TOGGIT - IN SEARCH OF CERTIFICATION

Test 070-290 - Managing and Maintaining a Microsoft Windows Server 2003 Environment


Managing and Maintaining a Microsoft Windows Server 2003 Environment

Microsoft Exam 70-290


Microsoft Internet Information Services (IIS) 6.0

IIS runs as an enterprise service in Windows Server 2003. Windows Server 2003 allows you to host multiple Web sites on a single server because Windows Server 2003 and IIS 6.0 have the ability to distinguish between multiple sites. This is accomplished by using the Web site's identification. Each Web site has a unique, three-part identity: a port number, an IP address, and a host header name. Thus, by specifying different port numbers, IP addresses, or host header names for each website, multiple websites can be supported. Each Web site can share two out of three unique characteristics and still be identified as a unique site.

For security reasons, IIS 6.0 is not installed on Windows Server 2003 by default with the exception of the Windows Server 2003, Web Server Edition. Furthermore, a default installation of IIS 6.0 will only serve static content and will not process any scripts or code embedded in the Web pages. Thus, components that support Active Server Pages, Server Side Includes, and FrontPage server extensions, are not installed by default.

Installing IIS 6.0

In Windows Server 2003, you can install IIS through the use of the Configure Your Server Wizard or through the use of the Add or Remove Programs applet in the Control Panel. You can also perform an unattended installation of IIS when deploying IIS on multiple servers.

Using Configure Your Server or Add or Remove Programs to Install IIS

To install IIS 6.0 using the Configure Your Server Wizard, you must configure the Windows Server 2003 server to act as an application server. You can then configure the components of the application server, which includes COM+, ASP.NET, and IIS, through the Configure Your Server Wizard.

Unattended Installation

You can use an unattended setup to install IIS 6.0 on multiple computers. When you use this option, the configuration settings are read from an answer file with an .inf file extension, and applied automatically by the operating system. You only need to initiate the installation process by running winnt32 or the sysocmgr command-line utility with the answer file as the parameter.

Reference: Microsoft Knowledge Base article 222444 - How to Add or Remove Windows Components with Sysocmgr.exe

The following options can be included in an answer file:

asp.net = on   (ASP.NET)

iis_ftp = on   (FTP service)

iis_inetmgr = on   (Internet Information Services Manager)

iis_nntp = on   (NNTP Service)

iis_smtp = on   (SMTP Service)

iis_www = on   (WWW Service)

iis_asp = on   (Active Server Pages)

iis_webdav = on   (WebDAV Publishing)

Note: IIS 6.0 will not function correctly if the Internet Connection Firewall (ICF) is enabled and configured to block the Internet and messaging protocols.

Defining Home Directories

Every Website and FTP site must have a home directory, which is the central location for your published web pages. This directory contains a home page that welcomes Web browser users and contains links to other pages in your site. A default home directory is created when you install IIS and when you create a new Web site. You must specify a different home directory for each service if you set up a Website and an FTP site on the same computer. The default home directory for the WWW service is \InetPub\Wwwroot.

The default home directory for the FTP service is \InetPub\Ftproot. You can choose a different directory as your home directory.

Virtual Directories

A virtual directory is a directory that is not contained in the home directory but appears to client browsers as though it were. It has an alias name that Web browsers use to access it. In other words, a virtual directory is a reference to an existing directory by a Web or FTP site. This improves security because users would not know where your files are physically located and cannot use that information to modify your files. Aliases also make it easier for you to move directories in your site. Rather than change the URL for the directory, you can simply change the mapping between the alias and the physical location of the directory. You can also specify different alias names for the same home directory.

You can create a virtual directory in Internet Services Manager, by expanding the Web Sites or FTP Sites node, right-clicking the Web Site or FTP Site in which you want to create a reference to the virtual directory, selecting New from the pop-up menu and then Virtual Directory. This starts the Virtual Directory Creation Wizard which will lead you through the rest of the process.

Hosting Multiple Web Sites

With IIS 6.0, multiple Web sites or FTP sites can be hosted on a single Windows Server 2003 computer and each Website can host one or more domain names. You can create multiple Web sites and FTP sites on a single Windows Server 2003 computer in one of three ways:

• Append port numbers to the IP address;

• Use multiple IP addresses, each having its own network adapter card; or

• Assign multiple domain names and IP addresses to one network adapter card by using host header names.
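The three-part identity described above (IP address, port number, host header name) can be checked mechanically. The following Python sketch is an added example, not part of the original study guide: it detects two sites claiming the same identity and shows which site answers a request. The `IP:Port:HostHeader` string form, the site names, and the addresses are constructed sample data, and the fallback to a blank host header is a simplified model rather than the exact IIS matching algorithm.

```python
from collections import defaultdict

# Constructed sample: site name -> bindings in "IP:Port:HostHeader" form.
SITES = {
    "Intranet": ["192.0.2.10:80:"],
    "Shop":     ["192.0.2.10:80:shop.example.com"],  # same IP and port, own host header
    "Reports":  ["192.0.2.10:8080:"],                # same IP, own port
    "Partner":  ["192.0.2.11:80:"],                  # own IP, same port
}

def parse_binding(binding):
    """Split 'IP:Port:HostHeader' (IPv4 only) into a normalized identity tuple."""
    ip, port, host = binding.split(":", 2)
    return ip.strip(), int(port), host.strip().lower()

def find_conflicts(sites):
    """Return every identity that more than one site claims (all three parts equal)."""
    owners = defaultdict(list)
    for name, bindings in sites.items():
        for binding in bindings:
            owners[parse_binding(binding)].append(name)
    return {ident: names for ident, names in owners.items() if len(names) > 1}

def resolve(sites, ip, port, host_header):
    """Pick the site for a request; fall back to a blank host header binding."""
    host = host_header.split(":")[0].strip().lower()  # drop an optional ":port" suffix
    table = {parse_binding(b): name for name, bl in sites.items() for b in bl}
    for identity in ((ip, port, host), (ip, port, "")):
        if identity in table:
            return table[identity]
    return None

if __name__ == "__main__":
    print(find_conflicts(SITES))                                    # no duplicates
    print(resolve(SITES, "192.0.2.10", 80, "shop.example.com"))     # host header match
    print(resolve(SITES, "192.0.2.10", 80, "unknown.example.net"))  # blank-header site
```

Note that a request carrying an unrecognized host header is served by the site with a blank host header on that address and port, so that site should be the one you intend to expose by default.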

Enabling Web Service Extensions

Web Service Extensions is a new feature in IIS 6.0. This utility provides Control Panel-like functionality for your IIS components and allows you to permit, prohibit, or change IIS properties. It also allows you to add new IIS extensions to the IIS 6.0 server. The components that Web Service Extensions can enable or disable are: ASP.NET execution; ASP execution; CGI and ISAPI applications; FrontPage Server Extensions; and WebDAV support for IIS directories.

Managing IIS 6.0

IIS 6.0 is managed by using the Internet Information Services Manager console in Administrative Tools. The console can also be accessed through the Computer Management console under the Services and Applications node. The Internet Information Services Manager console allows you to manage all IIS server instances centrally, from one computer. It can be used to set up and manage Web sites, FTP sites, SMTP servers, and NNTP servers. It can also be used to stop and restart IIS servers, Web servers, FTP servers, NNTP servers, and SMTP servers.

You can use the Internet Information Services Manager to set up Web sites and FTP sites by right-clicking the Web Sites node or FTP Sites node, respectively, selecting New from the pop-up menu and then Web Site or FTP Site. This starts the Web Site Creation Wizard or the FTP Site Creation Wizard. You can also use Internet Information Services Manager to configure SMTP and NNTP virtual servers.

Process Accounting

Process Accounting allows you to monitor the way Web sites utilize the server's CPU resources. The information gathered through Process Accounting can be used to determine which sites are using disproportionately high CPU resources or may have malfunctioning scripts or Common Gateway Interface (CGI) processes.

Backing Up and Restoring IIS

The Internet Information Services Manager includes options that allow you to back up and restore the IIS metabase, which stores the IIS configuration settings as XML entries. The metabase has two components: the metabase.xml file and the metabase schema file, both of which are backed up when you back up the metabase.

This allows you to back up and restore your Web server configuration, but not the content files or the settings that remain in the registry.

Distributed File System

IIS 6.0 makes use of the Windows Server 2003 distributed file system (Dfs). Dfs is a means for uniting files on different computers into a single namespace. Dfs lets system administrators build a single, hierarchical view of multiple file servers and file server shares on the network, making it easier for users to access and manage files that are physically distributed across a network. With Dfs, you can make files that are distributed across multiple servers appear to users as if they reside in one place on the network. Users no longer need to know and specify the actual physical location of files in order to access them.

IIS 6.0 takes advantage of the Internet-standard security features that are fully integrated with Windows Server 2003. The following list contains the security protocols supported in IIS 6.0:

• Fortezza satisfies the Defense Message System security architecture with a cryptographic mechanism that provides message confidentiality, integrity, authentication, non-repudiation, and access control to messages, components, and systems. These features are implemented both with server and browser software and with PCMCIA card hardware.

• Secure Sockets Layer (SSL) 3.0, which is used by most Internet browsers and servers for authentication, message integrity, and confidentiality. You can configure your Web server's SSL security features to verify the integrity of your content, verify the identity of users, and encrypt network transmissions. SSL relies upon certificates.

• Transport Layer Security (TLS), which is based on SSL, provides for cryptographic user authentication. TLS also focuses on improving performance by reducing network traffic and providing an optional session caching scheme that can reduce the number of connections that need to be established from scratch.

• PKCS #7 describes the format of encrypted data such as digital signatures or digital envelopes.

• PKCS #10 describes the format of requests for certificates that are submitted to certification authorities.

Authentication

IIS 6.0 provides a number of authentication methods that you can use to control access to your Web sites and FTP sites. These authentication methods are:

• Anonymous access, which enables the users to access the site without explicitly logging on. IIS will impersonate the IUSR_<computer_name> account to execute scripts in this instance.

• Basic Authentication, which is a part of the HTTP 1.0 specification. It sends passwords over networks in Base64-encoded format. The Basic Authentication method is an industry-standard method for collecting user name and password information. Because Basic Authentication transmits passwords in an unencrypted form it is not recommended unless you can secure the connection between the user and your Web server.

• Digest Authentication, which offers the same features as Basic Authentication but uses the hashing method for transmitting the authentication credentials. Digest Authentication is structured to be usable across proxy servers and other firewall applications. As Digest Authentication is a new feature of HTTP 1.1 it is not supported on all browsers. If a non-compliant browser makes a request on a server that requires Digest Authentication, the server will reject the request and send the client an error message.

• Integrated Windows Authentication, which provides NTLM authentication for older versions of Internet Explorer 3.0 that use it to cryptographically authenticate with IIS. Integrated Windows Authentication also provides Web sites and new versions of Internet Explorer with Kerberos v5 authentication. Integrated Windows Authentication is only used if Anonymous access is disabled or denied as a result of NTFS permissions restrictions but is not supported over Proxy server connections.

• .NET Passport Authentication, which uses .NET passports to authenticate Web users.  This is a single sign-on mechanism. The incoming HTTP requests must have the passport credentials inside the query string or as a cookie value. A hacker might compromise the cookie and expose the user to malicious attacks. Therefore, Microsoft recommends that you implement .NET Passport Authentication over SSL.
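The difference between the Basic and Digest items above, shown as an added Python example that is not part of the original study guide: a Basic header decodes straight back to the password, while a Digest response is an MD5 hash bound to a server nonce. The sample values are the published test vectors from RFC 7617 (Basic) and RFC 2617 (Digest, qop=auth); the function names are this example's own.

```python
import base64
import hashlib
import hmac

def decode_basic(header_value):
    """Recover (user, password) from a Basic Authorization header value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_ha1(user, realm, password):
    """The only password-derived value the server needs to keep for Digest."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value for qop=auth; this is what crosses the wire."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(stored_ha1, method, fields):
    """Server side: recompute the response and compare in constant time."""
    expected = digest_response(stored_ha1, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"], fields["qop"])
    return hmac.compare_digest(expected, fields["response"])

# Test vector from RFC 7617: Base64 is an encoding, not encryption.
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="

# Test vector from RFC 2617, section 3.5.
DIGEST_FIELDS = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}
STORED_HA1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")

if __name__ == "__main__":
    print(decode_basic(BASIC_HEADER))                    # password is fully recoverable
    print(server_accepts(STORED_HA1, "GET", DIGEST_FIELDS))
    stale = dict(DIGEST_FIELDS, nonce="0" * 32)          # same response, different nonce
    print(server_accepts(STORED_HA1, "GET", stale))
```

Because the response depends on the nonce, a captured Digest response does not verify against a different server nonce, whereas a captured Basic header is the credential itself.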

Certificates

Certificates are digital identification documents that allow both servers and clients to authenticate each other. They are required for the server and client's browser to set up an SSL connection over which encrypted information can be sent. Server certificates usually contain information about your company and the organization that issued the certificate. Client certificates usually contain identifying information about the user and the organization that issued the certificate.

Controlling Access

After authenticating users, you can control the users' access to resources on your server. IIS 6.0 uses two layers of access control: General Access permissions and NTFS permissions. General Access permissions apply to all HTTP clients and define access to server resources. General Access Permissions can be set at the Web site, directory, and file levels. NTFS permissions define what level of access individual user accounts have to folders and files on the server.

Read - Allows users to gain access to static files, such as .html, .htm or .txt files, by using a Web browser or Web folder. Disabling Read permissions prevents anyone from viewing your Web site’s .html files.

Write - Allows users to change the content of static files on a Web site.

Directory Browsing - Displays a list of files and subfolders in the home directory if a default web page is not defined or is absent.

Script Source Access - Is available only if either the Read or Write permission is enabled. This allows a user to read the source code if Read permissions are enabled, and allows a user to write to the source code if Write permissions are enabled.

Note: Read and Write permissions only affect static files such as .html, .htm and .txt files. They do not affect scripts or executable files. You can also set Execute permissions on a per-Web site and per-directory basis.

Execute Permission Descriptions:

None - Does not allow any programs or scripts to run in the specified Web site or directory.

Scripts Only - Allows applications that are mapped to a script engine to run in the specified directory without having the Execute permission set. This permission is more secure than the Scripts and Executables permission.

Scripts and Executables - Allows applications, including applications that are mapped to script engines, Windows binary files, and .dll and .exe files, to run in the specified directory. When this option is enabled, a user who has Write access can upload and run potentially harmful programs on the server.

Note: If your IIS installation and directories are consolidated on NTFS volumes, you can also use NTFS permissions in Windows Server 2003 to secure your Web server.

Encryption

You should encrypt data that is transmitted over the Internet to ensure the security and confidentiality of the data. When you use encryption, the data is scrambled before it is transmitted. It is decrypted, i.e., unscrambled, after it arrives at its destination. The foundation for this encryption is the SSL 3.0 protocol and the emerging TLS 1.0 protocol, which provide a secure way of establishing an encrypted communication link with users. SSL confirms the authenticity of your Web site and can also confirm the identity of users accessing restricted Web sites.

Managing Websites

Using Scripting to Manage Website Content

A script is a set of commands that you can use to programmatically alter the content of your Web pages. There are two kinds of scripts: client-side and server-side. Client-side scripts run on the Web browser and are embedded in a Web page while server-side scripts run on the Web server and are most often used to modify Web pages before they are delivered to the browser. Server-side scripts can instruct the Web server to perform an action such as process user input or log how often a user visits your Web site.

Reroute Requests with Redirects

When a browser requests a page on your Web site, the Web server locates the page and returns it to the browser. When you move a page on your Web site, you can instruct the Web server to give the browser the new URL, which the browser then uses to request the page again. This process is called redirecting a browser request or redirecting to another URL. Redirecting a URL is useful when you are updating your Web site and want to make a part of it unavailable, or when you have changed the name of a virtual directory and want links to files in the original virtual directory to access the same files in the new virtual directory.

IIS includes two features that provide this functionality: server-side includes (SSI) and the ASP scripting environment, which allow you to dynamically alter Web content after the content has been requested, but before it is returned to the browser.

SSI allows you to perform a host of Web site management activities, from adding dynamic time-stamping to running a special shell command each time a file is requested. SSI commands, which are called directives, are added to Web pages when the pages are designed. When a page is requested, the Web server parses out all the directives it finds in the page and then executes them.

ASP, which is a server-side scripting environment, is primarily designed for Web application development, but can also be used to ease Web site management. It allows you to track users visiting a Web site, or to customize Web content based on browser capabilities.

Operators Group

Operators are a group of users who have limited administrative privileges on individual Web sites. Members of this group can administer properties that affect only their respective sites and do not have access to properties that affect IIS, the Windows server computer hosting IIS, or the network. This method of distributed server administration has the following advantages:

• Each member of the Operators group can act as the site administrator and can change or reconfigure the Web site as necessary. For example, the operator can set Web site access permissions, enable logging, change the default document or footer, set content expiration, and enable content ratings features.

• The Web site operator is not permitted to change the identification of Web sites, configure the anonymous user name or password, throttle bandwidth, create virtual directories or change their paths, or change application isolation.

• Because members of the Operators group have more limited privileges than Web site administrators, they are unable to remotely browse the file system and therefore cannot set properties on directories and files, unless a UNC path is used.

Administering Sites Remotely

IIS 6.0 has remote administration options that you can use to perform administrative tasks on remote computers running IIS. You can use the browser-based Internet Services Manager to change properties on your site if you are connecting to your server over the Internet or through a proxy server; or you can use the Internet Services Manager if you are on an intranet. You can also use Terminal Services over a LAN, PPTP, or dial-up connection to remotely administer IIS.

Note: Internet Services Manager uses a Web site listed as Administration Web site to access IIS properties. When IIS is installed, a randomly selected port number is assigned to the Website. The site responds to Web browser requests for all domain names installed on the computer, provided the port number is appended to the address. If Basic authentication is used, the administrator will be asked for a user name and password when the site is reached. Only members of the Administrators group and Operators group can use the site.

 

 

 


All information on this site is copyright ToggIT.com unless otherwise specified. Material submitted or posted on this site may also contain materials that are copyrights of individual contributors. It is illegal to copy, publish, reproduce, or distribute any materials from this site without the express permission of the owner of this material.

The material on this web site is not sponsored by, endorsed by or affiliated with Microsoft, Inc., CompTIA, or Cisco Systems, Inc. Microsoft, Inc.®, Windows XP, Windows 2000, Windows 2000 Server, Windows 98, Windows NT, Visual Basic, Visual C++, Visual FoxPro, SQL Server and Microsoft logos are trademarks or registered trademarks of Microsoft, Inc. in the United States and certain other countries. A+, Server+, and Network+ are all registered trademarks of CompTIA. CCNA, CCNE, and the Cisco logo are all registered trademarks of Cisco Systems. All other trademarks are trademarks of their respective owners.
