In "IIS Overhauled in Version 6.0," April 2003, http://www.winnet
mag.com, InstantDoc ID 38285, I describe Microsoft Internet Information Services (IIS) 6.0 installation and the Web server's new architecture. IIS 6.0 also has a surprising number of new features. A handful of these features are so interesting that they capture nearly all the attention. In this second installment of my two-part look at IIS 6.0, I review a couple of these "stars" but also shine some light on a variety of IIS 6.0's lesser-known, but nevertheless significant, improvements.
Security
A peculiar thing happens at Microsoft from time to time. The company gets fed up with a problem in one of its products and solves it. For example, after releasing Windows NT 4.0, Microsoft was hammered with stability complaints. When the company released Windows 2000, the OS was praised for out-of-the-box stability. IIS 5.0, which is installed by default on Win2K servers, is a mammoth security risk until properly secured. IIS 6.0 isn't installed by default, and when you do install it, the Web server renders only static content. Thus, IIS 6.0 presents a much-reduced security risk, even if problems with IIS 6.0 application engines and components crop up later. Additionally, Windows Server 2003 has a new group policy: Prevent IIS installation. You can use this policy to prevent Windows 2003 from installing IIS 6.0 on servers in an Active Directory (AD) forest that aren't intended to be Web servers. The policy will help prevent rogue and possibly insecure IIS servers from popping up on the network. Note that this policy works only on Windows 2003 servers for the time being and won't prevent Windows XP Professional Edition or Win2K from installing IIS 5.0.
Of course, the fact that IIS 6.0 doesn't render dynamic content out of the box automatically creates the second most frequently asked question about IIS 6.0: "Why isn't my server delivering Active Server Pages (ASP)?" (As I mentioned in "IIS Overhauled in Version 6.0," the most frequently asked question is, "Can IIS 6.0 be installed on Win2K Server?" The answer is no.) To permit programs to run under IIS 6.0, you use a new feature named Web service extensions. (The name implies some kind of relationship with XML Web services, but no connection exists.)
To add or enable a Web service extension for a program, open IIS Manager (formerly Internet Services Manager—ISM); select Web Service Extensions, as Figure 1, page 70; shows, and click Add a new Web service extension to start a wizard that creates a new rule. Assign the rule a name, then navigate to the executable you want to allow. You can use the iisext.vbs script in \system32\inetsrv to manipulate Web service extension settings.
In Figure 1, notice the Web service extensions All Unknown ISAPI Extensions and All Unknown CGI Extensions. By default, these two entries are set to Prohibited, meaning that unless you specifically permit an application to run on IIS 6.0, it won't. If a user requests a file that isn't mapped to an enabled process, IIS 6.0 returns HTTP Error 404 File or directory not found to the user and records 404.2 Denied due to lockdown policy in the W3SVC log. The 404.2 and other substatus codes are available in IIS 6.0 as an option for the W3SVC log file to aid in troubleshooting. (Substatus codes exist in IIS 5.0 and Internet Information Server—IIS—4.0, but IIS doesn't record them in the W3SVC logs. You can route them to custom error pages for special processing.) The IIS 6.0 substatus codes are helpful because they provide details about the problem: for example, 403.18 Forbidden — Cannot execute request from this application pool; 403.20 Forbidden: Passport Login failed; and 404.3 Not Found - Denied due to MIMEMAP Policy. These and other errors are also mapped to a custom error page that doesn't reveal the substatus code to the user, so potential intruders can't exploit the information.
Another security enhancement is the ability to designate a Cryptographic Service Provider (CSP) that helps integrate hardware-based Secure Sockets Layer (SSL) accelerators with IIS 6.0. Moving the task of encryption from the server's general-purpose CPU to dedicated hardware optimized for this purpose can greatly improve performance. To designate a CSP, select the Select cryptographic service provider (CSP) for this certificate check box when you use the IIS Certificate Wizard to create a certificate request. You will then see a list of Available Providers from which you can choose. If you're using an encryption device, the vendor will provide the name of the appropriate CSP.
The Metabase
In IIS 6.0, Microsoft has abandoned the binary file structure of the IIS 5.0 and IIS 4.0 metabase that chained the metabase to the server on which it was created. The IIS 6.0 metabase consists of a pair of XML files: Metabase.xml contains the settings for the IIS 6.0 server, and mbschema.xml contains the metabase schema. A new feature in IIS Manager lets you save a copy of the metabase by right-clicking Web Sites and selecting All Tasks, Save Configuration to a File. You then provide a filename and path for the metabase backup. When you save the metabase in this way, IIS 6.0 uses the machine key of the system to encrypt some metabase parts. Consequently, the metabase backup is useful only on the machine that created the backup. However, you can also select the Encrypt configuration using password check box to encrypt the exported metabase file with a password that you provide. When you do so, IIS 6.0 substitutes the password you provide for the machine key and you can import the metabase file to another server by providing the same password. If you want to automate metabase backup, you can use the iisback.vbs and iiscnfg.vbs utilities in \windows\system32.
In some cases, you might want to save the configuration of an application pool, Web site, or virtual directory without saving the entire metabase. To do so, right-click the object whose configuration you want to save and again select All Tasks, Save Configuration to a File, as Figure 2 shows. If you plan to import the settings to another server, provide a password to encrypt the file.
Previous
Register
