asp tutorials, asp.net tutorials, sample code, and Microsoft news from 15Seconds
Be Your Own ISP: Allowing Dynamic User Access
By Nelson Howell, Ben Forta

    This Issue

    This article is a reprint of chapter 19, by Nelson Howell, from a new book called 'Using Microsoft Internet Information Server 4' from Que Education & Training (ISBN 0789712636), due for publication in early March 1998. The chapter covers being your own ISP by allowing dynamic user access, including setting up clients with the ability to control their own Web site and the two ways of uploading content to client Web sites: the traditional FTP method and the newer HTTP PUT facility.

    Introduction

    Internet Service Providers (ISP) and Web Presence Providers (WPP) both face a difficult and demanding challenge to provide competitive services in a cutthroat market. Traditionally, for organizations hosting Web sites for other individuals or companies, some measure of administration on the part of the ISP was always required. The client could always upload his content, but ultimately any changes to the server-side configuration relied on interacting with the administrators. This created a headache for both sides: ISPs were stuck with more work to do with little monetary gain, and clients were left to wait while the administrative processes were carried out. Thankfully, Internet Information Server 4.0 changes that.

    Roadmap
    • Why dynamic access? IIS 4 provides administrators and clients with the means to fully administer Web sites without relying on one another.
    • Setting up: Providing clients with the ability to control their own Web site is a simple matter.
    • Getting the content: There are two ways of uploading content to client Web sites: the traditional FTP method and the newer HTTP PUT facility.

    Determining Load Using Performance Monitor

    When you are operating a server that requires constant updates from outside sources, the task of letting people in is a big one. Loosely defined, dynamic access is the process of giving individual users the ability to connect to your server and update only areas where they are permitted. You might be operating an Internet Service Provider with clients updating their own Web sites, or you might be administrating the network for a large company that requires updates by many departments. Regardless of your situation, the task of letting users in and out of your system has doubtlessly been a source of frustration.

    The only truly reliable method for dynamic access in the past has been FTP access for your users. Your client would use an FTP client to connect to your server (of course, forcing you to maintain an FTP service), change to his own appropriate directory, and upload at will. Although this solution worked, it did require your users to use an FTP client (or an automated publication system that uses FTP). It also required considerably more planning and effort on your part for security, making sure users could only access their own directories, and not someone else's.

    More recently, another solution has become known with server-side extensions, such as Microsoft's FrontPage extensions. Using these extensions, clients can update their Web sites using Microsoft FrontPage or Visual InterDev. These extensions add an upload facility to your Web server, allowing the client's program to upload content changes through the Web server. Although this removes the need for an FTP client, it still doesn't solve the whole issue of allowing clients absolute control over their own Web site. Additionally, they are still forced to use a program such as FrontPage to update their site.

    Internet Information Server 4.0 has introduced a number of key enhancements for dynamic access. First off, remote administration of IIS has been put on par with Netscape SuiteSpot (which is entirely HTML administration based). IIS 4 gives administrators the ability to control Web sites using either the Microsoft Management Console (Internet Service Manager) or a Web-based Internet Service Manager. Unlike many products that offer Web-based administration, the HTML Internet Service Manager is a complete solution. You can control every aspect of your Web site from the HTML manager. In addition to HTML administration of the IIS server, IIS 4 has added the capability for individual Web sites to be independently controlled from one another, using either the MMC or HTML Internet Service Manager.

    Simply put, this lets your clients connect to their Web site using a standard Web browser and control how their site functions. Every aspect of the site, including security options and error messages, is under the control of the client. As an administrator, you can override their choices and control any site, but are not required to have any constant interaction with the administration. This frees you and other administrators to spend time on the more urgent issues of server administration, not site maintenance.

    Beyond administration, IIS 4 now allows clients to update and control the contents of their site using a standard Web browser. Using the RFC 1867 Internet standard for file upload, customers can use the HTTP PUT and DELETE features of their Web browser to add or delete files to their Web site. This is coupled with IIS 4's tight security integration with Windows NT, permitting only authorized users the ability to modify content.

    Note
    This book was written using Internet Information Server 4.0 beta versions 1 and 2. Some features, including Web browser-based content management, were not available or fully functional at the time of writing. These features are reported by Microsoft to be included in the final release version of Internet Information Server 4.0. Your experiences with the release version might differ from those of the authors using beta 1 or 2.

    Internet Service Providers and Web Presence Providers

    Internet Service and Web Presence Providers are faced with the insurmountable task of providing high quality service at a cutthroat price. The maintenance required on client Web sites has always been a loss leader for service providers, constantly at the customer's disposal. With the introduction of IIS 4's advanced administration features, service providers can now free themselves of a large burden. Service providers only need to initially set up the client's Web site and provide the client with the necessary permissions to connect. From then on, the client can update and control his own Web site without disturbing the administrator. The administrator then can concentrate on global IIS administration and server maintenance, while keeping an eye on the client's activity.

    Consider the example depicted in FIG. 19.1. This diagram demonstrates a sample Internet Service Provider or Web Presence Provider's predicament.

    FIG. 19.1

    Service providers are responsible for hosting a number of clients. Client A can only modify his own material, never that of Client B.


    The service provider traditionally has had to manage each point in the diagram, ensuring that each Web site is properly configured and maintained. Unfortunately, every time that a client requires a change to the Web site's configuration (not content), the service provider has been forced to carry out the changes. With Internet Information Server 4.0, the model changes slightly, as shown in FIG. 19.2.

    FIG. 19.2

    With IIS 4, the service provider can give the customer more control over his site while retaining administrative abilities. The fewer hoops to jump through, the happier the client.


    Corporations and Intranets

    As more companies move to open standards-based intranets, departments are trying to cope with updating the contents of their internal sites. An organization might have many internal intranets, likely broken up by department. Each department can have many people updating its site at any given time, and some departments can affect other departments' Web sites. Maintaining a complex intranet is a looming task for administrators. For many organizations, the security of certain intranet Web sites is of paramount importance. Some employees might be able to access and update a site; others are forbidden. To complicate matters even more, many organizations have very large user bases. Users scattered across many network domains can complicate dynamic access. FIG. 19.3 shows a sample corporate intranet situation.

    FIG. 19.3

    Intranets that require secure separate sites that rely on dynamic access can become a headache, especially with a large number of network users.


    With Internet Information Server 4.0, the situation changes to a model similar to FIG. 19.4.

    FIG. 19.4

    IIS 4 provides airtight security models and dynamic access for intranets. Even more so, entire teams can administer their department's Web site.


    Setting Up Client Sites with Dynamic Access

    IIS 4's features for dynamic access are simple to set up. In fact, the HTML administration features of IIS are automatically set up when you install IIS. Each new Web site you create can be accessed from the HTML Internet Service Manager by users with appropriate permissions. The process of setting up client sites can be summarized by these steps:

    1. Using the Internet Service Manager (MMC or HTML), the administrator creates a new Web (or FTP) service.
    2. The site is configured for the client's initial use (for example, the proper IP address, resource allocation, and so forth).
    3. A Windows NT user account for the client is created. This account can have minimal permissions, and will be used to authenticate the user and claim ownership of content files.
    4. The Windows NT user account is given administrator permissions to the Web site. This allows the client to connect to the site and administer it remotely, using either the MMC or HTML Internet Service Manager.
    5. The user account information is given to the client. The client can then upload content as needed and modify the site whenever required.
    Each of these steps is discussed in the following section. In addition to the creation of the client's site, you must provide a means for the client to update the site's content. This is discussed later in the chapter in the section "Letting Clients Update Content."
    Note
    Many steps and pieces of information have been repeated in this chapter for your convenience. For more comprehensive information on setting up and configuring Web sites, refer to information supplied earlier in this book. Your client's Web site functions identically to your own, except that your client pays you for the privilege.

    Creating a New Web or FTP Site

    As the service provider or network administrator, it is your responsibility to create the Web or FTP site for your client. You provide the initial configuration for the customer and give him the ability to change it later. Creating a new site for your client is a simple and painless exercise, something you can finish in minutes. Before you begin creating the customer's site, there are two important considerations:

    IP Address
    Do you have an available IP address bound to your network interface card? Each independent Web and FTP site requires an IP address. You can share IPs for an FTP and Web site through DNS.
    DNS
    Do you have the DNS information for the customer's Web site prepared? Is it set to the proper IP address? Without a functional DNS set up, users on the Internet (or your local intranet) will not be able to connect to the server by a named address.
    Note
    These instructions assume that you have secured and bound an IP address to your server, and that your DNS is functionally prepared for the new site. If you need information on binding IP addresses to your server, please refer to the Microsoft online documentation for Windows NT.

    Adding a New Web Site

    Using the MMC Internet Service Manager, you should follow these steps to create a new virtual Web server for your customer:

    1. Within the Scope Pane, locate your IIS server in the console tree. Right-click your server name and select Create New, Web Site. The New Web Site Wizard appears, as shown in FIG. 19.5.

      FIG. 19.5

      The New Web Site Wizard steps you through the creation of a new Web site on your server.


    2. Enter the Web site's description (such as Jose's Web) in the Web Site Description text box. This is used to quickly identify different sites.
    3. Click the Next button to proceed to the next page, shown in FIG. 19.6.

      FIG. 19.6

      The second page of the New Web Site Wizard determines the IP address for the server, as well as the service port.


    4. From the Select the IP drop-down box, choose the appropriate IP address for your client's site. If you do not assign an IP address, this site will respond on all IP addresses that have not been assigned on this server.
    5. If you want to have this site operating on a different TCP port than the default port 80, enter the port number into the TCP Port text box.
      Caution
      Watch out! Be careful about assigning different port numbers to your servers. All Internet services use different ports. Make sure that you aren't choosing a port that is in use by a different service, such as an FTP server or Proxy server.
    6. Click the Next button to proceed to the third page of the wizard, as shown in FIG. 19.7.

      FIG. 19.7

      Page three of the wizard asks you to enter the home directory path for your new server. You can also determine whether anonymous users are allowed to connect to this site.


    7. The Enter the Path for Your Home Directory text box asks you to define the root of your client's Web server. Almost all of your customer's content will be located off this directory. You can optionally use the Browse button to use the Windows Explorer interface to locate a directory.
    8. If you want to allow anonymous (unidentified) users into the customer's Web site, select the Allow Anonymous check box. If this is a public Web site for the Internet, you will want this option selected.
      Forward Reference
      If you choose not to allow anonymous users into this Web site, they will require a valid Windows NT user name and password to enter. For information on authentication methods and site security, see Chapter 20, "Security Issues: Firewalls and Data Security" on p. xx.
    9. Click the Next button to proceed to the wizard's fourth page, shown in FIG. 19.8. This page is used to control the security settings for your site.

      FIG. 19.8

      Page four of the wizard concentrates on the customer's Web security. These five check boxes determine access permissions for the Web site's home directory.


    10. If you want to allow visitors the ability to view the contents within the home directory, select the Allow Read Access check box. This lets the visitor's browser open the Web content and images within the directory.
    11. If your customer is using Active Server Pages for server-side scripting, select the Allow Script Access check box. This option enables the server-side execution of scripts within Web pages.
    12. To enable server-side programs, such as CGI or ISAPI programs, select the Allow Execute Access check box. This check box also enables server-side script execution.
    13. If you want to allow visitors the ability to modify the contents of the home directory (perhaps by using the HTTP PUT facility of Internet Explorer or Netscape Navigator), select the Allow Write Access check box. This is a security risk, and the implications should be carefully considered.
    14. By default, when a visitor enters an address for a directory, the default page is returned. If you want to allow visitors the ability to browse through a directory's contents, select the Allow Directory Browsing check box.
    15. Click the Finish button to add your client's Web site and close the wizard.
    Your customer's new Web site appears in the console tree.

    Adding a New FTP Site

    Using the MMC Internet Service Manager, you should follow these steps to create a new virtual FTP server for your customer:

    1. Within the Scope Pane, locate your IIS server in the console tree. Right-click your server name and select Create New, FTP Site. The New FTP Site Wizard appears, as shown in FIG. 19.9.

      FIG. 19.9

      The New FTP Site Wizard fulfills the same function as the New Web Site Wizard, but focuses on FTP sites rather than Web sites.


    2. To easily identify your client's FTP site, enter a description (such as the client's name) into the FTP Site Description text box.
    3. Click the Next button to proceed to the next page of the wizard, as shown in FIG. 19.10.

      FIG. 19.10

      Page two of the New FTP Site Wizard lets you assign the IP address and service port.


    4. Use the Select the IP Address drop-down box to choose the IP address for this site. If you do not assign an IP address, this site will respond on all unassigned IP addresses on this server.
    5. If you want to operate the customer's FTP site at a non-standard port (not 21), enter the new port value in the TCP Port text box.
      Caution
      Watch out! Be careful about assigning different port numbers to your servers. All Internet services use different ports. Make sure that you aren't choosing a port that is in use by a different service, such as a Web server or Proxy server.
    6. Click the Next button to proceed to page three of the wizard, shown in FIG. 19.11.

      FIG. 19.11

      Page 3 of the wizard lets you set the home directory for this FTP site.


    7. The home directory for your client's FTP site is the root for all of their content. Use the Enter the Path for Your Home Directory text box to enter the appropriate path. You can use the Browse button to use the Windows Explorer to locate this directory.
    8. Click the Next button to move to the fourth page of the wizard, shown in FIG. 19.12.

      FIG. 19.12

      The final page of the New FTP Site Wizard lets you decide on the access permissions for the home directory.


    9. If, by default, you want to allow visitors the ability to read the contents of the home directory in this site, select the Allow Read Access check box.
    10. If you want to allow visitors to modify the contents of the home directory, select the Allow Write Access check box.
      Note
      You can use NTFS file permissions to extend the security of your files and directories. If you want visitors to be able to upload files, you must have Write access on the directory they will be uploading to.
    11. Click the Finish button to add your new FTP site and close the wizard.
    Your customer's new FTP site appears in the console tree.

    Initial Site Configuration

    Now that you have created your client's site, you can sit down to configure it. Initial configuration for the site is a simple matter of defining a starting point for the client. The fine-tuning of the site can be done by the customer, at his leisure. The core matters for initial configuration of the customer's site should be:

    • Setting the connection limitations and performance tuning options
    • Setting the site logging options for the customer's Web statistics and logs
    • Defining the default documents and document footers
    • Setting security restrictions
    You can leave the rest of the options for your customer to deal with. Your situation might differ from this list. You might prefer to leave more of the initial configuration to your client. It is ultimately your discretion, and best sorted out with your customer.

    Setting Connection Limitations and Performance Options

    Using the Internet Service Manager, you can limit the number of connections that your client's site allows. Ideally, you would place no restrictions on your customer, but unfortunately the need often arises due to bandwidth and server performance concerns. You might choose to limit the total number of connections, the bandwidth usage by the Web site, and the resources to allocate for this site. Without these sorts of limitations, many customer Web sites could put your service into a death grip, consuming all of your bandwidth or server resources.

    Forward Reference
    For more information on limiting connections and tuning your server's performance, see Chapter 15, "Performance Tuning" on p. xx

    Logging Options

    You have a variety of options for logging your customer's Web or FTP site. By default, each site is logged in separate daily files using the Microsoft Logging format. Each site's log files are placed into separate directories in your server's logfile directory (%WinDir%\System32\LogFiles by default). You can choose to use a different format to better suit your client's needs. The different logfile types are:

    • Microsoft Logging: The standard IIS logfile format contains the IP address of the Web site being visited, the visitor's IP address, a user name (if available), the date and time of the connection, the service involved (Web or FTP), the number of bytes sent and received, as well as the actual HTTP request (for example, GET /index.html).
    • NCSA Logging: The long-running standard for logfiles contains the visitor's IP address, the date and time of the connection, the HTTP request, the HTTP version number, and the number of bytes sent and received.
    • Microsoft Extended Logging: When the standard logfiles are not giving you the information you need, you can use the extended logging options and choose what you want to log. Considerable flexibility is given for the logging criteria.
    • ODBC: If you are logging your site's activity to a database, you should be using the ODBC option.
    Forward Reference
    This section only documents logfile logging and not ODBC logging. For more information about logging and managing log files, see Chapter 14, "Managing the Logs" on p. xx
    Here are sample lines for the same visit, in each of the three logfile formats. The first line is Microsoft Logging format, the second is NCSA Logging format, and the last is a sample of the Microsoft Extended Logging format:
    
    192.168.0.2, -, 7/16/97, 22:17:06, W3SVC3, SIDESHOW, 192.168.0.1, 34820, 265, 199, 304, 0, GET, /index.html, -,
    192.168.0.2 - - [16/Jul/1997:22:17:14 -0700] "GET /index.html HTTP/1.0" 304 199
    1997-07-17 04:17:31 192.168.0.2 - 192.168.0.1 GET /index.html 304 199 - -
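
The three formats above can be normalized into one record so that content-changing requests (the HTTP PUT and DELETE verbs this chapter mentions) stand out whichever format a site logs in. This is an added example, not code from the book: the Microsoft Logging field positions and the extended field order are assumptions read off the sample lines (a real extended log declares its order in a "#Fields:" header), and the function names and the lines in CONSTRUCTED_SAMPLES are made up for illustration.

```python
import re
from datetime import datetime

WRITE_METHODS = {"PUT", "DELETE"}  # the content-changing verbs the chapter names
NCSA_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: \S+)?" (?P<status>\d{3}) (?:\d+|-)$'
)
# ASSUMPTION: field order inferred from the page's extended sample line. A real
# extended log declares its order in a "#Fields:" header the page does not show.
EXTENDED_FIELDS = ("date", "time", "client", "user", "server_ip",
                   "method", "uri", "status", "bytes")

# The three sample lines printed in the chapter (one visit, three formats).
PAGE_SAMPLES = [
    "192.168.0.2, -, 7/16/97, 22:17:06, W3SVC3, SIDESHOW, 192.168.0.1, "
    "34820, 265, 199, 304, 0, GET, /index.html, -,",
    '192.168.0.2 - - [16/Jul/1997:22:17:14 -0700] "GET /index.html HTTP/1.0" 304 199',
    "1997-07-17 04:17:31 192.168.0.2 - 192.168.0.1 GET /index.html 304 199 - -",
]
# CONSTRUCTED lines (not from the page): two uploads and a refused delete.
CONSTRUCTED_SAMPLES = [
    "192.168.0.7, jose, 7/16/97, 22:19:40, W3SVC3, SIDESHOW, 192.168.0.1, "
    "120, 512, 0, 201, 0, PUT, /products.html, -,",
    '192.168.0.9 - - [16/Jul/1997:22:21:02 -0700] "PUT /index.html HTTP/1.0" 201 0',
    "1997-07-17 04:22:10 192.168.0.9 - 192.168.0.1 DELETE /old.html 403 0 - -",
]


def make_record(fmt, client, user, when, method, uri, status):
    """Common shape for one request, whatever format it was logged in."""
    return {"format": fmt, "client": client,
            "user": None if user == "-" else user,  # "-" means no user name logged
            "when": when, "method": method.upper(), "uri": uri,
            "status": int(status)}


def parse_microsoft(line):
    # 15 comma-separated fields plus a trailing comma; maxsplit keeps commas
    # inside the final (parameters) field from shifting the other fields.
    f = [p.strip() for p in line.strip().rstrip(",").split(",", 14)]
    if len(f) != 15:
        raise ValueError("not Microsoft Logging format: %r" % line)
    when = datetime.strptime(f[2] + " " + f[3], "%m/%d/%y %H:%M:%S")
    return make_record("microsoft", f[0], f[1], when, f[12], f[13], f[10])


def parse_ncsa(match):
    when = datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return make_record("ncsa", match["client"], match["user"], when,
                       match["method"], match["uri"], match["status"])


def parse_extended(line):
    parts = line.split()
    if len(parts) < len(EXTENDED_FIELDS):
        raise ValueError("too few fields for extended format: %r" % line)
    f = dict(zip(EXTENDED_FIELDS, parts))
    when = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
    return make_record("extended", f["client"], f["user"], when,
                       f["method"], f["uri"], f["status"])


def parse_line(line):
    """Detect which of the three logfile formats a line uses and parse it."""
    line = line.strip()
    m = NCSA_RE.match(line)
    if m:
        return parse_ncsa(m)
    if line.count(",") >= 14:
        return parse_microsoft(line)
    if re.match(r"^\d{4}-\d{2}-\d{2} ", line):
        return parse_extended(line)
    raise ValueError("unrecognized log line: %r" % line)


def review_writes(lines):
    """Return one finding per PUT/DELETE request, in input order."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):  # skip blanks and directives
            continue
        rec = parse_line(line)
        if rec["method"] not in WRITE_METHODS:
            continue
        if not 200 <= rec["status"] < 300:
            rec["finding"] = "write refused"
        elif rec["user"] is None:
            rec["finding"] = "anonymous write succeeded"
        else:
            rec["finding"] = "authenticated write"
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in review_writes(PAGE_SAMPLES + CONSTRUCTED_SAMPLES):
        print(f["finding"], f["client"], f["user"], f["method"], f["uri"], f["status"])
```

A successful write with no user name logged is the case to look at first on any site where Allow Write Access has been selected.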
    
    
    To choose a logging format for your customer, follow these steps within the MMC Internet Service Manager:
    1. Right-click your customer's Web or FTP site and choose Properties to open the Properties dialog box, as shown in FIG. 19.13.

      FIG. 19.13

      The Web Site tab of the Web Properties dialog box lets you change the logging format for your customer's site. The FTP Properties dialog box offers a similar choice with only two logging formats.


    2. Choose the appropriate logging format from the Active Log format drop-down box. If you do not want to have a log file for this site, deselect the Enable Logging check box.
    3. To alter the properties of your logfile, click the Properties button. This opens the Logging Properties dialog box. This dialog box differs according to the log file format you have selected. Regardless of which of the three logfile formats you chose (omitting ODBC), the first tab should resemble the one shown in FIG. 19.14.

      FIG. 19.14

      The Logging Properties dialog box differs slightly between logfile formats. The first tab lets you control logfile frequency and location.


    4. The New Log Time radio button grouping lets you choose how often new logfiles are created. Select a value appropriate for your client, ranging from Daily to a logfile of an unlimited size.
    5. The Log File Directory text box specifies the location of this site's logs. In actuality, your client's logs will appear in a subdirectory within the specified path. Enter the path where you want the logfiles to be stored, or use the Browse button to search for a directory.
    6. If you chose Microsoft Extended Logging format, select the Extended tab to switch pages (as shown in FIG. 19.15). If you did not choose Extended Logging, click OK to confirm your choice and close the dialog box.

      FIG. 19.15

      The Extended tab lets you specify the logging criteria for the Microsoft Extended Logging format.


    7. Choose the criteria you want to have logged for this client by selecting the desired check boxes. If you do not want an option logged, make sure the check box is deselected.
    8. When you are satisfied with your choices, click OK to confirm your choices and close the dialog box.

      Default Documents and Footers

      The Default Document for a Web site is the file name that your client's Web site looks for first. When a visitor enters a URL that does not specify a document (such as http://www.mycompany.dom instead of http://www.mycompany.dom/index.html), this document is used as the default choice. You can specify a number of different possibilities in the order they should be used. This is a useful feature for clients that have originally been using different types of Web servers, such as UNIX servers, where naming conventions differ. By modifying the default documents for your customer, he might not have to rename documents when he moves his Web site. The standard default document names are:

      • Default.HTM for Windows-based Web servers, such as IIS
      • Default.ASP for Active Server Pages documents containing server-side scripting
      • Default.STM for Windows documents containing server-side includes
      • Index.html for most UNIX Web servers
      In addition to default documents, you can also specify an optional document footer. This document is appended to the end of each page that is served out of your client's Web site. For example, your client can choose to have a copyright message appended to the end of each page. You can choose to use this for your own needs by appending footers advertising your company's services.
      Note
      Default documents and document footers only apply to Web sites.
      To define default documents and/or document footers, follow these steps from within the MMC Internet Service Manager:
      1. Right-click your client's Web site and choose Properties to open the Web Properties dialog box.
      2. Select the Documents tab, as shown in FIG. 19.16.

        FIG. 19.16

        The Documents tab lets you set the default documents for your client's Web site. You can also set up a document footer to be appended to every outgoing page.


      3. To add a new default document, click the Add button.
      4. Enter a default document file name into the Default document name text box within the Add Default Document dialog box. Click the OK button to close the dialog box.
      5. To remove a default document, select the file name and click the Remove button.
      6. To change the order in which default document file names will be used, select a document name and click the arrows to the left of the list. Moving the document to the top means that it will be the first checked, moving it to the bottom means that it will be last.
      7. To add a document footer, select the Enable Document Footer check box. The text box below the check box appears.
      8. Enter the path to the document footer file in the text box, or use the Browse button to locate the file using the Windows Explorer interface.
      9. When you are satisfied with your changes, click the OK button to close the dialog box and commit your changes.
        Caution
        Remember that the document footer is appended to every Web page that is sent out of your customer's Web site. Be careful not to disrupt the Web site's integrity or display. Plan your document footer carefully and test it thoroughly.

        Security Restrictions

        Controlling who has access to your customer's site is important, especially if this is for an intranet. You have several facilities for limiting access to virtual servers:

        • Password and Authentication methods: To ensure safe and reliable exchange of protected information, you can limit access to certain users. Different authentication methods can be used for transferring passwords and identifying users.
        • Secure Communications: All communication with your client's Web site can be encrypted using SSL. Secure channels can be used to limit outside eavesdropping.
        • TCP/IP Access Restrictions: You can limit who can connect to your customer's Web or FTP site by restricting certain Internet domains or IP addresses. This can be done on an individual basis (to weed out troublemakers) or on a group basis.
        To control security restrictions for your customer's Web site, follow these steps within the MMC Internet Service Manager:
        1. Right-click your customer's Web site and choose Properties to open the Web Properties dialog box.
        2. Choose the Directory Security tab, as shown in FIG. 19.17.

          FIG. 19.17

          The Directory Security tab controls security for your client's Web site. You can control authentication, encryption, and access right down to the IP address level.


        3. To select password authentication methods, click the Edit button in the Password Authentication Method group. This opens the Authentication Methods dialog box, shown in FIG. 19.18.

          FIG. 19.18

          The Authentication Methods dialog box lets you choose one or more authentication methods.


        4. Modify the authentication methods as needed by selecting the check box for the appropriate methods. When you are finished, click the OK button to close the dialog box.
          Forward Reference
          Authentication methods are covered in more detail in Chapter 20, "Security Issues: Firewalls and Data Security."
        5. To set up secure communications (using the SSL protocol), click the Edit button in the Secure Communications group. This opens the Secure Communications dialog box, shown in FIG. 19.19.

          FIG. 19.19

          The Secure Communications dialog box sets up secure channels for this site.

        6. To require a secure channel, select the Require Secure Channel check box. You can then optionally require 128-bit encryption (as opposed to 40-bit) by selecting the Require 128-bit encryption check box.
        7. To manage your keys, click the Key Manager button. Key Manager is covered comprehensively elsewhere in this book.
        8. Click the OK button to commit your changes and close the dialog box.
        9. To restrict access to your customer's site on a TCP/IP level, refer to the TCP/IP Access Restrictions group. Select how all computers will be treated by default: Granted Access or Denied Access.
        10. For exceptions to your default choice, click the Add button. This opens a dialog box for granting or denying access (based on your default), as shown in FIG. 19.20.

          FIG. 19.20

          If you by default grant access to all computers, you can selectively deny access to single machines, groups of machines, or entire domains. Alternatively, if you deny all machines, you can choose whom to allow.

        11. To control a particular computer's access, select Single computer. Enter the computer's IP address in the IP Address text box. You can use the DNS lookup button to enter a fully qualified domain name for resolution.
        12. To control a range of computers' access, select Group of Computers. You must then enter the Network ID and Subnet Mask for the group in the supplied text boxes.
        13. To control an entire domain's access, select Domain Name. Enter the domain name to control in the Domain Name text box.
        14. Click OK to add your restriction.
          Note
          Remember that if you choose by default to grant access to all users, you are specifying that some computers are to be denied access. If you choose by default to deny access to all users, you are then specifying some computers to be allowed access.
        15. When you are done defining Directory Security, click OK to commit your changes and close the dialog box.
        To control security restrictions for your client's FTP site, follow these steps in the MMC Internet Service Manager:
        1. Right-click your customer's FTP site and select Properties. This opens the FTP Properties dialog box.
        2. Select the Directory Security tab, as shown in FIG. 19.21.

          FIG. 19.21

          Controlling TCP/IP access restrictions for an FTP site is identical to the process for a Web site.

        3. To restrict access to your customer's site on a TCP/IP level, refer to the TCP/IP Access Restrictions group. Select how all computers will be treated by default: Granted Access or Denied Access.
        4. For exceptions to your default choice, click the Add button. This opens a dialog box for granting or denying access (based on your default), as shown in FIG. 19.20.
        5. To control a particular computer's access, select Single computer. Enter the computer's IP address in the IP Address text box. You can use the DNS lookup button to enter a fully qualified domain name for resolution.
        6. To control a range of computers' access, select Group of Computers. You must then enter the Network ID and Subnet Mask for the group in the supplied text boxes.
        7. To control an entire domain's access, select Domain Name. Enter the domain name to control in the Domain Name text box.
        8. Click OK to add your restriction.
        9. When you are done defining Directory Security, click OK to commit your changes and close the dialog box.
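
        The default-plus-exceptions logic that both procedures configure can be checked on paper before the rules are entered. The Python model below is an added example, not IIS code or part of the original chapter; Restriction, is_allowed, the rule lists and the documentation-range addresses are constructed, and the domain match assumes the server compares the name it gets from a reverse lookup of the client address.

```python
"""Model of the TCP/IP Access Restrictions logic: one default plus exceptions.

Added illustration, not IIS code. Restriction, is_allowed and the sample
addresses (RFC 5737 documentation ranges) are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Restriction:
    kind: str        # "single", "group" or "domain" (the three dialog choices)
    value: str       # IP address, Network ID or domain name
    mask: str = ""   # Subnet Mask, used only when kind == "group"

    def network(self) -> ipaddress.IPv4Network:
        """Return the group as a network; reject a Network ID with host bits set."""
        # strict=True raises ValueError for e.g. 192.0.2.10 / 255.255.255.0,
        # a typing mistake that would otherwise go unnoticed.
        return ipaddress.IPv4Network(f"{self.value}/{self.mask}", strict=True)

    def matches(self, client_ip: str, client_host: Optional[str] = None) -> bool:
        ip = ipaddress.IPv4Address(client_ip)
        if self.kind == "single":
            return ip == ipaddress.IPv4Address(self.value)
        if self.kind == "group":
            return ip in self.network()
        if self.kind == "domain":
            # Assumption of this model: client_host is the name obtained by a
            # reverse lookup of the connecting address; None means no name.
            if not client_host:
                return False
            host = client_host.lower().rstrip(".")
            domain = self.value.lower().rstrip(".")
            return host == domain or host.endswith("." + domain)
        raise ValueError(f"unknown restriction kind: {self.kind!r}")


def is_allowed(default_granted: bool, exceptions: Iterable[Restriction],
               client_ip: str, client_host: Optional[str] = None) -> bool:
    """Apply the default, then flip it for any client that matches an exception."""
    hit = any(r.matches(client_ip, client_host) for r in exceptions)
    return default_granted != hit


# Plan A: Granted Access by default, so the exceptions are denied.
DENY_LIST = [
    Restriction("single", "203.0.113.7"),
    Restriction("group", "198.51.100.0", "255.255.255.192"),
    Restriction("domain", "blocked.example"),
]

# Plan B: Denied Access by default, so the exceptions are allowed.
ALLOW_LIST = [
    Restriction("group", "192.0.2.0", "255.255.255.0"),
    Restriction("single", "203.0.113.50"),
]

# Constructed test clients: (IP address, reverse-lookup name or None).
CLIENTS = [
    ("203.0.113.7", None),
    ("198.51.100.63", None),                  # last address inside the group
    ("198.51.100.64", None),                  # first address outside it
    ("192.0.2.99", "pc99.blocked.example"),
    ("192.0.2.99", None),                     # same machine, lookup returned nothing
    ("203.0.113.50", None),
]


def evaluate(default_granted: bool, exceptions: Iterable[Restriction]) -> list:
    """Return the allow/deny decision for every constructed client, in order."""
    rules = list(exceptions)
    return [is_allowed(default_granted, rules, ip, host) for ip, host in CLIENTS]


if __name__ == "__main__":
    for name, default, rules in (("grant by default", True, DENY_LIST),
                                 ("deny by default", False, ALLOW_LIST)):
        print(name)
        for (ip, host), ok in zip(CLIENTS, evaluate(default, rules)):
            print(f"  {ip:15} {host or '-':22} {'allowed' if ok else 'denied'}")
```

        In this model the grant-by-default plan lets the fifth client through because its domain exception has no name to match, while the deny-by-default plan decides on addresses alone.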

        Creating an NT User Account

        Before your customer can administer his site, he must be given a standard Windows NT user account for authentication. This user account is used to identify the user and control his access. The user's account does not need administrator permissions to administer a Web site. The user account only needs the Log On Locally user right. To create a new NT user account for your customer, follow these steps:

        1. Open the User Manager for Domains, as shown in FIG. 19.22.

          FIG. 19.22

          The User Manager for Domains is used to add and remove users from the Windows NT domain. It also is used to control user rights and event auditing.

        2. From the menu, choose User, New User. This opens the New User dialog box, shown in FIG. 19.23.

          FIG. 19.23

          The New User dialog box is where you set up your customer's Windows NT account.

        3. Enter the customer's user name in the Username text box.
        4. Optionally, enter the customer's full name in the Full Name text box.
        5. Optionally, enter a description of this account in the Description text box.
        6. Enter a case-sensitive password for your client in the Password text box. Your typing will be shadowed with asterisks (*) instead of the actual password.
        7. Re-enter the password, exactly the same way as you typed it the first time, in the Confirm Password text box. This ensures that you did not make a mistake entering the user's password.
        8. Deselect the User Must Change Password at Next Logon check box.
        9. Select the Password Never Expires check box.
        10. If you have defined user groups for this user to belong to, click the Groups button. This opens the Group Memberships dialog box, as shown in FIG. 19.24.

          FIG. 19.24

          Group memberships are used to logically group users of similar permissions or objectives. You can create your own groups within the User Manager for Domains.

        11. Modify your customer's group memberships as required. To add this user account to a group, select the group in the Not a Member list and click the Add button. To remove this user account from a group, select the group in the Member of list and click Remove.
        12. When you are done modifying group memberships, click OK to close the dialog box.
        13. Click the Add button to add this user account to the domain database.
        14. Click the Close button to close this dialog box.
        To give this user the Log On Locally right that is required for remote administration, follow these steps within the User Manager for Domains:
        1. From the menu, choose Policies, User Rights. This opens the User Rights Policy dialog box, as shown in FIG. 19.25.

          FIG. 19.25

          User Rights control what users can do on your server. For remote administration, each user account must have the Log On Locally right.

        2. From the Right drop-down box, select Log on Locally.
        3. The Grant to box lists each user that has this right. To add your client's user account, click the Add button. This opens the Add Users and Groups dialog box, as shown in FIG. 19.26.

          FIG. 19.26

          You can give individual users this right, or entire group memberships.

        4. Click the Show Users button to refresh the Names list.
        5. In the Names list, locate your customer's user account name. Select it and click Add. The user account name appears in the Add Names box at the bottom of the dialog box.
        6. Click OK to close this dialog box.
        7. The Grant to list now includes your customer's user account. Click the OK button to close this dialog box.

        Giving Administrator Privileges

        Now that your customer has a user account, you can return to the MMC Internet Service Manager. Within the Properties dialog box for your customer's site, you can add your customer's user account to a list of administrators (also known as site operators). Only users listed as operators for that site can modify its configuration. To add your customer's account to the list of operators, follow these steps:

        1. In the Internet Service Manager (MMC), right-click the customer's site and choose Properties. This opens the Web or FTP Properties dialog box, depending on the type of site.
        2. Click the Security Accounts tab. This tab is shown in FIG. 19.27 for Web sites, and in FIG. 19.28 for FTP sites.

          FIG. 19.27

          The Web Site Operators list contains the names of users who are permitted to administrate this Web site.

          FIG. 19.28

          The FTP Site Operators list contains the names of users who are permitted to administrate this FTP site.

        3. Click the Add button. This opens the Add Users and Groups dialog box, as shown in FIG. 19.26.
        4. Locate your customer's user account name and select it. Click the Add button. Your user's account name appears in the Add Names list at the bottom of the dialog box.
        5. Click OK to close this dialog box.
        6. Your customer's account name is now listed in the Operators list and your customer can now administrate his site independently.

        What to Give the Client

        For your customer to begin administrating his site, he needs a few pieces of information from you. This includes:

        His account name and password
        Make sure to note the capitalization of the password (account names are not case sensitive).

        His site's name
        When your customer first connects to the Internet Service Manager (HTML), he might see a list of sites. Although he might not have access to other sites, you should inform the client of his site name so he can easily pick it from the list.

        The administration URL
        A specific Web address is used to connect to the HTML Internet Service Manager. When IIS is first installed, the administration site is placed on a random port number. Check your administration port number before giving the customer the URL. A sample URL is: http://www.myserver.dom:3990/iisadmin/iis.asp.

        You should also explain the basics of HTML-based administration to your client so that he understands what is involved. Just to be sure, online documentation is available through the Web site in case he gets lost.

        Letting Clients Update Content

        The most important process in dynamic access is allowing the client to update his site. If the customer could not put his Web or FTP material in his site, it wouldn't do much good as a dynamic access system. IIS 4 provides you with a few methods for content updates:

        HTTP PUT
        Netscape Navigator 2.01+ and Microsoft Internet Explorer 3.02+ support RFC 1867 for HTTP-based upload and file deletion. This allows clients to update their site's contents using a standard Web browser.

        FrontPage Extensions
        Both Microsoft FrontPage and Visual InterDev use FrontPage extensions to update and modify Web content. These extensions let these programs upload as well as download through the HTTP protocol.

        FTP
        When it gets down to brass tacks, FTP is one of the most reliable methods for updating content. By using an FTP client, your customer can upload any changes to his Web site without relying on the Web server.

        HTTP PUT Method

        Using the Microsoft Posting Acceptor, IIS 4 can allow users to upload Web content through a standard Web browser. A file is dragged onto a form and sent to the server using the HTTP PUT command. The server in turn places the file in the appropriate location, as determined by the form. For files that must be removed, the browser can send the HTTP DELETE command to the server to erase the file.

        IIS 4's HTML Administrator allows site operators to control their site's content using this method. When a directory is selected, the client can press the Browse button to view the directory's contents. Using a Web browser, the client can then modify the contents of that directory by uploading and deleting existing files.

        Note
        At the time of this writing, Internet Information Server 4.0 did not properly support browser-based content management using HTTP PUT and DELETE. This matter should be resolved for the release version.

        FrontPage Extensions Method

        Microsoft acquired Vermeer Technologies in early 1996. Vermeer had created the FrontPage what-you-see-is-what-you-get (WYSIWYG) Web editor for the Windows platform. FrontPage's key appeal, aside from its ease of use, was its use of server-side extensions for communicating with the Web server. Rather than rely on an outside means of updating content (such as FTP), the FrontPage extensions added functionality to the Web server to allow FrontPage to communicate with the server and upload new content. This simply meant that the user never had to leave FrontPage to modify and update his Web site. Microsoft enhanced FrontPage and the FrontPage extensions, in addition to using the FrontPage extensions for Visual InterDev. Visual InterDev, Microsoft's high-end Web development environment, uses the same extensions as FrontPage, creating a multi-product solution. The FrontPage extensions are also available for several platforms and Web servers, on both the Windows and UNIX platforms.

        Internet Information Server 4.0 includes support for FrontPage extensions (specifically extensions for the forthcoming FrontPage 98, fully backward compatible with FrontPage 97 and Visual InterDev). FrontPage extensions must be installed using the IIS Setup program. If you did not install these extensions when you first installed your IIS server, follow these steps:

        1. Open the Internet Information Server Setup program. Click the Next button until you advance to a page offering you three buttons, as shown in FIG. 19.29.

          FIG. 19.29

          These three buttons let you modify an already installed IIS installation.

        2. Click the Add/Remove button to add a new component. The components list appears, as shown in FIG. 19.30.

          FIG. 19.30

          The components list lets you add complete components to your installation, or only certain parts.

        3. In the Components list, locate and select FrontPage 98 Extensions.
        4. Click the Next button to proceed.
        5. Depending on the components you have installed on your system, you might be prompted to confirm directory locations and other criteria (such as for the Index Server). Confirm these options and continue to press Next.
        6. Setup carries out the changes you requested. When Setup is complete, click the Finish button to close the dialog box and end Setup.
        For a client to update his site using FrontPage or Visual InterDev, his Web site must be designated a FrontPage Web. To do so, follow these steps:
        Note
        A FrontPage Web is a logical designation for a Web project. A FrontPage Web can be a complete virtual Web server (for example, http://www.myserver.dom), or it can be a sub-site of an existing site (for example, http://www.myserver.dom/fishing).
        1. Open the MMC Internet Service Manager.
        2. Right-click the customer's Web site and choose Properties. This opens the Web Properties dialog box.
        3. Select the Home Directory tab, as shown in FIG. 19.31.

          FIG. 19.31

          By selecting the FrontPage Web check box, you are setting this site up to be accessible through the FrontPage server extensions.

        4. Select the FrontPage Web check box under Content Control.
        5. Click OK to commit this change and close the dialog box. Your client can now use either FrontPage or Visual InterDev to control the content of his site.

        FTP Method

        The method for updating content that has been in the longest use is FTP. FTP is a reliable means of transferring data without needing special server extensions or browser updates. Any standard FTP client (including command-line clients) can connect to an FTP service and update content. To offer FTP content updates to your clients, you must make a choice. Do you want to use a separate FTP site for each client, connected to his or her Web site's IP address? Or do you want to use one FTP site that requires clients to change to their appropriate home directory? Each offers advantages and disadvantages. The most notable advantage of separate FTP sites is ease of use: clients only need to remember their own site's address, and they are automatically placed in the appropriate directories. The main disadvantage of this method is that each site requires more overhead than a single site.

        If you choose to offer individual FTP sites, make sure to assign the FTP site to the same IP address as the Web site. You should assign the FTP site's home directory to be the same as the Web site's home directory. Assign write permissions to the directory and also be sure to prevent anonymous logons.

        Note
        Make careful use of NTFS file security for FTP sites. Take the time to be sure that all of your customer's files are owned and writable only by their user account (or group). You also must ensure that the anonymous user account for your Web server (usually I_USR) has read permissions to all files. Sample NTFS permissions for a customer's directory and files are:

        Account                     Permission
        Administrator               Full Access
        Customer's user account     Change
        Anonymous Web account       Read

        If you have selected to use one central FTP site, there are two important notes:
        • The same rules to NTFS security apply here, if not more so. Every client will be accessing this FTP site, so make sure to lock up all files tight. You don't want clients messing with other people's files.
        • If you create a virtual directory in your FTP site pointing to the customer's home directory, give it the same name as your customer's account name. This will start the customer in that directory.
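
        The sample NTFS permissions and the one-directory-per-account rule above can be turned into a repeatable check for a central FTP site. The Python audit below is an added example, not part of the original chapter; the listing is a constructed sample in the style of cacls output, and the server name, account names and paths are made up.

```python
"""Audit customer directory ACLs against the sample NTFS permissions above.

Added illustration, not part of the original chapter. The listing is a
constructed sample in the style of cacls output; server, account and path
names are made up.
"""
import re
from collections import defaultdict

ADMIN = r"BUILTIN\Administrators"     # constructed administrator entry
ANON = r"WEBHOST\IUSR_WEBHOST"        # constructed anonymous Web account
DOMAIN = "WEBHOST"                    # constructed server/domain name
RANK = {"N": 0, "R": 1, "W": 2, "C": 3, "F": 4}  # None < Read < Write < Change < Full

SAMPLE_LISTING = r"""
D:\ftproot\acme BUILTIN\Administrators:(OI)(CI)F
                WEBHOST\acme:(OI)(CI)C
                WEBHOST\IUSR_WEBHOST:(OI)(CI)R
D:\ftproot\globex BUILTIN\Administrators:(OI)(CI)F
                  WEBHOST\globex:(OI)(CI)C
                  WEBHOST\acme:(OI)(CI)C
                  WEBHOST\IUSR_WEBHOST:(OI)(CI)C
D:\ftproot\initech BUILTIN\Administrators:(OI)(CI)F
                   Everyone:(OI)(CI)F
                   WEBHOST\IUSR_WEBHOST:(OI)(CI)R
"""

# account name, optional inheritance flags such as (OI)(CI), permission letter
ACE = re.compile(r"^(?P<account>.+?):(?:\([A-Z]+\))*(?P<perm>[NRWCF])$")


def parse_listing(text):
    """Return {path: {account: permission letter}} from a cacls-style listing."""
    acls, current = defaultdict(dict), None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                # a new path starts in column 0
            current, line = line.split(None, 1)  # sample paths contain no spaces
        match = ACE.match(line.strip())
        if match is None or current is None:
            raise ValueError(f"unparsable line: {line!r}")
        acls[current][match["account"]] = match["perm"]
    return dict(acls)


def audit(acls):
    """Return sorted (path, finding) pairs for every deviation from the policy."""
    findings = []
    for path, aces in acls.items():
        # The directory is named after the customer's account, as advised above.
        customer = DOMAIN + "\\" + path.rsplit("\\", 1)[-1]
        expected = {ADMIN: "F", customer: "C", ANON: "R"}
        for account, want in expected.items():
            have = aces.get(account)
            if have is None:
                findings.append((path, f"{account} has no entry, expected {want}"))
            elif RANK[have] > RANK[want]:
                findings.append((path, f"{account} has {have}, expected {want}"))
        for account, have in aces.items():
            if account not in expected and have != "N":
                findings.append((path, f"unexpected account {account} has {have}"))
    return sorted(findings)


if __name__ == "__main__":
    for path, finding in audit(parse_listing(SAMPLE_LISTING)):
        print(f"{path}: {finding}")
```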

        Letting the Client Administer the Site

        The HTML Internet Service Manager provides almost identical functionality to the MMC Internet Service Manager. Most noticeably different is the lack of snap-ins (such as Transaction Manager operation) and right-mouse functionality (it is a Web browser after all). When your client points his frames- and JavaScript-capable Web browser to the IISAdmin URL, the following process is carried out:

        1. If the user is using Microsoft Internet Explorer (the only browser to support NTLM authentication) and has a valid user account, the user is immediately logged in and greeted by the HTML Internet Service Manager, shown in FIG. 19.32.
        2. If the user is visiting with Netscape Navigator, a different browser, or does not have a valid account through NTLM authentication, he might be prompted for a user name and password. If the user name and password are verified correctly (refer to the security information in Chapter 20, "Firewalls and Data Security" for details), the user is brought to the Internet Service Manager.

          FIG. 19.32

          The HTML Service Manager differs in appearance from the Microsoft Management Console, but offers the same basic functionality.

        3. The customer must select the appropriate Web or FTP site from the server tree. Only sites that the user has been given Site Operator permissions for are available to the customer.
        4. Your customer can then start, stop, or pause the service. He also can choose to open the properties for the service for configuration.

        Starting, Stopping, Pausing

        If your customer wants to stop, restart, or pause his Web site's availability, he can easily do so from the HTML Internet Service Manager. To control the operation of a Web site using the HTML Internet Service Manager, follow these steps:

        1. Select the appropriate site from the site listing.
        2. To shut down the site and make it unavailable, click the Stop button on the left.
        3. To restart a site that has been shut down, click the Start button on the left.
        4. To temporarily pause the site, click the Pause button on the left.
        5. To resume the site after it has been paused, click the Resume button on the left.

        Site Properties

        Much as you open the Properties dialog box for your site in the MMC Internet Service Manager, your customer can use the HTML Internet Service Manager to configure his site. To open the properties of a site within the HTML administration, follow these steps:

        1. Select the appropriate site from the site list.
        2. Click the Properties button on the left. The Site properties page appears, as shown in FIG. 19.33.

          FIG. 19.33

          The Site Properties page mimics the Site Properties dialog box in the MMC Internet Service Manager.

        3. Use the buttons along the left side of the page to switch tabs. Use these tabs to mimic the MMC Internet Service Manager's Site Properties dialog box.
        4. To return to the site list, click the Back button. This returns you to the IISAdmin main page.

          Directory Properties

          In addition to site properties, you can manipulate directory properties in the HTML Internet Service Manager. To do so, follow these steps:

          1. Select the appropriate site in the site list.
          2. Beside each site is a plus (+) sign denoting a node in the server scope. Click the + sign to expand the node.
          3. Each directory within the site is listed below the site name. Select the directory you want to modify.
          4. Click the Properties button on the left of the page. This opens the Directory Properties page, as shown in FIG. 19.34.

            FIG. 19.34

            The Directory Properties page lets you define directory options and security, just like the MMC Internet Service Manager.

          5. Select the appropriate tab by clicking the buttons on the left of the page. This reproduces the tabs in the MMC Internet Service Manager's Directory Properties dialog box.
          6. When you are finished, click the Back button to return to the sites list.
          The options provided in the HTML Internet Service Manager mirror those of the MMC Internet Service Manager. The function and operation of each option is identical. To extend this, if you modify an option in the HTML Internet Service Manager, the change is reflected in the MMC Internet Service Manager, and vice versa.

          Getting Help

          The HTML Internet Service Manager has a direct link to online help facilities. In the upper-right corner of the browser screen, a small book icon is present. By clicking this icon, you open the IIS online documentation in a separate window, as shown in FIG. 19.35. Encourage your clients to use this as a reference to aid their configuration.

          FIG. 19.35

          IIS's online documentation is a wealth of information.

          Note
          At the time of this writing, HTML-based administration only functioned fully when using Microsoft Internet Explorer. This functionality should be extended to any frames- and JavaScript-capable browser by the release version.

          From Here

          This chapter has hopefully given you the information you need when investigating dynamic access provision. If you are not careful and fail to plan your dynamic access implementation, you may fall victim to considerable problems. When you are working with dynamic access, there are important considerations for your Web site. These chapters provide further information that will prove of use to you in this regard:

          • Chapter 20, "Security Issues: Firewalls and Data Security," explores the more heady concepts of securing your site and server. If you are expecting a lot of outside access, you'll want to keep your data safe by reading this chapter.
          • Chapter 21, "Advanced Security Concepts," continues the security discussion with more complex security information.
