Internet Information Services (IIS)

Configuring a website on IIS can be done either by editing the default web site or by creating a new site altogether. A single IIS server can support many web sites and differentiate them in a number of ways. The first is by port number. By default, a web server responds on port 80, although this can be changed. If you had only a single IP address, you could host multiple websites by assigning each a different port number. The second is by host header. In this scenario, a web site is identified by its host header name, which matches the domain name used to access it. In the third scenario, the server is assigned multiple IP addresses, and each site simply uses a different address.

To create a new WWW or FTP site, right-click the server name and choose to create a new site; a wizard will walk you through the basic creation process. The majority of the properties must still be configured by accessing the properties of the site itself. The screen shot below shows the many tabs that can be configured for a web site:

An explanation of the tabs is listed below:

  • Web Site – basic identification information about the site including the port number, IP address, description, logging type, and connection information.
  • Operators – controls which users have operator privileges for the site, allowing them administrative control over many properties of the site.
  • Performance – allows the website to be tuned for expected hits, as well as bandwidth and CPU throttling for the site to be configured.
  • ISAPI filters – allows you to configure settings relating to ISAPI filters and their processing order.
  • Home Directory – specifies which directory on the server acts as the root directory for this site, sets permissions and application properties.
  • Documents – defines the default document to be loaded when a request is sent to the server. You can specify alternative documents, as well as change the order of search.
  • Directory Security – controls site authentication, IP address and domain name restrictions, and the configuration of certificates.
  • HTTP Headers – allows you to set content expiration, custom HTTP headers, set content ratings (like RSAC ratings), and configure additional MIME types.
  • Custom Errors – allows you to edit or define custom error pages – for example you could create your own, including your logo.
  • Server Extensions – allows you to use version control, set server performance, set client scripting and properties relating to inheritance of security settings.

As you may have noticed, for a website you are able to set basic permissions that will apply to all users who connect to the site. However, all resources may also be protected by NTFS permissions, which gives you a more granular level of control if required. For example, a user who has the NTFS permission Deny Read for a folder will not be able to view files in that folder, even when accessing the resources through a web server that allows Read on the directory.

Internet Information Services allows a number of different authentication options, depending upon the type of usage required for the server. The screen shot below outlines the choices available. Note that by default, anonymous access and Integrated Windows authentication are selected.

  • Anonymous access – this option does not require the user to provide credentials to access the resource.
  • Basic authentication – password is sent as clear text. Some browsers (like Netscape Navigator) do not support Integrated Windows authentication, necessitating this option.
  • Digest authentication – a challenge/response system that does not pass unencrypted passwords between the client and server.
  • Integrated Windows authentication – formerly called NTLM, uses the credentials of the currently logged-on user.

Both FTP and WWW sites can control access via IP address, while a WWW site can also control access via domain name. This allows you to control either who does not (common) or does (less common) have access to the given site. This would allow you to block connections from a given domain or certain IP address, or limit access to only a selected group or person in the same manner. The screenshot below shows an example of a site that allows access to everyone, except for users from a certain subnet.

Note that you should know how to designate an entire subnet in one of these lists – that will require knowledge of subnetting.
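The subnet designation and the "everyone except" logic described above can be checked with a short script; this is an added example, not code from the original article or from IIS. It assumes a restriction list is modelled as (network ID, subnet mask) pairs, and all addresses and names in it are constructed for illustration.

```python
import ipaddress

def group_entry(any_host_ip, subnet_mask):
    """Derive the (network ID, subnet mask) pair that designates the whole
    subnet containing any_host_ip."""
    net = ipaddress.ip_network(f"{any_host_ip}/{subnet_mask}", strict=False)
    return str(net.network_address), str(net.netmask)

def is_allowed(client_ip, default_grant, exceptions):
    """Apply a restriction list: a client matching any exception gets the
    opposite of the default; everyone else gets the default.
    Raises ValueError if an entry's network ID has host bits set, which
    usually means a host address was entered instead of the network ID."""
    client = ipaddress.ip_address(client_ip)
    networks = [ipaddress.ip_network(f"{nid}/{mask}") for nid, mask in exceptions]
    if any(client in net for net in networks):
        return not default_grant
    return default_grant

# Constructed sample list (assumed layout): one subnet and one single computer.
# A single computer is written with the all-ones mask 255.255.255.255.
EXCEPTIONS = [
    group_entry("192.168.10.77", "255.255.255.192"),  # -> 192.168.10.64 / .192
    ("10.1.2.3", "255.255.255.255"),
]

if __name__ == "__main__":
    # Default is "grant everyone"; the exceptions are therefore denied.
    for ip in ("192.168.10.63", "192.168.10.64", "192.168.10.127",
               "192.168.10.128", "10.1.2.3"):
        verdict = "granted" if is_allowed(ip, True, EXCEPTIONS) else "denied"
        print(f"{ip:16} {verdict}")
```

Testing the addresses on either side of the subnet boundary (.63 and .128 here) is the quickest way to confirm that a mask covers exactly the range you intended to block.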

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.