Configuring IIS Administration Features
When you add the Web Server (IIS) role to a computer running Windows Server 2008, the default configuration enables only local administration of the server. This enhances security because users of other computers are unable to use IIS Manager to make changes to the server’s configuration. Although this is appropriate for small, simple installations, systems administrators often benefit from the ability to use IIS Manager to configure the server remotely.
In many environments, multiple systems administrators manage Web sites and Web applications. In large deployments, it is common to have several administrators responsible for the same Web server. For example, a single IIS server might host several important Web applications, each of which is administered by a different individual or group. In hosting situations—where an organization provides IIS server access to subscribers—you must enable subscribers to control certain Web content and features. In this case, subscribers act as remote administrators for certain portions of the servers. Remote administration is helpful both when several administrators share a server and when servers must be managed from multiple locations.
To allow remote administrators to manage IIS, you must first enable remote management on the server. You can then define and configure IIS Manager users. Feature delegation enables you to specify which actions remote administrators can perform.
Enabling Remote Management
To enable remote management functionality, you first add the IIS Management Service
role service to the local server. You can do this by using Server
Manager. Right-click the Web Server (IIS) role in the Roles folder, and
then select Add Role Services. Add IIS Management Service, which is
located in the Management Tools section of the available role services.
The IIS remote management service works by using a standard HTTP or HTTPS connection. Communications are configured to transmit over port 8172 by default. Assuming that traffic is allowed on this port through any firewalls or network security devices, this enables remote administrators to manage their IIS servers over a local network connection or over the Internet.
After you have added the IIS Management Service role service to the Web Server (IIS) role, you can use IIS Manager to enable remote management. To do this, open IIS Manager, and select the Web server object in the left pane. Then, select Management Service from the Management section in the Features view. (See Figure 2.)
Initially, the Enable Remote Connections option will be deselected. To enable IIS Manager users to connect to IIS over the network, select the Enable Remote Connections option. The Identity Credentials section enables you to specify whether you will allow authentication by using Windows credentials only (the default setting), or whether you will also allow IIS Manager credentials.
The Connections portion of the settings enables you to specify on which IP address(es) and port(s) the management service will respond. The default setting is for the service to respond on all available IP addresses on port 8172. If your Web server is configured with multiple network connections or IP addresses, you can increase security by restricting remote access connections to a specific address. The SSL Certificate section enables you to select one of the SSL certificates that have been configured on the local server. You can also configure the path into which remote management requests will be logged. The default is %SystemDrive%\Inetpub\Logs\WMSvc.
Finally, the IPv4 Address Restrictions section enables you to increase security by restricting which computers can connect to IIS remotely. As shown in Figure 3, you can configure rules based on a specific IPv4 address or based on an address range (which is defined by a combination of an IP address and subnet mask). The Access For Unspecified Clients drop-down list defines whether IP addresses without entries will be allowed or denied. You can then create Allow or Deny entries to define which IP addresses can connect. These options are most useful when you have control over the groups of computers that will be used for administering Web services.
Because the management service is stopped by default, you will need to click the Start
command in the Actions pane to start allowing remote connections. You
must stop the management service to make changes to the configuration.
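The steps above, from adding the role service through starting the service and checking the listener, as one added PowerShell script. This is an illustration written for this page, not code from the original text or from Microsoft. It assumes an elevated PowerShell 2.0 or later session on Windows Server 2008 R2 (where the ServerManager module and Add-WindowsFeature are available), that the registry values under HKLM:\SOFTWARE\Microsoft\WebManagement\Server are the ones the Web Management Service (WMSvc) reads on your build, and that the management IP address and administrator subnet are placeholders. The firewall rule complements the IPv4 Address Restrictions configured in IIS Manager; it does not replace them.

```powershell
# Added example (not from the original text): enable and harden the IIS
# Management Service (WMSvc). Assumptions: Windows Server 2008 R2 /
# PowerShell 2.0+, elevated session, registry value names as documented
# for WMSvc (verify on your build), placeholder addresses below.

$AdminSubnet  = "10.0.50.0/24"    # placeholder: workstations allowed to administer IIS
$ManagementIp = "192.168.1.10"    # placeholder: the single server IP WMSvc should bind to
$Port         = 8172              # default WMSvc port from the text
$LogDir       = "$env:SystemDrive\Inetpub\Logs\WMSvc"   # default log path from the text

# 1. Add the IIS Management Service role service (Server Manager equivalent).
Import-Module ServerManager
Add-WindowsFeature Web-Mgmt-Service | Out-Null

# 2. WMSvc reads its settings only when it starts, so stop it before editing
#    (the text notes the service must be stopped to change the configuration).
Stop-Service WMSvc -ErrorAction SilentlyContinue

$key = "HKLM:\SOFTWARE\Microsoft\WebManagement\Server"
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

Set-ItemProperty -Path $key -Name EnableRemoteManagement    -Value 1             -Type DWord
# 1 = Windows credentials only (the default described in the text).
Set-ItemProperty -Path $key -Name RequiresWindowsCredentials -Value 1             -Type DWord
# Bind to one address instead of "*" (all addresses), as the text recommends
# for servers with several network connections.
Set-ItemProperty -Path $key -Name IPAddress                 -Value $ManagementIp -Type String
Set-ItemProperty -Path $key -Name Port                      -Value $Port         -Type DWord
Set-ItemProperty -Path $key -Name EnableLogging             -Value 1             -Type DWord
Set-ItemProperty -Path $key -Name LoggingDirectory          -Value $LogDir       -Type String
# The SSL certificate selection is left as chosen in IIS Manager.

# 3. Open the port only from the administrator subnet. This is the firewall
#    side of the restriction; the WMSvc IPv4 Address Restrictions are set in
#    IIS Manager as described in the text.
netsh advfirewall firewall add rule name="IIS Remote Management (TCP $Port)" `
    dir=in action=allow protocol=TCP localport=$Port remoteip=$AdminSubnet | Out-Null

# 4. Start the service and have it start automatically after a reboot.
Set-Service WMSvc -StartupType Automatic
Start-Service WMSvc

# 5. Verify: the service is running and the listener is bound to the chosen
#    address only (a "0.0.0.0:8172" line would mean it is still bound to all).
Get-Service WMSvc
netstat -ano | Select-String ":$Port\s"
```

Binding to a single address and limiting the firewall rule to the administrator subnet are the two settings that most reduce exposure of the management endpoint; the netstat check confirms the bind actually took effect after the restart.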
Understanding IIS Manager Users
To connect to a Windows Server 2008 Web server using IIS Manager, users must have the necessary permissions. Users who are logged on to a computer running Windows Server 2008 with administrator credentials will automatically have the necessary permissions to complete all the available tasks on the server. For other types of users, such as remote systems administrators, you must decide how you want to manage permissions.
By default, the Web Server (IIS) role enables permissions to be assigned using Windows Authentication only. This means that all administrators who attempt to manage IIS must have Windows-based credentials and permissions. Windows Authentication is most appropriate for environments in which all the Web server administrators belong to the same domain. Users who are logged on to the domain will not have to supply credentials manually when they connect to a server using IIS Manager, assuming that they have the necessary permissions. Windows Authentication is also useful when you plan to create either local or domain accounts for all the administrators who will need access to IIS Manager.
In some cases, it might be impractical to create local or domain accounts for each of the potential IIS administrators. For example, Web service hosting companies can have hundreds of users who require the ability to manage their servers. In these environments, each user generally can modify specific settings for her or his own Web site. These users should not have access to other users’ Web sites and often will be restricted to changing only certain settings. To support these scenarios, you need to enable the Windows Credentials Or IIS Manager Credentials option. When this option is enabled using the Management Service described in the previous section, you will be able to create username and password combinations solely for the purpose of managing IIS. These credentials can then be given to other users and administrators, so they can connect to the Web server without requiring individual Windows accounts for each of the users.
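The hosting scenario above, carried one step further as an added PowerShell example (not code from the original text or from Microsoft): it switches the management service to accept IIS Manager credentials as well as Windows credentials, creates one IIS Manager user that exists only in IIS, and grants that user permission for a single site so it cannot touch other subscribers' sites. It assumes an elevated PowerShell 2.0 or later session on Windows Server 2008 R2, that the RequiresWindowsCredentials registry value is the one WMSvc reads for the Identity Credentials setting on your build, that Microsoft.Web.Management.dll is at its default location under %windir%\System32\inetsrv, and that the user name and site name are placeholders.

```powershell
# Added example (not from the original text): allow IIS Manager credentials
# and create a site-scoped IIS Manager user. Assumptions: elevated
# PowerShell 2.0+ on Windows Server 2008 R2, registry value and DLL path
# as documented for WMSvc (verify on your build), placeholder names below.

$key = "HKLM:\SOFTWARE\Microsoft\WebManagement\Server"

# Identity Credentials: 0 = Windows credentials OR IIS Manager credentials,
# 1 = Windows credentials only. The service must be stopped to change it.
Stop-Service WMSvc
Set-ItemProperty -Path $key -Name RequiresWindowsCredentials -Value 0 -Type DWord
Start-Service WMSvc

# The management API that IIS Manager itself uses ships with the role service.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Management.dll"

$userName = "tenant42-admin"        # placeholder IIS Manager user (not a Windows account)
$siteName = "Tenant42 Web Site"     # placeholder: the only site this user may administer

# Prompt for the password so it does not sit in the script or in history.
$secure = Read-Host "Password for IIS Manager user $userName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Create the credential pair. IIS stores it in administration.config,
# not in the Windows account database.
[Microsoft.Web.Management.Server.ManagementAuthentication]::CreateUser($userName, $plain) | Out-Null
$plain = $null

# Grant IIS Manager permission for this one site; $false = the name is a
# user, not a Windows group/role. The user gets nothing at the server level
# and nothing on other sites.
[Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($userName, $siteName, $false) | Out-Null

# Check: the user and the site-scoped authorization rule are now recorded
# in administration.config.
$adminConfig = "$env:windir\System32\inetsrv\config\administration.config"
Select-String -Path $adminConfig -Pattern $userName
```

The credential grant is per site, which is what keeps one subscriber's IIS Manager user from administering another subscriber's site; feature delegation, mentioned at the start of the chapter, then narrows which settings of that site the user may change.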