Internet Information Server 4.0
-
Administration
-
MMC - Microsoft Management Console
Properties are inherited through the site hierarchy (Site, Directory
and Files), unless specified otherwise in the individual property
sets of the lower level items. For example, Site settings will
be inherited by the directories and files beneath them.
A web site operator is an individual who has limited
administration rights on an individual website. This administrator
only has the rights to change website settings, not IIS settings.
Web site operators can be assigned to a website by accessing
the website's properties, clicking the Operators tab, and adding
the proper user accounts in the web site operator window.
The MMC can stop, start and pause services.
To stop, start or pause services, either:
A) Click the respective stop, start or pause icon in the
toolbar menu.
B) Right-click the service you would like to affect, and
click Start, Stop or pause.
To administer IIS remotely through the HTML Administrator, include the
administration port in the URL, for example: http://www.cramsession.com:6967/iisadmin/
-
Authentication
-
Authentication methods available:
- Allow Anonymous - Any visitor can access your site; requests run as the
IUSR_ComputerName account.
- Basic - Sends the user name and password with each request, Base64-encoded
but not encrypted, so they can be read off the network.
- Windows NT Challenge/Response - Verifies the user's Windows NT logon against
the domain account database (User Manager) without sending the password over
the network.
- SSL Client Certificate - A certificate installed on the client system is
used for authentication.
If user access rights are changed while IIS is loaded,
you must either wait 15 minutes for the change to happen, or stop
and restart the corresponding service for an immediate change.
Web users are prompted for authentication only when
either:
- Anonymous access is disabled.
- Anonymous user is denied access to a resource.
When Challenge/Response is the only method enabled, a browser that does not
support it (a non-Microsoft browser) receives an Access is Denied error.
If your users' browsers support only Basic authentication, leave Basic
enabled in IIS, or the site becomes inaccessible to them.
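The 401 negotiation described above, as an added example (Python, not from the original page and not anything shipped with IIS). The site configurations, realm string, client method sets and sample credentials are constructed, and NTLM's multi-message exchange is collapsed to one accepted header for illustration. It shows the three outcomes the notes describe: anonymous access tried first, a Basic-only browser denied by a Challenge/Response-only site, and Basic credentials readable by anyone on the path.

```python
import base64
import binascii

# Constructed site configurations; these mirror the Directory Security check
# boxes of a web site.
SITE_NTLM_ONLY = {"allow_anonymous": False, "basic": False, "ntlm": True}
SITE_BASIC_AND_NTLM = {"allow_anonymous": False, "basic": True, "ntlm": True}
SITE_ANONYMOUS = {"allow_anonymous": True, "basic": False, "ntlm": True}

REALM = "www.example.com"  # assumed realm string
# Constructed Basic header for alice:s3cret (what a Basic-only browser sends).
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()


def challenges(site):
    """WWW-Authenticate values a 401 response carries for the enabled methods."""
    out = []
    if site["ntlm"]:
        out.append("NTLM")
    if site["basic"]:
        out.append(f'Basic realm="{REALM}"')
    return out


def decode_basic(authorization):
    """Recover (user, password) from a Basic Authorization header.

    Base64 is an encoding, not encryption: anyone who captures the request
    reads the password. Returns None for a malformed or non-Basic header.
    """
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("latin-1")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def handle_request(site, headers, client_methods, anonymous_allowed_on_resource=True):
    """Decide one request the way the notes describe IIS doing it.

    Returns (status, reason, response_headers). Anonymous access is tried
    first; the client is only prompted when anonymous access is disabled on
    the site or denied on the resource.
    """
    if site["allow_anonymous"] and anonymous_allowed_on_resource:
        return 200, "OK (anonymous, IUSR_ComputerName)", {}

    auth = headers.get("Authorization", "")
    scheme = auth.split(" ", 1)[0].lower() if auth else ""
    if scheme == "basic" and site["basic"]:
        creds = decode_basic(auth)
        if creds is None:
            return 400, "Bad Request (malformed Basic credentials)", {}
        # A real server would now check the password; the point here is that
        # it arrived in clear text.
        return 200, f"OK (Basic, user {creds[0]!r}, password visible on the wire)", {}
    if scheme == "ntlm" and site["ntlm"]:
        # Real NTLM is a three-message exchange that never sends the password;
        # collapsed to a single accepted header here (assumption).
        return 200, "OK (Challenge/Response, password not sent)", {}

    offered = challenges(site)
    usable = [c for c in offered if c.split(" ", 1)[0] in client_methods]
    if not usable:
        # A Basic-only (non-MS) browser facing a Challenge/Response-only site.
        return 401, "Access is Denied", {"WWW-Authenticate": offered}
    return 401, "Unauthorized", {"WWW-Authenticate": offered}


if __name__ == "__main__":
    print(handle_request(SITE_NTLM_ONLY, {}, {"Basic"}))
    print(decode_basic(SAMPLE_BASIC_HEADER))
```

Run it and compare the NTLM-only site against the Basic-and-NTLM one with a client that only knows Basic: the first answers "Access is Denied", the second offers a Basic challenge, and the decoded header shows why the notes recommend Challenge/Response for WWW.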
IIS read permission allows the visitor to read or
download files.
You must provide a user name and password for directories
that are located on an NTFS partition on a remote server.
To avoid passing user IDs and passwords over the network,
use Challenge/Response for WWW and allow ONLY anonymous logons for FTP
(FTP sends passwords in clear text).
Remote virtual directories require an NT user account
that can access them.
If IIS is located on server1, a virtual directory is located on
server2, and the two systems do not share a common NT domain, you
must create an identical user account (same name and password) on
both server1 and server2.
Client certificates can be mapped to NT accounts.
NTFS permissions and IIS:
- Content = Read
- Programs = Read and Execute
- Database = Read and Write
To prevent anonymous user access to certain directories:
- Remove guest group from NTFS permission
- Assign IUSR_ComputerName no access
When only anonymous accounts are used in FTP, check
both Allow Anonymous Connections and Allow Only Anonymous Connections
in the Security Accounts tab of the FTP site's properties.
-
WWW
-
There are two ways a user can access a virtual
directory:
- Links.
- Type the alias in the URL name space.
Spaces in virtual directories will cause problems
for older browsers.
If you don't specify the IP address of a virtual
server to a virtual directory, the virtual directory will be seen
by all virtual servers.
When replicating your web site to multiple servers,
use the same name to get to any site. Create separate entries
with the name of the web server as an alias.
The anonymous (default) user account must have the Log on locally right
in order to access the WWW pages on the server.
To improve download time for web pages, increase
the HTTP keep alive time.
Virtual directories on another server:
- Create a share on the remote server.
- Use the UNC path to the remote server and share.
- Enter a user ID and password to connect with.
- The remote server must be in the same domain; otherwise create a user
account with the same name and password, with access, in both domains.
You can only create one home directory per virtual
server.
A scripts directory under a virtual home directory
handles the scripts for that virtual home directory.
A common scripts directory not assigned to a virtual
home can handle scripts for all virtual servers.
Virtual directories are referenced by alias names.
The alias is tied to a virtual directory in the directory tab.
If you delete the IISadmin virtual directory on
the server that you are administering, you'll be unable to use
the HTML administrator.
-
FTP
-
To enable directory annotations:
- Insert AnnotateDirectories REG_DWORD=1 in registry.
- Create ~ftpsvc~.ckm in each directory.
Some browsers cannot handle an FTP welcome message of more than one
line, and will report a 404 error.
Changing the TCP Port number within the FTP Site
Properties will require the client to change their FTP software
to the corresponding TCP port in order to connect properly.
Types of FTP directory listings:
- DOS - date, time, size, name
- UNIX - permissions, owner, group, size, date, time, name
-
Ports
-
Service | Port number
--------|------------
FTP     | 21
Telnet  | 23
SMTP    | 25
HTTP    | 80
SSL     | 443
If you change the port number, the client must specify that
port number in the URL to reach the resource.
-
ISAPI/CGI/Perl
-
Execute permission is required for ISAPI and CGI
applications.
Read permission is not required for ISAPI and CGI
applications.
Read and write NTFS permissions are required by ISAPI/CGI
on NTFS volumes.
To enable the server to launch CGI application without
a normal extension, add an entry for application type to registry.
CGI applications cannot run when only using challenge/response
authentication.
CGI requires a new process for each execution.
ISAPI filters - customize authorization, access or
logging.
Perl requires a command interpreter to be installed
on the IIS server.
-
MIME
-
MIME (Multipurpose Internet Mail Extensions) -
Contains a list of extensions and their associated application
mappings.
MIME settings exist in the metabase. The metabase
is similar to the registry, but used specifically for storage
of IIS settings.
The MIME map exists within the MMC - Web Site Properties,
under the HTTP Headers tab. You must stop and start the web site
to allow MIME changes to be recognized.
Add a MIME type in order to permit files with certain
extensions to be treated as files with another extension. For
example, add a MIME type to allow .WEB files to be read as .HTML
files.
-
SSL - Secure Sockets Layer
-
SSL pages are CPU intensive, and take longer to
download.
SSL URLs begin with https:// rather than http://.
Use Key Manager to request and import security certificates.
If two companies (two virtual servers) share the same IIS server, you
will need two SSL certificates, one per company.
You can specify the IP address and port number to
apply the certificate to when importing it into Key Manager (KEYMGR).
You can apply an SSL certificate to a virtual server
that doesn't have IIS installed by specifying its IP address.
Procedure for SSL certificate retrieval and implementation:
1) Generate a key pair file and request file.
2) Request a certificate from authority.
3) Install the certificate.
4) Activate SSL on the site/directory.
-
Error Codes
-
Code | Error description
-----|------------------
401  | Unauthorized; the request requires user authentication.
403  | Forbidden; the server understood the request but refuses to fulfill it, and authentication will not help. Common when a browser without SSL support requests an SSL-enabled page.
404  | File not found; the requested resource cannot be found. A virtual directory with a space in its name is one cause.
500  | Internal Server Error; one cause is an anonymous user account that lacks the Log on locally right.
502  | Bad gateway; can occur when an .IDC file with an incorrect DSN tries to access a SQL database.
-
Logging
-
Logging is enabled per service (WWW, FTP), not per page or file.
Text file logging has minimal performance impact; logging to a SQL
database takes more resources.
You can determine hit counts for a page from the log file.
Only one log file can be created for all WWW virtual
servers.
You can track the logons of anonymous users within the
log file.
-
CONVLOG.EXE - Used to convert IP addresses to DNS
names, and to convert web log files to the NCSA Common Log File
format.
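An added example of what the conversion CONVLOG.EXE performs and the log-based hit counting above involve (Python, not CONVLOG itself and not from the original page). The IIS-format log records below are constructed; the reverse-DNS table stands in for the lookups CONVLOG performs, and HTTP/1.0 is assumed in the request line because the IIS log format does not record the protocol version.

```python
import datetime
from collections import Counter

# Field order of the Microsoft IIS log file format (one comma-separated
# record per line).
IIS_FIELDS = [
    "client_ip", "user", "date", "time", "service", "server", "server_ip",
    "time_taken_ms", "bytes_received", "bytes_sent", "status", "win32_status",
    "method", "target", "parameters",
]

# Constructed sample records. The 401 followed by a 200 is the
# Challenge/Response round trip for CORP\alice; the 404 is a missing file.
SAMPLE_IIS_LOG = """\
192.168.1.1, -, 03/20/98, 7:55:20, W3SVC, SALES1, 192.168.1.2, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -,
192.168.1.1, -, 03/20/98, 7:55:21, W3SVC, SALES1, 192.168.1.2, 110, 171, 4012, 200, 0, GET, /default.htm, -,
192.168.1.7, -, 03/20/98, 7:57:02, W3SVC, SALES1, 192.168.1.2, 80, 180, 0, 401, 5, GET, /private/report.htm, -,
192.168.1.7, CORP\\alice, 03/20/98, 7:57:03, W3SVC, SALES1, 192.168.1.2, 95, 240, 8800, 200, 0, GET, /private/report.htm, -,
192.168.1.7, CORP\\alice, 03/20/98, 7:57:09, W3SVC, SALES1, 192.168.1.2, 70, 171, 4012, 200, 0, GET, /default.htm, -,
192.168.1.1, -, 03/20/98, 7:58:40, W3SVC, SALES1, 192.168.1.2, 60, 150, 0, 404, 2, GET, /missing.htm, -,
"""

# Stand-in for the reverse DNS lookups CONVLOG performs (constructed).
REVERSE_DNS = {"192.168.1.7": "alice-pc.corp.example.com"}

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def parse_iis_record(line):
    """Split one IIS-format record into a dict and parse its timestamp."""
    values = [v.strip() for v in line.strip().rstrip(",").split(",")]
    if len(values) != len(IIS_FIELDS):
        raise ValueError(f"expected {len(IIS_FIELDS)} fields, got {len(values)}: {line!r}")
    rec = dict(zip(IIS_FIELDS, values))
    month, day, year = (int(p) for p in rec["date"].split("/"))
    year += 1900 if year >= 70 else 2000  # the IIS format writes a two-digit year
    hour, minute, second = (int(p) for p in rec["time"].split(":"))
    rec["when"] = datetime.datetime(year, month, day, hour, minute, second)
    return rec


def to_ncsa(rec, reverse_dns=None):
    """Render a parsed record as an NCSA Common Log Format line.

    The IIS format has no protocol version field, so HTTP/1.0 is assumed.
    Unresolvable addresses are left as dotted quads.
    """
    host = (reverse_dns or {}).get(rec["client_ip"], rec["client_ip"])
    w = rec["when"]
    stamp = (f"{w.day:02d}/{MONTHS[w.month - 1]}/{w.year}:"
             f"{w.hour:02d}:{w.minute:02d}:{w.second:02d} +0000")
    return (f'{host} - {rec["user"]} [{stamp}] '
            f'"{rec["method"]} {rec["target"]} HTTP/1.0" {rec["status"]} {rec["bytes_sent"]}')


def convert_log(text, reverse_dns=None):
    """Convert a whole IIS-format log to a list of NCSA lines."""
    return [to_ncsa(parse_iis_record(l), reverse_dns) for l in text.splitlines() if l.strip()]


def access_summary(text):
    """Hit counts per page and anonymous vs. authenticated logons, counted
    over successful (2xx) responses only; 401s and 404s are not page hits."""
    hits, anonymous, authenticated = Counter(), 0, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_iis_record(line)
        if not rec["status"].startswith("2"):
            continue
        hits[rec["target"]] += 1
        if rec["user"] == "-":
            anonymous += 1
        else:
            authenticated += 1
    return {"hits": hits, "anonymous": anonymous, "authenticated": authenticated}


if __name__ == "__main__":
    for ncsa_line in convert_log(SAMPLE_IIS_LOG, REVERSE_DNS):
        print(ncsa_line)
    print(access_summary(SAMPLE_IIS_LOG))
```

The user field is "-" for anonymous requests, which is what lets you count anonymous versus authenticated logons from the same file; the 401 record for /private/report.htm is the challenge round trip and is deliberately not counted as a hit.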
-
Performance Tuning
-
You can limit bandwidth for IIS by clicking the limit
bandwidth box. This limits the bandwidth available for WWW services
(specifically .HTML file transfers), to make more bandwidth available
for other services.
Bandwidth can be limited individually per site.
ASP applications, CGI scripts and databases are CPU-intensive,
in comparison with standard .HTML and FTP file transfers.
Estimate transmission cost by allowing 12 bits per byte (8 data bits
plus 4 bits of protocol overhead):
- e.g. a 56,000-byte file takes roughly 56,000 * 12 = 672,000 bits to transmit.
Upgrade to a faster network architecture (100 BaseT,
FDDI) when the network utilization is over 60%.
-
IIS/SQL
-
.IDC files contain the name and location of the .HTX
file, ODBC datasource name (DSN), SQL statements, and user ID/password
(both optional).
.IDC communications require 32-bit ODBC drivers.
.HTX file is an HTML template to display requested SQL
data.
Changing the transport protocol used between IIS and a SQL Server on a
different machine (so that SQL Server is not reached over TCP/IP)
prevents attackers from accessing SQL Server via TCP/IP.
Three files are required for connectivity between IIS
and SQL:
If IIS and SQL servers are in different domains, either
a trust must be setup between the two domains or the IUSR_WEB
account has to be added to the SQL domain.
A special one-user license (per SQL Server) is required to allow
unlimited Internet access.
If only Challenge/Response authentication is enabled in IIS, users cannot
be logged on to a remote SQL Server, because their credentials cannot be
forwarded a second hop. Use Basic authentication, or install SQL Server on
the same server as IIS.
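An added example (Python, not from the original page) that parses a constructed .IDC file into the fields listed above and audits it for what a reviewer checks first: a DSN and template present, credentials stored in the file, the privileged sa login, and form parameters spliced textually into the SQL statement. The file contents, DSN, table and parameter names are made up, and the audit messages are this example's, not IIS's.

```python
import re

# Constructed .IDC file. Continuation lines of a multi-line value start with "+".
SAMPLE_IDC = """\
Datasource: Web SQL
Username: sa
Password: s3cret
Template: authors.htx
RequiredParameters: sales
SQLStatement:
+SELECT au_lname, ytd_sales
+ FROM pubs.dbo.titleview
+ WHERE ytd_sales > %sales%
"""

PARAM_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")  # %name% form-field substitution


def parse_idc(text):
    """Parse an .IDC file into a dict; '+' lines continue the previous field."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("+"):
            if last is None:
                raise ValueError("continuation line before any field: %r" % line)
            fields[last] = (fields[last] + " " + line[1:].strip()).strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not a 'Field: value' line: %r" % line)
        last = key.strip()
        fields[last] = value.strip()
    return fields


def audit_idc(fields):
    """Return review findings for a parsed .IDC file (this example's checks)."""
    findings = []
    for required in ("Datasource", "Template", "SQLStatement"):
        if not fields.get(required):
            findings.append(f"missing {required}: the request will fail "
                            "(a bad DSN surfaces as a 502 Bad gateway)")
    if fields.get("Password"):
        findings.append("Password stored in clear text in the .IDC; keep the file in an "
                        "Execute-only script directory, not one with Read permission")
    if fields.get("Username", "").lower() == "sa":
        findings.append("connects as sa; use a low-privilege SQL login instead")
    params = PARAM_RE.findall(fields.get("SQLStatement", ""))
    if params:
        findings.append("form parameters spliced into the SQL text (%s); validate each "
                        "value, since it becomes part of the statement" % ", ".join(params))
    return findings


if __name__ == "__main__":
    parsed = parse_idc(SAMPLE_IDC)
    print(parsed["SQLStatement"])
    for finding in audit_idc(parsed):
        print("-", finding)
```

The Password finding ties back to the permissions rules earlier on the page: .IDC files live in a scripts directory with Execute permission, and granting Read there lets a visitor download the file along with any credentials in it.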
-
Index Server
-
Index files occupy approximately 40% of the corpus.
Index Server can search ONE catalog per query.
There are two ways to monitor the performance of Index
Server:
- Performance Monitor
- .IDA script
You can make Index Server merge more frequently by forcing
a merge from the web administration page, or by reducing the maximum number
of persistent indexes in the registry (decrease MaxIndexesValue).
.IDQ are similar to .IDC files, and are used as helper
files to assist in query conversion from WWW. They contain the input
from the HTML form filled in by the user. They specify information
such as:
- Scope of query
- Query restrictions
- Query itself
- Name of .HTX file
Avoid irrelevant Index Server hits by adding noise words
to WINNT\SYSTEM32\NOISE.ENU.
Avoid unwanted hits in Index Server by creating separate
catalogs for each virtual directory with different contents, and associating
separate catalogs with respective virtual servers.
Having separate catalogs in Index Server fixes the "I know the document
is there but my query doesn't return it" problem.
Index Server queries that take too much CPU time return
null results.
Three step filtering process for Index Server:
- Content filtering - Extracts text from the file.
- Word breaking - Identifies words within character stream
- Normalizing - Removes capitalization, punctuation, and noise
words.
Types of indexes:
- Word lists - Words extracted from docs in memory as soon as
document is filtered.
- Shadow indexes - Persistent (stored on disk, not memory) - created
by merging word lists and other shadow indexes.
- Master index - Persistent, highly compressed; contains indexed
data for large number of documents created by master merge. Merges
shadow indexes and current master index.
Can have multiple shadow indexes in a catalog.
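A toy of the three-step filtering and the word-list/shadow-index merge described above, as an added example (Python, not Index Server's code and not from the original page). The documents, the noise-word list standing in for NOISE.ENU, and the one-catalog-per-query layout are constructed; the indexes are plain in-memory dicts rather than Index Server's compressed on-disk formats.

```python
import re
from collections import defaultdict

# Constructed noise words, standing in for WINNT\SYSTEM32\NOISE.ENU.
NOISE_WORDS = {"a", "an", "and", "the", "of", "is", "to", "in"}

WORD_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9'-]*")


def content_filter(doc):
    """Step 1, content filtering: extract text from the file. Documents here
    are HTML-ish strings, so the filter just drops tags (simplification)."""
    return re.sub(r"<[^>]+>", " ", doc)


def word_break(text):
    """Step 2, word breaking: identify words in the character stream."""
    return WORD_RE.findall(text)


def normalize(words, noise=NOISE_WORDS):
    """Step 3, normalizing: remove capitalization, punctuation and noise words."""
    out = []
    for w in words:
        w = w.lower().strip("'-")
        if w and w not in noise:
            out.append(w)
    return out


def build_word_list(doc_id, doc):
    """In-memory word list for one freshly filtered document: word -> {doc_id}."""
    index = defaultdict(set)
    for w in normalize(word_break(content_filter(doc))):
        index[w].add(doc_id)
    return index


def merge(*indexes):
    """Merge word lists and/or shadow indexes into one combined index."""
    merged = defaultdict(set)
    for idx in indexes:
        for w, docs in idx.items():
            merged[w] |= docs
    return merged


class Catalog:
    """One catalog (the documents under one virtual directory). A query
    searches exactly one catalog, as the notes say."""

    def __init__(self, name):
        self.name = name
        self.word_lists = []          # per-document, in memory
        self.master = defaultdict(set)  # persistent-style, built by master merge

    def add(self, doc_id, doc):
        self.word_lists.append(build_word_list(doc_id, doc))

    def master_merge(self):
        """Fold every pending word list into the master index."""
        self.master = merge(self.master, *self.word_lists)
        self.word_lists = []

    def query(self, *terms):
        """Documents containing every non-noise term; word lists and the
        master index are both searched, so merge timing does not hide hits."""
        live = merge(self.master, *self.word_lists)
        wanted = normalize(terms)
        if not wanted:
            return set()  # a query made only of noise words matches nothing
        return set.intersection(*(live.get(t, set()) for t in wanted))


if __name__ == "__main__":
    cat = Catalog("sales")
    cat.add("a.htm", "<h1>The Sales Server</h1> Install IIS on the server.")
    cat.add("b.htm", "An index of the quarterly sales figures.")
    print(cat.query("sales"), cat.query("Sales", "server"), cat.query("the"))
```

Keeping one Catalog per virtual directory is the "separate catalogs" advice from the notes: a query against the sales catalog can never return a marketing document, and a document that lands in the wrong catalog is exactly the "I know it is there but my query doesn't return it" case.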
-
Subnetting
-
Mask (last octet) | Subnets | Hosts per subnet (Class A) | Hosts per subnet (Class B) | Hosts per subnet (Class C)
------------------|---------|----------------------------|----------------------------|---------------------------
.192              | 2       | 4,194,302                  | 16,382                     | 62
.224              | 6       | 2,097,150                  | 8,190                      | 30
.240              | 14      | 1,048,574                  | 4,094                      | 14
.248              | 30      | 524,286                    | 2,046                      | 6
.252              | 62      | 262,142                    | 1,022                      | 2
.254              | 126     | 131,070                    | 510                        | NA
.255              | 254     | 65,534                     | 254                        | NA
Subnet and host counts exclude the all-zeros and all-ones values (2^n - 2),
as in classful subnetting; NA means too few host bits remain for a usable subnet.
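The table above recomputed, as an added example (Python, not from the original page). It goes beyond the table in two ways: it accepts any contiguous mask in the last octet (and rejects a non-contiguous one), and `classful=False` gives the modern count in which the all-zeros and all-ones subnets are usable, while the default reproduces the page's 2^n - 2 figures.

```python
HOST_BITS = {"A": 24, "B": 16, "C": 8}  # host bits left by the default class masks


def mask_bits(last_octet):
    """Number of subnet bits borrowed in the last octet of the mask.

    A valid mask octet is a run of ones followed by zeros; 160 (10100000),
    for instance, is rejected.
    """
    if not 0 <= last_octet <= 255:
        raise ValueError("octet out of range")
    inverted = (~last_octet) & 0xFF
    if (inverted + 1) & inverted:  # inverted must be 2^k - 1, i.e. a low run of ones
        raise ValueError(f"{last_octet} is not a contiguous mask octet")
    return bin(last_octet).count("1")


def subnet_row(last_octet, classful=True):
    """(subnets, class A hosts, class B hosts, class C hosts) for one mask octet.

    Hosts per subnet are 2^h - 2 (network and broadcast excluded); None means
    fewer than two host bits remain, shown as NA in the table.
    """
    n = mask_bits(last_octet)
    if n == 0:
        raise ValueError("no subnet bits borrowed")
    subnets = 2 ** n - (2 if classful else 0)
    hosts = {}
    for cls, bits in HOST_BITS.items():
        remaining = bits - n
        hosts[cls] = 2 ** remaining - 2 if remaining >= 2 else None
    return subnets, hosts["A"], hosts["B"], hosts["C"]


def render_table(octets=(192, 224, 240, 248, 252, 254, 255), classful=True):
    """Plain-text table in the same column order as the notes."""
    def fmt(v):
        return "NA" if v is None else f"{v:,}"

    rows = ["Mask | Subnets | Class A hosts | Class B hosts | Class C hosts"]
    for o in octets:
        s, a, b, c = subnet_row(o, classful)
        rows.append(f".{o} | {s} | {fmt(a)} | {fmt(b)} | {fmt(c)}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table())
    print()
    print(render_table(classful=False))
```

The difference between the two renderings is only in the Subnets column; the host counts are the same because network and broadcast addresses are reserved in both schemes.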
-
ODBC Error Codes
-
- Microsoft OLE DB Provider for ODBC Drivers error "80004005"
[Microsoft] [ODBC Microsoft Access Driver] The Microsoft Jet database
engine cannot open file "(unknown)". It is already opened
exclusively by another user, or you need permission to view its data.
Cause - the user account (usually IUSR_ComputerName) does not have the correct permissions.
Check NTFS and share permissions.
-
- Microsoft OLE DB Provider for ODBC Drivers error "80004005"
[Microsoft] [ODBC Microsoft Access 97 Driver] Couldn't use "(unknown)";
file already in use.
Cause - The database cannot be locked correctly for multiple users
-
- Microsoft OLE DB Provider for ODBC Drivers error "80004005"
[Microsoft] [ODBC Driver Manager] Data source not found and no default
driver specified.
Cause - GLOBAL.ASA file was not properly executed. Check that the file
is in the Application Root for IIS, and that users have Execute permission
for this folder.
-
- Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC
Microsoft Access 97 Driver] General error Unable to open registry key
'DriverId'.
Cause -This error is caused by reading a value from the registry. Check
the permissions on the registry key using the registry editor, Regedt32.exe.
You may also wish to use the Windows NT Registry Monitor to check for
registry read failures.
-
- Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC
Driver Manager] Data source name not ??
Cause - This appears to be an issue with the order in which software
is installed and uninstalled on the computer. If the ODBC core files
become unsynchronized (they should all be the same version) you may
see this error.
-
- Microsoft OLE DB Provider for ODBC Drivers error "80004005"
[Microsoft] [ODBC Microsoft SQL Driver] [dbnmpntw] ConnectionOpen (create
file)
Cause - IIS will use (by default) a Windows NT account called IUSR_Computername.
This account is local to the Web server and is essentially unknown to
any other computers on the network. When IIS, operating under the security
context of the IUSR account, tries to access any resources on a remote
computer, the remote computer tries to validate the account being used.
Since the IUSR account is a local account that is unknown to the remote
computer, access is denied.
-
- Microsoft OLE DB Provider for ODBC Drivers error "80004005"
[Microsoft] [ODBC Microsoft SQL Driver] Logon Failed
Cause - The SQL server denied access to the account attempting to access
the SQL server. Check that the SQL and NT account passwords match, and
that the IIS connection to the SQL server maps the user's name properly.
-
- Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC
SQL Server Driver][SQL Server] Login failed- User: Reason: Not defined
as a valid user of a trusted SQL Server connection.
Cause - Integrated Security is turned on in the SQL Enterprise Manager,
and the Windows NT account being used has not been mapped to a SQL account.
- Try changing SQL to use Standard Security. If running under IIS 4.0,
turn off "Password Synchronization" for that project.