Configuring Public Access to your Personal IIS Web Server

Having a Web site set up on your XP system and making it easy for users to access that site are two different things. Unfortunately, most ISPs now allocate IP addresses to clients using DHCP, so those addresses will periodically change and you would need to inform users of the change every time – not a realistic scenario. Even in cases where your public IP address does not change, users would still need to remember your IP address, making access more difficult than necessary. The solution to this issue lies in the naming infrastructure of the Internet, namely DNS.

If you have your own domain name registered and want users to access your Web server with this name, you’ll need to use a DNS hosting service in order to have clients properly directed to your site. Although many providers offer this service for a fee, check out http://soa.granitecanyon.com/, an organization that provides a free public DNS service.

If you don’t have a domain name registered, all is not lost. A variety of different organizations offer a free dynamic DNS service, such as Dyndns.org. This free service allows you to choose a unique domain name that ends with the dyndns.org domain name, such as danserver.dyndns.org. This address can then be mapped to your IP address, allowing users to access your site using this name rather than having to remember the address. The service also provides links to a wide variety of software utilities that can be used to update DNS dynamically if (or when) your IP address changes, ensuring that your site is always accessible. For more information and to set up an account, see http://www.dyndns.org.

Stopping, Restarting, and Pausing IIS Web Sites

When IIS is installed, both the Web and FTP components run as services. Like any other service on a Windows XP Professional system, these services can be started, stopped, or paused. Under normal circumstances, you don’t even need to use the Services MMC snap-in to configure these settings. Instead, you can either right-click on the Default Web Site or Default FTP Site to start, stop, or pause either, or use the control buttons in the Internet Information Services menu if you prefer.

Stopping a site will disconnect all users and stop the service, while pausing a service will stop any new connections to the server, but allow existing connections to continue on their way. If you’re not using a particular service (like FTP) but have it installed, then consider disabling it from the Services MMC – this will ensure that users cannot connect, and will help to reduce resource usage on your system.

Creating and Storing Web Pages on Your IIS Web Server

Once you’ve got all your Web site settings configured, it’s time to change the content of the site from the default pages to those you’ve created. Start by opening the wwwroot directory and deleting all existing files, since you’ll no longer need these. The most effective way to create your own Web pages is to use an HTML editor like FrontPage, and then save the files with an appropriate filename to the C:\Inetpub\wwwroot directory as applicable.

Just remember that your site homepage is usually called index.html, and that this filename must be added to the Documents list on the properties of the Web site. Be sure to add index.html files to all of your virtual directories as well, unless you have directory browsing enabled.

Understanding Virtual Directories with IIS

A virtual directory is simply a subfolder of a Web site, but one with a difference – it doesn’t necessarily have to exist within the root of your Web site. For example, if you create folders and subfolders within the C:\Inetpub\wwwroot directory, these automatically become virtual directories of your Web site, accessible by appending /foldername after the address of your server in Internet Explorer. However, virtual directories can also exist in locations outside of the root of your website, including in a different path, on a shared folder on a different server, and so forth. When you use the Virtual Directory Creation Wizard, an alias can even be assigned to a folder to give it a different name for web access. For example, the folder C:\shared documents could be made a virtual directory with an alias of docs. Then, when a user needs to access this folder on your Web site, they would simply supply the name of the server with /docs appended to the address. For details on creating a virtual directory using the wizard, see the steps below.

Just as you can configure Web site settings via the properties of the site, you can do the same for a virtual directory. Right-click on the virtual directory and click Properties to configure the Directory, Documents, Directory Security, HTTP Headers, and Custom Errors settings for that virtual directory. These settings are basically identical to those looked at in the properties of the Default Web Site, but provide for more granular control since they apply to a certain virtual directory only.

Step 1: Click Start, and then click Control Panel. Double-click on the Administrative Tools applet. This will provide a list of all Administrative Tools installed on your system. Double-click Internet Information Services.

Step 2: In the Internet Information Services window, click the plus signs next to your computer name and Web Sites to expand them. Right-click on the Default Web Site icon, select New, and then click Virtual Directory.

Step 3: At the Virtual Directory Creation Wizard Welcome screen, click Next. At the Virtual Directory Alias screen type a name for the virtual directory. This will be the name that users access the virtual directory by. Click Next.

Step 4: At the Web Site Content Directory screen, enter the path in which the virtual directory content exists, for example C:\webdocs, or browse to the location. The name of this directory can be different from the Alias you assigned in Step 3. Click Next.

Step 5: At the Access Permissions screen, review the permissions assigned by default. If you want users to be able to view and access the contents of a directory via hyperlinks, check the Browse option. Once complete, click Next. Click Finish to complete the wizard.

Step 6: In the Internet Information Services window, click the Default Web Site icon. Notice that the site now includes a virtual directory named testing in this example, and that the path to this virtual directory is C:\webdocs.

Controlling Access to Your Web Site with IIS and NTFS Security Permissions

Outside of authentication, the most common way to secure the contents of your Web site is through the use of permissions. As you learned earlier, the Home Directory tab in the properties of a Web site includes a section with 4 permissions listed: Script source access, Read, Write, and Directory browsing. By default, only the Read permission is enabled, which allows users to view a Web page, but not change it. If the Write permission is enabled, users can change pages via FTP, FrontPage, or similar programs. The Directory browsing permission is one that you may be familiar with from surfing the Web – when enabled, a user can view a listing of all files stored in a directory, and click on hyperlinks to access them – an example is shown below. Finally, the script source access permission allows scripts stored in a directory to be run. Most commonly, this permission is enabled for directories dedicated to holding scripts, such as a CGI-BIN folder. As a general rule, leave the permissions for a site set to Read, unless you specifically want to use a feature like Directory browsing, since it’s a much safer setting for your pages and will apply to all users who connect to your server.

In much the same way that NTFS permissions can be used to secure local files and folders on your system, they can also be used to obtain a more granular level of control over who can connect to certain Web site directories or files. For example, if you access the Security tab in the properties of a file or folder under C:\Inetpub\wwwroot, you can configure specific permissions for different user or group accounts that you may have created. As a general rule, use IIS permissions as your first line of security, and use NTFS permissions for more control when necessary. Of course, your Web site will need to be stored on an NTFS partition to be able to make use of these permissions.

Windows XP IIS Security Settings

One of the most important considerations when configuring a Web site is how the site will be secured. For example, most Web sites allow anonymous access by default, so any user can connect without being authenticated. However, IIS does allow you to disable anonymous authentication and require that users supply a user name and password when attempting to access your site. To change the authentication settings for your Web site, click the Directory Security tab and click the Edit button in the Anonymous access and authentication control section. This will open the Authentication Methods dialog box. To disable anonymous access, uncheck the checkbox, and then check the Basic authentication checkbox. This will force connecting users to provide a username and password when connecting. To create these user accounts, simply use the User Accounts applet in Control Panel, as if you were creating a normal local user account.
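What Basic authentication puts on the wire, as an added example that is not part of the original article: the server's 401 challenge, the client's retry, and the decoding step that the server (and any device on the path) performs. Basic credentials are only base64-encoded, so this setting is normally paired with SSL on the same site. The path, account name and password are constructed for illustration.

```python
import base64

# Constructed challenge a server sends when anonymous access is disabled.
SERVER_CHALLENGE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="danserver.dyndns.org"\r\n'
    "\r\n"
)


def client_retry(path, host, user, password):
    """Build the request a browser sends after the user fills in the prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Authorization: Basic {token}\r\n\r\n")


def recover_credentials(raw_request):
    """Return (user, password) from a Basic Authorization header, or None."""
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            return None
        user, sep, password = decoded.partition(":")  # password may contain ':'
        return (user, password) if sep else None
    return None


if __name__ == "__main__":
    request = client_retry("/private/", "danserver.dyndns.org", "webuser", "s3cret:pw")
    print(SERVER_CHALLENGE + request)
    print("Recovered without any key:", recover_credentials(request))
```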

Configuring IIS HTTP Headers and Custom Error Tabs

The HTTP Headers tab is another with important configurable properties. The option to Enable Content Expiration enables you to control how long your web pages are cached on client systems or proxy servers before the content is considered invalid. Although not enabled by default, consider enabling this setting and then select an expiry time consistent with how often you intend to change the content of your site.

This tab also allows you to configure custom HTTP headers. HTTP headers are used to support new HTTP features not supported in the current standard, such as new HTML tags, proxy server caching settings, and so forth. A great quick reference to HTTP headers can be found at http://www.cs.tut.fi/~jkorpela/http.html. The Content Rating section allows you to configure Recreational Software Advisory Council (RSAC) ratings for your site. Definitely consider configuring ratings for your site, since these ratings are used by content filtering software (such as NetNanny) and Web browsers to control the types of content that users (such as children) can access. Finally, the MIME Map section of this tab allows you to configure Multipurpose Internet Mail Extensions, a feature that IIS uses to provide Web browsers with information about the type of file they will be receiving. This section can be used to configure custom MIME types on your server, if necessary.

As its name suggests, the Custom Errors tab allows you to configure the messages that will be presented to the users when an error occurs, such as the “404” message associated with a Web page that does not exist or cannot be found. This tab allows you to change the settings of the built in error messages, and provides the path to the folder where the HTML documents associated with these messages are stored.

Configuring IIS Home Directory and Documents Tabs

One of the more important tabs in the properties of the Default Web Site is Home Directory. From this tab you can change the directory that IIS will use as the root of your Web site, or even point the server to a shared folder on another system, such as one not running IIS. Ultimately, this gives an administrator more control over where content is stored. The second section of this tab allows you to configure IIS permissions, a critical consideration that will be looked at in another article in this series.

The Documents tab is relatively straightforward. This tab controls whether a default document is enabled, along with the order and names of the files that should be used as the default document. For example, if a user attempts to access the site http://localhost, but doesn’t provide a specific page in the format http://localhost/page.html, the server will look for, and attempt to load, one of the default documents in the order listed. As shown below, the Web site will first attempt to load a page named Default.htm. If this file is not available, it will try Default.asp, and so forth. Most users will name the default document index.html, so consider adding an entry for this file, and then using the arrow buttons to move it to the top of the list.

Configuring IIS Web Site and ISAPI Filters Tabs

The IIS Web Site tab includes core information about the Web site, including the IP address on which the server will respond to requests (all by default), the TCP port associated with the site (80 by default), connection timeout settings, and whether logging is enabled. If you want to change the default port number on which your site handles requests, change it from this page. For example, some users will choose a different port number (such as 8080) for security purposes, especially with a site that is not meant to be accessed by the general public. When changed, a user will need to supply the port number as part of the URL typed in a Web browser, for example http://localhost:8080. If your Web site will be accessible to the public, leave the site set to use TCP port 80.

The Default Web Site is configured to log all access requests by default. Ultimately, this allows an administrator to periodically review the logs to check who has been connecting to the site and when, as well as which resources they have been accessing. By clicking on the Properties button on the Web Sites tab, you can configure how often new log files are created, the types of information that will be logged, and how the files will be named.
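The periodic log review described above, as an added example that is not part of the original article: it parses a log in the W3C Extended Log File Format that IIS can write, follows the #Fields line (which changes when the logged fields are reconfigured), and reports requests per client, the resources each client asked for, and clients with repeated 401 responses. The sample lines, addresses, user name and the threshold of three are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample (not from a real server); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2004-03-01 09:15:02
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:15:02 192.0.2.10 GET /index.html 200
09:15:04 192.0.2.10 GET /docs/ 200
09:16:40 198.51.100.7 GET /private/report.doc 401
09:16:41 198.51.100.7 GET /private/report.doc 401
09:16:43 198.51.100.7 GET /private/report.doc 401
09:17:10 203.0.113.5 GET /scripts/missing.asp 404
#Date: 2004-03-01 10:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-03-01 10:00:05 192.0.2.10 dan GET /private/report.doc 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the active #Fields names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def summarize(text, threshold=3):
    """Return (requests per client, resources per client, clients with >= threshold 401s)."""
    requests, denied = Counter(), Counter()
    resources = defaultdict(set)
    for row in parse_w3c(text):
        ip = row.get("c-ip", "-")  # "-" if the administrator did not log this field
        requests[ip] += 1
        resources[ip].add(row.get("cs-uri-stem", "-"))
        if row.get("sc-status") == "401":
            denied[ip] += 1
    flagged = sorted(ip for ip, n in denied.items() if n >= threshold)
    return requests, resources, flagged


if __name__ == "__main__":
    requests, resources, flagged = summarize(SAMPLE_LOG)
    for ip, count in requests.most_common():
        print(ip, count, sorted(resources[ip]))
    print("repeated 401 responses:", flagged)
```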

The ISAPI Filters tab is used to install DLL files, which are called by the server during an HTTP request. ISAPI Filters are typically used to define custom authentication methods, or configure compression, encryption, and traffic analysis features. Most home Web server users won’t use these features so we won’t get into them in detail here. For more information on these filters, perform a search for ISAPI on the IIS Documentation web site.

Configuring Web Site Properties with IIS

Once your Web server is up and running, it’s time to begin configuring settings associated with your Web site. To begin, open the Internet Information Services MMC snap-in from the Administrative Tools applet in Control Panel. When opened for the first time, the tool will display an icon representing the local computer. Expand this icon and two folders will appear, assuming that you chose to add both the Web and FTP server during the installation process. The Web Sites folder acts as a storage location for the Default Web Site, which will ultimately house your custom site. Unlike the various server versions of IIS, a Windows XP Professional system running IIS can be configured with a single Web site only. As the name suggests, the FTP Sites folder acts as the storage location for the default FTP site, and again only a single FTP site is supported on XP Pro.

Expand the Web Sites folder to view the Default Web Site icon. Expanding the Default Web Site icon will list any virtual directories that exist, with names like IISHelp, tsweb, and Printers configured by default. Although virtual directories will be outlined in more detail shortly, for now it is enough to know that these directories are accessible from Internet Explorer by simply appending the name of the directory after the server name in a URL. For example, accessing http://localhost/IISHelp will open the IIS Documentation home page in a Web browser.

To configure settings related to the Default Web Site, right-click on that icon and click Properties. This will open the Default Web Site Properties page. On an XP Professional system, this page will provide access to 7 different tabs, including Web Site, ISAPI Filters, Home Directory, Documents, Directory Security, HTTP Headers, and Custom Errors.