APPENDIX A - FTP Rostock

Shared by: pengxuebo
Posted: 12/17/2012
APPENDIX A


Common Administrative Tasks

If you are already familiar with running Internet Information Services (IIS) 6.0 and need only a quick refresher to
perform an administrative task, or if you are learning how to use IIS and want to know the most common tasks that
follow an IIS installation, use this appendix as a quick reference. IIS 6.0 provides a wealth of tools and features,
many of which are outlined in this appendix, to help you create a strong and secure communications platform of
dynamic network applications.

      In This Appendix
                 •    Overview of Common Administrative Tasks
                 •    Important First Tasks in IIS 6.0
                 •    Tasks New to IIS 6.0
                 •    Security-Related Tasks
                 •    Tasks for Managing Servers and Applications
                 •    Tasks for Administering Servers

      Related Resources
                 •    For information about configuring Web sites as well as the FTP, NNTP, and SMTP services, see
                      “Configuring Internet Sites and Services” in this book.
                 •    For information about configuring IIS 6.0 programmatically, see “IIS 6.0 Administration Scripts,
                      Tips, and Tricks”.



Overview of Common Administrative Tasks
Although this appendix is a reference for the common tasks you frequently perform when administering IIS as
your Web server, most tasks in this appendix do not include guidelines for their use or detailed explanations. A
few tasks include brief conceptual information, although they are the exception. However, all topics include cross-
references to IIS Help topics, and to chapters and other appendices in this book so that you can quickly find
additional information on a task.
Table A.1 outlines the tasks that are included in this appendix.
Table A.1 Overview of the Tasks in This Appendix
Task Group                    Task                                              Describes How To
Important First Tasks in      Starting IIS Manager                              Open IIS Manager (provides three options).
IIS 6.0                       Starting and stopping services and sites          Start and stop IIS services and sites.
                              Enabling dynamic content services                 Enable dynamic content services, such as Active Server Pages and ASP.NET (includes information about default installations).
                              Creating a Web or FTP site                        Create Web site configurations, and install and use File Transfer Protocol (FTP) services.
                              Creating virtual directories                      Create virtual directories within Web and FTP sites.
Tasks New to IIS 6.0 (tasks   Creating and isolating applications               Create and manage applications.
that are new or significantly Creating application pools                        Group Web applications into application pools.
different than they were in   Configuring recycling                             Periodically restart worker processes assigned to an application pool.
IIS 5.0)                      Backing up and restoring metabase configurations  Save metabase and application configurations, including portable backups.
                              Saving and copying site configurations            Back up your site configurations.
Security-related Tasks        Setting authentication settings                   Set up and use user authentication methods.
                              Obtaining and backing up server certificates      Set up and use Secure Sockets Layer (SSL) certification on your sites.
                              Controlling access to applications                Help reduce the attack surface of your applications with permissions and restrictions.
Tasks for Managing Servers    Hosting multiple Web sites                        Create and host multiple Web sites.
and Applications              Redirecting Web sites                             Automatically direct users to the correct page on your site.
                              Assigning resources to applications               Control the amount of resources an application uses.
Tasks for Administering       Administering servers from the command line       Use powerful scripting and programming tools to access and configure settings.
Servers                       Administering servers remotely                    Use tools to remotely administer your sites.
When performing these tasks — especially security-related tasks — be sure that you are familiar with best practice
guidelines and that you apply those guidelines to these tasks.
To perform most of the tasks described in this appendix, you must be a member of the Administrators group on the
local computer, or you must be delegated the appropriate authority. If you log on to your computer as a member of
the Administrators group, you might make your system vulnerable to malicious programs that could cause security
risks. Instead, use the Run as feature to perform administrative tasks so that you do not need to log on to your
computer as a member of the Administrators group. Using this feature, you can open and execute a program that
uses a different account and security context than the one you logged on with.
You can use Run as through the user interface (UI) or as a command-line tool. The Run as feature that is built
into the UI is a shortcut that you access by right-clicking some programs (files with the .exe file name extension),
some Control Panel items (files with the .cpl file name extension), and Microsoft Management Console (MMC)
snap-ins (files with the .msc file name extension).
            To use the Run as feature to run IIS Manager as an administrator
                From the Start menu, point to Administrative Tools, right-click Internet Information Services
                 (IIS) Manager, and then click Run as.
The runas command provides the same capabilities as the built-in Run as feature.
            To use the runas command to run IIS Manager as an administrator
            1.   From the Start menu, click Run.
            2.   In the Open box, type cmd, and then click OK.
            3.   At the command prompt, type the following:
                 runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc"
            To use the runas command to run a command-line script as an administrator
            1.   From the Start menu, click Run.
            2.   In the Open box, type cmd, and then click OK.
            3.   At the command prompt, type the following:
                 runas /profile /User:MyMachine\Administrator cmd
                 A new command window, which has administrative rights, opens.
            4.   In the new command window, type the following at the command prompt:
                 cscript.exe ScriptName (including the full path with parameters, if any)
For more information about using the Run as feature or the runas command to perform procedures, see “Using
Run as,” “Runas,” and “Create a shortcut using the runas command” in Help and Support Center for
Microsoft® Windows® Server 2003.



Important First Tasks in IIS 6.0
After you install IIS, if you want to quickly build a few Web sites and virtual directories, this section introduces
the first steps for these basic tasks:
                 •    Starting IIS Manager. Learn three ways to open IIS Manager.
                 •    Starting and stopping services. Start and stop IIS services.
                 •    Enabling dynamic content. Enable Web service extensions, such as Active Server Pages (ASP)
                      and Microsoft® ASP.NET, so you can serve dynamic content. Includes information about default
                      installations.
                 •    Creating Web or FTP sites. Create Web site configurations, and install and use FTP services.
                 •    Creating virtual directories. Create virtual directories within Web and FTP sites.


Starting IIS Manager
IIS Manager is a graphical user interface (GUI) for configuring your application pools or your Web, FTP, Simple
Mail Transfer Protocol (SMTP), or Network News Transfer Protocol (NNTP) sites. You can use IIS Manager to
configure IIS security, performance, and reliability features. For example, you can add or delete sites; start, stop,
and pause sites; back up and restore server configurations; and create virtual directories for better content
management.
In earlier versions of IIS, this tool was called the Internet Service Manager.

                   Important
                   You must be a member of the Administrators group on the local
                   computer to perform the following procedure or procedures, or you must
                   have been delegated the appropriate authority. As a security best
                   practice, log on to your computer by using an account that is not in the
                   Administrators group, and then use the runas command to run IIS
                   Manager as an administrator. At a command prompt, type
                   runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".


            To start IIS Manager
                From the Start menu, point to All Programs, point to Administrative Tools, and then click
                 Internet Information Services (IIS) Manager.
            To start IIS Manager from the Run dialog box
            1.   From the Start menu, click Run.
            2.   In the Open box, type inetmgr, and click OK.
            To start IIS Manager from the Computer Management window
            1.   From the Start menu, right-click My Computer, and then click Manage.
            2.   In the console tree, expand the Services and Applications node.
            3.   In the console tree, click Internet Information Services (IIS) Manager. The names and statuses
                 of your sites, application pools, and Web service extensions appear in the details pane.
            4.   In the console tree, expand the Internet Information Services (IIS) Manager node and any site
                 nodes within it to see a list of directories and virtual directories for each site.
For more information about using IIS Manager to administer IIS, see the “Server Administration Guide” in IIS 6.0
Help, which you can access from IIS Manager. For more information about administering IIS remotely, see “How
to Administer the Server Remotely” in IIS 6.0 Help, which is accessible from IIS Manager.


Starting and Stopping Services and Sites
Infrequently, you might make configuration changes in IIS 6.0 that require you to restart IIS before the changes
can take effect. For example, if you change the application isolation mode in which your server is running, such as
when you change from worker process isolation mode to IIS 5.0 isolation mode or vice versa, you need to restart
IIS. If you make this configuration change by using IIS Manager, you are prompted to restart IIS after you click
OK to confirm the change. If you make this configuration change by using a command-line utility, such as
Adsutil.vbs, you can use the IISReset command-line utility to complete the change. Both methods — using the
Restart IIS command in IIS Manager or using a command-line utility — allow you to stop, start, and restart IIS
Internet services, as well as restart your computer.
When you restart the Internet service, all sessions connected to your Web server (including Internet, FTP, SMTP,
and NNTP) are dropped. Any data held in Web applications is lost. All Internet sites are unavailable until Internet
services are restarted. For this reason, avoid restarting, stopping, or rebooting your server.
For a list of features designed to improve IIS reliability and remedy the need to restart IIS, see the “Alternatives to
Restarting IIS” section in the “Restarting IIS” topic in IIS 6.0 Help, which is accessible from IIS Manager.
    Saving Your Configuration to Disk
As a safeguard, if you must stop or restart IIS, save your configuration to disk before you perform the restart. Your
configuration is automatically saved if you enable the edit-while-running feature (this feature is not enabled by
default). For more information about the edit-while-running feature, see “Writing the Metabase to Disk” in IIS 6.0
Help, which is accessible from IIS Manager.
Alternatively, you can manually save your configuration to disk by performing the following procedure.
            To manually save your configuration to disk
                In IIS Manager, right-click the local computer, point to All Tasks, and then click Save
                 Configuration to Disk.
    If You Receive an Error Stating That IISReset Is Disabled
If the IISReset command-line utility is disabled, then the command-line or IIS Manager calls that require
IISReset.exe fail and return an error stating that IISReset is disabled. Actions that fail include the Restart IIS
command in IIS Manager and Service Control Manager (SCM) recovery configuration actions that use the
IISReset command-line utility (for example, the default IIS Admin SCM recovery path). However, SCM recovery
actions that do not use the IISReset command-line utility continue to function (for example, the default World
Wide Web Publishing Service [WWW service] SCM recovery path that restarts the WWW service).
    Starting or Stopping IIS Services and Sites
            To restart, stop, or start IIS services
            1.   In IIS Manager, right-click the local computer, point to All Tasks, and then click Restart IIS.
            2.   In the What do you want IIS to do list, click the action that you want to perform, such as
                 Restart Internet Services on ComputerName.
                 You can also choose to restart the computer, stop the Internet service, or start the Internet service.
                 IIS attempts to stop all services before restarting.
            To start, stop, or pause individual sites
                In IIS Manager, right-click the site you want to start, stop, or pause; and then click Start, Stop, or
                 Pause.

                   Important
                   You must be a member of the Administrators group on the local
                   computer to run scripts and executables, or you must have been
                   delegated the appropriate authority. As a security best practice, log on to
                   your computer by using an account that is not in the Administrators
                   group, and then use the runas command to run your script or executable
                   as an administrator. At a command prompt, type runas /profile
                   /User:MyMachine\Administrator cmd to open a command window with
                   administrator rights and then type cscript.exe ScriptName (including the
                   full path with parameters, if any).


            To restart IIS by using the IISReset command-line utility
            1.   From the Start menu, click Run.
            2.   In the Open box, type cmd, and then click OK.
            3.   At the command prompt, type the following:
                 Iisreset /noforce ComputerName
                 If you are logged on locally, the ComputerName parameter is not required. If you are remotely
                 administering a server running IIS, the ComputerName parameter is the NetBIOS name of the
                 computer on which you want to restart IIS.

                         Important
                         Use the /noforce parameter to help prevent data loss in case the IIS
                         services cannot be stopped within the one minute time-out period. If you
                         are certain that it is safe to force IIS to restart, you can omit the /noforce
                         parameter. However, be aware that you could lose data if you do not
                         include this parameter.

            4.   IIS attempts to stop all services before restarting. The IISReset command-line utility waits up to
                 one minute for all services to stop if you do not include the /noforce parameter. If the services
                 cannot be stopped within one minute, all IIS services are terminated, and IIS restarts.
The iisreset command provides several additional parameters. For example, you can adjust the time-out value by
using the iisreset /timeout command. For more information about the parameters that are available with the
IISReset command-line utility, open a command-prompt window, and type iisreset /? at the command prompt.
For more information about starting and stopping services or using the IISReset command-line utility to restart
IIS, see “Restarting IIS” in IIS 6.0 Help, which is accessible from IIS Manager, and also see “IIS 6.0
Administration Scripts, Tips, and Tricks” in this book.
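
The restart procedure above as a batch file that combines the save-to-disk safeguard with iisreset /noforce (an added example, not part of the original appendix). The iiscnfg.vbs /save step, the /restart and /status switches, the 120-second time-out value, and the reliance on nonzero exit codes are assumptions that are not stated on this page.

```batch
@echo off
rem Added example: save the metabase to disk, then restart IIS on the local
rem computer without forcing termination of services that fail to stop.
rem Run it from a command window opened with runas, as described earlier.
rem Assumptions (not from this appendix): iiscnfg.vbs is in
rem %SystemRoot%\system32, both tools return a nonzero exit code on failure,
rem and TIMEOUT_SECS is an illustrative value.
setlocal
set TIMEOUT_SECS=120

rem Step 1: flush the in-memory metabase to disk before touching the services.
cscript //nologo "%SystemRoot%\system32\iiscnfg.vbs" /save
if errorlevel 1 goto save_failed

rem Step 2: restart with /noforce so that a service that cannot stop within
rem the time-out makes the restart fail instead of being terminated.
iisreset /restart /noforce /timeout:%TIMEOUT_SECS%
if errorlevel 1 goto restart_failed

rem Step 3: confirm that the Internet services are running again.
iisreset /status
endlocal
exit /b 0

:save_failed
echo Metabase save failed. IIS was not restarted.
endlocal
exit /b 1

:restart_failed
rem A failure here includes the case in which IISReset is disabled.
echo Restart did not complete. Current service state:
iisreset /status
endlocal
exit /b 2
```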


Enabling and Disabling Dynamic Content
To help reduce the attack surface of systems, IIS 6.0 is not installed by default on Microsoft®
Windows® Server 2003, Standard Edition; Microsoft® Windows® Server 2003, Enterprise Edition; and Microsoft®
Windows® Server 2003, Datacenter Edition. After installing these products, administrators must manually install
IIS 6.0.
When you perform a clean installation of IIS 6.0, the default settings help protect your system from malicious
users and attackers. When you install IIS 6.0, it is locked down — only request handling for static Web pages
(HTTP content, such as .htm and .html files) is enabled, and only the World Wide Web Publishing Service
(WWW service) is installed. The request handlers that process dynamic content are disabled, which means that
features like ASP, ASP.NET, server-side includes (SSI), FrontPage® 2002 Server Extensions from Microsoft, and
Web Distributed Authoring and Versioning (WebDAV) do not work by default.
You can configure the request handlers (for example, Internet Server API [ISAPI] extensions or Common
Gateway Interface [CGI] programs), which are called Web service extensions, by using the Web Service
Extensions node in IIS Manager or by using the command-line script Iisext.vbs, which is stored in the
systemroot\System32 folder. You can individually enable or disable a Web service extension if it is registered in
the Web Service Extensions node in IIS Manager.
            To enable or disable dynamic content
            1.   In IIS Manager, expand the local computer, and then click Web Service Extensions.
            2.   In the details pane, click the Web service extension that you want to enable or disable.
            3.   Do one of the following:
                 •    To enable a disabled Web service extension, click Allow.
                 •    To disable an enabled Web service extension, click Prohibit.
                 •    To view the properties of a Web service extension, click Properties.
For more information about using IIS Manager to administer dynamic content, including step-by-step
documentation for adding new Web service extensions, allowing an application to call a Web service extension, or
disabling all Web service extensions, see “Enabling and Disabling Dynamic Content” in IIS 6.0 Help, which is
accessible from IIS Manager.
For more information about using the Iisext.vbs command-line script to administer dynamic content, such as
enabling, disabling, or listing Web service extensions and their files, see “Managing Applications and Web Service
Extensions” in IIS 6.0 Help.


Enabling ASP Pages
Active Server Pages (ASP) is a server-side scripting environment that you can use to create dynamic and
interactive Web pages, and build powerful Web applications. When the server receives a request for an ASP file, it
processes server-side script code contained in the file to build the Hypertext Markup Language (HTML) Web page
that is sent to the browser. In addition to server-side script code, ASP files can contain HTML (including related
client-side scripts), as well as calls to Component Object Model (COM) components that perform a variety of
tasks, such as connecting to a database or processing business logic.
           To enable ASP pages
           1.   In IIS Manager, expand the local computer, and then click Web Service Extensions.
           2.   In the details pane, click Active Server Pages, and then click Allow.
If your Web applications require ISAPI, ASP, CGI, ASP.NET, WebDAV, or other extensions to operate, you must
enable those extensions also.
For more information about ASP, including an introduction to ASP concepts, see the “ASP” section in IIS 6.0
Help, which is accessible from IIS Manager. For information about creating ASP pages and developing Web
applications, see the “Web Application Guide” in IIS 6.0 Help.


Installing and Enabling ASP.NET
Microsoft ASP.NET is a unified Web development platform that provides the services necessary for developers to
build enterprise-class Web applications. Although ASP.NET is largely syntax compatible with ASP, it also
provides a new programming model and infrastructure for more secure, scalable, and stable applications. You can
augment your existing ASP applications by incrementally adding ASP.NET functionality to them.
ASP.NET is a compiled, .NET-based environment; you can author applications in any .NET compatible language,
including Microsoft® Visual Basic® .NET, Microsoft® Visual C#®, and Microsoft® JScript® .NET.
           To enable ASP.NET by using IIS Manager
           1.   In IIS Manager, expand the local computer, and then click Web Service Extensions.
           2.   In the details pane, click ASP.NET, and then click Allow.
           To install and enable ASP.NET on a server running Windows Server 2003
           1.   From the Start menu, click Manage Your Server.
           2.   In the Manage Your Server window, click Add or remove a role.
           3.   In the Configure Your Server Wizard, click Next.
           4.   In the Server Role dialog box, click Application server (IIS, ASP.NET), and then click Next.
           5.   In the Application Server Options dialog box, select the Enable ASP.NET check box, click
                Next, and then click Next again.
           6.   If necessary, insert your Windows Server 2003 operating system CD in the CD-ROM drive and
                then click Next.
           7.   When the installation is complete, click Finish.
If your applications require ISAPI, CGI, ASP, WebDAV, or other extensions to operate, you must enable those
extensions also. For more information about ASP.NET, see “ASP.NET” in IIS 6.0 Help, which is accessible from
IIS Manager.


Creating a Web Site or an FTP Site
IIS creates a default Web site on your computer during installation. You can use the
LocalDrive:\Inetpub\Wwwroot directory to publish your Web content, or you can create any directory or virtual
directory you choose. Because the FTP service is not installed by default, you must first install and start the File
Transfer Protocol (FTP) service to create an FTP site.
Creating a Web or FTP site by using IIS Manager does not create content but merely creates a directory structure
and configuration files from which to publish the content.
            To use the default Web site
            1.   In IIS Manager, expand the local computer, expand the Web Sites folder, right-click Default
                 Web Site, and then click Properties.
            2.   On the Web Site tab, under Web site description, type the name of your Web site in the
                 Description box.
            3.   Click OK. The name of the new site appears in IIS Manager.
            To create a new Web site
            1.   In IIS Manager, expand the local computer, right-click the Web Sites folder, point to New, and
                 then click Web Site. The Web Site Creation Wizard appears.
            2.   Click Next.
            3.   In the Description box, type the name of your site, and then click Next.
            4.   Type or click the IP address (the default is All Unassigned), TCP port, and host header (for
                 example, www.mysite.com) for your site, and then click Next.

                          Important
                          To help ensure that user requests reach the correct Web site, configure
                          a unique identity for each site on the server by distinguishing each Web
                          site with at least one of three unique identifiers: a host header name, an
                          IP address, or a TCP port number.
                          Using unique host header names is the preferred way to identify multiple
                          Web sites on a single server. For more information about choosing
                          unique identifiers, see “Hosting Multiple Web Sites on a Single Server”
                          and “Adding Web Sites to Your Server” in IIS 6.0 Help, which is
                          accessible from IIS Manager.

            5.   In the Path box, type or browse to the directory that contains, or will contain, the site content, and
                 then click Next.
            6.   Select the check boxes for the Web site access permissions you want to assign to your users, and
                 then click Next.
            7.   Click Finish.
To change these and other settings later, right-click the Web site, and click Properties.
            To install FTP services
            1.   From the Start menu, click Control Panel, and then double-click Add or Remove Programs.
            2.   Click Add/Remove Windows Components.
            3.   In the Components box, click Application Server, and then click Details.
            4.   In the Subcomponents of Application Server box, click Internet Information Services (IIS),
                 and then click Details.
            5.   In the Subcomponents of Internet Information Services (IIS) box, select the File Transfer
                 Protocol (FTP) Service check box.
            6.   Click OK twice.
            7.   If necessary, insert your Windows Server 2003 operating system CD in the CD-ROM drive and
                 then click Next. You might also be prompted for the network install path.
            8.   Click Finish.
When you install the FTP service, IIS creates a default FTP site at LocalDrive:\Inetpub\Ftproot. You can use that
site to publish your content, or you can create a new FTP site.
            To create a new FTP site
            1.   In IIS Manager, expand the local computer, right-click the FTP Sites folder, point to New, and
                 click FTP Site. The FTP Site Creation Wizard appears.
            2.   Click Next.
            3.   In the Description box, type the name of your site, and then click Next.
            4.   Type or click the IP address (the default is All Unassigned) and TCP port for your site, and then
                 click Next.
            5.   Click the user isolation option you want, and then click Next.
            6.   In the Path box, type or browse to the directory that contains or will contain shared content, and
                 click Next.
            7.   Select the check boxes for the FTP site access permissions you want to assign to your users, and
                 then click Next.
            8.   Click Finish.
You can use IIS Manager to change the site settings by right-clicking the FTP site and then clicking Properties.
For more information about configuring Web and FTP sites, see “Configuring Internet Sites and Services” in this
book, and also see “Web Site Setup” and “FTP Site Setup” in IIS 6.0 Help, which is accessible from IIS Manager.


Creating Virtual Directories
In most cases, the content you publish to your Web or FTP site is located in a root or home directory on your
computer, such as LocalDrive:\Inetpub\Wwwroot\. However, you might need to publish content that is located
elsewhere, such as on a remote computer.
To publish from a directory that is not contained within your home or root directory, you can create a virtual
directory. A virtual directory is a directory that is not contained in the home directory but appears to client
browsers as though it were.
            To create a virtual directory by using IIS Manager
            1.   In IIS Manager, expand the local computer, expand the Web site or FTP site to which you want to
                 add a virtual directory, right-click the site or folder within which you want to create the virtual
                 directory, point to New, and then click Virtual Directory. The Virtual Directory Creation
                 Wizard appears.
            2.   Click Next.
            3.   In the Alias box, type a name for the virtual directory. (Choose a short name that is easy to type
                 because the user types this name.)
            4.   Click Next.
            5.   In the Path box, type or browse to the physical directory in which the virtual directory resides,
                 and then click Next.
            6.   Under Allow the following permissions, select the check boxes for the access permissions you
                 want to assign to your users, and then click Next.
            7.   Click Finish.

                          Important
                          For security reasons, when selecting access permissions, consider
                          allowing only the default Read permission. By restricting permissions in
                          this way, you can help avoid attacks against your Web site by malicious
                          users. For more information about setting access permissions, see
                          “Securing Virtual Directories” and “Access Control” in Help and Support
                          Center for Windows Server 2003.

To locate the virtual directory that you just created, look in the console tree below the currently selected level.
If you are using the NTFS file system, you can also create a virtual directory by using Windows Explorer.
            To create a virtual directory by using Windows Explorer
            1.   In Windows Explorer, right-click the folder you want to be a virtual directory, and then click
                 Sharing and Security.
            2.   Click the Web Sharing tab, and then click Share this folder.
            3.   In the Alias box, type the name for the virtual directory.
            4.   Click OK twice.
            To create a Web virtual directory by using the Iisvdir.vbs script
            1.   From the Start menu, click Run.
            2.   In the Open box, type cmd, and then click OK.
            3.   At the command prompt, type the following:
                 cscript %SystemRoot%\system32\iisvdir.vbs /create SampleWebSite[/Path] VirtualDirectory drive:\path
                 Substitute values for SampleWebSite, VirtualDirectory, and drive:\path (the physical
                 directory), as appropriate.
For more information about creating Web virtual directories by using the Iisvdir.vbs command and its parameters,
type the following at the command prompt: iisvdir /create /?
            To create an FTP virtual directory by using the Iisftpdr.vbs script
            1.   From the Start menu, click Run.
            2.   In the Open box, type cmd, and then click OK.
            3.   At the command prompt, type the following:
                 cscript %SystemRoot%\system32\iisftpdr.vbs /create FTPSite[/Path] VirtualDirectory drive:\path
                 Substitute values for FTPSite, VirtualDirectory, and drive:\path (the physical
                 directory), as appropriate.
For more information about creating FTP virtual directories by using the Iisftpdr.vbs command and its parameters,
type the following at the command prompt: iisftpdr /create /?
For more information about creating a virtual directory, including alternate ways to create a Web or FTP virtual
directory, see “Using Virtual Directories” in IIS 6.0 Help, which is accessible from IIS Manager. For more
information about using command-line scripts to create Web or FTP virtual directories, see “Creating Web Virtual
Directories” or “Creating FTP Virtual Directories” in IIS 6.0 Help.
Tasks New to IIS 6.0
If you upgrade from an earlier version of IIS, you need to learn the tasks that are new to IIS 6.0. This section
introduces the basic tasks that are new, or significantly different, in IIS 6.0:
                •   Creating and isolating applications. Create and manage applications.
                •   Creating application pools. Group Web applications into application pools.
                •   Configuring recycling. Periodically restart worker processes assigned to an application pool.
                •   Backing up and restoring metabase configurations. Save metabase and application
                    configurations.
                •   Saving and copying site configurations. Copy site configurations for use on new sites.


Creating and Isolating Applications
To create an application, you designate a directory as the starting point (application root) for the application. You
can then set properties for the application. Each application can have a friendly name; this name appears in IIS
Manager and gives you a way to distinguish between applications.
Web sites are root-level applications by default. When you create a Web site, a default application is created at the
same time. You can use this root-level application, remove it, or replace it with a new application by removing it
and creating a new application.

                     Important
                     You must be a member of the Administrators group on the local
                     computer to perform the following procedure or procedures, or you must
                     have been delegated the appropriate authority. As a security best
                     practice, log on to your computer by using an account that is not in the
                     Administrators group, and then use the runas command to run IIS
                     Manager as an administrator. At a command prompt, type runas
                     /User:Administrative_AccountName "mmc
                     %systemroot%\system32\inetsrv\iis.msc".

To create an application
            1.   In IIS Manager, expand the local computer, right-click the directory that is the application starting
                 point, and then click Properties.
            2.   Click the Home Directory, Virtual Directory, or Directory tab.
            3.   In the Application settings section, click Create.
                 Note that if you see the Remove button instead of the Create button, an application has already
                 been created.
            4.   In the Application name box, type a name for your application.
            5.   In the Execute Permissions list box, set permissions by doing one of the following:
                      •   Click None to prevent any programs or scripts from running.
                      •   Click Scripts only to enable applications mapped to a script engine to run in this directory
                          without having permissions set for executables. Setting permissions to Scripts only is more
                          restrictive than setting them to Scripts and Executables because you can limit the
                          applications that can be run in the directory.
                      •   Click Scripts and Executables to allow any application to run in this directory, including
                          applications mapped to script engines and Microsoft® Windows® binaries (.dll and .exe file
                          name extensions).
            6.   Click OK.
To isolate an application means that you configure it to run in a process (memory space) separate from the Web
server and other applications. You can run IIS 6.0 in one of two application isolation modes: worker process
isolation mode or IIS 5.0 isolation mode. IIS cannot run both application isolation modes simultaneously on the
same computer. If you have applications that require different modes, you must run them on separate computers.
Worker process isolation mode is the default application isolation mode that the server runs in on a clean
installation. In this mode, you can isolate an application by adding it to an application pool that includes isolation
settings. For more information about creating and configuring application pools, see “Configuring Application
Pools” in IIS 6.0 Help, and also see “Running IIS 6.0 as an Application Server” in this book.

                     Tip
                     Before you isolate an application, verify in which application isolation
                     mode the computer is running. You can determine the application
                     isolation mode in which IIS is running by the presence (worker process
                     isolation mode) or absence (IIS 5.0 isolation mode) of the Application
                     Pools folder.

To isolate an application in worker process isolation mode
            1.   In IIS Manager, expand the local computer, expand the Web Sites folder, right-click the
                 application you want to isolate, and then click Properties.
            2.   Click the Home Directory, Virtual Directory, or Directory tab (depending on the application).
            3.   In the Application settings section, in the Application pool list box, click an application pool.
            4.   Click Apply, and then click OK.
IIS 5.0 isolation mode is provided for applications that depend on specific features and behaviors of IIS 5.0. Use
this mode only if an application has a compatibility issue when it runs in worker process isolation mode and you
cannot resolve the problem.
            To isolate an application in IIS 5.0 isolation mode
            1.   In IIS Manager, expand the local computer, expand the Web Sites folder, right-click the
                 application you want to isolate, and click Properties.
            2.   Click the Home Directory, Virtual Directory, or Directory tab (depending on the application).
                 If you are in the directory listed as the Starting Point directory, the Application name box is
                 already filled in.
            3.   In the Application protection list box, click the appropriate process option.
            4.   Click OK.
                 The Web server finishes processing any current requests for the application before creating a
                 separate process. At the next request for the application, the application runs in the appropriate
                 memory space.
For more information about creating and isolating applications, including guidelines for when to use each isolation
mode, see “Running IIS 6.0 as an Application Server” in this book. Also see “Creating Applications” and “Web
Application Isolation” in IIS 6.0 Help, which is accessible from IIS Manager.
Creating Application Pools
When you run IIS 6.0 in worker process isolation mode, you can group Web applications into application pools.
An application pool is a grouping of URLs routed to one or more worker processes that share the same
configuration. Application pools allow you to apply specific configuration settings to groups of applications and
the worker processes servicing those applications. Any Web site, Web directory or virtual directory can be
assigned to an application pool.
By creating new application pools and assigning Web sites and applications to them, you can make your server
more efficient and reliable. In addition, your other applications are always available, even when the applications in
the new application pool terminate.
            To create a new application pool
            1.   In IIS Manager, expand the local computer, right-click Application Pools, point to New, and then
                 click Application Pool.
            2.   In the Application pool ID box, type the name of the new application pool.
            3.   Under Application pool settings, click either Use default settings for new application pool or
                 Use existing application pool as template.
            4.   If you selected Use existing application pool as template from the Application pool name list
                 box, click the application pool to be used as a template.
            5.   Click OK.
For more information about creating application pools and configuring worker processes, see “Running IIS 6.0 as
an Application Server” in this book. Also see “Configuring Application Pools” and “Configuring Application Pool
Identity” in IIS 6.0 Help, which is accessible from IIS Manager.


Configuring Recycling
In worker process isolation mode, you can configure IIS to periodically restart the worker processes that are
assigned to an application pool in order to manage faulty Web applications. Recycling keeps problematic
applications running smoothly, especially when it is not practical to modify the application code. Recycling
ensures that application pools remain healthy and that system resources are recovered.
You can configure worker processes to restart based on one of several options, including elapsed time, number of
requests served, scheduled times, and memory usage; or you can configure worker processes to start on demand. In
IIS 6.0, worker process recycling is available only when IIS is running in worker process isolation mode.
            To set a worker process to recycle after a specified elapsed time
            1.   In IIS Manager, expand the local computer, expand Application Pools, right-click the application
                 pool, and click Properties.
            2.   On the Recycling tab, select the Recycle worker processes (in minutes) check box.
            3.   Click the up or down arrow to set the number of minutes you want to elapse before the worker
                 process is recycled.
            4.   Click OK.
            To configure a worker process to recycle after a set number of processing requests
            1.   In IIS Manager, expand the local computer, expand Application Pools, right-click the application
                 pool, and then click Properties.
            2.   On the Recycling tab, select the Recycle worker process (number of requests) check box.
            3.   Click the up or down arrow to set the number of requests to be processed before the worker
                 process recycles.
            4.   Click OK.
            To configure a worker process to recycle at scheduled times
            1.   In IIS Manager, expand the local computer, expand Application Pools, right-click the application
                 pool, and click Properties.
            2.   On the Recycling tab, select the Recycle worker processes at the following times check box.
            3.   Do one of the following:
                    •   Click Add to add a recycle time to the list.
                    •   Click Remove to delete a recycle time from the list.
                    •   Click Edit to change an existing time at which the worker process is recycled.
            4.   Click OK.
When recycling is set to occur at scheduled times, it can occur off-schedule if you alter the system time. To avoid
unintended changes in scheduled recycling times, recycle the scheduled worker processes right after you change
the system time.
            To configure a worker process to recycle after it consumes a specified amount of memory
            1.   In IIS Manager, expand the local computer, expand Application Pools, right-click the application
                 pool, and click Properties.
            2.   On the Recycling tab, under Memory recycling, select the Maximum virtual memory (in
                 megabytes) or Maximum used memory (in megabytes) check box.
            3.   Click the up or down arrow to set memory limits.
            4.   Click OK.
For more information about recycling worker processes, see “Running IIS 6.0 as an Application Server” in this
book and also see “Recycling Worker Processes” in IIS 6.0 Help, which is accessible from IIS Manager.


Backing Up and Restoring the Metabase
Metabase backup files provide a way to restore your metabase configuration and schema data if your metabase
becomes corrupted. You can create backup files by using IIS Manager or an administration script. The backup files
are copies of the metabase configuration file (MetaBase.xml) and the matching metabase schema file
(MBSchema.xml). Use the metabase configuration backup and restore feature to restore the metabase from backup
files.
You can create two types of metabase backups:
                •   Portable backups. When you create a portable backup, you provide a password that is used by
                    IIS to encrypt the backup files. IIS encrypts the password and stores it in the header of the backup
                    file. Only the administrator password and secure properties within the backup files are encrypted;
                    all other information within the backup files is plaintext. After the backup file is encrypted, you
                    cannot change the password of the backup file.
                •   Non-portable backups. When you create a non-portable backup, you do not supply a password.
                    Therefore, IIS encrypts non-portable backup files with a blank password, which allows any
                    member of the Administrators group to restore the metabase by using non-portable backup files.
                    Only the blank password and secure properties are encrypted; all other information within the
                    backup file is plaintext.
You can restore a metabase backup to the computer on which the backup was made or to a different computer that
is running Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition;
Windows® Server 2003, Datacenter Edition; or Windows® Server 2003, Web Edition. However, before you
restore a metabase backup from one computer to another, you must first delete the machine-specific information
from the metabase file. For more information about restoring a metabase backup to a different computer, see
“Machine-Specific and System-Specific Information” in IIS 6.0 Help, which is accessible from IIS Manager.
Before you create a backup of the metabase, consider the following:
                •   A non-portable backup can only be restored to the computer on which the backup was made.
                •   The metabase is locked while the backup is in progress.
                •   Backup files contain only configuration data; they do not include your content.
To back up your content, use the Windows Backup feature. For more information about Windows Backup, see
“Backing up and Restoring Data” in Help and Support Center for Windows Server 2003.
            To create a portable backup (password required)
            1.   In IIS Manager, right-click the local computer, point to All Tasks, and click Backup/Restore
                 Configuration.
            2.   Click Create Backup.
            3.   In the Configuration backup name box, type a name for the backup file.
            4.   Select the Encrypt backup using password check box, type a password into the Password box,
                 and then type the same password in the Confirm password box.
            5.   Click OK, and then click Close.
            To create a non-portable backup (password not required)
            1.   In IIS Manager, right-click the local computer, point to All Tasks, and click Backup/Restore
                 Configuration.
            2.   Click Create Backup.
            3.   In the Configuration backup name box, type a name for the backup file.
            4.   Click OK, and click Close.
            To restore the metabase backup
            1.   In IIS Manager, right-click the local computer, point to All Tasks, and click Backup/Restore
                 Configuration.
            2.   In the Backups list box, click a backup version that you previously created, or select an
                 Automatic Backup file (IIS periodically creates these), and then click Restore. If prompted for a
                 password, type the password that you used to make the backup portable.
            3.   When a confirmation message appears, click Yes.
            4.   Click OK, and then click Close.
For more information about backing up and restoring the metabase, see “Working with the Metabase” in this book,
and “Backing Up and Restoring the Metabase” in IIS 6.0 Help, which is accessible from IIS Manager.


Saving and Copying Site Configurations
After your site and applications are running the way you want, you can save all or part of the configurations for a
backup copy, or for import and export to other sites or computers. You can use the following procedure to save site
configurations for Web or FTP sites, as well as Web or FTP virtual directories.
IIS automatically makes a backup copy of the metabase configuration and schema files each time you make
changes to the metabase. Backup files contain only configuration data; they do not include your content (.asp files,
.htm files, .dll files, and so on). You can also create backup files on demand, or create backup copies of individual
site or application configurations and then export and import them to and from other sites or computers.
For more information about backing up the metabase, including step-by-step procedures, see “Backing Up and
Restoring the Metabase” earlier in this appendix.
            To save a site or application configuration
            1.   In IIS Manager, right-click the site or application you want to back up, point to All Tasks, and
                 click Save Configuration to a File.
            2.   In the File name box, type a file name.
            3.   In the Path box, type or browse to the location where you want to save the file.
            4.   To make the configuration that you are saving portable, select the Encrypt backup using
                 password check box, type a password in the Password box, and then type the same password in
                 the Confirm password box.
            5.   Click OK.
For more information about importing and exporting site and application configurations, see “Managing IIS
Configurations” in IIS 6.0 Help.



Security-Related Tasks
IIS 6.0 and Windows Server 2003 provide several ways to help secure your application servers and their content.
This section provides information about the following security-related topics:
                •   Setting Web site authentication. Set up Web site authentication for your Web sites.
                •   Setting FTP site authentication. Set up FTP site authentication to validate users who request
                    access to your FTP sites.
                •   Obtaining and backing up server certificates. Set up Secure Sockets Layer (SSL) certification
                    on your sites. SSL certificates enable Web servers and users to authenticate each other before
                    establishing a connection.
                •   Controlling access to applications. Reduce the attack surface of your applications with
                    permissions and restrictions; control which users and computers are allowed to access your Web
                    server and its resources.
Before you do any of these security-related tasks, be sure that you are familiar with best practice guidelines and
that you apply those guidelines to these tasks. If you are new to using IIS or if you are unfamiliar with any of the
following security-related tasks, be sure to read the cross-references to additional information that are provided in
this section.


Setting Web Site Authentication
You can require users to provide a valid Windows user account name and password before they access any
information on your server. This identification process is called authentication. Authentication, like many of the
features in IIS, can be set at the Web site, directory, or file level.
This section contains step-by-step procedures for configuring Web site authentication. For information about
configuring FTP sites, see “Setting FTP Site Authentication” later in this appendix.
To set Web authentication, choose from the following authentication methods:
                •   Anonymous authentication. This authentication method gives users access to the public areas of
                    your Web site without prompting them for a user name or password.
                •   Basic authentication. This authentication method requires a previously assigned Windows
                    account user name and password, also known as credentials.
                •   Digest authentication. This authentication method offers the same functionality as Basic
                    authentication, while providing an additional level of security because the user's credentials are
                    not sent over the network in plaintext.
                •   Advanced Digest authentication. This authentication method offers similar functionality to
                    Digest authentication; however, it collects user credentials and stores them on the domain controller
                    as an MD5 hash, or message digest. Advantages of this authentication are that the worker process
                    does not need to run as local system and the user password is not stored as plaintext on the domain
                    controller. This authentication method requires a Windows Server 2003 domain controller
                    infrastructure.
                •   Integrated Windows authentication. This authentication method collects information through a
                    method where the user name and password are hashed before being sent across the network.
                •   Certificate authentication. This authentication method adds SSL security through client or server
                    certificates. For information about this type of authentication, see “Obtaining and Backing Up
                    Server Certificates” later in this appendix.
                •   .NET Passport authentication. This authentication method provides a single sign-in service that
                    is HTTP cookie-based.


Configuring Anonymous Authentication
Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting users
for a user name or password. When a user attempts to connect to your public Web or FTP site, your Web server
assigns the connection to the Windows user account IUSR_computername, where computername is the name of
the computer on which IIS is running. By default, the IUSR_computername account is included in the Users and
Guests user groups.

                  Important
                  You must be a member of the Administrators group on the local
                  computer to perform the following procedure or procedures, or you must
                  have been delegated the appropriate authority. As a security best
                  practice, log on to your computer by using an account that is not in the
                  Administrators group, and then use the runas command to run IIS
                  Manager as an administrator. At a command prompt, type runas
                  /User:Administrative_AccountName "mmc
                  %systemroot%\system32\inetsrv\iis.msc".


           To enable Anonymous authentication
           1.   In IIS Manager, expand the local computer, right-click a site, directory, or file, and then click
                Properties.
           2.   Depending on the security setting level that you are changing, click either the Directory Security
                or the File Security tab.
           3.   In the Authentication and access control section, click Edit.
           4.   Select the Enable anonymous access check box.
           5.   Click OK twice.
           To change the account used for Anonymous authentication
           1.   In IIS Manager, expand the local computer, double-click a site, directory, or file, and then click
                Properties.
           2.   Depending on the security setting level that you are changing, click the Directory Security or the
                File Security tab.
           3.   In the Authentication and access control section, click Edit.
           4.   Select the Enable anonymous access check box.
           5.   Click Browse and type or browse to the valid Windows user account that you want to use for
                anonymous access.
                Before you can change the account, you must create the user account; IIS does not create the
                account for you.
           6.   Click OK three times.
For more information about configuring Anonymous authentication, see “Anonymous Authentication” in IIS 6.0
Help, which is accessible from IIS Manager.


Configuring Basic Authentication
The Basic authentication method transmits user names and passwords across the network in an unencrypted form.
You need to use SSL, in combination with Basic authentication, to encrypt user account information that is
transmitted across the network.
Configuration settings made at the Web Sites folder level can be inherited by all Web sites unless you specify
otherwise at the individual Web site level. Enabling Basic authentication does not automatically configure your
Web server to authenticate users. You must also create Windows user accounts and set NTFS permissions.
           To enable Basic authentication
           1.   In IIS Manager, right-click the Web Sites folder, Web site, directory, virtual directory, or file, and
                click Properties.
           2.   Depending on the security setting level that you are configuring, click either the Directory
                Security or File Security tab.
           3.   In the Authentication and access control section, click Edit.
           4.   In the Authenticated access section, select the Basic authentication check box.
           5.   Because Basic authentication sends passwords over the network unencrypted, a dialog box
                appears asking if you want to proceed. Click Yes to proceed.
           6.   In the Default domain box, do either of the following:
                   •   Type the domain name you want to use.
                   •   Click Select to browse to a new default logon domain.
                    If the Default domain box is filled in, the name is used as the default domain. If the Default
                    domain box is left empty, IIS uses the domain of the computer that is running IIS as the
                    default domain. IIS configures the value of the DefaultLogonDomain property, which
                    determines the default domain that is used to authenticate clients who access your IIS server
                    by using Basic authentication. However, the domain specified by the DefaultLogonDomain
                    property is used only when a client does not specify a domain in the logon dialog box that
                    appears on the client computer.

                        Note
                        Optionally, you can enter a value in the Realm box, which configures the
                        value of the Realm property. If the Realm property is set, its value
                        appears on the client's logon dialog box when Basic authentication is
                        used. The value of the Realm property is sent to the client for
                        informational purposes only and is not used to authenticate clients that
                        use Basic authentication.

           7.   Click OK twice.
For more information about configuring Basic authentication, see “Basic Authentication” in IIS 6.0 Help, which is
accessible from IIS Manager.
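The following added example (not part of the original appendix and not IIS code) shows why Basic authentication needs SSL: the header is only base64-encoded, so anyone who can read the request recovers the credentials. It also models the DefaultLogonDomain rule from step 6. The function names, the DOMAIN\user split, and the sample values CONTOSO, SALES, and WEB01 are assumptions made for illustration.

```python
import base64


def make_basic_header(username, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(header_value):
    """Recover (username, password) from an Authorization header value.

    No key is involved: base64 is an encoding, not encryption.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic authorization header")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError as exc:  # covers bad base64 and bad UTF-8
        raise ValueError("malformed Basic credentials") from exc
    # Only the first ':' separates the fields; a password may contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return username, password


def resolve_logon_domain(username, default_logon_domain, server_domain):
    """Model of the rule in step 6 (assumed DOMAIN\\user client syntax).

    - A domain typed by the client always wins.
    - Otherwise DefaultLogonDomain is used.
    - If DefaultLogonDomain is empty, the domain of the computer that is
      running IIS is used.
    """
    if "\\" in username:
        domain, account = username.split("\\", 1)
        if domain:
            return domain, account
        username = account  # leading backslash: no domain was supplied
    return (default_logon_domain or server_domain), username


def demo():
    """Decode two constructed headers and resolve the logon domain for each."""
    results = []
    for user in ("CONTOSO\\alice", "bob"):  # constructed sample accounts
        header = make_basic_header(user, "pw:with:colon")
        name, password = parse_basic_header(header)
        domain, account = resolve_logon_domain(name, "SALES", "WEB01")
        results.append((domain, account, password))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because the password comes back intact from the header alone, the SSL requirement described above is what protects the credentials in transit.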

Configuring Digest Authentication
Digest authentication offers the same functionality as Basic authentication; however, Digest authentication
provides a means to help ensure that user credentials are not sent across the network in plaintext. Digest
authentication transmits credentials across the network as an MD5 hash, or message digest, where the original user
name and password cannot be deciphered from the hash. Digest authentication is available to WebDAV
directories.
Digest authentication is enabled by default for upgrades from an earlier version of IIS. If you need to enable Digest
authentication on a server running IIS 6.0, do the following:
            1.   Enable Digest authentication for Windows domain servers.
            2.   Configure the realm name.
            To enable Digest authentication for Windows domain servers
            1.   In IIS Manager, right-click the Web Sites folder, Web site, directory, virtual directory, or file, and
                 then click Properties.

                          Note
                          Configuration settings made at the Web Sites folder level are inherited by
                          all Web sites unless you specify otherwise at the individual Web site
                          level.

            2.   Depending on the security settings level that you are configuring, click the Directory Security or
                 File Security tab.
            3.   In the Anonymous access and authentication control section, click Edit.
            4.   In the Authenticated access section, select the Digest authentication for Windows domain
                 servers check box.
            5.   In the Realm box, type the realm name, or click Select to browse for a domain.
            6.   Click OK twice.
If Basic authentication is enabled for the site, virtual directory, or folder that you are configuring, the Default
domain box is also available. However, only Realm is meaningful to Digest authentication.
    Configuring the Realm Name
In addition to using IIS Manager to enable Digest authentication on a Windows domain server, you can use
scripting to configure the realm name at any level of the metabase, as shown in Table A.2.
If a child key in the metabase is not configured with a realm name, that child key inherits the realm name from the
next parent key that has the realm name configured. If the realm name is not configured, IIS sends its own
computer name as the realm name. If IIS sends its own name as the realm name and IIS is not running on a
Windows Server 2003 domain controller with Active Directory® directory service, Digest authentication fails. As
a best practice, avoid running IIS on a domain controller; whenever possible, physically separate a server that is
running IIS from a domain controller.
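The following added example (not part of the original appendix and not IIS code) models the realm inheritance rule just described and shows why the realm matters: under RFC 2617 the realm is hashed into the client's MD5 response, so a different effective realm produces a different digest. The metabase contents, the computer name WEB01, the case-insensitive key matching, and all function names are assumptions; the credentials and nonce are the sample exchange from RFC 2617.

```python
import hashlib


def md5_hex(text):
    """Hex MD5 of a string, as used throughout Digest authentication."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def effective_realm(configured, key, computer_name):
    """Return the realm that applies to a metabase key.

    Walks from the key toward W3SVC and returns the first realm found on
    the key itself or on a parent. If no level has a realm configured,
    falls back to the computer name, as the text describes.
    Keys are compared case-insensitively (an assumption of this model).
    """
    realms = {k.strip("/").lower(): v for k, v in configured.items()}
    parts = key.strip("/").lower().split("/")
    while parts:
        realm = realms.get("/".join(parts))
        if realm:
            return realm
        parts.pop()  # move up to the parent key
    return computer_name


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request digest for qop=auth."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # realm is part of HA1
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Constructed metabase contents: a realm at the service level and an
# override on one virtual directory of site 1.
CONFIGURED = {
    "W3SVC": "CONTOSO",
    "W3SVC/1/Root/Secure": "testrealm@host.com",
}

# Sample exchange from RFC 2617, section 3.5.
SAMPLE = dict(
    username="Mufasa",
    password="Circle Of Life",
    method="GET",
    uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc="00000001",
    cnonce="0a4f113b",
)


def response_for_key(key, configured=CONFIGURED, computer_name="WEB01"):
    """Resolve the realm for a key, then compute the matching response."""
    realm = effective_realm(configured, key, computer_name)
    return realm, digest_response(realm=realm, **SAMPLE)


if __name__ == "__main__":
    for key in ("W3SVC/1/Root/Secure/docs", "W3SVC/2/Root"):
        print(key, response_for_key(key))
    # With nothing configured, the computer name becomes the realm.
    print(response_for_key("W3SVC/1/Root", configured={}))
```

The same user and password yield a different response under each realm, so a realm the domain controller cannot match causes the logon to fail.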
Table A.2 Configuring the Realm Name at Any Level of the Metabase
             Metabase Level                       Description
             W3SVC                                The W3SVC level, also known as the
                                                  IISWebService level, is the highest level in the
                                                  metabase where Digest authentication can be
                                                  configured. Lower levels that do not have
                                                  specific configuration settings inherit
                                                  configurations set at this level.
             W3SVC/n                              The W3SVC/n level, also known as the
                                                  IISWebService level, is a specific Web site,
                                                  where n is the number of the site. Sites are
                                                  numbered starting at 1. The default Web site
                                                  is 1.
             W3SVC/n/root                         The W3SVC/n/Root level, known as the
                                                  IISWebVirtualDir level, is the starting point for a
                                                  Web Site, where n is the number of the site.
             W3SVC/n/root/vdir                    The W3SVC/n/Root/WebVirtualDir level, known
                                                  as the IISWebVirtualDir level, is a virtual
                                                  directory within a Web Site, where n is the
                                                  number of the site.
             W3SVC/n/root/vdir/webdir             The W3SVC/n/Root/WebVirtualDir/WebDir level,
                                                  also known as the IISWebDirectory level, is a
                                                  physical directory within a virtual directory
                                                  within a Web site, where n is the number of the
                                                  site.
             W3SVC/n/root/vdir/file               The W3SVC/n/Root/Vdir/file level is an
                                                  individual file within the
                                                  W3SVC/n/Root/WebVirtualDir level, where n is
                                                  the number of the site.
             W3SVC/n/root/vdir/webdir/file        The W3SVC/n/Root/Vdir/file level is an
                                                  individual file within the
                                                  W3SVC/n/Root/WebVirtualDir/WebDir level,
                                                  where n is the number of the site.

You can configure either single or multiple realm names on a server running IIS. You might want to configure
multiple realm names if the domains do not have a trusted relationship. If you configure multiple realm names, you
must configure them at different levels of the metabase.
For more information about Digest authentication, see “Digest Authentication” in IIS 6.0 Help, which is accessible
from IIS Manager.


Configuring Advanced Digest Authentication
Under Advanced Digest authentication, user credentials are stored on the domain controller as an MD5 hash.
Because credentials are stored in Active Directory as an MD5 hash, user passwords cannot be discovered by
anyone with access to the domain controller, not even by the domain administrator. Advanced Digest
authentication is available to WebDAV directories.
In IIS 6.0, Advanced Digest authentication is preferred over Digest authentication; however, you can use Digest
authentication where your systems do not meet the requirements for Advanced Digest authentication.
Advanced Digest authentication is enabled by default on a clean installation of IIS 6.0. If you need to enable
Advanced Digest authentication on a server running IIS 6.0, do the following:
            1.   Enable Digest authentication for Windows domain servers.
            2.   Configure the realm name.
            3.   Set the UseDigestSSP metabase property to TRUE.
                  Important
                  If you perform the two procedures that precede this note but do not
                  configure the UseDigestSSP metabase key, you are using Digest
                  authentication, not Advanced Digest authentication.


    Enabling Digest authentication and Configuring the Realm Name
For step-by-step instructions to enable Digest authentication for Windows domain servers and configure the realm
name, see “Configuring Digest Authentication” earlier in this appendix.

    Setting the UseDigestSSP Metabase Property
Advanced Digest authentication uses a metabase key called UseDigestSSP. This metabase key is a switch between
Digest and Advanced Digest Security Support Provider Interface (SSPI) code.
After you set the key, the only valid property values are 1 (TRUE), 0 (FALSE), or empty. If you set the property to
TRUE, IIS uses the new SSPI code for Advanced Digest authentication. In all other cases (FALSE, empty, or not
set), IIS uses the Digest authentication code.
You can configure the UseDigestSSP metabase property at the W3SVC level of the metabase. A child key inherits
its configuration from the level above it.
For more information about Advanced Digest authentication, see “Advanced Digest Authentication” in IIS 6.0
Help, which is accessible from IIS Manager.
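The following Python sketch is an added example, not part of the original appendix and not IIS code. It models the inheritance rules described above for the Realm and UseDigestSSP properties and reports which keys would end up with plain Digest authentication or with the computer name as the realm. The metabase contents, the computer name WEB01, and all function names are constructed for illustration.

```python
# Added illustration: models the Realm / UseDigestSSP inheritance rules in
# this appendix. It does not read a real metabase; all data is constructed.

# Constructed sample: metabase key -> properties set explicitly at that key.
SAMPLE_METABASE = {
    "W3SVC": {"UseDigestSSP": 1},
    "W3SVC/1": {"Realm": "corp.example.com"},
    "W3SVC/1/root/partners": {"Realm": "partners.example.net"},
    "W3SVC/2": {},  # no realm configured anywhere on this site's path
}


def key_chain(path):
    """Return the key and its parents, nearest first: a/b/c, a/b, a."""
    parts = path.strip("/").lower().split("/")
    return ["/".join(parts[:end]) for end in range(len(parts), 0, -1)]


def nearest_setting(metabase, path, prop):
    """Return (value, key) from the closest key that sets prop, else (None, None)."""
    # Keys are compared case-insensitively (an assumption of this model;
    # the appendix itself writes both W3SVC/n/root and W3SVC/n/Root).
    index = {k.strip("/").lower(): v for k, v in metabase.items()}
    for key in key_chain(path):
        if prop in index.get(key, {}):
            return index[key][prop], key
    return None, None


def effective_digest_config(metabase, path, computer_name, on_domain_controller=False):
    """Resolve what IIS would use for Digest authentication at `path`."""
    findings = []
    realm, source = nearest_setting(metabase, path, "Realm")
    if not realm:
        # No realm on the path: IIS sends its own computer name as the realm.
        realm, source = computer_name, "computer name"
        if not on_domain_controller:
            findings.append("realm not configured: Digest authentication fails")

    flag, _ = nearest_setting(metabase, path, "UseDigestSSP")
    # Only 1 (TRUE) selects Advanced Digest; 0, empty, or not set means Digest.
    advanced = str(flag).strip().upper() in ("1", "TRUE")
    if not advanced:
        findings.append("UseDigestSSP is not TRUE: Digest, not Advanced Digest")

    return {
        "realm": realm,
        "realm_source": source,
        "mode": "Advanced Digest" if advanced else "Digest",
        "findings": findings,
    }


def audit(metabase, paths, computer_name, on_domain_controller=False):
    """Resolve every path and keep only those with findings."""
    report = {}
    for path in paths:
        result = effective_digest_config(metabase, path, computer_name, on_domain_controller)
        if result["findings"]:
            report[path] = result
    return report


if __name__ == "__main__":
    for p in ("W3SVC/1/root/docs/page.htm", "W3SVC/1/Root/partners/file.htm", "W3SVC/2/root"):
        print(p, effective_digest_config(SAMPLE_METABASE, p, "WEB01"))
```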


Configuring Integrated Windows Authentication
Integrated Windows authentication (formerly called NTLM, and also referred to as Windows NT
Challenge/Response authentication) is a form of authentication that hashes the user name and password before
they are sent across the network. When you enable Integrated Windows authentication, the client submits the
password through a cryptographic exchange with your Web server that involves hashing. Integrated Windows
authentication is the default authentication method used in Windows Server 2003.
Integrated Windows authentication has the following limitations:
               Only Microsoft® Internet Explorer version 2.0 and later support this authentication method.
               This authentication method might not work over HTTP proxy connections.
Therefore, Integrated Windows authentication is best suited for an intranet environment, where both user and Web
server computers are in the same domain and where administrators can ensure that every user has Internet Explorer
version 2.0 or later.
           To enable Integrated Windows authentication
           1.   In IIS Manager, right-click the Web Sites folder, Web site, directory, virtual directory, or file, and
                then click Properties.

                        Note
                        Configuration settings made at the Web Sites folder level are inherited
                        by all Web sites unless you specify otherwise at the individual Web site
                        level.

           2.   Depending on the security settings level that you are configuring, click the Directory Security or
                the File Security tab.
           3.   In the Authentication and access control section, click Edit.
           4.   In the Authenticated access section, select the Integrated Windows Authentication check box.
           5.   Click OK twice.
For more information about configuring Integrated Windows authentication, see “Integrated Windows
Authentication” in IIS 6.0 Help, which is accessible from IIS Manager.


Enabling .NET Passport Authentication
You can enable Microsoft® .NET Passport authentication on a Web site by using IIS Manager. When
.NET Passport is enabled, requests coming into IIS must contain .NET Passport credentials on either the query
string or within a cookie. The credentials also have to be valid, meaning the ticket has not expired. If IIS does not
detect .NET Passport credentials, requests are redirected to the .NET Passport sign-in page.
.NET Passport uses cookies, which contain information that can be compromised. However, you can use
.NET Passport authentication over an SSL connection, which reduces the potential of replay attacks.
            To enable .NET Passport authentication on a Web site
            1.   In IIS Manager, expand the local computer, expand the Web Sites folder, right-click the Web site
                 on which you want to enable .NET Passport authentication, and then click Properties.
            2.   Click the Directory Security tab.
            3.   In the Authentication and access control section, click Edit.
            4.   In the Authenticated access section, select the .NET Passport Authentication check box.
                 You cannot use .NET Passport authentication with other authentication methods because
                 .NET Passport validates user credentials in a fundamentally different way. Hence, when you select
                 .NET Passport authentication, all other authentication methods are unavailable.
            5.   Click OK.
For information about configuring .NET Passport authentication, see “.NET Passport Authentication” in IIS 6.0
Help.


Setting FTP Site Authentication
Based on your security requirements, you can select an IIS authentication method to validate users who request
access to your FTP sites. To set FTP site authentication, choose from the following authentication methods:
                Anonymous FTP authentication. This authentication method gives users access to the public
                 areas of your FTP site without prompting them for a user name or password.
                Basic FTP authentication. This authentication method requires users to log on with a user name
                 and password corresponding to a valid Windows user account.
You cannot use Digest or Integrated Windows authentication with FTP sites, and you must set available
authentication settings at the site level for FTP sites.

    Enabling Anonymous FTP Authentication
You can configure your FTP server to allow anonymous access to FTP resources. If you select Anonymous FTP
authentication for a resource, all requests for that resource are accepted without prompting the user for a user name
or password. This is possible because IIS automatically creates a Windows user account called
IUSR_computername, where computername is the name of the server on which IIS is running. This is very similar
to Web-based Anonymous authentication. If Anonymous FTP authentication is enabled, IIS always tries to use it
first, even if you enable Basic FTP authentication.
            To enable Anonymous FTP authentication
            1.   If the IUSR_computername account is not used for Anonymous FTP authentication, you must
                 create a Windows user account appropriate for the authentication method and add the account to a
                 Windows user group.
           2.   Configure NTFS permissions for the directory or files for which you want to control access by
                using the user account you selected in step 1.
           3.   In IIS Manager, right-click the FTP site, directory, virtual directory, or file, and then click
                Properties.
           4.   Click the Security Accounts tab.
           5.   Select the Allow anonymous connections check box.
           6.   To allow your users to gain access by Anonymous authentication only, select the Allow only
                anonymous connections check box.
           7.   In the User name and Password boxes, enter the anonymous logon user name and password you
                want to use. The user name is the name of the anonymous user account, which is typically
                designated as IUSR_computername.
           8.   Click OK.
           9.   Set the appropriate NTFS permissions for the anonymous account.

                  Important
                  If you change the security settings for your FTP site or virtual directory,
                  your FTP server prompts you for permission to reset the security settings
                  for the child keys of that site or directory. If you choose to accept these
                  settings, the child keys inherit the security settings from the parent site or
                  directory.

For more information about creating Windows user accounts, see “Securing Files with NTFS” in IIS 6.0 Help,
which is accessible from IIS Manager. For more information about setting NTFS permissions, see “Setting NTFS
Permissions for Directories or Files” in IIS 6.0 Help.

    Enabling Basic FTP Authentication
To establish an FTP connection with your Web server by using Basic FTP authentication, users must log on with a
user name and password corresponding to a valid Windows user account. If the FTP server cannot verify a user's
identity, the server returns an error message. Basic FTP authentication transmits the user name and password
across the network in an unencrypted form.
           To enable Basic FTP authentication
           1.   Create a Windows user account appropriate for the authentication method. If appropriate, add the
                account to a Windows user group.
           2.   Configure NTFS permissions for the directory or file for which you want to control access.
           3.   In IIS Manager, right-click the FTP site, directory, virtual directory, or file, and then click
                Properties.
           4.   Click the Security Accounts tab.
           5.   Clear the Allow anonymous connections check box.
           6.   Click OK.
           7.   Set the appropriate NTFS permissions for the account.

                  Important
                  If you change the security settings for your FTP site or virtual directory,
                  your FTP server prompts you for permission to reset the security settings
                  for the child keys of that site or directory. If you choose to accept these
                  settings, the child keys inherit the security settings from the parent site or
                  directory.
For more information about setting Basic FTP site authentication, see “FTP Site Authentication” in IIS 6.0 Help,
which is accessible from IIS Manager.


Obtaining and Backing Up Server Certificates
Server certificates contain information used in establishing identities over a network, which is a process called
authentication. Similar to conventional forms of identification, certificates enable Web servers and users to
authenticate each other before establishing an SSL connection.
Server certificates contain information about the server that allows the client to positively identify the server
before sharing sensitive information. Client certificates contain personal information about the clients requesting
access to your site that allow you to positively identify them before allowing them access to the site.
Certificates include keys used in establishing an SSL secure connection. A key is a unique value used to
authenticate the server and the client in establishing an SSL connection. A public key and a private key form an
SSL key pair. Your Web server uses this key pair to negotiate a secure connection with the user's Web browser to
determine the level of encryption required for securing communications.
For more information about obtaining client certificates, see “Obtaining Client Certificates” in IIS 6.0 Help, which
is accessible from IIS Manager.
You can obtain a server certificate in one of two ways: issue your own server certificate or obtain a server
certificate from a certification authority.
            Issue your own server certificate
To request and install your own server certificate, use the Web Server Certificate Wizard to create a customizable
service for issuing and managing certificates. You can create server certificates for the Internet or for corporate
intranets, giving your organization complete control over certificate management policies.
            Obtain a server certificate from a certification authority
To obtain a server certificate from a certification authority, follow these steps:
            1.   Do either of the following:
                      Find a certification authority that provides services that meet your business needs and request
                       a server certificate.
                      –Or–
                      Use the Web Server Certificate Wizard to create a certificate request that you can send to the
                       certification authority.
            2.   After the certificate is processed and returned to you, use the Web Server Certificate Wizard to
                 install the certificate.

                     Important
                     To help safeguard the certificate and your private and public keys,
                     always back them up and keep the backup copy in a safe place.


            To obtain a new server certificate by using the Web Server Certificate Wizard
            1.   In IIS Manager, expand the local computer, expand the Web Sites folder, right-click the Web site
                 or file for which you want to obtain a certificate, and then click Properties.
            2.   Depending on the resource for which you are requesting a certificate, click the Directory
                 Security or File Security tab.
            3.   Under Secure communications, click Server Certificate.
                 The Web Server Certificate Wizard appears.
           4.   Click Next.
           5.   Accept the default option, which is Create a new certificate, and then click Next.
           6.   Follow the instructions in the Web Server Certificate Wizard, which guides you through the
                process of requesting a new server certificate.
           To install a server certificate by using the Web Server Certificate Wizard
           1.   In IIS Manager, expand the local computer, expand the Web Sites folder, right-click the Web site
                or file for which you want to install a certificate, and then click Properties.
           2.   Depending on the resource for which you are installing a certificate, click the Directory Security
                or File Security tab.
           3.   Under Secure communications, click Server Certificate.
                The Web Server Certificate Wizard appears.
           4.   Click Next.
           5.   Accept the default option, which is Assign an existing certificate, and then click Next.
                The Web Server Certificate Wizard describes this step as assigning a certificate to a resource
                (such as a file, directory, or site), not as installing.
           6.   Follow the instructions in the Web Server Certificate Wizard, which guides you through the
                process of installing a server certificate.
           To create a backup copy of your server certificate and private key
           1.   Locate the correct certificate store. This is typically the Local Computer store in Certificate
                Manager.
                If you do not have Certificate Manager installed in MMC, install it by following the steps outlined
                in the next procedure.
           2.   Right-click the certificate in the Personal store, point to All Tasks, and then click Export.
           3.   Select the Yes, export the private key check box.
                When you install a certificate, you can mark it as non-exportable during import. In
                such cases, the option to export the private key does not appear when you try to create a backup
                copy of the certificate, which prevents you from creating the backup.
           4.   Follow the wizard default settings, and enter a password for the certificate backup file when
                prompted.
                Do not select the Delete the private key if export is successful check box, because doing so
                disables your current server certificate.
           5.   Complete the wizard to export a backup copy of your server certificate.
If you already have Certificate Manager installed in MMC, it points to the correct Local Computer certificate
store.
           To add Certificate Manager to MMC
           1.   From the Start menu, click Run.
           2.   In the Open box, type mmc, and then click OK. The Microsoft Management Console appears.
           3.   In the File menu, click Add/Remove Snap-in.
           4.   On the Standalone tab, click Add.
           5.   From the Available Standalone Snap-ins list box, click Certificates, and then click Add.
           6.   Click the Computer account option, and then click Next.
            7.   Click the Local computer: (the computer this console is running on) option, and then click
                 Finish.
            8.   Click Close, and then click OK.
For more information about SSL certificates, including how to obtain, install, and back up server certificates, see
“Certificates” in IIS 6.0 Help, which is accessible from IIS Manager. For more information about Microsoft
Certificate Services, see “Certificate Services” in Help and Support Center for Windows Server 2003.


Controlling Access to Applications
You can control which users and computers are allowed to access your Web server and its resources. You can use
both the NTFS file system and Web server security features to assign users specific permissions to directories and
files. You can also use IP address restrictions to limit access by specific computers or groups of computers.
                Securing your files with NTFS permissions. With the NTFS file system, you can limit access to
                 your Web server's files and directories. You can configure the file and directory permissions that
                 set the access level assigned to a particular user account or user group. For example, you can
                 configure your Web server to enable a specific user to view and execute a file, while excluding all
                 other users from accessing that file.
                Securing your Web site with Web permissions. Web permissions, unlike NTFS permissions,
                 apply to all users accessing your Web sites. NTFS permissions apply only to a specific user or
                 group of users with a valid Windows account. NTFS controls access to physical directories on
                 your server, whereas Web permissions control access to virtual directories on your Web site.
                Restricting access to your Web site by using IP addresses. With IP address restrictions, you
                 can configure your Web server to grant or deny specific computers, groups of computers, or
                 domains access to Web sites, directories, or files. For example, if your intranet server is connected
                 to the Internet, you can prevent Internet users from accessing your Web server by assigning access
                 only to members of your intranet, and explicitly denying access to outside users.


Securing Your Files with NTFS Permissions
You can control access to your Web site's directories and files by setting NTFS access permissions. You can use
NTFS permissions to define the level of access that you want to assign to specific users and groups of users.
Correct configuration of file and directory permissions is crucial for preventing unauthorized access to your
resources.
            To secure a Web site by using NTFS permissions
            1.   In IIS Manager, expand the local computer, right-click a Web site or file, and then click
                 Permissions.
            2.   Do one of the following, as shown in Table A.3:
                 Table A.3 Options for Securing a Web Site by Using NTFS Permissions
                  Task                                     Procedure
                  Add a group or user that does not        1. Click Add.
                  appear in the Group or user names        2. In the Enter the object name to
                  list box.                                   select box, type the name of the
                                                              user or group, and then click OK.
                  Change or remove permissions from        In the Group or user names list box,
                  an existing group or user.               click the name of the group or user.

            3.   To allow or deny a permission, in the Permissions for User or Group list box, select the Allow or
                 Deny check box.
Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry.
Explicit permissions take precedence over inherited permissions, including inherited Deny permissions.
With NTFS permissions, you also have the choice of assigning special permissions to groups or users. Special
permissions are permissions on a more detailed level. For better management, assign broad-level permissions to
users or groups, where it is applicable. For descriptions of permissions, see “Permissions for Files or Folders” in
Help and Support Center for Windows Server 2003.


Securing Your Web Site with Web Permissions
You can also use Web permissions to help secure your Web site. When you configure your Web site's access
permissions for specific sites, directories, and files, keep in mind the following:
                Web permissions are not meant to be used in place of NTFS permissions; instead, use Web
                 permissions with NTFS permissions.
                 Although you can use Web permissions with both the NTFS and FAT file systems, use NTFS
                 whenever possible.
                Unlike NTFS permissions, Web permissions affect everyone who tries to access your Web site.
                Disabling permissions restricts all users. For example, disabling the Read permission restricts all
                 users from viewing a file, regardless of the NTFS permissions applied to those users' accounts.
                 However, enabling the Read permission can allow all users to view that file, unless NTFS
                 permissions that restrict access have also been applied.
                If Web permissions conflict with NTFS permissions for a directory or file, the more restrictive
                 settings are applied. For example, if you set both IIS and NTFS permissions, the permissions that
                 explicitly deny access take precedence over permissions that grant access.
                If you want to set permissions for a WebDAV directory, keep in mind the following:
                    You must enable WebDAV before you can publish in a WebDAV directory.
                    You must turn off Anonymous access to your WebDAV directory. Protect your WebDAV
                     directory by using one of the authentication methods in IIS 6.0, such as Integrated
                     Windows authentication, and the discretionary access control lists (DACLs) in NTFS. For more
                     information about WebDAV security, see “Managing WebDAV Security” in IIS 6.0 Help,
                     which is accessible from IIS Manager.
            To set permissions for Web content (including WebDAV)
            1.   In IIS Manager, right-click a Web site, virtual directory, or file, and then click Properties.
            2.   Depending on the permissions that you are assigning, click the Home Directory, Virtual
                 Directory, or File tab.
            3.   Select or clear any of the following check boxes (if available):
                    Read. Users can view directory or file content and properties (default selection).
                    Write. Users can change directory or file content and properties.
                    Script source access. Users can access source files. If Read is selected, the source can be
                     read; if Write is selected, the source can be written to. Script source access includes the
                     source code for scripts. This option is not available if neither Read nor Write is selected.

                              Important
                              When you select Script source access, users might be able to view
                              sensitive information, such as a user name and password. They might
                              also be able to change source code that runs on your server, and
                              significantly affect your server configuration and performance.
                    Directory browsing. Users can view file lists and collections.
                    Log visits. A log entry is created for each visit to the Web site.
                    Index this resource. Allows Indexing Service to index this resource. This allows searches to
                     be performed on the resource.
            4.   In the Execute Permissions list box, select the appropriate level of script execution:
                    None. Do not run scripts or executables on the server.
                    Scripts only. Run only scripts on the server.
                    Scripts and Executables. Run both scripts and executables on the server.
            5.   Click OK.
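
The following Python sketch is an added example, not part of the original appendix and not IIS or Windows code. It combines two rules stated in the preceding sections: explicit NTFS entries take precedence over inherited ones (including inherited Deny), and when Web permissions and NTFS permissions conflict, the more restrictive setting applies. It assumes each access control entry carries a single right and that entries are evaluated in the order explicit Deny, explicit Allow, inherited Deny, inherited Allow; all account names, groups, and entries are constructed.

```python
# Added illustration: combines the NTFS precedence rule and the
# "more restrictive setting wins" rule described in this appendix.
# Account names, groups and ACL entries below are constructed sample data.
from collections import namedtuple

# One access control entry, simplified to a single right per entry.
Ace = namedtuple("Ace", "principal kind right inherited")

# Constructed ACL for one file under a Web site's home directory.
SAMPLE_ACL = [
    Ace("Contractors", "deny", "read", inherited=True),
    Ace("Users", "allow", "read", inherited=True),
    Ace("alice", "allow", "read", inherited=False),
    Ace("Authors", "allow", "write", inherited=False),
]

# Constructed accounts: each maps to the account name plus its groups.
SAMPLE_USERS = {
    "alice": {"alice", "Contractors", "Users"},
    "bob": {"bob", "Contractors", "Users"},
    "carol": {"carol", "Users", "Authors"},
}


def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.kind != "deny"))


def ntfs_allows(acl, identities, right):
    """The first entry matching the user or one of the user's groups decides."""
    for ace in canonical_order(acl):
        if ace.right == right and ace.principal in identities:
            return ace.kind == "allow"
    return False  # no matching entry: the right is not granted


def effective_access(web_permissions, acl, identities, right):
    """A request succeeds only if the Web permission AND NTFS both allow it."""
    web_ok = right in web_permissions
    ntfs_ok = ntfs_allows(acl, identities, right)
    if web_ok and ntfs_ok:
        reason = "allowed by Web permissions and NTFS"
    elif not web_ok:
        reason = "Web permission '%s' is disabled for all users" % right
    else:
        reason = "NTFS does not grant '%s' to this account" % right
    return {"allowed": web_ok and ntfs_ok, "web": web_ok, "ntfs": ntfs_ok, "reason": reason}


def access_matrix(web_permissions, acl, users, rights):
    """Return {(user, right): allowed} for every user and right."""
    return {
        (name, right): effective_access(web_permissions, acl, ids, right)["allowed"]
        for name, ids in users.items()
        for right in rights
    }


if __name__ == "__main__":
    # Read is enabled on the site, Write is not.
    for key, allowed in sorted(access_matrix({"read"}, SAMPLE_ACL, SAMPLE_USERS, ["read", "write"]).items()):
        print(key, "allowed" if allowed else "denied")
```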

Restricting Access to Your Web Site by Using IP Addresses
You can configure your Web site to grant or deny specific computers, groups of computers, or domains access to
Web sites, directories, or files. For example, if your intranet server is connected to the Internet, you can prevent
Internet users from accessing your Web server by assigning access only to members of your intranet, and explicitly
denying access to outside users.
IP address restrictions apply only to Internet Protocol version 4 (IPv4) addresses.
            To grant or deny access to a computer
            1.   In IIS Manager, expand the local computer, right-click a Web site, directory, or file, and then click
                 Properties.
            2.   Depending on the resource for which you are granting or denying access, click the Directory
                 Security or File Security tab.
            3.   Under IP address and domain name restrictions, click Edit.
            4.   Click either Granted access or Denied access.
                 If you select Denied access, you deny access to all computers and domains, except those to which
                 you specifically grant access. If you select Granted access, you grant access to all computers and
                 domains, except those to which you specifically deny access.
            5.   Click Add, and then click Single computer.
            6.   Click DNS Lookup to search for computers or domains by name, rather than by IP address.
            7.   Type the Domain Name System (DNS) name for the computer. IIS searches on the current domain
                 for the computer, and if found, enters its IP address in the IP address box.
                 The following information is important to remember when using the DNS Lookup feature:
                    It causes a performance decrease on your server while it is looking up DNS addresses.
                    A user accessing your Web server through a proxy server appears to have the IP address of
                     the proxy server.
                    Some user server access problems can be corrected by entering the "*.domainname.com"
                     syntax, rather than the "domainname.com" syntax.
            8.   Click OK three times.
            To grant or deny access to a domain
            1.   In IIS Manager, expand the local computer, right-click a Web site, directory, or file, and click
                 Properties.
            2.   Depending on the resource for which you are granting or denying access, click the Directory
                 Security or File Security tab.
            3.    Under IP address and domain name restrictions, click Edit.
            4.    Do one of the following:
                       Click Granted access. When you select Granted access, you grant access to all computers
                        and domains, except to those that you specifically deny access.
                       –or–
                       Click Denied access. When you select Denied access, you deny access to all computers and
                        domains, except to those that you specifically grant access.
            5.    Click Add.
            6.    Click Domain name.
            7.    In the Domain name box, type the domain name.
            8.    Click OK three times.
For more information about granting or denying access to computers or to groups of computers, see “Securing
Sites with IP Address Restrictions” in IIS 6.0 Help, which is accessible from IIS Manager.
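The following Python sketch is an added example, not code from IIS or from this book. It models how the Granted access or Denied access default combines with the exception list, and why the proxy and DNS Lookup notes above matter. The entry tuples, the group (network ID and subnet mask) entry, the wildcard matching rule, and the reverse-lookup table are assumptions of the sketch; all addresses and names are constructed.

```python
import ipaddress

def _matches(entry, client_ip, client_name):
    """True when one exception-list entry covers the connecting client."""
    kind, value = entry
    if kind == "computer":    # "Single computer": one IP address
        return client_ip == ipaddress.ip_address(value)
    if kind == "group":       # group of computers, written network ID/subnet mask
        return client_ip in ipaddress.ip_network(value)
    if kind == "domain":      # "Domain name": compared with the reverse-lookup name
        if client_name is None:
            return False      # no reverse DNS record, so there is nothing to compare
        name, rule = client_name.lower().rstrip("."), value.lower()
        if rule.startswith("*."):
            return name.endswith(rule[1:])   # assumed rule: any host below the domain
        return name == rule                  # assumed rule: that exact name only
    raise ValueError(f"unknown entry type: {kind!r}")

def is_allowed(default, exceptions, connecting_ip, reverse_dns):
    """default is "granted" or "denied"; a matching exception flips it.

    connecting_ip is the address that opened the connection. For a user
    behind a proxy server that is the proxy's address, not the user's.
    """
    if default not in ("granted", "denied"):
        raise ValueError(f"unknown default: {default!r}")
    ip = ipaddress.ip_address(connecting_ip)
    name = reverse_dns.get(connecting_ip)     # None when the lookup finds nothing
    hit = any(_matches(entry, ip, name) for entry in exceptions)
    return (default == "granted") != hit

# Constructed sample data (documentation address ranges, made-up names).
REVERSE_DNS = {
    "198.51.100.4": "host4.blocked.example",
    "192.0.2.80": "proxy.isp.example",
}
INTRANET_ONLY = [("group", "192.168.0.0/255.255.255.0"), ("computer", "10.1.2.3")]
BLOCK_DOMAIN = [("domain", "*.blocked.example")]
BLOCK_BARE = [("domain", "blocked.example")]

if __name__ == "__main__":
    cases = [
        ("denied", INTRANET_ONLY, "192.168.0.25"),   # inside the granted group
        ("denied", INTRANET_ONLY, "203.0.113.7"),    # not listed, default applies
        ("granted", BLOCK_DOMAIN, "198.51.100.4"),   # name resolves into the domain
        ("granted", BLOCK_DOMAIN, "198.51.100.9"),   # no reverse record: not matched
        ("granted", BLOCK_DOMAIN, "192.0.2.80"),     # evaluated as the proxy itself
        ("granted", BLOCK_BARE, "198.51.100.4"),     # bare name misses host4.*
    ]
    for default, rules, ip in cases:
        print(default, rules, ip, "->", is_allowed(default, rules, ip, REVERSE_DNS))
```

In this model a domain entry can only be as reliable as the reverse lookup behind it, so Denied access with explicit IP address grants is the stricter configuration.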



Tasks for Managing Servers and
Applications
Use the following tasks to manage your servers and applications:
                 Using host header names to host multiple Web sites. Create and host multiple Web sites.
                 Redirecting Web sites. Automatically direct users to the correct page on your site.
                 Assigning resources to applications. Control the amount of resources an application uses.


Using Host Header Names to Host Multiple
Web Sites
IIS supports multiple Web sites on a single server. To create and host multiple Web sites, you must configure a
unique identity for each site on the server. To assign a unique identity, distinguish each Web site with at least one
of three unique identifiers: a host header name, an IP address, or a TCP port number.
One method for providing each site with a unique identifier is to use IIS Manager to assign multiple host header
names. Browsers must comply with HTTP 1.1 to support the use of host header names. Microsoft® Internet
Explorer 3.0, Netscape Navigator 2.0, and later versions of both browsers support host header names.

                      Important
                      Avoid assigning a host header name to the Default Web Site; instead,
                      use an IP address of All Unassigned, a TCP port of 80, and no host
                      header name.

Table A.4 briefly describes and compares the three ways that you can uniquely identify your Web sites.
Table A.4 Ways You Can Uniquely Identify Multiple Web Sites
                Web Site Identifier                                 Description
             Host header name           Recommended for most situations. Requires that your
                                        computer or network use a name resolution system.
                                      Organizations typically use DNS name resolution.
             Unique IP Address        Used primarily for Internet services that host SSL on the
                                      local server. Typically, only large corporations and
                                      Internet service providers (ISPs) obtain and maintain
                                      multiple IP addresses.
             Nonstandard TCP          Generally not recommended. Can be used for private Web
             port number              site development and testing purposes but rarely used on
                                      production Web servers because users must add the port
                                      to the URL and the port must be opened on the firewall.

Choose one method of uniquely identifying Web sites for each server. Using one method for each server improves
performance by optimizing cache and routing lookups. Conversely, using any combination of host headers, unique
IP addresses, or non-standard port numbers to identify multiple Web sites degrades the performance of all Web
sites on the server.
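The following Python sketch is an added example, not part of IIS or of this book. It checks a planned set of site identities against the guidance above: unique identities, the recommended identity for the Default Web Site, one identification method per server, and no nonstandard ports. The dictionary layout, the finding codes, and the way a method is judged to be "in use" are assumptions of the sketch; the site plans are constructed.

```python
ALL_UNASSIGNED = ""                 # stands for the "All Unassigned" IP address setting
DEFAULT_SITE = "Default Web Site"

def lint_site_identities(sites):
    """Return a list of (code, site name or None, message) findings.

    Each site is a dict with name, ip, port and host. An empty host means
    that no host header name is assigned.
    """
    findings = []
    seen = {}
    for site in sites:
        # Host header names are compared without regard to case.
        identity = (site["ip"], site["port"], site["host"].lower())
        if identity in seen:
            findings.append(("duplicate-identity", site["name"],
                             f"same IP address, port and host header as {seen[identity]}"))
        else:
            seen[identity] = site["name"]
        if site["name"] == DEFAULT_SITE and identity != (ALL_UNASSIGNED, 80, ""):
            findings.append(("default-site-identity", site["name"],
                             "use All Unassigned, TCP port 80 and no host header name"))
        if site["port"] != 80:
            findings.append(("nonstandard-port", site["name"],
                             f"port {site['port']} must be typed in the URL and opened on the firewall"))

    # A method counts as "in use" when sites actually differ by it.
    methods = []
    if any(site["host"] for site in sites):
        methods.append("host header name")
    if len({site["ip"] for site in sites if site["ip"] != ALL_UNASSIGNED}) > 1:
        methods.append("unique IP address")
    if len({site["port"] for site in sites}) > 1:
        methods.append("TCP port number")
    if len(methods) > 1:
        findings.append(("mixed-methods", None,
                         "sites are distinguished by " + ", ".join(methods)))
    return findings

# Constructed plans. GOOD_PLAN follows the guidance; BAD_PLAN breaks each rule once.
GOOD_PLAN = [
    {"name": DEFAULT_SITE, "ip": ALL_UNASSIGNED, "port": 80, "host": ""},
    {"name": "Example1", "ip": "192.168.0.100", "port": 80, "host": "www.example1.com"},
    {"name": "Example2", "ip": "192.168.0.100", "port": 80, "host": "www.example2.com"},
]
BAD_PLAN = [
    {"name": DEFAULT_SITE, "ip": ALL_UNASSIGNED, "port": 80, "host": "www.example1.com"},
    {"name": "Example1", "ip": "192.168.0.100", "port": 80, "host": "www.example1.com"},
    {"name": "Example1 copy", "ip": "192.168.0.100", "port": 80, "host": "WWW.EXAMPLE1.COM"},
    {"name": "Dev", "ip": "192.168.0.101", "port": 8080, "host": ""},
]

if __name__ == "__main__":
    for code, name, message in lint_site_identities(BAD_PLAN):
        print(f"{code:22} {name or '(server)':18} {message}")
```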
If you use host header names to identify a new Web site, select a unique name as follows:
                On the Internet. The host header must be a publicly available DNS name, such as
                 support.microsoft.com. Register a public DNS name with an authorized Internet name authority.
                 For more information about using DNS names to identify your site, see “Domain Name
                 Resolution” in IIS 6.0 Help, which is accessible from IIS Manager.
                On a private network. The host header can be an intranet site name. To resolve host names to an
                 IP address, register the host header name with your intranet’s DNS administrator. Alternatively,
                 you can resolve host names to an IP address by using a locally stored database file called the
                 Hosts file, which is located in the systemroot\System32\Drivers\Etc folder. The following is an
                 example of the contents of a Hosts file:
                 # Table of IP addresses and host names
                 #
                 # IP Address     TCP Port   Host Header Name
                 #
                 192.168.0.100    80         www.example1.com
                 192.168.0.100    80         example1.com

Use Windows Explorer to create a home directory for your Web site content. Create subdirectories to store HTML
pages, image files, and other content as needed. To organize home directories for multiple Web sites on the same
server, you can create a top-level directory for storing all home directories, and then create subdirectories for each
site.

                   Important
                   You must be a member of the Administrators group on the local
                   computer to perform the following procedure or procedures, or you must
                   have been delegated the appropriate authority. As a security best
                   practice, log on to your computer by using an account that is not in the
                   Administrators group, and then use the runas command to run IIS
                   Manager as an administrator. At a command prompt, type runas
                   /User:Administrative_AccountName "mmc
                   %systemroot%\system32\inetsrv\iis.msc".


            To assign multiple host header names to a single Web site
            1.   In IIS Manager, expand the local computer, click the Web Sites folder, right-click the Web site
                 for which you want to assign a host header name, and then click Properties.
            2.   Click the Web Site tab.
            3.   In the IP Address list, select the IP address that you want assigned to this Web site.
            4.   Click Advanced.
            5.   Under Multiple identities for this Web Site, select the IP address, and then click Edit.
            6.   In the Host Header Value box, type the host header name (for example, www.example1.com).
            7.   Click OK twice.
For more information about using host header names to host multiple Web sites, see “Hosting Multiple Web Sites
on a Single Server” in IIS 6.0 Help, which is accessible from IIS Manager. Also see article 324287, “Use Host
Header Names to Configure Multiple Web Sites in Internet Information Services 6.0” in the Microsoft Knowledge
Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.


Redirecting Web Sites
When a browser requests a page or program on your Web site, the Web server locates the page identified by the
URL and returns it to the browser. When you move a page on your Web site, you cannot always correct all the
links that refer to the old URL. To make sure that browsers can find the page at the new URL, you can instruct the
Web server to redirect the browser to the new URL.
You can redirect requests for files in one directory to a different directory, to a different Web site, or to another file
in a different directory. When the browser requests the file at the original URL, the Web server instructs the
browser to go to the new URL.
            To redirect requests to another Web site or directory
            1.   In IIS Manager, expand the local computer, right-click the Web site or directory you want to
                 redirect, and click Properties.
            2.   Depending on the resource you want to redirect, click the Home Directory, Virtual Directory, or
                 Directory tab.
            3.   Under The content for this source should come from, click A redirection to a URL.
            4.   In the Redirect to box, type the URL of the destination directory or Web site.
                 For example, to redirect all requests for files in the Catalog directory to the NewCatalog directory,
                 type /NewCatalog.
            To redirect all requests to a single file
            1.   In IIS Manager, expand the local computer, right-click the Web site or directory you want to
                 redirect, and then click Properties.
            2.   Click the Home Directory, Virtual Directory, or Directory tab.
            3.   Under The content for this source should come from, click A redirection to a URL.
            4.   In the Redirect to box, type the URL of the destination file.
            5.   Select The exact URL entered above check box to prevent the Web server from appending the
                 original file name to the destination URL.
You can use wildcards and redirect variables in the destination URL to precisely control how the original URL is
translated into the destination URL.
You can also use the redirect method to redirect all requests for files in a particular directory to a program.
Generally, you need to pass any parameters from the original URL to the program, which you can do by using
redirect variables.
            To redirect requests to a program
            1.   In IIS Manager, expand the local computer, right-click the Web site or directory that you want to
                 redirect, and then click Properties.
            2.   Depending on the resource you want to redirect, click the Home Directory, Virtual Directory, or
                 Directory tab.
            3.   Under The content for this source should come from, click A redirection to a URL.
            4.   In the Redirect to box, type the URL of the program, including any redirect variables needed to
                 pass parameters to the program.
                 For example, to redirect all requests for scripts in a Scripts directory to a logging program that
                 records the requested URL and any parameters passed with the URL, type:
                 /Scripts/Logger.exe?URL=$V+PARAMS=$P

                 where $V and $P are redirect variables.
            5.   Select The exact URL entered above check box to prevent the Web server from appending the
                 original file name to the destination URL.
For more information about redirect variables, see “Redirect Reference” and “Redirecting Requests to Files,
Directories, or Programs” in IIS 6.0 Help, which is accessible from IIS Manager.
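The following Python sketch is an added example, not IIS code. It models how a destination URL is built for the three redirect procedures above, and what a receiving program such as the Logger.exe example would see. The meaning given to $V (requested path) and $P (parameters without the question mark), the plain unencoded substitution, and carrying the original parameters along when the exact URL option is off are assumptions of the sketch; the request URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qs

def redirect_target(request_url, redirected_dir, destination, exact=False):
    """Return the URL the browser is sent to, or None if no redirect applies.

    exact=True models "The exact URL entered above": nothing from the
    original URL is appended to the destination.
    """
    parts = urlsplit(request_url)
    path, query = parts.path, parts.query
    base = redirected_dir.rstrip("/")
    # Paths are compared without regard to case.
    inside = path.lower() == base.lower() or path.lower().startswith(base.lower() + "/")
    if not inside:
        return None
    # Redirect variables: client-supplied text is copied in as-is (assumed).
    target = destination.replace("$V", path).replace("$P", query)
    if not exact:
        # Append the rest of the original path, including the file name.
        target = target.rstrip("/") + path[len(base):]
        if query:
            target += "?" + query   # assumed: original parameters are kept
    return target

def logger_view(target):
    """What a program sees if it reads the target with ordinary form decoding."""
    return parse_qs(urlsplit(target).query)

# Constructed requests for the three procedures above.
TO_DIRECTORY = redirect_target(
    "http://www.example1.com/Catalog/tools/item.htm", "/Catalog", "/NewCatalog")
TO_SINGLE_FILE = redirect_target(
    "http://www.example1.com/Catalog/tools/item.htm", "/Catalog", "/moved.htm", exact=True)
TO_PROGRAM = redirect_target(
    "http://www.example1.com/Scripts/report.asp?id=7&fmt=pdf", "/Scripts",
    "/Scripts/Logger.exe?URL=$V+PARAMS=$P", exact=True)

if __name__ == "__main__":
    print(TO_DIRECTORY)
    print(TO_SINGLE_FILE)
    print(TO_PROGRAM)
    # "+" decodes to a space and "&" starts a new field, so there is no
    # separate PARAMS field under form decoding. The receiving program has
    # to parse this format deliberately and treat every value as untrusted.
    print(logger_view(TO_PROGRAM))
```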


Assigning Resources to Applications
There are several ways to assign, or limit, the amount of resources an application can use. You can use application
property sheets to control performance, cache, and process options of individual applications, or you can use
bandwidth throttling to limit resources for an entire site or application pool. A third alternative is to control access
to your application through the NTFS file system and Web server security features.
            To assign resources by using property sheets
            1.   In IIS Manager, expand the local computer, right-click the Web site or root directory of an
                 application, and then click Properties.
            2.   Depending on the location of the application, click the Home Directory, Virtual Directory, or
                 Directory tab.
            3.   In the Application settings section, click Configuration.
            4.   On the Mappings and Options tabs, select the appropriate check boxes to enable or disable
                 caching, session states, buffering, and side-by-side assemblies.
            To globally assign resources by using bandwidth throttling
            1.   In IIS Manager, expand the local computer, right-click the Web Sites folder, and then click
                 Properties.
            2.   Click the Performance tab.
            3.   Under Bandwidth throttling, select the Limit the total network bandwidth available for all
                 Web sites on this server check box.
            4.   In the Maximum bandwidth box, type or click the up and down arrows to set the maximum
                 number of kilobytes per second that you want each site contained in the directory to use.
            5.   Under Web site connections, click either Unlimited or Connections limited to. If you select
                 Connections limited to, type or click the up and down arrows to set the maximum number of
                 kilobytes per second that you want each site contained in the directory to use.
            To assign resources to an individual Web site by using bandwidth throttling
            1.   In IIS Manager, expand the local computer, expand the Web Sites folder, right-click the Web site
                 to which you want to assign resources, and then click Properties.
            2.   Click the Performance tab.
            3.   Under Bandwidth throttling, select the Limit the network bandwidth available to this Web
                 site check box.
            4.   In the Maximum bandwidth box, type or click the up and down arrows to set the maximum
                 number of kilobytes per second you want each site contained in the directory to use.
            5.   Under Web site connections, select either Unlimited or Connections limited to. If you select
                 Connections limited to, type or click the up and down arrows to set the maximum number of
                 Web site connections.
Bandwidth throttling is not supported on Internet Protocol Version 6 (IPv6) Web sites. For more information about
bandwidth throttling, see “Throttling Bandwidth” in IIS 6.0 Help, which is accessible from IIS Manager.



Tasks for Administering Servers
IIS 6.0 and Windows Server 2003 provide several tools to help you administer your servers. This section provides
task-based information about the following:
                Administering servers from the command line. Use the following powerful scripting and
                 programming tools to access and configure settings:
                    Supported command-line scripts. Supplied scripts for the IIS Windows Management
                     Instrumentation (WMI) provider to manage and set IIS metabase configurations.
                    Adsutil.vbs IIS administration utility. Uses VBScript and Active Directory Service
                     Interfaces (ADSI) as a learning tool to manipulate the IIS configuration.
                Administering servers remotely. Use the following tools to remotely administer your sites:
                    IIS Manager. Remotely connect to and administer an intranet server.
                    Terminal Services. After you use Terminal Services to connect to the server that is running
                     IIS, you can use IIS Manager on the Web server as if you were logged on locally.
                    Remote Administration (HTML) tool. Administer your IIS Web server from Web browsers
                     on your intranet.
                    Supported command-line scripts. Use with the IIS WMI provider to remotely manage an
                     IIS machine. Each command-line script supports the /s parameter, which you can use to
                     specify the remote server against which you want to perform the command.


Administering Servers from the Command
Line
IIS provides powerful scripting and programming tools that you can use to access and configure settings from
within a command-line script or compiled application. You can use these tools to create, delete, start, stop, pause,
and list various sites and applications, as well as to copy, import, and export configurations.
                   Important
                   You must be a member of the Administrators group on the local
                   computer to run scripts and executables, or you must have been
                   delegated the appropriate authority. As a security best practice, log on to
                   your computer by using an account that is not in the Administrators
                   group, and then use the runas command to run your script or executable
                   as an administrator. At a command prompt, type runas /profile
                   /User:MyMachine\Administrator cmd to open a command window with
                   administrator rights and then type cscript.exe ScriptName (including the
                   full path with parameters, if any).

IIS provides the following command-line tools:
                Supported command-line scripts. Use the supplied scripts for the IIS WMI provider to manage
                 and set IIS metabase configurations.
                Adsutil.vbs IIS administration utility. Uses Microsoft® Visual Basic® Scripting Edition
                 (VBScript) with ADSI to manipulate the IIS configuration.


Supported Command-Line Scripts
IIS 6.0 includes supported scripts that you can find in the systemroot\System32 directory. These VBScript scripts
use the IIS WMI provider to manage configuration settings in the IIS metabase.
When you use these scripts to create a new site or virtual directory, you can specify the basic properties that are
needed to create the site or directory and identify its contents. The scripts apply the same default properties that IIS
Manager uses to create new sites or virtual directories, and they adhere to the same rules for inheriting properties.
To configure more advanced properties for a site or virtual directory, use IIS Manager. Alternatively, you can
build an XML template that contains the properties you want to apply to a new Web site or virtual directory and
then use the Iiscnfg.vbs script to apply this template to any Web site or virtual directory in the IIS metabase.
The computer that runs the command must be running Microsoft® Windows® XP Professional or Windows Server
2003. The computer that the command affects must be running Windows Server 2003 with IIS 6.0. You cannot
use these scripts to manage IIS 6.0 on clients running Windows XP Professional because Windows XP runs with
IIS 5.1.
Table A.5 lists the supported command-line scripts for IIS 6.0.
Table A.5 Supported Command-Line Scripts for IIS 6.0
             Script             For These Areas    Tasks                           IIS Help Topics
             Iisweb.vbs         Web sites          Create, delete, start,          “Managing Web Sites”
                                                   stop, pause, and query
                                                   or list Web sites.
             Iisftp.vbs         FTP sites          Create, delete, start,          “Managing FTP Sites”
                                                   stop, pause, and query          “Setting Active
                                                   or list FTP sites.              Directory User
                                                   Query and set Active            Isolation”
                                                   Directory properties for
                                                   a user’s FTP home
                                                   directory (use in FTP
                                                   user isolation).
             Iisvdir.vbs        Web virtual        Create, delete, or list         “Managing Web
                                directories        the Web virtual                 Virtual Directories”
                                                   directories of a given
                                                root.
             Iisftpdr.vbs      FTP virtual      Create, delete, or list      “Managing FTP Virtual
                               directories      the FTP virtual              Directories”
                                                directories of a given
                                                root.
             iisback.vbs       Back up and      Create, delete, restore,     “Managing IIS
                               restore IIS      and list backup copies       Configurations”
                               configuration    of IIS configuration.
             Iiscnfg.vbs       Export or        Export or import an IIS      “Managing IIS
                               import IIS       configuration to or          Configurations”
                               configuration    from an XML file; copy
                                                the metabase and
                                                schema to another
                                                computer; and save
                                                configuration changes
                                                to disk.
             Iisext.vbs        Applications     Configure and manage         “Managing
                               and dynamic      applications, Web            Applications and Web
                               content          service extensions (like     Service Extensions”
                               services         ASP and ASP.NET),
                                                and individual files.
             Iisapp.vbs        Application      List the worker              “Listing Running Web
                               pools and        processes (W3wp.exe)         Applications”
                               their worker     currently running and
                               processes        the application pool
                                                each one serves.



Adsutil.vbs IIS Administration Utility
Adsutil.vbs is an IIS administration utility that uses VBScript with ADSI to manipulate the IIS configuration and
modify the metabase. You must run this script by using CScript, which is installed with Windows Script Host.
Adsutil.vbs is a flexible and generic command-line tool. Because Adsutil.vbs is not supported (its documentation
and format can change at any time), use Adsutil.vbs primarily as a learning tool.
For more information about how to use Adsutil.vbs, including Adsutil.vbs syntax, parameters, commands and
examples, see “IIS 6.0 Administration Scripts, Tips, and Tricks” in this book.


Administering Servers Remotely
When you run IIS on an intranet or the Internet, you can administer your server remotely by using the following
tools:
               IIS Manager. Use on your server to remotely connect to and administer an intranet server running
                IIS 5.x or IIS 6.0.
               Terminal Services. Does not require you to install IIS Manager on the remote client computer
                because, after you are connected to the server that is running IIS, you can use IIS Manager on the
                Web server as if you are logged on locally.
               Remote Administration (HTML) tool. Use to administer your IIS Web server from any Web
                browser on your intranet. This version of the tool runs only on servers running IIS 6.0.
                Supported command-line scripts. Use the IIS-supported command-line scripts with the IIS WMI
                 provider to remotely manage a server running IIS. Each command-line script supports the /s
                 parameter, which you can use to specify the remote server against which you want to perform the
                 command.

                   Important
                   You must be a member of the Administrators group on the local
                   computer to perform the following procedure or procedures, or you must
                   have been delegated the appropriate authority. As a security best
                   practice, log on to your computer by using an account that is not in the
                   Administrators group, and then use the runas command to run IIS
                   Manager as an administrator. At a command prompt, type runas
                   /User:Administrative_AccountName "mmc
                   %systemroot%\system32\inetsrv\iis.msc".


            To administer your intranet server remotely by using IIS Manager
            1.   In IIS Manager, right-click the local computer, and then click Connect.
            2.   In the Computer name box, type or browse to the computer you want to connect to.
            3.   Click OK.
If you do not have TCP/IP and a name resolution server, such as Windows Internet Name Service (WINS)
installed, you might not be able to connect to a server running IIS by using the computer name. As an alternative,
you can use the IP address of the server running IIS. For more information about IP addresses and name
resolution, see “Name resolution for TCP/IP” in Help and Support Center for Windows Server 2003.
            To administer your intranet server remotely by using Terminal Services
            1.   Install the Terminal Services client on the local computer.
            2.   While the remote computer is running, start Terminal Services and identify the name of the
                 remote computer.
            3.   From the Terminal Services window, administer IIS as you do locally.
                 You can start IIS Manager on any network computer that is running Windows. You can also run
                 scripts from the Terminal Services window.
            To enable the Remote Administration (HTML) tool through Control Panel
            1.   From the Start menu, click Control Panel.
            2.   Double-click Add or Remove Programs.
            3.   In the left pane, click Add/Remove Windows Components.
            4.   Click Application Server, and then click Details.
            5.   Click Internet Information Services (IIS), and then click Details.
            6.   Click World Wide Web Publishing Service, and then click Details.
            7.   Select the Remote Administration (HTML) check box, and click OK.
            8.   Click OK two more times, click Next, and then click Finish to complete the Windows
                 Components Wizard.
            To view the Remote Administration (HTML) tool from IIS Manager
                Expand the local computer, expand the Web Sites folder, right-click the Administration Web
                 site, and then click Browse.
            To administer an IIS Web server by using the Remote Administration (HTML) tool
              Open your intranet site from a Web browser and type the following in the address bar:
               http://HostName:8098
               In this procedure, HostName is the name of the computer that you want to connect to and
               administer.
For more information about remotely managing servers by using this tool, from the Help menu in the Remote
Administration (HTML) tool, click Help Topics.

						