CHAPTER 14
MICROSOFT WINDOWS 2000 APPLICATION SERVERS
Lesson 1:
Exploring Microsoft Internet Information Services 5.0 Features
Windows 2000 Server includes an updated version of IIS (version 5.0). IIS runs as an enterprise
service within Windows 2000 and uses other services provided by Windows 2000, such as security
and Active Directory services. IIS 5.0 improves the Web server’s reliability, performance,
management, security, and application services.
Introduction to Microsoft IIS 5.0
While IIS 4.0 focused on security, administration, programmability, and support for Internet
standards, IIS 5.0 builds on these capabilities to deliver the type of Web sites required in an
increasingly intranet- and Internet-centric business environment. IIS 5.0 has been improved in
the following four areas: reliability and performance, management, security, and application
environment.
1. Reliability and Performance
IIS 5.0 performs better and is more reliable than previous versions of the product for a number
of reasons. Internally, the speed of the IIS 5.0 engine has been increased through coding
refinements. Beyond this, version 5.0 introduces features you can use to improve the speed
and reliability of Web sites.
One of the more significant improvements in IIS 5.0 is the addition of application protection
through support for pooled, out-of-process applications. To better control resource consumption,
new throttling features (based on the new job object feature of Windows 2000) make it easier
for administrators to allocate the amount of CPU bandwidth available to processes, as well as
the amount of network bandwidth available to sites. In addition, the new Socket Pooling feature
allows multiple sites sharing a port also to share a set of sockets.
Application Protection
Most operating systems view a process as a unit of work in a system. Services and applications
are processes that run in memory areas allocated by the operating system to each process. In IIS
5.0, application protection refers to the way in which the operating system guards each application
process from other processes in memory.
======================================================================
winser14.html PAGE
2 2002/02/19
As a first step toward addressing these issues, IIS 4.0 allowed applications to run either in the same
IIS server process (Inetinfo.exe) or out-of-process, that is, in a process separate from the IIS Server
process. DLLHost.exe acts as a surrogate application to the IIS server process to manage each
out-of-process application.
Reliable Restart
In the event of a system failure, it’s clearly important to be able to get IIS back to an operational
state as quickly as possible. In the past, rebooting was an acceptable way to restart IIS. To reliably
restart IIS, an administrator needed to start up four separate services after every stoppage, and was
required to have specialized knowledge, such as which services to start and in what order.
Socket Pooling
IIS 5.0 increases performance by adding the ability to optimize access to your Web Site. A socket
is a protocol identifier for a particular node on a network. The socket consists of a node address
and a port number, which identifies the service. For example, port 80 on an Internet node
represents the WWW HTTP service on a Web Server. There are 1024 well-known ports,
and they store common processes in RAM, if other users want to call on the same information.
21 = FTP
80 = WWW
25 = SMTP
110 = POP3
In IIS 4.0, each Web site is bound to a different IP address, which means that each site has its
own socket that is not shared with sites bound to other IP addresses. Each socket is created
when the site starts, and consumes significant non-paged memory (RAM). This memory
consumption limits the number of sites bound to IP addresses that can be created on a single
machine.
For IIS 5.0, this process has been modified so that sites bound to different IP addresses but
sharing the same port number can now share the same set of sockets.
Multisite Hosting
To improve the scalability of IIS, Windows 2000 Server supports the ability to host multiple Web
sites on a single server. This can save the time and money required within a company that wants
to host different sites for different departments, or for an ISP hosting multiple sites for different
customers.
NOTE: IIS 4.0 also allows you to host multiple Web sites on a single server.
Up to 25 different IPs can be attached to one NIC card.
Process Throttling
If you run multiple Web sites that primarily use HTML pages on one computer, or if you have other
applications running on the same computer as your Web Server, you can limit how much processor
time a Web site’s applications are permitted to use.
Bandwidth Throttling
If the network or Internet connection used by your Web server is also used by other services such
as e-mail or news, you may want to limit the bandwidth used by your Web Server in order to free
up bandwidth for other services.
NOTE: IIS 4.0 allows you to throttle bandwidth on a per-Web site basis.
Management
While IIS 4.0 introduced a significant number of new technologies, a core design goal for IIS 5.0
was to make the Web server easier for managers to use.
Setup and upgrade integration
The setup process of IIS 5.0 is integrated with Windows 2000 Server setup, and IIS 5.0 installs
by default as a Windows component of Windows 2000 Server.
IIS creates a Default Web site, an Administration Web site, and a Default SMTP Virtual Server
when you install Windows 2000 Server. You can add or remove IIS or select additional
components, such as the Network News Transfer Protocol (NNTP) Service, by using the
Add/Remove Programs application in Control Panel.
Centralized Administration
IIS 5.0 is managed by using the Internet Information Services snap-in, which is integrated with
other administrative functions of Windows 2000. You can open the snap-in from the Administrative
Tools program group. The Internet Information Services snap-in is also located in the Computer
Management snap-in under Services and Applications.
The browser-based administration tool, Internet Service Manager (HTML), is no longer available
in the Administrative Tools program group, but it is still available to let you remotely administer
IIS over an HTTP or HTTPS connection, depending on how you have the Administration Web
site configured for security.
NOTE: The TCP port number assigned to the administration site is randomly selected and is
between 2,000 and 9,999. View the Administration Web site Properties, under the Web Site
tab to determine or change the port number assigned to the site.
Browsers other than Microsoft Internet Explorer can be used to access the administration Web
site, but basic authentication must be enabled if the browser does not support NTLM authentication
and you don’t want to enable anonymous access.
Delegated Administration
You can add accounts to the Operators group to help even out the workload. Members of the
Operators group have limited administration privileges on Web sites. For example, an ISP that
hosts sites for a number of different companies can assign delegates from each company as the
operators for each company’s Web site.
Process Accounting
Process Accounting (sometimes referred to as CPU Usage Logging, CPU Accounting or Job Object
Accounting) is a new feature in IIS 5.0 that lets administrators monitor and log how Web sites use
CPU resources on the server.
To enable process accounting on a site using the Internet Information Services snap-in, open the site’s
property page and from the properties of the W3C Extended Log File Format, choose the Extended
Properties tab. In the Internet Service Manager (HTML), follow the same navigation and then choose
the Extended Properties link.
Improved Command-Line Administration Scripts
IIS 5.0 ships with scripts that can be executed from the command line to automate the management
of common Web server tasks. Administrators can also create custom scripts that automate the
management of IIS. Windows Script Host (WSH) is used to run the .vbs administration scripts
included in IIS 5.0.
Backing Up and Restoring IIS
The Internet Information Services snap-in includes options that allow you to back up and restore your
IIS configuration so that you can save the IIS 5.0 metabase settings to make it easy to return to a
safe, known state.
To back up and restore your Web server configuration, select the IIS computer in Internet
Information Services snap-in, and then select the Backup/Restore Configuration option from
the Action menu.
Custom Error Messages
When a user attempts to connect to a Web site and an HTTP error occurs, a generic message is
sent back to the client browser with a brief description of what happened during the attempt to
establish a connection. As with IIS 4.0, with IIS 5.0 you can send more informative error
messages to clients that encounter an ASP or HTML error on your site. You can use the custom
error messages that IIS 5.0 provides or create your own. HTML goddies.com (easy to learn).
Support for FrontPage Server Extensions
Windows 2000 Server allows administrators to use FrontPage Web authoring and management
features to deploy and manage Web sites. With FrontPage Server extensions, administrators can
view and manage a Web site in a graphical interface.
Unlike previous versions of IIS, FrontPage Web is enabled by default. The following two setup
features in the FrontPage Server Extensions snap-in are important for initially configuring and
checking the extensions:
· Configuring an existing Web server to use the server extensions. Once a Web site is configured
  to use server extensions, Web applications that depend on server extensions, like FrontPage,
  can operate against the Web site.
· Checking server extension security. This feature allows you to check the security of any Web
  site or a single Web site running Server Extensions.
In the Internet Information Services snap-in, configuring an existing Web server for server
extensions is accomplished by selecting a Web site and then, from the Action menu, pointing
to New and clicking the Server Extensions Web option.
Web Distributed Authoring and Versioning
The Web is a great medium for publishing documents, but until now it hasn’t been easy for
organizations to use the Internet to let users collaborate on documents. That’s because while it
is easy to read documents stored on a Web site, it has not been easy for users to make changes
to those documents. To address this need, IIS 5.0 has added full support for Web Distributed
Authoring and Versioning (WebDAV).
Distributed File System
IIS 5.0 makes use of the Windows 2000 distributed file system (Dfs). Dfs is a means for uniting
files on different computers into a single namespace. Dfs lets system administrators build a single,
hierarchical view of multiple file servers and file server shares on the network, making it easier for
users to access and manage files that are physically distributed across a network. Eliminates the
need for NetBEUI.
HTTP Compression
HTTP compression allows faster transmission of pages between a Web server and compression-
enabled clients. This is useful in situations where bandwidth is limited. Depending on the content
you’re hosting, your storage space, and the connection speed of your typical Web site visitor,
HTTP compression can provide faster transmission of pages between your Web server and
compression-enabled browsers.
From the Internet Information Service (HTML) home page, click the Service option under Master
Properties. View the service properties and configure compression.
FTP and FTP Restart
The FTP service, an industry standard protocol used to publish information to a Web server, is
integrated into Windows 2000 Server. In IIS 5.0, the FTP Restart protocol is also supported
by Windows 2000 Server.
NOTE: This feature is available only to FTP clients that support the FTP restart function. The
FTP client initiates the REST command to connect and continue a failed download.
Security
Security features, which are an important area of improvement in IIS 5.0, take advantage of the
Internet-standard security features that are fully integrated with Windows 2000.
The security protocols supported by IIS 5.0 are described in the following table:
======================================================================
Security protocol      Description
======================================================================
Fortezza               Support for Fortezza is new in IIS 5.0. Encryption.

Secure Sockets         SSL security protocols are used widely by Internet browsers
Layer (SSL) 3.0        and servers for authentication, message integrity, and
                       confidentiality. HTTPS (S = Security).

Transport Layer        TLS is based on SSL. It provides for cryptographic user
Security (TLS)         authentication and provides a way for independent
                       programmers to write TLS-enabled code that can exchange
                       cryptographic information with another process without a
                       programmer needing to be familiar with another
                       programmer’s code.

PKCS #7                This protocol describes the format of encrypted data such as
                       digital signatures or digital envelopes.

PKCS #10               This protocol describes the format of requests for
                       certificates that are submitted to certification
                       authorities.

Basic authentication   Basic authentication is a part of the HTTP 1.0 specification.
                       It sends passwords over networks in Base64-encoded format.
                       PAP, SSL protocols.

Digest                 New feature of IIS 5.0, Digest Authentication offers the
Authentication         same features as Basic Authentication but involves a
                       different method for transmitting the authentication
                       credentials. The authentication credentials pass
                       through a one-way process, often referred to as hashing.
                       The result of this process is called a hash, or message
                       digest, and the original text cannot be deciphered from the
                       hash. Only 2000 client and Internet Explorer 5.

Integrated Windows     Provides NTLM authentication for older versions of
Authentication         Internet Explorer 3.0 that use it to cryptographically
                       authenticate with IIS.
======================================================================
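The difference between the Basic and Digest rows above, as an added Python example (not part of the original notes and not Microsoft code). It uses the sample user, realm, password and nonce from the worked example in RFC 2617; the function names and the replacement nonce are constructed for this illustration.

```python
import base64
import hashlib
import hmac

# Sample values from the worked example in RFC 2617, section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE, NC, QOP = "0a4f113b", "00000001", "auth"
METHOD, URI = "GET", "/dir/index.html"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Authorization header value a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_header(value):
    """Recover user and password from a captured Basic header.

    Base64 is an encoding, not encryption, so no key or secret is needed.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_ha1(user, realm, password):
    """One-way hash of the credentials; the password itself is never sent."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop):
    """Response value the client sends for qop=auth (RFC 2617, section 3.2.2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(ha1, method, uri, nonce, nc, cnonce, qop, response):
    """Server side: recompute from its own HA1 and the nonce it issued."""
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


def demo():
    header = basic_header(USER, PASSWORD)
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    response = digest_response(ha1, METHOD, URI, NONCE, NC, CNONCE, QOP)
    return {
        "basic_header": header,
        "recovered_from_basic": decode_basic_header(header),
        "digest_response": response,
        "accepted_with_issued_nonce": server_accepts(
            ha1, METHOD, URI, NONCE, NC, CNONCE, QOP, response),
        # The same response presented against a different server nonce fails.
        "accepted_with_new_nonce": server_accepts(
            ha1, METHOD, URI, "constructed-fresh-nonce", NC, CNONCE, QOP, response),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Basic authentication therefore needs an encrypted channel such as SSL underneath it, while a Digest response is only valid for the nonce the server issued.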
Security Mechanisms
IIS 5.0 uses five basic security mechanisms: authentication, certificates, access control, encryption
and auditing.
Web sites.
· Anonymous FTP and HTTP authentication
· Basic FTP and HTTP authentication
· Digest authentication for Windows 2000 domains and browsers supporting this
  HTTP 1.1 authentication method
· Integrated Windows authentication (HTTP only)
identification documents that allow both servers and client to authenticate each other.
to resources on your server. IIS 5.0 uses two layers of access control: Web permissions
and NTFS permissions.
information as it passes over the Internet. You can let users exchange private information,
such as credit card numbers or phone numbers, with your server in a secure way by using
encryption.
Administrators can use security auditing techniques to monitor a broad range of user and
Web server security activity.
Security Wizards
To make it simpler to establish and maintain security settings, IIS 5.0 includes three new security
task wizards: the Web Server Certificate wizard, the Permissions wizard, and the Certificate
Trust Lists wizard.
NOTE: Using Internet Information Services (HTML) to create a Web server certificate is similar
to using the Internet Information Services snap-in; however, there is no HTML-based wizard to
walk you through the configuration process.
SSL security is an increasingly common requirement for Web sites that provide e-commerce and
access to sensitive business information.
properties of a Web Site in the Internet Information Services snap-in.
of setting up permissions and authenticated access on an IIS Web site, making it much
easier to set up and manage a Web site that requires authenticated access to its content.
The Permissions wizard provides two top-level options:
· Inherited security settings applied to the parent site or virtual directory
· Security settings based on a template
Two templates are available for configuring security: the Public Web Site template and the Secure
Web Site template. The Public Web Site template applies security settings that are cross-
browser compatible and provide access to the site regardless of whether the user has a Windows
2000 account for the network being accessed. The Secure Web Site template applies security
settings that only users with Windows 2000 user accounts can access.
trust lists (CTLs). A CTL is a list of trusted certificate authorities (CAs) for a particular
directory.
Application Environment
IIS 5.0 includes performance enhancements that make it easier to develop Web-enabled applications.
The Active Server Pages (ASP) technology within IIS, combined with the data access and component
services within Windows 2000 Server, provides a well-rounded application environment.
ASP is a server-side scripting environment that you can use to create and run dynamic, interactive
Web server applications. With ASP, you can combine HTML pages, script commands, and
Component Object Model (COM) components to create interactive Web pages or Web-based
applications that are easy to deploy and modify.
Component services
IIS 5.0 and the Component Services (COM+) included in Windows 2000 Server work together to
form a basic architecture for building Web applications.
Active Directory Services
Stores and manages information about networked resources. By providing a centralized store for
essential information, Active Directory services simplifies network management, makes it easier for
users to find resources, and makes it easier for developers to write applications.
Installing IIS 5.0
Internet Information Services 5.0 is a component of the Windows 2000 operating system. Installation
and removal of IIS are accomplished in one of three ways: when installing or upgrading Windows
2000, by using the Add/Remove Programs utility in Control Panel, or by using an unattended.txt
file during an unattended installation.
When performing a clean installation of Windows 2000 Server, IIS is installed by default. You
can remove IIS or select IIS components to be added or removed by using the Add/Remove
Programs utility.
During the IIS installation, the Default Web site, Administration Web site, and Default SMTP
Virtual Server are created.
Setting up a Web Environment
Whether your site is on an intranet or the Internet, the principles of providing content are the same.
You place your Web files in folders on your server so that users can establish an HTTP connection
and view your files with a Web browser.
Getting Started
You should set up your Web sites by indicating which folders contain the documents that you want
to publish. The Web server cannot publish documents that are not within these specified folders.
So the first step in deploying a Web site should be to determine how you want your files organized.
You then use the Internet Information Services snap-in, or the Internet Services Manager (HTML)
interface, to identify which folders (called directories in the snap-in and HTML interface) are part
of the site.
If you want to get started right away without having to create a special folder structure and your
files are all located on the same hard disk of the computer running IIS, you can publish your
documents immediately by copying your Web files into the default home folder. Intranet users
can then access these files by using any of the following URLs:
Defining Home Directories
Each Web site and FTP site must have one home directory. The home directory is the central
location for your published pages. It contains a home page (typically named index.htm, index.html,
default.asp, default.htm, or default.html) that welcomes Web browser users and contains links to
other pages in your site.
A default home directory is created when you install IIS and when you create a new Web site.
If you are setting up both a Web site and an FTP site on the same computer, you must specify
a different home directory for each service (WWW and FTP). The default home directory for
WWW service is \InetPub\Wwwroot.
The default home directory for FTP service is \InetPub\Ftproot. You can choose a
different directory as your home directory.
Notice that the home directory can reside on the computer running IIS, on a share, or can be
redirected to a URL hosted by another Web site. The share option provides transparent support
for Dfs.
Creating Virtual Directories
You can create a virtual directory to publish from a directory not contained within your home
directory.
A virtual directory has an alias, a name that Web browsers use to access that directory. Because
an alias is usually shorter than the path name of the directory, it is more convenient for users to type.
For a simple Web site, you may not need to add virtual directories. You can instead place all of
your files in the site’s home directory. If you have a complex site or want to specify different
URLs for different parts of your site, you can add virtual directories as needed.
In Internet Services Manager (HTML), the same link used to create a new site is also used to
publish your content to a virtual directory or a directory.
Reroute Requests with Redirects
When a browser requests a page on your Web site, the Web server locates the page identified
by the URL and returns it to the browser. To make sure that browsers can find the page at the
new URL, you instruct the Web server to give the browser the new URL. This process is called
redirecting a browser request or redirecting to another URL.
Redirecting a URL is useful when you are updating your Web site and want to make a portion
of the site temporarily unavailable, or when you have changed the name of a virtual directory and
want links to files in the original virtual directory to access the same files in the new virtual
directory.
Other Tools
Often, it may be useful to dynamically alter Web content after the content has been requested,
but before it is returned to the browser. IIS includes two features that provide this functionality:
server-side includes (SSI) and the ASP scripting environment.
Using ASP to Manage Web Site Content
Windows 2000 includes Microsoft ASP, a server-side scripting environment that you can use to
automate and centralize many of your Web site management tasks.
Scripting
A script is a series of instructions and commands that you can use to programmatically alter the
content of your Web pages.
There are two kinds of scripting: client-side and server-side. Client-side scripts run on the Web
browser and are embedded in a Web page between HTML <SCRIPT> and </SCRIPT> tags.
Server-side scripts run exclusively on the Web server and are most often used to modify Web pages
before they are delivered to the browser.
ASP Overview
Just as you might write a custom macro to automate repetitive spreadsheet or word processing
tasks, you can create a server-side script to automatically perform difficult or repetitious Web
management tasks.
ASP is a powerful, server-side scripting environment that you can use to write scripts with only
a standard text editor, such as Notepad.
ASP uses delimiters to differentiate script commands from regular text and HTML.
At a minimum, all ASP files must have an .ASP extension and contain script commands written
in a scripting language such as Microsoft Visual Basic Scripting Edition (VBScript) or Microsoft
JScript.
Lesson Summary:
application environment.
as the addition of application protection through support for pooled, out-of-process applications.
applications.
upgrading Windows 2000, by using the Add/Remove Programs utility in Control Panel, or by
using an unattended.txt file during an unattended installation.
you want to publish. Each Web or FTP site must have one home directory.
Lesson 2:
Administering a Web Environment
When IIS is installed, a default Web site is created, allowing you to quickly and easily implement a
Web environment. However, you can modify that Web environment to meet your specific needs.
Administering Web and FTP Sites
Originally, each domain name, such as www.microsoft.com, represented an individual computer.
With IIS 5.0 multiple Web sites or FTP sites can be hosted simultaneously on a single computer
running Windows 2000 Server. Because each site mimics the appearance of an individual
computer, sites are sometimes referred to as virtual servers.
Web Sites and FTP Sites
Whether your system is on an intranet or the Internet, you can create multiple Web sites and
FTP sites on a single computer running Windows 2000 in one of three ways:
using host header names.
Though hosted on the same computer, CompanyServer, Marketing and HumanResources each
appears to be a unique Web site. These departmental sites have the same security options as
they would if they existed on separate computers because each site has its own access and
administration permission settings.
NOTE: When creating a very large number of sites, be sure to consider computer hardware
and network limitations and upgrade these resources as necessary.
Properties and Inheritance of Properties on Sites
Properties are values that can be set on your Web site. For example, you can use the Internet
Information Services snap-in to change the TCP port assigned to the default Web site from the
default value of 80 to another port number.
During the installation of IIS, default values were assigned to the various properties. You can
use the default settings in IIS, or you can customize these settings to suit your Web publishing
needs.
Properties can be set at the site level, the directory level, or the file level.
Some properties have a value that takes the form of a list. For instance, the value of the default
document can be a list of documents to be loaded when users do not specify a file in a URL.
Custom error messages, TCP/IP access control, script mappings, and MIME mappings are
other examples of properties stored in a list format.
Master properties, server extensions, bandwidth throttling, and MIME mapping for a site’s
services are viewed from the properties of a computer node appearing in the Internet Information
Services snap-in or in the Internet Services Manager (HTML) interface.
Operators Group
Operators are a special group of users who have limited administrative privileges on individual
Web sites. Members of the Operators group can administer properties that affect only their
respective sites. They do not have access to properties that affect IIS, the Windows server
computer hosting IIS, or the network.
For example, an ISP that hosts sites for a number of different companies can assign delegates
from each company as the operators for each company’s Web site. This method of distributed
server administration has the following advantages:
reconfigure the Web site as necessary. For example, the operator can set Web site access
permissions, enable logging, change the default document or footer, set content expiration,
and enable content ratings features.
the anonymous user name or password, throttle bandwidth, create virtual directories or
change their paths, or change application isolation.
administrators, they are unable to remotely browse the file system and therefore cannot set
properties on directories and files, unless a UNC path is used.
Administering Sites Remotely
Because it may not always be convenient to perform administrative tasks on the computer running
IIS, two remote administration options are available. If you are on an intranet, you can use either
the Internet Services Manager (HTML) or the Internet Information Services snap-in.
NOTE: In previous releases the Internet Information Services snap-in was called the Internet
Services Manager. The Internet Information Services snap-in appears on the Administrative
Tools menu as Internet Services Manager.
Internet Services Manager (HTML) uses a Web site listed as Administration Web site to access
IIS properties. When IIS is installed, a port number between 2,000 and 9,999 is randomly
selected and assigned to this Web site.
NOTE: Although the HTML version of Internet Services Manager (HTML) has much of the
same functionality of the Internet Information Services snap-in, the HTML version is designed
along the lines of a Web page. Accessing context menus on interface objects is not supported.
Many of the familiar toolbar buttons or tab headings are displayed as links in the left frame.
Because of these differences, instructions in the documentation may not always precisely
describe the steps performed in Internet Services Manager (HTML).
FTP Restart
FTP Restart addresses the problem of losing a network connection while downloading files. Clients
that support FTP Restart need only re-establish their FTP connection, and the file transfer
automatically picks up where it left off.
Managing Sites
By default, sites start automatically when your computer restarts. Stopping a site stops Internet
services and unloads Internet services from your computer’s memory.
Adding Sites
You can add new sites to a computer by launching the Web Site Creation wizard, the FTP Site
Creation wizard, or the SMTP Virtual Server wizard in the Internet Information Services snap-in.
Naming Web Sites
Each Web site (virtual server) has a descriptive name and can support one or more host header
names. Host header names make it possible to host multiple domain names on one computer.
Not all browsers support the use of host header names. Internet Explorer 3.0, Netscape
Navigator 2.0, and later versions of both browsers support the use of host header names;
earlier versions of the browsers do not.
If a visitor attempts to connect to your site with an older browser that does not support host
headers, the visitor is directed to the default Web site assigned to that IP address (if a default
site is enabled), which may not necessarily be the site requested.
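A simplified model of the host header selection described above, as an added Python example (not IIS code and not part of the original notes). The site names come from the departmental example earlier in this lesson; the IP addresses, domain names and function names are constructed for the illustration.

```python
# Constructed bindings: (IP address, TCP port, host header name) -> site.
# An empty host header name marks the default site for that address and port.
BINDINGS = {
    ("192.0.2.10", 80, ""): "CompanyServer",
    ("192.0.2.10", 80, "marketing.example.com"): "Marketing",
    ("192.0.2.10", 80, "hr.example.com"): "HumanResources",
}


def host_header(raw_request):
    """Return the Host header value (lower-cased, port removed), or "" if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            return host.rsplit(":", 1)[0] if ":" in host else host
    return ""


def select_site(local_ip, local_port, raw_request, bindings=BINDINGS):
    """Pick the site for a request; returns (site, how_it_was_matched)."""
    host = host_header(raw_request)
    if host and (local_ip, local_port, host) in bindings:
        return bindings[(local_ip, local_port, host)], "host header"
    # No Host header (older browser) or an unknown name: fall back to the
    # default site for this address and port, if one is enabled.
    default = bindings.get((local_ip, local_port, ""))
    if default is not None:
        return default, "default site"
    return None, "no site"


# Constructed sample requests.
MODERN = b"GET / HTTP/1.1\r\nHost: Marketing.example.com:80\r\n\r\n"
OLD_BROWSER = b"GET / HTTP/1.0\r\nUser-Agent: constructed-old-browser\r\n\r\n"
UNKNOWN_NAME = b"GET / HTTP/1.1\r\nHost: payroll.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, request in [("modern", MODERN), ("old", OLD_BROWSER),
                           ("unknown", UNKNOWN_NAME)]:
        print(label, select_site("192.0.2.10", 80, request))
```

Whatever is bound as the default site receives every request with a missing or unrecognized host header, so its content and permissions deserve the same review as the named sites.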
Stop, Start, Restart, or Reboot in IIS
In IIS 5.0 you can stop, start, or restart (restart option) all of your Internet services or reboot the
server from within the Internet Information Services snap-in. The stop, start, and restart functions
make it less likely that you will need to reboot the server when applications misbehave or become
unavailable.
IMPORTANT: Restarting will stop all Drwtsn32.exe, Mtx.exe, and Dllhost.exe processes in order to
restart Internet services. You cannot stop or start IIS or reboot the server by using browser-based
Internet Services Manager (HTML). However, both the snap-in and the HTML interface can be
used to individually start, stop, pause, and resume individual sites.
Backing Up and Restoring IIS
You can back up your IIS configuration so that it is easy to return to a previous state.
NOTE: You can back up IIS using the Internet Services Manager (HTML) interface, but you
must use the Internet Information Services snap-in to restore your configuration. The Backup
Configuration link appears in the left pane of the Internet Services Manager (HTML) interface.
To restore your IIS configuration in the Internet Information Services snap-in, select the Computer
node in the console tree, click Action, and then click Backup/Restore Configuration. Select a backup and
click the Restore button. When asked whether to restore your configuration settings, click Yes.
Managing WebDAV Publishing
WebDAV extends the HTTP/1.1 protocol to allow clients to publish, lock and manage resources
on the Web.
feature, users with the appropriate permissions can copy and move files around in a WebDAV
directory.
at a time can modify a file.
limited to the depth of the search.
WebDAV Clients
You can access a WebDAV publishing directory through one of the Microsoft products described in
the following list, or through any other client that supports the industry standard WebDAV protocol.
the contents of a WebDAV directory as if it were part of the same file system on your local computer.
you can through Windows 2000.
any application in Office 2000.
Searching in WebDAV
Once connected to a WebDAV directory, you can quickly search the files in that directory for content as
well as properties.
Integrated Security
Because WebDAV is integrated with Windows 2000 and IIS 5.0, it borrows the security features
offered by both.
Creating a Publishing Directory
To set up a publishing directory, create a physical directory below Inetpub.
You can actually put this directory anywhere, except under the Wwwroot directory.
You are granting users the right to publish documents on this virtual directory and to see a list of the
files in it.
NOTE: Granting Write access does not enable clients to modify Active Server Pages (ASP) or any
other script-mapped files. To allow these files to be modified, you must grant Write permission and
script source access after creating the virtual directory.
Managing WebDAV Security
To protect your server and its content, you must coordinate three different aspects of security into
an integrated whole: authenticating clients, controlling access and denying service.
Authenticating Clients. IIS 5.0 offers the following levels of authentication.
· Anonymous. Grants everyone access to the directory.
· Basic. Sends passwords over the connection in clear text.
· Integrated Windows. Works best when you are setting up a WebDAV directory
on an intranet.
· Digest. Best choice for publishing information on a server over the Internet and
through firewalls.
Controlling Access. You can control access to your WebDAV directory by coordinating IIS 5.0
and Windows 2000 permissions.
resources, modify them, publish their own resources and manipulate files.
information on the directory, but do not want others to see what has been published, set Write
permission, but do not set Read or Directory browsing permission.
to rely on obscuring file names as a security method.
With the following permissions, clients can write to an executable file that does not appear in the
Application Mapping:
With the following permissions, clients can also write to an executable file:
Script source access granted
Execute Permissions set to Scripts and Executables
Denying Service. Dragging and dropping extremely large files into a WebDAV directory could take
up a large amount of disk space. To limit this amount, consider setting quotas on disk usage.
Publishing and Managing Files
Users can connect to a WebDAV publishing directory, publish documents by dragging them from
their computers to the publishing directory, and manipulate files in the directory.
NOTE: Even if users connect from behind a firewall, they can still publish on a WebDAV directory
if they have the correct permissions and if the firewall is configured to allow publishing.
Lesson Summary:
2000 Server. You can back up your IIS configuration so that it is easy to return to a previous state,
and you can administer IIS remotely. You can place a WebDAV directory anywhere you want,
except under the Wwwroot directory. From Windows 2000 you can connect to a WebDAV
publishing directory on another server.
Lesson 3:
Configuring and Running Telnet Services
TELNET must be turned on! I believe the default when installed is set to manual.
In Windows 2000, Telnet provides user support for the Telnet protocol, a part of the TCP/IP suite.
Telnet is a remote access protocol that you can use to log on to a remote computer, network device,
or private TCP/IP network.
The Telnet service allows users of a Telnet client to log on to the computer running the Telnet service
and run character-mode applications on that computer. Your port number is connected, it will show
the connectivity.
Telnet Service
Windows 2000 Telnet Service allows users of a Telnet client to connect to the computer running the
Telnet service and use command-line commands on the computer as if they were sitting in front of it.
The Telnet service also acts as a gateway for Telnet clients to communicate with each other. A
computer running the Telnet service can support a maximum of 63 Telnet client computers at any given time.
Telnet Server Connection Licensing
Two Telnet service connection licenses are provided with each installation of Windows 2000 Server.
This limits Telnet service to two connecting Telnet clients at a time.
Telnet Authentication
You can use your local Windows 2000 user name and password or domain account information to
access the Telnet server. The security scheme is integrated into Windows 2000 security. Telnet is
not graphical; it is similar to the DOS command line.
If you are using NTLM authentication, the client uses the Windows 2000 security context for
authentication and the user is not prompted for user name and password. The user name and
password are encrypted.
NOTE: If the User must change password at next Logon option is set for a user, the user cannot log
on to the Telnet service when NTLM authentication is used. The user must log on to the server
directly and change the password, and then log on through the Telnet client.
Starting and Stopping Telnet Server
In a Windows 2000 Server default installation, the Telnet service is set to manual startup. You can
also start or stop the Telnet service from a command prompt.
To start Telnet Server, type either of the following at the command prompt:
net start tlntsvr
net start telnet
To stop Telnet Server, type either of the following at the command prompt:
net stop tlntsvr
net stop telnet
Telnet Server Admin Utility
You can use the Telnet Server Admin utility to start, stop or get information about Telnet Server.
Caution: Incorrectly editing the registry may severely damage your system. Before making
changes to the registry, it is strongly recommended that you back up any valuable data on the
computer.
To open the Telnet Server Admin utility, click the Telnet Administration Tool in the Administrative
Tools programs group or click Start, click Run, type tlntadmn, and click OK. It was installed when we ran
adminpak.msi.
=====================================================================
Option  Name                              Description
=====================================================================
0       Quit this application             Ends Telnet Server Admin.
1       List the current users            Includes the user name, domain, remote
                                          computer address, session ID, and log
                                          time.
2       Terminate a user session          Terminates a selected user’s session.
3       Display/change registry settings  List of registry settings.
4       Start the service                 Starts Telnet Server.
5       Stop the service                  Stops the Telnet Server.
=====================================================================
The following table lists the Telnet Server registry settings that you can change:
** See the table on pages 878 and 879 **
When you change the default domain account, the setting takes effect only after the Telnet service is
restarted. You must be logged on as a member of the Administrators group to use the Telnet Server
Administration utility.
Telnet Client
You can use Microsoft Telnet Client to connect to a remote computer running the Telnet service or
other Telnet server software.
The Telnet client uses the Telnet protocol, part of the TCP/IP suite of protocols, to connect to a
remote computer over a network.
Using Telnet
Click Start, click Run, and type telnet.
Lesson Summary:
remote computer.
service registry settings.
to log on to a remote computer, network device, or private network.
Lesson 4:
Installing and Configuring Terminal Services
Terminal Services provides access to Windows 2000 and the latest Windows based applications
for client computers.
Overview of Terminal Services
Terminal Services running on a Windows 2000 Server enables all client application execution, data
processing, and data storage to occur on the server.
Gives the help desk the authority, and a copy of the user's desktop.
Users can gain access to Terminal Services over any TCP/IP connection including Remote Access,
Ethernet, the Internet, wireless, wide area network (WAN), or virtual private network (VPN).
Terminal Services is a built-in feature of Windows 2000. You can enable Terminal Services in one
of two modes: Remote Administration and Application Server.
Remote Administration
Remote administration gives system administrators a powerful method for remotely administering each
Windows 2000 Server computer over any TCP/IP connection.
No NetBEUI!!! Only TCP/IP.
Application Server
In Application Server mode, you can deploy and manage applications from a central location, saving
administrators development and deployment time as well as the time and effort required for
maintenance and upgrade.
Terminal Services Licensing Components
Terminal Services has its own method for licensing clients that log on to Terminal servers. This
method is separate from the licensing method for Windows 2000 Server clients.
*** Page 887 Microsoft Clearinghouse – Client License key packs ***
Administering the License Server
Deploying Terminal Services licensing includes setting up the license server, enabling the server,
activating the server, and installing the licenses.
When deciding where on your physical network to deploy your license server, consider how a
Terminal server discovers and communicates with a license server.
NOTE: In Windows 2000 domains, the domain license server must be installed on a domain
controller. In workgroups or Windows NT 4.0 domains, the domain license server can be
installed on any server. If you are planning to eventually migrate from a Workgroup or Windows
NT 4.0 domain to a Windows 2000 domain, you might want to install the license server on a
computer that can be promoted to a Windows 2000 domain controller.
To activate the license server quickly and to access the Microsoft Clearinghouse through the Internet,
install the server on a computer that has Internet access.
Activating a License Server
A license server must be activated in order to identify the server and allow it to issue client licenses
to your Terminal servers. You can activate a license server by using the Licensing Wizard.
There are four methods to activate your license server:
You are required to activate a license server only once. While waiting to complete the activation
process, your license server can issue temporary licenses for clients that allow them to use Terminal
servers for up to 90 days.
Installing Licenses
Terminal Services licenses must be installed on your license server in order for the Internet Connector
setting to be enabled or for non-Windows 2000 clients to permanently access a Windows 2000
Terminal server.
Deploying to Client Computers
Client computers or terminals connect to a Terminal server by using a small client program installed on
disk or in firmware.
The Terminal Services client takes up only 500 KB of disk space and typically uses approximately
4 MB of RAM when running.
Client Configurations
You can optimize Terminal Services by following these recommendations:
applications that make use of a NetBIOS function that calls for the computer name.
Upgrading to Terminal Services
The approach you take to upgrade to Terminal Services depends upon your existing Terminal
Services setup.
WinFrame with or without
There is no direct upgrade path from WinFrame to Terminal Services. In this case you first have to
upgrade to Microsoft Terminal Server 4.0 and then upgrade to Windows 2000.
Terminal Server 4.0 without MetaFrame
With Terminal Server 4.0 installed, there is a direct upgrade path to Terminal Services.
Terminal Server 4.0 with MetaFrame
With MetaFrame for Terminal Server 4.0 installed, you first install Windows 2000 with Terminal
Services, then you install the latest version of MetaFrame for Windows 2000.
Windows NT without Terminal Services
When you install Windows 2000, select Terminal Services in Remote Administration or Application
mode, to enable Terminal Services.
Installing and Configuring Applications
A Windows 2000 Server configured to run Terminal Services in Application Server mode
provides multiple concurrent user connections to any number of applications.
It is recommended that applications be added or removed by using the Add/Remove Programs
function under Control Panel.
To put the Terminal Server in Install mode, type change user /install. After the software
installation is complete, type change user /execute to return the Terminal Server to Execute mode.
Deploying Applications through Group Policy
The three main ways you can deploy applications when using Windows Installer:
Lesson Summary:
execution, data processing, and data storage to occur on the server.
location, saving administrators development and deployment time as well as the time
and effort required for maintenance and upgrade.
a license server, a Terminal server, and client licenses.
are added to the Administrative Tools, folder, including Terminal Services Client
Creator, Terminal Services Manager, Terminal Service Configuration, and Terminal
services Licensing.