Chapter 4

Installing and Configuring IIS


Microsoft Windows NT and the Internet Information Server (IIS) need no introduction. Windows NT is becoming one of the major operating systems for application servers, and Microsoft has now integrated the Internet Information Server with NT 4.0. With NT 4.0, IIS is a good choice for any corporate Intranet system. The IIS advantage comes from its features as well as its close integration with the NT monitoring, administration, and security systems.

In this chapter, you will learn about the following:

IIS Overview

At the architectural level, Microsoft IIS (for trivia buffs, this product was code-named "Gibraltar") extends Windows NT Server to the world of Intranets. It works closely with NT services, security, and monitoring. It adds the World Wide Web Service, Gopher and FTP Services, Internet Service Manager, Internet Database Connector, and Secure Sockets Layer (SSL) to a Windows NT server. IIS 2.0 is a part of Windows NT 4.0. You can install IIS when you install Windows NT 4.0, or later, after Windows NT 4.0 has been installed. We will cover the installation later in this chapter.

NOTE
You can download IIS and the browsers free of charge from Microsoft's WWW site. As an administrator of Intranets, it's a good practice to download the latest versions on a periodic basis. In addition to bug fixes, the upgrades posted on the Web site include security patches, which are very important.

IIS provides full Intranet capability, ranging from publishing information to complete access to data stored in various client/server databases. It supports the popular Common Gateway Interface (CGI). But CGI creates a separate process for every request, which can mean more server resources, including RAM. Microsoft's antidote to this is an Application Program Interface (API) called the Internet Server Application Programming Interface (ISAPI). You write ISAPI applications as dynamic-link libraries (DLLs), which are loaded into the same address space as the HTTP server. One DLL can handle all the user forms, data, and so on. Another feature of ISAPI is the ability to write HTTP filters that handle chosen events.

One of the most important, and possibly most useful, features for Intranets is back-end database access and programming. IIS includes the Internet Database Connector (IDC), which connects to back-end ODBC databases. The IDC capabilities include insert, update, delete, and other SQL commands. We will introduce these areas in this book. An Intranet interface to legacy and client/server databases is an essential part of developing corporate information systems, so keep the Intranet and database interface topic in the top five subjects to learn about!

IIS is managed by using a graphical interface program called the Internet Service Manager. The Internet Service Manager uses the Windows NT DCE-compatible Remote Procedure Call (RPC) to securely administer the server and all the Web applications running on it. You can manage systems locally, over the LAN, and even over the Internet from a Windows NT Workstation.

Capacity Planning and Estimates

When you start budgeting for an IIS Intranet, questions like "How many servers do you need?" or, "How many users can you support?" or, "What is the estimated throughput?" or most importantly, "How long will our users have to wait to get to the information?" will be asked. These estimates are needed even after the successful implementation of an Intranet project.

It is almost impossible to estimate the capacity of an Intranet server. I have included this section to aid the Intranet practitioners in getting some idea about the throughputs, connections, interactive Web page performance, and so on. Hopefully, this section will give you a few performance measures and representative IIS ratings for those measures.

NOTE
More detailed and latest performance benchmarks for IIS are available at http://www.microsoft.com/infoserv/docs/Iisperf.htm.

NOTE
The IIS ratings on the following performance measures are based on tests performed with the IIS 1.0 running on a 133 MHz HP server/32 MB RAM/ 2 X 1 GB Hard Disks/DEC 10/100 Megabit Ethernet card. That looks like a good normal configuration for an IIS server. To run SQL server from the same computer, increase the memory to 64 MB.

Throughput

Throughput measures the maximum rate at which the Web server transfers data to its clients. Throughput is reported as megabits per second (Mbps). The IIS 1.0 rates at approximately 13 Mbps at 64 clients.

NOTE
When you compare the throughput numbers, remember that on corporate LANs with normal Ethernet the maximum throughput is 10 Mbps, while the newer Fast Ethernet clocks at a maximum of 100 Mbps; an ISDN line has a maximum capacity of 64 Kbps for 1 channel or 128 Kbps for 2 channels combined.

Connections per Second

Connections per second represents the sum of successful interactions across all the clients. An interaction is successful when a connection is made from a client to a server, data transfer completes successfully through the connection, and the connection is closed. IIS 1.0 is capable of handling 250 such connections per second when handling only HTML data.

Average Response Time

Average response time measures the amount of time required to complete an operation once it is started. Average response time has two components: connection response time measures the time taken to establish a connection, and transfer response time measures the time to complete a data transfer once a connection has been established. A typical Web page is made up of several files, usually an HTML file and several GIF, JPEG, or other graphics files. For IIS 1.0, the average response time ranged from 0.2 seconds per file (16 clients) to 0.5 seconds per file (128 clients). On small networks, the average time can be reduced to less than 0.1 seconds.

Dynamic Web Pages

Dynamic Web pages involve server-side programming using CGI scripts or ISAPI DLLs. CGI is inherently the slower approach, because of the separate process created for every request. You should use the API native to the Web server, such as ISAPI, for faster Web page processing. Table 4.1 shows the connection rate and throughput numbers for ISAPI and CGI programs.

Table 4.1  API Performance Estimates

                                     100% ISAPI    100% CGI
Connections Per Second                   90           20
Throughput (Megabits per second)          5            1
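As an added example (not from the chapter), the following Python script turns the ratings quoted in this section into a rough sizing estimate. The workload figures are constructed inputs, and the model assumes one connection per file and that static and dynamic requests each consume a share of their own rating.

```python
# Added example, not from the chapter: a rough sizing model built from the
# IIS 1.0 ratings quoted above (static HTML: about 250 connections/s and
# 13 Mbps; ISAPI: 90 connections/s and 5 Mbps; CGI: 20 connections/s and
# 1 Mbps). The workload figures passed in are constructed inputs.
import math
from dataclasses import dataclass

@dataclass
class Workload:
    users: int                  # concurrent users in the busiest hour
    pages_per_user_hour: float  # page views each user generates per hour
    files_per_page: float       # HTML file plus GIF/JPEG files per page
    avg_file_kbytes: float      # average size of one file, in kilobytes
    dynamic_fraction: float     # share of requests served by ISAPI or CGI

# Ratings quoted in the chapter (IIS 1.0 on a 133 MHz server, 32 MB RAM).
STATIC_CONN_PER_SEC = 250.0
STATIC_MBPS = 13.0
API_RATINGS = {"isapi": (90.0, 5.0), "cgi": (20.0, 1.0)}  # (conn/s, Mbps)
LINK_MBPS = {"ethernet": 10.0, "fast_ethernet": 100.0}

def requests_per_second(w):
    """Each file on a page is one connection (one HTTP/1.0 request)."""
    return w.users * w.pages_per_user_hour * w.files_per_page / 3600.0

def throughput_mbps(w):
    """Megabits per second the server must send to satisfy that rate."""
    return requests_per_second(w) * w.avg_file_kbytes * 8.0 / 1000.0

def load_factors(w, api):
    """Fraction of one server's connection and bandwidth ratings consumed.
    Static and dynamic requests are charged against their own ratings;
    a single server saturates when either factor reaches 1.0."""
    rps, mbps = requests_per_second(w), throughput_mbps(w)
    api_rps, api_mbps = API_RATINGS[api]
    static, dynamic = 1.0 - w.dynamic_fraction, w.dynamic_fraction
    conn = rps * static / STATIC_CONN_PER_SEC + rps * dynamic / api_rps
    bandwidth = mbps * static / STATIC_MBPS + mbps * dynamic / api_mbps
    return conn, bandwidth

def servers_needed(w, api):
    """Whole servers required by the more constraining of the two factors."""
    return max(1, math.ceil(max(load_factors(w, api))))

def link_utilisation(w, link):
    """Share of the LAN capacity the server's output alone would occupy;
    near or above 1.0 the network, not IIS, is the bottleneck."""
    return throughput_mbps(w) / LINK_MBPS[link]

def report(w, api, link):
    conn, bw = load_factors(w, api)
    return {
        "requests_per_second": round(requests_per_second(w), 2),
        "throughput_mbps": round(throughput_mbps(w), 2),
        "connection_load": round(conn, 2),
        "bandwidth_load": round(bw, 2),
        "servers_needed": servers_needed(w, api),
        "link_utilisation": round(link_utilisation(w, link), 2),
    }

if __name__ == "__main__":
    # Constructed department: 200 users, 30 pages/hour each, 5 files per
    # page of 10 KB, one request in five handled by an ISAPI DLL.
    dept = Workload(200, 30, 5, 10, 0.2)
    print(report(dept, "isapi", "ethernet"))
    # A much busier site, first as ISAPI and then the same work done as CGI.
    busy = Workload(2000, 60, 8, 20, 0.5)
    print(report(busy, "isapi", "fast_ethernet"))
    print(report(busy, "cgi", "fast_ethernet"))
```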

IIS Hardware/Software Requirements

As mentioned previously, IIS runs on top of Windows NT 4.0 Server, so the total IIS Intranet server requirements are the Windows NT 4.0 requirements plus the IIS requirements, discussed next.

CPU and Memory

You will need a Pentium 120 or 133 MHz machine with 32 MB RAM for Windows NT Server and IIS. Add a minimum of 32 MB more memory for SQL server. For more than 25 users, I recommend about 80 MB RAM. Windows NT performance falls sharply when it exhausts the memory; it is not a gradual decay. This performance cutoff point can be extended by adding more memory. Servers with 128 MB memory are the norm today, so plan ahead.

Hard Disk

The recommended disk space is 4 to 8 GB. Again, this number will depend on the amount of data to be published. If you are also going to add SQL Server data, that should be taken into account.

Microsoft recommends that all IIS disks be formatted with NTFS and that auditing be enabled. This is recommended for security reasons as well as redundancy reasons.

If the Intranet server has mission-critical information, one or more of the following fault tolerance mechanisms should be considered. This strategy will affect the disk capacity required.

Disk Mirroring

In this case, two drives are connected to the same controller and all data on the first drive is duplicated on the second drive. Even though mirroring essentially duplicates one disk on another disk, NT does not require identical hard disks for mirroring. This is RAID Level 1.

RAID

RAID (Redundant Arrays of Inexpensive Disks) is a scheme to increase the performance and reliability of disk storage using normal hard disks. The RAID levels range from 0 to 5. Windows NT Server supports RAID 0, 1, and 5. The different RAID levels have different performance and reliability characteristics. The RAID level for a system depends on its requirements (for example, mission-critical systems need maximum reliability), its type (for example, publishing systems with a lot of read-only data can use Level 5 RAID), and so on.

Disk Duplexing

Disk Duplexing is mirroring with two controllers, where the two drives are connected to two disk controllers. Duplexing improves performance (as parallel reads/writes result in faster I/O) and fault tolerance (as it protects against controller failures also).

Disk Striping with Parity

In this case, multiple partitions from different drives are combined to form logical drives. This is RAID level 5. The disk striping gives maximum performance, and the parity information gives the redundancy. This strategy is recommended over mirroring for applications that require redundancy and that are primarily read-oriented.

A CRT and Network Cards

Any normal VGA CRT is sufficient. Usually, when there are many servers, it is better to connect them to a master console through a console and mouse sharing device. This way, one CRT and mouse can be shared by many servers.

Now there are faster Ethernet cards (100 Mbps throughput, for example) that will give good performance in terms of raw throughput. To use one of these cards, your router or hub also should support the data rates and the cards. As you shall see later, there are also other components to be considered for a responsive Intranet site.

Internet Connection

An Internet connection is needed to publish on the Web. For small businesses, this will translate to getting the services of an Internet Service Provider (ISP). As a start, the URL http://thelist.iworld.com/ gives a list of ISPs around the world, searchable in a variety of ways.

For corporate Intranets operating behind a firewall, the organization is already on the Internet, so you need only configure the TCP/IP protocol as discussed in the TCP/IP section below.

Windows NT Server 4.0

Windows NT Server 4.0 software from Microsoft includes the IIS 2.0 also.

TCP/IP

TCP/IP should be installed and configured as one of the network protocols; it can be accessed from the Network applet in the Control Panel. The typical Intranet server will be on a shared 10 or 100 Mbps network.

Figure 4.1 shows the IP Address configuration screen for the TCP/IP setup. To configure TCP/IP, you need the server's Internet Protocol (IP) address, the subnet mask, and the IP address of the default gateway (router), all obtained from the network installation group. The default gateway is the computer through which your computer will route all Internet traffic.

Figure 4.1 : NT configuration screen for the TCP/IP setup. In this property sheet you can enter the IP addresses.

You also will need to configure name resolution, such as Domain Name Service (DNS) or the Microsoft Windows Internet Name Service (WINS).

On Intranets, an alternative to WINS servers is to use an LMHOSTS file, which maps IP addresses to computer names.

NOTE
A WINS server is a Windows NT Server computer running Microsoft TCP/IP and the Windows Internet Name Service (WINS). This server is assigned a static IP address. The Windows Internet Name Server maintains a central database that maps Intranet computer names to IP addresses; the TCP/IP driver obtains the IP address of a computer from this server. In organizations with multiple WINS servers, the database can be replicated among the different servers.

Pre-Installation Notes

The following are some points you should be aware of before installing the IIS on a Windows NT computer:

TIP
After uninstalling older versions, it is a good practice to shut down and restart the machine, because some files might be marked "remove during next reboot." If this is the case, a system reboot will delete all the old files.

NOTE
Remember to back up or move HTML and other user files to another directory before the uninstall, because the uninstall procedure will delete all of the IIS directories.

Installing IIS

While installing Windows NT 4.0, if the install program finds an earlier version of IIS, it will install IIS 2.0 automatically. Alternatively, on the desktop, an icon titled "Install Internet Information Server" will be created during the NT 4.0 installation. In this case, after Windows NT is installed and configured, log on to the NT domain with a user who has administrator privileges (the most common user is the "Administrator") and double-click the "Install Internet Information Server" icon to start the IIS installation process. Click OK to the Welcome screen.

Now the Options screen as shown in figure 4.2 appears. Usually, all the options are checked, and you can click OK to continue.

Figure 4.2 : IIS 1.0 Setup Options screen. You can select the services to install and the target directory.

If you are re-installing a particular component, or want to install only a particular component, such as the Internet Service Manager for remote monitoring from an NT Workstation, this Options screen comes in handy.

The next screen as shown in figure 4.3 is the publishing directories dialog box. This shows the root directories for the WWW, FTP, and Gopher services. The default directories are usually fine. Click the OK button to continue. The setup now continues.

Figure 4.3 : IIS 1.0 Publishing Directories screen.

As the setup progresses, the installation program will ask for confirmation to create directories, warn about services that are not available, and so on. Figure 4.4 is an example of a warning message: a security alert that warns the installer about the GUEST account.

Figure 4.4 : Installation Security Alert message.

At this point, the message "IIS Successfully Completed" appears. It is always a good practice to reboot the machine after the installation.

Testing the IIS Installation

The default installation of the Microsoft Internet Information Server (IIS) contains sample files that can be used to test the functionality of your IIS WWW publication service.

To test a server connected to the Internet, follow these steps:

  1. Ensure that your server has HTML files in the \Wwwroot directory.
  2. Start Internet Explorer on a computer that has an active connection to the Internet. This computer can be the server you are testing, although using a different computer is recommended.
  3. Type in the Uniform Resource Locator (URL) for the home directory of your new server. The URL will be http:// followed by the name of your server, followed by the path of the file you want to view. (Note the forward slash marks.) For example, if your server is registered in DNS as www.company.com and you want to view the file homepage.htm in the root of the home directory, in the Location box you would type http://www.company.com/homepage.htm and then press the Enter key.

TIP
To test the Internet connection, try to access a well known site such as http://www.microsoft.com. You should see the Microsoft home page.

To test a server on the Intranet, follow these steps:

  1. Ensure that your computer has an active network connection and that the WINS service (or other name resolution method) is functioning.
  2. Make sure the WWW service is started by opening Microsoft Internet Service Manager and verifying that State is "Running."
  3. Start your favorite Web browser. (For most, it will probably be Internet Explorer or Netscape Navigator.)
  4. Type in the Uniform Resource Locator (URL) for the home directory of your new server.

The URL will be http:// followed by the Windows Networking name of your server, followed by the path of the file you want to view. (Note the forward slash marks.) For example, if your server is registered with the WINS server as "Admin1" and you want to view the file "default.htm" in the root of the home directory, in the Location box you would type http://admin1/default.htm and then press the Enter key. The home page as shown in figure 4.6 should appear on the screen.

TIP
You really do not need a URL to test the installation. From any computer connected to the company's Intranet or LAN, start a WWW browser such as Internet Explorer or Netscape Navigator, type in the IP address of the IIS server just installed (for example, http://145.101.138.99/), and press the Enter key. The IIS home page as shown in figure 4.6 will be displayed.

IIS Administration

Now that IIS is successfully installed and configured, you would think that your work is done. Well, now come the problems, resolutions, and workarounds that are a part of Web site administration. IIS administration is done using the Microsoft Internet Service Manager (ISM). Figure 4.5 shows the ISM window. The services and their status are displayed in the main window.

Figure 4.5 : Internet Service Manager showing the status of IIS services.

The properties for a service can be displayed by double-clicking a service. For example, by double-clicking the WWW service, the property pages for that service are displayed as shown in figure 4.6.

Figure 4.6 : WWW Service property page from the Internet Service Manager. This page shows the logging options.

It is a good practice to log the activities for all the services and analyze the logs periodically. After installation, check the logs directory and select a frequency (daily, weekly and so on). You can either use log analysis tools to analyze the logs, or log the activities to a SQL/ODBC database and do analysis by writing a custom program.

NOTE
For the first few weeks, check the activities (of WWW, FTP, and Gopher services) on a daily basis, then move on to weekly or monthly basis.
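An added example, not part of the chapter, of the kind of periodic log review suggested above: a Python script that summarizes constructed IIS log lines and flags clients that are repeatedly refused. The comma-separated field order is assumed to follow the Microsoft IIS log format of the time, and the host names, addresses, users and status codes in the sample are constructed.

```python
# Added example, not from the chapter: a small review script for the IIS
# activity logs the section recommends keeping. The log lines are
# constructed, and the field order is assumed to be the Microsoft IIS
# log format of the time:
#   client IP, user name, date, time, service, server name, server IP,
#   time taken (ms), bytes received, bytes sent, status code,
#   Win32 status, operation, target, parameters
from collections import Counter, defaultdict

SAMPLE_LOG = """\
10.1.2.3, -, 3/14/97, 9:01:02, W3SVC, ADMIN1, 10.1.2.10, 120, 210, 3421, 200, 0, GET, /default.htm, -,
10.1.2.3, -, 3/14/97, 9:01:03, W3SVC, ADMIN1, 10.1.2.10, 40, 200, 1210, 200, 0, GET, /images/logo.gif, -,
10.1.2.77, -, 3/14/97, 9:05:10, W3SVC, ADMIN1, 10.1.2.10, 15, 230, 0, 401, 5, GET, /private/payroll.htm, -,
10.1.2.77, jsmith, 3/14/97, 9:05:11, W3SVC, ADMIN1, 10.1.2.10, 18, 260, 0, 401, 5, GET, /private/payroll.htm, -,
10.1.2.77, jsmith, 3/14/97, 9:05:12, W3SVC, ADMIN1, 10.1.2.10, 17, 260, 0, 401, 5, GET, /private/salaries.htm, -,
10.1.2.77, -, 3/14/97, 9:05:30, W3SVC, ADMIN1, 10.1.2.10, 12, 190, 0, 403, 5, GET, /scripts/, -,
10.1.2.77, jsmith, 3/14/97, 9:06:01, MSFTPSVC, ADMIN1, 10.1.2.10, 31, 0, 0, 530, 1326, [1]PASS, -, -,
10.1.2.90, bjones, 3/14/97, 9:10:44, W3SVC, ADMIN1, 10.1.2.10, 20, 240, 0, 401, 5, GET, /private/payroll.htm, -,
10.1.2.50, annb, 3/14/97, 9:12:05, MSFTPSVC, ADMIN1, 10.1.2.10, 800, 0, 44120, 226, 0, [2]sent, /pub/readme.txt, -,
"""

FIELDS = ["client", "user", "date", "time", "service", "server", "server_ip",
          "time_taken", "bytes_in", "bytes_out", "status", "win32_status",
          "operation", "target", "params"]

# Status codes that mean a request was refused, per service.
DENIED = {"W3SVC": {"401", "403"}, "MSFTPSVC": {"530"}}

def parse_log(text):
    """Turn the raw log text into a list of field dictionaries."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.rstrip(",").split(",")]
        if len(parts) != len(FIELDS):
            continue  # skip blank or truncated lines rather than crash
        records.append(dict(zip(FIELDS, parts)))
    return records

def summarize(records):
    """Request counts per service and per status code, plus bytes served."""
    by_service = Counter(r["service"] for r in records)
    by_status = Counter(r["status"] for r in records)
    bytes_out = sum(int(r["bytes_out"]) for r in records)
    return {"by_service": dict(by_service), "by_status": dict(by_status),
            "bytes_out": bytes_out}

def denied_clients(records, threshold=3):
    """Clients refused at least `threshold` times across all services,
    the pattern that deserves a look during the weekly log review."""
    refused = Counter()
    targets = defaultdict(set)
    for r in records:
        if r["status"] in DENIED.get(r["service"], set()):
            refused[r["client"]] += 1
            targets[r["client"]].add(r["target"])
    return [(client, n, sorted(targets[client]))
            for client, n in refused.most_common() if n >= threshold]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    for client, n, seen in denied_clients(recs):
        print(f"{client}: refused {n} times, targets {seen}")
```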

To publish information via the World Wide Web, the HTML files should be copied to the directory specified in the directories property page, as shown in figure 4.7.

Figure 4.7 : WWW Service Directories property page from the Internet Service Manager. This page associates the directories where the HTML files for WWW publishing are stored with virtual servers, IP addresses, and so on.

IIS supports virtual servers to host multiple domain names on the same computer running Microsoft Internet Information Server. Multiple IP addresses are bound to the network adapter card connected to the Internet in the advanced TCP/IP configuration settings, reached through the Network applet in Control Panel (from the Settings option in the Start menu). The directories for the virtual servers are configured in the Directories property page as shown in figure 4.7.

IIS Security

Security is, and always will be, a major concern of Intranet practitioners and users. In general, the four most important characteristics of a secure system are as follows:

NT Security and Access Control

This section discusses the security issues related to the accounts created during installation. These discussions pertain mainly to the security provided by Windows NT Server.

Password Authentication Options

The types available are Anonymous, Basic, and Windows NT Challenge/Response. The screen is accessed from the Service property page in the Internet Service Manager.

  1. Allow Anonymous. For Web access through a browser, when this check box is checked, anonymous connections are processed using the user name shown in the Anonymous Logon group box. If this option is unchecked, all anonymous connections are rejected, and Basic or Windows NT authentication is used to access the Web site, so the user needs a user name and a password.
  2. Basic. When this check box is checked, the Web service will process requests using basic authentication. This is also called "clear text." The user needs a user name and a password to access the web contents.

    CAUTION
    Basic authentication sends Windows NT user names and passwords across the network without encryption. Hackers using network packet sniffers can see the password as it is transmitted over the network. This check box is unchecked by default for security reasons.

  3. Windows NT Challenge/Response. When this check box is checked, the user needs to enter a user name and a password. The user account information is sent to the server using the Windows NT Challenge/Response (NTLM) protocol. This protocol uses encryption for secure transmission of passwords. The NTLM authentication process is initiated automatically if an "access denied" error occurs on an anonymous client.

NOTE
If the client browser does not support the NTLM authentication, the users will get messages like "Access denied, Server does not specify the authentication method," or "Authentication required for this document," and so on. At that point, there are two alternatives: either disable challenge/response and enable basic, or get a client browser that supports the NTLM authentication scheme. Intranets inside a firewall can use the Basic method. If you are giving access to your sensitive data outside the firewall, you should consider secure communication alternatives, including digital signatures.
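As an added example (not from the chapter), this Python script classifies the Authorization header of a request as Basic or Windows NT Challenge/Response and reports what is readable on the wire, which is the difference the caution above is about. The requests, host name and credential are constructed, and the NTLM token is a minimal hand-built negotiate message.

```python
# Added example, not from the chapter: classify the Authorization header
# of a request as Basic or Windows NT Challenge/Response (NTLM) and report
# what an observer on the wire could learn. Requests, host name and the
# credential are constructed; the NTLM token is a hand-built negotiate
# (Type 1) message, enough to show that no password travels in it.
import base64
import struct

def split_message(raw):
    """Split a raw HTTP request or response into (first line, header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def inspect_request(raw, over_ssl=False):
    """Describe the credential in a request without recording the password."""
    _, headers = split_message(raw)
    auth = headers.get("authorization")
    if auth is None:
        return {"scheme": None, "user": None, "password_exposed": False}
    scheme, _, token = auth.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is base64 encoding, not encryption: whoever captures the
        # packet has the user name and password unless the channel is SSL.
        creds = base64.b64decode(token).decode("latin-1")
        user, _, password = creds.partition(":")
        return {"scheme": "basic", "user": user,
                "password_length": len(password),
                "password_exposed": not over_ssl}
    if scheme == "ntlm":
        blob = base64.b64decode(token)
        if blob[:8] != b"NTLMSSP\x00":
            raise ValueError("malformed NTLM token")
        msg_type = struct.unpack_from("<I", blob, 8)[0]  # 1 negotiate, 3 authenticate
        # NTLM exchanges a challenge and a response derived from the
        # password; the password itself is not in any of its messages.
        return {"scheme": "ntlm", "message_type": msg_type,
                "user": None, "password_exposed": False}
    return {"scheme": scheme, "user": None, "password_exposed": False}

def starts_challenge_response(raw_response):
    """True when an access-denied reply advertises NTLM, the point at which
    a capable browser switches from anonymous to Challenge/Response."""
    status_line, headers = split_message(raw_response)
    code = status_line.split()[1]
    return code == "401" and headers.get("www-authenticate", "").upper().startswith("NTLM")

# Constructed traffic for the two options.
BASIC_REQUEST = ("GET /private/payroll.htm HTTP/1.0\r\n"
                 "Host: admin1\r\n"
                 "Authorization: Basic "
                 + base64.b64encode(b"jsmith:s3cret").decode() + "\r\n\r\n")
NTLM_NEGOTIATE = (b"NTLMSSP\x00" + struct.pack("<I", 1)          # signature, Type 1
                  + struct.pack("<I", 0xB203) + b"\x00" * 16)   # flags, empty fields
NTLM_REQUEST = ("GET /private/payroll.htm HTTP/1.0\r\n"
                "Host: admin1\r\n"
                "Authorization: NTLM "
                + base64.b64encode(NTLM_NEGOTIATE).decode() + "\r\n\r\n")
DENIED_REPLY = "HTTP/1.0 401 Access Denied\r\nWWW-Authenticate: NTLM\r\n\r\n"

if __name__ == "__main__":
    print(inspect_request(BASIC_REQUEST))
    print(inspect_request(BASIC_REQUEST, over_ssl=True))
    print(inspect_request(NTLM_REQUEST))
    print(starts_challenge_response(DENIED_REPLY))
```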

Suggested Best Practices

Microsoft suggests the following checks on the NT security system. Please follow them.

  1. Review the IUSR_computername account's rights.
  2. Choose difficult passwords.
  3. Manage strict account policies.
  4. Limit the membership of the Administrator's group.
  5. Run only the services that you need.
  6. Unbind unnecessary services from your Internet adapter cards.
  7. Check permissions on network shares.

SSL support

IIS 2.0 provides users with a secure communication channel through support for Secure Sockets Layer (SSL) and RSA encryption. This provides secure data communication through data encryption and decryption. SSL is a WWW feature that supports data encryption and server authentication. In terms of the Open Systems Interconnect (OSI) model, the SSL protocol sits between the TCP/IP transport/network layer and the application layer where HTTP operates. IIS 2.0 has a new program called Key Manager to manage SSL keys.

Portable Certificates and IDs?
Microsoft has proposed Personal Effects Exchange (PFX), which is titled "multi-browser, multi-platform, secure exchange interoperability standard for certificates, CRLs, private keys, and personal secrets." (Wow! It is an earful, isn't it?) Internet security is still a young field. A lot of work is being done to make security wallets and distributed security systems, like the public key/group based system proposed by Rivest and Lampson called SDSI, a Simple Distributed Security Infrastructure.

Enabling PCT/SSL security on a Microsoft Internet Information Server involves generating a key pair file and a request file, requesting a certificate from a Certification Authority, and then installing and activating SSL security.

NOTE
Digital certificates can be obtained from Verisign. More information is available from http://www.verisign.com/microsoft/. The IIS Installation and planning guide also has more information on the SSL implementation.

Integration with Windows NT Security System

All the IIS services rely on NT server user accounts, ACLs, and permissions. Every access to a resource (for example, a file, an HTML page, an Internet Server API (ISAPI) application, and so on) is done by the services on behalf of a Windows NT user. The service impersonates the user by supplying a username/password pair in the attempt to read/execute the resource for the client.

The Windows NT File System (NTFS) allows Access Control Lists (ACLs) to be assigned to files and directories. ACLs grant and/or deny access to the associated file or directory by specific Windows NT user accounts or groups of users. When an Internet service attempts to read or execute a file on behalf of a client request, the user account offered by the service must have permission, as determined by the ACL associated with the file, to read or execute the file, as appropriate. If the user account does not have permission to access the file, the request fails, and a response is returned, informing the client that access has been denied.

File and directory ACLs are configured by using the Windows NT File Manager, Security submenu. Remember, ACLs are supported only on NTFS partitions.

Customized Authentication

If you are publishing sensitive data and require a secure communication, the Internet Server API (ISAPI) Software Developer's Kit (SDK) can be used to develop filter DLLs that implement secure algorithms.

Performance Monitoring

Performance Monitor is a graphical tool in the Windows NT server that can be used for analyzing throughput, site traffic, and internal congestion measurements. It provides charting, alerting, and reporting capabilities that reflect current activity along with ongoing logging. One advantage is that the Performance Monitor program can function as a server data recorder when you log the counters to disk. You can then open log files at a later time for browsing and charting.

The monitoring should be an ongoing activity for an Intranet. A good plan is to log the counters and analyze them weekly.

The WWW server adds the HTTP Service, FTP Server, Gopher Service, and Internet Information Services Global performance counter objects to the existing list in the Windows NT Performance Monitor.

SNMP MIBs

As with any network system, management is an important part of IIS. The most commonly used protocol to gather information and manage network devices is the SNMP (Simple Network Management Protocol). The Windows NT SNMP service includes MIB II (based on RFC 1213). The SNMP and TCP/IP services use a set of objects known as the Management Information Base (MIB). Given the popularity of SNMP, it is not surprising that IIS supports the Performance Monitor objects as MIB objects for SNMP. These MIB objects are described in the IIS user's manual as well as at the Microsoft Web site http://www.microsoft.com/infoserv/samples/tour/mib.htm.

Windows NT Registry: A Crash Course

Windows and DOS had config.sys, autoexec.bat, and a host of ini files. In Windows NT, configuration information is stored in the registry. If you are working with IIS, at some time you will need to edit the values in the registry.

The registry has a tree-like structure: there is one root and many branches. The major subtrees are HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, and HKEY_USERS. (For IIS configuration and administration, we are mainly interested in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo branch.) A leaf is an entry that consists of a name, a data type, and a value. The name can be MemoryCacheSize, Bandwidth, or something similar. The common data types we are interested in are:

  REG_BINARY: binary data in any form.
  REG_DWORD: a 32-bit number.
  REG_EXPAND_SZ: a null-terminated string that contains unexpanded references to environment variables (for example, %PATH%).
  REG_SZ: a null-terminated string.

The value can be a number or a string. The Registry preserves the case you type for any entry but ignores case when evaluating it, so names are case insensitive. The data, however, is defined by specific applications (or users), so it might be case sensitive, depending on how the program that uses it treats the data.

The registry is manipulated using the regedt32.exe program, usually found in the winNT35\system32 subdirectory. You can start the program from the File Manager. I recommend creating a program icon for the registry editor in the Administrative Tools program group. Please refer to the help in the regedt32 program for more details, such as editing, adding, or deleting an entry or key.

CAUTION
Be very careful when deleting a key entry, because there is no Undo command. In general, exert caution when editing registry entries. A wrong or inadvertent edit can result in a non-bootable system.

The Internet Information Server stores information in four registry keys. They are Internet Information Server (IIS), FTP, Gopher, and HTTP. These keys are independent of each other.
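As an added example, not from the chapter, this Python script decodes a REGEDIT4 export of the InetInfo Parameters branch into the data types described above and compares it with a saved known-good export, so the IIS settings can be reviewed offline rather than in regedt32. The export text is constructed; MemoryCacheSize and Bandwidth are the chapter's example names, and the remaining value names and values are placeholders.

```python
# Added example, not from the chapter: decode a REGEDIT4 export of the
# InetInfo branch so its values can be reviewed, or compared with a saved
# known-good copy, without opening regedt32. The export text is
# constructed; MemoryCacheSize and Bandwidth are the chapter's example
# names, the other value names and all values are placeholders.
import re

SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters]
"MemoryCacheSize"=dword:00300000
"Bandwidth"=dword:ffffffff
"PlaceholderLogDir"="C:\\WINNT\\System32\\LogFiles"
"PlaceholderBinPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,69,6e,\
  65,74,73,72,76,00
"PlaceholderBlob"=hex:01,00,ff
"""

_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def _unescape(s):
    # REGEDIT4 escapes backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)

def _decode(raw):
    """Map one textual value to (registry type name, Python value)."""
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes.fromhex(m.group(2).replace(",", "").strip())
        kind = int(m.group(1) or 3)          # bare hex: is REG_BINARY (type 3)
        if kind == 3:
            return "REG_BINARY", data
        if kind == 2:                         # ANSI text with a NUL terminator
            return "REG_EXPAND_SZ", data.decode("latin-1").rstrip("\x00")
        return f"REG_TYPE_{kind}", data
    raise ValueError(f"unrecognised value syntax: {raw!r}")

def _logical_lines(text):
    """Join lines that REGEDIT4 wraps with a trailing backslash."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def parse_regedit4(text):
    """Return {key path: {value name: (type, value)}}."""
    lines = _logical_lines(text)
    if next(lines, "") != "REGEDIT4":
        raise ValueError("not a REGEDIT4 export")
    keys, current = {}, None
    for line in lines:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if not m or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = "" if m.group(2) else _unescape(m.group(1))  # "" is the default value
        keys[current][name] = _decode(m.group(3))
    return keys

def changed_values(current, baseline):
    """(key, name, old, new) for every value that differs from a saved export."""
    changes = []
    for key in sorted(set(current) | set(baseline)):
        cur, base = current.get(key, {}), baseline.get(key, {})
        for name in sorted(set(cur) | set(base)):
            if cur.get(name) != base.get(name):
                changes.append((key, name, base.get(name), cur.get(name)))
    return changes

if __name__ == "__main__":
    for key, values in parse_regedit4(SAMPLE_EXPORT).items():
        print(key)
        for name, (kind, value) in values.items():
            print(f"  {name} ({kind}) = {value!r}")
```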