Windows Server 2008 : Installing the Web Server Role (part 1)

Understanding Web Server Security

IIS 7.0 includes an array of features and options to support different types of Web services and applications. Using the Server Manager utility simplifies the process of installing IIS and its related features and options. As a systems administrator, you will be responsible for deploying IIS based on different needs and requirements. Therefore, it is important to understand the design of IIS before learning methods for installing the Web Server and Application Server roles. This section will provide details about deployment options for the IIS platform.

Web Standards and Protocols

To understand the purpose and function of the IIS platform, you must first understand the protocols and standards used by Web Applications. Hypertext Transfer Protocol (HTTP) is the primary protocol that communicates with Web services. HTTP is designed to provide a request–response model for communicating among computers across a network. HTTP traffic is accessed by using Transmission Control Protocol/Internet Protocol (TCP/IP)–based network connections. Due to the importance of Web-based traffic, most organizations allow their users to access the Internet by using TCP port 80, the default HTTP port. The HTTP protocol is stateless; that is, it provides no built-in mechanism to keep track of conversations between clients and servers. Each request must include details that identify the requester and any other data that might be required to complete a transaction.

Web standards and protocols also include methods for securing data as it is passed among computers. By default, HTTP traffic is transmitted using a plaintext stream that can be decoded easily. Although this is acceptable when users are accessing public content, many Web sites and applications need to transmit information securely between clients and servers. The most common example is that of a payment-processing site that accepts credit card information over the Internet. The HTTP Secure (HTTPS) protocol is designed to provide support for encryption of HTTP-based traffic. By default, HTTPS connections use TCP port 443 for communications, although any other port can be used as well. The most commonly used encryption mechanisms are Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Other encryption mechanisms can also be used, especially in intranet environments.

Web standards and protocols provide a consistent method of exchanging information among computers. The Hypertext Markup Language (HTML) is the primary specification for Web pages. The tag-based format of HTML pages enables developers to use a variety of technologies to create their content in a way that is accessible by different Web browsers. The development tools can range from text editors such as Microsoft Windows Notepad to full-featured development environments such as the Microsoft Visual Studio platform.

The HTTP and HTML specifications were designed to provide basic communication and presentation services. Modern Web applications include features that enable complex application functionality to be presented using these standards. Web developers can use development platforms such as ASP.NET (a component of the Microsoft .NET Framework) to build active Web sites. These sites can keep track of user sessions and can provide access to databases and other information that is stored within the environment.

Web Server Usage Scenarios

The primary advantage of using Web-based content and applications is accessibility from a broad range of client computers. Unlike standard applications, there is generally no need to install or configure any software on users’ computers. Because modern operating systems include or support standards-based Web browsers such as Windows Internet Explorer, most users already have the basic client tools they need to access content. IT staff and software developers can use various technologies to present content and deploy applications to both internal and external users.

The IIS platform has been designed to support a variety of scenarios. Some examples include:

• Public Web sites Many businesses have relatively simple needs for communicating information on the Internet. For example, a small business might want to provide contact information and details about its services on a simple Web site.

• Online shopping The Internet has become a commercial marketplace that enables vendors to display and sell a wide variety of products. Online sites include shopping-cart functionality, order processing, and customer support features.

• Intranet scenarios The Web provides a simple method for all users within an organization to access and present content. Company tasks such as creating expense reports or verifying benefits can often be performed online without the need to contact internal staff.

• Enterprise applications A common challenge with enterprise line-of-business applications is the need to deploy and manage client-side installations. To alleviate some of these problems, many organizations have created internal applications that are designed to be accessed through a Web browser. The applications can range from basic single-function sites to distributed enterprise-wide systems.

• Internet applications Users can access their e-mail and create documents, for example, without installing applications on their computers. Distributed organizations and teams can also take advantage of secure access to corporate applications by using the Internet while traveling or working from remote locations.

• Extranet scenarios Businesses commonly partner with other organizations to obtain services. An extranet scenario is one in which users from outside the organization are able to access information. Security is an important concern, but Web-based applications are a good choice because they provide a standard method by which users can access the information they need.

• Web hosting Many companies have focused on offering the service of hosting Web sites for their customers. These hosting companies tend to run large numbers of Web sites on a single physical server, so ensuring security, performance, and reliability are key concerns.

Most organizations will deploy IIS in several roles within the organization. It is important to note that requirements related to features and options will vary based on the specific needs of each deployment.

You’ll learn more about the specific features and services that the IIS platform supports later in this lesson.

New Features in IIS

The IIS platform is one of the most popular Web servers in use for both public and private Web sites. IIS 7.0 in Windows Server 2008 includes numerous new features that provide increased performance and functionality in a broad range of areas. The major areas of improvement include:

• Administration One of the primary challenges of working with previous versions of IIS was dealing with a large number of property pages and dialog boxes. IIS 7.0 includes new administration tools that are designed to manage the many available options and settings more effectively. The user interface has been designed to be both powerful and accessible for both Web developers and systems administrators.

• Security By default, the Web Server (IIS) server role is enabled with only a basic set of functionalities. Even the binary files for unused features are not available for access in the standard operating system locations. Systems administrators must enable additional services and features explicitly. This helps reduce the attack surface of IIS while also simplifying manageability. In addition, functionality for automatically detecting common hacking attempts is included with the product itself. (This feature was commonly enabled in the past by installing the URLScan utility.)

• Diagnostics and troubleshooting Because organizations depend on Web services as a mission-critical component of their infrastructure, it’s important to detect and resolve any Web-based errors quickly. IIS 7.0 includes new features that make it easier to pinpoint problems and obtain the details necessary to address them.

• Centralized configuration management Many organizations support dozens or even hundreds of IIS installations. To meet scalability and performance requirements, it is often necessary to deploy numerous Web servers that essentially have the same configuration settings. In previous versions of IIS, it was difficult to manage these configurations without connecting to each server. IIS 7.0 provides a simplified method by which administrators can share configuration information across server farms. Further, a consistent set of user accounts, including globally unique identifiers (GUIDs) and permissions, are used for IIS security accounts. This means administrators can depend on specific account names and settings when scripting and automating common processes. IIS 7.0 also includes greatly improved command-line support.

• Support for delegation It is often necessary to divide Web server administration tasks for security or management reasons. IIS 7.0 provides the ability to implement granular security configuration permissions to support Web-hosting environments and enterprise-level configurations.

• Backward compatibility The vast majority of Web sites and applications that were created for previous versions of IIS will remain compatible with IIS 7.0. In addition, IIS 6.0 management tools are provided for those applications that depend on them.

Overall, IIS 7.0 has been designed to address the most common issues encountered with previous versions of IIS.