Chapter 3: Configuring a Web Services Infrastructure

Internet Information Services (IIS) 7.0 is very different from its predecessors in earlier versions of Windows. There are core components, such as the World Wide Web Publishing Service (WWW service) and the HTTP listener, HTTP.sys, into which optional modules such as ODBC logging plug in. The Windows Process Activation Service (WAS) is installed as a separate feature. In previous versions of IIS many features were only available to HTTP applications; by separating the process model into WAS, these features are now available to any application hosting Windows Communication Foundation (WCF) services. From a system administrator’s point of view this means that your installation options are more flexible: you are able to control more precisely which role services and features are installed, based on the requirements of the applications running on the server. To perform the exercises described throughout this chapter you need to install the Web Server role, the WAS feature, and the SMTP feature. When you install the Web Server role and each feature, be sure to install all required role services and features. Because of the work you completed in other chapters you have probably already installed portions of the Web Server role and WAS; double-check to ensure that everything is installed. In a production deployment it is unlikely that you would install so many components on a single server; normally you customize the configuration by selecting specific modules. The Add Roles Wizard organizes them into several categories: Performance, Common HTTP Features, Security, Health and Diagnostics, and Application Development. When you launch Internet Information Services (IIS) Manager from the Administrative Tools folder the features are instead grouped by areas, such as ASP.NET, IIS, and Management, as shown in figure 1.

Figure 1: Internet Information Services (IIS) Manager

Specific terms are used to describe the user interface of IIS Manager. The top toolbar is called the Navigation Toolbar; it displays what is currently selected in the Connection Manager Tree, which is the left-hand pane. By default IIS Manager connects to the local host; you can right-click Start Page in the Connection Manager Tree to connect to other servers, sites, and applications. The middle pane is called the Workspace, where features can be grouped by either area or category. What is displayed in the Workspace depends upon what is selected in the Connection Manager Tree and what features are available. The right-hand pane is called the Actions Pane; the commands displayed in it vary based on what is selected in the Connection Manager Tree or Workspace. When you double-click a feature, or select it and click Open Feature in the Actions Pane, the Workspace changes to show you options for configuring that feature. For the sake of brevity in the remainder of the chapter I will simply say things like “Select the Default Web Site and open Authentication” rather than specifying each and every user interface element involved. In this chapter you will learn to:

  • Configure Web applications.
  • Manage Web sites.
  • Configure a File Transfer Protocol (FTP) server.
  • Configure Simple Mail Transfer Protocol (SMTP).
  • Manage Internet Information Services (IIS).
  • Configure SSL security.
  • Configure Web site authentication and permissions.

Managing Internet Information Services

You can configure IIS servers using three methods: with IIS Manager, from a command prompt using AppCmd.exe, or by using Windows Management Instrumentation (WMI). The exam does not appear to place much emphasis on the latter two methods, so this chapter focuses on how to use IIS Manager to configure web applications, web sites, and other aspects of IIS. The Connection Manager Tree lists servers running IIS. Below each server are its application pools, FTP sites, and web sites. Each website contains one or more applications, folders, and files. Most settings can be configured at the server, site, or application level; this section focuses on server-wide management tasks. You can enable and configure remote management by selecting the server, clicking Management Service, and clicking Open Feature. As shown in figure 2, you can specify what kind of credentials are accepted, what IP addresses the service will listen on, what TCP port is used, what Secure Sockets Layer (SSL) certificate is employed for encryption, where to store the Management Service logs, and what IPv4 Address Restrictions to enforce. For your practice lab, select Windows credentials or IIS Manager credentials under Identity Credentials and click Apply in the actions pane.

Figure 2: Configuring the Management Service

Configuring Server Features

I find it odd that the first task listed on the study guide for this area is web site content backup and restore, because there are no procedures unique to IIS for backing up web content. Simply use Windows Server Backup as described in Configuring File and Print Services and Maintaining the Active Directory Environment. Backing up the IIS configuration is also straightforward; however, I think you may find it valuable to understand how IIS stores its configuration information.

IIS stores configuration information for the server and each site on the server in several different extensible markup language (XML) files. Several are stored at %systemroot%\System32\inetsrv\config:

  • administration.config – Contains information for the Management Service.
  • applicationHost.config – This file replaces the metabase used in IIS 6.0; it contains global settings.
  • redirection.config – Contains configuration information for redirecting a web server to configuration files stored on a different computer.

Two more are stored at %systemroot%\microsoft.net\framework\v2.0.50727\config\:

  • machine.config – Contains .NET Framework configuration information.
  • web.config – Contains the settings for ASP.NET web applications.

URL-specific settings can be stored directly in the application code or as files in the website’s folders. Storing the configuration for ASP.NET and the .NET Framework separately makes it easier for Microsoft to publish new versions of each independently of the other.

IIS may use other configuration files depending on which features are installed. While it is possible to edit the configuration files directly, you should not attempt to do so until you have a clear understanding of their syntax and the significance of the sections and variables within them. Editing the files in such a manner appears to be outside the scope of the exam, and therefore it will not be discussed further here. To learn more about managing the IIS configuration files take a look at Deep Dive into IIS7 Configuration.

You can configure a server to utilize a shared configuration stored on a different server. This is convenient when deploying a farm of web servers that all host the same content and applications. To configure it select the server, click Shared Configuration, and click Open Feature. In the Workspace, select the Enable shared configuration checkbox, specify the path to the configuration files, and enter a user name and password for IIS to use when connecting to the shared folder.

Internet Server Application Programming Interface (ISAPI) extensions enable dynamic content by allowing an ISAPI application to execute when a client requests it. Common Gateway Interface (CGI) extensions define how the server passes information to external programs, for example, a script that e-mails registration information to a new user. You can control which extensions are allowed by clicking the server, selecting ISAPI and CGI Restrictions, and clicking Open Feature. While this is a convenient capability, in most cases you would not install undesired extensions in the first place.

Delegating Administration of IIS

In IIS 7.0 you can delegate administration at any of five levels: server, site, application, directory, and file. Delegating content management is simple: configure the desired NTFS permissions on the appropriate folders and files. At the other levels you must configure delegation and then set permissions on the corresponding configuration files: at the server level configure permissions on machine.config; at the site level, on the web.config file at the root of the site; at the application level, on applicationHost.config.

Administration can be delegated to Active Directory Domain Services (AD DS) accounts, Windows accounts stored locally on the web server, or IIS Manager user accounts. To create IIS Manager accounts using IIS Manager, select the server, select IIS Manager Users, click Open Feature, click Add User in the actions pane, and specify a name and password for the account. Accounts created this way can be permitted to access and manage IIS sites and applications, but they are not recognized by Windows. If you want to use IIS Manager accounts you must configure the Management Service to accept Windows credentials or IIS Manager credentials, as described at the beginning of the Managing Internet Information Services section earlier in this chapter.

Default rules for feature delegation are defined during the installation of IIS; you can modify these rules in IIS Manager by selecting the server, selecting Feature Delegation, and clicking Open Feature. The delegation state for each feature is server-wide; how it is configured determines whether or not users can configure that feature in their applications and sites. Select a feature in the Workspace, then click one of the delegation rules in the Set Feature Delegation list in the actions pane, as shown in figure 3.

Figure 3: Configuring Feature Delegation.

Now that you have configured user accounts and feature delegation at the server level you can configure permissions for individual sites and applications. To do so using IIS Manager do the following:

  1. Select the desired site or application.
  2. Select IIS Manager Permissions.
  3. Click Open Feature.
  4. Click Allow User in the actions pane.
  5. Specify whether it’s a Windows or IIS Manager user, then enter the account name and click OK, as shown in figure 4.

Figure 4: Delegating a Site to a User.

You might be wondering why you can configure a feature to allow read-only delegation, but there are situations where allowing some people to see how a feature is configured without being able to modify it is useful. One example is granting this right to content developers to help them troubleshoot. Another good example is a shared web hosting scenario where the hosting service has multiple customers publishing sites on the same server; it may help the customers to understand how the server is configured without allowing them to make changes.

Monitoring IIS

Tracing rules are used to track requests as they are processed by IIS and the applications it is hosting. They can be configured at the site or server level; to configure them using IIS Manager do the following:

  1. Select the appropriate site or server, then select Failed Request Tracing Rules, and click Open Feature.
  2. Click Add in the actions pane to launch the Add Failed Request Tracing Rule Wizard.
  3. Use the wizard to specify what to trace and under what conditions to conduct a trace.
  4. You must also enable tracing for each site to be monitored: select the site, select Failed Request Tracing Rules, and click Open Feature.
  5. Click Edit Site Tracing.
  6. Select the Enable checkbox, then specify the directory and the maximum number of trace files to retain. Note that trace files can be hundreds of kilobytes or even larger.

When a situation arises that matches one of the tracing rules, IIS logs information about the request in an XML-formatted file at the location specified in step 6. By default this is %SystemDrive%\inetpub\logs\FailedReqLogFiles; a subdirectory is created for each site containing an XSL stylesheet and a separate trace file for each failed request. Detailed information is recorded, as shown in figure 5. In this trace 122 steps were recorded for a simple HTTP 404 error that was generated when I attempted to access a URL that does not exist.

Figure 5: Examining a Failed Request Trace File.

There are many options available when creating trace rules. On the Define Trace Conditions page of the wizard you specify three types of conditions:

  1. Status code: Select this option to specify that a trace will be logged when the HTTP status codes you list are generated.
  2. Time taken: Select this option to record a trace when requests exceed the time specified.
  3. Event Severity: Select this option to trace events based on their severity.

On the Select Trace Providers page you specify the providers; you can select ASP, ASP.NET, ISAPI Extension, or WWW Server. For each provider you choose how much information to record from the Verbosity drop-down list: General, Critical Errors, Errors, Warnings, Information, or Verbose. Choosing Verbose causes the most detailed information to be recorded. The areas that can be traced vary depending on the provider, as follows:

  • ASP.NET
    • Infrastructure
    • Module
    • Page
    • AppServices
  • WWW Server
    • Authentication
    • Security
    • Filter
    • StaticFile
    • CGI
    • Compression
    • Cache
    • RequestNotifications
    • Module

I doubt that you need to memorize all of these options in order to succeed on the exam, but you should understand that they exist and that tracing can be used to troubleshoot complex problems with IIS-based applications.

Configuring IIS Logging

In IIS 7.0 logging can be configured at the server, site, or application level. At the server level you can specify whether to create one log per site or one per server; the default setting is to maintain separate logs for each site. You also configure the encoding format at the server level, either UTF-8 or ANSI. The default, UTF-8, is suitable for most situations for a couple of reasons: UTF-8 facilitates reading the logs in languages other than English, and this format reduces the risk of attackers compromising the server with specially crafted URLs that IIS is unable to translate correctly. For practice, select the Default Web Site, select Logging, and click Open Feature.

You need to specify a format and a location where the logs will be saved, and define how the log files will be rolled over. The format is important because each has different options for what is recorded, and some log parsing tools only understand certain formats. W3C is the default value; it is the most flexible and it is understood by the majority of log analysis utilities. The W3C format also allows you to select which fields to record for each request submitted to the server, as shown in figure 6. The default directory for storing the logs is %SystemDrive%\inetpub\logs\LogFiles; if logs are created for each site then IIS creates a subdirectory for each site. It is a best practice to store the IIS logs on a storage volume other than the system volume; doing so eliminates the possibility of a denial of service situation caused by the log files consuming all available space on the system volume.

Figure 6: Specifying Data Fields to Record.

Rollover is particularly important on busy web servers because when hundreds of thousands of requests are processed each day the files become quite large, and the larger the files the longer it takes analysis tools to process them. On most servers the default value of creating a new log file each day is fine. One issue that IIS does not address is deleting old files. Web masters typically schedule a custom script that scans %SystemDrive%\inetpub\logs and all subdirectories to find and remove log files older than 30 or 60 days. If you create scripts that automatically delete old logs, be sure to inform the people hosting sites on the server so that they can periodically copy files from the server if they anticipate a need to analyze them later on.
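The retention script the paragraph describes, written here as an added example rather than code from the chapter. It assumes AppCmd.exe is in %SystemRoot%\System32\inetsrv, that D: is a data volume other than the system volume, and that it runs as an administrator; it moves site logs to that volume and prunes log files older than the retention period, with -DryRun to report without deleting.

```powershell
# Added example, not part of the chapter. Assumptions: IIS 7.0 with AppCmd.exe in
# %SystemRoot%\System32\inetsrv, D: is a non-system volume, run as an administrator.
param(
    [string]$LogRoot    = 'D:\IISLogs',   # assumed data volume; keeps logs off the system volume
    [int]$RetentionDays = 30,             # the chapter suggests 30 or 60 days
    [switch]$DryRun                       # report what would be deleted without deleting it
)

$appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'
if (-not (Test-Path $LogRoot)) { New-Item -ItemType Directory -Path $LogRoot | Out-Null }

# 1. Keep the W3C format and daily rollover, but write the logs to the data volume.
#    siteDefaults covers sites created later; the loop covers sites that already exist.
& $appcmd set config /section:sites "/siteDefaults.logFile.directory:$LogRoot" `
    /siteDefaults.logFile.logFormat:W3C /siteDefaults.logFile.period:Daily /commit:apphost
foreach ($site in (& $appcmd list site /text:name)) {
    & $appcmd set config /section:sites "/[name='$site'].logFile.directory:$LogRoot" /commit:apphost
}

# 2. Delete log files older than the retention period. IIS names its logs
#    u_exYYMMDD.log (W3C), u_inYYMMDD.log (IIS) or u_ncYYMMDD.log (NCSA), so
#    matching on those prefixes leaves failed-request trace files and other data alone.
function Remove-OldIisLogs {
    param([string]$Path, [int]$Days, [switch]$DryRun)
    if (-not (Test-Path $Path)) { return }
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -Recurse -Include 'u_ex*.log', 'u_in*.log', 'u_nc*.log' |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            Write-Host "Removing $($_.FullName)"
            Remove-Item -LiteralPath $_.FullName -Force -WhatIf:$DryRun
        }
}

# Prune both the new location and the default one, where older files may remain.
Remove-OldIisLogs -Path $LogRoot -Days $RetentionDays -DryRun:$DryRun
Remove-OldIisLogs -Path "$env:SystemDrive\inetpub\logs\LogFiles" -Days $RetentionDays -DryRun:$DryRun
```

Run it once with -DryRun to review what would be removed, then schedule it with Task Scheduler and tell the site owners what the retention period is.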

Managing Web Sites

This section examines the small number of management tasks that are only performed at the site level in IIS 7.0, including creating new sites, configuring ISAPI filters, and migrating existing sites to IIS 7.0.

Creating New Web Sites

Publishing a new website is easy using IIS Manager: right-click the server and select Add Web Site. The Add Web Site dialog box appears; you must provide a name for the site and specify the physical path of the root folder where the content is stored, as shown in figure 7. You must also provide binding information, although in many cases the default values will suffice. Use the Type drop-down list to select http, https, net.msmq, and so on. Use the IP address drop-down list to select which IP address clients will use to submit requests. Specify the TCP port number in the Port text box; 80 is the default for HTTP and 443 for HTTPS. You can use alternative ports, but then users will have to specify them in the URLs they submit to the server. Entering the host name is not required unless you wish to employ host headers. Host headers allow IIS to host multiple websites on the same IP address; IIS uses the host header in each client request to determine which website should process it. When hosting multiple websites on the same server you can bind each site to a unique IP address, use host headers, or combine the two approaches.

Figure 7: Publishing a New Site.

Configuring Web Site Settings

After creating a site you can alter any of its settings by selecting it and clicking Bindings or Basic Settings in the actions pane. You can bind the site to additional addresses, ports, and host names, and edit or delete existing bindings. You can update the physical path, the path credentials, and the application pool for the site. In IIS 7.0, application pools separate applications into groups to prevent one application from affecting those in other pools. Application pools can be in integrated mode or classic mode. Integrated mode application pools leverage the integrated request-processing architecture of IIS and ASP.NET, including the streamlined process model and fully managed code. Classic mode application pools simulate the way IIS 6.0 behaves; they can be used to facilitate migrating applications to IIS 7.0. To add, configure, and remove application pools select Application Pools in the Connection Manager Tree.

To control access to the site, configure the NTFS permissions on the root folder, sub-folders, and files to grant Read, Read & execute, and List folder contents to the groups that you want to be able to browse the site. Also assign Modify and Write permissions (or Full control) to the groups that you want to be able to manage the content. You can assign permissions using Windows Explorer, or by selecting the site in IIS Manager and clicking Edit Permissions in the actions pane.

To add an application or virtual directory, right-click the site and select the appropriate command from the context menu. Specify an alias and a physical path; the alias appears in the URL while the physical path can point to any local or network folder that the server can access. For example, if the website URL is http://www.kurtdillard.com, the alias is publications, and the physical path is \\dfs1\dfs\website\content\books, then the URL a visitor would specify to access content in this virtual folder would be http://www.kurtdillard.com/publications. While this may strike you as confusing, it provides content developers with a great deal of flexibility regarding how they organize content on the server and present it to web site visitors.

ISAPI filters are dynamic-link libraries (DLLs) that change the behavior of IIS or provide new functionality. For example, a filter can modify how the server responds to a certain kind of request. They are replaced by native-code modules in IIS 7.0; however, the feature is still available to facilitate migration from previous versions of IIS. ISAPI filtering can only be configured at the site level: select the desired site, select ISAPI Filters, and click Open Feature. Click Add to specify a new ISAPI filter, then enter the filter name and the location of the corresponding executable. You can edit, delete, or rename an existing ISAPI filter by selecting it and clicking the desired command in the actions pane, as shown in figure 8.

Figure 8: Configuring ISAPI Filters.

Migrating Sites and Applications to IIS 7.0

A few features to help migrate websites have already been mentioned in previous sections. Since the possible combinations of commercial and internally developed applications and other content are nearly infinite, I think it is most effective to discuss the process rather than all of the detailed procedures that might be required. First determine what content is to be migrated, then analyze each application to determine what can run natively on IIS 7.0 in integrated mode, what can run if the proper compatibility features are utilized, and what will need to be rewritten or replaced. This is a group effort that requires collaboration between the server administrators, web masters, content developers, and testers to succeed.

If an application fails, you can try using the appcmd command prompt tool with the migrate config option to migrate the application configuration to IIS 7.0 in integrated mode; see Getting Started with AppCmd.exe for more information. If the application still does not function, run it in an application pool configured in classic mode. If the application still does not work as expected, then the developers will have to update the application for IIS 7.0.

Tip: The team that manages Microsoft’s public website created a tool to help with their own migration project which they recently made available online: the Microsoft Web Deployment Tool.

Configuring Web Applications

To IIS 7.0, an application is a collection of files that provide content or services over network protocols such as HTTPS. Each site must have a root application, but it can have many more. As mentioned earlier, each application is assigned to an application pool. If you select an application and click Advanced Settings in the actions pane, the dialog box shown in figure 9 appears. You can assign the application to a different application pool and make other configuration changes, most of which can also be accessed by selecting Basic Settings.

Figure 9: Configuring Advanced Site Settings.

Enhancing IIS Performance

To configure compression select the site, application, or virtual directory; click Compression, and then click Open Feature. You can improve performance by enabling compression for static content, dynamic content, or both. Output caching can also be used to improve performance; to configure it select the site, application, or virtual directory; click Output Caching, and then click Open Feature. Click Add to create a new cache rule; the rule includes the file name extension to cache, e.g. .html, and whether to perform user-mode caching, kernel-mode caching, or both.

Understanding Application Development Modules

There are over a dozen modules designed to help application developers create dynamic and interactive IIS-based applications. Rather than memorize every setting available with each module I think you should understand the capabilities and requirements of each. All IIS modules are managed in the same basic manner: select the module in the Workspace then click Open Feature in the actions pane.

  • .NET Compilation – IIS compiles application code into one or more DLLs when responding to user requests that include such code. Use this module to control how ASP.NET code is compiled.
  • .NET Globalization – Globalization is the process of translating and customizing applications for other languages and cultures. When this module is utilized by developers IIS can present content localized for each client’s locale. Configure the module to specify the default locale, the assumed encoding for incoming requests, and other .NET globalization settings.
  • .NET Profile – Use this module to manage a list of profile properties that include any custom information needed by the application. When an application uses a large number of profile properties they can be organized into groups.
  • .NET Roles  – Use this module to manage a list of security groups which can be used to categorize users for managing them collectively.
  • .NET Trust Levels – Use this module to define the permissions in the ASP.NET code access policy. The default value is Full Trust, which means that the application has unrestricted access. Four lower levels of trust are available: High, Medium, Low, and Minimal.
  • .NET Users – Use this module to manage the list of user identities for the application.
  • Application Settings – Use this module to store application settings in the application’s web.config file. Each setting includes a name and a value, they can be accessed from anywhere within the application. If stored at a higher level, such as at the site level, they will be accessible to all of the child applications.
  • ASP – Active Server Pages (ASP) is one of the methods IIS 7.0 provides for server-side scripting. When a client requests content that includes an ASP script this module processes it and generates an HTML web page that is returned to the client. Use the ASP module to manage how ASP scripts are processed by IIS, as shown in figure 10.

Figure 10: Configuring the ASP Module.

  • CGI – CGI is an older technology for processing server-side scripts. Use this module to configure CGI settings such as the script time-out value and whether each CGI process executes in the context of the system or of the requesting user.
  • Connection Strings – Use this module to configure the information needed by the application to connect to databases stored on Microsoft SQL Server and other database management systems. The string must include the name of the server, the name of the database, and the credentials to be used for establishing the connection.
  • Machine Key – Machine keys are used for encryption functions within applications, for example, to protect forms authentication cookie data. Use this module to configure the encryption and decryption algorithms and whether to use runtime or static keys. You should specify static keys and use the same keys on all servers when configuring a web farm, as shown in figure 11. These operations are separate from SSL encryption, which is discussed later in this chapter.

Figure 11: Configuring Machine Keys.

  • Pages and Controls – Use this module to specify how the server will compile custom ASP.NET pages, controls, and other elements. 
  • Providers – Providers are an interface between ASP.NET services and data stores such as Microsoft SQL server databases. Use this module to configure any of the three types of providers: .NET Roles, .NET Users, and .NET Profile.
  • Session State – Applications use session state to track what users are doing. Session state can be maintained in several ways, each with its own advantages:
    • In process means that the state data is stored by IIS in the worker process for a managed-code application. This configuration requires no additional servers but it consumes additional system resources and the information will be lost if the worker process is recycled.
    • Custom means that IIS will use a custom provider to handle session state.
    • State Server enables the aspnet_state service and stores the session state within that service. This saves memory on the IIS server and allows the data to be retained when the worker process recycles; however, the service must be installed on a server.
    • SQL Server stores the session state data in a SQL Server database. This also saves memory on the IIS server and ensures the data is retained when the worker process recycles but it requires a database server.
    • Cookies can be configured in one of four modes: If Auto Detect is selected cookies will be used if the browser supports them. If Use Cookies is selected state data is stored in cookies that are stored on the client and sent to the server with each client request. If Use Device Profile is selected the cookies will be used if the device supports them, even if the user has disabled cookies. If Use URI is selected the session ID is stored as part of the Uniform Resource Identifier (URI) string that the client submits for each request.
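For the Machine Key item above, an added example (not code from the chapter) that generates one set of static keys for a web farm and applies it to a site with AppCmd.exe, so that forms authentication cookies issued by one farm member validate on the others. It assumes AppCmd.exe is in %SystemRoot%\System32\inetsrv, a site named 'Default Web Site', an administrator session, and a key file path of my choosing that you copy to each farm server.

```powershell
# Added example, not part of the chapter. Assumptions: AppCmd.exe in
# %SystemRoot%\System32\inetsrv, site 'Default Web Site', run as an administrator.
# Generate the keys once, then run this script with the SAME key file on every farm server.

function New-MachineKeyHex {
    param([int]$Bytes)
    # Cryptographically random bytes rendered as the hex string the machineKey element expects.
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] $Bytes
    $rng.GetBytes($buffer)
    return (($buffer | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Set-SiteMachineKey {
    param([string]$Site, [string]$ValidationKey, [string]$DecryptionKey)
    $appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'
    # Writes <machineKey> into the site's web.config. SHA1 validation with a
    # 64-byte key and AES decryption with a 32-byte key are valid key lengths.
    & $appcmd set config $Site /section:system.web/machineKey `
        "/validationKey:$ValidationKey" "/decryptionKey:$DecryptionKey" `
        /validation:SHA1 /decryption:AES
}

# Assumed location for the shared keys; protect this file like a password and
# copy it to the other farm members rather than generating new keys there.
$keyFile = Join-Path $env:USERPROFILE 'farm-machinekeys.xml'
if (Test-Path $keyFile) {
    $keys = Import-Clixml $keyFile          # second and later servers reuse the keys
} else {
    $keys = @{
        validationKey = New-MachineKeyHex -Bytes 64
        decryptionKey = New-MachineKeyHex -Bytes 32
    }
    $keys | Export-Clixml $keyFile
}
Set-SiteMachineKey -Site 'Default Web Site' -ValidationKey $keys.validationKey -DecryptionKey $keys.decryptionKey
```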

Managing Other IIS Modules

There are a handful of additional IIS modules that do not really fit into any of the other sections in this chapter:

  • Default Document – When default documents are enabled, visitors can access content without needing to specify the document name; for example, if you enter http://www.kurtdillard.com your browser actually retrieves and displays http://www.kurtdillard.com/index.aspx. You can configure multiple default documents; if a folder includes more than one, the document that is highest on the list is sent.
  • Directory Browsing – Directory browsing is disabled by default. When enabled, website visitors can view the contents of any directory that does not contain a default document. From a usability perspective this can be good, in that users can view any file they want, even those that the content developers forgot to link to in their other documents. It can also be bad, though, because users may encounter incomplete or outdated content. From a security perspective it can be bad because visitors may view files that you never intended them to see.
  • Error Pages – Custom error pages can be very useful for troubleshooting purposes; however, malicious users may be able to learn details about the server configuration that they should not know. What some webmasters do is enable detailed error pages on internal and development sites but configure a generic error page for all errors on publicly accessible sites.
  • Handler Mappings – Use this module to manage the list of handlers for the specified file types.
  • HTTP Redirect – Redirection is useful when moving content between servers, sites, and directories. You can configure relative or exact destinations and whether to also redirect requests to subdirectories.
  • HTTP Response Headers – Response headers are used to send additional information with every response to a client request. For example, companies that offer free web hosting might include the name of the hosting company and a link for new visitors to find out how to set up their own free website. This module is also used to enable HTTP keep-alive and content expiration.
  • MIME Types – Multipurpose Internet Mail Extensions (MIME) types are a method for identifying file formats. IIS uses the default list of MIME types to determine how to process requested files based on their extension.
  • Modules – Use this module to configure the native code and managed code modules on the server. Modules perform specific tasks when client requests are being processed by the server.

Configuring SSL Security

SSL allows the server to identify itself to clients and to encrypt communication between the server and clients. To enable SSL you must install a server certificate. You can install additional certificates and manage existing ones by selecting the server, then selecting Server Certificates, and clicking Open Feature. You can create a self-signed certificate on the IIS server; however, these are only suitable for development and testing. For production deployments you should obtain a certificate from a Certificate Authority (CA) that is trusted by the clients that will be connecting to the server. For publicly accessible servers you should purchase a certificate from a commercial CA. For internal servers you can do the same or install certificates from a CA that is part of the organization’s Public Key Infrastructure (PKI); deploying a Windows-based CA is discussed in Configuring Active Directory Certificate Services.

To generate a self-signed certificate click Create Self-Signed Certificate. You can request and install a certificate from an AD-integrated CA by clicking Create Domain Certificate. To request a certificate from an external CA or one that is not integrated with a trusted AD domain click Create Certificate Request and submit the certificate request file to the CA using whatever method it supports. When the certificate is received click Complete Certificate Request to install it on the server. The common name must match the hostname that clients will use when accessing the server, e.g. www.kurtdillard.com.

All servers in a web farm should use the same certificate and, again, the common name should match the hostname used by clients. For example, if www2 and www3 are both hosting the www.kurtdillard.com site then the common name on the certificate should be www.kurtdillard.com. Web browsers validate server certificates by comparing the common name in the certificate with the hostname in the URL, so specifying www2.kurtdillard.com as the common name would cause browsers to present warning messages to users. You can export the server certificate from one server and import it into the certificate store on the other servers using the appropriate commands in the Actions Pane. To avoid user confusion and frustration, be sure to renew certificates several weeks before they expire.

Although you configure certificates at the server level, you configure SSL at the site and application levels. To configure SSL select the desired site or application, select SSL Settings, and click Open Feature. Enable or disable the Require SSL checkbox. 128-bit SSL provides greater security but some clients do not support it, so use the Require 128-bit SSL checkbox only when you are confident that all clients are compatible with it. When all visitors to the website are using computers managed by the organization, requiring client certificates also increases security.
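The common-name and renewal checks just described, as an added example written for this chapter rather than code from it or from IIS: it compares a certificate's names with the hostname clients use and flags certificates inside the renewal window. It goes a little beyond the text by also accepting Subject Alternative Names and single-label wildcards, which browsers honour as well; the certificates, dates and renewal window are constructed values.

```python
"""Check an IIS server certificate against the hostname clients actually use."""
from datetime import date

RENEWAL_WINDOW_DAYS = 28  # "several weeks before they expire" (constructed value)


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare a certificate name with a hostname (case-insensitive).

    A leading '*.' wildcard matches exactly one DNS label, so
    '*.kurtdillard.com' covers 'www.kurtdillard.com' but neither
    'kurtdillard.com' nor 'a.b.kurtdillard.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def check_certificate(cert: dict, site_hostname: str, today_iso: str) -> list:
    """Return findings for one certificate; an empty list means it is fine.

    cert is a plain dict of what you would read off the Server Certificates
    feature: {"common_name": str, "san": [str, ...], "not_after": "YYYY-MM-DD"}.
    """
    findings = []
    names = [cert["common_name"]] + list(cert.get("san", []))
    # Browsers accept the common name or any SAN entry that covers the URL host.
    if not any(name_matches(n, site_hostname) for n in names):
        findings.append(
            f"name mismatch: certificate names {names} do not cover "
            f"{site_hostname}; browsers will warn users")
    days_left = (date.fromisoformat(cert["not_after"])
                 - date.fromisoformat(today_iso)).days
    if days_left < 0:
        findings.append(f"expired {-days_left} days ago")
    elif days_left <= RENEWAL_WINDOW_DAYS:
        findings.append(f"expires in {days_left} days; renew now")
    return findings


# Constructed sample: the chapter's www2/www3 farm serving www.kurtdillard.com.
SITE = "www.kurtdillard.com"
CERT_WWW2 = {"common_name": "www2.kurtdillard.com", "san": [],
             "not_after": "2009-06-01"}  # per-server name: wrong for the farm
CERT_SHARED = {"common_name": "www.kurtdillard.com", "san": [],
               "not_after": "2009-06-01"}  # shared certificate with the site name

if __name__ == "__main__":
    for label, cert in (("www2 cert", CERT_WWW2), ("shared cert", CERT_SHARED)):
        print(label, check_certificate(cert, SITE, "2009-01-15") or "OK")
```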

Configuring Web Site Authentication and Permissions

There are several ways to control access to web sites and applications hosted on IIS 7.0. You can enable and disable different kinds of user authentication. You can configure permissions on the content and applications. You can also configure IIS to allow or deny access based on the IP address of the client’s computer or its DNS domain name. This section examines each of these methods.

Configuring Authentication

IIS 7.0 includes a variety of means for authenticating users. Most can be implemented at the server, site, application, or folder level using IIS Manager. Some are challenge-based, in which the client must respond correctly to a challenge from the server; Windows authentication is an example of this type. Others are login redirection-based; for example, in forms authentication the user is redirected to a login page. You cannot implement both challenge-based and redirection-based methods simultaneously. Select the desired object in the Connection Manager Tree, select Authentication, and click Open Feature to get started. The following methods are available:

  • Active Directory Client Certificate Authentication – Use this method if you want to use Active Directory to authenticate users who have client certificates. This approach requires AD DS, a certification authority for the domain, user accounts that have unique certificates mapped to them, and a web server configured to use SSL. You cannot use IIS certificate mapping if you use this method; to learn how to configure IIS certificate mapping see Configure Client Certificate Mapping Authentication.
  • Anonymous Authentication – Enabled by default, this method allows unauthenticated access to the site. That means that any user can access public content without providing credentials; however, if they attempt to access content that is restricted by NTFS permissions they will either be prompted for credentials, if another method is configured, or receive an error message and be unable to view the content. When anonymous authentication is enabled, unauthenticated users browse the content in the context of the specified user account or the application pool identity. By default the local IUSR account, which is created during the installation of IIS, is used. It is important that you understand which identity is used for anonymous access so that you can configure NTFS permissions appropriately.
  • ASP.NET Impersonation – Use this method when you want ASP.NET applications to execute under a security context other than the default ASP.NET security context. You can configure it to impersonate the user visiting the website or a specific account such as IUSR.
  • Basic Authentication – Visitors are prompted for a user name and password in order to access content. The advantage of this method is that it is supported by all major browsers; the serious downside is that passwords are transmitted unencrypted between the client and server. You can mitigate much of the risk associated with this method by implementing SSL encryption.
  • Digest Authentication – Use this method to authenticate users against a Windows domain controller. It is more secure than basic authentication but still less secure than Windows authentication, so you should configure the server to use SSL to encrypt digest authentication traffic. A significant disadvantage of digest authentication is that it cannot be combined with anonymous authentication.
  • Forms Authentication – Users are redirected to an HTML form where they provide their user name and password in order to access content. The credentials are transmitted to the server in plain text, so you should configure the server to use SSL to encrypt them.
  • Windows Authentication – Use this method to authenticate users via NTLM or Kerberos. This is an excellent choice for intranets because the client computers and the web servers can be located in the same or a trusted AD DS forest and you can ensure that all clients are using a browser that supports the method. One reason this is not a good approach to use in Internet scenarios is that NTLM cannot traverse HTTP proxy servers.
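An added example (not code from the chapter or from IIS) that reads the authentication section of an applicationHost.config file and reports the combinations the list above warns about: Basic or Digest without Require SSL, Digest together with Anonymous, and which identity anonymous requests run as. The two sites in the sample are constructed; the element and attribute names are the real IIS 7.0 schema names.

```python
"""Audit the authentication settings of IIS 7.0 sites in applicationHost.config."""
import xml.etree.ElementTree as ET

# Constructed sample in applicationHost.config layout.  The element and
# attribute names (access/sslFlags, anonymousAuthentication/userName, ...)
# are the real IIS 7.0 schema names; the two sites and their settings are made up.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="true" userName="IUSR" />
          <basicAuthentication enabled="true" />
          <digestAuthentication enabled="true" />
          <windowsAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="Intranet">
    <system.webServer>
      <security>
        <access sslFlags="Ssl,Ssl128" />
        <authentication>
          <anonymousAuthentication enabled="true" userName="" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

METHODS = ("anonymousAuthentication", "basicAuthentication",
           "digestAuthentication", "windowsAuthentication")


def _enabled(element) -> bool:
    """An absent element, or one without enabled="true", counts as disabled."""
    return element is not None and element.get("enabled", "false").lower() == "true"


def audit_site(config_xml: str, site: str) -> dict:
    """Return {'anonymous_identity': str or None, 'findings': [str, ...]}."""
    root = ET.fromstring(config_xml)
    loc = next((l for l in root.iter("location") if l.get("path") == site), None)
    if loc is None:
        return {"anonymous_identity": None, "findings": [f"no <location> for {site}"]}
    security = loc.find("system.webServer/security")
    auth = security.find("authentication") if security is not None else None
    access = security.find("access") if security is not None else None
    on = {m: _enabled(auth.find(m) if auth is not None else None) for m in METHODS}
    flags = access.get("sslFlags", "None") if access is not None else "None"
    require_ssl = "Ssl" in [f.strip() for f in flags.split(",")]  # the Require SSL box

    findings = []
    if on["basicAuthentication"] and not require_ssl:
        findings.append("Basic authentication sends passwords unencrypted and Require SSL is off")
    if on["digestAuthentication"] and not require_ssl:
        findings.append("Digest authentication is enabled without Require SSL")
    if on["digestAuthentication"] and on["anonymousAuthentication"]:
        findings.append("Digest and Anonymous authentication cannot be combined")
    if not any(on.values()):
        findings.append("no authentication method enabled; every request will get 401")

    identity = None
    if on["anonymousAuthentication"]:
        anon = auth.find("anonymousAuthentication")
        # In IIS 7.0 an empty userName means "use the application pool identity".
        identity = anon.get("userName") or "application pool identity"
    return {"anonymous_identity": identity, "findings": findings}
```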

Configuring Authorization Rules

Authorization rules are used to allow or deny access to content for specific roles, groups, or accounts, as shown in figure 12. You can further refine a rule by limiting it to certain HTTP verbs such as POST and GET. You can assign authorization rules at the server, site, application, or folder level. You can combine NTFS permissions on files and folders with authorization rules to fine-tune access to the content; configuring NTFS permissions was discussed earlier in this chapter, in the section called Configuring Web Site Settings.

Figure 12: Configuring an Authorization Rule.

Implementing IPv4 Address and Domain Restrictions

Another method for controlling which users can access content on the web server is to configure rules based on IPv4 addresses and DNS domain names. You can take one of two approaches. The default is to allow all hosts and configure rules to block specific addresses and domains. The more secure approach is to block everything and configure rules to allow traffic only from specified addresses and domains. To configure this feature using IIS Manager select the server, site, application, or folder you wish to manage and do the following:

  1. Select IPv4 Address and Domain Restrictions, then click Open Feature.
  2. Click Edit Feature Settings.
  3. To define the default rule select Allow or Deny from the Access for unspecified clients drop-down list.
  4. If you want to be able to configure rules based on domain names, enable the Enable domain name restrictions checkbox; however, this will significantly increase the time required to establish connections because the server will have to complete a reverse DNS lookup on every client that tries to connect.
  5. Click either Add Allow Entry or Add Deny Entry to create a new rule.
  6. Specify the scope of the rule by selecting the desired radio button and providing the appropriate address or domain information.
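The decision this feature makes, reproduced as an added example (not code from the chapter or from IIS): the default for unspecified clients plus the allow and deny entries by address, subnet mask or domain name, in the <ipSecurity> form the settings take in applicationHost.config. The two policies and the addresses are constructed, and the handling of overlapping entries is this example's own assumption.

```python
"""Evaluate IIS 7.0 IPv4 Address and Domain Restrictions for a client."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed policies in the <ipSecurity> form used by applicationHost.config
# (allowUnlisted, enableReverseDns, ipAddress, subnetMask, domainName and
# allowed are the real IIS 7.0 attribute names; the addresses are made up).
# The "more secure approach": deny unlisted clients and allow a few.
DENY_BY_DEFAULT = """<ipSecurity allowUnlisted="false" enableReverseDns="true">
  <add ipAddress="10.1.0.0" subnetMask="255.255.0.0" allowed="true" />
  <add ipAddress="203.0.113.25" allowed="true" />
  <add domainName="partner.example" allowed="true" />
</ipSecurity>"""
# The default approach: allow everyone and block specific ranges.
ALLOW_BY_DEFAULT = """<ipSecurity allowUnlisted="true">
  <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="false" />
</ipSecurity>"""


def load_policy(xml_text: str) -> dict:
    """Parse an <ipSecurity> element into a policy dict."""
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.findall("add"):
        allowed = entry.get("allowed", "true").lower() == "true"
        domain = entry.get("domainName")
        if domain:
            rules.append(("domain", domain.lower().rstrip("."), allowed))
        else:
            # A missing subnetMask means a single host (255.255.255.255).
            net = ipaddress.IPv4Network(
                (entry.get("ipAddress"), entry.get("subnetMask", "255.255.255.255")),
                strict=False)
            rules.append(("net", net, allowed))
    return {
        "allow_unlisted": root.get("allowUnlisted", "true").lower() == "true",
        "reverse_dns": root.get("enableReverseDns", "false").lower() == "true",
        "rules": rules,
    }


def is_allowed(policy: dict, client_ip: str, client_host: Optional[str] = None) -> bool:
    """Decide whether a client may connect.

    client_host is the name a reverse DNS lookup returned (or None); domain
    rules are consulted only when enableReverseDns is on, which is why the
    chapter warns that the option slows connection setup.  Assumption of this
    example: entries do not overlap, so the first matching entry is used;
    verify precedence on your own server before relying on overlapping entries.
    """
    ip = ipaddress.IPv4Address(client_ip)
    host = (client_host or "").lower().rstrip(".")
    for kind, target, allowed in policy["rules"]:
        if kind == "net" and ip in target:
            return allowed
        if (kind == "domain" and policy["reverse_dns"] and host
                and (host == target or host.endswith("." + target))):
            return allowed
    return policy["allow_unlisted"]  # the "Access for unspecified clients" setting
```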

Configuring a File Transfer Protocol Server

To manage the built-in File Transfer Protocol (FTP) feature in Windows Server 2008 you must launch Internet Information Services (IIS) 6.0 Manager. To create an FTP site expand the server in the navigation tree, right-click on the FTP Sites node, select New, then select FTP Site. The FTP Site Creation Wizard will prompt you to provide all of the information needed to establish the new site. You can also manage an existing FTP site by right-clicking on it and selecting Properties. The FTP Site tab is where you provide binding information, specify connection limits, and configure logging. Use the Security Accounts tab to configure anonymous access. Use the Messages tab to configure a custom server banner, welcome message, and exit message. Select the Home Directory tab to specify the root directory for the site and to enable read or write access; note that what you specify here combines with the NTFS permissions to determine each user’s effective permissions. This is analogous to the way NTFS and share permissions interact, as described in Configuring File and Print Services. Select the Directory Security tab to define access rules based on IPv4 addresses.

FTP in the Real World

The exam is probably going to have little focus on FTP, and it is likely that whatever questions are included will be about the version that shipped with Windows Server 2008. However, I recommend that you download and install the new version of Microsoft’s FTP Publishing Server, also called FTP 7. The 32-bit installation package is available at http://go.microsoft.com/fwlink/?LinkId=87847; the 64-bit installation package can be found at http://go.microsoft.com/fwlink/?LinkId=89114. Also note that you cannot use both versions at the same time; before installing FTP 7 be sure to uninstall the FTP feature included with IIS 7.0. FTP 7 has many advantages, including support for FTP over SSL, IPv6, and UTF-8. You can also host multiple FTP sites on the same address. After installing FTP 7 you will see new features in the Workspace of IIS Manager. Several work very much like their web service counterparts: FTP Logging, FTP Authorization Rules, FTP Authentication, and FTP IPv4 Address and Domain Restrictions. Others are entirely new:

  • FTP Current Sessions shows information about all active sessions including user name, IP address, and the last command that was submitted.
  • FTP Firewall Support is used to enable support for passive connections, which will allow clients to traverse an external firewall.
  • FTP Messages can be configured to specify a custom server banner, welcome message, exit message, and a denied connection message.
  • FTP SSL Settings is for configuring FTP over SSL.
  • FTP User Isolation is for preventing users from accessing the home directories of other users.

Configuring Simple Mail Transfer Protocol

You must configure this feature in IIS Manager to be able to send email from ASP.NET applications that use the System.Net.Mail API. To configure SMTP select the desired server, site, application, or folder; then select SMTP E-mail and click Open Feature. Enter the e-mail address that will be inserted in the reply-to field of all outgoing messages, then select either Store e-mail in pickup directory or Deliver e-mail to SMTP server. In the former case messages will be saved as individual files in the location you specify. In the latter case messages will be forwarded to another SMTP server, so you must specify the server’s hostname, the port it is using, and how to authenticate to the server, as shown in figure 13.

Figure 13: Configuring SMTP E-mail.

To configure the SMTP virtual server use IIS 6.0 Manager. Right-click on the server and select Properties to customize the settings. Configure bindings, connection limits, and logging on the General tab. To configure access controls select the Access tab. Click Authentication to enable, disable, and configure each type of access. Click Connection to specify which computers are allowed to submit SMTP requests and click Relay Restrictions to define which computers can relay through the server. Select the Messages tab to specify size, session, and recipient limitations and to define the badmail folder. Click the Delivery tab to configure how messages are forwarded from the server; click Advanced to specify the smart host if you do not want the SMTP server to attempt to deliver messages to the destination domain itself.

Note: This feature is designed to support sending email from within IIS-based applications running on the server; it is not intended to provide robust SMTP services to an entire organization. For enterprise e-mail you should consider Microsoft’s Exchange Server or other products designed for that purpose.

Summary

In this chapter you learned how to install and manage IIS 7.0 and all of its features. A lot of information was presented; I do not think that you need to remember every single detail of how to configure every feature, but you do need to understand the capabilities and requirements of each. You also need to know how to troubleshoot common problems relating to IIS, such as misconfigured permissions or server certificates whose common name does not match the URL used by website visitors. Entire books have been published focusing on IIS; due to space limitations I was not able to cover every detail of designing, optimizing, and resolving problems with IIS-based applications. I encourage you to examine the documents available at the sites noted in the References section, especially if you need to deploy IIS in a production environment.

Chapter Review

This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply a few questions may require you to examine those tools further rather than rereading the chapter.

Questions

  1. You manage a farm of web servers. You want to reduce the amount of time you spend managing them. What could you do? (pick 2)
    A. Join the servers to an AD DS domain.
    B. Create a group policy object with the desired settings.
    C. Share the configuration folder on one of the servers.
    D. Configure the servers to use a shared configuration.
    E. Create a startup script and configure it to run on each server.
  2. Which of the following files contains configuration information that was stored in the metabase in IIS 6.0?
    A. administration.config.
    B. applicationHost.config.
    C. redirection.config.
    D. machine.config.
    E. web.config.
  3. You create several IIS Manager user accounts so that you can delegate management tasks to some users without giving them full administrative privileges on a web server. Using IIS Manager you select a site you want to delegate, open IIS Manager Permissions, and try to grant permissions to the new accounts, but when you click Allow User you find that the IIS Manager user type is disabled. What should you do to resolve this problem?
    A. Reboot the server.
    B. Configure the Management Service to accept both Windows and IIS Manager credentials.
    C. Start the Management Service.
    D. Configure the server to accept both Windows and IIS Manager credentials.
    E. Configure the site to accept both Windows and IIS Manager credentials.
  4. You have been collecting information about errors encountered by visitors to one of the websites on a server that you manage using Failed Request Tracing Rules. You want to examine the data that has been recorded. What should you do?
    A. Use Internet Explorer to view the files.
    B. Open IIS Manager, select the server, select Failed Request Tracing Rules, and click Open Feature.
    C. Open Event Viewer, expand Application and Services Logs, expand Microsoft, expand Windows, and select W3svc to view the files.
    D. Use Notepad or another text editor to view the files.
  5. Which of the following is not a valid option for the log file format in IIS 7.0?
    A. W3C.
    B. IIS.
    C. Event log.
    D. NCSA.
  6. You manage an IIS 7.0 web server that hosts a busy website. The server only has one IP address assigned to its public-facing network adapter. You need to add several more sites to the server, each with a unique host name. What should you do to ensure that users are able to find the sites? (pick 2)
    A. Configure a host name for the binding of each site.
    B. Configure round robin DNS.
    C. Install the Network Load Balancing Service.
    D. Enable host headers at the server level.
    E. Configure DNS records for each hostname that point to the public IP address of the server.
  7. True or false: Windows Server 2008 does not include a full implementation of SMTP.
    A. True
    B. False
  8. You are testing an internally developed website that was designed to run on IIS 6.0, and that includes application code based on ASP.NET and the .NET Framework, to see if it is compatible with Windows Server 2008 and IIS 7.0. Most features work as expected but some are failing. What should you do next?
    A. Inform the site developers that they need to rewrite all code to make it work with IIS 7.0.
    B. Download and install version 1.1 of the Microsoft .NET Framework.
    C. Try migrating the application to IIS 7.0 using appcmd with the migrate config command.
    D. Configure the site to run in IIS 6.0 compatibility mode.
  9. What features in IIS can help improve web site responsiveness?
    A. Compression.
    B. Network Load Balancing Service.
    C. Failover clustering.
    D. Pre-compiling .NET applications.
    E. Output Caching.
    F. HTTP Response Headers.
  10. Which of the following methods would be a poor way to track session state for site visitors in a web farm?
    A. State server.
    B. SQL Server.
    C. Client-side cookies.
    D. In process.
  11. You want to ensure that visitors to your website are unable to view the contents of folders, only the files and applications that you specifically intend for them to see. What should you do? (pick 2; either answer represents a complete solution)
    A. Remove the NTFS List permission from every folder in the site.
    B. Remove the NTFS Read permission from every folder in the site.
    C. Disable anonymous access.
    D. Ensure that every folder has a default document.
    E. Disable directory browsing.
  12. You want to allow everyone to be able to read most of the content on an internal website but restrict portions of it to specific groups of users. What should you do?
    A. Enable both anonymous and Windows authentication; configure NTFS permissions to allow only the appropriate groups access to the restricted content.
    B. Enable both digest and anonymous authentication; configure NTFS permissions to allow only the appropriate groups access to the restricted content.
    C. Enable Windows authentication; configure NTFS permissions to allow only the appropriate groups access to the restricted content.
    D. Enable forms authentication.

Answers

  1. C and D are correct; using a shared configuration is an easy way to manage a farm of web servers. The other answers are incorrect because you cannot use group policy to fully manage IIS 7.0 and a startup script would be unnecessarily complex.
  2. B is correct; in IIS 7.0 the applicationHost.config file replaces the metabase.
  3. B is correct; you need to select the server and then configure the Management Service. This service does not need to be running in order to be able to use IIS Manager credentials; you only start the service if you want to enable remote management.
  4. A is correct; Internet Explorer is the best way to view the trace files because they are XML files and IIS saves an XSL stylesheet in the folder with the trace files to ensure that the browser renders the files in an easily navigated format.
  5. C is correct; IIS cannot record the HTTP logs in the logs visible in Event Viewer. All of the other formats are valid.
  6. A and E are correct. Host headers are enabled by default; you merely have to specify the host name in the site’s binding for IIS to start utilizing them.
  7. False is correct; although Microsoft recommends against using the SMTP feature available as a role service of IIS 7.0, it does provide all of the core requirements of an SMTP server.
  8. C is correct; appcmd is able to resolve some issues when migrating applications from IIS 6.0 to IIS 7.0. Although the developers may end up having to rewrite some code, it is premature to demand that they rewrite everything.
  9. A and E are correct. B is incorrect because while NLBS can be used to load balance client requests across a web farm, it is not a feature of IIS. C is wrong because failover clustering is usually less effective and efficient than NLBS, and it is not a feature of IIS. D is a completely made-up answer, and F is incorrect because HTTP Response Headers is not a performance-related feature.
  10. D is correct because if the data is tracked within the worker process for a site there is no way for another server in the farm to access that information should the server become unavailable.
  11. D and E are correct. A and B are incorrect because configuring permissions in this manner will block all access. C is incorrect because the authentication method has nothing to do with the problem.
  12. A is correct. B is incorrect because you cannot combine digest and anonymous authentication. C is incorrect because if you do not enable anonymous authentication only users with valid AD DS credentials will be able to access the site, and one of the requirements was to allow anyone access to portions of the content.

References

The Web Server page on TechNet has links to many solid papers and articles on deploying, managing, and troubleshooting IIS 7.0.

Microsoft created a website dedicated to helping people develop web applications for IIS and for administrators to support the platform and applications running on it: http://www.iis.net.

Migrating a Large, High-Volume Website to Internet Information Services 7.0.