripting to generate the dynamic part, and it's all there in one place.
ASP scripts can take full advantage of Microsoft COM and ActiveX programming objects. These objects provide a way for scripts to perform very complex functions such as manipulating databases and sending email. You can find loads of useful pre-written ASP scripts on the Internet. For example, check out www.asp-pro.com and click on “ASP” on the left-hand side. Also, take a look at Microsoft's Developer's Web site at msdn.microsoft.com/code and on the left side select Code Samples by Topic, ASP.
As an example of what ASP scripting can do, use Notepad to create a file named time.asp in c:inetpubwwwroot, with this inside:
<HTML> <HEAD> <TITLE>What time is it?</TITLE> </head> <BODY> You viewed this web page at <% response.write time() %>, <% response.write date() %>. </BODY> </HTML>
Then you can view http://localhost/time.asp in Internet Explorer.
Here's what's happening: IIS copies most of the file literally. But stuff in between <% and %> is treated as script code, which are commands written in Visual Basic or JavaScript. In this case, VBScript commands insert the time and date into the HTML file at the server, before it's sent to your browser. To see what I mean, right-click the displayed page in Internet Explorer and select View Source. You'll see what the ASP script generated and send to you.
CAUTION
There are dozens of Web sites that have libraries of scripts that you can download and use. Be very careful when you use a script obtained from these sources. Remember, scripts run as programs on your computer, and can do a lot of damage if they're poorly written or have nefarious stuff built in. For example, several widely used but poorly written scripts that are used to send the contents of HTML forms via email can easily be exploited by spammers to send any message they want to anybody they want. You could find one day that your computer had spent the last week or so sending a few million Herbal Viagra ads. The recipients of those emails won't be happy with you. So, do your research and check out the bug history and credibility of any script you download.