IIS 6.0 Features

[May 2003]
IIS 6.0 Features
IIS 6.0 improves security and unlocks the metabase
By: Brett Hill
Feature
InstantDoc #38496
From the May 2003 edition of Windows IT Pro

In "IIS Overhauled in Version 6.0," April 2003, http://www.winnet
mag.com, InstantDoc ID 38285, I describe Microsoft Internet Information Services (IIS) 6.0 installation and the Web server's new architecture. IIS 6.0 also has a surprising number of new features. A handful of these features are so interesting that they capture nearly all the attention. In this second installment of my two-part look at IIS 6.0, I review a couple of these "stars" but also shine some light on a variety of IIS 6.0's lesser-known, but nevertheless significant, improvements.

Security
A peculiar thing happens at Microsoft from time to time. The company gets fed up with a problem in one of its products and solves it. For example, after releasing Windows NT 4.0, Microsoft was hammered with stability complaints. When the company released Windows 2000, the OS was praised for out-of-the-box stability. IIS 5.0, which is installed by default on Win2K servers, is a mammoth security risk until properly secured. IIS 6.0 isn't installed by default, and when you do install it, the Web server renders only static content. Thus, IIS 6.0 presents a much-reduced security risk, even if problems with IIS 6.0 application engines and components crop up later. Additionally, Windows Server 2003 has a new group policy: Prevent IIS installation. You can use this policy to prevent Windows 2003 from installing IIS 6.0 on servers in an Active Directory (AD) forest that aren't intended to be Web servers. The policy will help prevent rogue and possibly insecure IIS servers from popping up on the network. Note that this policy works only on Windows 2003 servers for the time being and won't prevent Windows XP Professional Edition or Win2K from installing IIS 5.0.

Of course, the fact that IIS 6.0 doesn't render dynamic content out of the box automatically creates the second most frequently asked question about IIS 6.0: "Why isn't my server delivering Active Server Pages (ASP)?" (As I mentioned in "IIS Overhauled in Version 6.0," the most frequently asked question is, "Can IIS 6.0 be installed on Win2K Server?" The answer is no.) To permit programs to run under IIS 6.0, you use a new feature named Web service extensions. (The name implies some kind of relationship with XML Web services, but no connection exists.)

To add or enable a Web service extension for a program, open IIS Manager (formerly Internet Services Manager—ISM); select Web Service Extensions, as Figure 1, page 70; shows, and click Add a new Web service extension to start a wizard that creates a new rule. Assign the rule a name, then navigate to the executable you want to allow. You can use the iisext.vbs script in \system32\inetsrv to manipulate Web service extension settings.

In Figure 1, notice the Web service extensions All Unknown ISAPI Extensions and All Unknown CGI Extensions. By default, these two entries are set to Prohibited, meaning that unless you specifically permit an application to run on IIS 6.0, it won't. If a user requests a file that isn't mapped to an enabled process, IIS 6.0 returns HTTP Error 404 File or directory not found to the user and records 404.2 Denied due to lockdown policy in the W3SVC log. The 404.2 and other substatus codes are available in IIS 6.0 as an option for the W3SVC log file to aid in troubleshooting. (Substatus codes exist in IIS 5.0 and Internet Information Server—IIS—4.0, but IIS doesn't record them in the W3SVC logs. You can route them to custom error pages for special processing.) The IIS 6.0 substatus codes are helpful because they provide details about the problem: for example, 403.18 Forbidden — Cannot execute request from this application pool; 403.20 Forbidden: Passport Login failed; and 404.3 Not Found - Denied due to MIMEMAP Policy. These and other errors are also mapped to a custom error page that doesn't reveal the substatus code to the user, so potential intruders can't exploit the information.

Another security enhancement is the ability to designate a Cryptographic Service Provider (CSP) that helps integrate hardware-based Secure Sockets Layer (SSL) accelerators with IIS 6.0. Moving the task of encryption from the server's general-purpose CPU to dedicated hardware optimized for this purpose can greatly improve performance. To designate a CSP, select the Select cryptographic service provider (CSP) for this certificate check box when you use the IIS Certificate Wizard to create a certificate request. You will then see a list of Available Providers from which you can choose. If you're using an encryption device, the vendor will provide the name of the appropriate CSP.

The Metabase
In IIS 6.0, Microsoft has abandoned the binary file structure of the IIS 5.0 and IIS 4.0 metabase that chained the metabase to the server on which it was created. The IIS 6.0 metabase consists of a pair of XML files: Metabase.xml contains the settings for the IIS 6.0 server, and mbschema.xml contains the metabase schema. A new feature in IIS Manager lets you save a copy of the metabase by right-clicking Web Sites and selecting All Tasks, Save Configuration to a File. You then provide a filename and path for the metabase backup. When you save the metabase in this way, IIS 6.0 uses the machine key of the system to encrypt some metabase parts. Consequently, the metabase backup is useful only on the machine that created the backup. However, you can also select the Encrypt configuration using password check box to encrypt the exported metabase file with a password that you provide. When you do so, IIS 6.0 substitutes the password you provide for the machine key and you can import the metabase file to another server by providing the same password. If you want to automate metabase backup, you can use the iisback.vbs and iiscnfg.vbs utilities in \windows\system32.

In some cases, you might want to save the configuration of an application pool, Web site, or virtual directory without saving the entire metabase. To do so, right-click the object whose configuration you want to save and again select All Tasks, Save Configuration to a File, as Figure 2 shows. If you plan to import the settings to another server, provide a password to encrypt the file.

Prev. page [1] 2 3 4 next page

You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

Thanks for your article, i have the same problem. Now I can do it. Thanks a lot.

HangPhucBinh- November 05, 2003

in the site ID generation section, the reg_dword value IncrementalSiteIDCreation is advised to set to 2. but only with a with 1 as value, it does what the section is explaining.

Jeroen Polman- November 23, 2003

ADS BY GOOGLE SPONSORED LINKS

Order Your SharePoint Fundamentals CD!: Learn how to uncover rich information management capabilities with this free SharePoint CD.

Try Idera’s new SQL admin toolset!: 24 essential desktop tools for managing SQL Server for $495.

Simplify your data management: Affordable multi-database query and design tool-- free trial!

Virtualization Congress Oct. 14-16: Don't miss Virtualization Congress, the premiere EMEA conference dedicated to hardware, OS and application virtualization. Oct. 14-16 in London.

FEATURED LINKS

Master SharePoint with 3 eLearning Seminars: Learn how to customize field types, create scheduled services, and go further with the Content Query Web Part with MVP Andrew Connell. Register today!

Microsoft BI Conference – Oct. 6-8: Discover best practices and gain product insight from Microsoft’s product experts in the 2nd annual event in Seattle.

Attention User Groups & User Group Leaders...: Announcing the eNews Generator—a FREE HTML e-newsletter builder for user group leaders. Build your HTML and text e-newsletters in minutes. And add Windows IT Pro & SQL Server Mag articles alongside your own message!.

Get SQL Server 2008 at SQL Connections: Don’t miss SQL Server Magazine Connections Conference, the premier event for Microsoft developers and DBAs, in Las Vegas, November 10-13. Every attendee will receive a copy of SQL Server 2008 Standard Edition with one CAL.

SQL Server Magazine Master CD: Take the Experts with You!: Find the solutions you need in thousands of searchable articles, helpful bonus content, and loads of expert advice with the SQL Server Magazine Master CD. Order comes with a 1-year subscription to the new, online articles posted every day!

	SQL Server Magazine Register Subscribe FAQ for Windows WinInfoNews
	Contact Us / Customer Service Editorial Calendar Media Kit Affiliates / Licensing Technical Resources Directory
	Windows IT Pro Office & SharePoint Pro Windows Dev Pro IT Library Connected Home Windows Excavator SuperSite IT Job Hound ITTV

	Copyright © 2008 Penton Media, Inc. All rights reserved. Terms and Use Privacy Statement Reprints and Licensing

Search

Reader Comments

Related Whitepapers

Related Events

Related eBooks

Related Essential Guides

Related Resources

vLabs Links

SQL Job Openings

ADS BY GOOGLE SPONSORED LINKS

FEATURED LINKS