Windows Server 2003 ships with the latest version of Internet Information Server (IIS), version 6.0, redesigned to provide better reliability and more flexibility in configuring application environments. The new version includes improvements to the core functionality and services, administration, security, and performance.
by Chris Peiris
Aug 20, 2003
Microsoft's Internet Information Services (IIS) is one of the most popular Web servers in use on the Internet and in intranets throughout the world. A Web server is a common point of vulnerability to hackers because, by necessity, it exposes itself to the Web. Previous Microsoft server OS versions installed IIS by default, and hackers used these installations to run "rogue" Web services without the knowledge of administrators. Microsoft has fixed that vulnerability; IIS 6.0 is no longer installed by default on Windows Server 2003 servers (with the exception of the Web Server Edition). When administrators do install IIS, it is initially configured in a high-security ("locked") mode. Security is a priority in this new version. Consequently, administrators must explicitly enable a number of important Web services features that worked automatically in previous versions. This new focus on security means administrators must familiarize themselves with the changes to provide the Web server services needed on their networks.
The information contained in this article is based on Chris Peiris' new book MCSA/MCSE Exam 70-290 Study Guide: .NET Server 2003. The book provides sample exam questions for all the Windows 2003 server topics. Thanks to Mr. Jon Babcock for his help with this publication.
IIS 6.0 Installation Best Practices
To ensure the optimum scalability and performance of IIS 6.0, you should follow these steps:
Make sure you install IIS onto a partition that uses the NTFS file system, not the FAT32 file system. If the partition is not already formatted as NTFS, upgrade the FAT32 file system to NTFS prior to installation or during the upgrade process.
Make sure the Internet Connection Firewall (ICF) is enabled and configured properly unless you plan to rely on a separate firewall product.
Use unattended setup to install IIS on multiple machines. You can create a setup script to configure a common IIS installation for multiple computers. The setup file is called an "Answer file" and eliminates the need for manual intervention while installing IIS 6.0.
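As an added illustration of the answer-file approach (this file is constructed for this article and is not from the book or from Microsoft's documentation), the fragment below installs only the Web service and its management snap-in and leaves every other IIS component off, which keeps the result close to the locked-down default described above. The component names are the ones sysocmgr reads from sysoc.inf on Windows Server 2003; the file path is an assumption.

```ini
; Constructed example answer file (assumed path: c:\iis_unattend.txt).
; Apply it on the target server with:
;   sysocmgr.exe /i:%windir%\inf\sysoc.inf /u:c:\iis_unattend.txt
; Only components set to On are installed; anything not listed, or set to Off,
; is left uninstalled, so the server exposes no more than the Web service itself.
[Components]
; Common files required by every IIS component
iis_common = On
; The World Wide Web service (the part that actually serves HTTP/HTTPS)
iis_www = On
; IIS Manager snap-in, needed to administer the server
iis_inetmgr = On
; Script engines and publishing features stay off until an application needs them
iis_asp = Off
aspnet = Off
iis_webdav = Off
; Additional network services that a plain Web server should not expose
iis_ftp = Off
iis_smtp = Off
iis_nntp = Off
```

Review the [Components] list against the applications each server will host before reusing the file, since any feature set to Off here must later be enabled explicitly in IIS Manager.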
Internet Connection Firewall
Windows 2003 comes with a very basic internal software firewall called the Internet Connection Firewall (ICF). This facility is disabled by default. If you enable it, you can configure the firewall to enable or disable HTTP, HTTPS, FTP, and SMTP protocol access through IIS. IIS 6.0 will not function correctly if the Internet Connection Firewall is enabled and the relevant protocols are disabled. For example, the IIS 6.0 Web server will not function if the HTTP and HTTPS protocols are disabled. You have two basic options for the Internet Connection Firewall.
Disable the firewall. (Warning: That leaves your IIS installation at the mercy of the corporate firewall!)
Enable the firewall and filter for the correct protocols.
Microsoft recommends that you use the ICF for small to medium size Web project developments unless you have a more sophisticated firewall solution such as Internet Security and Acceleration Server (ISA) deployed. The ICF is adequate to protect Internet traffic on most Web sites; however, large organizations should consider ISA or another heavy-duty firewall product. You do not need to enable the Internet Connection Firewall if you have a corporate firewall to protect your Web servers.
Organizations often place Web servers accessible from the Internet in a "DMZ" or perimeter network (also sometimes called a screened subnet). To do that, you can configure a "tri-homed DMZ" in which you have a firewall server (such as ISA) with three interfaces (an internal network interface to the LAN, a public interface with a public IP address, and a DMZ interface with a public address). Alternatively, you can configure a "back to back DMZ," where you have two firewall servers, an external one and an internal one.
The most cost-effective method is to use the second option (enable the ICF and filter for the correct protocols) and make the most of Windows 2003's built-in functionality. Follow these steps to configure the protocols:
Open Start | Control Panel | Network Connections | Local Area Connection
Navigate to the Advanced tab and select the Protect my computer and network by limiting or preventing access to this computer from the Internet checkbox (see Figure 1).